├── .github ├── FUNDING.yml ├── dependabot.yml └── workflows │ ├── pr.yml │ └── publish.yml ├── setup.cfg ├── cefevent ├── __init__.py ├── test_generator.py ├── run.py ├── test_sender.py ├── syslog.py ├── generator.py ├── sender.py ├── test_event.py ├── event.py └── extensions.py ├── MANIFEST ├── setup.py ├── LICENSE ├── .gitignore └── README.md /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: [kamushadenes] 2 | -------------------------------------------------------------------------------- /setup.cfg: -------------------------------------------------------------------------------- 1 | [metadata] 2 | description-file = README.md 3 | -------------------------------------------------------------------------------- /cefevent/__init__.py: -------------------------------------------------------------------------------- 1 | from .event import CEFEvent 2 | from .sender import CEFSender 3 | -------------------------------------------------------------------------------- /MANIFEST: -------------------------------------------------------------------------------- 1 | # file GENERATED by distutils, do NOT edit 2 | setup.cfg 3 | setup.py 4 | cefevent/__init__.py 5 | cefevent/run.py 6 | cefevent/syslog.py 7 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # To get started with Dependabot version updates, you'll need to specify which 2 | # package ecosystems to update and where the package manifests are located. 3 | # Please see the documentation for all configuration options: 4 | # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates 5 | 6 | version: 2 7 | updates: 8 | - package-ecosystem: "pip" # See documentation for possible values 9 | directory: "/" # Location of package manifests 10 | schedule: 11 | interval: "weekly" 12 | -------------------------------------------------------------------------------- /.github/workflows/pr.yml: -------------------------------------------------------------------------------- 1 | name: PyTest 2 | on: [ pull_request ] 3 | 4 | jobs: 5 | test: 6 | runs-on: ubuntu-latest 7 | timeout-minutes: 10 8 | 9 | steps: 10 | - name: Check out repository code 11 | uses: actions/checkout@v4 12 | 13 | - name: Setup Python 14 | uses: actions/setup-python@v4 15 | with: 16 | python-version: "3.x" 17 | 18 | - name: Install dependencies 19 | run: | 20 | python -m pip install --upgrade pip 21 | pip install setuptools wheel twine pytest 22 | 23 | - name: Test 24 | run: pytest -v 25 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | import os 2 | from setuptools import setup 3 | 4 | long_description = "ArcSight Common Event Format library" 5 | if os.path.exists("README.md"): 6 | long_description = open("README.md", "r").read() 7 | 8 | setup( 9 | name="cefevent", 10 | packages=["cefevent"], 11 | version="0.5.6", 12 | description="ArcSight Common Event Format library", 13 | long_description=long_description, 14 | long_description_content_type="text/markdown", 15 | author="Henrique Goncalves", 16 | author_email="kamus@hadenes.io", 17 | url="https://github.com/kamushadenes/cefevent", 18 | download_url="https://github.com/kamushadenes/cefevent/tarball/0.5.6", 19 | keywords=["logging", "cef", "arcsight", "event", "security"], 20 | ) 21 | -------------------------------------------------------------------------------- /.github/workflows/publish.yml: -------------------------------------------------------------------------------- 1 | name: Upload Python Package 2 | 3 | on: 4 | release: 5 | types: [ published ] 6 | 7 | jobs: 8 | deploy: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - name: Check out repository code 12 | uses: actions/checkout@v4 13 | 14 | - name: Set up Python 15 | uses: actions/setup-python@v4 16 | with: 17 | python-version: '3.x' 18 | 19 | - name: Install dependencies 20 | run: | 21 | python -m pip install --upgrade pip 22 | pip install setuptools wheel twine pytest 23 | 24 | - name: Test 25 | run: pytest -v 26 | 27 | - name: Build and publish 28 | env: 29 | TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} 30 | TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }} 31 | run: | 32 | python setup.py sdist bdist_wheel 33 | twine upload dist/* 34 | -------------------------------------------------------------------------------- /cefevent/test_generator.py: -------------------------------------------------------------------------------- 1 | import ipaddress 2 | import random 3 | 4 | from cefevent.event import CEFEvent 5 | from cefevent.generator import generate_random_events, random_addr 6 | 7 | 8 | def test_random_addr(): 9 | for _ in range(0, 1000): 10 | try: 11 | ipaddress.ip_address(random_addr()) 12 | except ValueError: 13 | assert False, "An invalid IPv4 address was generated" 14 | try: 15 | ipaddress.ip_address(random_addr(v6=True)) 16 | except ValueError: 17 | assert False, "An invalid IPv4 address was generated" 18 | 19 | 20 | def test_generate_random_events(): 21 | field_count = random.randint(10, 100) 22 | event_count = random.randint(1000, 5000) 23 | 24 | events = generate_random_events( 25 | field_count=field_count, event_count=event_count, strict=True 26 | ) 27 | 28 | assert len(events) == event_count 29 | assert all(isinstance(ev, CEFEvent) for ev in events) 30 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2016 Kamus Hadenes 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /cefevent/run.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | 4 | sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))) 5 | 6 | import argparse 7 | from cefevent.sender import CEFSender 8 | 9 | if __name__ == "__main__": 10 | parser = argparse.ArgumentParser( 11 | description="This library is able to generate, validate and send CEF events" 12 | ) 13 | parser.add_argument( 14 | "files", 15 | metavar="DEFINITION_FILE", 16 | type=str, 17 | nargs="+", 18 | help="an file containing event definitions", 19 | ) 20 | parser.add_argument( 21 | "--host", type=str, help="Syslog destination host", required=True 22 | ) 23 | parser.add_argument("--port", type=int, default=514, help="Syslog destination port") 24 | parser.add_argument("--tcp", action="store_true", help="Use TCP instead of UDP") 25 | parser.add_argument( 26 | "--auto_send", 27 | action="store_true", 28 | help="Auto send logs, default to sending once", 29 | ) 30 | parser.add_argument("--eps", type=int, default=100, help="Max EPS") 31 | 32 | args = parser.parse_args() 33 | 34 | cs = CEFSender( 35 | host=args.host, 36 | port=args.port, 37 | files=args.files, 38 | protocol="TCP" if args.tcp else "UDP", 39 | ) 40 | 41 | if args.auto_send: 42 | cs.auto_send_log(args.eps) 43 | else: 44 | cs.send_logs() 45 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | env/ 12 | build/ 13 | develop-eggs/ 14 | dist/ 15 | downloads/ 16 | eggs/ 17 | .eggs/ 18 | lib/ 19 | lib64/ 20 | parts/ 21 | sdist/ 22 | var/ 23 | *.egg-info/ 24 | .installed.cfg 25 | *.egg 26 | 27 | # PyInstaller 28 | # Usually these files are written by a python script from a template 29 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 30 | *.manifest 31 | *.spec 32 | 33 | # Installer logs 34 | pip-log.txt 35 | pip-delete-this-directory.txt 36 | 37 | # Unit test / coverage reports 38 | htmlcov/ 39 | .tox/ 40 | .coverage 41 | .coverage.* 42 | .cache 43 | nosetests.xml 44 | coverage.xml 45 | *,cover 46 | .hypothesis/ 47 | 48 | # Translations 49 | *.mo 50 | *.pot 51 | 52 | # Django stuff: 53 | *.log 54 | local_settings.py 55 | 56 | # Flask stuff: 57 | instance/ 58 | .webassets-cache 59 | 60 | # Scrapy stuff: 61 | .scrapy 62 | 63 | # Sphinx documentation 64 | docs/_build/ 65 | 66 | # PyBuilder 67 | target/ 68 | 69 | # IPython Notebook 70 | .ipynb_checkpoints 71 | 72 | # pyenv 73 | .python-version 74 | 75 | # celery beat schedule file 76 | celerybeat-schedule 77 | 78 | # dotenv 79 | .env 80 | 81 | # virtualenv 82 | venv/ 83 | ENV/ 84 | 85 | # Spyder project settings 86 | .spyderproject 87 | 88 | # Rope project settings 89 | .ropeproject 90 | 91 | 92 | .imdone 93 | 94 | # IDE stuff 95 | .idea/ -------------------------------------------------------------------------------- /cefevent/test_sender.py: -------------------------------------------------------------------------------- 1 | import csv 2 | import os 3 | import random 4 | import select 5 | import socket 6 | import tempfile 7 | import threading 8 | from time import sleep 9 | 10 | from cefevent.generator import generate_random_events 11 | from cefevent.sender import CEFSender 12 | 13 | sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 14 | sock.bind(("127.0.0.1", 0)) 15 | sock.setblocking(False) 16 | 17 | recvd_pkt = 0 18 | 19 | 20 | def listen(running: threading.Event): 21 | global recvd_pkt 22 | 23 | while running.is_set(): 24 | ready = select.select([sock], [], [], 1) 25 | if ready[0]: 26 | data, _ = sock.recvfrom(1024) 27 | recvd_pkt += 1 28 | sock.close() 29 | 30 | 31 | def test_sender(): 32 | files = 3 33 | 34 | fnames = [tempfile.mktemp() for _ in range(files)] 35 | events = [ 36 | generate_random_events(field_count=10, event_count=random.randint(1, 100)) 37 | for _ in range(files) 38 | ] 39 | 40 | for idx, fn in enumerate(fnames): 41 | headers = events[idx][0].get_fields().keys() 42 | with open(fn, "w") as f: 43 | writer = csv.DictWriter(f, headers, extrasaction="ignore", delimiter=";") 44 | writer.writeheader() 45 | writer.writerows([ev.get_fields() for ev in events[idx]]) 46 | 47 | running = threading.Event() 48 | running.set() 49 | 50 | sender = CEFSender(fnames, "127.0.0.1", sock.getsockname()[1]) 51 | 52 | assert sum(map(len, events)) == len(sender.cef_poll) 53 | 54 | t = threading.Thread(target=listen, args=(running,)) 55 | t.start() 56 | sleep(0.1) 57 | 58 | sender.send_logs() 59 | 60 | sleep(1) 61 | running.clear() 62 | 63 | if not os.environ.get('GITHUB_ACTIONS'): 64 | assert recvd_pkt == len(sender.cef_poll) 65 | 66 | map(os.remove, fnames) 67 | -------------------------------------------------------------------------------- /cefevent/syslog.py: -------------------------------------------------------------------------------- 1 | """ 2 | Remote syslog client. 