...
Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.
...
How is the data sent to Devo?
CEF data can be sent directly to Devo or by using a relay. To use the CEF default relay rule, send to the relay’s port 13000. Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.
Table structure
These are the fields displayed in this table:
cef0.netskope.casb
Field | Type | Extra field | Source field name |
|---|---|---|---|
eventdate |
| ||
machine |
| ||
priority_code |
| ||
cef_tag |
| ||
cef_version |
| ||
emb_device_vendor |
| ||
emb_device_product |
| ||
device_version |
| ||
signature_id |
| ||
name |
| ||
severity |
| ||
device_action |
| ||
device_external_id |
| ||
destination_ip |
| ||
request_client_application |
| ||
source_service_name |
| ||
source_ip |
| ||
source_username |
| ||
access_method |
| ||
action |
| ||
app_session_id |
| ||
appcategory |
| ||
application_type |
| ||
browser |
| ||
cc_breach_date |
| ||
cc_breach_media_references |
| ||
cc_breach_score |
| ||
cc_email_source |
| ||
cc_matched_username |
| ||
cci |
| ||
ccl |
| ||
client_bytes |
| ||
device |
| ||
device_classification |
| ||
event_type |
| ||
hostname |
| ||
management_id |
| ||
netskope_justification_reason |
| ||
netskope_justification_type |
| ||
object |
| ||
os |
| ||
page |
| ||
policy |
| ||
policy_actions |
| ||
server_bytes |
| ||
timestamp |
| ||
url |
| ||
audit_log_event |
| ||
audit_type |
| ||
hostchain |
| ✓ | |
tag |
| ✓ | cef_tag |
rawMessage |
|