Appendix 7 - Download Log Definition

This section explains the log definition for every log format that HaloENGINE supports.

What is SIEM Integration?

SIEM, which stands for Security Information and Event Management, is a comprehensive approach to managing an organization's security information and events. SIEM integration refers to the process of incorporating SIEM solutions into an organization's existing IT infrastructure to enhance its ability to monitor, detect, and respond to security incidents. To support this approach, HaloENGINE transmits logs in JavaScript Object Notation (JSON), Log Event Extended Format (LEEF), and Common Event Format (CEF).

Common Event Format is an open log management standard developed by HP ArcSight. CEF comprises a standard prefix and a variable extension that is formatted as key-value pairs.
Log Event Extended Format is a customized event format for IBM Security QRadar. LEEF comprises a LEEF header, event attributes, and an optional Syslog header.
JavaScript Object Notation is a lightweight text-based open standard designed for human-readable data interchange.

These logs are forwarded to the communications module, which transmits them to your collection server via UDP or TCP. Ideally, a SIEM (Microsoft Azure Sentinel, Splunk, RSA, and others) server would scan the received messages, sort them, and alert your security team.

Forwarding logs

Why CEF Standard?

The CEF format is an open log management standard that simplifies log management. CEF allows third parties to create their device schemas that are compatible with a standard that is used industry-wide for normalizing security events. Technology companies and customers can use the standardized CEF format to facilitate data collection and aggregation, for later analysis by an enterprise management system. CEF is an extensible, text-based format designed to support multiple device types by offering the most relevant information. It defines the syntax for log records consisting of a standard header and a variable extension, formatted as key-value pairs.

Syslog and CEF Header

The data is normalized and categorized into the ArcSight CEF for easy correlation and analysis. CEF uses Syslog as a transport mechanism. It uses the following format, consisting of a Syslog prefix, a header, and an extension, as shown below. If an event producer is unable to write Syslog messages, it is still possible to write the events to a file.

Prefix │ Header │[Extension]

CEF format

CEF format sample

Format	Description	Example
Prefix	Syslog applies a prefix to each message, no matter which device it arrives from, that contains the date and hostname.	`10:29:48.486`
Header	Version is an integer and identifies the version of the CEF format. The current CEF version is 0 (CEF:0).	`CEF:0`
	Device Vendor, Device Product, and Device Version are strings that uniquely identify the type of sending device. Example for HaloCORE GA release 6.1	`\|Secude\|HaloCORE\|6.7.0.0\|`
	Device Event Class ID is a unique identifier per event-type (download, sent as attachment, copy-paste). This can be a string or an integer. Device Event Class ID identifies the type of event reported.	`100` Note: 100 – user download 101 – sent as an attachment 103 – download for viewing 200 – copy paste 999 – Export event
	Name is a string representing a human-readable and understandable description of the event (‘user download’, ‘sent as attachment’ or a ‘copy paste’).	`Export Event`
	Severity is a string or integer and reflects the importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High.	`1`
Extension	The Extension field contains a collection of key-value pairs. The keys are part of a predefined set. The standard allows for including additional keys as outlined in "ArcSight Extension Dictionary”. An event can contain any number of key-value pairs in any order, separated by spaces (""). If a field contains a space, such as a filename, this is valid and can be logged in exactly that manner. Secude uses only Standard Key Names from ArcSight Extension Directory and no custom extensions. The reason for that is to avoid significant limitations custom extensions will cause.	Please refer to the following table "CEF Key Names (Extension Fields)".

