Help Center
CEF Key Names for Event Producers
| CEF Specification Version | CEF Field Name | CEF Key Name / Abbreviation | Data Type | Length / Size | Description |
|---|---|---|---|---|---|
| 0.1 | deviceAction | act | String | 63 | Action taken by the device. |
| 0.1 | applicationProtocol | app | String | 31 | Application level protocol, example: HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. |
| 0.1 | deviceCustomIPv6Address1 | c6a1 | IpAddress | One of the four IPv6 address fields available to map fields that do not apply to any other in this dictionary.TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions. | |
| 0.1 | deviceCustomIPv6Address1Label | c6a1Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | deviceCustomIPv6Address3 | c6a3 | IpAddress | One of the four IPv6 address fields available to map fields that do not apply to any other in this dictionary.TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions. | |
| 0.1 | deviceCustomIPv6AddressLabel | c6a3Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | deviceCustomIPv6Address4 | c6a4 | IPv6 Address | One of the four IPv6 address fields available to map fields that do not apply to any other in this dictionary.TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions. | |
| 0.1 | deviceCustomIPv6Address4Label | c6a4Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | deviceEventCategory | cat | String | 1023 | Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example: “/Monitor/Disk/Read” |
| 0.1 | deviceCustomFloatingPoint1 | cfp1 | Double | One of our floating point fields available to map fields that do not apply to any other in this dictionary. | |
| 0.1 | deviceCustoFloatingPoint1Label | cfp1Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | deviceCustomFloatingPoint2 | cfp2 | Double | One of the four floating point fields available to map fields that do not apply to any other in this dictionary. | |
| 0.1 | deviceCustomFloatingPoint2Label | cfp2Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | deviceCustomFloatingPoint3 | cfp3 | Double | One of the four floating point fields available to map fields that do not apply to any other in this dictionary. | |
| 0.1 | deviceCustomFloatingPoint3Label | cfp3Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | deviceCustomFloatingPoint4 | cfp4 | Double | One of the four floating point fields available to map fields that do not apply to any other in this dictionary. | |
| 0.1 | deviceCustomFloatingPoint4Label | cfp4Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | deviceCustomNumber1 | cn1 | Long | One of the three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | |
| 0.1 | deviceCustomNumber1Label | cn1Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | deviceCustomNumber2 | cn2 | Long | One of the three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | |
| 0.1 | deviceCustomNumber2Label | cn2Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | deviceCustomNumber3 | cn3 | Long | One of the three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | |
| 0.1 | deviceCustomNumber3Label | cn3Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | baseEventCount | cnt | Integer | A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. | |
| 0.1 | deviceCustomString1 | cs1 | String | 4000 | One of the six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions. |
| 0.1 | deviceCustomString1Label | cs1Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | deviceCustomString2 | cs2 | String | 4000 | One of the six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions. |
| 0.1 | deviceCustomString2Label | cs2Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | deviceCustomString3 | cs3 | String | 4000 | One of the six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions. |
| 0.1 | deviceCustomString3Label | cs3Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | deviceCustomString4 | cs4 | String | 4000 | One of the six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions. |
| 0.1 | deviceCustomString4Label | cs4Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | deviceCustomString5 | cs5 | String | 4000 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions. |
| 0.1 | deviceCustomString5Label | cs5Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | deviceCustomString6 | cs6 | String | 4000 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions. |
| 0.1 | deviceCustomString6Label | cs6Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | destinationDnsDomain | destinationDnsDomain | String | 255 | The DNS domain part of the complete fully qualified domain name (FQDN). |
| 0.1 | destinationServiceName | destinationServiceName | String | 1023 | The service targeted by this event. Example: “sshd” |
| 0.1 | destinationTranslatedAddress | destinationTranslatedAddress | IpAddress | Identifies the translated destination that the event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1” | |
| 0.1 | destinationTranslatedPort | destinationTranslatedPort | Integer | Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. | |
| 0.1 | deviceCustomDate1 | deviceCustomDate1 | DateTime | One of two timestamp fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions. | |
