17.1.9. Endpoint applications log format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| | Device Vendor | Product vendor. | UserGate |
| | Device Product | Product type. | NGFW |
| | Device Version | Product version. | 7 |
| | Source | Log type. | endpoint_applications |
| | Name | Source type. | log |
| | Threat Level | Threat level (default value). | 0 |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1652344423822 |
| | deviceExternalId | Unique name of the device that generated the event. | 35fb5820-74db-4eac-b05b-d01bc284c4e8 |
| | act | Action (start/stop the application). | start, stop |
| | suser | User name. | DESKTOP-0731NFQ\User |
| | filePath | Location of the file in the file system. | C:\\Windows\\system32\\cmd.exe |
| | cs1Label | Indicates the endpoint ID. | endpointId |
| | cs1 | Endpoint ID. | 35fb5820-74db-4eac-b05b-d01bc284c4e8 |
| | cs2Label | Indicates the endpoint name. | endpointName |
| | cs2 | Endpoint NetBIOS name. | DESKTOP-0731NFQ |
| | spid | Process ID. | 3860 |
| | fileHash | Application hash. | B4979A9F970029889713D756C3F123643DDE73DA |
| | cs3Label | Indicates the command line. | cmdLine |
| | cs3 | Command line. | C:\\Windows\\system32\\sc.exe start w32time task_started |
| | cs4Label | Indicates the session ID. | sessionId |
| | cs4 | Session ID. | 1656395717 |
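The following parser is an added example, not UserGate code: it splits a CEF record of this log type into its seven header fields and the extension pairs, folds each csNLabel/csN pair into a field named by the label (endpointId, endpointName, cmdLine, sessionId), and converts rt to a datetime. The sample record is constructed from the example values in the table; the escaping of backslashes as `\\` follows the filePath example.

```python
import re
from datetime import datetime, timezone

# Header columns of a UserGate endpoint_applications event, in CEF order.
HEADER = ("cef_version", "device_vendor", "device_product", "device_version",
          "source", "name", "threat_level")
# An extension pair starts with "key=" at the start of the extension or after a
# space; a literal "=" inside a value is escaped as "\=", so it never matches here.
_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")


def _unescape(value: str) -> str:
    # One pass over CEF escapes: \= \| \\ keep the character, \n and \r become newlines.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)


def parse_endpoint_application_event(line: str) -> dict:
    """Parse one CEF line; csN/csNLabel pairs are folded into fields named by the label."""
    parts = re.split(r"(?<!\\)\|", line.rstrip("\r\n"), maxsplit=7)  # 7 header fields + extension
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    event = {k: _unescape(v) for k, v in zip(HEADER, parts[:7])}
    event["cef_version"] = event["cef_version"][4:]  # "CEF:0" -> "0"
    ext, raw = parts[7], {}
    keys = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):  # a value runs up to the start of the next "key="
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw[m[1]] = _unescape(ext[m.end():end])
    for key, val in raw.items():
        if key.endswith("Label") and key[:-5] in raw:  # cs1Label=endpointId, cs1=<id>
            event[val] = raw[key[:-5]]
        elif not re.fullmatch(r"cs\d+(Label)?", key):
            event[key] = val
    if "rt" in event:  # milliseconds since the Unix epoch -> timezone-aware datetime
        ms = int(event["rt"])
        event["rt"] = datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(
            microsecond=(ms % 1000) * 1000)
    if "spid" in event:
        event["spid"] = int(event["spid"])
    return event


# Constructed sample record built from the example values in the table (not a real capture).
SAMPLE_LINE = (
    r"CEF:0|UserGate|NGFW|7|endpoint_applications|log|0|rt=1652344423822 "
    r"deviceExternalId=35fb5820-74db-4eac-b05b-d01bc284c4e8 act=start suser=DESKTOP-0731NFQ\\User "
    r"filePath=C:\\Windows\\system32\\cmd.exe cs1Label=endpointId cs1=35fb5820-74db-4eac-b05b-d01bc284c4e8 "
    r"cs2Label=endpointName cs2=DESKTOP-0731NFQ spid=3860 fileHash=B4979A9F970029889713D756C3F123643DDE73DA "
    r"cs3Label=cmdLine cs3=C:\\Windows\\system32\\sc.exe start w32time task_started cs4Label=sessionId cs4=1656395717"
)
```

Fields like fileHash and cmdLine come out ready for matching against allow-lists or detection rules, with the csN indirection already resolved.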