...
The tags beginning with cef0.extrahopf5
identify events in CEF format generated by ESET F5.
Tag structure
Events in CEF format do not have a specific tag structure (see Technologies supported in CEF syslog format). They are always sent to a table whose name follows the structure cef0.deviceVendor.deviceProduct.
In this case, the valid data tables are:
Tags | Data tables |
---|---|
|
|
|
|
How is the data sent to Devo?
...
These are the fields displayed in this table:
...
these tables:
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate |
|
hostname |
|
priorityCode |
|
cefTag |
|
cefVersion |
|
embDeviceVendor |
|
embDeviceProduct |
|
deviceVersion |
|
signatureID |
|
name |
|
cs2Label | str |
cs5Label | str |
dhost | str |
cs2 | str |
shost | str |
src | ip4 |
act | str |
cs5 | str |
in | int8 |
cs6Label | str |
cs1Label | str |
dtz | str |
sourceZoneID | str |
slong | str |
deviceZoneID | str |
eventAnnotationAuditTrail | str |
eventAnnotationVersion | str |
eventAnnotationModificationTime | str |
art | str |
originalAgentAddress | str |
eventId | str |
at | str |
mrt | str |
customerURI | str |
dlat | str |
originalAgentZoneURI | str |
sourceZoneURI | str |
assetCriticality | str |
destinationZoneID | str |
eventAnnotationFlags | str |
agt | str |
modelConfidence | str |
aid | str |
amac | str |
slat | str |
Severity | str |
relevance | str |
av | str |
eventAnnotationStageUpdateTime | str |
locality | str |
ahost | str |
originalAgentVersion | str |
customerID | str |
dlong | str |
atz | str |
originalAgentMacAddress | str |
originalAgentType | str |
deviceSeverity | str |
originalAgentId | str |
eventAnnotationManagerReceiptTime | str |
originalAgentHostName | str |
priority | str |
deviceZoneURI | str |
eventAnnotationEndTime | str |
destinationZoneURI | str |
hostchain | str |
severity |
|
_cefVer | str |
dvc | ip4 |
cs3Label | str |
filePath | str |
msg | str |
cs4Label | str |
cs3 | str |
cs1 | str |
dst | ip4 |
request | str |
cs6 | str |
fileHash | str |
rt | timestamp |
cs4 | str |
fname | str |
out | int8 |
_cefVer |
| ||
act |
| ||
app |
| ||
c6a1Label |
| ||
c6a1 |
| ||
c6a2Label |
| ||
c6a2 |
| ||
c6a3Label |
| ||
c6a3 |
| ||
c6a4Label |
| ||
c6a4 |
| ||
cn1Label |
| ||
cn1 |
| ||
cn2Label |
| ||
cn2 |
| ||
cn3Label |
| ||
cn3 |
| ||
cs1Label |
| ||
cs1 |
| ||
cs2Label |
| ||
cs2 |
| ||
cs3Label |
| ||
cs3 |
| ||
cs4Label |
| ||
cs4 |
| ||
cs5Label |
| ||
cs5 |
| ||
cs6Label |
| ||
cs6 |
| ||
deviceCustomDate1Label |
| ||
deviceCustomDate1 |
| ||
deviceExternalId |
| ||
dst |
| ||
dpt |
| ||
dvchost |
| ||
dvc |
| ||
externalId |
| ||
msg |
| ||
requestMethod |
| ||
request |
| ||
rt |
| ||
src |
| ||
spt |
| ||
suid |
| ||
suser |
| ||
microservice |
| ||
hostchain |
| ✓ | |
tag |
| cefTag | ✓ |
rawMessage |
|
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate |
| ||
priorityCode |
| ||
cefTag |
| ||
cefVersion |
| ||
embDeviceVendor |
| ||
embDeviceProduct |
| ||
deviceVersion |
| ||
signatureID |
| ||
name |
| ||
severity |
| ||
_cefVer |
| ||
