Closed by tg 6 years ago
Implemented in v1.6.0. Examples of CEF events:

```text
CEF:0|AlphaSOC|NFR|v1.6.0|dga_volume|Multiple requests for DGA domains indicating infection|8|app=dns rt=Sep 07 2018 19:30:07.000 UTC src=10.14.1.39 cs1=beacon,perplexing_domain,unreachable_domain cs1Label=flags cs2=default cs2Label=groups query=mkrvovamcunmdk.net requestMethod=A
CEF:0|AlphaSOC|NFR|v1.6.0|suspicious_domain_volume|Multiple requests to suspicious domains|6|app=dns rt=Sep 07 2018 19:30:07.000 UTC src=10.14.1.39 cs1=beacon,perplexing_domain,unreachable_domain cs1Label=flags cs2=default cs2Label=groups query=mkrvovamcunmdk.net requestMethod=A
```
CEF format has been requested for syslog, but we can support it for all the outputs taking custom strings (currently syslog and file).
One thing to consider is whether we should generate a single CEF event per alert (containing the top-severity threat only) or generate multiple CEF events for alerts containing more than one threat. We could also support both approaches.
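As an added example, not code from this issue or from NFR itself: a Go program that models an alert carrying several threats, renders it both ways discussed in the comment above (one CEF event per threat, or only the top-severity threat), and parses the lines back using CEF's escaping rules. The `Threat`, `Alert` and `Event` types, the `sampleAlert` value and every function name are assumptions made for this example; the two sample lines are the ones quoted in the comment, and formatting `sampleAlert` reproduces them byte for byte.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Sample events from the comment above; sampleAlert below is constructed so that formatting it reproduces them.
const sampleDGA = `CEF:0|AlphaSOC|NFR|v1.6.0|dga_volume|Multiple requests for DGA domains indicating infection|8|app=dns rt=Sep 07 2018 19:30:07.000 UTC src=10.14.1.39 cs1=beacon,perplexing_domain,unreachable_domain cs1Label=flags cs2=default cs2Label=groups query=mkrvovamcunmdk.net requestMethod=A`
const sampleSuspicious = `CEF:0|AlphaSOC|NFR|v1.6.0|suspicious_domain_volume|Multiple requests to suspicious domains|6|app=dns rt=Sep 07 2018 19:30:07.000 UTC src=10.14.1.39 cs1=beacon,perplexing_domain,unreachable_domain cs1Label=flags cs2=default cs2Label=groups query=mkrvovamcunmdk.net requestMethod=A`

// Threat and Alert are a hypothetical model of "an alert containing more than one threat", not NFR's own types.
type Threat struct {
	ID, Title string // CEF Signature ID and Name
	Severity  int    // CEF severity 0-10
}
type Alert struct {
	Timestamp, Source, Query, QueryType string
	Flags, Groups                       []string
	Threats                             []Threat
}

// CEF escaping: header fields escape \ and |; extension values escape \, = and line breaks.
var (
	escHeader   = strings.NewReplacer(`\`, `\\`, "|", `\|`)
	unescHeader = strings.NewReplacer(`\\`, `\`, `\|`, "|")
	escExt      = strings.NewReplacer(`\`, `\\`, "=", `\=`, "\r", `\r`, "\n", `\n`)
	unescExt    = strings.NewReplacer(`\\`, `\`, `\=`, "=", `\r`, "\r", `\n`, "\n")
	// CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity| split on unescaped pipes; numeric severity only.
	headerRe = regexp.MustCompile(`^CEF:(\d+)\|` + strings.Repeat(`((?:\\.|[^|\\])*)\|`, 5) + `(\d+)\|`)
	extKeyRe = regexp.MustCompile(`(^|\s)([A-Za-z0-9_]+)=`) // start of an unescaped key= in the extension
)

// FormatCEF renders one threat of an alert as one CEF line with the samples' field set.
func FormatCEF(a Alert, t Threat) string {
	ext := strings.Join([]string{
		"app=dns", "rt=" + escExt.Replace(a.Timestamp), "src=" + escExt.Replace(a.Source),
		"cs1=" + escExt.Replace(strings.Join(a.Flags, ",")), "cs1Label=flags",
		"cs2=" + escExt.Replace(strings.Join(a.Groups, ",")), "cs2Label=groups",
		"query=" + escExt.Replace(a.Query), "requestMethod=" + escExt.Replace(a.QueryType),
	}, " ")
	return fmt.Sprintf("CEF:0|AlphaSOC|NFR|v1.6.0|%s|%s|%d|%s",
		escHeader.Replace(t.ID), escHeader.Replace(t.Title), t.Severity, ext)
}

// EventsPerThreat is the "one CEF event per threat" option, highest severity first.
func EventsPerThreat(a Alert) []string {
	ts := append([]Threat(nil), a.Threats...)
	sort.SliceStable(ts, func(i, j int) bool { return ts[i].Severity > ts[j].Severity })
	out := make([]string, 0, len(ts))
	for _, t := range ts {
		out = append(out, FormatCEF(a, t))
	}
	return out
}

// TopThreatEvent is the "single event per alert" option; ok is false when the alert has no threats.
func TopThreatEvent(a Alert) (line string, ok bool) {
	if lines := EventsPerThreat(a); len(lines) > 0 {
		return lines[0], true
	}
	return "", false
}

// Event is what a consumer (syslog collector, SIEM) builds from one line.
type Event struct {
	Version, Vendor, Product, DeviceVersion, SignatureID, Name string
	Severity                                                   int
	Extension                                                  map[string]string
}

// ParseCEF validates the header, then splits the extension on unescaped "key=" tokens so values with spaces (rt=Sep 07 ...) survive.
func ParseCEF(line string) (Event, error) {
	m := headerRe.FindStringSubmatch(line)
	if m == nil {
		return Event{}, fmt.Errorf("cef: malformed header in %q", line)
	}
	sev, err := strconv.Atoi(m[7])
	if err != nil || sev > 10 {
		return Event{}, fmt.Errorf("cef: bad severity %q", m[7])
	}
	u := unescHeader.Replace
	ev := Event{m[1], u(m[2]), u(m[3]), u(m[4]), u(m[5]), u(m[6]), sev, map[string]string{}}
	ext := line[len(m[0]):] // everything after the seventh pipe
	locs := extKeyRe.FindAllStringSubmatchIndex(ext, -1)
	for n, loc := range locs {
		end := len(ext)
		if n+1 < len(locs) {
			end = locs[n+1][0]
		}
		ev.Extension[ext[loc[4]:loc[5]]] = unescExt.Replace(strings.TrimSpace(ext[loc[1]:end]))
	}
	return ev, nil
}

// sampleAlert carries the fields of the two sample events; threats are deliberately out of severity order.
var sampleAlert = Alert{
	Timestamp: "Sep 07 2018 19:30:07.000 UTC", Source: "10.14.1.39", Query: "mkrvovamcunmdk.net", QueryType: "A",
	Flags: []string{"beacon", "perplexing_domain", "unreachable_domain"}, Groups: []string{"default"},
	Threats: []Threat{
		{ID: "suspicious_domain_volume", Title: "Multiple requests to suspicious domains", Severity: 6},
		{ID: "dga_volume", Title: "Multiple requests for DGA domains indicating infection", Severity: 8},
	},
}
```

Two points worth noting for whichever option is chosen. A queried domain or threat title is attacker-influenced input, so the header escaping of `|` and `\` and the extension escaping of `=` are what keep a crafted DNS name from injecting extra fields into the SIEM's view of the event; the parser above accepts only what those rules produce. And because extension values may contain spaces, a consumer cannot split the extension on whitespace; it has to look for the next unescaped `key=` boundary, as `ParseCEF` does, or `rt=` loses its time zone.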