This CEF helper template was written to be highly configurable while adhering to revision 16 of the Common Event Format (CEF) standards document. Its aim is to parse metadata into any meta key in RSA NetWitness from any security appliance with the least amount of programming.
This is performed by several routines within the code that associate “csX” and “cnX” within a CEF extension with their corresponding “csXLabel” and “cnXLabel”. If no matching label exists, the routine uses “csX” or “cnX” itself as the key name (where X is a numeric value). For example, a CEF message containing “cs3=name cs3Label=Ian” will set the key name to “name” and the value to “Ian”, whereas a CEF message containing only “cs3=Ian” will set the key name to “cs3” and the value to “Ian”. However, through the script's configuration you can translate cs3 into any meta key name you want (e.g. username). This is configured in the t_keys_to_use variable. More information on that below!
As CEF messages can also contain newline characters (\n), if one is found the script parses each line into a separate meta value under the same key name. For example, a CEF message containing “cs2=user.names cs2Label=iredden\nepartington” will result in two meta values (user.names) containing “iredden” and “epartington”.
The template can be downloaded at the bottom of this article. It is configured for a FireEye HX appliance but can be easily modified for anything!
The main configuration of the script is in two variables: t_keys_to_use and b_debug.
t_keys_to_use – a Lua key/value table listing which keys to parse and the meta key each one maps to.
b_debug – set to true by default, which means no meta is created; instead, debugging output is written to the logs.
You also need to configure the cefhelper:setKeys() section of the script. It must contain the same keys as the t_keys_to_use table. For example:
CEF:0|fireeye|hx|3.1.3|IOC Hit Found|IOC Hit Found|10|rt=Sep 29 2016 02:39:54 UTC dvchost=lab.rsa.local categoryDeviceGroup=/IDS categoryDeviceType=Forensic Investigation categoryObject=/Host cs1Label=Host Agent Cert Hash cs1=YUGh0fvlBG5ewBBahhbEZH dst=172.16.10.50 dmac=aa-bb-7a-fa-75-d8 dhost=victim-a3c696c8 dntdom=WORKGROUP deviceCustomDate1Label=Agent Last Audit deviceCustomDate1=Sep 29 2016 02:39:49 UTC cs2Label=FireEye Agent Version cs2=21.33.0 cs5Label=Target GMT Offset cs5=PT0H cs6Label=Target OS cs6=Windows 7 Professional 7601 Service Pack 1 externalId=1049717 start=Sep 29 2016 02:39:28 UTC categoryOutcome=/Success categorySignificance=/Compromise categoryBehavior=/Execute categoryTechnique=Exploit act=Detection IOC Hit msg=Host victim-a3c696c8 IOC compromise alert categoryTupleDescription=A Detection IOC found a compromise indication. cs4Label=IOC Name cs4=SANDSTORM (FAMILY)
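As an added example (not the article's template or any RSA NetWitness code), the following plain Lua implements the three behaviours described above: pairing csX/cnX with csXLabel/cnXLabel, translating a raw key through a t_keys_to_use table, and splitting a newline-separated value into several meta values; it generalises the pairing to any <key>Label pair (deviceCustomDate1Label included) and follows the CEF convention seen in the FireEye message above, where the Label field carries the key name and the csX field the value. The lookup precedence (explicit mapping, then label, then raw key name), the sample mapping table and the sample message are assumptions, and escaped pipes in the header are not handled.

```lua
-- Added example (not the article's template): CEF extension -> NetWitness-style meta in plain
-- Lua: csX/cnX paired with csXLabel/cnXLabel, an explicit key map, and "\n" splitting.
local t_keys_to_use = {                        -- assumed config in the article's t_keys_to_use shape
  dst = "ip.dst", dhost = "alias.host",
  cs4 = "ioc.name",                            -- explicit mapping wins over the csXLabel text
}

-- Split the extension on " key=" boundaries so values containing spaces stay intact.
local function parse_extension(ext)
  ext = (" " .. ext):gsub("\\\\", "\1"):gsub("\\=", "\2")   -- hide escaped "\\" and "\="
  local fields, prev_key, prev_start = {}, nil, nil
  for s, key, e in ext:gmatch("()%s([%w%-%._]+)=()") do
    if prev_key then fields[prev_key] = ext:sub(prev_start, s - 1) end
    prev_key, prev_start = key, e
  end
  if prev_key then fields[prev_key] = ext:sub(prev_start) end
  for key, v in pairs(fields) do                -- restore escapes; "\n" becomes a real newline
    fields[key] = v:gsub("\\n", "\n"):gsub("\2", "="):gsub("\1", "\\")
  end
  return fields
end

-- Resolve each field to a meta key (explicit map, then its <key>Label, then the raw name);
-- a value containing newlines becomes several meta values under the same key.
local function build_meta(fields)
  local meta = {}
  for key, value in pairs(fields) do
    local base = key:match("^(.+)Label$")
    if not (base and fields[base]) then          -- a label is consumed by its partner key
      local meta_key = t_keys_to_use[key] or fields[key .. "Label"] or key
      meta[meta_key] = meta[meta_key] or {}
      for part in (value .. "\n"):gmatch("(.-)\n") do
        if part ~= "" then table.insert(meta[meta_key], part) end
      end
    end
  end
  return meta
end

-- Constructed message in the FireEye HX shape from the article (header escapes not handled here).
local sample = "CEF:0|fireeye|hx|3.1.3|IOC Hit Found|IOC Hit Found|10|rt=Sep 29 2016 02:39:54 UTC "
  .. "cs1Label=Host Agent Cert Hash cs1=YUGh0fvlBG5ewBBahhbEZH dst=172.16.10.50 dhost=victim-a3c696c8 "
  .. "cs2Label=user.names cs2=iredden\\nepartington cs4Label=IOC Name cs4=SANDSTORM (FAMILY) cn1=7"
local ext = sample:match("^CEF:%d+|.-|.-|.-|.-|.-|.-|(.*)$")   -- skip the seven header fields
local meta = build_meta(parse_extension(ext))
assert(meta["Host Agent Cert Hash"][1] == "YUGh0fvlBG5ewBBahhbEZH")   -- label supplies the key name
assert(meta["ip.dst"][1] == "172.16.10.50" and meta["ioc.name"][1] == "SANDSTORM (FAMILY)")
assert(#meta["user.names"] == 2 and meta["user.names"][2] == "epartington")
assert(meta["cn1"][1] == "7")                    -- no cn1Label and no mapping: raw key name
for k, v in pairs(meta) do print(k .. "=" .. table.concat(v, " | ")) end   -- b_debug-style dump
```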
DISCLAIMER: As always, this script is provided as is. If you have any questions, feel free to reach out to me at firstname.lastname@example.org.
Update 5/26/2017 - Updated CEF template fixing several bugs.