CEF
CEF (Common Event Format) is ArcSight's vendor-neutral log standard that encodes security events as structured key-value pairs.
Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.id | Unique identifier for the log entry. | string |
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (128)
| Field | Description | Type |
|---|---|---|
| cef.Severity | Numeric severity of the event (0-10), indicating the importance of the alert. | string |
| cef.EventClassID | Unique identifier (Signature ID) for this event type. | string |
| cef.Product | Name of the product or device that generated the event. | string |
| cef.ProductVersion | Version of the product or device that generated the event. | string |
| cef.Vendor | Name of the vendor or manufacturer of the device. | string |
| cef.Message | Human-readable text message describing the event. | text_general |
| cef.act | Action taken by the device (e.g., allow, block). | string |
| cef.app | Application protocol or service involved (e.g., HTTP, SSHv2). | string |
| cef.c6a1 | First custom IPv6 address extension field. | string |
| cef.c6a1Label | Label for the first custom IPv6 address field. | string |
| cef.c6a2 | Second custom IPv6 address extension field. | string |
| cef.c6a2Label | Label for the second custom IPv6 address field. | string |
| cef.c6a3 | Third custom IPv6 address extension field. | string |
| cef.c6a3Label | Label for the third custom IPv6 address field. | string |
| cef.c6a4 | Fourth custom IPv6 address extension field. | string |
| cef.c6a4Label | Label for the fourth custom IPv6 address field. | string |
| cef.cat | Device-assigned event category code. | string |
| cef.cfp1 | First custom floating-point extension field. | pfloat |
| cef.cfp1Label | Label for the first custom floating-point field. | string |
| cef.cfp2 | Second custom floating-point extension field. | pfloat |
| cef.cfp2Label | Label for the second custom floating-point field. | string |
| cef.cfp3 | Third custom floating-point extension field. | pfloat |
| cef.cfp3Label | Label for the third custom floating-point field. | string |
| cef.cfp4 | Fourth custom floating-point extension field. | pfloat |
| cef.cfp4Label | Label for the fourth custom floating-point field. | string |
| cef.cn1 | First custom integer extension field. | plong |
| cef.cn1Label | Label for the first custom integer field. | string |
| cef.cn2 | Second custom integer extension field. | plong |
| cef.cn2Label | Label for the second custom integer field. | string |
| cef.cn3 | Third custom integer extension field. | plong |
| cef.cn3Label | Label for the third custom integer field. | string |
| cef.cnt | Count or tally of occurrences for aggregated events. | plong |
| cef.cs1 | First custom string extension field. | string |
| cef.cs1Label | Label for the first custom string field. | string |
| cef.cs2 | Second custom string extension field. | string |
| cef.cs2Label | Label for the second custom string field. | string |
| cef.cs3 | Third custom string extension field. | string |
| cef.cs3Label | Label for the third custom string field. | string |
| cef.cs4 | Fourth custom string extension field. | string |
| cef.cs4Label | Label for the fourth custom string field. | string |
| cef.cs5 | Fifth custom string extension field. | string |
| cef.cs5Label | Label for the fifth custom string field. | string |
| cef.cs6 | Sixth custom string extension field. | string |
| cef.cs6Label | Label for the sixth custom string field. | string |
| cef.destinationDnsDomain | DNS domain of the destination endpoint. | string |
| cef.destinationServiceName | Service name (e.g., HTTP, DNS) for the destination port. | string |
| cef.destinationTranslatedAddress | Translated destination IP after NAT. | string |
| cef.destinationTranslatedPort | Translated destination port after NAT. | pint |
| cef.deviceCustomDate1 | First custom date extension field for user-defined timestamps. | pdate |
| cef.deviceCustomDate2 | Second custom date extension field for user-defined timestamps. | pdate |
| cef.deviceDnsDomain | DNS domain of the reporting device. | string |
| cef.deviceExternalId | External identifier assigned to the device. | string |
| cef.deviceFacility | Facility code of the originating device. | string |
| cef.deviceInboundInterface | Inbound network interface name or ID on the device. | string |
| cef.deviceNtDomain | NT domain of the device or user context. | string |
| cef.deviceOutboundInterface | Outbound network interface name or ID on the device. | string |
| cef.devicePayloadId | Identifier for a specific payload segment. | string |
| cef.deviceProcessName | Name of the process on the device that generated the event. | string |
| cef.deviceTranslatedAddress | Translated source IP after NAT on the device. | string |
| cef.dhost | Destination hostname of the event. | string |
