ArcSight CEF CustomFieldMap

Idea ID 2785352


0 Votes
Need to include CEF Custom String and Number Labels out of the box. Labels are different for each product.

Sentinel Event Field,Input Record Field
CEFCustomNumber1,cef.extensions.cn1
CEFCustomNumber2,cef.extensions.cn2
CEFCustomNumber3,cef.extensions.cn3
CEFCustomString1,cef.extensions.cs1
CEFCustomString2,cef.extensions.cs2
CEFCustomString3,cef.extensions.cs3
CEFCustomString4,cef.extensions.cs4
CEFCustomString5,cef.extensions.cs5
CEFCustomString6,cef.extensions.cs6
CustomerVar001,cef.extensions.cs1Label
CustomerVar002,cef.extensions.cs2Label
CustomerVar003,cef.extensions.cs3Label
CustomerVar004,cef.extensions.cs4Label
CustomerVar005,cef.extensions.cs5Label
CustomerVar006,cef.extensions.cs6Label
CustomerVar011,cef.extensions.cn1Label
CustomerVar012,cef.extensions.cn2Label
CustomerVar013,cef.extensions.cn3Label
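
Why the labels matter, shown as an added example that is not part of the original post and is not Sentinel or ArcSight code: the Python below parses two constructed CEF records from hypothetical products, applies the mapping rows listed above, and pairs each csN/cnN value with its label. The names `parse_extensions` and `to_sentinel_fields`, the vendors and the sample records are assumptions made for illustration.

```python
import re

# Mapping rows from the post: Sentinel event field -> input record field.
FIELD_MAP = {}
for n in range(1, 7):
    FIELD_MAP[f"CEFCustomString{n}"] = f"cef.extensions.cs{n}"
    FIELD_MAP[f"CustomerVar00{n}"] = f"cef.extensions.cs{n}Label"
for n in range(1, 4):
    FIELD_MAP[f"CEFCustomNumber{n}"] = f"cef.extensions.cn{n}"
    FIELD_MAP[f"CustomerVar01{n}"] = f"cef.extensions.cn{n}Label"

# key=value pairs; a value runs until the next " key=" or the end of the line.
_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)")

def parse_extensions(cef_line):
    """Return the extension key/value pairs of one CEF record."""
    # Seven unescaped pipes separate the header fields from the extension.
    parts = re.split(r"(?<!\\)\|", cef_line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Undo the CEF escaping of "=" and "\" inside values.
    return {k: re.sub(r"\\([=\\])", r"\1", v) for k, v in _PAIR.findall(parts[7])}

def to_sentinel_fields(cef_line):
    """Apply FIELD_MAP and pair each custom value with its label."""
    ext = parse_extensions(cef_line)
    event = {}
    for field, source in FIELD_MAP.items():
        key = source.rsplit(".", 1)[1]   # "cef.extensions.cs1" -> "cs1"
        if key in ext:
            event[field] = ext[key]
    labelled = {ext[k + "Label"]: v for k, v in ext.items()
                if re.fullmatch(r"c[sn]\d", k) and k + "Label" in ext}
    return event, labelled

# Constructed sample records from two hypothetical products.
SAMPLE_A = (r"CEF:0|ExampleVendorA|Proxy|1.0|100|Blocked request|5|"
            r"src=192.0.2.10 cs1=Social Media cs1Label=URL Category "
            r"cn1=403 cn1Label=HTTP Status")
SAMPLE_B = (r"CEF:0|ExampleVendorB|Scanner|2.3|200|Malware found|8|"
            r"cs1=Eicar\=Test File cs1Label=Threat Name")

if __name__ == "__main__":
    for line in (SAMPLE_A, SAMPLE_B):
        event, labelled = to_sentinel_fields(line)
        print(event)
        print(labelled)
```

In both samples `CEFCustomString1` is populated, but only the value mapped from `cs1Label` tells an analyst whether it holds a URL category or a threat name.
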
1 Comment
Micro Focus Expert
CustomerVar* must not be used out of the box as they are reserved for customer use. Many customers are already using them. We'd need new fields for the labels. Generally speaking, it is the purpose of a SIEM to normalize data to its schema. So if we already have a native field that matches the semantics of the data being sent by an event source, then that native field must be used instead of CEFCustom*.