
cef0.cyberArk.vault

Introduction

The table cef0.cyberArk.vault identifies events in CEF format generated by CyberArk Vault (device vendor Cyber-Ark, device product Vault, as seen in the sample log below).

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

| Tag | Data table |
| --- | --- |
| cef0.cyberArk.vault | cef0.cyberArk.vault |

How is the data sent to Devo?

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Log samples

The following is a sample log sent to the cef0.cyberArk.vault table. Below the sample log you can see how its information is parsed into the columns of your data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

2021-11-19 10:51:02.613 localhost=127.0.0.1 14 CEF: 0|Cyber-Ark|Vault|11.4.0000|32|Add Owner|5|act="Add Owner" suser=name123 fname= dvc=123.123.123.123 shost=123.124.125.126 dhost= duser= externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2="USR_CA99022_DEV" cs3Label="Device Type" cs3= cs4Label="Database" cs4= cs5Label="Other info" cs5="123.123.123.123" cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2= msg=#015: 

And this is how the log would be parsed:

| Field | Value | Type | Source field name | Extra fields |
| --- | --- | --- | --- | --- |
| eventdate | 2021-11-19 10:51:02.613 | timestamp | | |
| hostname | localhost | str | | |
| priorityCode | 14 | str | | |
| cefTag | CEF | str | | |
| cefVersion | 0 | str | | |
| embDeviceVendor | Cyber-Ark | str | | |
| embDeviceProduct | Vault | str | | |
| deviceVersion | 11.4.0000 | str | | |
| signatureID | 32 | str | | |
| name | Add Owner | str | | |
| severity | 5 | str | | |
| _cefVer | null | str | | |
| act | Add Owner | str | | |
| app | null | str | | |
| cn1Label | Request Id | str | | |
| cn1 | null | str | | |
| cn2Label | Ticket Id | str | | |
| cn2 | null | str | | |
| cs1Label | Affected User Name | str | | |
| cs1 | null | str | | |
| cs2Label | Safe Name | str | | |
| cs2 | USR_CA99022_DEV | str | | |
| cs3Label | Device Type | str | | |
| cs3 | null | str | | |
| cs4Label | Database | str | | |
| cs4 | null | str | | |
| cs5Label | Other info | str | | |
| cs5 | 123.123.123.123 | str | | |
| dhost | null | str | | |
| duser | null | str | | |
| dvc | 123.123.123.123 | ip4 | | |
| externalId | null | str | | |
| fname | null | str | | |
| msg | null | str | | |
| reason | null | str | | |
| shost | 123.124.125.126 | str | | |
| suser | name123 | str | | |
| eventId | null | str | | |
| categorySignificance | null | str | | |
| categoryBehavior | null | str | | |
| categoryDeviceGroup | null | str | | |
| catdt | null | str | | |
| categoryOutcome | null | str | | |
| categoryObject | null | str | | |
| art | null | str | | |
| rt | null | timestamp | | |
| src | null | ip4 | | |
| sourceZoneURI | null | str | | |
| ahost | null | str | | |
| agt | null | str | | |
| agentZoneURI | null | str | | |
| amac | null | str | | |
| av | null | str | | |
| atz | null | str | | |
| at | null | str | | |
| deviceZoneURI | null | str | | |
| dtz | null | str | | |
| rawMessage | CEF: 0\|Cyber-Ark\|Vault\|11.4.0000\|32\|Add Owner\|5\|act="Add Owner" suser=name123 fname= dvc=123.123.123.123 shost=123.124.125.126 dhost= duser= externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2="USR_CA99022_DEV" cs3Label="Device Type" cs3= cs4Label="Database" cs4= cs5Label="Other info" cs5="123.123.123.123" cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2= msg=#015: | str | | |
| hostchain | localhost=127.0.0.1 | str | | |
| tag | CEF | str | cefTag | |
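As an added example (not Devo's parser and not code from this page), the following Python reproduces the parse shown in the table above: it splits the syslog prefix and the pipe-separated CEF header, tokenizes the extension (including the quoted values CyberArk emits, such as act="Add Owner"), turns empty values into None like the nulls in the table, and validates dvc as an IPv4 address because the table types it as ip4. It assumes the line layout of the sample above (eventdate, hostchain, priority code, then the CEF message); the names SAMPLE, HEADER_RE, parse_devo_cef_line, parse_extension, split_cef_header and resolve_custom_labels are this example's own. One deliberate difference: the table shows msg as null, while this parser keeps the raw token #015: that appears at the end of the sample.

```python
import ipaddress
import re
from datetime import datetime

# Constructed copy of the sample log shown on this page (trailing space included, as on the page).
SAMPLE = (
    '2021-11-19 10:51:02.613 localhost=127.0.0.1 14 CEF: 0|Cyber-Ark|Vault|11.4.0000|32|Add Owner|5|'
    'act="Add Owner" suser=name123 fname= dvc=123.123.123.123 shost=123.124.125.126 dhost= duser= '
    'externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" '
    'cs2="USR_CA99022_DEV" cs3Label="Device Type" cs3= cs4Label="Database" cs4= '
    'cs5Label="Other info" cs5="123.123.123.123" cn1Label="Request Id" cn1= cn2Label="Ticket Id" '
    'cn2= msg=#015: '
)

# Syslog prefix as in the sample (eventdate, hostchain, priority code), then the CEF header.
# "CEF:\s*" accepts both the standard "CEF:0|" and the "CEF: 0|" seen in this sample.
HEADER_RE = re.compile(
    r'^(?P<eventdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) '
    r'(?P<hostchain>\S+) (?P<priorityCode>\d+) '
    r'(?P<cefTag>CEF):\s*(?P<cefVersion>\d+)\|(?P<rest>.*)$',
    re.S,
)
# Devo column names for the six pipe-separated header fields, in CEF order.
HEADER_FIELDS = ('embDeviceVendor', 'embDeviceProduct', 'deviceVersion', 'signatureID', 'name', 'severity')
KEY_RE = re.compile(r'(\w+)=')        # start of a key=value pair
NEXT_KEY_RE = re.compile(r'\s+\w+=')  # boundary that ends an unquoted value


def split_cef_header(rest):
    """Split the six header fields on unescaped pipes (CEF writes a literal pipe as '\\|')."""
    parts = re.split(r'(?<!\\)\|', rest, maxsplit=len(HEADER_FIELDS))
    if len(parts) != len(HEADER_FIELDS) + 1:
        raise ValueError('CEF header has fewer than 7 pipe-separated fields')
    header = [p.replace('\\|', '|').replace('\\\\', '\\') for p in parts[:-1]]
    return header, parts[-1]


def parse_extension(ext):
    """Tokenize the extension; empty values become None, like the nulls in the table above."""
    fields, pos, n = {}, 0, len(ext)
    while pos < n:
        if ext[pos].isspace():
            pos += 1
            continue
        m = KEY_RE.match(ext, pos)
        if not m:
            raise ValueError(f'unexpected text at offset {pos}: {ext[pos:pos + 20]!r}')
        key, pos = m.group(1), m.end()
        if pos < n and ext[pos] == '"':
            # CyberArk quotes values with spaces (act="Add Owner"): read to the closing quote,
            # honouring backslash escapes inside the quotes.
            end, buf = pos + 1, []
            while end < n and ext[end] != '"':
                if ext[end] == '\\' and end + 1 < n:
                    buf.append(ext[end + 1])
                    end += 2
                    continue
                buf.append(ext[end])
                end += 1
            value, pos = ''.join(buf), end + 1
        else:
            # Unquoted: the value runs until the next " key=" boundary or the end of the line.
            nxt = NEXT_KEY_RE.search(ext, pos)
            end = nxt.start() if nxt else n
            value, pos = ext[pos:end].strip().replace('\\=', '='), end
        fields[key] = value if value != '' else None
    return fields


def parse_devo_cef_line(line):
    """Parse one line in the page's layout into the column names used by cef0.cyberArk.vault."""
    line = line.strip()
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('line does not match the expected syslog + CEF layout')
    header, ext = split_cef_header(m.group('rest'))
    record = {
        'eventdate': datetime.strptime(m.group('eventdate'), '%Y-%m-%d %H:%M:%S.%f'),
        'hostchain': m.group('hostchain'),
        'hostname': m.group('hostchain').split('=', 1)[0],
        'priorityCode': m.group('priorityCode'),
        'cefTag': m.group('cefTag'),
        'cefVersion': m.group('cefVersion'),
        'rawMessage': line[m.start('cefTag'):],
    }
    record.update(zip(HEADER_FIELDS, header))
    record.update(parse_extension(ext))
    # The table types dvc as ip4: validate it rather than store an arbitrary string.
    if record.get('dvc') is not None:
        record['dvc'] = ipaddress.IPv4Address(record['dvc'])
    return record


def resolve_custom_labels(record):
    """Map each csNLabel/cnNLabel to its csN/cnN value, e.g. {'Safe Name': 'USR_CA99022_DEV'}."""
    out = {}
    for key, label in record.items():
        lm = re.fullmatch(r'(c[sn]\d+)Label', key)
        if lm and label is not None:
            out[label] = record.get(lm.group(1))
    return out
```

resolve_custom_labels pairs each csNLabel with its csN value, which is how a query against this table should read Safe Name or Affected User Name instead of relying on which numbered custom string CyberArk happened to use; for the sample it yields Safe Name = USR_CA99022_DEV and Other info = 123.123.123.123, with the other labels mapped to None.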