The following tables map Common Event Format (CEF) field names to the names they use in Microsoft Sentinel's CommonSecurityLog table, and may be helpful when you are working with a CEF data source in Microsoft Sentinel. For more information, see Connect your external solution using Common Event Format.
Important

On February 28th 2023, we introduced changes to the CommonSecurityLog table schema. Following this change, you might need to review and update custom queries. For more details, see the recommended actions section in this blog post. Out-of-the-box content (detections, hunting queries, workbooks, parsers, etc.) has been updated by Microsoft Sentinel.

A Microsoft Sentinel workspace is required in order to ingest CEF data into Log Analytics.
A - C

| CEF key name | CommonSecurityLog field name | Description |
|---|---|---|
| app | ApplicationProtocol | The protocol used in the application, such as HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS, and so on. |
| cat | DeviceEventCategory | Represents the category assigned by the originating device. Devices often use their own categorization schema to classify events. For example: /Monitor/Disk/Read. |
| cnt | EventCount | A count associated with the event, showing how many times the same event was observed. |
| CEF key name | CommonSecurityLog name | Description |
|---|---|---|
| Device Vendor | DeviceVendor | String that, together with device product and version definitions, uniquely identifies the type of sending device. |
| Device Product | DeviceProduct | String that, together with device vendor and version definitions, uniquely identifies the type of sending device. |
| Device Version | DeviceVersion | String that, together with device product and vendor definitions, uniquely identifies the type of sending device. |
| destinationDnsDomain | DestinationDnsDomain | The DNS part of the fully qualified domain name (FQDN). |
| destinationServiceName | DestinationServiceName | The service that is targeted by the event. For example, sshd. |
| destinationTranslatedAddress | DestinationTranslatedAddress | Identifies the translated destination referred to by the event in an IP network, as an IPv4 address. |
| destinationTranslatedPort | DestinationTranslatedPort | Port after translation, such as by a firewall. Valid port numbers: 0 - 65535. |
| deviceDirection | CommunicationDirection | Any information about the direction the observed communication has taken. Valid values: 0 = Inbound, 1 = Outbound. |
| deviceDnsDomain | DeviceDnsDomain | The DNS domain part of the fully qualified domain name (FQDN). |
| DeviceEventClassID | DeviceEventClassID | String or integer that serves as a unique identifier per event type. |
| deviceExternalID | DeviceExternalID | A name that uniquely identifies the device generating the event. |
| deviceFacility | DeviceFacility | The facility generating the event. |
| deviceInboundInterface | DeviceInboundInterface | The interface on which the packet or data entered the device. |
| deviceNtDomain | DeviceNtDomain | The Windows domain of the device address. |
| deviceOutboundInterface | DeviceOutboundInterface | The interface on which the packet or data left the device. |
| devicePayloadId | DevicePayloadId | Unique identifier for the payload associated with the event. |
| deviceProcessName | ProcessName | Process name associated with the event. For example, in UNIX, the process generating the syslog entry. |
| deviceTranslatedAddress | DeviceTranslatedAddress | Identifies the translated device address that the event refers to, in an IP network. The format is an IPv4 address. |
| dhost | DestinationHostName | The destination that the event refers to in an IP network. The format should be an FQDN associated with the destination node, when a node is available. For example, host.domain.com or host. |
| dmac | DestinationMacAddress | The destination MAC address. |
| dntdom | DestinationNTDomain | The Windows domain name of the destination address. |
| dpid | DestinationProcessId | The ID of the destination process associated with the event. |
| dpriv | DestinationUserPrivileges | Defines the destination user's privileges. Valid values: Administrator, User, Guest. |
| dproc | DestinationProcessName | The name of the event's destination process, such as telnetd or sshd. |
| dpt | DestinationPort | Destination port. Valid values: 0 - 65535. |
| dst | DestinationIP | The destination IPv4 address that the event refers to in an IP network. |
| dtz | DeviceTimeZone | Timezone of the device generating the event. |
| duid | DestinationUserId | Identifies the destination user by ID. |
| duser | DestinationUserName | Identifies the destination user by name. |
| dvc | DeviceAddress | The IPv4 address of the device generating the event. |
| dvchost | DeviceName | The FQDN associated with the device node, when a node is available. For example, host.domain.com or host. |
| dvcmac | DeviceMacAddress | The MAC address of the device generating the event. |
| dvcpid | Process ID | Defines the ID of the process on the device generating the event. |
E - I

| CEF key name | CommonSecurityLog name | Description |
|---|---|---|
| externalId | ExternalID | An ID used by the originating device. Typically, these values are increasing, with each value associated with an event. |
| fileCreateTime | FileCreateTime | Time when the file was created. |
| fileHash | FileHash | Hash of a file. |
| fileId | FileID | An ID associated with a file, such as the inode. |
| fileModificationTime | FileModificationTime | Time when the file was last modified. |
| filePath | FilePath | Full path to the file, including the filename. For example: C:\ProgramFiles\WindowsNT\Accessories\wordpad.exe or /usr/bin/zip. |
| filePermission | FilePermission | The file's permissions. |
| fileType | FileType | File type, such as pipe, socket, and so on. |
| fname | FileName | The file's name, without the path. |
| fsize | FileSize | The size of the file. |
| | Computer | Host, from Syslog. |
| in | ReceivedBytes | Number of bytes transferred inbound. |
M - P

| CEF key name | CommonSecurityLog name | Description |
|---|---|---|
| Name | Activity | A string that represents a human-readable and understandable description of the event. |
| oldFileCreateTime | OldFileCreateTime | Time when the old file was created. |
| oldFileHash | OldFileHash | Hash of the old file. |
| oldFileId | OldFileId | An ID associated with the old file, such as the inode. |
| oldFileModificationTime | OldFileModificationTime | Time when the old file was last modified. |
| oldFileName | OldFileName | Name of the old file. |
| oldFilePath | OldFilePath | Full path to the old file, including the filename. For example, C:\ProgramFiles\WindowsNT\Accessories\wordpad.exe or /usr/bin/zip. |
| oldFilePermission | OldFilePermission | Permissions of the old file. |
| oldFileSize | OldFileSize | Size of the old file. |
| oldFileType | OldFileType | File type of the old file, such as a pipe, socket, and so on. |
| out | SentBytes | Number of bytes transferred outbound. |
| outcome | EventOutcome | Outcome of the event, such as success or failure. |
| proto | Protocol | Transport protocol that identifies the Layer-4 protocol used. Possible values include protocol names, such as TCP or UDP. |
R - T

| CEF key name | CommonSecurityLog name | Description |
|---|---|---|
| reason | Reason | The reason an audit event was generated. For example, bad password or unknown user. This could also be an error or return code. For example: 0x1234. |
| Request | RequestURL | The URL accessed for an HTTP request, including the protocol. For example, http://www/secure.com |
| requestClientApplication | RequestClientApplication | The user agent associated with the request. |
| requestContext | RequestContext | Describes the content from which the request originated, such as the HTTP Referer header. |
| requestCookies | RequestCookies | Cookies associated with the request. |
| requestMethod | RequestMethod | The method used to access a URL. Valid values include methods such as POST, GET, and so on. |
| rt | ReceiptTime | The time at which the event related to the activity was received. |
| Severity | LogSeverity | A string or integer that describes the importance of the event. Valid string values: Unknown, Low, Medium, High, Very-High. Valid integer values: 0 - 3 = Low, 4 - 6 = Medium, 7 - 8 = High, 9 - 10 = Very-High. |
| shost | SourceHostName | Identifies the source that the event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a node is available. For example, host or host.domain.com. |
| smac | SourceMacAddress | Source MAC address. |
| sntdom | SourceNTDomain | The Windows domain name for the source address. |
| sourceDnsDomain | SourceDnsDomain | The DNS domain part of the complete FQDN. |
| sourceServiceName | SourceServiceName | The service responsible for generating the event. |
| sourceTranslatedAddress | SourceTranslatedAddress | Identifies the translated source that the event refers to in an IP network. |
| sourceTranslatedPort | SourceTranslatedPort | Source port after translation, such as by a firewall. Valid port numbers are 0 - 65535. |
| spid | SourceProcessId | The ID of the source process associated with the event. |
| spriv | SourceUserPrivileges | The source user's privileges. Valid values include: Administrator, User, Guest. |
| sproc | SourceProcessName | The name of the event's source process. |
| spt | SourcePort | The source port number. Valid port numbers are 0 - 65535. |
| src | SourceIP | The source that an event refers to in an IP network, as an IPv4 address. |
| suid | SourceUserID | Identifies the source user by ID. |
| suser | SourceUserName | Identifies the source user by name. |
| type | EventType | Event type. Valid values include: 0 = base event, 1 = aggregated, 2 = correlation event, 3 = action event. Note: this field can be omitted for base events. |
Custom fields

The following tables map the names of CEF keys and CommonSecurityLog fields that are available for customers to use for data that does not apply to any of the built-in fields.

Custom IPv6 address fields

The following table maps CEF key and CommonSecurityLog names for the IPv6 address fields available for custom data.

| CEF key name | CommonSecurityLog name |
|---|---|

¹ We recommend that you use the DeviceCustomString fields sparingly and use more specific, built-in fields when possible.

Custom timestamp fields

The following table maps CEF key and CommonSecurityLog names for the timestamp fields available for custom data.

| CEF key name | CommonSecurityLog name |
|---|---|
Enrichment fields

The following CommonSecurityLog fields are added by Microsoft Sentinel to enrich the original events received from the source devices, and don't have mappings in CEF keys:

Threat intelligence fields

| CommonSecurityLog field name | Description |
|---|---|
| IndicatorThreatType | The MaliciousIP threat type, according to the threat intelligence feed. |
| MaliciousIP | Lists any IP addresses in the message that correlate with the current threat intelligence feed. |
| MaliciousIPCountry | The MaliciousIP country/region, according to the geographic information at the time of the record ingestion. |
| MaliciousIPLatitude | The MaliciousIP latitude, according to the geographic information at the time of the record ingestion. |
| MaliciousIPLongitude | The MaliciousIP longitude, according to the geographic information at the time of the record ingestion. |
| ReportReferenceLink | Link to the threat intelligence report. |
| ThreatConfidence | The MaliciousIP threat confidence, according to the threat intelligence feed. |
| ThreatDescription | The MaliciousIP threat description, according to the threat intelligence feed. |
| ThreatSeverity | The threat severity for the MaliciousIP, according to the threat intelligence feed at the time of the record ingestion. |
Additional enrichment fields

| CommonSecurityLog field name | Description |
|---|---|
| OriginalLogSeverity | Always empty; supported for integration with Cisco ASA. For details about log severity values, see the LogSeverity field. |
| RemoteIP | The remote IP address. This value is based on the CommunicationDirection field, if possible. |
| RemotePort | The remote port. This value is based on the CommunicationDirection field, if possible. |
| SimplifiedDeviceAction | Simplifies the DeviceAction value to a static set of values, while keeping the original value in the DeviceAction field. For example: Denied > Deny. |
| SourceSystem | Always defined as OpsManager. |
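To see the mapping applied end to end, here is an added example in Python. It is not Microsoft Sentinel's code and not part of the CEF connector; it parses a constructed CEF line into the CommonSecurityLog column names from the tables above, buckets the header Severity into the LogSeverity ranges from the R - T table, and derives the RemoteIP/RemotePort enrichment described in the table above. Assumptions: the extension map covers only a subset of the standard CEF keys; the direction rule for RemoteIP (0 = Inbound means the remote side is the source, 1 = Outbound means it is the destination) is assumed, since the page only says the value is based on CommunicationDirection; the sample event, hostnames and TEST-NET addresses are constructed.

```python
"""Added example, not Microsoft Sentinel's own code: parse a CEF event into the
CommonSecurityLog column names documented on this page, bucket the header
Severity into the LogSeverity ranges, and derive the RemoteIP/RemotePort
enrichment from CommunicationDirection.  The sample event is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|
# Device Event Class ID|Name|Severity|Extension.  The six fields after the
# version map to these CommonSecurityLog columns (the CEF "Name" is Activity).
HEADER_COLUMNS = ["DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity"]

# Extension keys -> CommonSecurityLog names.  Only a subset of the standard CEF
# keys is covered here; extend it from the tables above as needed.
EXTENSION_MAP: Dict[str, str] = {
    "deviceDirection": "CommunicationDirection",
    "dhost": "DestinationHostName", "dpt": "DestinationPort", "dst": "DestinationIP",
    "duser": "DestinationUserName", "dproc": "DestinationProcessName",
    "dvchost": "DeviceName", "externalId": "ExternalID", "fname": "FileName",
    "outcome": "EventOutcome", "proto": "Protocol", "reason": "Reason",
    "requestMethod": "RequestMethod", "shost": "SourceHostName",
    "spt": "SourcePort", "src": "SourceIP", "sproc": "SourceProcessName",
    "suser": "SourceUserName",
}

# One key=value pair; the value runs lazily until the next " key=" or the end,
# so values containing spaces survive, and backslash escapes are kept as pairs.
_EXT_KV = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)", re.S)


def split_cef(line: str) -> Tuple[List[str], str]:
    """Split a CEF line into its 7 header fields (with \\| and \\\\ unescaped)
    and the raw, still-escaped extension string."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character inside a header field
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header: expected CEF:Version plus 6 pipe-delimited fields")
    return fields, line[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key2=value two' into a dict, unescaping \\= \\\\ \\n \\r."""
    unescape = {"n": "\n", "r": "\r"}
    return {
        m.group(1): re.sub(r"\\(.)", lambda e: unescape.get(e.group(1), e.group(1)), m.group(2))
        for m in _EXT_KV.finditer(ext)
    }


def parse_cef(line: str) -> Dict[str, str]:
    """Return a dict keyed by CommonSecurityLog column names.  Extension keys not in
    EXTENSION_MAP are kept under their CEF name so nothing is dropped silently."""
    header, ext = split_cef(line.rstrip("\r\n"))
    record = dict(zip(HEADER_COLUMNS, header[1:]))
    for key, value in parse_extension(ext).items():
        record[EXTENSION_MAP.get(key, key)] = value
    return record


def severity_bucket(value: str) -> str:
    """Map a CEF Severity (integer 0-10 or string) to the LogSeverity levels listed
    on this page: 0-3 Low, 4-6 Medium, 7-8 High, 9-10 Very-High."""
    v = value.strip()
    if v.isdigit():
        n = int(v)
        for upper, name in ((3, "Low"), (6, "Medium"), (8, "High"), (10, "Very-High")):
            if n <= upper:
                return name
        return "Unknown"   # outside the 0-10 range the format allows
    for name in ("Unknown", "Low", "Medium", "High", "Very-High"):
        if v.lower() == name.lower():
            return name
    return "Unknown"


def remote_endpoint(record: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """RemoteIP/RemotePort from CommunicationDirection.  The page only says the value
    is 'based on' that field; the rule assumed here is inbound (0) -> the remote
    side is the source, outbound (1) -> the remote side is the destination."""
    direction = record.get("CommunicationDirection")
    if direction == "0":
        return record.get("SourceIP"), record.get("SourcePort")
    if direction == "1":
        return record.get("DestinationIP"), record.get("DestinationPort")
    return None, None


# Constructed sample event (TEST-NET addresses); the Name field carries an escaped
# pipe and the fname value an escaped '=' to exercise both escaping rules.
SAMPLE = ("CEF:0|Contoso|Example Firewall|1.0|100|Connection denied \\| policy 12|7|"
          "deviceDirection=0 src=203.0.113.10 spt=51234 dst=198.51.100.5 dpt=22 "
          "shost=edge.example.com dhost=host.domain.com sproc=sshd suser=alice "
          "proto=TCP outcome=failure reason=bad password fname=notes\\=v2.txt")


def enriched_sample() -> Dict[str, str]:
    """Parse SAMPLE and add the RemoteIP/RemotePort enrichment columns."""
    record = parse_cef(SAMPLE)
    record["RemoteIP"], record["RemotePort"] = remote_endpoint(record)
    return record


if __name__ == "__main__":
    for column, value in enriched_sample().items():
        print(f"{column:<28} {value!r}")
```

Running the module prints one line per CommonSecurityLog column for the sample event. Two details matter when validating a connector feed this way: header escaping (`\|`, `\\`) and extension escaping (`\=`, `\\`) follow different rules, so the header must be split before the extension is unescaped; and an extension key that is not in the map is kept under its CEF name rather than dropped, which makes unmapped keys visible for review instead of silently disappearing.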
Next steps

For more information, see Connect your external solution using Common Event Format.