17.1.7. Endpoint events log format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF header | Source | Log type. | endpoint_log |
| CEF header | Name | Source type. | log |
| CEF header | Severity | Event severity. | Available values: 0 (info), 6 (warning), 8 (error), 10 (critical). |
| CEF extension | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1652344423822 |
| CEF extension | deviceExternalId | A unique name of the device which generated the event. | 35fb5820-74db-4eac-b05b-d01bc284c4e8 |
| CEF extension | suser | User name. | Admin |
| CEF extension | msg | Event details. | Windows Defender status successfully changed to SECURITY_PRODUCT_STATE_ON. |
| CEF extension | cs1Label | Indicates the endpoint ID. | endpointId |
| CEF extension | cs1 | Endpoint or sensor ID. | 35fb5820-74db-4eac-b05b-d01bc284c4e8 |
| CEF extension | cs2Label | Indicates the name of the endpoint or sensor. | endpointName |
| CEF extension | cs2 | Endpoint or sensor name. | DESKTOP-0731NFQ |
| CEF extension | cs3Label | Indicates the event type. | logLevel |
| CEF extension | cs3 | Log event type. | Success Audit, Warning, Information, Failure Audit, Error |
| CEF extension | cs4Label | Indicates the incident category. | logCategoryString |
| CEF extension | cs4 | Incident category. | Special Logon |
| CEF extension | cs5Label | Indicates the event log type. | logFile |
| CEF extension | cs5 | Event log file containing information about software and hardware security events. | Security, Application, System, Windows PowerShell |
| CEF extension | cs6Label | Indicates the log event source. | sourceName |
| CEF extension | cs6 | Log event source. | Microsoft-Windows-Security-Auditing |
| CEF extension | flexString1Label | Indicates the insertion string. | insertionString |
| CEF extension | flexString1 | Insertion string: data from the Windows EventData block. | Windows DefenderSECURITY_PRODUCT_STATE_ON |
| CEF extension | cn1Label | Indicates the log event code. | logEventCode |
| CEF extension | cn1 | Log event code. | 1154 |
| CEF extension | cn2Label | Indicates the log event ID. | logEventId |
| CEF extension | cn2 | Log event ID. | 10016 |
| CEF extension | cn3Label | Indicates the log event type. | logEventType |
| CEF extension | cn3 | Log event type. | 1 (error), 2 (warning), 3 (information), 4 (audit success), 5 (audit failure). |
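The parser below is an added example and is not UserGate code: it splits an endpoint_log line in this format into the CEF header fields, the raw extension pairs and the label-resolved fields (csNLabel naming csN, cnNLabel naming cnN, flexString1Label naming flexString1), and applies the severity and logEventType mappings from the table. The result-dict key names are the example's own choice, and the sample line is constructed from the example values above.

```python
import re
from datetime import datetime, timedelta, timezone

SEVERITY_NAMES = {"0": "info", "6": "warning", "8": "error", "10": "critical"}  # CEF header severity
EVENT_TYPE_NAMES = {"1": "error", "2": "warning", "3": "information", "4": "audit success",
                    "5": "audit failure"}  # cn3 / logEventType
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "source", "name", "severity")  # header positions as named in the table

def _unescape(value, header):
    # CEF escapes '|' in the header and '=' in the extension with a backslash; '\' is written '\\'.
    value = value.replace(r"\|", "|") if header else value.replace(r"\=", "=")
    return value.replace("\\\\", "\\")

def parse_extension(ext):
    """Split 'key=value key=value' where values may contain spaces and escaped '='."""
    keys = list(re.finditer(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=", ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip(), header=False)
    return fields

def parse_endpoint_event(line):
    """Parse one endpoint_log CEF line into header, raw extension and label-resolved fields."""
    raw = re.split(r"(?<!\\)\|", line.rstrip("\r\n"), maxsplit=7)  # extension may contain '|'
    if len(raw) != 8 or not raw[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(HEADER_FIELDS, (_unescape(v, header=True) for v in raw[:7])))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    header["severity_name"] = SEVERITY_NAMES.get(header["severity"], "unknown")
    ext = parse_extension(raw[7])
    # csNLabel/cnNLabel/flexStringNLabel name the matching csN/cnN/flexStringN value,
    # e.g. cs2Label=endpointName cs2=DESKTOP-0731NFQ -> fields["endpointName"].
    fields = {label: ext[key[:-5]] for key, label in ext.items()
              if key.endswith("Label") and key[:-5] in ext}
    if "logEventType" in fields:
        fields["logEventTypeName"] = EVENT_TYPE_NAMES.get(fields["logEventType"], "unknown")
    if "rt" in ext:  # rt is milliseconds since the Unix epoch
        fields["received_at"] = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=int(ext["rt"]))
    return {"header": header, "extension": ext, "fields": fields}

# Constructed sample line assembled from the example values in the table above.
SAMPLE = ("CEF:0|UserGate|NGFW|7|endpoint_log|log|0|rt=1652344423822 deviceExternalId=35fb5820-74db-4eac-b05b-d01bc284c4e8"
          " suser=Admin msg=Windows Defender status successfully changed to SECURITY_PRODUCT_STATE_ON."
          " cs1Label=endpointId cs1=35fb5820-74db-4eac-b05b-d01bc284c4e8 cs2Label=endpointName cs2=DESKTOP-0731NFQ"
          " cs3Label=logLevel cs3=Information cs4Label=logCategoryString cs4=Special Logon cs5Label=logFile cs5=Security"
          " cs6Label=sourceName cs6=Microsoft-Windows-Security-Auditing flexString1Label=insertionString"
          " flexString1=Windows DefenderSECURITY_PRODUCT_STATE_ON cn1Label=logEventCode cn1=1154"
          " cn2Label=logEventId cn2=10016 cn3Label=logEventType cn3=3")
```

Calling `parse_endpoint_event(SAMPLE)["fields"]` yields the endpoint name, log file, source, event code/ID and the received time as a UTC datetime, which is the shape a detection rule or SIEM normaliser would key on.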