Common Event Format (CEF) Data
Common Event Format (CEF) is a standardized logging format developed by ArcSight (now part of Micro Focus), a security information and event management (SIEM) solution provider. CEF is designed to simplify the process of logging security-related events, making it easier to integrate logs from different sources into a single system.
CEF is a text-based log format that uses Syslog as transport, which is standard for message logging, and is supported by most network devices and operating systems. The full format includes a Syslog header or "prefix," a CEF "header," and a CEF "extension." The extension contains a list of key-value pairs. Standard key names are provided, and user-defined extensions can be used for additional key names.
CEF Standard and Custom Key
This table displays CEF names along with full names for each CEF key. It is the key name that is required in events.
| Key Name | Full Name | Key Type | Module | Data Type | Length | Description |
|---|---|---|---|---|---|---|
act | deviceAction | Standard | All | String | 63 | Action mentioned in the event. |
dvc | deviceAddress | Standard | All | IPV4 Address | 16 | Identifies the device that an event refers to in an IP network. The format is an IPv4 address. Example: β192.168.10.1β |
dvchost | deviceHostName | Standard | All | String | 100 | The format should be a fully qualified domain name associated with the device node when a node is available. Examples: βhost.domain.comβ |
duid | destination UserId | Standard | Deployments | String | 1023 | Identifies the destination user by ID. Salesforce org user ID |
duser | destination UserName | Standard | Deployments | String | 1023 | Identifies the destination user by name. This is the user associated with the event's destination. E-mail addresses are also mapped into the UserName fields. The recipient is a candidate to put into destinationUserName. In ARM, this should be used for the destination Salesforce Org username. |
end | endTime | Standard | All | Time Stamp |
| The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). An example would be reporting the end of a session. Process end time (eg: Build end time) |
fname
| fileName | Standard | All (Static Code Analysis) | String | 1023 | Name of the file. |
fsize | fileSize | Standard | Deployments | Integer |
| Size of the file. Metadata package ZIP size. |
msg | message | Standard | All | String | 1023 | An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new-line separator. |
request | requestURL | Standard | CI Jobs | String | 1023 | In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well, e.g., βhttp://www.security.comβ CIJobs -> post deployments external URL. |
requestMethod | requestMethod | Standard | CI Jobs | String | 1023 | The method used to access a URL. Possible values: βPOSTβ, βGETβ |
suid | sourceUserId | Standard | Deployments | String | 1023 | Identifies the source user by ID. This is the user associated with the source of the event. Source Salesforce org user ID |
suser | sourceUserName | Standard | Deployments | String | 1023 | Identifies the source user by name. E-mail addresses are also mapped into the UserName fields. The sender is a candidate to put into sourceUserName. Destination Salesforce org user ID |
start | startTime | Standard | All | Time Stamp |
| The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). |
arAuthType | authenticationType | Custom | Admin | String | 50 | Authentication type for Salesforce Org registration |
arBType | boardType | Custom | Version Control | String | 50 | Board type as mentioned in Version Control commit history page |
arBrowserType | browserType | Custom | Admin | String | 50 | User login browser name |
arActor | Actor | Custom | All | String | 50 |
|
arApprovedBy | Approved By | Custom | Version Control | String | 50 | User email who approved the Pre-validation process (Merge / EZ-Commit Pre-validation) |
arAssociatedPartner | Associated Partner | Custom | nCino | String | 30 | By default, for Associated Partner is nCino while creating a feature |
deviceProcessName | Device process Name | Standard | All | String | 1023 | Process name associated with the event |
arDeploymentSource | Deployment Source | Custom | Deployment, nCino | String | 60 |
|
