Events exported to CEF format

To filter the event logs sent to Syslog, create a log category notification with a defined filter.

CEF is a text-based log format developed by ArcSight™. The CEF format includes a CEF header and a CEF extension. The extension contains a list of key-value pairs.

CEF header

Header

Example

Description

Device Vendor

ESET

 

Device Product

Protect

 

Device Version

10.0.5.1

ESET PROTECT version

Device Event Class ID (Signature ID):

109

Device Event Category unique identifier:

100199 Threat event

200299 Firewall event

300399 HIPS event

400499 Audit event

500599 ESET Inspect event

600699 Blocked files event

700–799 Filtered websites event

Event Name

Detected port scanning attack

A brief description of what happened in the event

Severity

5

Severity 010

CEF extensions common for all categories

Extension name

Example

Description

cat

ESET Threat Event

Event category:

ESET Threat Event

ESET Firewall Event

ESET HIPS Event

ESET RA Audit Event

ESET InspectEvent

ESET Blocked File Event

ESET Filtered Website Event

dvc

10.0.12.59

IPv4 address of the computer generating the event

c6a1

2001:0db8:85a3:0000:0000:8a2e:0370:7334

IPv6 address of the computer generating the event

c6a1Label

Device IPv6 Address

 

dvchost

COMPUTER02

The hostname of the computer with the event

deviceExternalId

39e0feee-45e2-476a-b17f-169b592c3645

UUID of the computer generating the event

flexString1

Lost & Found

The group name of the computer generating the event

flexString1Label

Device Group Name

 

rt

Jun 04 2017 14:10:0

UTC time of occurrence of the event. The format is %b %d %Y %H:%M:%S

CEF extensions by event category

Threat events

Extension name

Example

Description

cs1

W97M/Kojer.A

Found threat name

cs1Label

Threat Name

 

cs2

25898 (20220909)

Detection Engine version

cs2Label

Engine Version

 

cs3

Virus

Detection type

cs3Label

Threat Type

 

cs4

Real-time

file system protection

Scanner ID

cs4Label

Scanner ID

 

cs5

virlog.dat

Scan ID

cs5Label

Scan ID

 

cs6

Failed to remove file

Error message if the action was not successful

cs6Label

Action Error

 

cs7

Event occurred on a newly created file

Short description of what caused the event

cs7Label

Circumstances

 

cs8

0000000000000000000000000000000000000000

SHA1 hash of the (detection) data stream

cs8Label

Hash

 

act

Cleaned by deleting file

Action was taken by the endpoint

filePath

file:///C:/Users/Administrator/Downloads/doc/000001_5dc5c46b.DOC

Object URI

fileType

File

Object type related to the event

cn1

1

Detection was handled (1) or was not handled (0)

cn1Label

Handled

 

cn2

0

Restart is needed (1) or is not needed (0)

cn2Label

Restart Needed

 

suser

172-MG\\Administrator

Name of the user account associated with the event

sprod

C:\\7-Zip\\7z.exe

The name of the event source process

deviceCustomDate1

Jun 04 2019 14:10:00

 

deviceCustomDate1Label

FirstSeen

The time and date when the detection was found for the first time on the machine. The format is %b %d %Y %H:%M:%S

arrow_down_business Threat event CEF log example:

Firewall events

Extension name

Example

Description

msg

TCP Port Scanning attack

Event name

src

127.0.0.1

Event source IPv4 address

c6a2

2001:0db8:85a3:0000:0000:8a2e:0370:7334

Event source IPv6 address

c6a2Label

Source IPv6 Address

 

spt

36324

Port of the event source

dst

127.0.0.2

Event destination IPv4 address

c6a3

2001:0db8:85a3:0000:0000:8a2e:0370:7335

Event destination IPv6 address

c6a3Label

Destination IPv6 Address

 

dpt

24

Event destination port

proto

http

Protocol

act

Blocked

Action taken

cn1

1

Detection was handled (1) or was not handled (0)

cn1Label

Handled

 

suser

172-MG\\Administrator

Name of the user account associated with the event

deviceProcessName

someApp.exe

Name of the process associated with the event

deviceDirection

1

The connection was inbound (0) or outbound (1)

cnt

3

The number of the same messages generated by the endpoint between two consecutive replications between ESET PROTECT and ESET Management Agent

cs1

 

