cef0.thycotic

[ 1 Introduction ] [ 2 Tag structure ] [ 3 How is the data sent to Devo? ] [ 4 Table structure ]

Introduction

The tags beginning with cef0.thycotic identify events in CEF format generated by Anomali ThreatStream Threat Intelligence Management belonging to Anomali.

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

Tags	Data tables

Tags	Data tables
`cef0.thycotic.applicationControlSolution`	`cef0.thycotic.applicationControlSolution`

How is the data sent to Devo?

CEF data can be sent directly to Devo or by using a relay. To use the CEF default relay rule, send to the relay’s port 13000. Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Table structure

These are the fields displayed in this table:

cef0.threatStream.enterprise

Field	Type	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`	hostchain
priority_code	`str`
cef_tag	`str`
cef_version	`str`
emb_device_vendor	`str`
emb_device_product	`str`
device_version	`str`
signature_id	`str`
name	`str`
severity	`str`
external_id	`str`
computer_id	`str`
computer_name	`str`
event_received_by_server	`str`
file_id	`str`
file_name	`str`
file_path	`str`
policy_name	`str`
username	`str`
hostchain	`str`		✓
tag	`str`	`cef_tag`	✓
rawMessage	`str`		✓

Devo latest