Security Event Format - SEF Handbook

SEF is Oracle's data-centric event framework designed to extract, structure, and enrich log components into event elements with state-of-the-art security elements.

SEF Query Samples

Filtering SEF Queries

These query samples show how to construct SEF queries.

When looking for all records related to administrator-level changes to hosts you can refer to the sefCategory field. In these instances the possible values are numerous: system.admin.(startup|shutdown|restart|disable|enable|create|modify)


Filtering with wildcards

Example B-1

There are other log source types that contain additional system.admin values. Start by restricting the device class to remove irrelevant information:

'SEF Device Class' = host

Instead of creating an 'IN' statement that lists every possible value, use a wildcard to capture all of them, making the query:

'SEF Device Class' = host and 'sef Category' = 'system.admin.%'


Filtering with null values

Example B-2 Filter out null values

'SEF Destination Endpoint Account Name' != null and 'SEF Actor Endpoint Network Address' not in (null, 10.0.14.1, 10.0.14.2, 10.0.14.3)

Example B-3 Filtering null values in specific fields only

Find only records that have null values in specific fields:

'SEF Application Protocol' = http and 'SEF Destination Top Level Domain' = null and 'SEF Actor Endpoint Name' in (null, localhost, 127.0.0.1)

Filtering based on Network Port vs Application Protocol attributes

Both fields can be used to find similar information, but there are subtle differences between them, and choosing one over the other has a significant effect on the data returned. The outcome also depends on the characteristics of each individual network and on the log sources being sent to SMA.

Some security devices, like firewalls, are 'protocol aware': the protocol names (http, dns, ftp) are recorded in your log data when these protocols are detected. This information is applied during the data-enrichment phase for security logs, where:
  • SMA assigns it to the sefApplicationProtocol field, provided that such log records are supplied by your security log sources
  • SMA automatically fills it in for selected security log sources even if no such data record is provided.

Scenario Examples

  1. Web server logs may have 'HTTP' set for sefApplicationProtocol. In other cases, where only the destination port number is available and the protocol can't be assumed with a high degree of accuracy, sefApplicationProtocol is not populated.

    1. It is possible that sefDestinationEndpointNetworkAddressPort = 80 will return information that isn't HTTP related, like network scanning activity. It could also miss HTTP-related log entries where port information isn't available in the log data, or where alternative ports are used for some HTTP traffic (81, 8080, 8081, 8888).
  2. The same holds true for sefDestinationEndpointNetworkAddressPort: if the protocol is known but no port information is available in the log data, the field is left blank.

    1. Similarly, sefApplicationProtocol = HTTP will return logs known to be related to web traffic, but will not return logs where no protocol is recorded and the information can't be assumed with a high degree of accuracy.

Example B-4 Filtering with SEF field combinations

In general it is a good idea to use both fields together to ensure the most complete information is returned in SDE (Software-Defined Environment), custom queries, and dashboards. The best solution depends on your network and the log sources being sent to SMA, and may require some testing.

'sef Destination Endpoint Network Address Port' = 80 OR 'sef Application Protocol' = http

Example B-5 Filtering with SEF field combinations and parameter specifications

In an environment where web development takes place, or where custom apps are configured to use alternative ports for HTTP traffic, those additional ports may need to be added to an 'IN' statement in the query:

'sef Destination Endpoint Network Address Port' IN (80, 8080, 8081, 8888) OR 'sef Application Protocol' = HTTP

Example B-6 Filtering with more complex SEF field combinations and parameter specifications

Incorporating HTTPS into the query requires an additional 'IN' statement and additional ports:

'sef Destination Endpoint Network Address Port' IN (80, 8080, 8081, 8888, 443, 4343, 8043) OR 'sef Application Protocol' IN (http, https)
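The following is an added example, not code from the SEF handbook or from SMA: a small Python evaluator for the filter semantics shown in Examples B-1 through B-6 (the '%' wildcard, null handling in IN lists, and the port-versus-protocol OR), run over constructed sample events. The sef* field names are taken from the handbook; the event records and the helper names are assumptions made for the example.

```python
import re

# Constructed sample SEF records (not from the handbook); None models a null field.
EVENTS = [
    {"id": 1, "sefDeviceClass": "host", "sefCategory": "system.admin.restart",
     "sefDestinationEndpointNetworkAddressPort": None, "sefApplicationProtocol": None},
    {"id": 2, "sefDeviceClass": "host", "sefCategory": "system.admin.create",
     "sefDestinationEndpointNetworkAddressPort": 80, "sefApplicationProtocol": "HTTP"},
    {"id": 3, "sefDeviceClass": "firewall", "sefCategory": "network.scan",
     "sefDestinationEndpointNetworkAddressPort": 80, "sefApplicationProtocol": None},
    {"id": 4, "sefDeviceClass": "host", "sefCategory": "user.login",
     "sefDestinationEndpointNetworkAddressPort": 8080, "sefApplicationProtocol": None},
    {"id": 5, "sefDeviceClass": "host", "sefCategory": "user.login",
     "sefDestinationEndpointNetworkAddressPort": None, "sefApplicationProtocol": "https"},
]


def like(value, pattern):
    """SEF-style wildcard compare: '%' matches any run of characters, case-insensitive.
    A null (None) field never matches a wildcard pattern."""
    if value is None:
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, str(value), re.IGNORECASE) is not None


def in_list(value, choices):
    """'field in (null, a, b)': a null field matches only when null is listed;
    string choices are compared case-insensitively, numbers exactly."""
    if value is None:
        return None in choices
    norm = value.lower() if isinstance(value, str) else value
    return any(norm == (c.lower() if isinstance(c, str) else c) for c in choices)


def admin_host_changes(events):
    """Example B-1: 'SEF Device Class' = host and 'sef Category' = 'system.admin.%'."""
    return [e["id"] for e in events
            if e["sefDeviceClass"] == "host" and like(e["sefCategory"], "system.admin.%")]


def port_only(events, port=80):
    """Port-only filter: keeps the scan on port 80, misses HTTP on 8080 and HTTPS with no port."""
    return [e["id"] for e in events if e["sefDestinationEndpointNetworkAddressPort"] == port]


def web_traffic(events, ports=(80, 8080, 8081, 8888, 443, 4343, 8043), protocols=("http", "https")):
    """Example B-6: port IN (...) OR protocol IN (http, https); the OR closes both gaps."""
    return [e["id"] for e in events
            if in_list(e["sefDestinationEndpointNetworkAddressPort"], ports)
            or in_list(e["sefApplicationProtocol"], protocols)]
```

Comparing port_only(EVENTS) with web_traffic(EVENTS) on these records shows the scan record (id 3) returned by both and the 8080 and port-less HTTPS records (ids 4 and 5) returned only by the combined filter.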

Commonly Used SEF Fields

Each field provides a set of attributes with enriched event data from your data logs.

sef | Field Properties

Field             | Data Type | Multi-valued? | SEF Display Label         | Description
sefAddlAttrs      | STRING    | Yes           | SEF Additional Attributes | not provided
sefEnrichmentTime | TIMESTAMP | No            | SEF Enrichment Time       | Time at which the event was enriched
sefRecordType     | STRING    | Yes           | SEF Record Type           | Type of SEF event (base, anomaly, correlation)

sefActor | Field Properties

Field                        | Data Type | Multi-valued? | SEF Display Label                       | Description
sefActorEPAccountSummaryRisk | STRING    | No            | SEF Actor Endpoint Account Summary Risk | Summary risk associated with the actor account name.
sefActorEPAddlAttrs          | STRING    | Yes           | SEF Actor Endpoint Additional Attributes | Customized attributes.
sefActorEPCriticality        | STRING    | No            | SEF Actor Endpoint Criticality          | Criticality associated with the actor endpoint, for example low, medium, or high.
sefActorEPLocation           | STRING    | Yes           | SEF Actor Endpoint Location             | Location of the actor endpoint. This can be a street address, datacenter name, rack location, etc.
sefActorEPSecurityCategory   | STRING    | No            | SEF Actor Endpoint Security Category    | Security categorization of the actor endpoint.
sefActorEPTags               | STRING    | Yes           | SEF Actor Endpoint Tags                 | Tags associated with the actor endpoint.
sefActorUserName             | STRING    | No            | SEF Actor Username                      | User associated with the actor endpoint account name.
sefActorUserOrgs             | STRING    | Yes           | SEF Actor User Organizations            | Organization(s) of the actor user.
sefActorUserPrimaryOrg       | STRING    | No            | SEF Actor User Primary Organization     | The primary organization of the user associated with the actor endpoint account.
sefActorUserSummaryRisk      | STRING    | No            | SEF Actor User Summary Risk             | Summary risk associated with the actor user account.

sefDestination | Field Properties

Field                              | Data Type | Multi-valued? | SEF Display Label                             | Description
sefDestinationEPAccountSummaryRisk | STRING    | No            | SEF Destination Endpoint Account Summary Risk | Summary risk associated with the destination account
sefDestinationEPAddlAttrs          | STRING    | Yes           | SEF Destination Endpoint Additional Attributes | Additional attributes related to the destination endpoint
sefDestinationEPClassCategory      | STRING    | No            | SEF Destination Endpoint Class Category       | Categorization of the destination endpoint
sefDestinationEPClassSubCategory   | STRING    | No            | SEF Destination Endpoint Class Subcategory    | Subcategory of the service that is publishing the destination endpoint
sefDestinationEPClassService       | STRING    | No            | SEF Destination Endpoint Class Service        | Category of the service that is publishing the destination endpoint
sefDestinationEPCriticality        | STRING    | No            | SEF Destination Endpoint Criticality          | Criticality associated with the destination endpoint
sefDestinationEPLocation           | STRING    | Yes           | SEF Destination Endpoint Location             | Location; can be a street address or a rack location in a data center
sefDestinationEPSecurityCategory   | STRING    | No            | SEF Destination Endpoint Security Category    | Security categorization of the destination endpoint
sefDestinationEPServiceProvider    | STRING    | No            | SEF Destination Endpoint Service Provider     | The service provider for the destination endpoint
sefDestinationEPTags               | STRING    | Yes           | SEF Destination Endpoint Tags                 | Tags applied to this log entry because of some criteria of the destination endpoint
sefDestinationUserName             | STRING    | No            | SEF Destination Username                      | User associated with the destination account
sefDestinationUserOrgs             | STRING    | Yes           | SEF Destination User Organizations            | Organization(s) of the SEF destination user
sefDestinationUserPrimaryOrg       | STRING    | No            | SEF Destination User Primary Organization     |
sefDestinationUserSummaryRisk      | STRING    | No            | SEF Destination User Summary Risk             |

sefOriginalActor | Field Properties

The SEF Original Actor has Endpoint (EP) and User elements; both are part of the SEF field sefOriginalActor.

Table B-1 Field Properties: sefOriginalActor[ EP|User ]Attributes.

Field                                | Data Type | Multi-valued? | SEF Display Label                         | Description
sefOriginalActorEffectiveAccountName | STRING    | No            | SEF Original Actor Effective Account Name | The effective account used by the original sessionized actor
sefOriginalActorEPLocation           | STRING    | Yes           | SEF Original Actor Endpoint Location      | Location; can be a street address, a rack location in a data center, etc.
sefOriginalActorUserName             | STRING    | No            | SEF Original Actor Username               | The username of the original actor for a security event