3 | 4 | Works by sending UDP messages to a remote syslog server. The remote server 5 | must be configured to accept logs from the network. 6 | 7 | License: PUBLIC DOMAIN 8 | Author: Christian Stigen Larsen 9 | 10 | For more information, see RFC 3164. 11 | """ 12 | 13 | import socket 14 | 15 | 16 | class Facility: 17 | """Syslog facilities""" 18 | 19 | ( 20 | KERN, 21 | USER, 22 | MAIL, 23 | DAEMON, 24 | AUTH, 25 | SYSLOG, 26 | LPR, 27 | NEWS, 28 | UUCP, 29 | CRON, 30 | AUTHPRIV, 31 | FTP, 32 | ) = range(12) 33 | 34 | LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7 = range(16, 24) 35 | 36 | 37 | class Level: 38 | """Syslog levels""" 39 | 40 | EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO, DEBUG = range(8) 41 | 42 | 43 | class Syslog: 44 | """A syslog client that logs to a remote server. 45 | 46 | Example: 47 | >>> log = Syslog(host="foobar.example") 48 | >>> log.send("hello", Level.WARNING) 49 | """ 50 | 51 | def __init__( 52 | self, host="localhost", port=514, facility=Facility.DAEMON, protocol="UDP" 53 | ): 54 | self.host = host 55 | self.port = port 56 | self.facility = facility 57 | self.protocol = protocol 58 | if self.protocol == "UDP": 59 | self.socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 60 | elif self.protocol == "TCP": 61 | self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 62 | self.socket.connect((self.host, self.port)) 63 | else: 64 | raise Exception( 65 | "Invalid protocol {}, valid options are UDP and TCP".format( 66 | self.protocol 67 | ) 68 | ) 69 | 70 | def send(self, message, level=Level.NOTICE): 71 | """Send a syslog message to remote host using UDP or TCP""" 72 | data = "<%d>%s" % (level + self.facility * 8, message) 73 | if self.protocol == "UDP": 74 | self.socket.sendto(data.encode("utf-8"), (self.host, self.port)) 75 | else: 76 | self.socket.send(data.encode("utf-8")) 77 | 78 | def warn(self, message): 79 | """Send a syslog warning message.""" 80 | self.send(message, Level.WARNING) 81 | 82 | def notice(self, message): 83 | """Send a syslog notice message.""" 84 | self.send(message, Level.NOTICE) 85 | 86 | def error(self, message): 87 | """Send a syslog error message.""" 88 | self.send(message, Level.ERR) 89 | -------------------------------------------------------------------------------- /cefevent/generator.py: -------------------------------------------------------------------------------- 1 | import random 2 | import string 3 | from datetime import datetime, timedelta 4 | import ipaddress 5 | import sys 6 | from cefevent.event import CEFEvent 7 | 8 | from typing import AnyStr 9 | 10 | random.seed(datetime.now().timestamp()) 11 | 12 | ipv4_networks = ["10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/24"] 13 | ipv6_networks = ["fd00::/48", "fd00::/64"] 14 | 15 | allowed_chars = string.ascii_uppercase + string.ascii_lowercase + string.digits 16 | 17 | start_date = datetime(1970, 1, 1) 18 | end_date = datetime(2999, 1, 1) 19 | delta = end_date - start_date 20 | int_delta = (delta.days * 24 * 60 * 60) + delta.seconds 21 | 22 | 23 | def random_addr(network: AnyStr = None, v6: bool = False): 24 | if network is None: 25 | network = random.choice(ipv6_networks) if v6 else random.choice(ipv4_networks) 26 | net = ipaddress.IPv6Network(network) if v6 else ipaddress.IPv4Network(network) 27 | # Which of the network.num_addresses we want to select? 28 | addr_no = random.randint(0, net.num_addresses) 29 | # Create the random address by converting to a 128-bit integer, adding addr_no and converting back 30 | network_int = int.from_bytes(net.network_address.packed, byteorder="big") 31 | addr_int = network_int + addr_no 32 | if v6: 33 | return str(ipaddress.IPv6Address(addr_int.to_bytes(16, byteorder="big"))) 34 | else: 35 | return str(ipaddress.IPv4Address(addr_int.to_bytes(4, byteorder="big"))) 36 | 37 | 38 | def generate_random_events( 39 | field_count: int = 10, event_count: int = 1, strict: bool = False 40 | ): 41 | cef = CEFEvent() 42 | 43 | events = [] 44 | 45 | fields = random.choices( 46 | list(cef._reverse_extension_dictionary.keys()), k=field_count 47 | ) 48 | 49 | for _ in range(0, event_count): 50 | ev = CEFEvent(strict=strict) 51 | ev.set_prefix("name", "Random CEF Event") 52 | ev.set_prefix("severity", random.randint(0, 10)) 53 | for field in fields: 54 | fdef = cef._reverse_extension_dictionary[field] 55 | if fdef["data_type"] == "String": 56 | ev.set_field( 57 | field, 58 | "".join( 59 | random.choices( 60 | allowed_chars, k=random.randint(1, fdef["length"]) 61 | ) 62 | ), 63 | ) if fdef["length"] else "" 64 | elif fdef["data_type"] == "Integer": 65 | ev.set_field(field, random.randint(0, 2147483647)) 66 | elif fdef["data_type"] in ["Floating Point", "Long"]: 67 | ev.set_field(field, round(random.uniform(0, 2147483647), 5)) 68 | elif fdef["data_type"] == "IPv4 Address": 69 | ev.set_field(field, random_addr()) 70 | elif fdef["data_type"] == "IPv6 Address": 71 | ev.set_field(field, random_addr(v6=True)) 72 | elif fdef["data_type"] == "MAC Address": 73 | ev.set_field( 74 | field, 75 | "{}:{}:{}:{}:{}:{}".format( 76 | *map( 77 | lambda x: hex(x)[2:].upper().zfill(2), 78 | random.sample(range(0, 255), 6), 79 | ) 80 | ), 81 | ) 82 | elif fdef["data_type"] == "TimeStamp": 83 | ev.set_field( 84 | field, start_date + timedelta(seconds=random.randrange(int_delta)) 85 | ) 86 | else: 87 | print(fdef) 88 | 89 | events.append(ev) 90 | 91 | return events 92 | -------------------------------------------------------------------------------- /cefevent/sender.py: -------------------------------------------------------------------------------- 1 | import random 2 | import sched 3 | import time 4 | from datetime import datetime 5 | from typing import List, AnyStr, Any, Callable 6 | 7 | from cefevent.event import CEFEvent 8 | from cefevent.syslog import Syslog 9 | 10 | 11 | class CEFSender(object): 12 | def __init__( 13 | self, files: List[AnyStr], host: AnyStr, port: int, protocol: AnyStr = "UDP" 14 | ): 15 | 16 | self.cef_poll = [] 17 | self.host = host 18 | self.port = port 19 | self.protocol = protocol 20 | self.syslog = Syslog(host, port=port, protocol=self.protocol) 21 | 22 | self.max_eps = 100 23 | 24 | self.sent_count = 0 25 | 26 | now = datetime.now() 27 | self.auto_send_start = now 28 | 29 | self.auto_send_checkpoint = now 30 | 31 | self.checkpoint_sent_count = 0 32 | 33 | self.scheduler = sched.scheduler(time.time, time.sleep) 34 | 35 | for fn in files: 36 | with open(fn, "r") as f: 37 | lines = f.readlines() 38 | 39 | headers = [i.strip() for i in lines[0].split(";")] 40 | 41 | for line in lines[1:]: 42 | line = line.strip() 43 | fields = [i.strip() for i in line.split(";")] 44 | if len(fields) != len(headers): 45 | continue 46 | cef = CEFEvent() 47 | cef.load(headers, fields) 48 | self.cef_poll.append(cef) 49 | 50 | def get_cef_poll(self): 51 | self.log(self.cef_poll) 52 | 53 | def get_info(self): 54 | self.log( 55 | "There are {} events in the poll. The max EPS is set to {}".format( 56 | len(self.cef_poll), self.max_eps 57 | ) 58 | ) 59 | 60 | def send_log(self, cef: CEFEvent): 61 | self.syslog.send(cef.build_cef()) 62 | self.sent_count += 1 63 | self.checkpoint_sent_count += 1 64 | 65 | def send_random_log(self, *args, **kw): 66 | self.send_log(random.choice(self.cef_poll)) 67 | 68 | def timed_call(self, calls_per_second: float, callback: Callable, *args, **kw): 69 | period = 1.0 / calls_per_second 70 | 71 | def reload(): 72 | callback(*args, **kw) 73 | self.scheduler.enter(period, 0, reload, ()) 74 | 75 | self.scheduler.enter(period, 0, reload, ()) 76 | 77 | def get_eps(self): 78 | now = datetime.now() 79 | time_diff = (now - self.auto_send_checkpoint).total_seconds() 80 | eps = self.checkpoint_sent_count / (time_diff if time_diff > 0 else 1) 81 | 82 | self.log("Current EPS: {}".format(eps)) 83 | 84 | self.auto_send_checkpoint = now 85 | self.checkpoint_sent_count = 0 86 | 87 | @staticmethod 88 | def log(msg: Any): 89 | now = datetime.now().strftime("%Y-%m-%dT%H:%M:%S") 90 | print("[*] [{}] {}".format(now, msg)) 91 | 92 | def get_total_event_count(self): 93 | self.log( 94 | "{} events sent since {}".format(self.sent_count, self.auto_send_start) 95 | ) 96 | 97 | def auto_send_log(self, eps: int): 98 | self.max_eps = eps 99 | self.get_info() 100 | self.auto_send_start = datetime.now() 101 | self.timed_call(eps, self.send_random_log) 102 | self.timed_call(0.1, self.get_eps) 103 | self.timed_call(0.016, self.get_total_event_count) 104 | self.scheduler.run() 105 | 106 | def send_logs(self): 107 | for ev in self.cef_poll: 108 | self.send_log(ev) 109 | self.log("{} events sent".format(self.sent_count)) 110 | -------------------------------------------------------------------------------- /cefevent/test_event.py: -------------------------------------------------------------------------------- 1 | from cefevent.event import CEFEvent 2 | 3 | 4 | def test_load(): 5 | ev = CEFEvent() 6 | 7 | headers = ["sourceAddress", "name", "message", "sourcePort"] 8 | fields = ["127.0.0.1", "Test Event", "Answer=42", 1234] 9 | ev.load(headers, fields) 10 | 11 | assert ( 12 | ev.build_cef() 13 | == "CEF:0|CEF Vendor|CEF Product|1.0|0|Test Event|5|src=127.0.0.1 msg=Answer\\=42 spt=1234" 14 | ) 15 | 16 | 17 | def test_source_address(): 18 | ev = CEFEvent() 19 | 20 | assert ev.set_field("sourceAddress", "192.168.67.1") == "192.168.67.1" 21 | assert ev.set_field("sourceAddress", "192.168.67.500") is False 22 | assert ev.set_field("sourceAddress", "INVALID_DATA") is False 23 | 24 | 25 | def test_source_mac_address(): 26 | ev = CEFEvent() 27 | 28 | assert ev.set_field("sourceMacAddress", "INVALID_DATA") is False 29 | assert ev.set_field("sourceMacAddress", "00:11:22:33:44:55") == "00:11:22:33:44:55" 30 | assert ev.set_field("sourceMacAddress", "AA:bb:CC:dd:EE:ff") == "aa:bb:cc:dd:ee:ff" 31 | assert ev.set_field("sourceMacAddress", "AA:bb:CC:ZZ:EE:ff") is False 32 | 33 | 34 | def test_source_port(): 35 | ev = CEFEvent() 36 | 37 | assert ev.set_field("sourcePort", "INVALID_DATA") is False 38 | assert ev.set_field("sourcePort", "123456") is False 39 | assert ev.set_field("sourcePort", 123456) is False 40 | assert ev.set_field("sourcePort", "12345") == 12345 41 | assert ev.set_field("sourcePort", 12345) == 12345 42 | 43 | 44 | def test_message(): 45 | ev = CEFEvent() 46 | 47 | assert ev.set_field("message", "INVALID_DATA") == "INVALID_DATA" 48 | assert ev.set_field("message", 123456) == "123456" 49 | assert ev.set_field("message", "test=123456") == "test\\=123456" 50 | 51 | 52 | def test_deviceCustomIPv6Address4(): 53 | ev = CEFEvent() 54 | 55 | assert ev.set_field("deviceCustomIPv6Address4", "INVALID_DATA") is False 56 | assert ev.set_field("deviceCustomIPv6Address4", "2001:0db8:85a3:0000:0000:8a2e:0370:7334") == "2001:0db8:85a3:0000:0000:8a2e:0370:7334" 57 | assert ev.set_field("deviceCustomIPv6Address4", "2001:0db8:85a3::1") == "2001:0db8:85a3::1" 58 | 59 | 60 | def test_strict(): 61 | ev = CEFEvent() 62 | 63 | ev.strict = True 64 | try: 65 | ev.set_field("sourceAddress", "not_a_ip_address") 66 | except ValueError as e: 67 | assert "The following rules apply" in str( 68 | e 69 | ), "The string 'The following rules apply' do not appear in thrown error when setting an invalid ip" 70 | else: 71 | assert ( 72 | False 73 | ), "The set_field() fields methods did ot throw an error when setting an invalid ip" 74 | 75 | try: 76 | ev.set_field("src", "not_a_ip_address") 77 | except ValueError as e: 78 | assert "The following rules apply" in str( 79 | e 80 | ), "The string 'The following rules apply' do not appear in thrown error when setting an invalid ip" 81 | else: 82 | assert ( 83 | False 84 | ), "The set_field() fields methods did ot throw an error when setting an invalid ip" 85 | 86 | try: 87 | ev.set_field("not an field name", "VALUE") 88 | except ValueError as e: 89 | assert "Unknown CEF field" in str( 90 | e 91 | ), "The string 'Unknown CEF field' do not appear in thrown error" 92 | else: 93 | assert ( 94 | False 95 | ), "The set_field() fields methods did ot throw an error when setting an unknown field" 96 | 97 | try: 98 | ev.set_prefix("not an prefix name", "VALUE") 99 | except ValueError as e: 100 | assert "Unknown CEF prefix" in str( 101 | e 102 | ), "The string 'Unknown CEF prefix' do not appear in thrown error" 103 | else: 104 | assert ( 105 | False 106 | ), "The set_prefix() fields methods did ot throw an error when setting an unknown prefix" 107 | 108 | try: 109 | ev.set_prefix("severity", 42) 110 | except ValueError as e: 111 | assert "The severity must be an int in [0-10]" in str( 112 | e 113 | ), "The string 'The severity must be an int in [0-10]' do not appear in thrown error" 114 | else: 115 | assert ( 116 | False 117 | ), "The set_prefix() fields methods did ot throw an error when setting an severity out of bounds" 118 | 119 | ev.strict = False 120 | try: 121 | try: 122 | ev.set_field("src", "notaIPaddress") 123 | except ValueError as e: 124 | assert "The following rules apply" in str( 125 | e 126 | ), "The string 'The following rules apply' do not appear in thrown error when setting an invalid ip" 127 | else: 128 | assert ( 129 | False 130 | ), "The set_field() fields methods did ot throw an error when setting an invalid ip" 131 | except AssertionError: 132 | pass 133 | else: 134 | assert False, "The strict test passed event if ev.strict=False" 135 | -------------------------------------------------------------------------------- /cefevent/event.py: -------------------------------------------------------------------------------- 1 | import re 2 | import socket 3 | from typing import Any, AnyStr, List 4 | 5 | from cefevent.extensions import extension_dictionary 6 | 7 | 8 | class CEFEvent(object): 9 | _prefix_list = [ 10 | "name", 11 | "deviceVendor", 12 | "deviceProduct", 13 | "signatureId", 14 | "version", 15 | "deviceVersion", 16 | "severity", 17 | ] 18 | 19 | _extension_dictionary = extension_dictionary 20 | 21 | def __init__(self, strict: bool = False): 22 | """ 23 | Create a new CEFEvent. 24 | 25 | Arguments: 26 | - strict (`bool`): Set to True to throw ValueError if trying to create an invalid CEFEvent. 27 | 28 | """ 29 | 30 | self.extensions = None 31 | self.prefixes = {} 32 | self.reset() 33 | 34 | self._reverse_extension_dictionary = {} 35 | 36 | self._validate_extensions() 37 | self._build_reverse_extension_dictionary() 38 | 39 | self.strict = strict 40 | 41 | def __repr__(self): 42 | return self.build_cef() 43 | 44 | def load(self, headers: List[AnyStr], fields: List[Any]): 45 | for idx, value in enumerate(fields): 46 | self.set_field(headers[idx], value) 47 | 48 | def _validate_field_value(self, field: AnyStr, value: Any): 49 | obj = self._reverse_extension_dictionary[field] 50 | 51 | # Handle special case of ports 52 | if obj["full_name"].endswith("Port"): 53 | try: 54 | value = int(value) 55 | except: 56 | return False 57 | if not 0 <= value <= 65535: 58 | return False 59 | return value 60 | 61 | for dt in obj["data_type"]: 62 | if dt in ["Integer", "Long"]: 63 | if dt == "Integer" and value > 2**31-1: 64 | continue 65 | try: 66 | return int(value) 67 | except: 68 | continue 69 | elif dt == "IPv4 Address": 70 | if not value.count(".") == 3: 71 | continue 72 | try: 73 | socket.inet_pton(socket.AF_INET, value) 74 | except AttributeError: # no inet_pton here, sorry 75 | try: 76 | socket.inet_aton(value) 77 | except socket.error: 78 | continue 79 | except socket.error: # not a valid address 80 | continue 81 | return value 82 | elif dt == "IPv6 Address": 83 | if not value.count(":") >= 2: 84 | continue 85 | try: 86 | socket.inet_pton(socket.AF_INET6, value) 87 | except: 88 | continue 89 | return value 90 | elif dt == "MAC Address": 91 | valid_mac = bool( 92 | re.match( 93 | "^" + "[\\:\\-]".join(["([0-9a-f]{2})"] * 6) + "$", 94 | value.strip().lower(), 95 | ) 96 | ) 97 | if valid_mac: 98 | return value.strip().lower() 99 | else: 100 | continue 101 | 102 | elif dt == "String": 103 | value = str(value).strip() 104 | 105 | if len(value) > obj["length"] > 0: 106 | continue 107 | else: 108 | value = value.replace("\\", "\\\\") 109 | value = value.replace("=", "\\=") 110 | value = value.replace("\n", "\\n") 111 | return value 112 | elif dt == "Floating Point": 113 | try: 114 | return float(value) 115 | except: 116 | continue 117 | else: 118 | return value 119 | 120 | return False 121 | 122 | def set_prefix(self, prefix: AnyStr, value: Any): 123 | if prefix in self._prefix_list: 124 | if prefix == "severity": 125 | if value in ["Unknown", "Low", "Medium", "High", "Very-High"]: 126 | self.prefixes[prefix] = value 127 | return self.prefixes[prefix] 128 | elif int(value) in range(0, 11): 129 | self.prefixes[prefix] = int(value) 130 | return self.prefixes[prefix] 131 | else: 132 | if self.strict: 133 | raise ValueError( 134 | "The severity must be an int in [0-10]. Not: {}".format( 135 | value 136 | ) 137 | ) 138 | return False 139 | else: 140 | value = value.replace("\\", "\\\\") 141 | value = value.replace("|", "\\|") 142 | self.prefixes[prefix] = value.strip() 143 | return self.prefixes[prefix] 144 | if self.strict: 145 | raise ValueError("Unknown CEF prefix: {}".format(prefix)) 146 | return False 147 | 148 | def set_field(self, field: AnyStr, value: Any): 149 | if field in self._prefix_list: 150 | return self.set_prefix(field, value) 151 | 152 | if field in self._reverse_extension_dictionary: 153 | v = self._validate_field_value(field, value) 154 | if v is not False: 155 | self.extensions[field] = v 156 | return self.extensions[field] 157 | else: 158 | if self.strict: 159 | raise ValueError( 160 | "Invalid value for field: {}\nThe following rules apply: {}".format( 161 | field, self.get_field_metadata(field) 162 | ) 163 | ) 164 | return False 165 | elif field in self._extension_dictionary: 166 | field = self._extension_dictionary[field]["full_name"] 167 | v = self._validate_field_value(field, value) 168 | if v: 169 | self.extensions[field] = v 170 | return self.extensions[field] 171 | else: 172 | if self.strict: 173 | raise ValueError( 174 | "Invalid value for field: {}\nThe following rules apply: {}".format( 175 | field, self.get_field_metadata(field) 176 | ) 177 | ) 178 | return False 179 | if self.strict: 180 | raise ValueError("Unknown CEF field: {}".format(field)) 181 | return False 182 | 183 | def _build_reverse_extension_dictionary(self): 184 | for item in self._extension_dictionary.items(): 185 | self._reverse_extension_dictionary[item[1]["full_name"]] = item[1] 186 | self._reverse_extension_dictionary[item[1]["full_name"]]["name"] = item[0] 187 | 188 | def _validate_extensions(self): 189 | for item in self._extension_dictionary.items(): 190 | for dt in item[1]["data_type"]: 191 | if dt not in [ 192 | "TimeStamp", 193 | "IPv4 Address", 194 | "String", 195 | "Long", 196 | "Integer", 197 | "MAC Address", 198 | "IPv6 Address", 199 | "Floating Point", 200 | ]: 201 | print( 202 | "[-] Invalid data_type in item {}: {}".format( 203 | item[0], item[1]["data_type"] 204 | ) 205 | ) 206 | try: 207 | int(item[1]["length"]) 208 | except: 209 | print( 210 | "[-] Invalid length in item {}: {}".format( 211 | item[0], item[1]["length"] 212 | ) 213 | ) 214 | 215 | def build_cef(self): 216 | template = "CEF:{version}|{deviceVendor}|{deviceProduct}|{deviceVersion}|{signatureId}|{name}|{severity}|{extensions}" 217 | 218 | extensions = [ 219 | "{}={}".format(self.get_cef_field_name(field), self.extensions[field]) 220 | for field in self.extensions.keys() 221 | ] 222 | 223 | return template.format(extensions=" ".join(extensions), **self.prefixes) 224 | 225 | def get_fields(self): 226 | return dict(**self.prefixes, **self.extensions) 227 | 228 | def get_cef_field_name(self, field: AnyStr): 229 | if field in self._extension_dictionary: 230 | return field 231 | elif field in self._reverse_extension_dictionary: 232 | return self._reverse_extension_dictionary[field]["name"] 233 | 234 | def get_field_metadata(self, field: AnyStr, metadata: AnyStr = None): 235 | if field in self._extension_dictionary: 236 | if not metadata: 237 | return self._extension_dictionary[field] 238 | else: 239 | return self._extension_dictionary[field][metadata] 240 | elif field in self._reverse_extension_dictionary: 241 | if not metadata: 242 | return self._reverse_extension_dictionary[field] 243 | else: 244 | return self._reverse_extension_dictionary[field][metadata] 245 | 246 | def reset(self): 247 | self.extensions = {} 248 | self.prefixes = { 249 | "version": 0, 250 | "deviceVendor": "CEF Vendor", 251 | "deviceProduct": "CEF Product", 252 | "deviceVersion": "1.0", 253 | "signatureId": "0", 254 | "name": "CEF Event", 255 | "severity": 5, 256 | } 257 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

cefevent

2 | 3 |

4 | ArcSight's Common Event Format library 5 |

6 | 7 |
8 | 9 | [![Downloads](https://pepy.tech/badge/cefevent)](https://pepy.tech/project/cefevent) 10 | ![GitHub](https://img.shields.io/github/license/kamushadenes/cefevent) 11 | ![GitHub release (latest by date)](https://img.shields.io/github/v/release/kamushadenes/cefevent) 12 | ![Libraries.io dependency status for GitHub repo](https://img.shields.io/librariesio/github/kamushadenes/cefevent) 13 | ![GitHub code size in bytes](https://img.shields.io/github/languages/code-size/kamushadenes/cefevent) 14 | ![PyPI - Format](https://img.shields.io/pypi/format/cefevent) 15 | 16 | 17 |
18 | 19 | This library is able to generate, validate and send CEF events. 20 | 21 |
22 | 23 | ## Usage 24 | 25 | ``` 26 | usage: run.py [-h] --host HOST [--port PORT] [--tcp] [--auto_send] [--eps EPS] DEFINITION_FILE [DEFINITION_FILE ...] 27 | 28 | CEF builder and replayer 29 | 30 | positional arguments: 31 | DEFINITION_FILE an file containing event definitions 32 | 33 | optional arguments: 34 | -h, --help show this help message and exit 35 | --host HOST Syslog destination host 36 | --port PORT Syslog destination port 37 | --tcp Use TCP instead of UDP 38 | --auto_send Auto send logs 39 | --eps EPS Max EPS 40 | ``` 41 | 42 | By default, it will read the definition file and send each log line once. 43 | 44 | If instead `--auto_send` is specified, it will send at `--eps` events per second. 45 | 46 | You can use either TCP or UDP Syslog servers as destination. 47 | 48 | ### DEFINITION_FILE format 49 | The definition file is a CSV file, delimited by `;`, with the CEF field names as headers in the first line. 50 | 51 | ### Send Once Example 52 | ``` 53 | python run.py --host localhost --port 10514 /tmp/example_cef_csv 54 | [*] [2022-05-11T03:12:40] 42 events sent 55 | ``` 56 | 57 | ### Replay Example 58 | ``` 59 | python run.py --host localhost --port 10514 --auto_send --eps 10000 /tmp/example_cef_csv 60 | [*] [2016-07-21T03:27:30] There are 149 events in the poll. The max EPS is set to 10000 61 | [*] [2016-07-21T03:27:40] Current EPS: 3479.0691266185677 62 | [*] [2016-07-21T03:27:50] Current EPS: 3909.1143903948505 63 | [*] [2016-07-21T03:28:00] Current EPS: 3703.146674687884 64 | [*] [2016-07-21T03:28:10] Current EPS: 3521.793641832017 65 | [*] [2016-07-21T03:28:20] Current EPS: 3678.019083580161 66 | [*] [2016-07-21T03:28:30] Current EPS: 3649.0109641324752 67 | [*] [2016-07-21T03:28:33] 228248 events sent since 2016-07-21 03:27:30.502906 68 | ``` 69 | 70 | ### API Usage 71 | 72 | #### Get field metadata 73 | 74 | ```python 75 | >>> from cefevent.event import CEFEvent 76 | >>> c = CEFEvent() 77 | 78 | >>> c.get_field_metadata('c6a1', 'full_name') 79 | 80 | 'deviceCustomIPv6Address1' 81 | 82 | 83 | >>> c.get_field_metadata('c6a1', 'data_type') 84 | 85 | 'IPv6 Address' 86 | 87 | 88 | >>> c.get_field_metadata('c6a1', 'description') 89 | 90 | 'One of four IPV6 address fields available to map fields that do not apply to any other in this dictionary.' 91 | 92 | 93 | >>> c.get_field_metadata('c6a1') 94 | 95 | {'data_type': 'IPv6 Address', 96 | 'description': 'One of four IPV6 address fields available to map fields that do not apply to any other in this dictionary.', 97 | 'full_name': 'deviceCustomIPv6Address1', 98 | 'length': 0, 99 | 'name': 'c6a1'} 100 | ``` 101 | 102 | #### Convert ArcSight Naming to CEF Naming 103 | 104 | ```python 105 | >>> from cefevent.event import CEFEvent 106 | >>> c = CEFEvent() 107 | 108 | >>> c.get_cef_field_name('deviceAddress') 109 | 110 | 'dvc' 111 | ``` 112 | 113 | #### Build an CEF event from scratch 114 | 115 | ```python 116 | >>> from cefevent.event import CEFEvent 117 | >>> c = CEFEvent() 118 | 119 | >>> c.set_field('name', 'Event Name') 120 | >>> c.set_field('deviceVendor', 'Hyades Inc.') 121 | >>> c.set_field('deviceProduct', 'cefevent') 122 | 123 | # Equal signs will be automatically escaped (and so will pipes (|) and backslashes (\\), as per the white paper specification) 124 | >>> c.set_field('message', 'This is a test event (Answer=42)') 125 | 126 | # All fields have some sort of validation, check the test() function for examples 127 | >>> c.set_field('sourceAddress', '192.168.67.1') 128 | >>> c.set_field('sourcePort', 12345) 129 | 130 | # Finally, generate the CEF line 131 | >>> c.build_cef() 132 | 133 | CEF:0|Hyades Inc.|cefevent|1.0|0|Event Name|5|spt=12345 src=192.168.67.1 msg=This is a test event (Answer\\=42) 134 | ``` 135 | 136 | #### Event Generation 137 | 138 | The library is able to generate events using random data, respecting each field's data type and length limits. 