CEF Header details

16:23:22.908 CEF:0|Secude|HaloCORE|6.7.0.3|100|user download|1|deviceCustomDate1Label=exportTime deviceCustomDate1=Oct 17 2024 10:53:22 UTC externalId=000C29D631DD1EDFA38EBFC507186F79 deviceCustomDate2Label=logTime deviceCustomDate2=Oct 17 2024 10:53:22 UTC act=unblocked;labeled;protected fname=Tech data.tsv.pfile filePath=C:\Users\Administrator\Desktop\SAP Downloads\ fileType=TSV fsize=1298694 in=1321311 shost=HTE_800 duser=JOHN,type:SAP dst=10.41.14.69 requestClientApplication=[null] cs2Label=DataDestination cs2=[ platform\=[Windows NT], browser\=[null], browser_version\=[null], device_type\=[Unknown], terminal_id\=[SVLU0306] ] cs3Label=DataOrigin cs3=[ source_type\=[Netweaver], system_name\=[HTE_800], client_type\=[SAP], tcode\=[S_ALR_87012086], app_component\=[FI-GL-IS], table_names\=[], app_package\=[FREP], program_name\=[RFKKVZ00], web_dynpro_app\=[null], attributes\=[{ key\=[Runtime - Modifying File (Milliseconds)], value\=[3455], type\=[DD] }, { key\=[Label Name], value\=[HCAD Secret], type\=[DD] }, { key\=[Label UID], value\=[99f1473d-74f4-47ca-9843-e735f94fa797], type\=[DD] }, { key\=[Total Runtime (Milliseconds)], value\=[13444], type\=[DD] }], report_criteria\=[{ rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-XBRSEQU, rpt_slc_text\=Process Line Items Sequentiall, rpt_slc_low\=, rpt_slc_name\=ALCUR, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-KKVZCPDK, rpt_slc_text\=One-time vendors, rpt_slc_low\=, rpt_slc_name\=CPDKONTO, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=D, rpt_slc_kind\=P, rpt_slc_bscType\=DATE, rpt_slc_dtype\=DATE, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=.00.0000, rpt_slc_dbref\=BKPF-BUDAT, rpt_slc_text\=Posting Date, rpt_slc_low\=.00.0000, rpt_slc_name\=EXCDT, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-ALLGINLD, rpt_slc_text\=?...(INLAND), rpt_slc_low\=, rpt_slc_name\=INLAND, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=S, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=LFB1-AKONT, rpt_slc_text\=Reconciliation acct, rpt_slc_low\=, rpt_slc_name\=KD_AKONT, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=S, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=LFB1-BUKRS, rpt_slc_text\=?...(KD_BUKRS), rpt_slc_low\=, rpt_slc_name\=KD_BUKRS, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=S, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=LFB1-BUSAB, rpt_slc_text\=Accounting clerk, rpt_slc_low\=, rpt_slc_name\=KD_BUSAB, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=S, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=LFA1-KONZS, rpt_slc_text\=Group key, rpt_slc_low\=, rpt_slc_name\=KD_KONZS, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=S, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=LFA1-LAND1, rpt_slc_text\=Country, rpt_slc_low\=, rpt_slc_name\=KD_LAND1, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=S, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=LFA1-LIFNR, rpt_slc_text\=?...(KD_LIFNR), rpt_slc_low\=, rpt_slc_name\=KD_LIFNR, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=, rpt_slc_text\=KD_NOAUT, rpt_slc_low\=, rpt_slc_name\=KD_NOAUT, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=, rpt_slc_text\=KD_NOOAP, rpt_slc_low\=, rpt_slc_name\=KD_NOOAP, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=S, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=LFA1-VBUND, rpt_slc_text\=Trading Partner, rpt_slc_low\=, rpt_slc_name\=KD_VBUND, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=1, rpt_slc_dbref\=RFPDO-KKVZKSOR, rpt_slc_text\=Account Sorting, rpt_slc_low\=1, rpt_slc_name\=KONTSORT, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=5, rpt_slc_dbref\=RFPDO-KKVZPOST, rpt_slc_text\=Communication with vendor, rpt_slc_low\=5, rpt_slc_name\=KURZLIST, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-ALLGLOEZ, rpt_slc_text\=Only with delete flag, rpt_slc_low\=, rpt_slc_name\=LOESCHV, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-KKVZMIKF, rpt_slc_text\=Print Microfiche Line, rpt_slc_low\=, rpt_slc_name\=MI-FICHE, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-KKVZADTE, rpt_slc_text\=Address and telecom (master), rpt_slc_low\=, rpt_slc_name\=PA-A20, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-KKVZKOST, rpt_slc_text\=Account control and status, rpt_slc_low\=, rpt_slc_name\=PA-A3B2, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-KKVZSTEU, rpt_slc_text\=Tax info. and references, rpt_slc_low\=, rpt_slc_name\=PA-A40, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-ALLGMWID, rpt_slc_text\=Additional VAT reg.numbers, rpt_slc_low\=, rpt_slc_name\=PA-A50, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-KKVZQUPF, rpt_slc_text\=Subject to Withhold. Tax, rpt_slc_low\=, rpt_slc_name\=PA-A55, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-KKVZBANK, rpt_slc_text\=Bank Data, rpt_slc_low\=, rpt_slc_name\=PA-A60, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-KKVZZAHL, rpt_slc_text\=Payment Data, rpt_slc_low\=, rpt_slc_name\=PA-A7B5, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-ALLGLISB, rpt_slc_text\=List of Company Codes, rpt_slc_low\=, rpt_slc_name\=PA-A90, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-ALLGADBK, rpt_slc_text\=Creation data for company code, rpt_slc_low\=, rpt_slc_name\=PA-B10, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-ALLGVERZ, rpt_slc_text\=Interest Calculation, rpt_slc_low\=, rpt_slc_name\=PA-B30, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-KKVZQUST, rpt_slc_text\=Withholding Tax, rpt_slc_low\=, rpt_slc_name\=PA-B40, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-ALLGREFD, rpt_slc_text\=Reference Data, rpt_slc_low\=, rpt_slc_name\=PA-B45, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-KKVZMAHN, rpt_slc_text\=Dunning Data, rpt_slc_low\=, rpt_slc_name\=PA-B60, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-KKVZKORR, rpt_slc_text\=Vendor correspondence, rpt_slc_low\=, rpt_slc_name\=PA-B70, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO3-ALLGEQST, rpt_slc_text\=Extended Withholding Tax, rpt_slc_low\=, rpt_slc_name\=PA-B80, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=C, rpt_slc_bscType\=BOOLEAN, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=false, rpt_slc_dbref\=, rpt_slc_text\=Only with ext. withholding tax, rpt_slc_low\=, rpt_slc_name\=PA-B85, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO-ALLGSPZB, rpt_slc_text\=Only with posting block, rpt_slc_low\=, rpt_slc_name\=SPERRKZ, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO1-ALLGLINE, rpt_slc_text\=Additional Heading, rpt_slc_low\=, rpt_slc_name\=TITLE, rpt_slc_high\=}, {rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=P, rpt_slc_bscType\=STRING, rpt_slc_dtype\=CHAR, rpt_slc_optional\=, rpt_slc_dynnr\=1000, rpt_slc_value\=, rpt_slc_dbref\=RFPDO1-ALLGALTK, rpt_slc_text\=Alternative Account Number, rpt_slc_low\=, rpt_slc_name\=XALTKT, rpt_slc_high\= }] ] cs4Label=ClassifyProtectionData cs4=[ classification_by_system\=[Sensitivity\={Secret }], policy_id\=[99f1473d-74f4-47ca-9843-e735f94fa797], policy_name\=[HCAD Secret], policy_type\=[company_policy], error\=[false] ]