| cef.dntdom | Destination NT domain for the event. | string |
| cef.dpid | Destination process ID associated with the event. | pint |
| cef.dpriv | Destination user privileges (e.g., Administrator, Guest). | string |
| cef.dproc | Name of the destination process. | string |
| cef.dtz | Time zone of the destination endpoint. | string |
| cef.duid | Destination user ID associated with the event. | pint |
| cef.duser | Username of the destination account. | string |
| cef.dvc | Custom device string field for additional context. | string |
| cef.dvchost | Host MAC address of the device. | string |
| cef.dvcmac | Alternative MAC address field for the device. | string |
| cef.dvcpid | Process ID on the device that generated the event. | pint |
| cef.end | End time of the activity or session. | pdate |
| cef.externalId | External event identifier for cross-system correlation. | string |
| cef.fileCreateTime | Timestamp when a file was created. | pdate |
| cef.fileHash | Cryptographic hash of the file involved. | string |
| cef.fileId | Identifier of the file for tracking. | string |
| cef.fileModificationTime | Timestamp when a file was last modified. | pdate |
| cef.filePath | Full filesystem path to the file. | string |
| cef.filePermission | Permission settings on the file (e.g., rwx). | string |
| cef.fileType | Type or extension of the file (e.g., exe, dll). | string |
| cef.flexDate1 | First flexible timestamp field for custom use. | pdate |
| cef.flexDate1Label | Label for the first flexible timestamp field. | string |
| cef.flexString1 | First flexible string field for custom use. | string |
| cef.flexString1Label | Label for the first flexible string field. | string |
| cef.flexString2 | Second flexible string field for custom use. | string |
| cef.flexString2Label | Label for the second flexible string field. | string |
| cef.fname | Filename component only, without path. | string |
| cef.fsize | Size of the file in bytes. | plong |
| cef.in | Number of bytes received (input). | plong |
| cef.msg | Detailed message content for the event. | text_general |
| cef.oldFileCreateTime | Original file creation time before change. | pdate |
| cef.oldFileHash | Original file hash before modification. | string |
| cef.oldFileId | Original file identifier before change. | string |
| cef.oldFileModificationTime | Original file modification time before change. | pdate |
| cef.oldFileName | Original filename before rename. | string |
| cef.oldFilePath | Original file path before move or rename. | string |
| cef.oldFilePermission | Original file permissions before change. | string |
| cef.oldFileSize | Original file size before change. | plong |
| cef.oldFileType | Original file type before change. | string |
| cef.out | Number of bytes sent (output). | plong |
| cef.outcome | Result of the event (e.g., success, fail). | string |
| cef.proto | Network protocol used (e.g., TCP, UDP). | string |
| cef.reason | Detailed reason or cause for the event. | text_general |
| cef.request | Original request payload or details. | string |
| cef.requestClientApplication | Client application (User-Agent) making the request. | string |
| cef.requestContext | Context or referrer for the request. | string |
| cef.requestCookies | Cookies sent with the request. | string |
| cef.requestMethod | HTTP method used for the request (e.g., GET, POST). | string |
| cef.rt | Receipt time when the event was ingested. | pdate |
| cef.shost | Source hostname of the event. | string |
| cef.smac | Source MAC address of the event originator. | string |
| cef.sntdom | Source NT domain for the event. | string |
| cef.sourceDnsDomain | DNS domain of the source endpoint. | string |
| cef.sourceServiceName | Service name (e.g., HTTP) used by the source. | string |
| cef.sourceTranslatedAddress | Translated source IP after NAT. | string |
| cef.sourceTranslatedPort | Translated source port after NAT. | pint |
| cef.spid | Source process ID generating the event. | pint |
| cef.spriv | Source user privileges (e.g., Admin, Guest). | string |
| cef.sproc | Name of the source process. | string |
| cef.start | Start time of the event's activity. | pdate |
| cef.suid | Source user ID associated with the event. | pint |
| cef.suser | Username under which the source action ran. | string |
| cef.deviceDirection | | pint |
| cef.type | Event subtype code (e.g., base, aggregated, correlation, action). | pint |
| cef.dpt | Destination port number (0-65535). | pint |
| cef.dst | Destination IP address. | string |
| cef.spt | Source port number (0-65535). | pint |
| cef.src | Source IP address. | string |
Sample Log Event
Below is a representative JSON log entry showing the key fields as the system emits them. Depending on the context of the event, fields that do not apply may be omitted.