Expressions in LEEF format for structured data

Structured data in LEEF format contains one or more properties, which are represented as key-value pairs.

About this task

You can extract properties from an event that is presented in LEEF format by writing a LEEF expression that matches the property. Valid LEEF expressions take one of two forms: a single key reference (the attribute name, such as usrName), or a special LEEF header field reference (such as $eventid$).

For example, you have an event that is formatted in LEEF V1.0, such as:

LEEF:1.0|ABC Company|SystemDefender|1.13|console_login|devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ	devTime=2017-10-18T11:26:03.060+0200	usrName=flastname	name=Firstname Lastname	authType=interactivePassword	src=192.168.0.1

or an event that is formatted in LEEF V2.0 with the caret (^) separator character, such as:

LEEF:2.0|ABC Company|SystemDefender|1.13|console_login|^|devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ^devTime=2017-10-18T11:26:03.060+0200^usrName=flastname^name=Firstname Lastname^authType=interactivePassword^src=192.168.0.1

In LEEF V1.0 the attributes are tab-separated; in LEEF V2.0 the sixth header field names the separator that is used between attributes.

You can extract a property or a header key property from the event by choosing one of the following methods:

Procedure

  1. To extract the 'usrName' property, enter usrName in the LEEF Key field.

    The possible keys that can be extracted are:

    • devTimeFormat
    • devTime
    • usrName
    • name
    • authType
    • src
  2. To extract a header key property, type the key in the following format in the LEEF Key field:
    $eventid$
    The LEEF header values can be extracted by using the following expressions:
    • $leefversion$
    • $vendor$
    • $product$
    • $version$
    • $eventid$
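As an added example that is not part of this documentation, the following Python code parses the two events shown above (LEEF 1.0 with tab-separated attributes, LEEF 2.0 with the delimiter taken from the sixth header field) and evaluates both kinds of LEEF expression against them. The hex-encoded delimiter form (x5E or 0x5E) comes from the LEEF 2.0 specification rather than this page, the function names are this example's own, and $leefversion$ is assumed here to return the version number after "LEEF:".

```python
import re
# LEEF header fields in order; $name$ expressions reference them by these names.
HEADER_FIELDS = ("leefversion", "vendor", "product", "version", "eventid")
HEADER_EXPR = re.compile(r"\$(\w+)\$")

def _resolve_delimiter(field):
    """LEEF 2.0 delimiter field: empty means tab, otherwise one literal
    character or (per the LEEF 2.0 spec) its hex code prefixed with x or 0x."""
    if field == "":
        return "\t"
    hexcode = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{1,4})", field)
    return chr(int(hexcode.group(1), 16)) if hexcode else field

def parse_leef(event):
    """Split a LEEF 1.0 or 2.0 event into (header dict, attribute dict)."""
    if not event.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    leef_version = event[5:event.index("|")]
    # LEEF 2.0 adds a sixth header field carrying the attribute delimiter.
    n_header = 6 if leef_version.startswith("2") else 5
    parts = event.split("|", n_header)
    if len(parts) != n_header + 1:
        raise ValueError("malformed LEEF header")
    header = dict(zip(HEADER_FIELDS, [leef_version] + parts[1:5]))
    delim = _resolve_delimiter(parts[5]) if n_header == 6 else "\t"
    attrs = {}
    for token in parts[-1].split(delim):
        if "=" in token:  # attributes are key=value; split on the first '=' only
            key, value = token.split("=", 1)
            attrs[key] = value
    return header, attrs

def evaluate(expression, event):
    """Apply a LEEF expression ($header$ or attribute key); None if the key is absent."""
    header, attrs = parse_leef(event)
    m = HEADER_EXPR.fullmatch(expression)
    if m:
        name = m.group(1).lower()
        if name not in header:
            raise KeyError("unknown LEEF header expression: " + expression)
        return header[name]
    return attrs.get(expression)

# The two events from this page as single lines (LEEF 1.0 fields are tab-separated).
EVENT_V1 = ("LEEF:1.0|ABC Company|SystemDefender|1.13|console_login|"
            "devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ\tdevTime=2017-10-18T11:26:03.060+0200"
            "\tusrName=flastname\tname=Firstname Lastname\tauthType=interactivePassword\tsrc=192.168.0.1")
EVENT_V2 = ("LEEF:2.0|ABC Company|SystemDefender|1.13|console_login|^|"
            "devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ^devTime=2017-10-18T11:26:03.060+0200"
            "^usrName=flastname^name=Firstname Lastname^authType=interactivePassword^src=192.168.0.1")
```

Both events resolve to the same attribute dictionary, so evaluate("usrName", ...) returns flastname and evaluate("$eventid$", ...) returns console_login for either version.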