arLAuthMethod | Auth Method | Custom | Login | String | 40 | The authentication method used during user login |
arBranchName | Branch Name | Custom | All | String | 32 | Name that is given in AR while registering/creating the branch. |
arCIJobName | CI Job Name | Custom | Deployment | String | 1023 | Name given in ARM while creating the Job. |
arReleaseLabel | Release Label Name | Custom | Deployment | String | 1023 | Name given in ARM while creating the release label |
arCommitLabel | Commit Label Name | Custom | Deployment | String | 1023 | Name that is given in AR while creating the commit label |
arCIBuildNumber | CI Job Build number | Custom | Deployment | String | 1023 | Build number in AR |
arRepoName | Repository Name | Custom | All | String | 32 | Name that is given in AR while registering the Repository |
arCommitFP | Commit Full Profiles | Custom | Version Control | Boolean | 6 | Commit full profiles selection in Version Control |
arCType | Commit Type | Custom | Version Control | String | 30 |
|
arCommittedBy | Committed By | Custom | All | String | 40 | User mail who initiated the commit process |
arCmpFailureCount | Failed components count | Custom | Deployment | Integer | 1000 | Failed components count in the deployment process |
arComDeployedCount | Deployed components count | Custom | Deployment | Integer | 1000 | Successful components deployed count |
arComSuccessCount | Success components count | Custom | Deployment | Integer | 1000 | Success components count |
arCreateDataset | Create a dataset during the deployment process | Custom | nCino | Boolean | 6 | Create dataset criteria selection during the deployment process |
arCredentialType | Credential type | Custom | All | String | 10 | Credential type refers to SSH / UWP / CA |
arAccessKey | Access key name | Custom | All | String | 32 | Credential / Access key name used during Commit / Merge processes |
arDMLType | DML Type | Custom | Dataloader, nCino | String | 15 | Data Manipulation type used for data migration. eg: insert/upsert |
arDFrom | Deployment from | Custom | Deployment, nCino | String | 50 | Deployment from selection |
arDeviceProcessStatus | Process status | Custom | All | String | 50 | eg: Deployment Status |
arRepoURL | Repository URL | Custom | All | String | 300 | URL of the repository |
arDAppliedMappings | Destination Applied Mappings | Custom | Dataloader, nCino | String | 90 | Applied mappings field selected for the destination. |
arDSFOrgName | Destination Salesforce org name | Custom | All | String | 32 |
|
arEObjectFilter | Entry Object Filter | Custom | nCino | String | 1000 |
|
arEObjects | Excluded objects | Custom | nCino | String | 1000 |
|
arExternalId | External ID | Custom | nCino, Dataloader | String | 100 |
|
arFVersion | Feature Version | Custom | nCino | String | 52 |
|
arFName | Feature Name | Custom | nCino | String | 52 |
|
arGGrantProfiles | Global grant profiles | Custom | All | Boolean | 6 | Global settings of permissions |
arPermissionsAccess | Grant / Revoke access | Custom | All | String | 10 | Grant / Revoke |
arIMVisibleSettings | Ignore missing visibility settings | Custom | All | Boolean | 6 |
|
arIAttachments | Include Attachments | Custom | nCino, Dataloader | Boolean | 6 |
|
arInsertNulls | Insert Nulls | Custom | nCino, Dataloader | Boolean | 6 |
|
arIBackup | Is Backup | Custom | All | Boolean | 6 |
|
arICommit | Is Commit | Custom | nCino | Boolean | 6 |
|
arIDeploy | Is Deploy | Custom | nCino | Boolean | 6 |
|
arIRollback | Is Rollback | Custom | All | Boolean | 6 |
|
arISandbox | Is sandbox | Custom | All | Boolean | 6 | Destination SF org is Sandbox or not |
arIUTF8 | Is UTF8 enabled | Custom | nCino, Dataloader | Boolean | 6 |
|
arLName | Login Name | Custom | Admin | String | 30 |
|
arLType | Login Type | Custom | Admin | String | 30 |
|
arMName | Module Name | Custom | All | String | 50 |
|
arIObjects | Included Objects | Custom | nCino, Dataloader | String | 1023 |
|
arPCheckDup | Pre-check duplicates | Custom | nCino, Dataloader | Boolean | 6 |
|
arRFailureCount | Records Failure count | Custom | nCino, Dataloader | Integer | 10000 |
|
arRExtracted | The number of records extracted | Custom | nCino, Dataloader | Integer | 10000 |
|
arRSuccessCount | Success records count | Custom | nCino, Dataloader | Integer | 10000 |