CEF Key Names (Extension Fields)

CEF Extension Field	HaloCORE Log Entry	Description
`deviceCustomDate1Label`	`exportTime`	The actual date time of the export event.
`deviceCustomDate1`	`Apr 11 2024 04:59:42 UTC`	The actual date time of the export event.
`externalId`	`000C299ECF5B1EECA89F00606AF66E16`	A name that uniquely identifies the device generating this event. The hexadecimal representation of SAP Download LogID with base 32.
`deviceCustomDate2Label`	`logTime`	The actual date time of the export event.
`deviceCustomDate2`	`Apr 11 2024 04:59:48 UTC`	The actual date time of the export event.
`act`	`unblocked;labeled;protected`	Action taken, if the export was: blocked if the exported file got classified (labeling) and if the exported file got protected XXL display Spool printing
`fname`	`export.XLSX`	The filename of the exported file can be null for copy paste events.
`filePath`	`D:\SAP Downloads\`	The location where the file was saved.
`fileType`	`OOXML`	File type can be null, if not available, or unknown.
`fsize`	`4811`	Original file size or copied data size.
`in`	`35840`	Downloaded file size can be larger than fsize if protection was applied.
`shost`	`HTECLNT800`	Source (SAP) system from which the data was exported.
`duser, type:SAP`	`JOHN, SAP`	Name of the user who triggered the export, with the type of user. Hint: The complete name is not persistently logged; it is read from the user master at the time of the log display.
`dst`	`10.41.14.98`	The IP address of the destination system.
requestClientApplication	`[null]`	The User-Agent associated with the request.
`cs2Label`	`DataDestination`	It is a custom label.
`cs2`	`[ platform\=[Windows NT], browser\=[null], browser_version\=[null], device_type\=[Unknown], terminal_id\=[JOHN] ]`	Platform −> OS Terminal_id −> hostname of the destination
`cs3Label`	`DataOrigin`	It is a custom label.
`cs3`	cs3=[ source_type\=[Netweaver], system_name\=[HTECLNT800], tcode\=[SE16], app_component\=[BC-CTS-CCO], table_names\=[T000], app_package\=[STRM], program_name\=[/1BCDWB/DBT000], web_dynpro_app\=[null], attributes\=[{ key\=[Runtime - Modifying File (Milliseconds)], value\=[2203], type\=[DD] }, { key\=[Template Name], value\=[HCAD CONFIDENTIAL], type\=[DD] }, { key\=[Template UID], value\=[1521571f-b5ab-406a-8237-69dc295a51c7], type\=[DD] }, { key\=[Total Runtime (Milliseconds)], value\=[20670], type\=[DD] }], report_criteria\=[{ rpt_slc_sign\=, rpt_slc_type\=C, rpt_slc_kind\=S,...	Indicates where the data originated. Transaction, table, application_component and more, comes from the HaloCORE SAP Add-On. Universes, dimensions, measures, data Providers and more, come from the HaloCORE BO Add-On. Hint: The Transaction text is not persistently logged; it is read from the Data Dictionary at the time of log display.
`cs4Label`	`ClassifyProtectionData`	It is a custom label.
`cs4`	`[ classification_by_system\=[Sensitivity\={Secret }], policy_id\=[1521571f-b5ab-406a-8237-69dc295a51c7], policy_name\=[HCAD CONFIDENTIAL], policy_type\=[company_policy], error\=[false] ]`	Classification_by_system, what the system found for classification. Classification_by_user, what the user chose for the classification. DOM is for Domain. SENS is for Sensitivity. ORG is for organization. Policy_id, UID of the policy. Policy_name, readable name of the policy.

