
cef0.sophos.xg

Introduction

The table cef0.sophos.xg identifies events in CEF format generated by Sophos XG firewall.

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

  • cef0.sophos.xg 

How is the data sent to Devo?

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Log samples

The following are sample logs sent to cef0.sophos.xg. Find how the information will be parsed in your data table under each sample log.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

cef0.sophos.xg

2021-09-01 09:34:01.514 localhost=127.0.0.1 14 14 CEF: 0|Cisco|Meraki Access Point||urls|urls |Low| eventId=8370995 msg=src\\=41.131.242.238:61680 dst\\=162.20.79.121:443 mac\\=23:74:d5:30:21:ff customerURI=/var/prod/suggest/lay.webm Customers/bin/yramirez/nothing/buy.ods/05 Neptune/etc/if/analysis/up/grow/tax/group.mov categorySignificance=/var/join/body/source/police/ball/even.pdf categoryBehavior=/etc/concern/trial/yramirez/cup.webm categoryDeviceGroup=/etc/france/among.jpeg categoryOutcome=/etc/both/party/shoulder.avi categoryObject=/opt/game/abc/daughter/mwillis/little.csv art=1628723372661 cat=urls rt=1628723371688 src=41.131.242.238 sourceZoneURI=/var/prod/suggest/lay.webm Zones/var/task/region/life.png System/dev/contain/also.doc Address Space Zones/var/administration.wav1918: 41.19.19.145-123.177.191.230 smac=D0-C6-37-D2-0E-AB dst=162.20.79.121 destinationZoneURI=/var/prod/suggest/lay.webm Zones/var/task/region/life.png System/opt/wall/especially/upon/fear.png Address Space Zones/var/australia/timor-leste/represent.wav duPont de Nemours and Co. Inc. request=https://bin/pay/contain/arrive.webm-data.balena-cloud.com/var/record/game/nearly/region/laugh/believe.docx requestMethod=UNKNOWN

And this is how the log would be parsed:

| Field | Value | Type | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | 2021-09-01 09:34:01.514 | timestamp | | |
| hostname | localhost | str | | |
| priorityCode | 14 | str | | |
| cefTag | CEF | str | | |
| cefVersion | 0 | str | | |
| embDeviceVendor | Cisco | str | | |
| embDeviceProduct | Meraki Access Point | str | | |
| deviceVersion | | str | | |
| signatureID | urls | str | | |
| name | urls | str | | |
| severity | Low | str | | |
| _cefVer | null | str | | |
| cat | urls | str | | |
| c6a4Label | null | str | | |
| dst | /162.20.79.121 | ip4 | | |
| dpt | null | int4 | | |
| dvchost | null | str | | |
| msg | `src\=41.131.242.238:61680` | str | | |
| proto | null | str | | |
| requestMethod | UNKNOWN | str | | |
| request | https://bin/pay/contain/arrive.webm-data.balena-cloud.com/var/record/game/nearly/region/laugh/believe.docx | str | | |
| rt | 2021-08-11 23:09:31.688 | timestamp | | |
| smac | D0-C6-37-D2-0E-AB | str | | |
| src | /41.131.242.238 | ip4 | | |
| spt | null | int4 | | |
| agentZoneURI | null | str | | |
| agt | null | str | | |
| ahost | null | str | | |
| aid | null | str | | |
| amac | null | str | | |
| art | 1628723372661 | str | | |
| at | null | str | | |
| atz | null | str | | |
| av | null | str | | |
| categoryBehavior | /etc/concern/trial/yramirez/cup.webm | str | | |
| categoryDeviceGroup | /etc/france/among.jpeg | str | | |
| categoryObject | /opt/game/abc/daughter/mwillis/little.csv | str | | |
| categoryOutcome | /etc/both/party/shoulder.avi | str | | |
| categorySignificance | /var/join/body/source/police/ball/even.pdf | str | | |
| customerURI | /var/prod/suggest/lay.webm Customers/bin/yramirez/nothing/buy.ods/05 Neptune/etc/if/analysis/up/grow/tax/group.mov | str | | |
| destinationZoneURI | /var/prod/suggest/lay.webm Zones/var/task/region/life.png System/opt/wall/especially/upon/fear.png Address Space Zones/var/australia/timor-leste/represent.wav duPont de Nemours and Co. Inc. | str | | |
| dtz | null | str | | |
| eventId | 8370995 | str | | |
| geid | null | str | | |
| sourceZoneURI | /var/prod/suggest/lay.webm Zones/var/task/region/life.png System/dev/contain/also.doc Address Space Zones/var/administration.wav1918: 41.19.19.145-123.177.191.230 | str | | |
| hostchain | localhost=127.0.0.1 14 | str | | ✓ |
| tag | CEF | str | cefTag | ✓ |
| rawMessage | `CEF: 0\|Cisco\|Meraki Access Point\|\|urls\|urls \|Low\| eventId=8370995 msg=src\\=41.131.242.238:61680 dst\\=162.20.79.121:443 mac\\=23:74:d5:30:21:ff customerURI=/var/prod/suggest/lay.webm Customers/bin/yramirez/nothing/buy.ods/05 Neptune/etc/if/analysis/up/grow/tax/group.mov categorySignificance=/var/join/body/source/police/ball/even.pdf categoryBehavior=/etc/concern/trial/yramirez/cup.webm categoryDeviceGroup=/etc/france/among.jpeg categoryOutcome=/etc/both/party/shoulder.avi categoryObject=/opt/game/abc/daughter/mwillis/little.csv art=1628723372661 cat=urls rt=1628723371688 src=41.131.242.238 sourceZoneURI=/var/prod/suggest/lay.webm Zones/var/task/region/life.png System/dev/contain/also.doc Address Space Zones/var/administration.wav1918: 41.19.19.145-123.177.191.230 smac=D0-C6-37-D2-0E-AB dst=162.20.79.121 destinationZoneURI=/var/prod/suggest/lay.webm Zones/var/task/region/life.png System/opt/wall/especially/upon/fear.png Address Space Zones/var/australia/timor-leste/represent.wav duPont de Nemours and Co. Inc. request=https://bin/pay/contain/arrive.webm-data.balena-cloud.com/var/record/game/nearly/region/laugh/believe.docx requestMethod=UNKNOWN` | str | | ✓ |
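As an added example that is not part of the Devo documentation or Devo's own parser, the following Python parses a line of the form shown above (the eventdate, hostchain and priority prefix, then the `CEF:` header and extension) into the column names the table uses. It honours the two places where CEF escaping matters, `\|` inside a header field and `\=` inside an extension value, and converts the millisecond `rt` value into the timestamp the table shows. The sample line is adapted from the page's log with a shortened extension and standard `\=` escaping for the `=` signs inside `msg`; the prefix layout and the column names are assumptions taken from the table above. Note that this parser keeps the whole escaped `msg` value, whereas the table above shows `msg` cut at its first space.

```python
import re
from datetime import datetime, timezone

# Sample adapted from the page's cef0.sophos.xg log: same syslog prefix and CEF header,
# a shortened extension, and standard CEF escaping (\=) for the '=' signs inside msg.
SAMPLE = (
    r"2021-09-01 09:34:01.514 localhost=127.0.0.1 14 14 CEF: 0|Cisco|Meraki Access Point||urls|urls |Low| "
    r"eventId=8370995 msg=src\=41.131.242.238:61680 dst\=162.20.79.121:443 mac\=23:74:d5:30:21:ff "
    r"art=1628723372661 cat=urls rt=1628723371688 src=41.131.242.238 smac=D0-C6-37-D2-0E-AB "
    r"dst=162.20.79.121 requestMethod=UNKNOWN"
)

# Assumed prefix layout, as in the table: "<eventdate> <hostchain> <priorityCode> CEF:<version>|..."
_PREFIX = re.compile(
    r"^(?P<eventdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<hostchain>.*?) (?P<priorityCode>\d+) CEF:\s*(?P<cef>.*)$"
)
# Column names for the seven header fields, mirroring the table above.
_HEADER_NAMES = ("cefVersion", "embDeviceVendor", "embDeviceProduct",
                 "deviceVersion", "signatureID", "name", "severity")
# An extension key starts the string or follows whitespace and ends at an unescaped '='.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def split_header(cef):
    """Split the seven pipe-delimited header fields; '\\|' and '\\\\' are escapes, not delimiters."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # escaped character: keep it literally
            cur.append(cef[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: fewer than 7 fields")
    # Trailing whitespace is stripped so that 'urls ' becomes 'urls', as in the table.
    return [f.strip() for f in fields], cef[i:]


def unescape(value):
    """Undo CEF extension escaping: \\= -> =, \\\\ -> \\, \\n and \\r -> newline / carriage return."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """Map each extension key to its value; a value runs until the next unescaped ' key='."""
    out = {}
    keys = list(_EXT_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape(ext[m.end():end])
    return out


def ms_to_timestamp(ms):
    """Render an epoch-millisecond value the way the table shows rt (UTC, millisecond precision)."""
    ms = int(ms)
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return base.strftime("%Y-%m-%d %H:%M:%S") + f".{ms % 1000:03d}"


def parse_line(line):
    """Parse one prefixed CEF syslog line into a flat dict keyed like the table's columns."""
    m = _PREFIX.match(line)
    if not m:
        raise ValueError("line does not carry a CEF payload")
    event = {
        "eventdate": m.group("eventdate"),
        "hostchain": m.group("hostchain"),
        "hostname": m.group("hostchain").split("=", 1)[0],
        "priorityCode": m.group("priorityCode"),
        "cefTag": "CEF",
    }
    header, ext = split_header(m.group("cef"))
    event.update(zip(_HEADER_NAMES, header))
    event["extension"] = parse_extension(ext)
    if "rt" in event["extension"]:
        event["rt"] = ms_to_timestamp(event["extension"]["rt"])
    return event


if __name__ == "__main__":
    for key, value in parse_line(SAMPLE).items():
        print(f"{key}: {value}")
```

The header is split with a character walk rather than `str.split("|")` because a vendor is allowed to escape a pipe inside a header field, and a naive split would shift every later column (severity would land in the wrong place and the extension would be truncated). The extension regex deliberately requires whitespace before a key, which is what stops the escaped `dst\=` and `mac\=` inside `msg` from being read as separate keys.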