Common Event Format (CEF) Data
Common Event Format (CEF) is a standardized logging format developed by ArcSight (now part of Micro Focus), a security information and event management (SIEM) solution provider. CEF is designed to simplify the process of logging security-related events, making it easier to integrate logs from different sources into a single system.
CEF is a text-based log format that uses Syslog as transport, which is standard for message logging, and is supported by most network devices and operating systems. The full format includes a Syslog header or "prefix," a CEF "header," and a CEF "extension." The extension contains a list of key-value pairs. Standard key names are provided, and user-defined extensions can be used for additional key names.
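As an added illustration (not part of the original page or the vendor's code), the sketch below splits a CEF line into the Syslog prefix, CEF header and extension described above, then checks extension values against a few length limits taken from this page's key table. The sample event, the vendor and product names, and the helper names `parse_cef` and `check_extension` are constructed for the example.

```python
import ipaddress
import re
# Length limits for a few keys, copied from the key table on this page.
MAX_LEN = {"act": 63, "dvc": 16, "dvchost": 100, "suser": 1023, "msg": 1023,
           "arBranchName": 32, "arRepoName": 32, "arCIBStatus": 50}
HEADER = ("version", "vendor", "product", "dev_version", "class_id", "name", "severity")
ESCAPES = {"n": "\n", "r": "\r"}  # any other escaped character stands for itself
# Constructed sample event: vendor, product and every value are made up.
SAMPLE = ("<134>Jan 18 11:07:53 host.domain.com CEF:0|ExampleVendor|Example\\|Product"
          "|1.0|100|Commit completed|3|act=commit dvc=192.168.10.1 "
          "arBranchName=feature/login msg=step 1\\=ok\\nstep 2 done")

def parse_cef(line):
    """Return (syslog_prefix, header dict, extension dict) for one CEF line."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    prefix, body = line[:start].rstrip(), line[start + 4:]
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        if body[i] == "\\" and body[i + 1:i + 2] in ("\\", "|"):
            cur.append(body[i + 1])      # escaped pipe or backslash
            i += 2
        elif body[i] == "|":
            fields.append("".join(cur))  # unescaped pipe ends the field
            cur, i = [], i + 1
        else:
            cur.append(body[i])
            i += 1
    if len(fields) != len(HEADER):       # severity must be closed by a pipe
        raise ValueError("CEF header needs 7 pipe-terminated fields")
    ext_text, ext = body[i:], {}
    # A key is a word at the start or after whitespace, followed by '='.
    marks = list(re.finditer(r"(?:^|(?<=\s))(\w+)=", ext_text))
    for m, nxt in zip(marks, marks[1:] + [None]):
        raw = ext_text[m.end():nxt.start() if nxt else None].rstrip()
        ext[m.group(1)] = re.sub(r"\\(.)", lambda e: ESCAPES.get(e[1], e[1]), raw)
    return prefix, dict(zip(HEADER, fields)), ext

def check_extension(ext):
    """List values that break the limits or types given in the key table."""
    problems = [f"{k}: {len(v)} chars exceeds {MAX_LEN[k]}"
                for k, v in ext.items() if len(v) > MAX_LEN.get(k, len(v))]
    if "dvc" in ext:
        try:
            ipaddress.IPv4Address(ext["dvc"])
        except ValueError:
            problems.append(f"dvc: {ext['dvc']!r} is not an IPv4 address")
    return problems
```

Keys missing from `MAX_LEN` pass the length check untouched, which matches the page's statement that user-defined extension keys are allowed.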
The following table lists each CEF key name alongside its full name. Events must use the key name.
Key Name | Full Name | Key Type | Module | Data Type | Length | Description |
---|---|---|---|---|---|---|
act | deviceAction | Standard | All | String | 63 | Action mentioned in the event. |
dvc | deviceAddress | Standard | All | IPv4 Address | 16 | Identifies the device that an event refers to in an IP network. The format is an IPv4 address. Example: "192.168.10.1" |
dvchost | deviceHostName | Standard | All | String | 100 | The format should be a fully qualified domain name associated with the device node when a node is available. Examples: "host.domain.com" |
duid | destination UserId | Standard | Deployments | String | 1023 | Identifies the destination user by ID. Salesforce org user ID |
duser | destination UserName | Standard | Deployments | String | 1023 | Identifies the destination user by name. This is the user associated with the event's destination. E-mail addresses are also mapped into the UserName fields. The recipient is a candidate to put into destinationUserName. In ARM, this should be used for the destination Salesforce Org username. |
end | endTime | Standard | All | Time Stamp | | The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). An example would be reporting the end of a session. Process end time (e.g., Build end time) |
fname | fileName | Standard | All (Static Code Analysis) | String | 1023 | Name of the file. |
fsize | fileSize | Standard | Deployments | Integer | | Size of the file. Metadata package ZIP size. |
msg | message | Standard | All | String | 1023 | An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new-line separator. |
request | requestURL | Standard | CI Jobs | String | 1023 | In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well, e.g., "http://www.security.com". CIJobs -> post deployments external URL. |
requestMethod | requestMethod | Standard | CI Jobs | String | 1023 | The method used to access a URL. Possible values: "POST", "GET" |
suid | sourceUserId | Standard | Deployments | String | 1023 | Identifies the source user by ID. This is the user associated with the source of the event. Source Salesforce org user ID |
suser | sourceUserName | Standard | Deployments | String | 1023 | Identifies the source user by name. E-mail addresses are also mapped into the UserName fields. The sender is a candidate to put into sourceUserName. Destination Salesforce org user ID |
start | startTime | Standard | All | Time Stamp | | The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). |
arAuthType | authenticationType | Custom | Admin | String | 50 | Authentication type for Salesforce Org registration |
arBType | boardType | Custom | Version Control | String | 50 | Board type as mentioned in Version Control commit history page |
arBrowserType | browserType | Custom | Admin | String | 50 | User login browser name |
arActor | Actor | Custom | All | String | 50 | |
arApprovedBy | Approved By | Custom | Version Control | String | 50 | Email of the user who approved the Pre-validation process (Merge / EZ-Commit Pre-validation) |
arAssociatedPartner | Associated Partner | Custom | nCino | String | 30 | By default, the Associated Partner is nCino while creating a feature |
deviceProcessName | Device process Name | Standard | All | String | 1023 | Process name associated with the event |
arDeploymentSource | Deployment Source | Custom | Deployment, nCino | String | 60 | |
arLAuthMethod | Auth Method | Custom | Login | String | 40 | The authentication method used during user login |
arBranchName | Branch Name | Custom | All | String | 32 | Name that is given in AR while registering/creating the branch. |
arCIJobName | CI Job Name | Custom | Deployment | String | 1023 | Name given in ARM while creating the Job. |
arReleaseLabel | Release Label Name | Custom | Deployment | String | 1023 | Name given in ARM while creating the release label |
arCommitLabel | Commit Label Name | Custom | Deployment | String | 1023 | Name that is given in AR while creating the commit label |
arCIBuildNumber | CI Job Build number | Custom | Deployment | String | 1023 | Build number in AR |
arRepoName | Repository Name | Custom | All | String | 32 | Name that is given in AR while registering the Repository |
arCommitFP | Commit Full Profiles | Custom | Version Control | Boolean | 6 | Commit full profiles selection in Version Control |
arCType | Commit Type | Custom | Version Control | String | 30 | |
arCommittedBy | Committed By | Custom | All | String | 40 | Email of the user who initiated the commit process |
arCmpFailureCount | Failed components count | Custom | Deployment | Integer | 1000 | Failed components count in the deployment process |
arComDeployedCount | Deployed components count | Custom | Deployment | Integer | 1000 | Successful components deployed count |
arComSuccessCount | Success components count | Custom | Deployment | Integer | 1000 | Success components count |
arCreateDataset | Create a dataset during the deployment process | Custom | nCino | Boolean | 6 | Create dataset criteria selection during the deployment process |
arCredentialType | Credential type | Custom | All | String | 10 | Credential type refers to SSH / UWP / CA |
arAccessKey | Access key name | Custom | All | String | 32 | Credential / Access key name used during Commit / Merge processes |
arDMLType | DML Type | Custom | Dataloader, nCino | String | 15 | Data Manipulation type used for data migration, e.g., insert/upsert |
arDFrom | Deployment from | Custom | Deployment, nCino | String | 50 | Deployment from selection |
arDeviceProcessStatus | Process status | Custom | All | String | 50 | e.g., Deployment Status |
arRepoURL | Repository URL | Custom | All | String | 300 | URL of the repository |
arDAppliedMappings | Destination Applied Mappings | Custom | Dataloader, nCino | String | 90 | Applied mappings field selected for the destination. |
arDSFOrgName | Destination Salesforce org name | Custom | All | String | 32 | |
arEObjectFilter | Entry Object Filter | Custom | nCino | String | 1000 | |
arEObjects | Excluded objects | Custom | nCino | String | 1000 | |
arExternalId | External ID | Custom | nCino, Dataloader | String | 100 | |
arFVersion | Feature Version | Custom | nCino | String | 52 | |
arFName | Feature Name | Custom | nCino | String | 52 | |
arGGrantProfiles | Global grant profiles | Custom | All | Boolean | 6 | Global settings of permissions |
arPermissionsAccess | Grant / Revoke access | Custom | All | String | 10 | Grant / Revoke |
arIMVisibleSettings | Ignore missing visibility settings | Custom | All | Boolean | 6 | |
arIAttachments | Include Attachments | Custom | nCino, Dataloader | Boolean | 6 | |
arInsertNulls | Insert Nulls | Custom | nCino, Dataloader | Boolean | 6 | |
arIBackup | Is Backup | Custom | All | Boolean | 6 | |
arICommit | Is Commit | Custom | nCino | Boolean | 6 | |
arIDeploy | Is Deploy | Custom | nCino | Boolean | 6 | |
arIRollback | Is Rollback | Custom | All | Boolean | 6 | |
arISandbox | Is sandbox | Custom | All | Boolean | 6 | Destination SF org is Sandbox or not |
arIUTF8 | Is UTF8 enabled | Custom | nCino, Dataloader | Boolean | 6 | |
arLName | Login Name | Custom | Admin | String | 30 | |
arLType | Login Type | Custom | Admin | String | 30 | |
arMName | Module Name | Custom | All | String | 50 | |
arIObjects | Included Objects | Custom | nCino, Dataloader | String | 1023 | |
arPCheckDup | Pre-check duplicates | Custom | nCino, Dataloader | Boolean | 6 | |
arRFailureCount | Records Failure count | Custom | nCino, Dataloader | Integer | 10000 | |
arRExtracted | The number of records extracted | Custom | nCino, Dataloader | Integer | 10000 | |
arRSuccessCount | Success records count | Custom | nCino, Dataloader | Integer | 10000 | |
arRIPRanges | Remove IP Ranges | Custom | All | Boolean | 6 | |
arRUPerms | Remove User Permissions | Custom | All | Boolean | 6 | |
arRArtifact | Review artifact | Custom | Version Control | Boolean | 6 | |
arRevNumber | Revision number | Custom | All | String | 10 | |
arSOQLQuery | SOQL Query | Custom | nCino, Dataloader | String | 1023 | |
arSSRules | Search & Substitute rules | Custom | All | String | 1023 | |
arFDSType | Feature Deployment Source type | Custom | nCino | String | 50 | |
arStdFVersion | Standard Feature version | Custom | nCino | String | 52 | |
arStdFName | Standard Feature Name | Custom | nCino | String | 52 | |
arSubMName | Sub module name | Custom | All | String | 50 | |
arUCheckFields | Unique check fields | Custom | nCino, Dataloader | String | 1023 | |
arVRImpact | Validation rules impacted | Custom | nCino, Dataloader | String | 1023 | |
arWRImpact | Workflow rules impacted | Custom | nCino, Dataloader | String | 1023 | |
arCStatus | Commit status | Custom | All | String | 50 | |
arBulkAPI | Bulk API enabled | Custom | nCino, Dataloader | Boolean | 6 | |
arReviewedBy | Reviewed By | Custom | Version Control | String | 1023 | |
arSFAPIVersion | Salesforce API Version | Custom | Deployment | String | 6 | |
arSSFOrgName | Source Salesforce Org Name | Custom | Deployment | String | 1023 | Source SF org name, which is registered in ARM |
arIterationNumber | Iteration Number | Custom | Deployment | String | 1023 | Iteration number of deployments |
arRevertIterationNumber | Revert Iteration Number | Custom | Deployment | String | 1023 | Revert Iteration number of deployments |
arTriggeredBy | Triggered By | Custom | CI | String | 50 | Email of the user who triggered the CI Job build |
arBuildLabel | Build Label Name | Custom | CI | String | 1023 | Name that is given in AR while triggering the CI Build |
arSRepoURL | Source Repository URL | Custom | All | String | 300 | URL of the repository selected as Source |
arSBranchName | Source branch name | Custom | All | String | 32 | |
arSRepoName | Source repository name | Custom | All | String | 32 | |
arFRevNumber | From Revision number | Custom | All | String | 10 | |
arTRevNumber | To Revision number | Custom | All | String | 10 | |
arPostActivity | Post Activity | Custom | CI | Boolean | | |
arFunctionalTests | Functional Tests | Custom | CI | Boolean | | |
arSCodeCoverage | Source Code Coverage | Custom | CI | Boolean | | |
arDCodeCoverage | Destination Code Coverage | Custom | CI | Boolean | | |
arQDeploy | Quick Deploy | Custom | CI | Boolean | | |
arObject | Object Name | Custom | nCino | String | 1000 | |
arTeam | Team Name | Custom | All | String | 40 | Account name / Org Name |
arCMsg | Commit message | Custom | All | String | 1023 | Commit message or commit comment |
arSAppliedMappings | Source Applied mappings | Custom | nCino, Dataloader | String | 50 | |
arCIBStatus | Build status | Custom | CI, nCino | String | 50 | Build status |
arCIDStatus | Deploy status | Custom | CI, nCino | String | 50 | Deployment status |
arDBranchName | Destination Branch name | Custom | Version Control | String | 32 | |
arGrantProfiles | Grant Profiles | Custom | Version Control | String | 30 | |
arRevokeProfiles | Revoke Profiles | Custom | Version Control | String | 30 | |
arRArtifact | Review Artifact | Custom | Version Control | Boolean | | |
arPullRequest | Pull Request | Custom | Version Control | Boolean | | Prints true if pull request is enabled; otherwise prints false |
arApproved | Approval status | Custom | Version Control | Boolean | | Prints true if the commit request/merge request is approved; otherwise prints false |
arScaStatus | Static Code Analysis status | Custom | Version Control | String | 20 | |
arVDeployStatus | Validate Deploy status | Custom | Version Control | String | 20 | |
arDiffReportStatus | Diff Report status | Custom | Version Control | String | 20 | |
arCategory | Dataloader category | Custom | Dataloader | String | 1023 | |
arBatchSize | Batch size | Custom | Dataloader, nCino | String | 1023 | Batch size to process records |
arLimitCount | Limit Count | Custom | Dataloader | String | 1023 | Number of records to be extracted |
arIncDelRecords | Include deleted records | Custom | Dataloader | String | 1023 | Whether to include deleted records during the extract |
arObjectFields | Object unique fieldset | Custom | Dataloader | String | 1023 | |
arIsSaveRun | Save and Run | Custom | Dataloader | String | 1023 | |
arSrcUserSuffix | Source user suffix | Custom | Dataloader | String | 1023 | |
arDestUserSuffix | Destination user suffix | Custom | Dataloader | String | 1023 | |
arParents | Related parent objects | Custom | Dataloader | String | 1023 | |
arChilds | Related child objects | Custom | Dataloader | String | 1023 | |
arScheduleTime | Scheduled time | Custom | Dataloader | String | 1023 | |
arScheduleTimeInterval | Scheduled time interval | Custom | Dataloader | String | 1023 | |
arScheduleDays | Scheduled days | Custom | Dataloader | String | 1023 | |
arScheduleType | Type of schedule | Custom | Dataloader | String | 1023 | |
arIgnoreCommunityUsers | Ignore Community Users | Custom | Dataloader | String | 1023 | |
arIsAccountIncluded | Is Account included | Custom | Dataloader | String | 1023 | |
arIsMaskingEnabled | Is masking enabled | Custom | Dataloader | String | 1023 | |
arScheduleFromDate | Schedule from Date | Custom | Dataloader | String | 1023 | |
arScheduleToDate | Schedule to date | Custom | Dataloader | String | 1023 | |
arScheduleRuns | Schedule runs | Custom | Dataloader | String | 1023 | No. of scheduled executions performed |
arProcessId | Process Build | Custom | Dataloader | String | 1023 | |
arAutoFilter | Auto Filter | Custom | Dataloader | String | 1023 | Consider only the filter applied on the master object for a complete hierarchy |
arMinMulRef | Minimize multiple references | Custom | Dataloader | String | 1023 | |
arIsIncremental | Incremental data migration | Custom | Dataloader | String | 1023 | |
arStartDate | Start date | Custom | Dataloader | String | 1023 | The base date for incremental data migration |
arMaskingField | Masking field | Custom | Dataloader | String | 1023 | |
arMaskingName | Masking name | Custom | Dataloader | String | 1023 | |
arMaskingType | Masking type | Custom | Dataloader | String | 1023 | |
arMaskingStyle | Masking style | Custom | Dataloader | String | 1023 | |
arVRName | Validation rule name | Custom | Dataloader, nCino | String | 1023 | |
arWFName | Workflow rule name | Custom | Dataloader, nCino | String | 1023 | |
arVRId | Validation rule Id | Custom | Dataloader, nCino | String | 1023 | |
arWFId | Workflow rule id | Custom | Dataloader, nCino | String | 1023 | |
arObjectType | Object type | Custom | Dataloader | String | 1023 | Whether the object is selected or an ancestor or child |
arCPSOnly | Commit permission set only | Custom | Version Control | Boolean | | Commit Access Settings for selected metadata (Permission Set ONLY) |
arIInstalledComp | Ignore Installed Components | Custom | Version Control | Boolean | | |
arDXPDir | DX package directory | Custom | Version Control | String | 30 | |
arPostCommitOptions | Post-Commit Options | Custom | Version Control | String | 30 | |
arDryRun | Merge Dry Run | Custom | Version Control | Boolean | | Prints true if dry run is selected; otherwise prints false |
arMergeType | Merge Type | Custom | Version Control | String | 20 | |
arDeleteSourceBranch | Delete Source Branch | Custom | Version Control | Boolean | | |
arIsBulkAPISerialMode | Bulk API Serial Mode Enabled | Custom | Dataloader | Boolean | 6 | Bulk API supports two modes, Serial and Parallel. The value specifies if Serial mode is chosen or not. |
arSIsSandbox | Is sandbox | Custom | All | Boolean | 6 | Source SF org is Sandbox or not |
arSSFOrgType | Source SF org type | Custom | All | String | 30 | Source SF org type, which is configured in AutoRABIT |
arDSFOrgType | Destination SF org type | Custom | All | String | 30 | Destination SF org type, which is configured in AutoRABIT |
arSSFOrgURL | Source SF URL | Custom | All | String | 30 | Source Salesforce org login URL |
arDSFOrgURL | Destination SF URL | Custom | All | String | 30 | Destination Salesforce org login URL |
CreateUser | Create User | Custom | Admin | String | 30 | Recently registered user details |
UpdateUser | Update User | Custom | Admin | String | 30 | Recently modified/updated user details |
DeleteUser | Delete User | Custom | Admin | String | 30 | The deleted user's details |