Extension Fields

Why LEEF Standard?

The Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar that contains readable and easily processed events for QRadar.

Syslog and LEEF Header

The LEEF format consists of a Syslog header, a LEEF header, and event attributes. The Syslog header is an optional field. The Syslog header contains the timestamp and IPv4 address or hostname of the system that sends the event. The LEEF header is a required field for LEEF events. The LEEF header is a pipe delimited (|) set of values that identifies your software or appliance to QRadar. Event attributes identify the payload information of the event that is produced by your appliance or software. Every event attribute is a key-value pair with a tab that separates individual payload events.

Syslog Header │ LEEF Header │[Event Attributes]

LEEF format

16:35:19.400 LEEF:2.0|Secude|HaloCORE|6.7.0.3|100|^|exportTime=Oct 17 2024 11:05:17 UTC^eventName=user download^externalId=000C29D631DD1EDFA38EF4F45D6C4F79^logTime=Oct 17 2024 11:05:19 UTC^act=unblocked;labeled;protected^fname=Vendor.tsv.pfile^filePath=C:\Users\Administrator\Desktop\SAP Downloads\^ftype=TSV^fsize=1298694^fdwnsize=1321311^shost=HTE_800^usrName=JOHN,type:SAP^dst=10.41.14.69^usrAgent=[null]^dataDestination=[ platform=[Windows NT], browser=[null], browser_version=[null], device_type=[Unknown], terminal_id=[SVLU0306] ]^dataOrigin=[ source_type=[Netweaver], system_name=[HTE_800], client_type=[SAP], tcode=[S_ALR_87012086], app_component=[FI-GL-IS], table_names=[], app_package=[FREP], program_name=[RFKKVZ00], web_dynpro_app=[null], attributes=[ {key=[Runtime - Modifying File (Milliseconds)], value=[4251], type=[DD]}, {key=[Label Name], value=[HCAD Secret], type=[DD]}, {key=[Label UID], value=[99f1473d-74f4-47ca-9843-e735f94fa797], type=[DD]}, {key=[Total Runtime (Milliseconds)], value=[14292], type=[DD]} ], report_criteria=[ {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-XBRSEQU, rpt_slc_text=Process Line Items Sequentiall, rpt_slc_low=, rpt_slc_name=ALCUR, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-KKVZCPDK, rpt_slc_text=One-time vendors, rpt_slc_low=, rpt_slc_name=CPDKONTO, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=D, rpt_slc_kind=P, rpt_slc_bscType=DATE, rpt_slc_dtype=DATE, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=.00.0000, rpt_slc_dbref=BKPF-BUDAT, rpt_slc_text=Posting Date, rpt_slc_low=.00.0000, rpt_slc_name=EXCDT, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-ALLGINLD, rpt_slc_text=?...(INLAND), rpt_slc_low=, rpt_slc_name=INLAND, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=S, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=LFB1-AKONT, rpt_slc_text=Reconciliation acct, rpt_slc_low=, rpt_slc_name=KD_AKONT, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=S, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=LFB1-BUKRS, rpt_slc_text=?...(KD_BUKRS), rpt_slc_low=, rpt_slc_name=KD_BUKRS, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=S, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=LFB1-BUSAB, rpt_slc_text=Accounting clerk, rpt_slc_low=, rpt_slc_name=KD_BUSAB, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=S, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=LFA1-KONZS, rpt_slc_text=Group key, rpt_slc_low=, rpt_slc_name=KD_KONZS, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=S, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=LFA1-LAND1, rpt_slc_text=Country, rpt_slc_low=, rpt_slc_name=KD_LAND1, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=S, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=LFA1-LIFNR, rpt_slc_text=?...