Expressions in CEF format for structured data

Structured data in CEF format contains one or more properties, which are represented as key-value pairs.

About this task

You can extract properties from an event that is presented in CEF format by writing a CEF expression that matches the property. Valid CEF expressions are in the form of either a single key reference, or a special CEF header field reference.

For example, you have an event that is formatted in CEF:
CEF:0|ABC Company|SystemDefender|1.13|console_login|Console Login|1|start=Oct 18 2017 11:26:03 duser=jsmith cs1=John Smith cs1Label=Person Name cs2=interactivePassword cs2Label=authType src=1.1.1.1

You can extract a property or a header key property from the event by choosing one of the following methods:

Procedure

  1. To extract the 'cs1' property, type cs1 in the Expression field.
    The possible keys that can be extracted are:
    • start
    • duser
    • cs1
    • cs1Label
    • cs2
    • cs2Label
    • src
  2. To extract a header key property, type the key in the following format in the Expression field:
    $id$
    The CEF header values can be extracted by using the following expressions:
    • $cefversion$
    • $vendor$
    • $product$
    • $version$
    • $id$
    • $name$
    • $severity$
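The following Python example is added here for illustration and is not part of the original documentation or the product: it evaluates both expression forms described above against the sample event from this page (joined onto one line), splitting the seven pipe-delimited header fields that the $...$ expressions name and parsing the key=value extension, in which values such as cs1=John Smith contain spaces. The function names and the handling of CEF's backslash escapes for '|' and '=' are this example's own choices.

```python
import re

# Constructed sample: the page's example event, joined onto a single line.
SAMPLE_EVENT = (
    "CEF:0|ABC Company|SystemDefender|1.13|console_login|Console Login|1|"
    "start=Oct 18 2017 11:26:03 duser=jsmith cs1=John Smith cs1Label=Person Name "
    "cs2=interactivePassword cs2Label=authType src=1.1.1.1"
)

# The seven header fields, in order, named as the $...$ expressions refer to them.
HEADER_KEYS = ["cefversion", "vendor", "product", "version", "id", "name", "severity"]


def split_header(event):
    """Return (header dict, extension string). Splits only on unescaped '|'
    and stops after seven fields, so a '|' inside the extension is left alone."""
    parts = re.split(r"(?<!\\)\|", event, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a well-formed CEF event")
    fields = [p.replace("\\|", "|") for p in parts[:7]]  # undo CEF header escaping
    header = dict(zip(HEADER_KEYS, fields))
    header["cefversion"] = header["cefversion"][len("CEF:"):]
    return header, parts[7]


def parse_extension(extension):
    """Parse 'key=value key=value ...'. Values may contain spaces (cs1=John Smith),
    so a new pair begins only at a token 'key=' that starts the string or follows
    whitespace; each value runs up to the next such token."""
    pairs = {}
    keys = list(re.finditer(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=", extension))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        value = extension[m.end():end].strip()
        pairs[m.group(1)] = value.replace("\\=", "=")  # undo CEF extension escaping
    return pairs


def evaluate(expression, event):
    """Evaluate a CEF expression: a '$id$'-style name reads a header field,
    a bare key reads an extension property. Returns None when absent."""
    header, extension = split_header(event)
    if len(expression) > 2 and expression.startswith("$") and expression.endswith("$"):
        return header.get(expression[1:-1])
    return parse_extension(extension).get(expression)


if __name__ == "__main__":
    for expr in ("$vendor$", "$name$", "$severity$", "cs1", "cs1Label", "src"):
        print(f"{expr:12} -> {evaluate(expr, SAMPLE_EVENT)!r}")
```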