ArcSight Extension Dictionary
The CEF Key Names for Event Producers and CEF Key Names for Event Consumers tables list the predefined names that establish usages for both event producers and event consumers. While the fields listed in both tables are useful to event consumers, the fields listed in the CEF Key Names for Event Consumers table must not be set by event producers.
Note:
- The bytesIn and bytesOut fields contained only Integer values in CEF 0.1. From CEF 1.0 onwards, these fields can also contain Long values.
- All IP address fields in CEF 0.1 contained IPv4 addresses only. From CEF 1.0 onwards, these fields can also contain IPv6 addresses.
CEF Key Names for Event Producers
This table lists the CEF key name and the full name of each field. When sending events, the CEF key name is the proper form to use; an event sent with the full name will fail.
CEF Key Names for Event Producers

CEF Specification Version | CEF Key Name | Full Name | Data Type | Length | Meaning
---|---|---|---|---|---
0.1 | act | deviceAction | String | 63 | Action taken by the device.
0.1 | app | applicationProtocol | String | 31 | Application level protocol, example: HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS, and so on.
0.1 | c6a1 | deviceCustomIPv6Address1 | IPv6 address | | One of the four IPv6 address fields available to map fields that do not apply to any other in this dictionary. TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions.
0.1 | c6a1Label | deviceCustomIPv6Address1Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | c6a3 | deviceCustomIPv6Address3 | IPv6 address | | One of the four IPv6 address fields available to map fields that do not apply to any other in this dictionary. TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions.
0.1 | c6a3Label | deviceCustomIPv6Address3Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | c6a4 | deviceCustomIPv6Address4 | IPv6 address | | One of the four IPv6 address fields available to map fields that do not apply to any other in this dictionary. TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions.
0.1 | c6a4Label | deviceCustomIPv6Address4Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | cat | deviceEventCategory | String | 1023 | Represents the category assigned by the originating device. Devices often use their own categorization schema to classify events. Example: “/Monitor/Disk/Read”
0.1 | cfp1 | deviceCustomFloatingPoint1 | Floating Point | | One of the four floating point fields available to map fields that do not apply to any other in this dictionary.
0.1 | cfp1Label | deviceCustomFloatingPoint1Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | cfp2 | deviceCustomFloatingPoint2 | Floating Point | | One of the four floating point fields available to map fields that do not apply to any other in this dictionary.
0.1 | cfp2Label | deviceCustomFloatingPoint2Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | cfp3 | deviceCustomFloatingPoint3 | Floating Point | | One of the four floating point fields available to map fields that do not apply to any other in this dictionary.
0.1 | cfp3Label | deviceCustomFloatingPoint3Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | cfp4 | deviceCustomFloatingPoint4 | Floating Point | | One of the four floating point fields available to map fields that do not apply to any other in this dictionary.
0.1 | cfp4Label | deviceCustomFloatingPoint4Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | cn1 | deviceCustomNumber1 | Long | | One of the three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
0.1 | cn1Label | deviceCustomNumber1Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | cn2 | deviceCustomNumber2 | Long | | One of the three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
0.1 | cn2Label | deviceCustomNumber2Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | cn3 | deviceCustomNumber3 | Long | | One of the three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
0.1 | cn3Label | deviceCustomNumber3Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | cnt | baseEventCount | Integer | | A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1.
0.1 | cs1 | deviceCustomString1 | String | 4000 | One of the six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions.
0.1 | cs1Label | deviceCustomString1Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | cs2 | deviceCustomString2 | String | 4000 | One of the six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions.
0.1 | cs2Label | deviceCustomString2Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | cs3 | deviceCustomString3 | String | 4000 | One of the six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions.
0.1 | cs3Label | deviceCustomString3Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | cs4 | deviceCustomString4 | String | 4000 | One of the six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions.
0.1 | cs4Label | deviceCustomString4Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | cs5 | deviceCustomString5 | String | 4000 | One of the six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions.
0.1 | cs5Label | deviceCustomString5Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | cs6 | deviceCustomString6 | String | 4000 | One of the six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions.
0.1 | cs6Label | deviceCustomString6Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | destinationDnsDomain | destinationDnsDomain | String | 255 | The DNS domain part of the complete fully qualified domain name (FQDN).
0.1 | destinationServiceName | destinationServiceName | String | 1023 | The service targeted by this event. Example: “sshd”
0.1 | destinationTranslatedAddress | destinationTranslatedAddress | IPv4 Address | | Identifies the translated destination that the event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1”
0.1 | destinationTranslatedPort | destinationTranslatedPort | Integer | | Port after it was translated, for example by a firewall. Valid port numbers are 0 to 65535.
0.1 | deviceCustomDate1 | deviceCustomDate1 | Time Stamp | | One of the two timestamp fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions.
0.1 | deviceCustomDate1Label | deviceCustomDate1Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | deviceCustomDate2 | deviceCustomDate2 | Time Stamp | | One of the two timestamp fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions.
0.1 | deviceCustomDate2Label | deviceCustomDate2Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
0.1 | deviceDirection | deviceDirection | Integer | | Any information about what direction the observed communication has taken. The following values are supported: “0” for inbound or “1” for outbound.
0.1 | deviceDnsDomain | deviceDnsDomain | String | 255 | The DNS domain part of the complete fully qualified domain name (FQDN).
0.1 | deviceExternalId | deviceExternalId | String | 255 | A name that uniquely identifies the device generating this event.
0.1 | deviceFacility | deviceFacility | String | 1023 | The facility generating this event. For example, Syslog has an explicit facility associated with every event.
0.1 | deviceInboundInterface | deviceInboundInterface | String | 128 | Interface on which the packet or data entered the device.
0.1 | deviceNtDomain | deviceNtDomain | String | 255 | The Windows domain name of the device address.
0.1 | deviceOutboundInterface | deviceOutboundInterface | String | 128 | Interface on which the packet or data left the device.
0.1 | devicePayloadId | devicePayloadId | String | 128 | Unique identifier for the payload associated with the event.
0.1 | deviceProcessName | deviceProcessName | String | 1023 | Process name associated with the event. An example might be the process generating the syslog entry in UNIX.
0.1 | deviceTranslatedAddress | deviceTranslatedAddress | IPv4 Address | | Identifies the translated device address that the event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1”
0.1 | dhost | destinationHostName | String | 1023 | Identifies the destination that an event refers to in an IP network. The format must be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. Examples: “host.domain.com” or “host”.
0.1 | dmac | destinationMacAddress | MAC Address | | Six colon-separated hexadecimal numbers. Example: “00:0D:60:AF:1B:61”
0.1 | dntdom | destinationNtDomain | String | 255 | The Windows domain name of the destination address.
0.1 | dpid | destinationProcessId | Integer | | Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, “105” is the process ID.
0.1 | dpriv | destinationUserPrivileges | String | 1023 | The typical values are “Administrator”, “User”, and “Guest”. This identifies the destination user’s privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUserPrivileges of “Administrator”.
0.1 | dproc | destinationProcessName | String | 1023 | The name of the event’s destination process. Example: “telnetd” or “sshd”.
0.1 | dpt | destinationPort | Integer | | The valid port numbers are between 0 and 65535.
0.1 | dst | destinationAddress | IPv4 Address | | Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1”
0.1 | dtz | deviceTimeZone | String | 255 | The timezone for the device generating the event.
0.1 | duid | destinationUserId | String | 1023 | Identifies the destination user by ID. For example, in UNIX, the root user is generally associated with user ID 0.
0.1 | duser | destinationUserName | String | 1023 | Identifies the destination user by name. This is the user associated with the event’s destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field.
0.1 | dvc | deviceAddress | IPv4 Address | | Identifies the device address that an event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1”.
0.1 | dvchost | deviceHostName | String | 100 | The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. Example: “host.domain.com” or “host”.
0.1 | dvcmac | deviceMacAddress | MAC Address | | Six colon-separated hexadecimal numbers. Example: “00:0D:60:AF:1B:61”
0.1 | dvcpid | deviceProcessId | Integer | | Provides the ID of the process on the device generating the event.
0.1 | end | endTime | Time Stamp | | The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). An example would be reporting the end of a session.
0.1 | externalId | externalId | String | 40 | The ID used by an originating device. They are usually increasing numbers, associated with events.
0.1 | fileCreateTime | fileCreateTime | Time Stamp | | Time when the file was created.
0.1 | fileHash | fileHash | String | 255 | Hash of a file.
0.1 | fileId | fileId | String | 1023 | An ID associated with a file; could be the inode.
0.1 | fileModificationTime | fileModificationTime | Time Stamp | | Time when the file was last modified.
0.1 | filePath | filePath | String | 1023 | Full path to the file, including the file name itself. Example: C:\Program Files\WindowsNT\Accessories\wordpad.exe or /usr/bin/zip
0.1 | filePermission | filePermission | String | 1023 | Permissions of the file.
0.1 | fileType | fileType | String | 1023 | Type of file (pipe, socket, etc.)
0.1 | flexDate1 | flexDate1 | Time Stamp | | A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
0.1 | flexDate1Label | flexDate1Label | String | 128 | The label field is a string and describes the purpose of the flex field.
0.1 | flexString1 | flexString1 | String | 1023 | A string field available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
0.1 | flexString1Label | flexString1Label | String | 128 | The label field is a string and describes the purpose of the flex field.
0.1 | flexString2 | flexString2 | String | 1023 | A string field available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
0.1 | flexString2Label | flexString2Label | String | 128 | The label field is a string and describes the purpose of the flex field.
0.1 | fname | fileName | String | 1023 | Name of the file only (without its path).
0.1 | fsize | fileSize | Integer | | Size of the file.
0.1 | in | bytesIn | Integer | | Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination.
0.1 | msg | message | String | 1023 | An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator.
0.1 | oldFileCreateTime | oldFileCreateTime | Time Stamp | | Time when the old file was created.
0.1 | oldFileHash | oldFileHash | String | 255 | Hash of the old file.
0.1 | oldFileId | oldFileId | String | 1023 | An ID associated with the old file; could be the inode.
0.1 | oldFileModificationTime | oldFileModificationTime | Time Stamp | | Time when the old file was last modified.
0.1 | oldFileName | oldFileName | String | 1023 | Name of the old file.
0.1 | oldFilePath | oldFilePath | String | 1023 | Full path to the old file, including the file name itself. Examples: c:\Program Files\WindowsNT\Accessories\wordpad.exe or /usr/bin/zip
0.1 | oldFilePermission | oldFilePermission | String | 1023 | Permissions of the old file.
0.1 | oldFileSize | oldFileSize | Integer | | Size of the old file.
0.1 | oldFileType | oldFileType | String | 1023 | Type of the old file (pipe, socket, etc.)
0.1 | out | bytesOut | Integer | | Number of bytes transferred outbound relative to the source to destination relationship, that is, the number of bytes of data flowing from the destination to the source.
0.1 | outcome | eventOutcome | String | 63 | Displays the outcome, usually as ‘success’ or ‘failure’.
0.1 | proto | transportProtocol | String | 31 | Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP.
0.1 | reason | reason | String | 1023 | The reason an audit event was generated. For example “bad password” or “unknown user”. This could also be an error or return code. Example: “0x1234”
0.1 | request | requestUrl | String | 1023 | In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. Example: “http://www/secure.com”
0.1 | requestClientApplication | requestClientApplication | String | 1023 | The User-Agent associated with the request.
0.1 | requestContext | requestContext | String | 2048 | Description of the content from which the request originated (for example, HTTP Referrer).
0.1 | requestCookies | requestCookies | String | 1023 | Cookies associated with the request.
0.1 | requestMethod | requestMethod | String | 1023 | The method used to access a URL. Possible values: “POST”, “GET”, etc.
0.1 | rt | deviceReceiptTime | Time Stamp | | The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970).
0.1 | shost | sourceHostName | String | 1023 | Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a node is available. Examples: “host” or “host.domain.com”.
0.1 | smac | sourceMacAddress | MAC Address | | Six colon-separated hexadecimal numbers. Example: “00:0D:60:AF:1B:61”
0.1 | sntdom | sourceNtDomain | String | 255 | The Windows domain name for the source address.
0.1 | sourceDnsDomain | sourceDnsDomain | String | 255 | The DNS domain part of the complete fully qualified domain name (FQDN).
0.1 | sourceServiceName | sourceServiceName | String | 1023 | The service that is responsible for generating this event.
0.1 | sourceTranslatedAddress | sourceTranslatedAddress | IPv4 Address | | Identifies the translated source that the event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1”.
0.1 | sourceTranslatedPort | sourceTranslatedPort | Integer | | A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535.
0.1 | spid | sourceProcessId | Integer | | The ID of the source process associated with the event.
0.1 | spriv | sourceUserPrivileges | String | 1023 | The typical values are “Administrator”, “User”, and “Guest”. It identifies the source user’s privileges. In UNIX, for example, activity executed by the root user would be identified with “Administrator”.
0.1 | sproc | sourceProcessName | String | 1023 | The name of the event’s source process.
0.1 | spt | sourcePort | Integer | | The valid port numbers are 0 to 65535.
0.1 | src | sourceAddress | IPv4 Address | | Identifies the source that an event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1”.
0.1 | start | startTime | Time Stamp | | The time when the activity the event refers to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970).
0.1 | suid | sourceUserId | String | 1023 | Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0.
0.1 | suser | sourceUserName | String | 1023 | Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field.
0.1 | type | type | Integer | | 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0).
1.2 | agentTranslatedZoneKey | Agent Translated Zone Key | Integer | 64-bit | ID of an agentTranslatedZone resource reference.
1.2 | agentZoneKey | Agent Zone Key | Integer | 64-bit | ID of an agentZone resource reference.
1.2 | customerKey | Customer Key | Integer | 64-bit | ID of a customer resource reference.
1.2 | dTranslatedZoneKey | Destination Translated Zone Key | Integer | 64-bit | ID of a destinationTranslatedZone resource reference.
1.2 | dZoneKey | Destination Zone Key | Integer | 64-bit | ID of a destinationZone resource reference.
1.2 | deviceTranslatedZoneKey | Device Translated Zone Key | Integer | 64-bit | ID of a deviceTranslatedZone resource reference.
1.2 | deviceZoneKey | Device Zone Key | Integer | 64-bit | ID of a deviceZone resource reference.
1.2 | sTranslatedZoneKey | Source Translated Zone Key | Integer | 64-bit | ID of a sourceTranslatedZone resource reference.
1.2 | sZoneKey | Source Zone Key | Integer | 64-bit | ID of a sourceZone resource reference.
1.2 | reportedDuration | Reported Duration | String | 64-bit signed | Elapsed time in milliseconds of the action or entity the event represents.
1.2 | reportedResourceGroupName | Reported Resource Group Name | String | 128 | Name of a group containing the resource in the system that sent the event.
1.2 | reportedResourceID | Reported Resource ID | String | 256 | Name of a group containing the resource in the system that sent the event.
1.2 | reportedResourceName | Reported Resource Name | String | 64 | Name of the affected resource in the system that sent the event.
1.2 | reportedResourceType | Reported Resource Type | String | 64 | Type of the affected resource in the system that sent the event.
1.2 | frameworkName | Framework Name | String | 256 | The name of the framework used for threatAttackID.
1.2 | threatActor | Threat Actor | String | 40 | Threat actor associated with the event.
1.2 | threatAttackID | Threat Attack ID | String | 32 | A full ID of a threat or attack as defined in the security framework in frameworkName.
CEF Key Names for Event Consumers
This table lists the CEF key name and the full name of each field. When sending events, the CEF key name is the proper form to use; an event sent with the full name will fail.
CEF Key Names For Event Consumers

CEF Specification Version | CEF Key Name | Full Name | Data Type | Length | Meaning
---|---|---|---|---|---
0.1 | agentDnsDomain | agentDnsDomain | String | 255 | The DNS domain name of the ArcSight connector that processed the event.
0.1 | agentNtDomain | agentNtDomain | String | 255 |
0.1 | agentTranslatedAddress | agentTranslatedAddress | IP Address | |
0.1 | agentTranslatedZoneExternalID | agentTranslatedZoneExternalID | String | 200 |
0.1 | agentTranslatedZoneURI | agentTranslatedZoneURI | String | 2048 |
0.1 | agentZoneExternalID | agentZoneExternalID | String | 200 |
0.1 | agentZoneURI | agentZoneURI | String | 2048 |
0.1 | agt | agentAddress | IP Address | | The IP address of the ArcSight connector that processed the event.
0.1 | ahost | agentHostName | String | 1023 | The hostname of the ArcSight connector that processed the event.
0.1 | aid | agentId | String | 40 | The agent ID of the ArcSight connector that processed the event.
0.1 | amac | agentMacAddress | MAC Address | | The MAC address of the ArcSight connector that processed the event.
0.1 | art | agentReceiptTime | Time Stamp | | The time at which information about the event was received by the ArcSight connector.
0.1 | at | agentType | String | 63 | The agent type of the ArcSight connector that processed the event.
0.1 | atz | agentTimeZone | String | 255 | The agent time zone of the ArcSight connector that processed the event.
0.1 | av | agentVersion | String | 31 | The version of the ArcSight connector that processed the event.
0.1 | customerExternalID | customerExternalID | String | 200 |
0.1 | customerURI | customerURI | String | 2048 |
0.1 | destinationTranslatedZoneExternalID | destinationTranslatedZoneExternalID | String | 200 |
0.1 | destinationTranslatedZoneURI | destinationTranslatedZoneURI | String | 2048 | The URI for the Translated Zone that the destination asset has been assigned to in ArcSight.
0.1 | destinationZoneExternalID | destinationZoneExternalID | String | 200 |
0.1 | destinationZoneURI | destinationZoneURI | String | 2048 | The URI for the Zone that the destination asset has been assigned to in ArcSight.
0.1 | deviceTranslatedZoneExternalID | deviceTranslatedZoneExternalID | String | 200 |
0.1 | deviceTranslatedZoneURI | deviceTranslatedZoneURI | String | 2048 | The URI for the Translated Zone that the device asset has been assigned to in ArcSight.
0.1 | deviceZoneExternalID | deviceZoneExternalID | String | 200 |
0.1 | deviceZoneURI | deviceZoneURI | String | 2048 | The URI for the Zone that the device asset has been assigned to in ArcSight.
0.1 | dlat | destinationGeoLatitude | Double | | The latitude value associated with the destination’s IP address.
0.1 | dlong | destinationGeoLongitude | Double | | The longitude value associated with the destination’s IP address.
0.1 | eventId | eventId | Long | | This is a unique ID that ArcSight assigns to each event.
0.1 | rawEvent | rawEvent | String | 4000 |
0.1 | slat | sourceGeoLatitude | Double | |
0.1 | slong | sourceGeoLongitude | Double | |
0.1 | sourceTranslatedZoneExternalID | sourceTranslatedZoneExternalID | String | 200 |
0.1 | sourceTranslatedZoneURI | sourceTranslatedZoneURI | String | 2048 | The URI for the Translated Zone that the source asset has been assigned to in ArcSight.
0.1 | sourceZoneExternalID | sourceZoneExternalID | String | 200 |
0.1 | sourceZoneURI | sourceZoneURI | String | 2048 | The URI for the Zone that the source asset has been assigned to in ArcSight.
1.2 | agentTranslatedZoneKey | Agent Translated Zone Key | Integer | 64-bit | ID of an agentTranslatedZone resource reference.
1.2 | agentZoneKey | Agent Zone Key | Integer | 64-bit | ID of an agentZone resource reference.
1.2 | customerKey | Customer Key | Integer | 64-bit | ID of a customer resource reference.
1.2 | dTranslatedZoneKey | Destination Translated Zone Key | Integer | 64-bit | ID of a destinationTranslatedZone resource reference.
1.2 | dZoneKey | Destination Zone Key | Integer | 64-bit | ID of a destinationZone resource reference.
1.2 | deviceTranslatedZoneKey | Device Translated Zone Key | Integer | 64-bit | ID of a deviceTranslatedZone resource reference.
1.2 | deviceZoneKey | Device Zone Key | Integer | 64-bit | ID of a deviceZone resource reference.
1.2 | sTranslatedZoneKey | Source Translated Zone Key | Integer | 64-bit | ID of a sourceTranslatedZone resource reference.
1.2 | sZoneKey | Source Zone Key | Integer | 64-bit | ID of a sourceZone resource reference.
1.2 | reportedDuration | Reported Duration | String | 64-bit signed | Elapsed time in milliseconds of the action or entity the event represents.
1.2 | reportedResourceGroupName | Reported Resource Group Name | String | 128 | Name of a group containing the resource in the system that sent the event.
1.2 | reportedResourceID | Reported Resource ID | String | 256 | Name of a group containing the resource in the system that sent the event.
1.2 | reportedResourceName | Reported Resource Name | String | 64 | Name of the affected resource in the system that sent the event.
1.2 | reportedResourceType | Reported Resource Type | String | 64 | Type of the affected resource in the system that sent the event.
1.2 | frameworkName | Framework Name | String | 256 | The name of the framework used for threatAttackID.
1.2 | threatActor | Threat Actor | String | 40 | Threat actor associated with the event.
1.2 | threatAttackID | Threat Attack ID | String | 32 | A full ID of a threat or attack as defined in the security framework in frameworkName.
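As an added example (not part of the ArcSight documentation), the following Python validator applies the rules stated above to the extension part of a CEF event from a producer: it rejects keys that belong to the consumer table, rejects full names sent in place of CEF key names, checks the Data Type and Length columns for a constructed subset of the producer table, and flags custom fields sent without their label field. The dictionary subset, the function names and the sample extension strings are assumptions constructed for this example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed subset of the producer table: CEF key -> (full name, data type, max length).
PRODUCER = {
    "act": ("deviceAction", "String", 63),
    "cs1": ("deviceCustomString1", "String", 4000),
    "cs1Label": ("deviceCustomString1Label", "String", 1023),
    "src": ("sourceAddress", "IPv4 Address", None),
    "dst": ("destinationAddress", "IPv4 Address", None),
    "spt": ("sourcePort", "Integer", None),
    "dpt": ("destinationPort", "Integer", None),
    "smac": ("sourceMacAddress", "MAC Address", None),
    "rt": ("deviceReceiptTime", "Time Stamp", None),
    "msg": ("message", "String", 1023),
    "in": ("bytesIn", "Long", None),  # Long rather than Integer from CEF 1.0 onwards
}
# Constructed subset of the consumer table: ArcSight sets these, producers must not.
CONSUMER_ONLY = {"agt", "ahost", "aid", "art", "eventId", "rawEvent", "dlat", "dlong"}
FULL_NAMES = {full: key for key, (full, _, _) in PRODUCER.items()}
PORT_KEYS = {"spt", "dpt"}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

def unescape(value: str) -> str:
    r"""Undo CEF extension escaping: \= \\ \n \r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_extension(ext: str) -> dict:
    """Split 'k1=v1 k2=v2 with spaces k3=v3' into a dict; a space starts a new pair only when
    it is followed by a key and an unescaped '=', so values may contain spaces."""
    pairs = {}
    for pair in re.split(r" (?=[A-Za-z0-9]+=)", ext.strip()):
        if pair:
            key, _, value = pair.partition("=")
            pairs[key] = unescape(value)
    return pairs

def _is_timestamp(value: str) -> bool:
    """Accept 'MMM dd yyyy HH:mm:ss' or milliseconds since the epoch, as the table states."""
    if re.fullmatch(r"\d+", value):
        return True
    try:
        datetime.strptime(value, "%b %d %Y %H:%M:%S")
        return True
    except ValueError:
        return False

def _check_value(key: str, dtype: str, maxlen, value: str) -> list:
    """Type and length rules taken from the Data Type, Length and Meaning columns."""
    problems = []
    if dtype == "String" and maxlen is not None and len(value) > maxlen:
        problems.append(f"{key}: length {len(value)} exceeds {maxlen}")
    elif dtype in ("Integer", "Long"):
        if not re.fullmatch(r"-?\d+", value):
            problems.append(f"{key}: expected {dtype}, got {value!r}")
        elif key in PORT_KEYS and not 0 <= int(value) <= 65535:
            problems.append(f"{key}: port {value} outside 0-65535")
    elif dtype == "IPv4 Address":
        try:
            ipaddress.ip_address(value)  # IPv6 is also accepted from CEF 1.0 onwards
        except ValueError:
            problems.append(f"{key}: {value!r} is not an IP address")
    elif dtype == "MAC Address" and not MAC_RE.match(value):
        problems.append(f"{key}: {value!r} is not six colon-separated hex pairs")
    elif dtype == "Time Stamp" and not _is_timestamp(value):
        problems.append(f"{key}: {value!r} is not 'MMM dd yyyy HH:mm:ss' or epoch milliseconds")
    return problems

def validate_producer_extension(ext: str) -> list:
    """Return a list of problems; an empty list means the extension follows the producer rules."""
    fields = parse_extension(ext)
    problems = []
    for key, value in fields.items():
        if key in CONSUMER_ONLY:
            problems.append(f"{key}: consumer-only key, must not be set by a producer")
        elif key in FULL_NAMES and key not in PRODUCER:
            problems.append(f"{key}: full name used; send the CEF key {FULL_NAMES[key]!r} instead")
        elif key not in PRODUCER:
            problems.append(f"{key}: not in the dictionary subset (user-defined extension?)")
        else:
            problems.extend(_check_value(key, *PRODUCER[key][1:], value))
            # Every custom field (cs1, cn1, cfp1, c6a1, ...) has a corresponding label field.
            if re.fullmatch(r"c(s|n|fp|6a)\d", key) and f"{key}Label" not in fields:
                problems.append(f"{key}: custom field sent without {key}Label")
    return problems

# Constructed sample extension strings (the part after the seventh '|' of a CEF record).
GOOD = ("src=10.0.0.1 dst=10.0.0.2 spt=1232 dpt=443 act=allowed msg=path\\=/tmp/a b "
        "cs1=alpha cs1Label=Tag rt=Sep 29 2014 11:33:06 in=1234")
BAD = "sourceAddress=10.0.0.1 dpt=70000 agt=10.0.0.9 cs1=alpha smac=00:0D:60"
```

Running `validate_producer_extension(BAD)` reports five problems (full name, port range, consumer-only key, missing cs1Label, malformed MAC), while GOOD returns an empty list.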