NetIQ Sentinel: ArcSight CEF CustomFieldMap

Need to include CEF Custom String and Number Labels out of the box. Labels are different for each product.

~~Sentinel Event Field~~,~~Input Record Field~~
CEFCustomNumber1,cef.extensions.cn1
CEFCustomNumber2,cef.extensions.cn2
CEFCustomNumber3,cef.extensions.cn3
CEFCustomString1,cef.extensions.cs1
CEFCustomString2,cef.extensions.cs2
CEFCustomString3,cef.extensions.cs3
CEFCustomString4,cef.extensions.cs4
CEFCustomString5,cef.extensions.cs5
CEFCustomString6,cef.extensions.cs6
CustomerVar001,cef.extensions.cs1Label
CustomerVar002,cef.extensions.cs2Label
CustomerVar003,cef.extensions.cs3Label
CustomerVar004,cef.extensions.cs4Label
CustomerVar005,cef.extensions.cs5Label
CustomerVar006,cef.extensions.cs6Label
CustomerVar011,cef.extensions.cn1Label
CustomerVar012,cef.extensions.cn2Label
CustomerVar013,cef.extensions.cn3Label

by: Bryan W. | over a year ago | Integrations

CustomerVar* must not be used out of the box as they are reserved for customer use. Many customers are already using them. We'd need new fields for the labels.

Generally speaking, it is the purpose of a SIEM to normalize data to its schema. So if we already have a native field that matches the semantics of the date being send by an event source, then that native field must be used instead of CEFCustom*.

by: Norbert K. | over a year ago

Micro Focus Enhancement Requests Portal is moving. We are migrating the IDEAS from this site to the New Idea Exchange on May 6th. For more information on the new Idea Exchange please visit the Community FAQs.

1

ArcSight CEF CustomFieldMap

Comments