OT Security Standard CEF Keys

The following table explains the standard CEF keys used by OT Security. For a complete listing of CEF keys, see CommonEventFormatV26.

| CEF key | Full name | Data type | Length | Description |
|---|---|---|---|---|
| cat | deviceEventCategory | String | 1023 | The general category of the event. The categories are listed after this table. |
| duser | destinationUserName | String | 1023 | The name of the destination asset that received the activity. This can be any name by which OT Security identifies the asset, such as a user-defined name, the DNS name, or the IP address. |
| dvchost | deviceHostName | String | 100 | The device that sent the log entry. For OT Security logs, the value is Tenable OT Security. |
| dst | destinationAddress | IPv4 address | | The IP address of the destination asset that received the activity, in IPv4 dotted-decimal form. Example: "192.168.10.1" |
| dpt | destinationPort | Integer | | The port on the destination asset that received the activity. Valid port numbers are 0 to 65535. |
| externalId | externalId | String | 40 | The log ID that OT Security uses to refer to the event. |
| in | bytesIn | Integer | | The volume of data transferred from the source asset to the destination asset during the event, in bytes. |
| outcome | eventOutcome | String | 63 | The outcome of the event. Example: "success" or "failure". |
| proto | transportProtocol | String | 31 | The Layer-4 protocol used for the activity. The possible values are TCP or UDP. |
| rt | deviceReceiptTime | Time stamp | | The date and time at which OT Security registered the event. The format is MMM D YYYY HH:mm:ss. |
| smac | sourceMacAddress | MAC address | | The MAC address of the source* asset that initiated the activity, written as six colon-separated hexadecimal octets. Example: "00:0D:60:AF:1B:61" |
| dmac | destinationMacAddress | MAC address | | The MAC address of the destination asset that received the activity, written as six colon-separated hexadecimal octets. Example: "00:0D:60:AF:1B:61" |
| spt | sourcePort | Integer | | The port indicated in the event. In Open Port Events this is the discovered open port. Valid port numbers are 0 to 65535. |
| src | sourceAddress | IPv4 address | | The IP address of the source* asset that initiated the activity, in IPv4 dotted-decimal form. Example: "192.168.10.1" |
| suser | sourceUserName | String | 1023 | The name of the source* asset that initiated the activity. This can be any name by which OT Security identifies the asset, such as a user-defined name, the DNS name, or the IP address. |
| msg | message | String | 1023 | A message with additional details about the event. Used for anomaly detection events. Example: msg= :: ET SCAN NMAP -sS window 1024 |

Event categories reported in `cat`:

  • Configuration Events:

    • Controller Validation Events: policies that detect changes that take place in the controllers in the network.

    • Controller Activity Events: activity policies that relate to the activities that occur in the network. The activities can be the "commands" exchanged between assets in the network.

  • SCADA Events: policies that identify changes to the data plane of controllers.

  • Network Threats Events: policies that identify network traffic indicative of intrusion threats.

  • Network Events: policies that relate to the assets in the network and the communication streams between assets.

*For events that do not involve communication between a source and destination asset, all source parameters refer to the asset affected by the event.
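The following parser is an added example, not code from Tenable or from the CEF specification. It shows how a collector would consume an OT Security CEF record using the keys in the table above: it splits the seven pipe-delimited header fields (honouring the `\|` escape), splits the extension into key=value pairs whose values may contain spaces and the `\=` and `\\` escapes, maps each short key to its full name, and checks the data-type and length constraints the table states (port range 0-65535, IPv4 addresses, colon-separated MAC addresses, TCP/UDP for `proto`, maximum string lengths). The two sample records are constructed for the example; their header values (vendor, product, version, signature ID, name, severity) are assumptions, and `CefEvent`, `parse_cef` and `validate` are names chosen here.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Short key -> full name, from the OT Security key table (standard CEF spellings).
CEF_KEY_NAMES = {
    "cat": "deviceEventCategory", "duser": "destinationUserName",
    "dvchost": "deviceHostName", "dst": "destinationAddress",
    "dpt": "destinationPort", "externalId": "externalId", "in": "bytesIn",
    "outcome": "eventOutcome", "proto": "transportProtocol",
    "rt": "deviceReceiptTime", "smac": "sourceMacAddress",
    "dmac": "destinationMacAddress", "spt": "sourcePort",
    "src": "sourceAddress", "suser": "sourceUserName", "msg": "message",
}
HEADER_FIELDS = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
                 "signatureId", "name", "severity")
PORT_KEYS = {"dpt", "spt"}
INT_KEYS = PORT_KEYS | {"in"}
IPV4_KEYS = {"src", "dst"}
MAC_KEYS = {"smac", "dmac"}
MAX_LEN = {"cat": 1023, "duser": 1023, "dvchost": 100, "externalId": 40,
           "outcome": 63, "proto": 31, "suser": 1023, "msg": 1023}

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # start of a key=value pair
_ESC_RE = re.compile(r"\\(.)")                       # CEF backslash escapes

@dataclass
class CefEvent:
    header: dict
    extension: dict                               # short keys, values unescaped
    named: dict = field(default_factory=dict)     # same values under full names
    problems: list = field(default_factory=list)  # constraint violations found

def _split_header(line):
    """Split the 7 '|'-delimited header fields; '\\|' inside a field is a literal pipe."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != len(HEADER_FIELDS) or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header: expected 'CEF:n' and 7 '|'-delimited fields")
    fields[0] = fields[0][len("CEF:"):]
    return dict(zip(HEADER_FIELDS, fields)), line[i:]

def _unescape(raw):
    return _ESC_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)

def _parse_extension(ext):
    """key=value pairs separated by spaces; a value runs until the next unescaped key=."""
    out, marks = {}, list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(marks):
        end = marks[idx + 1].start() if idx + 1 < len(marks) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end])
    return out

def validate(ext):
    """Check values against the data types and lengths given in the key table."""
    problems = []
    for key, val in ext.items():
        if key in INT_KEYS and not re.fullmatch(r"[0-9]+", val):
            problems.append(f"{key}: expected integer, got {val!r}")
        elif key in PORT_KEYS and not 0 <= int(val) <= 65535:
            problems.append(f"{key}: port {val} outside 0-65535")
        elif key in IPV4_KEYS:
            try:
                ipaddress.IPv4Address(val)
            except ValueError:
                problems.append(f"{key}: not an IPv4 address: {val!r}")
        elif key in MAC_KEYS and not _MAC_RE.match(val):
            problems.append(f"{key}: not a colon-separated MAC address: {val!r}")
        elif key == "proto" and val not in ("TCP", "UDP"):
            problems.append(f"proto: expected TCP or UDP, got {val!r}")
        if key in MAX_LEN and len(val) > MAX_LEN[key]:
            problems.append(f"{key}: {len(val)} chars exceeds limit {MAX_LEN[key]}")
    return problems

def parse_cef(line):
    header, rest = _split_header(line.rstrip("\r\n"))
    ext = _parse_extension(rest)
    named = {CEF_KEY_NAMES.get(k, k): v for k, v in ext.items()}
    return CefEvent(header, ext, named, validate(ext))

# Constructed sample records (assumed header values; not real OT Security output).
SAMPLE_OK = ("CEF:0|Tenable|OT Security|1.0|1001|Controller Activity\\|Download|5|"
             "cat=Controller Activity Events dvchost=Tenable OT Security externalId=12345 "
             "rt=Mar 3 2024 14:22:05 suser=EngStation-01 src=192.168.10.1 smac=00:0D:60:AF:1B:61 "
             "duser=PLC-07 dst=192.168.10.50 dmac=00:0D:60:AF:1B:62 spt=49152 dpt=102 "
             "proto=TCP in=512 outcome=success msg=Program download to CPU\\=1 completed")
SAMPLE_BAD = ("CEF:0|Tenable|OT Security|1.0|2001|Open Port|3|"
              "cat=Network Events dvchost=Tenable OT Security src=192.168.10.300 "
              "smac=00-0D-60-AF-1B-61 spt=70000 proto=ICMP")

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        ev = parse_cef(sample)
        print(ev.header["name"], ev.named, ev.problems or "OK")
```

Splitting the extension on the next `key=` marker rather than on whitespace is what keeps multi-word values such as `dvchost=Tenable OT Security` and the `rt` time stamp intact; the validation step is where a collector would reject or quarantine records that do not match the declared types before they reach correlation rules.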