CEF fields

Module for receiving CEF logs over Syslog. The module adds vendor specific fields in addition to the fields the decode_cef processor provides.

forcepoint

Fields for Forcepoint Custom String mappings

forcepoint.virus_id: Virus ID

type: keyword

checkpoint

Fields for Check Point custom string mappings.

checkpoint.app_risk: Application risk.

type: keyword

checkpoint.app_severity: Application threat severity.

type: keyword

checkpoint.app_sig_id: The signature ID which the application was detected by.

type: keyword

checkpoint.auth_method: Password authentication protocol used.

type: keyword

checkpoint.category: Category.

type: keyword

checkpoint.confidence_level: Confidence level determined.

type: integer

checkpoint.connectivity_state: Connectivity state.

type: keyword

checkpoint.cookie: IKE cookie.

type: keyword

checkpoint.dst_phone_number: Destination IP-Phone.

type: keyword

checkpoint.email_control: Engine name.

type: keyword

checkpoint.email_id: Internal email ID.

type: keyword

checkpoint.email_recipients_num: Number of recipients.

type: long

checkpoint.email_session_id: Internal email session ID.

type: keyword

checkpoint.email_spool_id: Internal email spool ID.

type: keyword

checkpoint.email_subject: Email subject.

type: keyword

checkpoint.event_count: Number of events associated with the log.

type: long

checkpoint.frequency: Scan frequency.

type: keyword

checkpoint.icmp_type: ICMP type.

type: long

checkpoint.icmp_code: ICMP code.

type: long

checkpoint.identity_type: Identity type.

type: keyword

checkpoint.incident_extension: Format of original data.

type: keyword

checkpoint.integrity_av_invoke_type: Scan invoke type.

type: keyword

checkpoint.malware_family: Malware family.

type: keyword

checkpoint.peer_gateway: Main IP of the peer Security Gateway.

type: ip

checkpoint.performance_impact: Protection performance impact.

type: integer

checkpoint.protection_id: Protection malware ID.

type: keyword

checkpoint.protection_name: Specific signature name of the attack.

type: keyword

checkpoint.protection_type: Type of protection used to detect the attack.

type: keyword

checkpoint.scan_result: Scan result.

type: keyword

checkpoint.sensor_mode: Sensor mode.

type: keyword

checkpoint.severity: Threat severity.

type: keyword

checkpoint.spyware_name: Spyware name.

type: keyword

checkpoint.spyware_status: Spyware status.

type: keyword

checkpoint.subs_exp: The expiration date of the subscription.

type: date

checkpoint.tcp_flags: TCP packet flags.

type: keyword

checkpoint.termination_reason: Termination reason.

type: keyword

checkpoint.update_status: Update status.

type: keyword

checkpoint.user_status: User response.

type: keyword

checkpoint.uuid: External ID.

type: keyword

checkpoint.virus_name: Virus name.

type: keyword

checkpoint.voip_log_type: VoIP log types.

type: keyword

cef.extensions

Extra vendor-specific extensions.

cef.extensions.cp_app_risk: type: keyword
cef.extensions.cp_severity: type: keyword
cef.extensions.ifname: type: keyword
cef.extensions.inzone: type: keyword
cef.extensions.layer_uuid: type: keyword
cef.extensions.layer_name: type: keyword
cef.extensions.logid: type: keyword
cef.extensions.loguid: type: keyword
cef.extensions.match_id: type: keyword
cef.extensions.nat_addtnl_rulenum: type: keyword
cef.extensions.nat_rulenum: type: keyword
cef.extensions.origin: type: keyword
cef.extensions.originsicname: type: keyword
cef.extensions.outzone: type: keyword
cef.extensions.parent_rule: type: keyword
cef.extensions.product: type: keyword
cef.extensions.rule_action: type: keyword
cef.extensions.rule_uid: type: keyword
cef.extensions.sequencenum: type: keyword
cef.extensions.service_id: type: keyword
cef.extensions.version: type: keyword