Common Event Format (CEF)

Janrain SIEM Integration supports two standard formats for information delivery: the Common Event Format (CEF) and the Log Event Extended Format (LEEF). Most SIEM platforms support at least one of these formats. If yours does not, and you are still interested in Janrain SIEM Integration, contact your Janrain representative.

The Common Event Format

The Common Event Format (CEF) was developed by ArcSight as a way to standardize event logging. A CEF file generated by Janrain SIEM Integration looks similar to this:

CEF:0|Janrain|Janrain Identity Cloud|1.0|traditional_signin|Traditional Sign In|3|app=HTTPS cat=identity request=https://myapp.janrain.com/oauth/auth_native_traditional src=1.1.1.1 shost=host.domain.com requestClientApplication=Mozilla/5.0 (X11; Fedora; Linux x86_64) suid=2b565a0c-a863-11e7-abc4-cec278b6b50a rt=Jan 01 1979 18:00:00 spriv=user cs1=abc123abc123def456def456gh cs2=abc123abc123def456def456ghi789gh forward_headers=[{'name': 'header_name', 'value': 'header_value'}]

In turn, that record can be parsed as shown in the following table. The first seven fields, separated by the pipe character, form the CEF header; the remaining space-separated key=value pairs are the extension:

| File Data | CEF Field Name | Description |
|---|---|---|
| CEF:0 | CEF Version | Common Event Format version number used to construct the data file. Analytics programs use the CEF version when uploading and parsing a file. |
| Janrain | Device Vendor | Vendor responsible for producing the CEF file. |
| Janrain Identity Cloud | Device Product | Product that produced the CEF file. |
| 1.0 | Device Version | Version number of the product. |
| traditional_signin | Signature ID | Unique identifier for the event. For a complete list of Janrain event types, see Janrain SIEM Event Types. |
| Traditional Sign In | Name | Human-readable name for the event. |
| 3 | Severity | Importance of the event, as an integer from 0 (least important) to 10 (most important), inclusive. Severities are commonly grouped as follows: 0-3 = Low; 4-6 = Medium; 7-8 = High; 9-10 = Very High. |
| app=HTTPS | applicationProtocol | Application-level protocol associated with the event; for example, HTTP, HTTPS, Telnet, POP or IMAP. |
| cat=identity | EventCategory | Category assigned to the event by the product. There is no universal standard for event categories; categories are typically product-specific. |
| request=https://myapp.janrain.com/oauth/auth_native_traditional | requestURL | URL accessed at the time the event occurred. |
| src=1.1.1.1 | sourceAddress | IP address of the computer where the event occurred. |
| shost=host.domain.com | sourceHostName | Fully qualified domain name of the computer where the event occurred. |
| requestClientApplication=Mozilla/5.0 (X11; Fedora; Linux x86_64) | requestClientApplication | User agent of the client application in use when the event occurred. For Janrain events, the user agent typically identifies the web browser in use when the event took place. |
| suid=2b565a0c-a863-11e7-abc4-cec278b6b50a | sourceUserId | UUID of the user responsible for the event. |
| rt=Jan 01 1979 18:00:00 | receiptTime | Date and time when the event occurred, expressed in the format MMM DD YYYY HH:MM:SS (Month Day Year Hour:Minute:Second). |
| spriv=user | sourceUserPrivileges | Role associated with the user responsible for the event. Allowed values are administrator, user and guest. |
| cs1=abc123abc123def456def456gh | deviceCustomString1 | ID of the Janrain application in use when the event occurred. |
| cs2=abc123abc123def456def456ghi789gh | deviceCustomString2 | ID of the Janrain client in use when the event occurred. |
| forward_headers=[{'name': 'header_name', 'value': 'header_value'}] | | Message header information. |
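As an added example (not code from the Janrain documentation or product), the following Python parses a record of the form shown above on the receiving side: it splits the seven pipe-delimited header fields, honours the CEF backslash escapes for `|` and `=`, walks the extension pairs in a way that tolerates values containing spaces (such as requestClientApplication), maps the integer severity onto the Low/Medium/High/Very High groupings from the table, and parses rt with the MMM DD YYYY HH:MM:SS layout. The sample record is a constructed copy of the one above; the header field names used as dictionary keys are this example's own choice.

```python
import re
from datetime import datetime

# Constructed sample record, mirroring the one shown above.
SAMPLE = (
    "CEF:0|Janrain|Janrain Identity Cloud|1.0|traditional_signin|Traditional Sign In|3|"
    "app=HTTPS cat=identity request=https://myapp.janrain.com/oauth/auth_native_traditional "
    "src=1.1.1.1 shost=host.domain.com "
    "requestClientApplication=Mozilla/5.0 (X11; Fedora; Linux x86_64) "
    "suid=2b565a0c-a863-11e7-abc4-cec278b6b50a rt=Jan 01 1979 18:00:00 spriv=user "
    "cs1=abc123abc123def456def456gh cs2=abc123abc123def456def456ghi789gh "
    "forward_headers=[{'name': 'header_name', 'value': 'header_value'}]"
)
# Dictionary keys for the seven header fields (names chosen for this example).
HEADER_NAMES = ("version", "device_vendor", "device_product", "device_version",
                "signature_id", "name", "severity")
# Header fields are '|'-separated; a literal pipe inside a field is escaped as backslash-pipe.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Extension values may contain spaces, so a value runs until the next ' key=' or end of line.
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def _unescape(text):  # drop the backslash from CEF escapes (pipe, equals, backslash)
    return re.sub(r"\\(.)", r"\1", text)

def severity_band(severity):
    """Map the 0-10 integer severity onto the groupings given in the table."""
    if not 0 <= severity <= 10:
        raise ValueError("severity out of range: %r" % severity)
    if severity <= 3:
        return "Low"
    if severity <= 6:
        return "Medium"
    if severity <= 8:
        return "High"
    return "Very High"

def parse_cef(line):
    """Split one CEF line into a header dict and an extension dict."""
    parts = _HEADER_SPLIT.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(HEADER_NAMES, (_unescape(p) for p in parts[:7])))
    header["version"] = int(header["version"][len("CEF:"):])
    header["severity"] = int(header["severity"])
    header["severity_band"] = severity_band(header["severity"])
    ext = {k: _unescape(v) for k, v in _EXT_PAIR.findall(parts[7])}
    if "rt" in ext:  # receiptTime uses the 'MMM DD YYYY HH:MM:SS' layout shown above
        ext["rt_parsed"] = datetime.strptime(ext["rt"], "%b %d %Y %H:%M:%S")
    return header, ext
```

Calling parse_cef(SAMPLE) returns the header with severity_band "Low" and an extension dict whose requestClientApplication value keeps its embedded spaces intact.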