Log Format
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]
| Field | Value | Notes |
|---|---|---|
| Version | CEF:0 | Version is the CEF: prefix followed by an integer and identifies the version of the CEF format. The current CEF version is 0 (CEF:0). |
| Device Vendor | git.io/powershellforlockpath | Device Vendor string that when used with the Device Product, Device Version strings uniquely identify the type of sending device. Defaults to 'git.io/powershellforlockpath' but can be overridden in the configuration to be an internal support organization. |
| Device Product | PowerShellForLockpath | Device Product string that when used with the Device Vendor, Device Version strings uniquely identify the type of sending device. |
| Device Version | Module Version | Device Version string that when used with the Device Vendor, Device Product strings uniquely identify the type of sending device. |
| Device Event Class ID | Calling Function Name | Device Event Class ID is a unique identifier per event-type. Device Event Class ID identifies the type of event reported. |
| Name | (See Notes) | Name is a string representing a human-readable and understandable description of the event. The event name should not contain information that is specifically mentioned in other fields. The message is passed as a parameter on each call to the logging function. |
| Severity | (See table below) | Severity is a string or integer and reflects the importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7-8=High, and 9-10=Very-High. |

The module maps the PowerShell logging level of each call to a CEF severity as follows:

| PowerShell Logging Level | CEF Severity | CEF Numeric |
|---|---|---|
| Error | Very-High | 9 |
| Warning | High | 7 |
| Information | Medium | 5 |
| Verbose | Low | 3 |
| Debug | Low | 1 |
The Extension field contains a collection of key-value pairs. The keys are part of a predefined set, the ArcSight Extension Dictionary; the standard also allows additional custom keys, as described under custom extension names below. An event can contain any number of key-value pairs in any order, separated by spaces (" "). A value may itself contain spaces, such as a file name, and is logged exactly as written.
Because CEF is transmitted as UTF-8 text, characters that have structural meaning in the format must be escaped so that a parser does not misinterpret them. The rules differ between the header and the extension:
- Spaces in the header are valid. Do not encode a space character as <space>.
- A pipe (|) in the header must be escaped with a backslash (\|). Pipes in the extension do not need escaping.
- A backslash (\) in the header or the extension must be escaped with another backslash (\\).
- An equal sign (=) in the extension must be escaped with a backslash (\=). Equal signs in the header need no escaping.
- Multi-line values are sent by encoding the newline character as \n or \r. Multiple lines are only allowed in the value part of an extension key-value pair.
Custom extension names should take the form VendornameProductnameExplanatoryKeyName and must meet the following requirements:
- Must be made up of a single word, with no spaces.
- Must be alphanumeric
- Should be as clear and concise as possible.
- May not be named the same as any name listed in ArcSight Extension Dictionary.
Date fields (rt, start, end) use the following .NET custom date format string, which is one of the timestamp layouts CEF accepts:
MMM dd yyyy HH:mm:ss.fff zzz
Example: Dec 07 2020 21:03:19.335 +00:00
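The following is an added example, not code from the PowerShellForLockpath module. It builds a CEF:0 line from the header fields and extension keys described on this page, applying the escaping rules, the custom key-name rule, the severity mapping and the date format above, and then parses the line back so the round trip can be checked before lines are shipped to a SIEM. Python is used because the same splitting and unescaping logic is what a collector or parser on the receiving side needs. The sample event, the module version string and the URL are constructed for the illustration.

```python
"""Build and parse CEF:0 lines using the header/extension escaping rules,
the custom key-name rule, the severity mapping and the date format above.

Added example, not code from PowerShellForLockpath. Field names come from
the tables on this page; the sample event below is constructed."""
import re
from datetime import datetime

# PowerShell logging level -> CEF numeric severity, per the table above.
SEVERITY = {"Error": 9, "Warning": 7, "Information": 5, "Verbose": 3, "Debug": 1}

# Custom extension names must be a single alphanumeric word.
_KEY_NAME = re.compile(r"^[A-Za-z0-9]+$")
# A key is an alphanumeric word at the start of the extension or after a
# space, followed by an UNESCAPED '='. A '\=' inside a value never matches
# because '\' is not a key character.
_KEY_AT = re.compile(r"(?:^|\s)([A-Za-z0-9]+)=")


def is_valid_key(key):
    return bool(_KEY_NAME.match(key))


def escape_header(value):
    """Header fields: escape backslash and pipe; spaces and '=' stay as-is."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """Extension values: escape backslash and '='; pipes stay as-is; real
    line breaks become the two-character sequences \\n / \\r."""
    return (value.replace("\\", "\\\\")
                 .replace("=", "\\=")
                 .replace("\r\n", "\\n")
                 .replace("\n", "\\n")
                 .replace("\r", "\\r"))


def build_cef(vendor, product, version, event_class, name, level, ext):
    """Assemble one CEF:0 line from the header fields and an extension dict."""
    for key in ext:
        if not is_valid_key(key):
            raise ValueError(f"invalid extension key name: {key!r}")
    header = "|".join(escape_header(v) for v in (vendor, product, version, event_class, name))
    extension = " ".join(f"{k}={escape_extension(str(v))}" for k, v in ext.items())
    return f"CEF:0|{header}|{SEVERITY[level]}|{extension}"


def _split_header(line):
    """Split the seven header fields on unescaped pipes; return them plus the
    raw extension, where pipes are literal."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # \| or \\ -> the literal character
            cur.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) < 7:
        raise ValueError("not a complete CEF header")
    return fields, line[i:]


def _unescape(value):
    # One pass, so '\\n' (escaped backslash followed by n) is not turned into a newline.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)


def parse_cef(line):
    """Parse a CEF:0 line into a dict; 'rt' is additionally returned as a datetime."""
    head, raw_ext = _split_header(line)
    if head[0] != "CEF:0":
        raise ValueError(f"unsupported CEF version: {head[0]}")
    names = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
             "deviceEventClassId", "name", "severity")
    event = dict(zip(names, head))
    event["severity"] = int(head[6]) if head[6].isdigit() else head[6]
    hits = list(_KEY_AT.finditer(raw_ext))
    ext = {}
    for m, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(raw_ext)   # value runs up to the next key's leading space
        ext[m[1]] = _unescape(raw_ext[m.end():end])
    event["extension"] = ext
    if "rt" in ext:
        # .NET "MMM dd yyyy HH:mm:ss.fff zzz" expressed as a strptime pattern.
        event["rt"] = datetime.strptime(ext["rt"], "%b %d %Y %H:%M:%S.%f %z")
    return event


# Constructed sample event (not a real capture): 'msg' exercises every
# extension escaping rule and 'name' carries a pipe that must be escaped.
SAMPLE_EXTENSION = {
    "rt": "Dec 07 2020 21:03:19.335 +00:00",
    "requestMethod": "POST",
    "request": "https://lockpath.example/api/Login?retry=1",
    "msg": "line one\nline two has a=b and C:\\path",
    "outcome": "success",
}


def roundtrip():
    line = build_cef("git.io/powershellforlockpath", "PowerShellForLockpath", "1.0.0",
                     "Send-LockpathLogin", "API call | login", "Information", SAMPLE_EXTENSION)
    return line, parse_cef(line)


if __name__ == "__main__":
    line, event = roundtrip()
    print(line)
    print(event)
```

The parser treats everything after the seventh unescaped pipe as the extension, so pipes there are literal, and it only starts a new key-value pair at an unescaped `=` preceded by a space, so a `\=` inside a URL or message body stays part of the value.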
CEF Keys in bold have been implemented in the logging.
| Value Logged by PowerShellForLockpath | Source in Module | CEF Key Name | CEF Full Name | CEF Data Type | CEF Length | Notes |
|---|---|---|---|---|---|---|
| Time Stamp of Log Entry | Write-LockpathLog Function | rt | deviceReceiptTime | Date | | The time at which the event related to the activity was received. (See section on date formats.) |
| API URL | Calling Function | request | requestUrl | String | 1024 | In the case of an HTTP request, this field contains the URL accessed including the protocol. |
| API Request Method | Calling Function | requestMethod | requestMethod | String | 1024 | The method used to access a URL. |
| The body of POST or DELETE API call | Calling Function | msg | message | String | 1024 | An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. |
| Result of Invoke-LockpathRestMethod | Calling Function | outcome | eventOutcome | String | 64 | Displays the outcome, usually as ‘success’ or ‘failure’. |
| Error Message | Calling Function | reason | Reason | String | 1024 | The reason an audit event was generated. For example “bad password” or “unknown user”. |
| Start of the stopwatch | Calling Function | start | startTime | Date | | The time when the activity the event referred to started. (See section on date formats.) |
| End of the stopwatch | Calling Function | end | endTime | Date | | The time at which the activity related to the event ended. (See section on date formats.) |
| FQDN of system running module | Script Configuration Object | shost | sourceHostName | String | 1024 | The format should be a fully qualified domain name (FQDN) associated with the |
| 'PowerShell' | Script Configuration Object | sourceServiceName | sourceServiceName | String | 1024 | The service that is responsible for generating this event. |
| PowerShell (PWSH.exe) Process Id | Script Configuration Object | spid | sourceProcessId | Integer | Int32 | The ID of the source process associated with the event. |
| Username for PowerShell Process | Script Configuration Object | suser | sourceUserName | String | 1024 | Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. |
| Path to file for any file operation | Calling Function | filePath | filePath | String | 1024 | Full path to the file, including file name itself. |
| File size for any file operation | Calling Function | fsize | fileSize | Integer | Int32 | Size of the file. |