Security Event Format - SEF Handbook
SEF is Oracle's data-centric event framework designed to extract, structure, and enrich log components into event elements with state-of-the-art security elements.
SEF Query Samples
Filtering SEF Queries
These query samples show how to construct SEF queries.
When looking for all records related to administrator-level changes to hosts, you can refer to the sefCategory field. In these instances the possible values are numerous: system.admin.(startup|shutdown|restart|disable|enable|create|modify)
Filtering with wildcards
Example B-1
‘SEF Device Class’ = host
‘SEF Device Class’ = host and ‘sef Category’ = ‘system.admin.%’
Filtering with null values
Example B-2 Filter out null values
'SEF Destination Endpoint Account Name' != null and 'SEF Actor Endpoint Network Address' not in (null, 10.0.14.1, 10.0.14.2, 10.0.14.3)
Example B-3 Filtering null values in specific fields only
Find only records that have null values in specific fields
'SEF Application Protocol' = http and 'SEF Destination Top Level Domain' = null 'SEF Actor Endpoint Name' in (null, localhost, 127.0.0.1)
Filtering based on Network Port vs Application Protocol attributes
Although both fields can be used to find similar information, there are subtle differences between them, and choosing one over the other has a significant effect on the data returned. The effect depends on the characteristics of each individual network and on the log sources being sent to SMA. The sefApplicationProtocol field is populated in two ways:
- SMA populates the sefApplicationProtocol field when the log records provided by your security log sources include the protocol.
- SMA fills it in automatically for selected security log sources, even when no such data is present in the record.
Scenario Examples
- Web server logs may have 'HTTP' set for sefApplicationProtocol. In other cases, where only the destination port number is available and the protocol can't be assumed with a high degree of accuracy, sefApplicationProtocol is not populated.
- It is possible that sefDestinationEndpointNetworkAddressPort = 80 will return information that isn't HTTP related, like network scanning activity. It could also miss HTTP-related log entries where port information isn't available in the log data, or where alternative ports are used for some HTTP traffic (81, 8080, 8081, 8888).
- The same holds true for sefDestinationEndpointNetworkAddressPort: if the protocol is known but no port information is available in the log data, the field is left blank.
- Similarly, sefApplicationProtocol = HTTP will return logs known to be related to web traffic, but will not return logs where no protocol is recorded and the information can't be assumed with a high degree of accuracy.
Example B-4 Filtering with SEF field combinations
In general it is a good idea to leverage both fields together to ensure the most complete information is returned in SDE (Software-Defined Environment), custom queries, and dashboards. The best solution will depend on your network and the log sources being sent to SMA, and may require some testing.
‘sef Destination Endpoint Network Address Port’ = 80 OR ‘sef Application Protocol’ = http
Example B-5 Filtering with SEF field combinations and parameter specifications
In an environment where web development takes place, or where custom apps are configured to use alternative ports for HTTP traffic, those additional ports may need to be added to an 'IN' statement in the query:
‘sef Destination Endpoint Network Address Port’ IN (80, 8080, 8081, 8888) OR ‘sef Application Protocol’ = HTTP
Example B-6 Filtering with more complex SEF field combinations and parameter specifications
Incorporating HTTPS into the query requires an additional ‘IN’ statement and additional ports:
‘sef Destination Endpoint Network Address Port’ IN (80, 8080, 8081, 8888, 443, 4343, 8043) OR ‘sef Application Protocol’ IN (http, https)
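To make the coverage differences from the scenario list and Examples B-4 to B-6 concrete, the following added example (not part of the SEF Handbook) evaluates the port-only, protocol-only and combined filters over a handful of constructed SEF-like records. The SEF field names are the handbook's; the record values, ids and helper functions are assumptions made for the illustration.

```python
# Constructed records: None stands for a SEF field that SMA left blank.
PORT = "sefDestinationEndpointNetworkAddressPort"
PROTO = "sefApplicationProtocol"

def rec(id_, port, proto):
    """Build one constructed SEF-like record (hypothetical helper)."""
    return {"id": id_, PORT: port, PROTO: proto}

RECORDS = [
    rec("web-80", 80, "HTTP"),        # web server log with both fields
    rec("web-8080", 8080, None),      # alternative port, no protocol recorded
    rec("web-noport", None, "HTTP"),  # protocol known, no port in the log
    rec("scan-80", 80, None),         # port scan touching 80, not HTTP traffic
    rec("tls-443", 443, "HTTPS"),
    rec("ssh-22", 22, "SSH"),
]

HTTP_PORTS = frozenset({80, 8080, 8081, 8888})   # ports from Example B-5
HTTPS_PORTS = frozenset({443, 4343, 8043})       # extra ports from Example B-6

def _proto(r):
    # The handbook writes the value as both 'http' and 'HTTP'; compare case-insensitively.
    p = r.get(PROTO)
    return p.lower() if p is not None else None

def port_only(records, ports=frozenset({80})):
    """'sef Destination Endpoint Network Address Port' IN (ports) on its own."""
    return [r["id"] for r in records if r.get(PORT) in ports]

def protocol_only(records, protocols=frozenset({"http"})):
    """'sef Application Protocol' IN (protocols) on its own."""
    return [r["id"] for r in records if _proto(r) in protocols]

def combined(records, ports, protocols):
    """Port clause OR protocol clause, as in Examples B-4 to B-6."""
    return [r["id"] for r in records
            if r.get(PORT) in ports or _proto(r) in protocols]

if __name__ == "__main__":
    # port-only picks up the scanner hit and misses web-noport/web-8080;
    # protocol-only misses web-8080; the OR union covers every web record.
    print("port = 80           ->", port_only(RECORDS))
    print("protocol = http     ->", protocol_only(RECORDS))
    print("B-5 combined        ->", combined(RECORDS, HTTP_PORTS, {"http"}))
    print("B-6 combined        ->", combined(RECORDS, HTTP_PORTS | HTTPS_PORTS, {"http", "https"}))
```

The scan-80 record shows why a port-only filter can return non-HTTP activity, while web-noport and web-8080 show the records each single-field filter silently drops.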
Commonly Used SEF Fields
Each field provides a set of attributes with enriched event data from your data logs.
sef | Field Properties
sef | Data Type | Multi-valued? | SEF Display Label | Description |
---|---|---|---|---|
sefAddlAttrs | STRING | Yes | SEF Additional Attributes | not provided |
sefEnrichmentTime | TIMESTAMP | No | SEF Enrichment Time | Time at which the event was enriched |
sefRecordType | STRING | Yes | SEF Record Type | Type of SEF event (base, anomaly, correlation) |
sefActor | Field Properties
sefActor | Data Type | Multi-valued? | SEF Display Label | Description |
---|---|---|---|---|
sefActorEPAccountSummaryRisk | STRING | No | SEF Actor Endpoint Account Summary Risk | Summary risk associated with the actor account name. |
sefActorEPAddlAttrs | STRING | Yes | SEF Actor Endpoint Additional Attributes | Customized attributes |
sefActorEPCriticality | STRING | No | SEF Actor Endpoint Criticality | Criticality associated with the actor endpoint, for example low, medium, or high. |
sefActorEPLocation | STRING | Yes | SEF Actor Endpoint Location | Location of the actor endpoint. This can be a street address, datacenter name, rack location, etc. |
sefActorEPSecurityCategory | STRING | No | SEF Actor Endpoint Security Category | Security categorization of the actor endpoint. |
sefActorEPTags | STRING | Yes | SEF Actor Endpoint Tags | Tags associated with the actor endpoint. |
sefActorUserName | STRING | No | SEF Actor Username | User associated with the actor endpoint account name. |
sefActorUserOrgs | STRING | Yes | SEF Actor User Organizations | Organization(s) of the actor user. |
sefActorUserPrimaryOrg | STRING | No | SEF Actor User Primary Organization | The primary organization of the user associated with the actor endpoint account. |
sefActorUserSummaryRisk | STRING | No | SEF Actor User Summary Risk | Summary risk associated with the actor user account. |
sefDestination | Field Properties
sefDestination | Data Type | Multi-valued? | SEF Display Label | Description |
---|---|---|---|---|
sefDestinationEPAccountSummaryRisk | STRING | No | SEF Destination Endpoint Account Summary Risk | Summary risk associated with the destination account |
sefDestinationEPAddlAttrs | STRING | Yes | SEF Destination Endpoint Additional Attributes | Additional attributes related to the destination endpoint |
sefDestinationEPClassCategory | STRING | No | SEF Destination Endpoint Class Category | Categorization of the destination endpoint |
sefDestinationEPClassSubCategory | STRING | No | SEF Destination Endpoint Class Subcategory | Subcategory of the service that is publishing the destination endpoint |
sefDestinationEPClassService | STRING | No | SEF Destination Endpoint Class Service | Category of the service that is publishing the destination endpoint |
sefDestinationEPCriticality | STRING | No | SEF Destination Endpoint Criticality | Criticality associated with the destination endpoint |
sefDestinationEPLocation | STRING | Yes | SEF Destination Endpoint Location | Location can be a street address, rack location in a data center, etc. |
sefDestinationEPSecurityCategory | STRING | No | SEF Destination Endpoint Security Category | Security categorization of the destination endpoint |
sefDestinationEPServiceProvider | STRING | No | SEF Destination Endpoint Service Provider | The service provider for the destination endpoint |
sefDestinationEPTags | STRING | Yes | SEF Destination Endpoint Tags | Tags applied to this log entry because of some criteria of the destination endpoint |
sefDestinationUserName | STRING | No | SEF Destination Username | User associated with the destination account |
sefDestinationUserOrgs | STRING | Yes | SEF Destination User Organizations | Organization(s) of the SEF Destination User |
sefDestinationUserPrimaryOrg | STRING | No | SEF Destination User Primary Organization | |
sefDestinationUserSummaryRisk | STRING | No | SEF Destination User Summary Risk | |
sefOriginalActor | Field Properties
The SEF Original Actor has Endpoint and User elements, grouped under the SEF field sefOriginalActor.
Table B-1 Field Properties: sefOriginalActor[ EP|User ]Attributes.
sefOriginalActor | Data Type | Multi-valued? | SEF Display Label | Applied Action |
---|---|---|---|---|
sefOriginalActorEffectiveAccountName | STRING | No | SEF Original Actor Effective Account Name | The effective account used by the original sessionized actor |
sefOriginalActorEPLocation | STRING | Yes | SEF Original Actor Endpoint Location | Location can be a street address, rack location in a data center, etc. |
sefOriginalActorUserName | STRING | No | SEF Original Actor Username | The username of the original actor for a security event |