From what I understand, CEF is more a "syslog" format than an "alert" format.
There could still be interesting attributes to put in v2.
RE: CEF (ArcSight) - Added by Gilles Lehmann over 7 years ago
I replaced the link (which was already dead) with a new one, but I can't find a recent version of the CEF specification. This one is from 2010.
The CEF specification used to be downloadable from the ArcSight web site if you gave your email, etc., but I can't find it anymore on the HP site.
If you have anything more recent, please update it (and I'll put it in the IDMEF references on the web site).
RE: CEF (ArcSight) - Added by Anonymous over 7 years ago
We found a more recent version of the CEF specification.
You can find it here: https://protect724.hp.com/servlet/JiveServlet/downloadBody/1072-102-6-4697/CommonEventFormat.pdf
Sélim & Vérène
RE: CEF (ArcSight) - Added by Anonymous about 7 years ago
We already compared IDMEF and CEF. To summarize what was said, here are the main fields that can be found in CEF and are missing in IDMEF:
- Start time and end time for the event.
- Transport protocol
- NAT address
- User privileges
You can find some of these points in the "missing fields" section.
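To make the comparison concrete, here is an added Python example (not code from the thread or from any of its posters) that parses one CEF line into its header and extension and pulls out the attributes the post above lists as absent from IDMEF. The header and extension escaping rules (`\|` and `\\` in the header, `\=`, `\\`, `\n`, `\r` in the extension) follow the CEF specification; the extension key names used for the four concepts (`start`, `end`, `proto`, `sourceTranslatedAddress`, `destinationTranslatedAddress`, `spriv`, `dpriv`) are the names from the ArcSight CEF dictionary. The sample event, the function names and the `GAP_FIELDS` mapping are this example's own constructions.

```python
import re
from datetime import datetime, timezone

# Constructed sample event (not from the thread); all values are illustrative.
SAMPLE_CEF = (
    "CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection allowed|3|"
    "start=1365134000000 end=1365134060000 proto=TCP "
    "src=10.0.0.5 spt=51000 sourceTranslatedAddress=203.0.113.7 "
    "dst=198.51.100.9 dpt=443 suser=alice spriv=Administrator "
    "msg=Outbound session allowed\\=yes"
)

HEADER_NAMES = ("version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")

# CEF extension keys (ArcSight CEF dictionary names) for the concepts the post
# lists as missing from IDMEF; the left-hand names are this example's own.
GAP_FIELDS = {
    "start_time": "start",
    "end_time": "end",
    "transport_protocol": "proto",
    "source_nat_address": "sourceTranslatedAddress",
    "destination_nat_address": "destinationTranslatedAddress",
    "source_user_privileges": "spriv",
    "destination_user_privileges": "dpriv",
}

# A new key=value pair begins only where whitespace (or line start) is
# followed by 'key='; an escaped '\=' inside a value does not match.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(line):
    """Return the 7 header fields and the raw extension string.

    In the header '\\|' is a literal pipe and '\\\\' a literal backslash,
    so a plain str.split('|') would cut values in the wrong place.
    """
    fields, buf, i, n = [], [], 0, len(line)
    while i < n and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < n and line[i + 1] in "|\\":
            buf.append(line[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, line[i:]


def _unescape(value):
    # Extension escapes: '\=' -> '=', '\\' -> '\', '\n' / '\r' -> line breaks.
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _parse_extension(ext):
    """Split 'key=value key=value' where values may themselves contain spaces."""
    pairs = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        pairs[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return pairs


def parse_cef(line):
    """Parse one CEF line into a dict of header fields plus an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, ext = _split_header(line)
    event = dict(zip(HEADER_NAMES, fields))
    event["extension"] = _parse_extension(ext)
    return event


def to_iso(cef_time):
    """CEF start/end may be epoch milliseconds; render those as ISO 8601 UTC."""
    if cef_time.isdigit():
        return datetime.fromtimestamp(int(cef_time) / 1000, tz=timezone.utc).isoformat()
    return cef_time  # already a formatted timestamp; passed through unchanged


def idmef_gap_fields(event):
    """Collect the CEF attributes the post says have no direct IDMEF counterpart."""
    ext = event["extension"]
    out = {name: ext[key] for name, key in GAP_FIELDS.items() if key in ext}
    for name in ("start_time", "end_time"):
        if name in out:
            out[name] = to_iso(out[name])
    return out


if __name__ == "__main__":
    ev = parse_cef(SAMPLE_CEF)
    print(ev["name"], "severity", ev["severity"])
    for k, v in idmef_gap_fields(ev).items():
        print(f"{k}: {v}")
```

The two scanners are kept separate because the header and the extension use different escape rules; the usual mistake is splitting the whole line on `|` or the extension on spaces, which silently truncates a `name` containing an escaped pipe or a `msg` containing spaces. Run the file directly to see the header and the extracted gap fields for the constructed sample.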