|
arRIPRanges | Remove IP Ranges | Custom | All | Boolean | 6 |
|
arRUPerms | Remove User Permissions | Custom | All | Boolean | 6 |
|
arRArtifact | Review artifact | Custom | Version Control | Boolean | 6 |
|
arRevNumber | Revision number | Custom | All | String | 10 |
|
arSOQLQuery | SOQL Query | Custom | nCino, Dataloader | String | 1023 |
|
arSSRules | Search & Substitute rules | Custom | All | String | 1023 |
|
arFDSType | Feature Deployment Source type | Custom | nCino | String | 50 |
|
arStdFVersion | Standard Feature version | Custom | nCino | String | 52 |
|
arStdFName | Standard Feature Name | Custom | nCino | String | 52 |
|
arSubMName | Sub module name | Custom | All | String | 50 |
|
arUCheckFields | Unique check fields | Custom | nCino, Dataloader | String | 1023 |
|
arVRImpact | Validation rules impacted | Custom | nCino, Dataloader | String | 1023 |
|
arWRImpact | Workflow rules impacted | Custom | nCino, Dataloader | String | 1023 |
|
arCStatus | Commit status | Custom | All | String | 50 |
|
arBulkAPI | Bulk API enabled | Custom | nCino, Dataloader | Boolean | 6 |
|
arReviewedBy | Reviewed By | Custom | Version Control | String | 1023 |
|
arSFAPIVersion | Salesforce API Version | Custom | Deployment | String | 6 |
|
arSSFOrgName | Source Salesforce Org Name | Custom | Deployment | String | 1023 | Source SF org name, which is registered in ARM |
arIterationNumber | Iteration Number | Custom | Deployment | String | 1023 | Iteration number of deployments |
arRevertIterationNumber | Revert Iteration Number | Custom | Deployment | String | 1023 | Revert Iteration number of deployments |
arTriggeredBy | Triggered By | Custom | CI | String | 50 | User email triggered by CI Job build |
arBuildLabel | Build Label Name | Custom | CI | String | 1023 | Name that is given in AR while triggering the CI Build |
arSRepoURL | Source Repository URL | Custom | All | String | 300 | URL of the repository viz. selected as Source |
arSBranchName | Source branch name | Custom | All | String | 32 |
|
arSRepoName | Source repository name | Custom | All | String | 32 |
|
arFRevNumber | From Revision number | Custom | All | String | 10 |
|
arTRevNumber | To Revision number | Custom | All | String | 10 |
|
arPostActivity | Post Activity | Custom | CI | Boolean |
|
|
arFunctionalTests | Functional Tests | Custom | CI | Boolean |
|
|
arSCodeCoverage | Source Code Coverage | Custom | CI | Boolean |
|
|
arDCodeCoverage | Destination Code Coverage | Custom | CI | Boolean |
|
|
arQDeploy | Quick Deploy | Custom | CI | Boolean |
|
|
arObject | Object Name | Custom | nCino | String | 1000 |
|
arTeam | Team Name | Custom | All | String | 40 | Account name / Org Name |
arCMsg | Commit message | Custom | All | String | 1023 | Commit message or commit comment |
arSAppliedMappings | Source Applied mappings | Custom | nCino, Dataloader | String | 50 |
|
arCIBStatus | Build status | Custom | CI, nCino | String | 50 | Build status |
arCIDStatus | Deploy status | Custom | CI, nCino | String | 50 | Deployment status |
arDBranchName | Destination Branch name | Custom | Version Control | String | 32 |
|
arGrantProfiles | Grant Profiles | Custom | Version Control | String | 30 |
|
arRevokeProfiles | Revoke Profiles | Custom | Version Control | String | 30 |
|
arRArtifact | Review Artifact | Custom | Version Control | Boolean |
|
|
arPullRequest | Pull Request | Custom | Version Control | Boolean |
| Prints true if pull request enabled else, prints false |
arApproved | Approval status | Custom | Version Control | Boolean |
| Prints true if commit request/merge request approved else, prints false |
arScaStatus | Static Code Analysis status | Custom | Version Control | String | 20 |
|
arVDeployStatus | Validate Deploy status | Custom | Version Control | String | 20 |
|
arDiffReportStatus | Diff Report status | Custom | Version Control | String | 20 |
|
arCategory | Dataloader category | Custom | Dataloader | String | 1023 |
|
arBatchSize | Batch size | Custom | Dataloader, nCino | String | 1023 | Batch size to process records |
arLimitCount | Limit Count | Custom | Dataloader | String | 1023 | Number of records to be extracted |
arIncDelRecords | Include deleted records | Custom | Dataloader | String | 1023 | Whether to include deleted records during the extract |
