CEF to CommonSecurityLog normlization query
Cef To Common Security Log
Query
N/AAbout this query
Explanation
This query is designed to transform Syslog messages formatted in Common Event Format (CEF) into a structure compatible with the CommonSecurityLog table in Microsoft Sentinel. Here's a simplified breakdown of what the query does:
-
Parsing CEF Data: The query starts by parsing the incoming Syslog CEF messages using regular expressions. It extracts key components from the CEF message, such as the device vendor, product, version, event class ID, activity, and log severity.
-
Extracting Additional Fields: It further extracts additional fields from the CEF message's extensions. These fields include details like device actions, application protocols, event categories, IP addresses, ports, user information, file details, and more.
-
Handling Custom Fields: The query also handles custom fields that may be present in the CEF message, extracting them into specific columns.
-
Data Type Conversion: Some extracted fields are converted into appropriate data types, such as integers or real numbers, to ensure they are correctly formatted for analysis.
-
Projection: Finally, the query projects the necessary fields into a new structure, aligning them with the CommonSecurityLog schema. It removes unnecessary fields from the final output.
-
Considerations: The query notes that the CEF headers and schema might vary depending on the source system (e.g., CheckPoint vs. PaloAlto), so adjustments may be needed based on the specific data source.
Overall, this query is a comprehensive script for normalizing and structuring CEF log data into a format suitable for security analysis in Microsoft Sentinel.
Details

Robbe Van den Daele
Released: January 25, 2025
Tables
Keywords
Operators