(KD_LIFNR), rpt_slc_low=, rpt_slc_name=KD_LIFNR, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=, rpt_slc_text=KD_NOAUT, rpt_slc_low=, rpt_slc_name=KD_NOAUT, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=, rpt_slc_text=KD_NOOAP, rpt_slc_low=, rpt_slc_name=KD_NOOAP, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=S, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=LFA1-VBUND, rpt_slc_text=Trading Partner, rpt_slc_low=, rpt_slc_name=KD_VBUND, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=1, rpt_slc_dbref=RFPDO-KKVZKSOR, rpt_slc_text=Account Sorting, rpt_slc_low=1, rpt_slc_name=KONTSORT, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=5, rpt_slc_dbref=RFPDO-KKVZPOST, rpt_slc_text=Communication with vendor, rpt_slc_low=5, rpt_slc_name=KURZLIST, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-ALLGLOEZ, rpt_slc_text=Only with delete flag, rpt_slc_low=, rpt_slc_name=LOESCHV, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-KKVZMIKF, rpt_slc_text=Print Microfiche Line, rpt_slc_low=, rpt_slc_name=MI-FICHE, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-KKVZADTE, rpt_slc_text=Address and telecom (master), rpt_slc_low=, rpt_slc_name=PA-A20, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-KKVZKOST, rpt_slc_text=Account control and status, rpt_slc_low=, rpt_slc_name=PA-A3B2, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-KKVZSTEU, rpt_slc_text=Tax info. and references, rpt_slc_low=, rpt_slc_name=PA-A40, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-ALLGMWID, rpt_slc_text=Additional VAT reg.numbers, rpt_slc_low=, rpt_slc_name=PA-A50, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-KKVZQUPF, rpt_slc_text=Subject to Withhold. Tax, rpt_slc_low=, rpt_slc_name=PA-A55, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-KKVZBANK, rpt_slc_text=Bank Data, rpt_slc_low=, rpt_slc_name=PA-A60, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-KKVZZAHL, rpt_slc_text=Payment Data, rpt_slc_low=, rpt_slc_name=PA-A7B5, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-ALLGLISB, rpt_slc_text=List of Company Codes, rpt_slc_low=, rpt_slc_name=PA-A90, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-ALLGADBK, rpt_slc_text=Creation data for company code, rpt_slc_low=, rpt_slc_name=PA-B10, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-ALLGVERZ, rpt_slc_text=Interest Calculation, rpt_slc_low=, rpt_slc_name=PA-B30, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-KKVZQUST, rpt_slc_text=Withholding Tax, rpt_slc_low=, rpt_slc_name=PA-B40, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-ALLGREFD, rpt_slc_text=Reference Data, rpt_slc_low=, rpt_slc_name=PA-B45, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-KKVZMAHN, rpt_slc_text=Dunning Data, rpt_slc_low=, rpt_slc_name=PA-B60, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-KKVZKORR, rpt_slc_text=Vendor correspondence, rpt_slc_low=, rpt_slc_name=PA-B70, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO3-ALLGEQST, rpt_slc_text=Extended Withholding Tax, rpt_slc_low=, rpt_slc_name=PA-B80, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=C, rpt_slc_bscType=BOOLEAN, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=false, rpt_slc_dbref=, rpt_slc_text=Only with ext. withholding tax, rpt_slc_low=, rpt_slc_name=PA-B85, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO-ALLGSPZB, rpt_slc_text=Only with posting block, rpt_slc_low=, rpt_slc_name=SPERRKZ, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO1-ALLGLINE, rpt_slc_text=Additional Heading, rpt_slc_low=, rpt_slc_name=TITLE, rpt_slc_high=}, {rpt_slc_sign=, rpt_slc_type=C, rpt_slc_kind=P, rpt_slc_bscType=STRING, rpt_slc_dtype=CHAR, rpt_slc_optional=, rpt_slc_dynnr=1000, rpt_slc_value=, rpt_slc_dbref=RFPDO1-ALLGALTK, rpt_slc_text=Alternative Account Number, rpt_slc_low=, rpt_slc_name=XALTKT, rpt_slc_high=} ] ]^classifyProtectionData=[ classification_by_system=[Sensitivity={Secret }], policy_id=[99f1473d-74f4-47ca-9843-e735f94fa797], policy_name=[HCAD Secret], policy_type=[company_policy], error=[false] ]

