CEF Mapping

The CEF standard from ArcSight defines a set of required fields and a set of optional fields. The latter are called extensions in the CEF standard. Data is mapped to these fields from Guardium® configuration information and reports. Note that not all Guardium fields map to a CEF field, so there may not be a one-to-one relationship between the rows of a printed report and the CEF file produced for that report. Also note that this facility is intended to map data from data access domains (Data Access, Exceptions, and Policy Violations, for example), and not from Guardium self-monitoring domains (Aggregation/Archive, Audit Process, Guardium Logins, etc.).

Note: Analyzed Client IP also maps to the CEF source field (src). If the query used for the CEF output does NOT contain the Client IP but does contain the Analyzed Client IP, the Analyzed Client IP is used for the source. If both are included in the query, the Client IP takes precedence.

The CEF fields in the following table are always present.

Table 1. Required CEF Fields Mapping

CEF Field      | Guardium Mapping
Version        | 0 (zero); currently the only version of the CEF format
Device Vendor  | Guardium
Device Product | Guardium
Device Version | Guardium software version number
Signature ID   | ReportID
Name           | Report Title
Severity       | Numeric severity code in the range 0-10, with 10 being the most important event. If not reset in the report, 0 (zero, which translates to Info for Guardium).

The CEF extension fields are optional, and will be present only when the mapping applies. For example, if the report does not contain an access rule description, the act field (the first extension field) will not be present. For more detailed information about the Guardium entities and attributes, see the appropriate entity reference topic.
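The following script is an added example and is not part of this topic or of the Guardium product. It applies the mapping described here in both directions: building a CEF line from a report row (required header fields always present, extension fields emitted only when a mapped column is present, Client IP taking precedence over Analyzed Client IP for src, and the CEF escaping rules for `|`, `\`, `=` and line breaks) and parsing such a line back on the receiving side. The row layout (a dictionary keyed "<Entity>.<Attribute>"), the function names and the sample rows are constructed for illustration; the order in which alternative columns are tried for keys other than src is an assumption, since this topic states a precedence only for src.

```python
"""Encode Guardium report rows as ArcSight CEF lines and parse them back.
Added example, not IBM Guardium code: the key/column mapping is the page's; the
row layout (dict keyed "<Entity>.<Attribute>"), names and sample rows are constructed."""
import re

# Extension key -> report columns that can feed it, in the page's table order.
# The first column present in a row wins, which gives "Client IP takes precedence
# over Analyzed Client IP" for src; for other keys table order is an assumption.
EXTENSION_MAP = {
    "severity": ["Policy Rule Violation.Severity"],
    "act": ["Policy Rule Violation.Access Rule Description"],
    "app": ["Client/Server.DB Protocol", "Exception.Database Protocol"],
    "dst": ["Client/Server.Server IP", "Exception.Destination Address"],
    "dhost": ["Client/Server.Server Host Name"],
    "dpt": ["Session.Server Port", "Exception.Destination Port"],
    "dproc": ["Client/Server.Source Program"],
    "duid": ["Client/Server.OS User"],
    "duser": ["Client/Server.DB User Name", "Exception.User Name"],
    "end": ["Exception.Exception Timestamp", "Policy Rule Violation.Timestamp",
            "Access Period.Period End", "Session.Session End"],
    "msg": ["Exception.Exception Description", "Message Text.Message Text",
            "Message Text.Message Subject"],
    "src": ["Client/Server.Client IP", "Client/Server.Analyzed Client IP",
            "Exception.Source Address"],
    "shost": ["Client/Server.Client Host Name"],
    "smac": ["Client/Server.Client MAC"],
    "spt": ["Session.Client Port", "Exception.Source Port"],
    "start": ["Exception.Exception Timestamp", "Policy Rule Violation.Timestamp",
              "Access Period.Period Start", "Session.Session Start"],
    "proto": ["Client/Server.Network Protocol"],
    "request": ["FULL SQL.Full Sql", "SQL.Sql"],
    "cs1": ["Session.Uid Chain"],
    "cs2": ["Session.Uid Chain Compressed"],
}
HEADER_NAMES = ("version", "device_vendor", "device_product", "device_version",
                "signature_id", "name", "severity")

def _escape_header(s):  # header fields: only backslash and pipe are escaped
    return s.replace("\\", "\\\\").replace("|", "\\|")

def _escape_extension(s):  # extension values: backslash, '=' and line breaks
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")

def build_cef(row, device_version, report_id, report_title, severity=0):
    """Return the CEF line for one report row (extensions only where mapped)."""
    severity = int(severity)  # header severity 0-10; 0 = Info when not reset
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be in the range 0-10")
    header = ["CEF:0", "Guardium", "Guardium",  # Version, Device Vendor, Device Product
              _escape_header(str(device_version)),
              _escape_header(str(report_id)),   # Signature ID = ReportID
              _escape_header(report_title),     # Name = Report Title
              str(severity)]
    extensions = []
    for key, columns in EXTENSION_MAP.items():
        for column in columns:
            if row.get(column) not in (None, ""):  # absent/empty column: no field
                extensions.append("%s=%s" % (key, _escape_extension(str(row[column]))))
                break  # first present column wins
    return "|".join(header) + "|" + " ".join(extensions)

def parse_cef(line):
    """Split a CEF line into (header dict, extension dict), undoing the escaping."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:  # seven header fields, then extensions
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(HEADER_NAMES, fields))
    header["version"] = header["version"][len("CEF:"):]
    # A key is an identifier at the start or after whitespace followed by '=';
    # an escaped '\=' inside a value never matches because keys admit no backslash.
    ext_text, extensions = line[i:], {}
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext_text))
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext_text[m.end():nxt.start() if nxt else len(ext_text)]
        extensions[m.group(1)] = re.sub(
            r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return header, extensions

# Constructed sample rows: a policy-violation row with both IP columns, and an
# exception row with only the Analyzed Client IP (which then becomes src).
SAMPLE_ROWS = [
    {"Policy Rule Violation.Access Rule Description": "Deny select on HR tables",
     "Client/Server.Client IP": "10.0.0.5",
     "Client/Server.Analyzed Client IP": "192.168.1.20",
     "Client/Server.Server IP": "10.0.0.50",
     "SQL.Sql": "select * from hr.salaries where dept=10"},
    {"Client/Server.Analyzed Client IP": "192.168.1.20",
     "Exception.Destination Address": "10.0.0.60",
     "Exception.User Name": "bob",
     "Exception.Exception Timestamp": "2024-01-01 12:00:00",
     "Exception.Exception Description": "LOGIN FAILED\nfor user bob"},
]
```

Calling `build_cef(SAMPLE_ROWS[0], "9.0", 12345, "HR | Policy Violations", 7)` yields a header of `CEF:0|Guardium|Guardium|9.0|12345|HR \| Policy Violations|7|` followed only by the `act`, `dst`, `src` and `request` extensions; the pipe in the report title is escaped in the header, the `=` in the SQL text is escaped in the extension, and `src` carries the Client IP rather than the Analyzed Client IP. The second row produces `src` from the Analyzed Client IP and feeds the same Exception Timestamp to both `start` and `end`. A receiver that splits on every `|` or `=` without honouring the escapes would mis-parse both lines, which is why `parse_cef` tokenizes character by character.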

Table 2. CEF Mapping, Guardium Version 8.2

CEF Field | Entity                | Attribute
severity  | Policy Rule Violation | Severity
act       | Policy Rule Violation | Access Rule Description
app       | Client/Server         | DB Protocol
app       | Exception             | Database Protocol
dst       | Client/Server         | Server IP
dst       | Exception             | Destination Address
dhost     | Client/Server         | Server Host Name
dpt       | Session               | Server Port
dpt       | Exception             | Destination Port
dproc     | Client/Server         | Source Program
duid      | Client/Server         | OS User
duser     | Client/Server         | DB User Name
duser     | Exception             | User Name
end       | Exception             | Exception Timestamp
end       | Policy Rule Violation | Timestamp
end       | Access Period         | Period End
end       | Session               | Session End
msg       | Exception             | Exception Description
msg       | Message Text          | Message Text
msg       | Message Text          | Message Subject
src       | Client/Server         | Client IP
src       | Client/Server         | Analyzed Client IP
src       | Exception             | Source Address
shost     | Client/Server         | Client Host Name
smac      | Client/Server         | Client MAC
spt       | Session               | Client Port
spt       | Exception             | Source Port
start     | Exception             | Exception Timestamp
start     | Policy Rule Violation | Timestamp
start     | Access Period         | Period Start
start     | Session               | Session Start
proto     | Client/Server         | Network Protocol
request   | FULL SQL              | Full Sql
request   | SQL                   | Sql
cs1       | Session               | Uid Chain
cs2       | Session               | Uid Chain Compressed

Table 3. CEF Mapping, Guardium Version 9.0

CEF Field | Entity                | Attribute
severity  | Policy Rule Violation | Severity
act       | Policy Rule Violation | Access Rule Description
app       | Client/Server         | DB Protocol
app       | Exception             | Database Protocol
dst       | Client/Server         | Server IP
dst       | Exception             | Destination Address
dhost     | Client/Server         | Server Host Name
dpt       | Session               | Server Port
dpt       | Exception             | Destination Port
dproc     | Client/Server         | Source Program
duid      | Client/Server         | OS User
duser     | Client/Server         | DB User Name
duser     | Exception             | User Name
end       | Exception             | Exception Timestamp
end       | Policy Rule Violation | Timestamp
end       | Access Period         | Period End
end       | Session               | Session End
msg       | Exception             | Exception Description
msg       | Message Text          | Message Text
msg       | Message Text          | Message Subject
src       | Client/Server         | Client IP
src       | Client/Server         | Analyzed Client IP
src       | Exception             | Source Address
shost     | Client/Server         | Client Host Name
smac      | Client/Server         | Client MAC
spt       | Session               | Client Port
spt       | Exception             | Source Port
start     | Exception             | Exception Timestamp
start     | Policy Rule Violation | Timestamp
start     | Access Period         | Period Start
start     | Session               | Session Start
proto     | Client/Server         | Network Protocol
request   | FULL SQL              | Full Sql
request   | SQL                   | Sql
cs1       | Session               | Uid Chain
cs2       | Session               | Uid Chain Compressed

For more information about CEF, search the web for "Common Event Format: Event Interoperability Standard", or visit the ArcSight website: www.arcsight.com.