Common Event Format (CEF) Data

Common Event Format (CEF) is a standardized logging format developed by ArcSight (now part of Micro Focus), a security information and event management (SIEM) solution provider. CEF is designed to simplify the process of logging security-related events, making it easier to integrate logs from different sources into a single system.

CEF is a text-based log format that uses Syslog as its transport. Syslog is a standard for message logging and is supported by most network devices and operating systems. The full format includes a Syslog header or "prefix," a CEF "header," and a CEF "extension." The extension contains a list of key-value pairs. Standard key names are provided, and user-defined extensions can be used for additional key names.

CEF Standard and Custom Keys

The table below lists each CEF key name alongside its full name. It is the key name, not the full name, that is required in events.

| Key Name | Full Name | Key Type | Module | Data Type | Length | Description |
| --- | --- | --- | --- | --- | --- | --- |
| act | deviceAction | Standard | All | String | 63 | Action mentioned in the event. |
| dvc | deviceAddress | Standard | All | IPV4 Address | 16 | Identifies the device that an event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1” |
| dvchost | deviceHostName | Standard | All | String | 100 | The format should be a fully qualified domain name associated with the device node when a node is available. Examples: “host.domain.com” |
| duid | destinationUserId | Standard | Deployments | String | 1023 | Identifies the destination user by ID. Salesforce org user ID |
| duser | destinationUserName | Standard | Deployments | String | 1023 | Identifies the destination user by name. This is the user associated with the event's destination. E-mail addresses are also mapped into the UserName fields. The recipient is a candidate to put into destinationUserName. In ARM, this should be used for the destination Salesforce Org username. |
| end | endTime | Standard | All | Time Stamp | | The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). An example would be reporting the end of a session. Process end time (eg: Build end time) |
| fname | fileName | Standard | All (Static Code Analysis) | String | 1023 | Name of the file. |
| fsize | fileSize | Standard | Deployments | Integer | | Size of the file. Metadata package ZIP size. |
| msg | message | Standard | All | String | 1023 | An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new-line separator. |
| request | requestURL | Standard | CI Jobs | String | 1023 | In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well, e.g., “http://www.security.com”. CIJobs -> post deployments external URL. |
| requestMethod | requestMethod | Standard | CI Jobs | String | 1023 | The method used to access a URL. Possible values: “POST”, “GET” |
| suid | sourceUserId | Standard | Deployments | String | 1023 | Identifies the source user by ID. This is the user associated with the source of the event. Source Salesforce org user ID |
| suser | sourceUserName | Standard | Deployments | String | 1023 | Identifies the source user by name. E-mail addresses are also mapped into the UserName fields. The sender is a candidate to put into sourceUserName. Destination Salesforce org user ID |
| start | startTime | Standard | All | Time Stamp | | The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). |
| arAuthType | authenticationType | Custom | Admin | String | 50 | Authentication type for Salesforce Org registration |
| arBType | boardType | Custom | Version Control | String | 50 | Board type as mentioned in Version Control commit history page |
| arBrowserType | browserType | Custom | Admin | String | 50 | User login browser name |
| arActor | Actor | Custom | All | String | 50 | |
| arApprovedBy | Approved By | Custom | Version Control | String | 50 | User email who approved the Pre-validation process (Merge / EZ-Commit Pre-validation) |
| arAssociatedPartner | Associated Partner | Custom | nCino | String | 30 | By default, for Associated Partner is nCino while creating a feature |
| deviceProcessName | Device process Name | Standard | All | String | 1023 | Process name associated with the event |
| arDeploymentSource | Deployment Source | Custom | Deployment, nCino | String | 60 | |
| arLAuthMethod | Auth Method | Custom | Login | String | 40 | The authentication method used during user login |
| arBranchName | Branch Name | Custom | All | String | 32 | Name that is given in AR while registering/creating the branch. |
| arCIJobName | CI Job Name | Custom | Deployment | String | 1023 | Name given in ARM while creating the Job. |
| arReleaseLabel | Release Label Name | Custom | Deployment | String | 1023 | Name given in ARM while creating the release label |
| arCommitLabel | Commit Label Name | Custom | Deployment | String | 1023 | Name that is given in AR while creating the commit label |
| arCIBuildNumber | CI Job Build number | Custom | Deployment | String | 1023 | Build number in AR |
| arRepoName | Repository Name | Custom | All | String | 32 | Name that is given in AR while registering the Repository |
| arCommitFP | Commit Full Profiles | Custom | Version Control | Boolean | 6 | Commit full profiles selection in Version Control |
| arCType | Commit Type | Custom | Version Control | String | 30 | |
| arCommittedBy | Committed By | Custom | All | String | 40 | User mail who initiated the commit process |
| arCmpFailureCount | Failed components count | Custom | Deployment | Integer | 1000 | Failed components count in the deployment process |
| arComDeployedCount | Deployed components count | Custom | Deployment | Integer | 1000 | Successful components deployed count |
| arComSuccessCount | Success components count | Custom | Deployment | Integer | 1000 | Success components count |
| arCreateDataset | Create a dataset during the deployment process | Custom | nCino | Boolean | 6 | Create dataset criteria selection during the deployment process |
| arCredentialType | Credential type | Custom | All | String | 10 | Credential type refers to SSH / UWP / CA |
| arAccessKey | Access key name | Custom | All | String | 32 | Credential / Access key name used during Commit / Merge processes |
| arDMLType | DML Type | Custom | Dataloader, nCino | String | 15 | Data Manipulation type used for data migration. eg: insert/upsert |
| arDFrom | Deployment from | Custom | Deployment, nCino | String | 50 | Deployment from selection |
| arDeviceProcessStatus | Process status | Custom | All | String | 50 | eg: Deployment Status |
| arRepoURL | Repository URL | Custom | All | String | 300 | URL of the repository |
| arDAppliedMappings | Destination Applied Mappings | Custom | Dataloader, nCino | String | 90 | Applied mappings field selected for the destination. |
| arDSFOrgName | Destination Salesforce org name | Custom | All | String | 32 | |
| arEObjectFilter | Entry Object Filter | Custom | nCino | String | 1000 | |
| arEObjects | Excluded objects | Custom | nCino | String | 1000 | |
| arExternalId | External ID | Custom | nCino, Dataloader | String | 100 | |
| arFVersion | Feature Version | Custom | nCino | String | 52 | |
| arFName | Feature Name | Custom | nCino | String | 52 | |
| arGGrantProfiles | Global grant profiles | Custom | All | Boolean | 6 | Global settings of permissions |
| arPermissionsAccess | Grant / Revoke access | Custom | All | String | 10 | Grant / Revoke |
| arIMVisibleSettings | Ignore missing visibility settings | Custom | All | Boolean | 6 | |
| arIAttachments | Include Attachments | Custom | nCino, Dataloader | Boolean | 6 | |
| arInsertNulls | Insert Nulls | Custom | nCino, Dataloader | Boolean | 6 | |
| arIBackup | Is Backup | Custom | All | Boolean | 6 | |
| arICommit | Is Commit | Custom | nCino | Boolean | 6 | |
| arIDeploy | Is Deploy | Custom | nCino | Boolean | 6 | |
| arIRollback | Is Rollback | Custom | All | Boolean | 6 | |
| arISandbox | Is sandbox | Custom | All | Boolean | 6 | Destination SF org is Sandbox or not |
| arIUTF8 | Is UTF8 enabled | Custom | nCino, Dataloader | Boolean | 6 | |
| arLName | Login Name | Custom | Admin | String | 30 | |
| arLType | Login Type | Custom | Admin | String | 30 | |
| arMName | Module Name | Custom | All | String | 50 | |
| arIObjects | Included Objects | Custom | nCino, Dataloader | String | 1023 | |
| arPCheckDup | Pre-check duplicates | Custom | nCino, Dataloader | Boolean | 6 | |
| arRFailureCount | Records Failure count | Custom | nCino, Dataloader | Integer | 10000 | |
| arRExtracted | The number of records extracted | Custom | nCino, Dataloader | Integer | 10000 | |
| arRSuccessCount | Success records count | Custom | nCino, Dataloader | Integer | 10000 | |
| arRIPRanges | Remove IP Ranges | Custom | All | Boolean | 6 | |
| arRUPerms | Remove User Permissions | Custom | All | Boolean | 6 | |
| arRArtifact | Review artifact | Custom | Version Control | Boolean | 6 | |
| arRevNumber | Revision number | Custom | All | String | 10 | |
| arSOQLQuery | SOQL Query | Custom | nCino, Dataloader | String | 1023 | |
| arSSRules | Search & Substitute rules | Custom | All | String | 1023 | |
| arFDSType | Feature Deployment Source type | Custom | nCino | String | 50 | |
| arStdFVersion | Standard Feature version | Custom | nCino | String | 52 | |
| arStdFName | Standard Feature Name | Custom | nCino | String | 52 | |
| arSubMName | Sub module name | Custom | All | String | 50 | |
| arUCheckFields | Unique check fields | Custom | nCino, Dataloader | String | 1023 | |
| arVRImpact | Validation rules impacted | Custom | nCino, Dataloader | String | 1023 | |
| arWRImpact | Workflow rules impacted | Custom | nCino, Dataloader | String | 1023 | |
| arCStatus | Commit status | Custom | All | String | 50 | |
| arBulkAPI | Bulk API enabled | Custom | nCino, Dataloader | Boolean | 6 | |
| arReviewedBy | Reviewed By | Custom | Version Control | String | 1023 | |
| arSFAPIVersion | Salesforce API Version | Custom | Deployment | String | 6 | |
| arSSFOrgName | Source Salesforce Org Name | Custom | Deployment | String | 1023 | Source SF org name, which is registered in ARM |
| arIterationNumber | Iteration Number | Custom | Deployment | String | 1023 | Iteration number of deployments |
| arRevertIterationNumber | Revert Iteration Number | Custom | Deployment | String | 1023 | Revert Iteration number of deployments |
| arTriggeredBy | Triggered By | Custom | CI | String | 50 | User email triggered by CI Job build |
| arBuildLabel | Build Label Name | Custom | CI | String | 1023 | Name that is given in AR while triggering the CI Build |
| arSRepoURL | Source Repository URL | Custom | All | String | 300 | URL of the repository viz. selected as Source |
| arSBranchName | Source branch name | Custom | All | String | 32 | |
| arSRepoName | Source repository name | Custom | All | String | 32 | |
| arFRevNumber | From Revision number | Custom | All | String | 10 | |
| arTRevNumber | To Revision number | Custom | All | String | 10 | |
| arPostActivity | Post Activity | Custom | CI | Boolean | | |
| arFunctionalTests | Functional Tests | Custom | CI | Boolean | | |
| arSCodeCoverage | Source Code Coverage | Custom | CI | Boolean | | |
| arDCodeCoverage | Destination Code Coverage | Custom | CI | Boolean | | |
| arQDeploy | Quick Deploy | Custom | CI | Boolean | | |
| arObject | Object Name | Custom | nCino | String | 1000 | |
| arTeam | Team Name | Custom | All | String | 40 | Account name / Org Name |
| arCMsg | Commit message | Custom | All | String | 1023 | Commit message or commit comment |
| arSAppliedMappings | Source Applied mappings | Custom | nCino, Dataloader | String | 50 | |
| arCIBStatus | Build status | Custom | CI, nCino | String | 50 | Build status |
| arCIDStatus | Deploy status | Custom | CI, nCino | String | 50 | Deployment status |
| arDBranchName | Destination Branch name | Custom | Version Control | String | 32 | |
| arGrantProfiles | Grant Profiles | Custom | Version Control | String | 30 | |
| arRevokeProfiles | Revoke Profiles | Custom | Version Control | String | 30 | |
| arRArtifact | Review Artifact | Custom | Version Control | Boolean | | |
| arPullRequest | Pull Request | Custom | Version Control | Boolean | | Prints true if pull request enabled else, prints false |
| arApproved | Approval status | Custom | Version Control | Boolean | | Prints true if commit request/merge request approved else, prints false |
| arScaStatus | Static Code Analysis status | Custom | Version Control | String | 20 | |
| arVDeployStatus | Validate Deploy status | Custom | Version Control | String | 20 | |
| arDiffReportStatus | Diff Report status | Custom | Version Control | String | 20 | |
| arCategory | Dataloader category | Custom | Dataloader | String | 1023 | |
| arBatchSize | Batch size | Custom | Dataloader, nCino | String | 1023 | Batch size to process records |
| arLimitCount | Limit Count | Custom | Dataloader | String | 1023 | Number of records to be extracted |
| arIncDelRecords | Include deleted records | Custom | Dataloader | String | 1023 | Whether to include deleted records during the extract |
| arObjectFields | Object unique fieldset | Custom | Dataloader | String | 1023 | |
| arIsSaveRun | Save and Run | Custom | Dataloader | String | 1023 | |
| arSrcUserSuffix | Source user suffix | Custom | Dataloader | String | 1023 | |
| arDestUserSuffix | Destination user suffix | Custom | Dataloader | String | 1023 | |
| arParents | Related parent objects | Custom | Dataloader | String | 1023 | |
| arChilds | Related child objects | Custom | Dataloader | String | 1023 | |
| arScheduleTime | Scheduled time | Custom | Dataloader | String | 1023 | |
| arScheduleTimeInterval | Scheduled time interval | Custom | Dataloader | String | 1023 | |
| arScheduleDays | Scheduled days | Custom | Dataloader | String | 1023 | |
| arScheduleType | Type of schedule | Custom | Dataloader | String | 1023 | |
| arIgnoreCommunityUsers | Ignore Community Users | Custom | Dataloader | String | 1023 | |
| arIsAccountIncluded | Is Account included | Custom | Dataloader | String | 1023 | |
| arIsMaskingEnabled | Is masking enabled | Custom | Dataloader | String | 1023 | |
| arScheduleFromDate | Schedule from Date | Custom | Dataloader | String | 1023 | |
| arScheduleToDate | Schedule to date | Custom | Dataloader | String | 1023 | |
| arScheduleRuns | Schedule runs | Custom | Dataloader | String | 1023 | No. of scheduled executions performed |
| arProcessId | Process Build | Custom | Dataloader | String | 1023 | |
| arAutoFilter | Auto Filter | Custom | Dataloader | String | 1023 | Consider only the filter applied on the master object for a complete hierarchy |
| arMinMulRef | Minimize multiple references | Custom | Dataloader | String | 1023 | |
| arIsIncremental | Incremental data migration | Custom | Dataloader | String | 1023 | |
| arStartDate | Start date | Custom | Dataloader | String | 1023 | The base date for incremental data migration |
| arMaskingField | Masking field | Custom | Dataloader | String | 1023 | |
| arMaskingName | Masking name | Custom | Dataloader | String | 1023 | |
| arMaskingType | Masking type | Custom | Dataloader | String | 1023 | |
| arMaskingStyle | Masking style | Custom | Dataloader | String | 1023 | |
| arVRName | Validation rule name | Custom | Dataloader, nCino | String | 1023 | |
| arWFName | Workflow rule name | Custom | Dataloader, nCino | String | 1023 | |
| arVRId | Validation rule Id | Custom | Dataloader, nCino | String | 1023 | |
| arWFId | Workflow rule id | Custom | Dataloader, nCino | String | 1023 | |
| arObjectType | Object type | Custom | Dataloader | String | 1023 | Whether the object is selected or an ancestor or child |
| arCPSOnly | Commit permission set only | Custom | Version Control | Boolean | | Commit Access Settings for selected metadata (Permission Set ONLY) |
| arIInstalledComp | Ignore Installed Components | Custom | Version Control | Boolean | | |
| arDXPDir | DX package directory | Custom | Version Control | String | 30 | |
| arPostCommitOptions | Post-Commit Options | Custom | Version Control | String | 30 | |
| arDryRun | Merge Dry Run | Custom | Version Control | Boolean | | Prints true if dry run selected else, prints false |
| arMergeType | Merge Type | Custom | Version Control | String | 20 | |
| arDeleteSourceBranch | Delete Source Branch | Custom | Version Control | Boolean | | |
| arIsBulkAPISerialMode | Bulk API Serial Mode Enabled | Custom | Dataloader | Boolean | 6 | Bulk API supports two modes Serial and Parallel. The value specifies if Serial mode is chosen or not. |
| arSIsSandbox | Is sandbox | Custom | ALL | Boolean | 6 | Source SF org is Sandbox or not |
| arSSFOrgType | Source SF org type | Custom | ALL | String | 30 | Source SF org type, which is configured in AutoRABIT |
| arDSFOrgType | Destination SF org type | Custom | ALL | String | 30 | Destination SF org type, which is configured in AutoRABIT |
| arSSFOrgURL | Source SF URL | Custom | ALL | String | 30 | Source Salesforce org login URL |
| arDSFOrgURL | Destination SF URL | Custom | ALL | String | 30 | Destination Salesforce org login URL |
| CreateUser | Create User | Custom | Admin | String | 30 | Recently registered user details |
| UpdateUser | Update User | Custom | Admin | String | 30 | Recently modified/updated user details |
| DeleteUser | Delete User | Custom | Admin | String | 30 | The deleted user’s details |
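
The layout described in the introduction (Syslog prefix, CEF header, key-value extension), as an added example that is not part of the original page or the vendor's code: a small parser that also checks a few values against the lengths given in the key table. The header field order and the backslash escaping rules come from the CEF specification rather than this page, and the vendor, product and event values in `SAMPLE` are constructed.

```python
import re

# Length limits copied from a few rows of the key table (key name -> max length).
MAX_LEN = {"act": 63, "dvchost": 100, "msg": 1023, "suser": 1023,
           "arBranchName": 32, "arCommittedBy": 40, "arCMsg": 1023}
# Header field order per the CEF specification (not listed on this page).
HEADER = ("version", "vendor", "product", "device_version",
          "event_class_id", "name", "severity")
# key=value pairs; a value runs until the next " key=" or the end of the line.
PAIR = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)")

def _split_header(body):
    """Split on unescaped '|'; return (7 header fields, raw extension)."""
    fields, cur, i = [], "", 0
    while i < len(body) and len(fields) < len(HEADER):
        if body[i] == "\\" and i + 1 < len(body):  # \| or \\ inside a field
            cur, i = cur + body[i + 1], i + 1
        elif body[i] == "|":
            fields, cur = fields + [cur], ""
        else:
            cur += body[i]
        i += 1
    if len(fields) == len(HEADER) - 1:             # header with no extension
        fields.append(cur)
    if len(fields) != len(HEADER):
        raise ValueError("malformed CEF header")
    return fields, body[i:]

def _unescape(value):
    r"""Undo extension escaping (\n, \r, \= and \\)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)

def parse_cef(line):
    """Return (syslog_prefix, header_dict, extension_dict) for one CEF line."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    fields, ext = _split_header(line[start + 4:])
    pairs = {k: _unescape(v) for k, v in PAIR.findall(ext)}
    return line[:start].strip(), dict(zip(HEADER, fields)), pairs

def oversize_keys(ext):
    """Keys whose value is longer than the table allows."""
    return sorted(k for k, v in ext.items() if len(v) > MAX_LEN.get(k, len(v)))

# Constructed sample event (not real product output).
SAMPLE = ("Jan 18 11:07:53 host.domain.com CEF:0|ExampleVendor|ExampleProduct|1.0|"
          "100|Commit|3|act=Commit arCommittedBy=dev@example.com arBranchName="
          + "b" * 40 + r" arCMsg=set retries\=3\nsecond line")
```

The escaped `\=` in the commit message stays part of the `arCMsg` value instead of starting a new key, which is why an emitter must escape user-supplied text before writing it into the extension.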