act |
| ||
app |
| ||
cat |
| ||
c6a1Label |
| ||
c6a1 |
| ||
c6a2Label |
| ||
c6a2 |
| ||
c6a3Label |
| ||
c6a3 |
| ||
c6a4Label |
| ||
c6a4 |
| ||
cfp1Label |
| ||
cfp1 |
| ||
cfp2Label |
| ||
cfp2 |
| ||
cfp3Label |
| ||
cfp3 |
| ||
cfp4Label |
| ||
cfp4 |
| ||
cn1Label |
| ||
cn1 |
| ||
cn2Label |
| ||
cn2 |
| ||
cn3Label |
| ||
cn3 |
| ||
cnt |
| ||
cs1Label |
| ||
cs1 |
| ||
cs2Label |
| ||
cs2 |
| ||
cs3Label |
| ||
cs3 |
| ||
cs4Label |
| ||
cs4 |
| ||
cs5Label |
| ||
cs5 |
| ||
cs6Label |
| ||
cs6 |
| ||
destinationDnsDomain |
| ||
destinationServiceName |
| ||
destinationTranslatedAddress |
| ||
destinationTranslatedPort |
| ||
deviceCustomDate1Label |
| ||
deviceCustomDate1 |
| ||
deviceCustomDate2Label |
| ||
deviceCustomDate2 |
| ||
deviceDirection |
| ||
deviceDnsDomain |
| ||
deviceExternalId |
| ||
deviceInboundInterface |
| ||
deviceMacAddress |
| ||
deviceNtDomain |
| ||
deviceOutboundInterface |
| ||
deviceProcessName |
| ||
deviceTranslatedAddress |
| ||
dhost |
| ||
dmac |
| ||
dntdom |
| ||
dpid |
| ||
dpriv |
| ||
dproc |
| ||
dst |
| ||
duid |
| ||
duser |
| ||
dvchost |
| ||
dvc |
| ||
dvcpid |
| ||
end |
| ||
deviceFacility |
| ||
externalId |
| ||
fileCreateTime |
| ||
fileHash |
| ||
fileId |
| ||
fileModificationTime |
| ||
filePath |
| ||
filePermission |
| ||
fileType |
| ||
fname |
| ||
fsize |
| ||
in |
| ||
msg |
| ||
oldFileCreateTime |
| ||
oldFileHash |
| ||
oldFileId |
| ||
oldFileModificationTime |
| ||
oldFileName |
| ||
oldFilePath |
| ||
oldFilePermission |
| ||
oldFileSize |
| ||
oldFileType |
| ||
outcome |
| ||
out |
| ||
proto |
| ||
reason |
| ||
requestClientApplication |
| ||
requestCookies |
| ||
requestMethod |
| ||
request |
| ||
rt |
| ||
shost |
| ||
smac |
| ||
sntdom |
| ||
sourceDnsDomain |
| ||
sourceServiceName |
| ||
sourceTranslatedAddress |
| ||
sourceTranslatedPort |
| ||
spid |
| ||
spriv |
| ||
sproc |
| ||
spt |
| ||
src |
| ||
start |
| ||
suid |
| ||
suser |
| ||
catdt |
| ||
deviceDomain |
| ||
deviceSeverity |
| ||
dpt |
| ||
dtz |
| ||
dvcmac |
| ||
endTime |
| ||
eventId |
| ||
flexNumber1 |
| ||
flexNumber1Label |
| ||
flexNumber2 |
| ||
flexNumber2Label |
| ||
flexString1 |
| ||
flexString1Label |
| ||
flexString2 |
| ||
flexString2Label |
| ||
modelConfidence |
| ||
priority |
| ||
relevance |
| ||
requestContext |
| ||
sessionId |
| ||
slat |
| ||
slong |
| ||
dlat |
| ||
dlong |
| ||
sourceGeoCountryCode |
| ||
sourceGeoLocationInfo |
| ||
sourceGeoPostalCode |
| ||
sourceGeoRegionCode |
| ||
destinationGeoCountryCode |
| ||
destinationGeoLocationInfo |
| ||
destinationGeoPostalCode |
| ||
destinationGeoRegionCode |
| ||
agt |
| ||
ahost |
| ||
art |
| ||
atz |
| ||
mrt |
| ||
categoryBehavior |
| ||
categoryCustomFormatField |
| ||
categoryDeviceGroup |
| ||
categoryObject |
| ||
categoryOutcome |
| ||
categorySignificance |
| ||
categoryTechnique |
| ||
categoryTupleDescription |
| ||
assetCriticality |
| ||
customerID |
| ||
customerURI |
| ||
tag |
| cefTag | ✓ |
rawMessage |
|
✓ | |||
hostchain |
|