139 | 140 | ```python 141 | >>> from cefevent.generator import generate_random_events 142 | >>> events = generate_random_events(field_count=10, event_count=100) 143 | 144 | >>> len(events) 145 | 100 146 | 147 | >>> events[0] 148 | CEF:0|CEF Vendor|CEF Product|1.0|0|Random CEF Event|5|cs5=okppjRMb57C3dLmTZc0gF2xcwCR9BWTG5IjhbiaPQj2RIYBM6frkKt4pFH6pGf7o7ajt1sQspiV6oCsfXRfl5mK199RjQvXpuU7K6JEDxF8F9SJxXHJrKVbl2Vlokfbet deviceDnsDomain=kV2F27lmrjig95bjUOqpAeeWD74VO0GOSfhvEZQ00NUW0TYuOzoEal0ksYmH8Epu5HRXTTn8IgwTcprN3ifcKQpNLZFfRxSCXMDYatWeE01UrOnlNr8cbHbVd9OxsiQwy6bWGd4UWl2Za2MS0A49vSEmYJtrkqUIZjskQGXxt8Aoz1myiqADIjyMm4HM3B oldFileType=nIPPu48a4zSAPy3jnsTc96Z3vDIKSmsEl8yFqWiAufVmAxAdNqJUlwCWFiG4VGtTrnPYfhIaAnbiu2Cg28oJWf2d2wB01BW29lXwoeE c6a1=fd00::8fba:74fb:c861:31cf cn3Label=IsTUoz63jtiHRTrOisYbMCxPCThcwvNDoTho00yobR4O2HOUVmiTuWJ1hk6otOkHZWCMeJVeflrJyE06pjFYDgp9raCQVPYwRTvAxGVzFNSJhQvq9Fe0nS8CdkQLUbbjho1upU0mrIMSWA09d9Jo5g5CzrHDdkRld7isaRrZELlG6WyVGuGT8A25uah2Hx9E6C7CzhRjSJbdJV86eH2MPMjj0KWmBbqs1CamMYjNC0KrBK19oDotIjONp6OHD01Dy2VUJcVR0u1kz8EO0bVls8YVYaxohy5L4vRKd5171z6z2MzIM8hVWfoVNpYPCMvCsDK1JqLyV98u3pMSIhHAWdtczaMSNzJ0oDiHRYczZVPLndPPjGkNRLiYggQVVekyfgEq9yYj4mNJ37aiaOfqaYAnMgTO45qZ2FOqeaJ2wNGuWFbwm0Ttr9unlmzzYw49UBVoDR1IIzKezTkfIzMDf6u04o5IYlUqjnIo7m3sfrUyNnvafA1htPG6uRjpDVeNTuJ4juQeUHzoK0yIOtCa7jR8gwjlx3YnR7NvntcZVkzfFzcQmkapFeuzmXBgRXRIm4FfneMSWZfzWHpikBGAD9GHJidcSoKC9pIExlsSgPufhQYnHI9b221si50aMwJNULGPZ134flM1FmGdOsvRDBoZx5Cu0zriA8cm0oSdWjhyP4vkYnT9oWmNAW0iCP8U0IM5sojtFaqSDLiDGFf6Gt45e2AvVoYZaIsjg8JhGmHOQ2zkoSql5dcNCIatmiMAwuNmh3DG3HBJREY23hR03LI1VNIPZH2YtmfeYQ4S7hzh2ulpYaAX7qrJtMKWdkEGAwsfaB6TgijL04nq7Hj9e0mnWrxcSPixlm98THZIhefYamh9ywq2hGzrgjEW1sNrvAUqKYhoQg6ORxvsoHVPT oldFilePermission=TEUtuXQWIM0qXlHJEK0HsM1TuWDvUOUKkIlTg8ZIdfJvxdT5CD6OXAXSkaaP4RsLRRnTGdpC4N8hbNbtBPVpug9XZHwQH9NCbKq8tE8j1VMWzilorUa60SAI4NcVhlmCF40NOH4A4kIcmvBAriU8DViCsySJ2DEBPKffXlNlnoZd38xCI9SOVzk7Y8dIRc34DRwqdjrKYNStbDA1xDvC9IlujF90W5TWutrh1tiRV16PqW7jPzggbVHYOZx0o8QimK5SMknQmERL2OsmIByc8RiZGzQbMfBKUGjJZNSR6d4RT68XvyN8Qqz9F9fmiWcPjx40yDkp4ATXIyhc8ClphIydsgbT7ucqvTwtnMi2w27Dp5MtxpiyLDRXcUlKu7yFwIlbU5JCIIj6esnM5zHK9e7VAxM5B1IWxYE0lxS7T8Y73vI3k0kziko1fQeckavQxjjKADloiMChkHwscOzF6k52tUzph8nqexVeclC9XoEMioQpTyKZTib4tYOqPvLW6vE7QtwmyOpOEFWpMb6nKRBZdprhI7jpzABSi5iF91IKHUgmaloiIAeaYC4J9NmEFUZwb7DTKL3MD7tSTbuIMbzhE3pAnwNTA3zMcjakULGgF8yJDijCDGogMFFjVQFyiYJfnZiNeAjpcV5YWMhc0gHB4wlaTuZPPhW0AxO0CdeaRKjM5St66EJ4QsMyvUiuUudH5DPHLRaGqfJJS0cjl3QhSD8MZ64l5MXb1OB1W1os4q cfp1=551727113.03403 destinationTranslatedPort=28984019 cn2Label=Ed7RC17O8V4v5XVB8hTbxypElVpCVEvelfurInKjehXOmj6UYACs5oaz4Yq15njcPzGyayTpMJ6NyYZDgvqSHCmd1uGld2JxVwQbqUdwpNEM66jjqbdPKJu2gEctNLtdJ8YmMvjKqqmBvdUEhKUDtJacSLSKWeqon36ww4lezQHh4mJxvHvQ2wXRvwgXSEHomuvTOQYA1EZ7TjzTjnBVr0GJgZPjJDIyLLeEbXMtXQQnOY0nKTkrciqPFEC7JgoFhwmNqq8p7fygcOed7yYEq9uAbgznyTekdWmv7fjVQFjc7CvtSkjGWijUUT7g2xQXXfYgklL3sgyBe3xGP83AA1x7hGWBFB7P60U7oWGpJcTt79bcbZqd3NJ18vKwiyUaV3ynUPGCEuFU0TUbirkg3eIIEfN0tgBYmbhJQPsLBITwmoDS8S041teA2ZRoFA5Pqbt8EWlarwbAdVCgIQtWthQe1QjJb7cnDy8m4kpx2ObkqEYrrxdCBSkOfvkhms8lRO3dyHtXBgi8x2U3ZP9GtGKjEG4zqKW6RSgbKKfAsEt1NmguQLaTl7q3UMZJTfFKjiSKy2EhP85CQflcjzioCcC5AnZN7nivtsuo31Wx5PVRcWx1cKnSlx2TAAQFxAMCOWmtdK1kWkLixQDLJgStNkDhe4Fy7keHbCNiJPy6ul7qeA9R76sDJIZPYptUzD3KsTpFtQvLkVpKsOak2PqXMLKSeliOg4J7xRiP9LoIl66pyud3LNegpKvU3BHrSuaDJANNpA6ZWfHxQdIo8QHpwsE6CzmjaxElMOUTxhSQZ9KpplXd8mOk cs6=M4gm4bKeOEDmrXCSRt4VWlwDI7REf99BtjDEUqcITnLEfP6k7m9YiuoBe5aoRNA351tRWS5U1fG4huiqnhKRDpgbaicoksujDlNELHFVpcdEfShkVf5jFAXOK0M06Z4nNHIWMoGukNM06pLxtfDwVeNXOFUSWfwzqeghqYXugO9H2V5qHC6jjwWiXDR2jdBLGchDsqisZbVIJPmTH5uJ7sayYPRE3DEoOfY7ZuX66rEJaaibWQJXIfWZYhIUZhLaZG7rrVBBeifAyfWqez9xsCBcNHj292B7YFEBuNoEJAcrUWsLSThf33MYvA1veIACUa7w1TcLsWeCBGoQ165fJa4m3LO0p5dEpMPkMlC7uiqItjpwofDchXSdqSVvF25AZ2XZ2h6pTodPF3Z7mwAbTlfLjyk00ncbziWuv2LYxNuvng81BNqp7mPhOzidIsT265SnZS69SQNzOzHciepWMMcJBu2aYyk4xyFUuClo6LQrn7ZzC5JPoQUhghpEajVE9vE4wRulW53qePJ9IDKjzXe1kWcnaMo3D0P3E4mZaohXZ1ApvJZxWFEnKP 149 | ``` 150 | 151 | #### Raise errors 152 | 153 | By default, the methods `set_field()` and `set_prefix()` return `False` if the name or the value or the CEF field is invalid. 154 | 155 | Set `CEFEvent.strict=True` to raise `ValueError` if any invalid field name / values are passed. 156 | 157 | ```python 158 | >>> from cefevent.event import CEFEvent 159 | >>> c = CEFEvent(strict=True) 160 | >>> c.set_field('sourceAddress', '192.168.67.500') 161 | ``` 162 | 163 | ``` 164 | Traceback (most recent call last): 165 | File "", line 1, in 166 | File "cefevent/cefevent/__init__.py", line 249, in set_field 167 | raise ValueError("Invalid value for field: {}\nThe following rules apply: {}".format(field, self.get_field_metadata(field))) 168 | ValueError: Invalid value for field: sourceAddress 169 | The following rules apply: {'full_name': 'sourceAddress', 'data_type': 'IPv4 Address', 'length': 0, 'description': 'Identifies the source that an event refers to in an IP network. The format is an IPv4 address. Example: "192.168.10.1"', 'name': 'src'} 170 | ``` 171 | 172 | ## Running Tests 173 | 174 | The project uses [pytest](https://pytest.org/). 175 | 176 | ```bash 177 | pytest -v 178 | ``` 179 | 180 | ``` 181 | ================================================================== test session starts ================================================================== 182 | platform darwin -- Python 3.9.12, pytest-7.1.2, pluggy-1.0.0 -- /opt/homebrew/opt/python@3.9/bin/python3.9 183 | cachedir: .pytest_cache 184 | rootdir: /Users/henrique.goncalves/Dropbox/Projects/Personal/Code/cefevent 185 | collected 9 items 186 | 187 | test_event.py::test_load PASSED [ 11%] 188 | test_event.py::test_source_address PASSED [ 22%] 189 | test_event.py::test_source_mac_address PASSED [ 33%] 190 | test_event.py::test_source_port PASSED [ 44%] 191 | test_event.py::test_message PASSED [ 55%] 192 | test_event.py::test_strict PASSED [ 66%] 193 | test_generator.py::test_random_addr PASSED [ 77%] 194 | test_generator.py::test_generate_random_events PASSED [ 88%] 195 | test_sender.py::test_sender PASSED [100%] 196 | 197 | =================================================================== 9 passed in 6.71s =================================================================== 198 | ``` 199 | -------------------------------------------------------------------------------- /cefevent/extensions.py: -------------------------------------------------------------------------------- 1 | extension_dictionary = { 2 | "act": { 3 | "full_name": "deviceAction", 4 | "data_type": ["String"], 5 | "length": 63, 6 | "description": "Action mentioned in the event.", 7 | }, 8 | "app": { 9 | "full_name": "applicationProtocol", 10 | "data_type": ["String"], 11 | "length": 31, 12 | "description": "Application level protocol, example values are: HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS, etc.", 13 | }, 14 | "c6a1": { 15 | "full_name": "deviceCustomIPv6Address1", 16 | "data_type": ["IPv6 Address"], 17 | "length": 0, 18 | "description": "One of four IPV6 address fields available to map fields that do not apply to any other in this dictionary.", 19 | }, 20 | "c6a1Label": { 21 | "full_name": "deviceCustomIPv6Address1Label", 22 | "data_type": ["String"], 23 | "length": 1023, 24 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 25 | }, 26 | "c6a2": { 27 | "full_name": "deviceCustomIPv6Address2", 28 | "data_type": ["IPv6 Address"], 29 | "length": 0, 30 | "description": "One of four IPV6 address fields available to map fields that do not apply to any other in this dictionary.", 31 | }, 32 | "c6a2Label": { 33 | "full_name": "deviceCustomIPv6Address2Label", 34 | "data_type": ["String"], 35 | "length": 1023, 36 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 37 | }, 38 | "c6a3": { 39 | "full_name": "deviceCustomIPv6Address3", 40 | "data_type": ["IPv6 Address"], 41 | "length": 0, 42 | "description": "One of four IPV6 address fields available to map fields that do not apply to any other in this dictionary.", 43 | }, 44 | "c6a3Label": { 45 | "full_name": "deviceCustomIPv6Address3Label", 46 | "data_type": ["String"], 47 | "length": 1023, 48 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 49 | }, 50 | "c6a4": { 51 | "full_name": "deviceCustomIPv6Address4", 52 | "data_type": ["IPv6 Address"], 53 | "length": 0, 54 | "description": "One of four IPV6 address fields available to map fields that do not apply to any other in this dictionary.", 55 | }, 56 | "c6a4Label": { 57 | "full_name": "deviceCustomIPv6Address4Label", 58 | "data_type": ["String"], 59 | "length": 1023, 60 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 61 | }, 62 | "cfp1": { 63 | "full_name": "deviceCustomFloatingPoint1", 64 | "data_type": ["Floating Point"], 65 | "length": 0, 66 | "description": "One of four floating point fields available to map fields that do not apply to any other in this dictionary.", 67 | }, 68 | "cfp1Label": { 69 | "full_name": "deviceCustomFloatingPoint1Label", 70 | "data_type": ["String"], 71 | "length": 1023, 72 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 73 | }, 74 | "cfp2": { 75 | "full_name": "deviceCustomFloatingPoint2", 76 | "data_type": ["Floating Point"], 77 | "length": 0, 78 | "description": "One of four floating point fields available to map fields that do not apply to any other in this dictionary.", 79 | }, 80 | "cfp2Label": { 81 | "full_name": "deviceCustomFloatingPoint2Label", 82 | "data_type": ["String"], 83 | "length": 1023, 84 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 85 | }, 86 | "cfp3": { 87 | "full_name": "deviceCustomFloatingPoint3", 88 | "data_type": ["Floating Point"], 89 | "length": 0, 90 | "description": "One of four floating point fields available to map fields that do not apply to any other in this dictionary.", 91 | }, 92 | "cfp3Label": { 93 | "full_name": "deviceCustomFloatingPoint3Label", 94 | "data_type": ["String"], 95 | "length": 1023, 96 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 97 | }, 98 | "cfp4": { 99 | "full_name": "deviceCustomFloatingPoint4", 100 | "data_type": ["Floating Point"], 101 | "length": 0, 102 | "description": "One of four floating point fields available to map fields that do not apply to any other in this dictionary.", 103 | }, 104 | "cfp4Label": { 105 | "full_name": "deviceCustomFloatingPoint4Label", 106 | "data_type": ["String"], 107 | "length": 1023, 108 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 109 | }, 110 | "cat": { 111 | "full_name": "deviceEventCategory", 112 | "data_type": ["String"], 113 | "length": 1023, 114 | "description": "Represents the category assigned by the originating device. Devices oftentimes use their own categorization schema to classify events.", 115 | }, 116 | "cn1": { 117 | "full_name": "deviceCustomNumber1", 118 | "data_type": ["Long"], 119 | "length": 0, 120 | "description": 'There are three number fields available which can be used to map fields which do not fit into any other field of this dictionary. If possible, "these fields should not be used, but a more specific field from the dictionary. Also check the guidelines hereafter for hints on how to utilize these fields.', 121 | }, 122 | "cn1Label": { 123 | "full_name": "deviceCustomNumber1Label", 124 | "data_type": ["String"], 125 | "length": 1023, 126 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 127 | }, 128 | "cn2": { 129 | "full_name": "deviceCustomNumber2", 130 | "data_type": ["Long"], 131 | "length": 0, 132 | "description": 'There are three number fields available which can be used to map fields which do not fit into any other field of this dictionary. If possible, "these fields should not be used, but a more specific field from the dictionary. Also check the guidelines hereafter for hints on how to utilize these fields.', 133 | }, 134 | "cn2Label": { 135 | "full_name": "deviceCustomNumber2Label", 136 | "data_type": ["String"], 137 | "length": 1023, 138 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 139 | }, 140 | "cn3": { 141 | "full_name": "deviceCustomNumber3", 142 | "data_type": ["Long"], 143 | "length": 0, 144 | "description": 'There are three number fields available which can be used to map fields which do not fit into any other field of this dictionary. If possible, "these fields should not be used, but a more specific field from the dictionary. Also check the guidelines hereafter for hints on how to utilize these fields.', 145 | }, 146 | "cn3Label": { 147 | "full_name": "deviceCustomNumber3Label", 148 | "data_type": ["String"], 149 | "length": 1023, 150 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 151 | }, 152 | "cnt": { 153 | "full_name": "baseEventCount", 154 | "data_type": ["Integer"], 155 | "length": 0, 156 | "description": "A count associated with this event. How many times was this same event observed?", 157 | }, 158 | "cs1": { 159 | "full_name": "deviceCustomString1", 160 | "data_type": ["String"], 161 | "length": 4000, 162 | "description": "There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. If possible, these fields should not be used, but a more specific field from the dictionary. Also check the guidelines later in this document for hints about utilizing these fields.", 163 | }, 164 | "cs1Label": { 165 | "full_name": "deviceCustomString1Label", 166 | "data_type": ["String"], 167 | "length": 1023, 168 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 169 | }, 170 | "cs2": { 171 | "full_name": "deviceCustomString2", 172 | "data_type": ["String"], 173 | "length": 4000, 174 | "description": "There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. If possible, these fields should not be used, but a more specific field from the dictionary. Also check the guidelines later in this document for hints about utilizing these fields.", 175 | }, 176 | "cs2Label": { 177 | "full_name": "deviceCustomString2Label", 178 | "data_type": ["String"], 179 | "length": 1023, 180 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 181 | }, 182 | "cs3": { 183 | "full_name": "deviceCustomString3", 184 | "data_type": ["String"], 185 | "length": 4000, 186 | "description": "There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. If possible, these fields should not be used, but a more specific field from the dictionary. Also check the guidelines later in this document for hints about utilizing these fields.", 187 | }, 188 | "cs3Label": { 189 | "full_name": "deviceCustomString3Label", 190 | "data_type": ["String"], 191 | "length": 1023, 192 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 193 | }, 194 | "cs4": { 195 | "full_name": "deviceCustomString4", 196 | "data_type": ["String"], 197 | "length": 4000, 198 | "description": "There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. If possible, these fields should not be used, but a more specific field from the dictionary. Also check the guidelines later in this document for hints about utilizing these fields.", 199 | }, 200 | "cs4Label": { 201 | "full_name": "deviceCustomString4Label", 202 | "data_type": ["String"], 203 | "length": 1023, 204 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 205 | }, 206 | "cs5": { 207 | "full_name": "deviceCustomString5", 208 | "data_type": ["String"], 209 | "length": 4000, 210 | "description": "There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. If possible, these fields should not be used, but a more specific field from the dictionary. Also check the guidelines later in this document for hints about utilizing these fields.", 211 | }, 212 | "cs5Label": { 213 | "full_name": "deviceCustomString5Label", 214 | "data_type": ["String"], 215 | "length": 1023, 216 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 217 | }, 218 | "cs6": { 219 | "full_name": "deviceCustomString6", 220 | "data_type": ["String"], 221 | "length": 4000, 222 | "description": "There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. If possible, these fields should not be used, but a more specific field from the dictionary. Also check the guidelines later in this document for hints about utilizing these fields.", 223 | }, 224 | "cs6Label": { 225 | "full_name": "deviceCustomString6Label", 226 | "data_type": ["String"], 227 | "length": 1023, 228 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 229 | }, 230 | "destinationDnsDomain": { 231 | "full_name": "destinationDnsDomain", 232 | "data_type": ["String"], 233 | "length": 255, 234 | "description": "The DNS domain part of the complete fully qualified domain name (FQDN).", 235 | }, 236 | "destinationServiceName": { 237 | "full_name": "destinationServiceName", 238 | "data_type": ["String"], 239 | "length": 1023, 240 | "description": "The service which is targeted by this event.", 241 | }, 242 | "destinationTranslatedAddress": { 243 | "full_name": "destinationTranslatedAddress", 244 | "data_type": ["IPv4 Address"], 245 | "length": 0, 246 | "description": 'Identifies the translated destination that the event refers to in an IP network. The format is an IPv4 address. Example: "192.168.10.1"', 247 | }, 248 | "destinationTranslatedPort": { 249 | "full_name": "destinationTranslatedPort", 250 | "data_type": ["Integer"], 251 | "length": 0, 252 | "description": "Port after it was translated", 253 | }, 254 | "deviceCustomDate1": { 255 | "full_name": "deviceCustomDate1", 256 | "data_type": ["TimeStamp"], 257 | "length": 0, 258 | "description": "There are two timestamp fields", 259 | }, 260 | "deviceCustomDate1Label": { 261 | "full_name": "deviceCustomDate1Label", 262 | "data_type": ["String"], 263 | "length": 1023, 264 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 265 | }, 266 | "deviceCustomDate2": { 267 | "full_name": "deviceCustomDate2", 268 | "data_type": ["TimeStamp"], 269 | "length": 0, 270 | "description": 'There are two timestamp fields available which can be used to map fields which do not fit into any other "field of this dictionary. If possible, these fields should not be used, but a more specific field from the dictionary. Also check the guidelines later in this document for hints about utilizing these fields.', 271 | }, 272 | "deviceCustomDate2Label": { 273 | "full_name": "deviceCustomDate2Label", 274 | "data_type": ["String"], 275 | "length": 1023, 276 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 277 | }, 278 | "deviceCustomDate3Label": { 279 | "full_name": "deviceCustomDate3Label", 280 | "data_type": ["String"], 281 | "length": 1023, 282 | "description": "All custom fields have a corresponding label field where the field itself can be described. Each of the fields is a string describing the purpose of this field.", 283 | }, 284 | "deviceDirection": { 285 | "full_name": "deviceDirection", 286 | "data_type": ["String"], 287 | "length": 0, 288 | "description": "Any information about what direction the communication that was observed has taken.", 289 | }, 290 | "deviceDnsDomain": { 291 | "full_name": "deviceDnsDomain", 292 | "data_type": ["String"], 293 | "length": 255, 294 | "description": "The DNS domain part of the complete fully qualified domain name (FQDN).", 295 | }, 296 | "deviceExternalId": { 297 | "full_name": "deviceExternalId", 298 | "data_type": ["String"], 299 | "length": 255, 300 | "description": "A name that uniquely identifies the device generating this event.", 301 | }, 302 | "deviceFacility": { 303 | "full_name": "deviceFacility", 304 | "data_type": ["String"], 305 | "length": 1023, 306 | "description": "The facility generating this event. Syslog for example has an explicit facility associated with every event.", 307 | }, 308 | "deviceInboundInterface": { 309 | "full_name": "deviceInboundInterface", 310 | "data_type": ["String"], 311 | "length": 128, 312 | "description": "Interface on which the packet or data entered the device.", 313 | }, 314 | "deviceMacAddress": { 315 | "full_name": "deviceMacAddress", 316 | "data_type": ["MAC Address"], 317 | "length": 0, 318 | "description": "Six colon-separated hexadecimal numbers. Example: 00:0D:60:AF:1B:61", 319 | }, 320 | "deviceNtDomain": { 321 | "full_name": "deviceNtDomain", 322 | "data_type": ["String"], 323 | "length": 255, 324 | "description": "The Windows domain name of the device address.", 325 | }, 326 | "deviceOutboundInterface": { 327 | "full_name": "deviceOutboundInterface", 328 | "data_type": ["String"], 329 | "length": 128, 330 | "description": "Interface on which the packet or data left the device.", 331 | }, 332 | "deviceProcessName": { 333 | "full_name": "deviceProcessName", 334 | "data_type": ["String"], 335 | "length": 1023, 336 | "description": "Process name associated to the event. In UNIX, the process generating the syslog entry for example.", 337 | }, 338 | "deviceTranslatedAddress": { 339 | "full_name": "deviceTranslatedAddress", 340 | "data_type": ["IPv4 Address"], 341 | "length": 0, 342 | "description": 'Identifies the translated device address that the event refers to in an IP network. The format is an IPv4 address. Example: "192.168.10.1"', 343 | }, 344 | "dhost": { 345 | "full_name": "destinationHostName", 346 | "data_type": ["String"], 347 | "length": 1023, 348 | "description": 'Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name associated with the destination node, when a node is available. Examples: "host.domain.com" or "host".', 349 | }, 350 | "dmac": { 351 | "full_name": "destinationMac", 352 | "data_type": ["MAC Address"], 353 | "length": 0, 354 | "description": 'Six colon-separated hexadecimal numbers. Example: "00:0D:60:AF:1B:61"', 355 | }, 356 | "dntdom": { 357 | "full_name": "destinationNtDomain", 358 | "data_type": ["String"], 359 | "length": 255, 360 | "description": "The Windows domain name of the destination address.", 361 | }, 362 | "dpid": { 363 | "full_name": "destinationProcessId", 364 | "data_type": ["Integer"], 365 | "length": 0, 366 | "description": 'Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, "105" is the process ID.', 367 | }, 368 | "dpriv": { 369 | "full_name": "destinationUserPrivileges", 370 | "data_type": ["String"], 371 | "length": 1023, 372 | "description": 'The allowed values are: "Administrator", "User", and "Guest". This identifies the destination user\'s privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUserPrivileges of "Administrator". This is an idealized and simplified view on privileges and can be extended in the future.', 373 | }, 374 | "dproc": { 375 | "full_name": "destinationProcessName", 376 | "data_type": ["String"], 377 | "length": 1023, 378 | "description": 'The name of the process which is the event\'s destination. For example: "telnetd", or "sshd".', 379 | }, 380 | "dpt": { 381 | "full_name": "destinationPort", 382 | "data_type": ["Integer"], 383 | "length": 0, 384 | "description": "The valid port numbers are between 0 and 65535.", 385 | }, 386 | "dst": { 387 | "full_name": "destinationAddress", 388 | "data_type": ["IPv4 Address"], 389 | "length": 0, 390 | "description": 'Identifies destination that the event refers to in an IP network. The format is an IPv4 address. Example: "192.168.10.1"', 391 | }, 392 | "dtz": { 393 | "full_name": "deviceTimeZone", 394 | "data_type": ["String"], 395 | "length": 255, 396 | "description": 'The timezone for the device generating the event.', 397 | }, 398 | "duid": { 399 | "full_name": "destinationUserId", 400 | "data_type": ["String"], 401 | "length": 1023, 402 | "description": "Identifies the destination user by ID. For example, in UNIX, the root user is generally associated with user ID 0.", 403 | }, 404 | "duser": { 405 | "full_name": "destinationUserName", 406 | "data_type": ["String"], 407 | "length": 1023, 408 | "description": "Identifies the destination user by name. This is the user associated with the event's destination. E-mail addresses are also mapped into the UserName fields. The recipient is a candidate to put into destinationUserName.", 409 | }, 410 | "dvc": { 411 | "full_name": "deviceAddress", 412 | "data_type": ["IPv4 Address"], 413 | "length": 16, 414 | "description": 'Identifies the device that an event refers to in an IP network. The format is an IPv4 address. Example: "192.168.10.1"', 415 | }, 416 | "dvchost": { 417 | "full_name": "deviceHostName", 418 | "data_type": ["String"], 419 | "length": 100, 420 | "description": 'The format should be a fully qualified domain name associated with the device node, when a node is available. Examples: "host.domain.com" or "host".', 421 | }, 422 | "dvcpid": { 423 | "full_name": "deviceProcessId", 424 | "data_type": ["Integer"], 425 | "length": 0, 426 | "description": "Provides the ID of the process on the device generating the event.", 427 | }, 428 | "end": { 429 | "full_name": "endTime", 430 | "data_type": ["TimeStamp"], 431 | "length": 0, 432 | "description": "The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). An example would be reporting the end of a session.", 433 | }, 434 | "externalId": { 435 | "full_name": "externalId", 436 | "data_type": ["String"], 437 | "length": 40, 438 | "description": "An ID used by the originating device.", 439 | }, 440 | "fileCreateTime": { 441 | "full_name": "fileCreateTime", 442 | "data_type": ["TimeStamp"], 443 | "length": 0, 444 | "description": "Time when file was created.", 445 | }, 446 | "fileHash": { 447 | "full_name": "fileHash", 448 | "data_type": ["String"], 449 | "length": 255, 450 | "description": "Hash of a file.", 451 | }, 452 | "fileId": { 453 | "full_name": "fileId", 454 | "data_type": ["String"], 455 | "length": 1023, 456 | "description": "An ID associated with a file could be the inode.", 457 | }, 458 | "fileModificationTime": { 459 | "full_name": "fileModificationTime", 460 | "data_type": ["TimeStamp"], 461 | "length": 0, 462 | "description": "Time when file was last modified.", 463 | }, 464 | "filePath": { 465 | "full_name": "filePath", 466 | "data_type": ["String"], 467 | "length": 1023, 468 | "description": "Full path to the file, including file name itself.", 469 | }, 470 | "filePermission": { 471 | "full_name": "filePermission", 472 | "data_type": ["String"], 473 | "length": 1023, 474 | "description": "Permissions of the file.", 475 | }, 476 | "fileType": { 477 | "full_name": "fileType", 478 | "data_type": ["String"], 479 | "length": 1023, 480 | "description": "Type of file (pipe, socket, etc.)", 481 | }, 482 | "flexDate1": { 483 | "full_name": "flexDate1", 484 | "data_type": ["TimeStamp"], 485 | "length": 0, 486 | "description": "A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.", 487 | }, 488 | "flexDate1Label": { 489 | "full_name": "flexDate1Label", 490 | "data_type": ["String"], 491 | "length": 128, 492 | "description": "The label field is a string and describes the purpose of the flex field.", 493 | }, 494 | "flexString1": { 495 | "full_name": "flexString1", 496 | "data_type": ["String"], 497 | "length": 1023, 498 | "description": "One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.", 499 | }, 500 | "flexString1Label": { 501 | "full_name": "flexString1Label", 502 | "data_type": ["String"], 503 | "length": 128, 504 | "description": "The label field is a string and describes the purpose of the flex field.", 505 | }, 506 | "flexString2": { 507 | "full_name": "flexString2", 508 | "data_type": ["String"], 509 | "length": 1023, 510 | "description": "One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.", 511 | }, 512 | "flexString2Label": { 513 | "full_name": "flexString2Label", 514 | "data_type": ["String"], 515 | "length": 128, 516 | "description": "The label field is a string and describes the purpose of the flex field.", 517 | }, 518 | "fname": { 519 | "full_name": "fileName", 520 | "data_type": ["String"], 521 | "length": 1023, 522 | "description": "Name of the file.", 523 | }, 524 | "fsize": { 525 | "full_name": "fileSize", 526 | "data_type": ["Integer"], 527 | "length": 0, 528 | "description": "Size of the file.", 529 | }, 530 | "in": { 531 | "full_name": "bytesIn", 532 | "data_type": ["Integer", "Long"], 533 | "length": 0, 534 | "description": "Number of bytes transferred inbound. Inbound relative to the source to destination relationship, meaning that data was flowing from source to destination.", 535 | }, 536 | "msg": { 537 | "full_name": "message", 538 | "data_type": ["String"], 539 | "length": 1023, 540 | "description": "An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new-line separator.", 541 | }, 542 | "oldFileCreateTime": { 543 | "full_name": "oldFileCreateTime", 544 | "data_type": ["TimeStamp"], 545 | "length": 0, 546 | "description": "Time when old file was created.", 547 | }, 548 | "oldFileHash": { 549 | "full_name": "oldFileHash", 550 | "data_type": ["String"], 551 | "length": 255, 552 | "description": "Hash of the old file.", 553 | }, 554 | "oldFileId": { 555 | "full_name": "oldFileId", 556 | "data_type": ["String"], 557 | "length": 1023, 558 | "description": "An ID associated with the old file could be the inode.", 559 | }, 560 | "oldFileModificationTime": { 561 | "full_name": "oldFileModificationTime", 562 | "data_type": ["TimeStamp"], 563 | "length": 0, 564 | "description": "Time when old file was last modified.", 565 | }, 566 | "oldFileName": { 567 | "full_name": "oldFileName", 568 | "data_type": ["String"], 569 | "length": 1023, 570 | "description": "Name of the old file.", 571 | }, 572 | "oldFilePath": { 573 | "full_name": "oldFilePath", 574 | "data_type": ["String"], 575 | "length": 1023, 576 | "description": "Full path to the old file, including file name itself.", 577 | }, 578 | "oldFilePermission": { 579 | "full_name": "oldFilePermission", 580 | "data_type": ["String"], 581 | "length": 1023, 582 | "description": "Permissions of the old file.", 583 | }, 584 | "oldFileSize": { 585 | "full_name": "oldFileSize", 586 | "data_type": ["Integer"], 587 | "length": 0, 588 | "description": "Size of the old file.", 589 | }, 590 | "oldFileType": { 591 | "full_name": "oldFileType", 592 | "data_type": ["String"], 593 | "length": 1023, 594 | "description": "Type of the old file (pipe, socket, etc.)", 595 | }, 596 | "out": { 597 | "full_name": "bytesOut", 598 | "data_type": ["Integer", "Long"], 599 | "length": 0, 600 | "description": "Number of bytes transferred outbound. Outbound relative to the source to destination relationship, meaning that data was flowing from destination to source.", 601 | }, 602 | "proto": { 603 | "full_name": "transportProtocol", 604 | "data_type": ["String"], 605 | "length": 31, 606 | "description": "Identifies the Layer-4 protocol used. The possible values are protocol names such as TCP or UDP.", 607 | }, 608 | "reason": { 609 | "full_name": "reason", 610 | "data_type": ["String"], 611 | "length": 1023, 612 | "description": 'The reason an audit event was generated. For example "Bad password" or "Unknown User". This could also be an error or return code. Example: "0x1234"', 613 | }, 614 | "requestClientApplication": { 615 | "full_name": "requestClientApplication", 616 | "data_type": ["String"], 617 | "length": 1023, 618 | "description": "The User-Agent associated with the request.", 619 | }, 620 | "requestCookies": { 621 | "full_name": "requestCookies", 622 | "data_type": ["String"], 623 | "length": 1023, 624 | "description": "Cookies associated with the request.", 625 | }, 626 | "requestMethod": { 627 | "full_name": "requestMethod", 628 | "data_type": ["String"], 629 | "length": 1023, 630 | "description": 'The method used to access a URL. Possible values: "POST", "GET", ...', 631 | }, 632 | "request": { 633 | "full_name": "requestURL", 634 | "data_type": ["String"], 635 | "length": 1023, 636 | "description": 'In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well, e.g., "http://www.security.com"', 637 | }, 638 | "rt": { 639 | "full_name": "receiptTime", 640 | "data_type": ["TimeStamp"], 641 | "length": 0, 642 | "description": "The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970).", 643 | }, 644 | "shost": { 645 | "full_name": "sourceHostName", 646 | "data_type": ["String"], 647 | "length": 1023, 648 | "description": 'Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name associated with the source node, when a node is available. Examples: "host.domain.com" or "host".', 649 | }, 650 | "smac": { 651 | "full_name": "sourceMacAddress", 652 | "data_type": ["MAC Address"], 653 | "length": 0, 654 | "description": 'Six colon-separated hexadecimal numbers. Example: "00:0D:60:AF:1B:61"', 655 | }, 656 | "sntdom": { 657 | "full_name": "sourceNtDomain", 658 | "data_type": ["String"], 659 | "length": 255, 660 | "description": "The Windows domain name for the source address.", 661 | }, 662 | "sourceDnsDomain": { 663 | "full_name": "sourceDnsDomain", 664 | "data_type": ["String"], 665 | "length": 255, 666 | "description": "The DNS domain part of the complete fully qualified domain name (FQDN).", 667 | }, 668 | "sourceServiceName": { 669 | "full_name": "sourceServiceName", 670 | "data_type": ["String"], 671 | "length": 1023, 672 | "description": "The service which is responsible for generating this event.", 673 | }, 674 | "sourceTranslatedAddress": { 675 | "full_name": "sourceTranslatedAddress", 676 | "data_type": ["IPv4 Address"], 677 | "length": 0, 678 | "description": 'Identifies the translated source that the event refers to in an IP network. The format is an IPv4 address. Example: "192.168.10.1"', 679 | }, 680 | "sourceTranslatedPort": { 681 | "full_name": "sourceTranslatedPort", 682 | "data_type": ["Integer"], 683 | "length": 0, 684 | "description": "Port after it was translated by for example a firewall. Valid port numbers are 0 to 65535.", 685 | }, 686 | "spid": { 687 | "full_name": "sourceProcessId", 688 | "data_type": ["Integer"], 689 | "length": 0, 690 | "description": "The ID of the source process associated with the event.", 691 | }, 692 | "spriv": { 693 | "full_name": "sourceUserPrivileges", 694 | "data_type": ["String"], 695 | "length": 1023, 696 | "description": 'The allowed values are: "Administrator", "User", and "Guest". It identifies the source user\'s privileges. In UNIX, for example, activity executed by the root user would be identified with sourceUserPrivileges of "Administrator". This is an idealized and simplified view on privileges and can be extended in the future.', 697 | }, 698 | "spt": { 699 | "full_name": "sourcePort", 700 | "data_type": ["Integer"], 701 | "length": 0, 702 | "description": "The valid port numbers are 0 to 65535.", 703 | }, 704 | "src": { 705 | "full_name": "sourceAddress", 706 | "data_type": ["IPv4 Address"], 707 | "length": 0, 708 | "description": 'Identifies the source that an event refers to in an IP network. The format is an IPv4 address. Example: "192.168.10.1"', 709 | }, 710 | "start": { 711 | "full_name": "startTime", 712 | "data_type": ["TimeStamp"], 713 | "length": 0, 714 | "description": "The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970).", 715 | }, 716 | "suid": { 717 | "full_name": "sourceUserId", 718 | "data_type": ["String"], 719 | "length": 1023, 720 | "description": 'Identifies the source user by ID. This is the user associated with the source of the event. For example, in "UNIX, the root user is generally associated with user ID 0.', 721 | }, 722 | "suser": { 723 | "full_name": "sourceUserName", 724 | "data_type": ["String"], 725 | "length": 1023, 726 | "description": "Identifies the source user by name. E-mail addresses are also mapped into the UserName fields. The sender is a candidate to put into sourceUserName.", 727 | }, 728 | } 729 | --------------------------------------------------------------------------------