imperva / incapsula-logs-downloader

A Python script for downloading log files from Incapsula
MIT License

remove control chars from decrypted_file string, as splitlines() will… #37

Closed AVitg closed 9 months ago

AVitg commented 2 years ago

remove control chars from decrypted_file string, as splitlines() will otherwise split at those
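Why the control characters matter, as an added example that is not part of the PR or of the incapsula-logs-downloader code: Python's str.splitlines() treats \x0b, \x0c, \x1c, \x1d, \x1e, \x85, \u2028 and \u2029 as line boundaries in addition to \n and \r, so a single CEF record whose field value carries one of them gets fragmented into several "lines". The two CEF records below are constructed sample input (the field names are only illustrative, not a claim about Imperva's real log layout); the script contrasts the original splitlines() behaviour with stripping those characters first, and with splitting on "\n" only, which keeps the record intact without discarding bytes.

```python
from typing import List

# Constructed sample: two CEF records separated by "\n". The second record has a
# vertical tab (\x0b) and a file separator (\x1c) embedded in field values, the kind
# of control character this PR strips from the decrypted file contents.
SAMPLE = (
    "CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3|"
    "fileid=1234 sourceServiceName=example.com requestMethod=GET\n"
    "CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3|"
    "fileid=1235 sourceServiceName=example.com cs1=bad\x0bvalue cs2=more\x1cstuff\n"
)

# Line boundaries recognised by str.splitlines() other than "\n" and "\r"
# (the list in the Python documentation for str.splitlines).
SPLITLINES_CONTROL_CHARS = "\x0b\x0c\x1c\x1d\x1e\x85\u2028\u2029"
_STRIP_TABLE = str.maketrans("", "", SPLITLINES_CONTROL_CHARS)


def naive_split(text: str) -> List[str]:
    """Original behaviour: rely on str.splitlines(), so embedded
    control characters fragment a record into several pieces."""
    return [line for line in text.splitlines() if line]


def strip_control_chars(text: str) -> str:
    """Drop every character splitlines() would treat as a boundary
    except the real record terminators "\\n" and "\\r"."""
    return text.translate(_STRIP_TABLE)


def safe_split(text: str) -> List[str]:
    """Approach taken by the PR: sanitise first, then splitlines()."""
    return [line for line in strip_control_chars(text).splitlines() if line]


def newline_only_split(text: str) -> List[str]:
    """Alternative that preserves the field bytes: split only on "\\n"
    (records are newline-terminated) and let the SIEM parser decide
    what to do with any control character inside a value."""
    return [line for line in text.split("\n") if line]


def fragment_count(lines: List[str]) -> int:
    """Sanity check a practitioner can run on the output: every real
    record starts with the CEF header, so anything else is a fragment."""
    return sum(1 for line in lines if not line.startswith("CEF:"))


if __name__ == "__main__":
    for name, fn in (("splitlines", naive_split),
                     ("strip then splitlines", safe_split),
                     ("split on newline only", newline_only_split)):
        lines = fn(SAMPLE)
        print(f"{name}: {len(lines)} lines, {fragment_count(lines)} fragments")
```

Running it shows the unsanitised splitlines() turning two records into four lines, two of which lack the CEF header and would be rejected or mis-parsed downstream, while both fixes yield exactly two well-formed records.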

AVitg commented 2 years ago

tl;dr: it is applicable across all SIEMs using CEF.

The CEF standard was created by the ArcSight people some time ago (archive.org link).

You can actually see the CEF Std. as the schema definition of the internal ArcSight database.

According to the CEF V25 Std. the fields I manipulated need to look exactly like that... the keys that were chosen for this by Imperva actually do not make any sense.

There are some other issues with the logs Imperva produces in their Incapsula CEF implementation, for example: there are not more than 6 custom strings (cs6) according to the CEF guide, as the underlying (ArcSight) database schema only defines up to cs6.

Also the way Imperva implemented "vendor specific key" does not stick to the CEF guide. And to be honest, it is also not a good practice, as a re-mapping into existing ArcSight/CEF fields needs to happen.

There is CEF0 (also known as CEF0.1) and CEF1, which is not represented in the CEF guide; however, the main difference is only that in CEF1 IP-address-related fields can contain IPv4 and IPv6 data, whereas in CEF0 only IPv4 can be used and IPv6 needs to go to a special field. The reason for this is that "older" schema definitions of the ArcSight ESM (and Logger maybe) were not IPv6 ready, and could not handle the "IPv6 strings" in an address field (ESM prior to 6.5 or 6.8).