| 0.1 | deviceCustomDate1Label | deviceCustomDate1Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | deviceCustomDate2 | deviceCustomDate2 | DateTime | One of the two timestamp fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.TIP: For tips on using these fields, see the guidelines defined under User-Defined Extensions. | |
| 0.1 | deviceCustomDate2Label | deviceCustomDate2Label | String | 1023 | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| 0.1 | deviceDirection | deviceDirection | DeviceDirectionEnumeration | Any information about what direction the observed communication has taken. The following values are supported: “0” for inbound or “1” for outbound | |
| 0.1 | deviceDnsDomain | deviceDnsDomain | String | 255 | The DNS domain part of the complete fully qualified domain name (FQDN). |
| 0.1 | deviceExternalId | deviceExternalId | String | 255 | A name that uniquely identifies the device generating this event. |
| 0.1 | deviceFacility | deviceFacility | String | 1023 | The facility generating this event. For example, Syslog has an explicit facility associated with every event. |
| 0.1 | deviceInboundInterface | deviceInboundInterface | String | 128 | Interface on which the packet or data entered the device. |
| 0.1 | deviceNtDomain | deviceNtDomain | String | 255 | The Windows domain name of the device address. |
| 0.1 | deviceOutboundInterface | deviceOutboundInterface | String | 128 | Interface on which the packet or data left the device. |
| 0.1 | devicePayloadId | DevicePayloadId | String | 128 | Unique identifier for the payload associated with the event. |
| 0.1 | deviceProcessName | deviceProcessName | String | 1023 | Process name associated with the event. An example might be the process generating the syslog entry in UNIX. |
| 0.1 | deviceTranslatedAddress | deviceTranslatedAddress | IpAddress | Identifies the translated device address that the event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1” | |
| 0.1 | destinationHostName | dhost | String | 1023 | Identifies the destination that an event refers to in an IP network. The format must be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. Examples: “host.domain.com” or “host”. |
| 0.1 | destinationNtDomain | dntdom | String | 255 | The Windows domain name of the destination address. |
| 0.1 | destinationProcessId | dpid | Integer | Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, “105” is the process ID. | |
| 0.1 | destinationUserPrivileges | dpriv | String | 1023 | The typical values are “Administrator”, “User”, and “Guest”. This identifies the destination user’s privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of “Administrator”. |
| 0.1 | destinationProcessName | dproc | String | 1023 | The name of the event’s destination process. Example: “telnetd” or “sshd”. |
| 0.1 | destinationPort | dpt | Integer | The valid port numbers are between 0 and 65535. | |
| 0.1 | destinationAddress | dst | IpAddress | Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1” | |
| 0.1 | deviceTimeZone | dtz | String | 255 | The timezone for the device generating the event. |
| 0.1 | destinationUserId | duid | String | 1023 | Identifies the destination user by ID. For example, in UNIX, the root user is generally associated with user ID 0. |
| 0.1 | destinationUserName | duser | String | 1023 | Identifies the destination user by name. This is the user associated with the event’s destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. |
| 0.1 | deviceAddress | dvc | IpAddress | Identifies the device address that an event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1”. | |
| 0.1 | deviceHostName | dvchost | String | 63 | The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. Example: “host.domain.com” or “host”. |
| 0.1 | destinationMacAddress | dmac | MacAddress | Six colon-separated hexadecimal numbers. Example: “00:0D:60:AF:1B:61” | |
| 0.1 | deviceProcessId | dvcpid | Integer | Provides the ID of the process on the device generating the event. | |
| 0.1 | endTime | end | DateTime | The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st1970). An example would be reporting the end of a session. | |
| 0.1 | externalId | externalId | String | 40 | The ID used by an originating device. They are usually increasing numbers, associated with events. |
| 0.1 | fileCreateTime | fileCreateTime | DateTime | Time when the file was created. | |
| 0.1 | fileHash | fileHash | String | 255 | Hash of a file. |
| 0.1 | fileId | fileId | String | 1023 | An ID associated with a file could be the inode. |
| 0.1 | fileModificationTime | fileModificationTime | DateTime | Time when the file was last modified. | |
| 0.1 | filePath | filePath | String | 1023 | Full path to the file, including file name itself. Example: C:\Program Files \WindowsNT\Accessories\ wordpad.exe or /usr/bin/zip |
| 0.1 | filePermission | filePermission | String | 1023 | Permissions of the file. |
| 0.1 | fileType | fileType | String | 1023 | Type of file (pipe, socket, etc.) |
| 0.1 | flexDate1 | flexDate1 | DateTime | A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. | |