Rule ID

cs1Label

Rule ID

 

cs2

custom_rule_12

Rule name

cs2Label

Rule Name

 

cs3

Win32/Botnet.generic

Threat name

cs3Label

Threat Name

 

arrow_down_business Firewall event CEF log example:

HIPS events

Extension name

Example

Description

cs1

Suspicious attempt to launch an application

Rule ID

cs1Label

Rule ID

 

cs2

custom_rule_12

Rule name

cs2Label

Rule Name

 

cs3

C:\\someapp.exe

Application name

cs3Label

Application

 

cs4

Attempt to run a suspicious object

Operation

cs4Label

Operation

 

cs5

C:\\somevirus.exe

Target

cs5Label

Target

 

act

Blocked

Action taken

cs2

custom_rule_12

Rule name

cn1

1

Detection was handled (1) or was not handled (0)

cn1Label

Handled

 

cnt

3

The number of the same messages generated by the endpoint between two consecutive replications between ESET PROTECT and ESET Management Agent

arrow_down_business HIPS event CEF log example:

Audit events

Extension name

Example

Description

act

Login attempt

Action taking place

suser

Administrator

Security user involved

duser

Administrator

Targeted security user (for example, for login attempts)

msg

Authenticating native user 'Administrator'

A detailed description of the action

cs1

Native user

Audit log domain

cs1Label

Audit Domain

 

cs2

Success

Action result

cs2Label

Result

 

arrow_down_business Audit event CEF log example:

ESET Inspect events

Extension name

Example

Description

deviceProcessName

c:\\imagepath_bin.exe

Name of the process causing this alarm

suser

HP\\home

Process owner

cs2

custom_rule_12

Name of the rule triggering this alarm

cs2Label

Rule Name

 

cs3

78C136C80FF3F46C2C98F5C6B3B5BB581F8903A9

Alarm SHA1 hash

cs3Label

Hash

 

cs4

https://inspect.eset.com:443/console/alarm/126

Link to the alarm in the ESET Inspect Web Console

cs4Label

EI Console Link

 

cs5

126

ID sub-part of the alarm link ($1 in ^http.*/alarm/([0-9]+)$)

cs5Label

EI Alarm ID

 

cn1

275

Computer severity score

cn1Label

ComputerSeverityScore

 

cn2

60

Rule severity score

cn2Label

SeverityScore

 

cnt

3

The number of alerts of the same type generated since the last alarm

arrow_down_business ESET Inspect event CEF log example:

Blocked files events

Extension name

Example

Description

act

Execution blocked

Action taken

cn1

1

Detection was handled (1) or was not handled (0)

cn1Label

Handled

 

suser

HP\\home

Name of the user account associated with the event

deviceProcessName

C:\\Windows\\explorer.exe

Name of the process associated with the event

cs1

78C136C80FF3F46C2C98F5C6B3B5BB581F8903A9

SHA1 hash of the blocked file

cs1Label

Hash

 

filePath

C:\\totalcmd\\TOTALCMD.EXE

Object URI

msg

ESET Inspect

Blocked file description

deviceCustomDate1

Jun 04 2019 14:10:00

 

deviceCustomDate1Label

FirstSeen

The time and date when the detection was found for the first time on the machine. The format is %b %d %Y %H:%M:%S

cs2

Blocked by Administrator

Cause

cs2Label

Cause

 

arrow_down_business Blocked files event CEF log example:

Filtered website events

Extension name

Example

Description

msg

An attempt to connect to URL

Event type

act

Blocked

Action taken

cn1

1

Detection was handled (1) or was not handled (0)

cn1Label

Handled

 

suser

Peter

Name of the user account associated with the event

deviceProcessName

Firefox

Name of the process associated with the event

cs1

Blocked by PUA blacklist

Rule ID

cs1Label

Rule ID

 

requestUrl

https://kenmmal.com/

URL of blocked request

dst

172.17.9.224

Event destination IPv4 address

c6a3

2001:0db8:85a3:0000:0000:8a2e:0370:7335

Event destination IPv6 address

c6a3Label

Destination IPv6 Address

 

cs2

HTTP filter

Scanner ID

cs2Label

Scanner ID

 

cs3

8EECCDD290BE2E99183290FDBE4172EBE3DC7EC5

SHA1 hash of the filtered object

cs3Label

Hash

 

arrow_down_business Filtered website event CEF log example: