Custom fields
The Nozomi Networks solution has defined custom label fields in our common event format (CEF) implementation. Ensure that your integration recognizes these custom labels and deals with them appropriately.
CEF field | Label field | Label value | Field value (sample or description) |
---|---|---|---|
cs1 | cs1Label | Risk | Risk level for the alert |
cs2 | cs2Label | IsSecurity | Is this a security alert |
cs3 | cs3Label | Id | Alert ID (not Alert Type ID) of the alert in the Nozomi system |
cs4 | cs4Label | Detail | Alert details |
cs5 | cs5Label | Parents | Parent IDs of the alert if related to others |
cs6 | cs6Label | n2os_schema | This is the Nozomi Schema version |
flexString1 | flexString1Label | mitre_attack_techniques | T0843 |
flexString2 | flexString2Label | mitre_attack_tactics | Impair Process Control, Inhibit Response Function, Persistence |
flexString3 | flexString3Label | Name | Suspicious Activity |
The common event format (CEF) data integration now sends the name attribute of alerts in the flexString3 CEF field. For example (the extension key=value pairs, which are space-separated on the wire, are shown one per line here for readability):
nozomi-ids.local n2osevents[0]: CEF:0|Nozomi Networks|N2OS|21.9.0-01051414_C13FC|SIGN:MULTIPLE-UNSUCCESSFUL-LOGINS|Multiple unsuccessful logins|8|
app=smb
dvc=172.16.193.105
dvchost=nozomi-ids.local
cs1=8.0
cs2=true
cs5=["22114bf0-813c-434c-b4d7-933d2a54b4e1"]
cs6=3
cs1Label=Risk
cs2Label=IsSecurity
cs3Label=Id
cs5Label=Parents
cs6Label=n2os_schema
flexString1=T0843
flexString1Label=mitre_attack_techniques
flexString2=impair_process_control, inhibit_response_function, persistence
flexString2Label=mitre_attack_tactics
flexString3=suspicious_activity
flexString3Label=name
dst=192.168.1.77
dmac=f0:1f:af:f1:40:5c
dpt=445
msg=Multiple unsuccessful logins detected with protocol smb. The usernames '', 'DOMAIN\VCA07_12$' attempted at least 40 connections in 15 seconds
src=192.168.1.227
smac=d8:9e:f3:3a:cb:3a
spt=57280
proto=TCP
start=1651456283700
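As an added example (not Nozomi's code and not part of the original page), the following Python parser splits an N2OS CEF record, resolves the csN/flexStringN label pairs from the table above into named fields, and types the Nozomi custom values (Risk, IsSecurity, Parents, n2os_schema, the MITRE lists). The sample event is constructed from the one shown above, and the key-boundary rule assumes that senders escape '=' inside values as CEF requires.

```python
import json
import re

SAMPLE = (  # constructed sample, modelled on the event shown above (not a captured live event)
    "CEF:0|Nozomi Networks|N2OS|21.9.0-01051414_C13FC|SIGN:MULTIPLE-UNSUCCESSFUL-LOGINS|"
    "Multiple unsuccessful logins|8|app=smb dvc=172.16.193.105 cs1=8.0 cs2=true "
    'cs5=["22114bf0-813c-434c-b4d7-933d2a54b4e1"] cs6=3 cs1Label=Risk cs2Label=IsSecurity '
    "cs3Label=Id cs5Label=Parents cs6Label=n2os_schema flexString1=T0843 "
    "flexString1Label=mitre_attack_techniques flexString2=impair_process_control, "
    "inhibit_response_function, persistence flexString2Label=mitre_attack_tactics "
    "flexString3=suspicious_activity flexString3Label=name msg=Multiple unsuccessful "
    "logins detected with protocol smb dst=192.168.1.77"
)
HEADER_KEYS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")  # start of an unescaped key=value pair in the extension
LABEL_RE = re.compile(r"^(cs\d+|flexString\d+)Label$")

def _unescape(text):
    """Undo CEF escaping: \\| \\= \\\\ become the literal character, \\n and \\r become newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)

def split_header(line):
    """Split the seven pipe-delimited header fields; everything after the 7th pipe is the extension."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(HEADER_KEYS, [parts[0][4:], *map(_unescape, parts[1:7])]))  # drop 'CEF:'
    return header, parts[7]

def parse_extension(ext):
    """Split 'key=value key=value'; values may contain spaces but must escape '=' as '\\='."""
    keys = list(KEY_RE.finditer(ext))
    ends = [m.start() for m in keys[1:]] + [len(ext)]
    return {m.group(1): _unescape(ext[m.end():end].strip()) for m, end in zip(keys, ends)}

def resolve_labels(fields):
    """Rename csN/flexStringN by their *Label fields and type the Nozomi custom values."""
    named = {k: v for k, v in fields.items() if not LABEL_RE.match(k)}
    for key, label in fields.items():
        m = LABEL_RE.match(key)
        if m and m.group(1) in named:  # a label can arrive without its value (cs3Label above)
            named[label] = named.pop(m.group(1))
    as_list = lambda v: [t.strip() for t in v.split(",")]
    casts = {"Risk": float, "n2os_schema": int, "Parents": json.loads, "IsSecurity": lambda v: v == "true",
             "mitre_attack_techniques": as_list, "mitre_attack_tactics": as_list}
    return {k: casts.get(k, str)(v) for k, v in named.items()}

def parse_nozomi_cef(line):
    header, ext = split_header(line)
    return header, resolve_labels(parse_extension(ext))
```

Strip the syslog prefix (`nozomi-ids.local n2osevents[0]: `) before calling `parse_nozomi_cef`; the header's `severity` and the labelled `Risk` are then available for routing without hard-coding the cs-slot numbers.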