| 0.1 | flexDate1Label | flexDate1Label | String | 128 | The label field is a string and describes the purpose of the flex field. |
| 0.1 | flexString1 | flexString1 | String | 1023 | One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. |
| 0.1 | flexString1Label | flexString1Label | String | 128 | The label field is a string and describes the purpose of the flex field. |
| 0.1 | flexString2 | flexString2 | String | 1023 | One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. |
| 0.1 | flexString2Label | flexString2Label | String | 128 | The label field is a string and describes the purpose of the flex field. |
| 0.1 | fileName | fname | String | 1023 | Name of the file only (without its path). |
| 0.1 | fileSize | fsize | Long | Size of the file. | |
| 0.1 | bytesIn | in | Integer | Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. | |
| 0.1 | message | msg | String | 1023 | An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. |
| 0.1 | oldFileCreateTime | oldFileCreateTime | DateTime | Time when old file was created. | |
| 0.1 | oldFileHash | oldFileHash | String | 255 | Hash of the old file. |
| 0.1 | oldFileId | oldFileId | String | 1023 | An ID associated with the old file could be the inode. |
| 0.1 | oldFileModificationTime | oldFileModificationTime | DateTime | Time when old file was last modified. | |
| 0.1 | oldFileName | oldFileName | String | 1023 | Name of the old file. |
| 0.1 | oldFilePath | oldFilePath | String | 1023 | Full path to the old file, including the file name itself. Examples: c:\Program Files\ WindowsNT\Accessories \wordpad.exe or /usr/bin/zip |
| 0.1 | oldFilePermission | oldFilePermission | String | 1023 | Permissions of the old file. |
| 0.1 | oldFileSize | oldFileSize | Long | Size of the old file. | |
| 0.1 | oldFileType | oldFileType | String | 1023 | Type of the old file (pipe, socket, etc.) |
| 0.1 | bytesOut | out | Integer | Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. | |
| 0.1 | eventOutcome | outcome | String | 63 | Displays the outcome, usually as ‘success’ or ‘failure’. |
| 0.1 | transportProtocol | proto | String | 31 | Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. |
| 0.1 | reason | reason | String | 1023 | The reason an audit event was generated. For example “badd password” or “unknown user”. This could also be an error or return code. Example: “0x1234” |
| 0.1 | requestUrl | request | String | 1023 | In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. Example: “http://www/secure.com” |
| 0.1 | requestClientApplication | requestClientApplication | String | 1023 | The User-Agent associated with the request. |
| 0.1 | requestContext | requestContext | String | 2048 | Description of the content from which the request originated (for example, HTTP Referrer) |
| 0.1 | requestCookies | requestCookies | String | 1023 | Cookies associated with the request. |
| 0.1 | requestMethod | requestMethod | String | 1023 | The method used to access a URL. Possible values: “POST”, “GET”, etc. |
| 0.1 | deviceReceiptTime | rt | DateTime | The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) | |
| 0.1 | sourceHostName | shost | String | 1023 | Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. Examples: “host” or “host.domain.com”. |
| 0.1 | sourceMacAddress | smac | MacAddress | Six colon-separated hexadecimal numbers. Example: “00:0D:60:AF:1B:61” | |
| 0.1 | sourceNtDomain | sntdom | String | 255 | The Windows domain name for the source address. |
| 0.1 | sourceDnsDomain | sourceDnsDomain | String | 255 | The DNS domain part of the complete fully qualified domain name (FQDN). |
| 0.1 | sourceServiceName | sourceServiceName | String | 1023 | The service that is responsible for generating this event. |
| 0.1 | sourceTranslatedAddress | sourceTranslated Address | IpAddress | Identifies the translated source that the event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1”. | |
| 0.1 | sourceTranslatedPort | sourceTranslatedPort | Integer | A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. | |
| 0.1 | sourceProcessId | spid | Integer | The ID of the source process associated with the event. | |
| 0.1 | sourceUserPrivileges | spriv | String | 1023 | The typical values are “Administrator”, “User”, and “Guest”. It identifies the source user’s privileges. In UNIX, for example, activity executed by the root user would be identified with “Administrator”. |
| 0.1 | sourceProcessName | sproc | String | 1023 | The name of the event’s source process. |
| 0.1 | sourcePort | spt | Integer | The valid port numbers are 0 to 65535. | |
| 0.1 | sourceAddress | src | IpAddress | Identifies the source that an event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1”. | |
| 0.1 | startTime | start | DateTime | The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) | |
| 0.1 | sourceUserId | suid | String | 1023 | Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. |
| 0.1 | sourceUserName | suser | String | 1023 | Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. |
| 0.1 | type | type | TypeEnumeration | 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). |
Swedish 
English