OT Security Custom CEF Keys

The following table explains the custom CEF keys that OT Security uses in the Extension section of log entries. For each custom key there is a corresponding Label key (for example cn1Label for cn1) whose value describes the purpose of that custom field as OT Security uses it; a SIEM or parser should read the Label key and present the custom field under that name. Two points to keep in mind when consuming these events: the label strings must be matched exactly, including case (note that cs3Label is "Bpname" while the others are lower case), and, as in any CEF extension, a literal "=" or "\" inside a value is escaped as "\=" or "\\", so values such as tag names must be unescaped after the key/value split rather than split naively on "=".

Key                     Full Name                   Data Type    Length
-------------------------------------------------------------------------
(CEF defines no length for the Long and TimeStamp fields, so that column is shown as "-" for them.)

cn1                     deviceCustomNumber1         Long         -
    A custom number field. OT Security uses this field for Snapshot Diff detected events, to show which revision number did not match the previous revision.
    Format: "cn1=%d"

cn1Label                deviceCustomNumber1Label    String       1023
    The label field that describes the purpose of the corresponding custom field. For OT Security, cn1Label="revision".

cn2                     deviceCustomNumber2         Long         -
    A custom number field. OT Security uses this field for Firmware Version Change detected events, to show which backplane slot the firmware change occurred on.
    Format: "cn2=%d"

cn2Label                deviceCustomNumber2Label    String       1023
    The label field that describes the purpose of the corresponding custom field. For OT Security, cn2Label="bpslot".

cn3                     deviceCustomNumber3         Long         -
    A custom number field. OT Security uses this field for Intrusion Detection events, to show the ID of the vulnerability that it detected, as listed in the CVE listing. Note that the value is an integer (the detection rule's SID, as the label "rule_sid" indicates), not the CVE identifier string itself.
    Format: "cn3=%d"

cn3Label                deviceCustomNumber3Label    String       1023
    The label field that describes the purpose of the corresponding custom field. For OT Security, cn3Label="rule_sid".

cs1                     deviceCustomString1         String       4000
    A custom string field. OT Security uses this field for Controller State Change detected and Controller Key State Change detected events, to show the former and current states of the controller.
    Format: "cs1=%s->%s" (old state->new state, for example "running->stopped")

cs1Label                deviceCustomString1Label    String       1023
    The label field that describes the purpose of the corresponding custom field. For OT Security, cs1Label="value_change".

cs2                     deviceCustomString2         String       4000
    A custom string field. OT Security uses this field for Tag Write Values detected events, to show the tag that was written to and the value that was written.
    Format: "cs2=%s:%s" (tag name:tag value)

cs2Label                deviceCustomString2Label    String       1023
    The label field that describes the purpose of the corresponding custom field. For OT Security, cs2Label="tag".

cs3                     deviceCustomString3         String       4000
    A custom string field. OT Security uses this field for New Module detected events, to show the name of the backplane to which the module was added.
    Format: "cs3=%s"

cs3Label                deviceCustomString3Label    String       1023
    The label field that describes the purpose of the corresponding custom field. For OT Security, cs3Label="Bpname".

cs4                     deviceCustomString4         String       4000
    A custom string field. OT Security uses this field for IP Conflict detected and ARP Scan detected events, to show the IP addresses involved.
    Format: "cs4=%s"

cs4Label                deviceCustomString4Label    String       1023
    The label field that describes the purpose of the corresponding custom field. For OT Security, cs4Label="addresses".

cs5                     deviceCustomString5         String       4000
    A custom string field. OT Security uses this field for SYN Scan detected events, to show the ports involved.
    Format: "cs5=%s"

cs5Label                deviceCustomString5Label    String       1023
    The label field that describes the purpose of the corresponding custom field. For OT Security, cs5Label="ports".

cs6                     deviceCustomString6         String       4000
    A custom string field. OT Security uses this field to show the name of the Policy that generated the event.
    Format: "cs6=%s"

cs6Label                deviceCustomString6Label    String       1023
    The label field that describes the purpose of the corresponding custom field. For OT Security, cs6Label="policy_name".

deviceCustomDate1       deviceCustomDate1           TimeStamp    -
    A custom TimeStamp field. OT Security uses this field for inactive asset events, to show the date and time at which the asset was last active.
    Format: "deviceCustomDate1=%s"

deviceCustomDate1Label  deviceCustomDate1Label      String       1023
    The label field that describes the purpose of the corresponding custom field. For OT Security, deviceCustomDate1Label="last".
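The following is an added example, not code from OT Security or this page, showing how a consumer would parse one of these CEF lines, unescape the extension values, and rename the cnN/csN/deviceCustomDateN fields using their Label companions. The sample events are constructed for the example; the header values (vendor, product, version, signature ID, severity) are assumptions, and only the extension keys and label strings follow the table above. Splitting the tag field on its last ":" (tag names such as "Program:Main.Speed" may themselves contain colons) is also an assumption of this example.

```python
"""Parse CEF lines and resolve OT Security's custom-key Label fields."""
import re
from typing import Dict, Tuple

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# Constructed sample events (not captured from a real OT Security appliance).
# Header values are assumptions; the extension keys and labels follow the
# table above. Event 3 contains an escaped "=" to exercise unescaping.
SAMPLE_EVENTS = [
    "CEF:0|Tenable|OT Security|3.0|1|Snapshot Diff detected|6|"
    "cn1=12 cn1Label=revision cs6=Snapshot Mismatch cs6Label=policy_name",
    "CEF:0|Tenable|OT Security|3.0|2|Controller State Change detected|8|"
    "cs1=running->stopped cs1Label=value_change cs6=Controller Stop cs6Label=policy_name",
    "CEF:0|Tenable|OT Security|3.0|3|Tag Write Values detected|5|"
    "cs2=Program:Main.Set\\=Point:75 cs2Label=tag cs6=Tag Write cs6Label=policy_name",
    "CEF:0|Tenable|OT Security|3.0|4|Inactive Asset|3|"
    "deviceCustomDate1=Mar 01 2024 10:15:00 deviceCustomDate1Label=last "
    "cs6=Inactive Asset cs6Label=policy_name",
]

# A key is a run of [A-Za-z0-9_] immediately followed by "=", at the start of
# the extension or after whitespace. "\=" inside a value never matches because
# the backslash is not a key character, so values may contain spaces and "=".
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
_ESC_RE = re.compile(r"\\(.)", re.S)
_ESC_MAP = {"n": "\n", "r": "\r"}


def _unescape(value: str) -> str:
    """Undo CEF escaping: \\\\, \\= (extension), \\| (header), \\n and \\r."""
    return _ESC_RE.sub(lambda m: _ESC_MAP.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k=v k2=v v v ...' into a dict, tolerating spaces in values."""
    matches = list(_KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def parse_cef(line: str) -> Dict[str, object]:
    """Split the 7 pipe-delimited header fields and parse the extension."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Pipes are escaped as "\|" in the header; split only on unescaped ones.
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    event: Dict[str, object] = {
        name: _unescape(v) for name, v in zip(HEADER_FIELDS, parts[:7])
    }
    event["extension"] = parse_extension(parts[7])
    return event


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Rename cnN/csN/deviceCustomDateN by their *Label companions."""
    resolved = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue  # consumed when its base key is visited
        label = ext.get(key + "Label")
        resolved[label if label else key] = value
    return resolved


def decode_event(line: str) -> Dict[str, object]:
    """Header fields plus a 'fields' dict keyed by the OT Security labels."""
    event = parse_cef(line)
    event["fields"] = resolve_labels(event.pop("extension"))  # type: ignore[arg-type]
    return event


def state_change(fields: Dict[str, str]) -> Tuple[str, str]:
    """cs1 is 'old->new'; return (old, new)."""
    old, new = fields["value_change"].split("->", 1)
    return old, new


def tag_write(fields: Dict[str, str]) -> Tuple[str, str]:
    """cs2 is 'tag name:tag value'; split on the last ':' (assumption: the
    value itself contains no colon, while tag names may)."""
    name, value = fields["tag"].rsplit(":", 1)
    return name, value


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = decode_event(line)
        print(ev["name"], ev["fields"])
```

Because resolve_labels keys the output by the label value, downstream detections can refer to fields as "revision", "value_change" or "rule_sid" rather than the bare cnN/csN slot, which keeps rules readable if a future release moves a value to a different custom slot.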