Idea ID 2810474
The CEF standard was developed ages ago. Nowadays there are so many cloud-based log sources which require additional fields. Most of the time we use custom/flex strings, but the number of those is limited, and it becomes a mess to maintain all of these across the board. It is time to consider issuing a new CEF version.
When we consume AWS, GCP, or Azure logs, we have entities such as:
- account ID / tenant ID (I mean the AWS account ID, Google Cloud org ID, or another unique identifier)
- availability zone
- storage bucket (S3, storage, blob)
- container name/id
- instance name (which may not be the same as deviceHostName or destinationHostName)
- instance id
- user type (root / IAM)
None of these has been properly represented in the schema since the cloud era began. Therefore, random fields like fileId (for the access key ID) or filePath (for the full user path) are used to store some of the IDs, role names, and so on.
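As an added illustration of the workaround described in this idea (example code written for this page, not part of the original post or of any ArcSight component): a Python round-trip that packs the cloud entities listed above into the cs1..cs6 custom strings with their labels, parses them back out, and shows that the seventh entity (user type) no longer fits. The vendor and product names, the signature ID and every sample value are constructed for the example.

```python
import re

# CEF leaves exactly six free-form string slots (cs1..cs6, each with a csNLabel)
# for anything the standard schema lacks; this example uses only those slots.
CUSTOM_STRING_SLOTS = 6


def _esc_header(value: str) -> str:
    """Escape a CEF header field: backslash and the pipe delimiter."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    """Escape a CEF extension value: backslash, '=', and line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def cloud_fields_fit(cloud: dict) -> bool:
    """True when every cloud attribute can be carried in cs1..cs6."""
    return len(cloud) <= CUSTOM_STRING_SLOTS


def build_cef(vendor, product, version, sig_id, name, severity, ext, cloud):
    """Serialise one CEF:0 event; `cloud` (label -> value) is squeezed into cs1..cs6."""
    if not cloud_fields_fit(cloud):
        raise ValueError(f"{len(cloud)} cloud attributes, but CEF has only "
                         f"{CUSTOM_STRING_SLOTS} custom string slots")
    header = "|".join(["CEF:0", *(_esc_header(str(v))
                                  for v in (vendor, product, version, sig_id, name, severity))])
    pairs = dict(ext)
    for slot, (label, value) in enumerate(cloud.items(), start=1):
        pairs[f"cs{slot}Label"] = label  # the label is the only place the meaning survives
        pairs[f"cs{slot}"] = value
    return header + "|" + " ".join(f"{k}={_esc_ext(str(v))}" for k, v in pairs.items())


# An extension key starts at the beginning of the extension or right after a space;
# '=' inside values is escaped as '\=', so it never matches here.
_KEY = re.compile(r"(?:^|(?<= ))([A-Za-z][A-Za-z0-9_]*)=")
_UNESCAPE = re.compile(r"\\(.)")


def _unescape(value: str) -> str:
    return _UNESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> dict:
    """Parse a CEF line; csN/csNLabel pairs are resolved back into named cloud fields."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:  # seven header fields, then the extension
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    extension = line[i:]
    keys = list(_KEY.finditer(extension))
    ext = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(extension)
        ext[m.group(1)] = _unescape(extension[m.end():end].rstrip(" "))
    cloud = {}
    for slot in range(1, CUSTOM_STRING_SLOTS + 1):
        label, value = ext.pop(f"cs{slot}Label", None), ext.pop(f"cs{slot}", None)
        if label is not None and value is not None:
            cloud[label] = value
    return {"version": fields[0][4:], "vendor": fields[1], "product": fields[2],
            "product_version": fields[3], "signature_id": fields[4], "name": fields[5],
            "severity": fields[6], "ext": ext, "cloud": cloud}


# Constructed sample values (not real accounts or instances): the six entities from
# the list above that have no dedicated CEF field. They use up every cs slot.
CLOUD_FIELDS = {
    "accountId": "123456789012",
    "availabilityZone": "eu-west-1a",
    "storageBucket": "finance-exports",
    "containerId": "3f9c1e2a7b4d",
    "instanceName": "billing-worker-02",
    "instanceId": "i-0abc123def456789",
}


def demo() -> dict:
    """Round-trip one constructed event through the custom-string workaround."""
    line = build_cef("Acme", "CloudForwarder", "1.0", "S3:GetObject", "Object read|denied", 3,
                     {"suser": "alice", "act": "GetObject", "msg": "key=exports/q1.csv"},
                     CLOUD_FIELDS)
    return parse_cef(line)


if __name__ == "__main__":
    print(demo()["cloud"])
    # The seventh entity from the list (user type) has nowhere left to go:
    print(cloud_fields_fit({**CLOUD_FIELDS, "userType": "iam"}))
```

The round-trip only works because both sides agree on the label text; a second connector that picks "awsAccount" instead of "accountId" for cs1 breaks every correlation rule, which is the maintenance mess the idea describes.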