15/07/2021 CEF-Based Format Definition | CyberArk Docs

CEF-Based Format Definition

The following table describes the CEF-based format of the syslog records sent by PTA.

| Field | Description | Specified value |
| --- | --- | --- |
| Prefix fields | | |
| CEF:[number] | The CEF header and version. The version number identifies the version of the CEF format. | CEF:0 |
| Device Vendor, Device Product, Device Version | Information about the device sending the message. For PTA, the Device Vendor is CyberArk, and the Device Product is PTA. | CyberArk, PTA, 12.1 |
| Event Type | A unique ID that identifies the event that is reported. | {21-55} |
| Event Name | A description of the reported event type. For a complete list of PTA detections, indicators of compromise and their descriptions, see What Detections Does PTA Report?. | {Suspected credentials theft, Unmanaged privileged account, Privileged access during irregular hours, etc…} |
| Severity | A numeric value that indicates the severity of the event. 1 is the lowest event severity; 10 is the highest event severity. | {1,2,3,4,5,6,7,8,9,10} |
| Extension fields | | |
| suser | Source user name | Any user |
| shost | Source host name | Any host |
| src | Source IP address | Any IP |
| duser | Destination user name | Any user |
| dhost | Destination host address | Any host |
| dst | Destination IP address | Any IP |
| cs1Label | The label of the Extra Data field | “ExtraData” |
| cs1 | Additional information which is relevant for the reported security event | For example, SPN and Session |
| cs2Label | The label of the Security Event ID field | “EventID” |
| cs2 | The ID of the reported security event | 52b06812ec3500ed864c461e |
| deviceCustomDate1Label | The label of the detectionDate field | “DetectionDate” |
| deviceCustomDate1 | The system time when PTA identified the security event | 1388577900000 |
| cs3Label | The label of the link field | “PTALink” |
| cs3 | The HTTPS link to the Security Events page in PVWA. | https://10.1.1.1./PasswordVault/v10/pta/events |
| cs4Label | The label of the external link field | “ExternalLink” |
| cs4 | An HTTPS link to other CyberArk or third party products that can add more information to the security event. Note: Due to a CEF limitation, if the link includes the equals sign ( = ), the link will be broken. To view the link, copy the relevant URL and remove the backslash ( \ ) before the equals sign ( = ). | http://... |
| cs5Label | The label of the suspicious session activity | "SuspiciousSessionActivity" |
| cs5 | The command describing the suspicious session activity | The command, for example, DeleteDB |

Note:

- The suser, shost, src, duser, dhost and dst fields may contain a single value or a list of values. If the field contains a list of values, the values are separated by a comma; if they are larger than 1024, data is omitted and “etc..” is added to the end.
- The dhost and dst fields can be a single host or a database instance. If it is a database instance, the dhost destination is in the format <machine:instance>.
- When the src, dst, duser, suser or cs1 field has no value, the field is sent with the value None.

The following example shows syslog output generated by PTA (one record is a single line):

```
CEF:0|CyberArk|PTA|12.1|1|Suspected credentials theft|8|suser=[email protected] shost=prod1.domain.com src=1.1.1.1 duser=[email protected] dhost=dev1.domain.com dst=2.2.2.2 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=52b06812ec3500ed864c461e deviceCustomDate1Label=detectionDate deviceCustomDate1=1388577900000 cs3Label=PTAlink cs3=https://1.1.1.1/incidents/52b06812ec3500ed864c461e cs4Label=ExternalLink cs4=None
```
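The following parser is an added example for anyone ingesting these records into a SIEM; it is not CyberArk's code and is not part of the original page. It implements the format described in the table, the Note and the example above: a seven-field pipe-delimited CEF header, then a space-separated extension of key=value pairs, where `\|` escapes a pipe in the header and `\=` escapes an equals sign inside an extension value (the cs4 note), `None` marks an empty field, the six user/host/IP fields may be comma-separated lists ending in `etc..` when truncated, dhost may carry a database instance as machine:instance, and deviceCustomDate1 is epoch milliseconds. The two sample records are constructed, not captured from a PTA: the first mirrors the documented example with placeholder user names, the second exercises the edge cases; the event type 30 and the domains in it are placeholders, and treating cs4=None like the other None fields is an assumption taken from the example rather than the Note.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

LIST_FIELDS = {"suser", "shost", "src", "duser", "dhost", "dst"}  # may be comma lists
# The Note names five None fields; the documented example also sends cs4=None.
NONE_FIELDS = {"src", "dst", "duser", "suser", "cs1", "cs4"}
TRUNCATION_MARK = "etc.."                                         # list was cut at 1024

_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")          # header delimiter
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")   # key= at start or after a space
_ESCAPE = re.compile(r"\\([\\|=])")                  # \\ \| \=  ->  \ | =


@dataclass
class PtaEvent:
    cef_version: str
    vendor: str
    product: str
    device_version: str
    event_type: int
    event_name: str
    severity: int
    extension: dict                               # normalised key -> value
    truncated: set = field(default_factory=set)   # list fields that ended in etc..

    def detected_at(self):
        """deviceCustomDate1 is epoch milliseconds; return it as a UTC datetime."""
        ms = self.extension.get("deviceCustomDate1")
        return None if ms is None else datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def split_db_instance(dhost):
    """A database destination arrives as machine:instance (Note above)."""
    machine, sep, instance = dhost.partition(":")
    return machine, (instance if sep else None)


def parse_extension(ext):
    """Cut the extension at unescaped key= boundaries, so values may contain spaces."""
    keys = list(_EXT_KEY.finditer(ext))
    raw = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        # Undo CEF escaping here, which is what the cs4 note asks the reader to do by hand.
        raw[m.group(1)] = _ESCAPE.sub(r"\1", ext[m.end():end].strip())
    return raw


def normalize_extension(raw):
    """Apply the conventions from the Note: None sentinel, comma lists, etc.. marker."""
    fields, truncated = {}, set()
    for key, value in raw.items():
        if key in NONE_FIELDS and value == "None":
            fields[key] = None
        elif key in LIST_FIELDS:
            items = [v.strip() for v in value.split(",")]
            if items[-1].endswith(TRUNCATION_MARK):
                truncated.add(key)
                items[-1] = items[-1][: -len(TRUNCATION_MARK)].strip()
            fields[key] = [v for v in items if v]
        elif key == "deviceCustomDate1":
            fields[key] = int(value)
        else:
            fields[key] = value
    return fields, truncated


def parse_cef_line(line):
    """Parse one PTA record: seven pipe-delimited header fields, then the extension."""
    parts = _UNESCAPED_PIPE.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record with a 7-field header")
    hdr = [_ESCAPE.sub(r"\1", p) for p in parts[:7]]
    fields, truncated = normalize_extension(parse_extension(parts[7]))
    return PtaEvent(hdr[0][4:], hdr[1], hdr[2], hdr[3], int(hdr[4]), hdr[5],
                    int(hdr[6]), fields, truncated)


# Constructed sample records (not captured from a real PTA). The first mirrors the
# documented example with placeholder user names; the second exercises the edge
# cases from the Note plus an escaped = inside cs4. Event type 30 is a placeholder.
SAMPLE_SIMPLE = (
    "CEF:0|CyberArk|PTA|12.1|1|Suspected credentials theft|8|"
    "suser=alice@domain.com shost=prod1.domain.com src=1.1.1.1 "
    "duser=bob@domain.com dhost=dev1.domain.com dst=2.2.2.2 "
    "cs1Label=ExtraData cs1=None cs2Label=EventID cs2=52b06812ec3500ed864c461e "
    "deviceCustomDate1Label=detectionDate deviceCustomDate1=1388577900000 "
    "cs3Label=PTAlink cs3=https://1.1.1.1/incidents/52b06812ec3500ed864c461e "
    "cs4Label=ExternalLink cs4=None"
)
SAMPLE_EDGE = (
    "CEF:0|CyberArk|PTA|12.1|30|Privileged access during irregular hours|6|"
    "suser=None shost=jump1.domain.com src=1.1.1.1, 1.1.1.2, etc.. "
    "duser=dba dhost=dbsrv1.domain.com:SQLEXPRESS dst=2.2.2.2 "
    "cs1Label=ExtraData cs1=SPN cs2Label=EventID cs2=0123456789abcdef01234567 "
    "deviceCustomDate1Label=detectionDate deviceCustomDate1=1388577900000 "
    "cs4Label=ExternalLink cs4=https://siem.example.com/search?q\\=pta&id\\=7 "
    "cs5Label=SuspiciousSessionActivity cs5=DeleteDB"
)

if __name__ == "__main__":
    for rec in (SAMPLE_SIMPLE, SAMPLE_EDGE):
        ev = parse_cef_line(rec)
        print(ev.severity, ev.event_name, ev.extension["dst"], ev.detected_at(), ev.truncated)
```

Two design points matter for correctness on real feeds: the header is split on at most seven unescaped pipes, because the CEF specification does not require pipes to be escaped in the extension and a URL or command in cs3/cs5 may contain one; and the extension is cut at `key=` boundaries rather than on spaces, since list values ("1.1.1.1, 1.1.1.2") and commands in cs5 can contain spaces. A record whose cs4 carried an unescaped `=` would be mis-split here exactly as the cs4 note warns, which is why the backslash it mentions must be present in the record and is only removed after the split.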
