Log Event Extended Format (LEEF)

The Log Event Extended Format (LEEF) was developed for use with IBM’s QRadar analytics software; however, LEEF is an open standard that can be, and is, used by other SIEM platforms. A Janrain-generated LEEF file looks similar to this:


LEEF:2.0|Janrain|Janrain Identity Cloud|1.0|traditional_signin|sev=3 proto=HTTPS cat=identity url=https://myapp.janrain.com/oauth/auth_native_traditional src=127.0.0.1 devTime=Dec 29 2016 00:26:40 devTimeFormat=MMM dd yyyy HH:mm:ss usrName=2b565a0c-a863-11e7-abc4-cec278b6b50a role=user userAgent=Mozilla/5.0 (X11; Fedora; Linux x86_64) janrainApp=abc123abc123def456def456gh janrainClient=abc123abc123def456def456ghi789gh origin=https://ui.janrain.com forward_headers=[{'name': 'header_name', 'value': 'header_value'}]

The LEEF file is explained in the following table:

| File Data | LEEF Field Name | Description |
|---|---|---|
| LEEF:2.0 | LEEF Version | Log Event Extended Format version number used to construct the data file. Analytics programs use the LEEF Version when uploading and parsing a file. |
| Janrain | Vendor | Vendor responsible for producing the LEEF file. |
| Janrain Identity Cloud | Product Name | Name of the product that produced the LEEF file. |
| 1.0 | Product Version | Version number of the product. |
| traditional_signin | EventID | Unique identifier for the event. For a complete list of Janrain event types, see Janrain SIEM Event Types. |
| sev=3 | sev | Importance of the event. Severities can be any integer value from 0 to 10 (inclusive), with 0 representing the least important event and 10 the most important event. Severities are commonly grouped as follows: 0-3 = Low; 4-6 = Medium; 7-8 = High; 9-10 = Very High. |
| proto=HTTPS | proto | Application-level protocol associated with the event; for example, HTTP, HTTPS, Telnet, POP, IMAP, etc. |
| cat=admin | cat | Category assigned to the event by the device product. There is no universal standard for event categories; categories are typically product-specific. |
| url=https://myapp.janrain.com/oauth/auth_native_traditional | url | URL accessed at the time that the event occurred. |
| src=127.0.0.1 | src | IP address of the computer where the event occurred. |
| devTime=Jan 01 1979 18:00:00 | devTime | Date and time when the event occurred. |
| devTimeFormat=MMM dd yyyy HH:mm:ss | devTimeFormat | Format used when expressing datetime values. For Janrain Universal SIEM Integration, the datetime format is MMM dd yyyy HH:mm:ss (Month Day Year Hour:Minute:Seconds). |
| usrName=2b565a0c-a863-11e7-abc4-cec278b6b50a | usrName | UUID of the user responsible for the event. |
| role=user | role | Role associated with the user responsible for the event. Allowed values are: administrator, user, guest. |
| userAgent=Mozilla/5.0 (X11; Fedora; Linux x86_64) | userAgent | User agent for the client application employed when the event occurred. For Janrain events, the user agent typically identifies the web browser in use when the event took place. |
| janrainApp=abc123abc123def456def456gh | janrainApp | ID of the Janrain application in use when the event occurred. |
| janrainClient=abc123abc123def456def456ghi789gh | janrainClient | ID of the Janrain client in use when the event occurred. |
| origin=https://ui.janrain.com | origin | Originating server. |
| forward_headers=[{'name': 'header_name', 'value': 'header_value'}] | forward_headers | Message header information. |
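A parser for the record format documented above, added here as an example and not Janrain's or QRadar's own code. It assumes a strptime equivalent for the page's devTimeFormat and, from the LEEF 2.0 specification, an optional delimiter field after EventID; the sample line is the one shown on this page, and the severity and role checks follow the table.

```python
import re
from datetime import datetime

# Constructed sample: the record shown on this page. Real LEEF output separates
# attributes with a tab; the copy rendered above uses spaces, so both are handled.
SAMPLE = (
    "LEEF:2.0|Janrain|Janrain Identity Cloud|1.0|traditional_signin|"
    "sev=3 proto=HTTPS cat=identity url=https://myapp.janrain.com/oauth/auth_native_traditional "
    "src=127.0.0.1 devTime=Dec 29 2016 00:26:40 devTimeFormat=MMM dd yyyy HH:mm:ss "
    "usrName=2b565a0c-a863-11e7-abc4-cec278b6b50a role=user "
    "userAgent=Mozilla/5.0 (X11; Fedora; Linux x86_64) "
    "janrainApp=abc123abc123def456def456gh janrainClient=abc123abc123def456def456ghi789gh "
    "origin=https://ui.janrain.com "
    "forward_headers=[{'name': 'header_name', 'value': 'header_value'}]"
)
ROLES = {"administrator", "user", "guest"}
# Assumed mapping of the page's Java-style devTimeFormat to a strptime pattern.
TIME_FORMATS = {"MMM dd yyyy HH:mm:ss": "%b %d %Y %H:%M:%S"}

def severity_band(sev):
    """Grouping used on the page: 0-3 Low, 4-6 Medium, 7-8 High, 9-10 Very High."""
    if not 0 <= sev <= 10:
        raise ValueError(f"sev out of range: {sev}")
    return "Low" if sev <= 3 else "Medium" if sev <= 6 else "High" if sev <= 8 else "Very High"

def parse_leef(line):
    head = line.split("|", 5)
    if len(head) != 6 or not head[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    version, vendor, product, product_version, event_id, rest = head
    # LEEF 2.0 may carry the attribute delimiter as a sixth header field
    # (one character, or xHH for a hex code point); the default is a tab.
    delim = "\t"
    spec = re.match(r"(x[0-9A-Fa-f]{2}|[^|=])\|", rest) if version == "LEEF:2.0" else None
    if spec:
        token = spec.group(1)
        delim = chr(int(token[1:], 16)) if token.startswith("x") else token
        rest = rest[spec.end():]
    if delim in rest:
        pairs = [p.split("=", 1) for p in rest.split(delim) if "=" in p]
    else:  # space-rendered copy: split at each "key=" boundary instead
        pairs = re.findall(r"(?:^|\s)([A-Za-z_]\w*)=(.*?)(?=\s[A-Za-z_]\w*=|$)", rest)
    attrs = dict(pairs)
    if "role" in attrs and attrs["role"] not in ROLES:
        raise ValueError(f"unexpected role: {attrs['role']!r}")
    fmt = TIME_FORMATS.get(attrs.get("devTimeFormat"))
    event_time = datetime.strptime(attrs["devTime"], fmt) if fmt and "devTime" in attrs else None
    return {"vendor": vendor, "product": product, "product_version": product_version,
            "event_id": event_id, "severity_band": severity_band(int(attrs["sev"])),
            "attrs": attrs, "event_time": event_time}
```

Records whose sev falls outside 0-10 or whose role is not one of the documented values are rejected rather than silently normalised, so a malformed feed surfaces at ingest time.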