LEEF-Based Format Definition

The following table describes the LEEF-based format of the syslog records sent by PTA.

| Field | Description | Specified value |
| --- | --- | --- |
| **Prefix fields** | | |
| LEEF:[number] | The LEEF header and version. The version number identifies the version of the LEEF format. | LEEF:[number] |
| Device Vendor, Device Product, Device Version | Information about the device sending the message. For PTA, the Device Vendor is CyberArk, and the Device Product is PTA. | CyberArk, PTA, 13.2 |
| Event Type | A unique ID that identifies the event type that is reported. | {21-55} |
| Cat | A description of the reported event type. For a complete list of PTA detections, indicators of compromise and their descriptions, see What Detections Does PTA Report?. | {Suspected credentials theft, Unmanaged privileged account, Privileged access during irregular hours, etc…} |
| sev | A numeric value that indicates the severity of the event. 1 is the lowest event severity; 10 is the highest event severity. | {1,2,3,4,5,6,7,8,9,10} |
| **Extension fields** | | |
| src | Source host/IP address | Any host/IP |
| usrName | Destination user name associated with the event. | Any user |
| dst | Destination host/IP address | Any host/IP |
| extraDataLabel | The label of the Extra data field. | "extraData" |
| extraData | Additional information relevant for the reported security event. | For example, SPN, Session, and Suspicious session activity <command name> |
| eventIdLabel | The label of the Security Event ID field. | "eventID" |
| eventID | The ID of the reported security event. | 52b06812ec3500ed864c461e |
| devTime | The system time when PTA identified the security event. | 1388577600000 |
| linkLabel | The label of the link field. | "ptaLink" |
| ptaLink | The HTTPS link to the Security Events page in PVWA. | https://10.1.1.1./PasswordVault/v10/pta/events |
| suserLabel | The label of the Event Name field. | "suser" |
| suser | Source User Name | Any user |
| externalLinkLabel | The label of the external link field. | "externalLink" |
| externalLink | An HTTPS link to other CyberArk or third party products that can add more information to the security event. Note: Due to a LEEF limitation, if the link includes the equals sign (=), the link will be broken. To view the link, copy the relevant URL and remove the backslash (\) before the equals sign (=). | http://... |
| suspiciousSessionActivityLabel | The label of the suspicious session activity field. | "suspiciousSessionActivity" |
| suspiciousSessionActivity | The command describing the suspicious session activity. | The command, for example, DeleteDB |

  • The suser, shost, src, duser, dhost and dst fields may contain a single value or a list of values. If a field contains a list of values, the values are separated by commas; if the list is larger than 1024, the remaining data is omitted and "etc.." is appended to the end.
  • The dhost and dst fields may hold a single host or a database instance. For a database instance, the destination is sent in the format <machine:instance>.
  • When the src, dst, duser, suser or cs1 field has no value, the field is sent with the value None.

The following example shows syslog output generated by PTA:

LEEF:1.0|CyberArk|PTA|13.2|1|Cat=Suspected credentials theft|sev=8| src=src1 userName=mike dst=192.168.0.1 ExtraDataLabel=ExtraData ExtraData=None EventIdLabel=EventID EventID=52b06812ec3500ed864c461e devTime= 1388577600000 LinkLabel=PTALink PTALink=https://1.1.1.1/incidents/52b06812ec3500ed864c461e suserLabel=SourceUserName suser=mike2 ExternalLinkLabel=ExternalLink ExternalLink=None
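The Python parser below is an added example, not code from the CyberArk documentation. It reads a PTA LEEF line as laid out in the table above: it splits the pipe-delimited header, recovers the key=value extension fields, removes the backslash from a LEEF-escaped `\=` as the externalLink note describes, maps the literal `None` to a missing value, and splits the list-valued fields while flagging the `etc..` truncation marker. SAMPLE_LINE is the page's own example; SAMPLE_LINE_2 and the dictionary key names are constructed assumptions.

```python
import re
from typing import Any

# A key=value pair; the value runs until the next whitespace-preceded "key=".
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# Fields the page says may carry a comma-separated list of values.
LIST_FIELDS = {"suser", "shost", "src", "duser", "dhost", "dst"}

# Constructed samples: the first is the page's own example line, the second
# adds a list-valued dst truncated with "etc.." and a LEEF-escaped "=" in a link.
SAMPLE_LINE = ("LEEF:1.0|CyberArk|PTA|13.2|1|Cat=Suspected credentials theft|sev=8| "
               "src=src1 userName=mike dst=192.168.0.1 ExtraDataLabel=ExtraData "
               "ExtraData=None EventIdLabel=EventID EventID=52b06812ec3500ed864c461e "
               "devTime= 1388577600000 LinkLabel=PTALink PTALink=https://1.1.1.1/incidents/"
               "52b06812ec3500ed864c461e suserLabel=SourceUserName suser=mike2 "
               "ExternalLinkLabel=ExternalLink ExternalLink=None")
SAMPLE_LINE_2 = ("LEEF:1.0|CyberArk|PTA|13.2|2|Cat=Unmanaged privileged account|sev=5| "
                 "src=None dst=10.0.0.1,10.0.0.2,etc.. suser=alice "
                 "ExternalLink=https://example.invalid/lookup?id\\=42")


def _parse_kv(blob: str) -> dict[str, str]:
    # LEEF escapes "=" inside a value as "\="; drop the backslash (page note).
    return {k: v.strip().replace("\\=", "=") for k, v in _KV_RE.findall(blob)}


def parse_pta_leef(line: str) -> dict[str, Any]:
    parts = line.strip().split("|")
    if len(parts) < 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    rec: dict[str, Any] = {
        "leef_version": parts[0][len("LEEF:"):],
        "vendor": parts[1], "product": parts[2], "product_version": parts[3],
        "event_type": int(parts[4]), "truncated": [],
    }
    attrs: dict[str, str] = {}
    for seg in parts[5:]:          # "Cat=..", "sev=..", then the extension blob
        attrs.update(_parse_kv(seg))
    for key, val in attrs.items():
        if val == "None":          # page: an empty field is sent as "None"
            rec[key] = None
        elif key.lower() in LIST_FIELDS and "," in val:
            items = [i.strip() for i in val.split(",")]
            if items[-1] == "etc..":   # page: a list cut at 1024 ends with "etc.."
                items.pop()
                rec["truncated"].append(key)
            rec[key] = items
        else:
            rec[key] = val
    rec["sev"] = int(rec["sev"]) if isinstance(rec.get("sev"), str) else None
    return rec
```

Key names are kept exactly as they appear on the wire, so a collector must expect the capitalisation the sample uses (ExtraData, PTALink) rather than the table's spelling.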