LEEF format sample

Format	Description	Example
Syslog Header	The Syslog header contains the timestamp.	17:10:28.743
LEEF Header	LEEF:version	An integer value that identifies the major and minor version of the LEEF format that is used for the event, for example, `LEEF:1.0\|Vendor\|Product\|Version\|EventID\|`
	Product name	A text string that identifies the product that sends the event log to QRadar, for example, `LEEF:2.0\|Secude\|HaloCORE\|6.7.0.0\|100\|`
	Product version	A string that identifies the version of the software or appliance that sends the event log, for example, `LEEF:2.0\|Secude\|HaloCORE\|6.7.0.0\|100\|`
	EventID	A unique identifier for an event.
	Delimiter Character	Pipe Specifies an alternative delimiter to the attributes. You can use a single character or the hex value for that character. The hex value can be represented by the prefix 0x or x, followed by a series of 1-4 characters (0-9A-Fa-f).
Event Attributes	Predefined Key Entries	A set of key-value pairs that provide detailed information about the security event. Each event attribute must be separated by a tab or the delimiter character, but the order of attributes is not enforced.

LEEF Header details

LEEF Key Names (Extension Fields)

LEEF Extension Field	HaloCORE Log Entry	Description
`exportTime`	`Apr 11 2024 04:43:44 UTC`	The actual date time of the export event in format - MMM dd yyyy HH:mm:ss.SSS
`eventName`	`userdownload`	The event occurred.
`externalId`	`000C299ECF5B1EECA89EB6E55BB90E16`	A name that uniquely identifies the device generating this event. The hexadecimal representation of SAP Download LogID with base 32.
`logTime`	`Apr 11 2024 04:43:53 UTC`	The actual date time of the export event.
`act`	`unblocked;labeled;protected`	Action taken, if the export was: blocked if the exported file got classified (labeling) and if the exported file got protected XXL display Spool printing
`fname`	`Export_Table`	The filename of the exported file can be null for copy paste events.
`filePath`	`D:\SAP Downloads\`	The location where the file was saved.
`ftype`	`OOXML`	File type can be null, if not available, or unknown.
`fsize`	`4811`	Original file size or copied data size.
`fdwnsize`	`35840`	Downloaded file size can be larger than fsize if protection was applied.
`shost`	`HTECLNT800`	Source (SAP) system from which the data was exported.
`usrName`	`JOHN,type:SAP`	Name of the user who triggered the export, with the type of user. Hint: The complete name is not persistently logged; it is read from the user master at the time of the log display.
`dst`	`10.41.14.98`	The IP address of the destination system.
`usrAgent`	`[null]`	The User-Agent associated with the request
`dataDestination`	`[ platform=[Windows NT], browser=[null], browser_version=[null], device_type=[Unknown], terminal_id=[JOHN]`	Platform −> OS Terminal_id −> hostname of the destination. File_path −> location where the file was saved.
`dataOrigin`	dataOrigin=[ source_type=[Netweaver], system_name=[HTECLNT800], tcode=[SE16], app_component=[BC-CTS-CCO], table_names=[T000], app_package=[STRM], program_name=[/1BCDWB/DBT000], web_dynpro_app=[null], attributes=[ {key=[Runtime - Modifying File (Milliseconds)], value=[13156], type=[DD]}, {key=[Template Name], value=[HCAD CONFIDENTIAL], type=[DD]}, {key=[Template UID], value=[1521571f-b5ab-406a-8237-69dc295a51c7], type=[DD]}, {key=[Total Runtime (Milliseconds)], value=[49709], type=[DD]} ], report_criteria=[ {rpt_slc_sign=, rpt_slc_type=C, ...	Indicates where the data originated. Transaction, table, application_component and more, comes from the HaloCORE SAP Add-On. Universes, dimensions, measures, data Providers and more, come from the HaloCORE BO Add-On. Hint: The Transaction text is not persistently logged; it is read from the Data Dictionary at the time of log display.
`classifyProtectionData`	`[ classification_by_system=[Sensitivity={Secret }], policy_id=[1521571f-b5ab-406a-8237-69dc295a51c7], policy_name=[HCAD CONFIDENTIAL], policy_type=[company_policy], error=[false] ]`	It is a custom label. It holds the classification and label information. Classification_by_system, what the system found for classification. Classification_by_user, what the user chose for the classification. Policy_id, UID of the policy. Policy_name, readable name of the policy.

