CEF (ArcSight)
Added by Gilles Lehmann over 8 years ago
Hello
From what I understand, CEF is more a "syslog" format than an "alert" format.
There still could be interesting attributes to put in v2.
Gil
Replies (3)
RE: CEF (ArcSight) - Added by Gilles Lehmann over 8 years ago
I replaced the link (which was already dead) with a new one, but I can't find a recent version of the CEF specification. This one is from 2010.
The CEF specification used to be downloadable from the ArcSight web site if you gave your email, etc., but I can't find it anymore on the HP site.
If you have anything more recent, please update (and I'll put it in the IDMEF references on the web site).
Thanx
Gil
RE: CEF (ArcSight) - Added by Anonymous over 8 years ago
We found a more recent version of the CEF specification.
You can find it here: https://protect724.hp.com/servlet/JiveServlet/downloadBody/1072-102-6-4697/CommonEventFormat.pdf
Sélim & Vérène
RE: CEF (ArcSight) - Added by Anonymous almost 8 years ago
We already compared IDMEF and CEF. To summarize what was said, here are the main fields that can be found in CEF and are missing from IDMEF:
- Start time and end time for the event
- Counter
- Transport protocol
- NAT address
- User privileges
You can find some of these points in the "missing fields" section.
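To make the comparison concrete, here is an added example (not code from the thread or from the IDMEF project) that parses a CEF line and pulls out the fields listed above. The sample line is constructed, and the extension key names (start, end, cnt, proto, sourceTranslatedAddress, spriv) are assumed from the CEF specification rather than taken from the post.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not from the thread). A CEF line is 7 pipe-separated
# header fields then a key=value extension; "\|" and "\=" are escapes.
SAMPLE = ("CEF:0|ExampleVendor|ExampleFW|1.0|100|Port scan \\| blocked|7|"
          "start=1497360000000 end=1497360060000 cnt=42 proto=TCP src=10.0.0.5 "
          "sourceTranslatedAddress=203.0.113.9 spriv=Administrator "
          "msg=key\\=value seen in payload")
# CEF extension keys (assumed from the CEF spec, not named in the post) that
# carry the fields the thread lists as missing from IDMEF.
THREAD_FIELDS = {"start": "start time", "end": "end time", "cnt": "counter",
                 "proto": "transport protocol", "spriv": "user privileges",
                 "sourceTranslatedAddress": "NAT address"}
HEADER = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # start of an extension key
def split_header(line):
    """Return the 7 header fields plus the raw extension, honouring '\\|' escapes."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, buf, i = [], [], 4
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped char: keep it literally
            buf.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(buf)); buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    return fields, line[i:]
def parse_extension(ext):
    """Split key=value pairs; values may contain spaces and '\\=' escapes."""
    keys, out = list(KEY_RE.finditer(ext)), {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out
def parse_cef(line):
    header, ext = split_header(line)
    return dict(zip(HEADER, header), extension=parse_extension(ext))
def thread_fields(rec):
    """Fields the thread discusses; CEF start/end are epoch milliseconds."""
    to_utc = lambda v: datetime.fromtimestamp(int(v) / 1000, tz=timezone.utc)
    conv = {"start": to_utc, "end": to_utc, "cnt": int}
    return {label: conv.get(key, str)(rec["extension"][key])
            for key, label in THREAD_FIELDS.items() if key in rec["extension"]}
```

Running `thread_fields(parse_cef(SAMPLE))` yields the start/end as UTC datetimes, the counter as an integer, and the protocol, NAT address and privilege strings, which is the data an IDMEF v2 mapping would have to carry.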