arObjectFields | Object unique fieldset | Custom | Dataloader | String | 1023 |
|
arIsSaveRun | Save and Run | Custom | Dataloader | String | 1023 |
|
arSrcUserSuffix | Source user suffix | Custom | Dataloader | String | 1023 |
|
arDestUserSuffix | Destination user suffix | Custom | Dataloader | String | 1023 |
|
arParents | Related parent objects | Custom | Dataloader | String | 1023 |
|
arChilds | Related child objects | Custom | Dataloader | String | 1023 |
|
arScheduleTime | Scheduled time | Custom | Dataloader | String | 1023 |
|
arScheduleTimeInterval | Scheduled time interval | Custom | Dataloader | String | 1023 |
|
arScheduleDays | Scheduled days | Custom | Dataloader | String | 1023 |
|
arScheduleType | Type of schedule | Custom | Dataloader | String | 1023 |
|
arIgnoreCommunityUsers | Ignore Community Users | Custom | Dataloader | String | 1023 |
|
arIsAccountIncluded | Is Account included | Custom | Dataloader | String | 1023 |
|
arIsMaskingEnabled | Is masking enabled | Custom | Dataloader | String | 1023 |
|
arScheduleFromDate | Schedule from Date | Custom | Dataloader | String | 1023 |
|
arScheduleToDate | Schedule to date | Custom | Dataloader | String | 1023 |
|
arScheduleRuns | Schedule runs | Custom | Dataloader | String | 1023 | No. of scheduled executions performed |
arProcessId | Process Build | Custom | Dataloader | String | 1023 |
|
arAutoFilter | Auto Filter | Custom | Dataloader | String | 1023 | Consider only the filter applied on the master object for a complete hierarchy |
arMinMulRef | Minimize multiple references | Custom | Dataloader | String | 1023 |
|
arIsIncremental | Incremental data migration | Custom | Dataloader | String | 1023 |
|
arStartDate | Start date | Custom | Dataloader | String | 1023 | The base date for incremental data migration |
arMaskingField | Masking field | Custom | Dataloader | String | 1023 |
|
arMaskingName | Masking name | Custom | Dataloader | String | 1023 |
|
arMaskingType | Masking type | Custom | Dataloader | String | 1023 |
|
arMaskingStyle | Masking style | Custom | Dataloader | String | 1023 |
|
arVRName | Validation rule name | Custom | Dataloader, nCino | String | 1023 |
|
arWFName | Workflow rule name | Custom | Dataloader, nCino | String | 1023 |
|
arVRId | Validation rule Id | Custom | Dataloader, nCino | String | 1023 |
|
arWFId | Workflow rule id | Custom | Dataloader, nCino | String | 1023 |
|
arObjectType | Object type | Custom | Dataloader | String | 1023 | Whether the object is selected or an ancestor or child |
arCPSOnly | Commit permission set only | Custom | Version Control | Boolean |
| Commit Access Settings for selected metadata (Permission Set ONLY) |
arIInstalledComp | Ignore Installed Components | Custom | Version Control | Boolean |
|
|
arDXPDir | DX package directory | Custom | Version Control | String | 30 |
|
arPostCommitOptions | Post-Commit Options | Custom | Version Control | String | 30 |
|
arDryRun | Merge Dry Run | Custom | Version Control | Boolean |
| Prints true if dry run selected else, prints false |
arMergeType | Merge Type | Custom | Version Control | String | 20 |
|
arDeleteSourceBranch | Delete Source Branch | Custom | Version Control | Boolean |
|
|
arIsBulkAPISerialMode | Bulk API Serial Mode Enabled | Custom | Dataloader | Boolean | 6 | Bulk API supports two modes Serial and Parallel. The value specifies if Serial mode is chosen or not. |
arSIsSandbox | Is sandbox | Custom | ALL | Boolean | 6 | Source SF org is Sandbox or not |
arSSFOrgType | Source SF org type | Custom | ALL | String | 30 | Source SF org type, which is configured in AutoRABIT |
arDSFOrgType | Destination SF org type | Custom | ALL | String | 30 | Destination SF org type, which is configured in AutoRABIT |
arSSFOrgURL | Source SF URL | Custom | ALL | String | 30 | Source Salesforce org login URL |
arDSFOrgURL | Destination SF URL | Custom | ALL | String | 30 | Destination Salesforce org login URL |
CreateUser | Create User | Custom | Admin | String | 30 | Recently registered user details |
UpdateUser | Update User | Custom | Admin | String | 30 | Recently modified/updated user details |
DeleteUser | Delete User | Custom | Admin | String | 30 | The deleted userβs details |
Last updated