Extension Fields

Why JSON Standard?

The JSON format is a lightweight text-based interchange format used for serializing and transmitting structured data over the network connection. Furthermore, it supports Security Information and Event Management solutions (e.g., Microsoft Azure Sentinel, Splunk, etc.,) seamlessly.

JSON syntax is considered as a subset of JavaScript syntax; it includes the following:

Data is represented in name/value pairs.
Curly braces hold objects and each name is followed by ':'(colon), the name/value pairs are separated by ','(comma).
Square brackets hold arrays and values are separated by ','(comma).

16:39:21.113 {"log_id":"000C29D631DD1EDFA38F07189080EF79","product":"HaloCORE","source_host":{"shost":"HTE_800"},"protection":{"policy_id":"99f1473d-74f4-47ca-9843-e735f94fa797","extended_tags":[],"policy_name":"HCAD Secret","error":false},"destination_info":{"hostname":"SVLU0306","destination_attributes":[],"destination_ip":"10.41.14.69","os":"Windows NT","recipients":[],"browser":"null","device_type":"Unknown","browser_version":"null","user_agent":"null"},"classification":{"classification_by_system":["Sensitivity=Secret"],"classification_by_user":[]},"version":"6.7.0.3","log_time":"Oct 17 2024 11:09:21 UTC","event_id":100,"data_origin":{"generic_info":"null","sap_info":{"tcode":"S_ALR_87012086","app_component":["FI","GL","IS"],"table_names":[],"app_package":"FREP","program_name":"RFKKVZ00","attributes":[{"type":"DD","value":"3647","key":"Runtime - Modifying File (Milliseconds)"},{"type":"DD","value":"HCAD Secret","key":"Label Name"},{"type":"DD","value":"99f1473d-74f4-47ca-9843-e735f94fa797","key":"Label UID"},{"type":"DD","value":"14383","key":"Total Runtime (Milliseconds)"}]},"system_name":"HTE_800","report_criteria":[{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-XBRSEQU","rpt_slc_text":"Process Line Items Sequentiall","rpt_slc_low":"","rpt_slc_name":"ALCUR","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-KKVZCPDK","rpt_slc_text":"One-time vendors","rpt_slc_low":"","rpt_slc_name":"CPDKONTO","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"D","rpt_slc_kind":"P","rpt_slc_bscType":"DATE","rpt_slc_dtype":"DATE","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":".00.0000","rpt_slc_dbref":"BKPF-BUDAT","rpt_slc_text":"Posting Date","rpt_slc_low":".00.0000","rpt_slc_name":"EXCDT","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-ALLGINLD","rpt_slc_text":"?...(INLAND)","rpt_slc_low":"","rpt_slc_name":"INLAND","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"S","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"LFB1-AKONT","rpt_slc_text":"Reconciliation acct","rpt_slc_low":"","rpt_slc_name":"KD_AKONT","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"S","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"LFB1-BUKRS","rpt_slc_text":"?...(KD_BUKRS)","rpt_slc_low":"","rpt_slc_name":"KD_BUKRS","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"S","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"LFB1-BUSAB","rpt_slc_text":"Accounting clerk","rpt_slc_low":"","rpt_slc_name":"KD_BUSAB","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"S","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"LFA1-KONZS","rpt_slc_text":"Group key","rpt_slc_low":"","rpt_slc_name":"KD_KONZS","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"S","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"LFA1-LAND1","rpt_slc_text":"Country","rpt_slc_low":"","rpt_slc_name":"KD_LAND1","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"S","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"LFA1-LIFNR","rpt_slc_text":"?...