CEF (ArcSight)

Added by Gilles Lehmann over 8 years ago

Hello

From what I understand, CEF is more a "syslog" format than an "alert" format.

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/78000/KB78712/en_US/CEF_White_Paper_20100722.pdf

There could still be interesting attributes to put in v2.

Gil


Replies (3)

RE: CEF (ArcSight) - Added by Gilles Lehmann over 8 years ago

I replaced the link (which was already dead) with a new one, but I can't find a recent version of the CEF specification. This one is from 2010.

The CEF specification used to be downloadable from the ArcSight web site if you gave your email, etc., but I can't find it anymore on the HP site.

If you have anything more recent, please update it (and I'll put it in the IDMEF references on the web site).

Thanx

Gil

RE: CEF (ArcSight) - Added by Anonymous over 8 years ago

We found a more recent version of the CEF specification.
You can find it here: https://protect724.hp.com/servlet/JiveServlet/downloadBody/1072-102-6-4697/CommonEventFormat.pdf

Sélim & Vérène

RE: CEF (ArcSight) - Added by Anonymous almost 8 years ago

We already compared IDMEF and CEF. To summarize what was said, here are the main fields that can be found in CEF and are missing in IDMEF:
- Start time and end time for the event.
- Counter
- Transport protocol
- NAT address
- User privileges

You can find some of these points in the “missing fields” section.
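To make the comparison concrete, here is an added example (not code from the thread, from the IDMEF project or from ArcSight): a small Python parser for the CEF record layout as described in the specification linked above, a seven-field `|`-separated prefix (`CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|`) followed by a space-separated `key=value` extension, with the two escaping rules (`\|` and `\\` in the prefix, `\=` and `\\` in extension values) handled. It then pulls out the extension keys that carry the information the reply above lists as missing from IDMEF. The key names (`start`, `end`, `cnt`, `proto`, `sourceTranslatedAddress`, `destinationTranslatedAddress`, `spriv`, `dpriv`) are taken from the CEF extension dictionary as I know it; the sample events are constructed for the example, and the second one arrives with a syslog header in front of `CEF:`, which is how such records usually reach a collector.

```python
"""Minimal parser for ArcSight CEF records (prefix + extension).

Added example, not the original poster's code. The extension key names below are
the CEF extension dictionary keys as I know them; the sample events are constructed.
"""
import re
from typing import Dict, List

# Constructed sample events (not from the post). The second one exercises both
# escaping rules: '\|' inside a prefix field and '\=' inside an extension value,
# and carries a syslog header before 'CEF:'.
SAMPLE_EVENTS: List[str] = [
    "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|"
    "src=10.0.0.1 dst=2.1.2.2 spt=1232 dpt=445 proto=TCP cnt=5 "
    "start=1451606400000 end=1451606460000",
    "<134>Jan  1 00:00:00 fw01 CEF:0|Vendor|Firewall|2.3|300|nat \\| session|3|"
    "src=192.168.1.5 sourceTranslatedAddress=203.0.113.7 dst=198.51.100.20 "
    "proto=UDP spriv=Administrator msg=pipe | in message and equals\\= sign",
]

PREFIX_NAMES = ("version", "device_vendor", "device_product", "device_version",
                "signature_id", "name", "severity")

# CEF keys carrying the information the last reply lists as missing from IDMEF.
IDMEF_GAP_KEYS = {
    "start": "start time",
    "end": "end time",
    "cnt": "counter (baseEventCount)",
    "proto": "transport protocol",
    "sourceTranslatedAddress": "NAT address (source)",
    "destinationTranslatedAddress": "NAT address (destination)",
    "spriv": "user privileges (source)",
    "dpriv": "user privileges (destination)",
}

# A key starts at the beginning of the extension or after whitespace and is
# followed by an unescaped '='; an escaped '\=' inside a value never matches.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_prefix(body: str) -> List[str]:
    """Split the text after 'CEF:' on unescaped '|' (backslash escapes '|' and '\\').

    Returns the seven prefix fields followed by the raw extension string.
    """
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped character: keep it literally
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF prefix needs 7 '|'-separated fields")
    fields.append(body[i:])  # everything after the 7th '|' is the extension
    return fields


def _unescape_ext(value: str) -> str:
    """Undo extension escapes: backslash-'=' and backslash-backslash become the
    literal character; backslash-n / backslash-r become newline / carriage return."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key=value' where values may contain spaces and escaped '='."""
    out: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end])
    return out


def parse_cef(record: str) -> Dict[str, object]:
    """Parse one CEF record, tolerating a syslog header in front of 'CEF:'."""
    idx = record.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF record")
    parts = _split_prefix(record[idx + 4:])
    event: Dict[str, object] = dict(zip(PREFIX_NAMES, parts[:7]))
    event["extension"] = _parse_extension(parts[7])
    return event


def idmef_gap_fields(event: Dict[str, object]) -> Dict[str, str]:
    """Return the extension values for keys IDMEF has no direct equivalent for."""
    ext = event["extension"]
    return {k: v for k, v in ext.items() if k in IDMEF_GAP_KEYS}


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_cef(line)
        print(ev["device_product"], ev["name"], ev["severity"], idmef_gap_fields(ev))
```

The parser is deliberately strict about the prefix (fewer than seven fields is rejected) and deliberately loose about the extension (unknown keys are kept as-is), which is the behaviour you want in a collector: a malformed header should be dropped and inspected, while a vendor-specific extension key should not cause event loss.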
