CEF Mapping
The CEF standard from ArcSight defines a set of required fields and a set of optional fields; the standard calls the optional fields extensions. Data is mapped to these fields from Guardium® configuration information and reports. Not every Guardium field maps to a CEF field, so there may not be a one-to-one relationship between the rows of a printed report and the CEF file produced for that report. Also note that this facility is intended to map data from data access domains (Data Access, Exceptions, and Policy Violations, for example), not from Guardium self-monitoring domains (Aggregation/Archive, Audit Process, Guardium Logins, etc.).
The CEF fields in the following table are always present.
CEF Field | Guardium Mapping |
---|---|
Version | 0 (zero); currently the only version of the CEF format |
Device Vendor | Guardium |
Device Product | Guardium |
Device Version | Guardium software version number |
Signature ID | ReportID |
Name | Report Title |
Severity | Numeric severity code in the range 0-10, with 10 being the most important event. If not reset in the report, 0 (zero, which translates to Info for Guardium). |
The CEF extension fields are optional and are present only when the mapping applies. For example, if the report does not contain an access rule description, the act extension field will not be present. Several CEF fields have more than one Guardium source (dst, for instance, comes from the Client/Server Server IP in a data access report and from the Exception Destination Address in an exceptions report); which source applies depends on the domain of the report being exported. For more detailed information about the Guardium entities and attributes, see the appropriate entity reference topic.
CEF Field | Entity | Attribute |
---|---|---|
severity | Policy Rule Violation | Severity |
act | Policy Rule Violation | Access Rule Description |
app | Client/Server | DB Protocol |
app | Exception | Database Protocol |
dst | Client/Server | Server IP |
dst | Exception | Destination Address |
dhost | Client/Server | Server Host Name |
dpt | Session | Server Port |
dpt | Exception | Destination Port |
dproc | Client/Server | Source Program |
duid | Client/Server | OS User |
duser | Client/Server | DB User Name |
duser | Exception | User Name |
end | Exception | Exception Timestamp |
end | Policy Rule Violation | Timestamp |
end | Access Period | Period End |
end | Session | Session End |
msg | Exception | Exception Description |
msg | Message Text | Message Text |
msg | Message Text | Message Subject |
src | Client/Server | Client IP |
src | Client/Server | Analyzed Client IP |
src | Exception | Source Address |
shost | Client/Server | Client Host Name |
smac | Client/Server | Client MAC |
spt | Session | Client Port |
spt | Exception | Source Port |
start | Exception | Exception Timestamp |
start | Policy Rule Violation | Timestamp |
start | Access Period | Period Start |
start | Session | Session Start |
proto | Client/Server | Network Protocol |
request | FULL SQL | Full Sql |
request | SQL | Sql |
cs1 | Session | Uid Chain |
cs2 | Session | Uid Chain Compressed |
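The following is an added example, not Guardium product code, showing how the two mapping tables above turn one report row into a CEF:0 line and how a SIEM-side parser reads it back. It applies the CEF escaping rules that the tables imply but do not state: backslash and pipe must be escaped in the seven header fields, and backslash, equals sign and line breaks must be escaped in extension values (Full Sql and message text routinely contain all of these). The precedence used when a CEF field has several Guardium sources (first source present in the row wins), the sample row, and the report id and version number are assumptions made for the example.

```python
"""Render one Guardium report row as a CEF:0 line using the field mapping on
this page, then parse it back. Added example; not Guardium product code."""
import re

# (CEF field, Guardium entity, Guardium attribute), in the page's order. Where a
# CEF field has several sources, the first source present in the row wins here
# (an assumption; the page states no precedence).
MAPPING = [
    ("severity", "Policy Rule Violation", "Severity"),
    ("act", "Policy Rule Violation", "Access Rule Description"),
    ("app", "Client/Server", "DB Protocol"),
    ("app", "Exception", "Database Protocol"),
    ("dst", "Client/Server", "Server IP"),
    ("dst", "Exception", "Destination Address"),
    ("dhost", "Client/Server", "Server Host Name"),
    ("dpt", "Session", "Server Port"),
    ("dpt", "Exception", "Destination Port"),
    ("dproc", "Client/Server", "Source Program"),
    ("duid", "Client/Server", "OS User"),
    ("duser", "Client/Server", "DB User Name"),
    ("duser", "Exception", "User Name"),
    ("end", "Exception", "Exception Timestamp"),
    ("end", "Policy Rule Violation", "Timestamp"),
    ("end", "Access Period", "Period End"),
    ("end", "Session", "Session End"),
    ("msg", "Exception", "Exception Description"),
    ("msg", "Message Text", "Message Text"),
    ("msg", "Message Text", "Message Subject"),
    ("src", "Client/Server", "Client IP"),
    ("src", "Client/Server", "Analyzed Client IP"),
    ("src", "Exception", "Source Address"),
    ("shost", "Client/Server", "Client Host Name"),
    ("smac", "Client/Server", "Client MAC"),
    ("spt", "Session", "Client Port"),
    ("spt", "Exception", "Source Port"),
    ("start", "Exception", "Exception Timestamp"),
    ("start", "Policy Rule Violation", "Timestamp"),
    ("start", "Access Period", "Period Start"),
    ("start", "Session", "Session Start"),
    ("proto", "Client/Server", "Network Protocol"),
    ("request", "FULL SQL", "Full Sql"),
    ("request", "SQL", "Sql"),
    ("cs1", "Session", "Uid Chain"),
    ("cs2", "Session", "Uid Chain Compressed"),
]

def _h(v):
    """Escape a header field: backslash and pipe are the specials there."""
    return str(v).replace("\\", "\\\\").replace("|", "\\|")

def _x(v):
    """Escape an extension value: backslash, '=', and line breaks (pipe is fine)."""
    return (str(v).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(report_id, report_title, device_version, row):
    """row maps (entity, attribute) -> value for one report row."""
    severity = row.get(("Policy Rule Violation", "Severity"), 0)  # page: default 0
    header = "|".join(["CEF:0", "Guardium", "Guardium", _h(device_version),
                       _h(report_id), _h(report_title), _h(int(severity))])
    ext, done = [], set()
    for field, entity, attr in MAPPING:
        if field not in done and (entity, attr) in row:
            done.add(field)
            ext.append(f"{field}={_x(row[(entity, attr)])}")
    return header + "|" + " ".join(ext)

# key=value pairs; a value runs until the next " key=" or end of line, with
# escaped characters (\=, \\, \n, \r) never treated as delimiters.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?= \w+=|$)")

def parse_cef(line):
    """Split a CEF line into its seven header fields and an extension dict,
    undoing the escapes in one left-to-right pass."""
    fields, cur, i = [], [], 0
    while len(fields) < 7:
        if i >= len(line):
            raise ValueError("malformed CEF header: fewer than 7 '|' separators")
        if line[i] == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif line[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(line[i]); i += 1
    unescape = lambda v: re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), v)
    return fields, {k: unescape(v) for k, v in _EXT_RE.findall(line[i:])}

# Constructed sample row from a Policy Violations report (not real data); the
# report id 20050 and version 11.5 used below are placeholders.
SAMPLE_ROW = {
    ("Policy Rule Violation", "Severity"): 7,
    ("Policy Rule Violation", "Access Rule Description"): "Alert|block: SELECT on PII=table",
    ("Policy Rule Violation", "Timestamp"): "2024-01-15 10:22:31",
    ("Client/Server", "Client IP"): "10.1.2.3",
    ("Client/Server", "Server IP"): "10.9.8.7",
    ("Client/Server", "DB User Name"): "app_svc",
    ("Client/Server", "DB Protocol"): "ORACLE",
    ("Session", "Server Port"): 1521,
    ("FULL SQL", "Full Sql"): "select ssn from customers where id=42\n",
}

if __name__ == "__main__":
    line = to_cef("20050", "Policy Violations", "11.5", SAMPLE_ROW)
    print(line)
    print(parse_cef(line))
```

Fields absent from the row (dhost, dproc, msg, and so on) produce no extension key, as the page describes; the Policy Rule Violation Timestamp feeds both start and end, which is why both appear with the same value. A receiving parser that splits on every `=` or `|` without honouring the escapes will mis-read the SQL text in request, so the round trip is the check worth running against a real export.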
For more information about CEF, search the web for Common Event Format: Event Interoperability Standard, or visit the ArcSight Website: www.arcsight.com.