(KD_LIFNR)","rpt_slc_low":"","rpt_slc_name":"KD_LIFNR","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"","rpt_slc_text":"KD_NOAUT","rpt_slc_low":"","rpt_slc_name":"KD_NOAUT","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"","rpt_slc_text":"KD_NOOAP","rpt_slc_low":"","rpt_slc_name":"KD_NOOAP","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"S","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"LFA1-VBUND","rpt_slc_text":"Trading Partner","rpt_slc_low":"","rpt_slc_name":"KD_VBUND","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"1","rpt_slc_dbref":"RFPDO-KKVZKSOR","rpt_slc_text":"Account Sorting","rpt_slc_low":"1","rpt_slc_name":"KONTSORT","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"5","rpt_slc_dbref":"RFPDO-KKVZPOST","rpt_slc_text":"Communication with vendor","rpt_slc_low":"5","rpt_slc_name":"KURZLIST","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-ALLGLOEZ","rpt_slc_text":"Only with delete flag","rpt_slc_low":"","rpt_slc_name":"LOESCHV","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-KKVZMIKF","rpt_slc_text":"Print Microfiche Line","rpt_slc_low":"","rpt_slc_name":"MI-FICHE","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-KKVZADTE","rpt_slc_text":"Address and telecom (master)","rpt_slc_low":"","rpt_slc_name":"PA-A20","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-KKVZKOST","rpt_slc_text":"Account control and status","rpt_slc_low":"","rpt_slc_name":"PA-A3B2","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-KKVZSTEU","rpt_slc_text":"Tax info. and references","rpt_slc_low":"","rpt_slc_name":"PA-A40","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-ALLGMWID","rpt_slc_text":"Additional VAT reg.numbers","rpt_slc_low":"","rpt_slc_name":"PA-A50","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-KKVZQUPF","rpt_slc_text":"Subject to Withhold. Tax","rpt_slc_low":"","rpt_slc_name":"PA-A55","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-KKVZBANK","rpt_slc_text":"Bank Data","rpt_slc_low":"","rpt_slc_name":"PA-A60","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-KKVZZAHL","rpt_slc_text":"Payment Data","rpt_slc_low":"","rpt_slc_name":"PA-A7B5","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-ALLGLISB","rpt_slc_text":"List of Company Codes","rpt_slc_low":"","rpt_slc_name":"PA-A90","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-ALLGADBK","rpt_slc_text":"Creation data for company code","rpt_slc_low":"","rpt_slc_name":"PA-B10","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-ALLGVERZ","rpt_slc_text":"Interest Calculation","rpt_slc_low":"","rpt_slc_name":"PA-B30","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-KKVZQUST","rpt_slc_text":"Withholding Tax","rpt_slc_low":"","rpt_slc_name":"PA-B40","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-ALLGREFD","rpt_slc_text":"Reference Data","rpt_slc_low":"","rpt_slc_name":"PA-B45","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-KKVZMAHN","rpt_slc_text":"Dunning Data","rpt_slc_low":"","rpt_slc_name":"PA-B60","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-KKVZKORR","rpt_slc_text":"Vendor correspondence","rpt_slc_low":"","rpt_slc_name":"PA-B70","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO3-ALLGEQST","rpt_slc_text":"Extended Withholding Tax","rpt_slc_low":"","rpt_slc_name":"PA-B80","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"C","rpt_slc_bscType":"BOOLEAN","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"false","rpt_slc_dbref":"","rpt_slc_text":"Only with ext. withholding tax","rpt_slc_low":"","rpt_slc_name":"PA-B85","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO-ALLGSPZB","rpt_slc_text":"Only with posting block","rpt_slc_low":"","rpt_slc_name":"SPERRKZ","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO1-ALLGLINE","rpt_slc_text":"Additional Heading","rpt_slc_low":"","rpt_slc_name":"TITLE","rpt_slc_high":""},{"rpt_slc_sign":"","rpt_slc_type":"C","rpt_slc_kind":"P","rpt_slc_bscType":"STRING","rpt_slc_dtype":"CHAR","rpt_slc_optional":"","rpt_slc_dynnr":"1000","rpt_slc_value":"","rpt_slc_dbref":"RFPDO1-ALLGALTK","rpt_slc_text":"Alternative Account Number","rpt_slc_low":"","rpt_slc_name":"XALTKT","rpt_slc_high":""}],"pre_process_info":[],"source_type":"Netweaver","client_type":"SAP","plm_info":"null","bi_info":"null"},"user_info":{"user_email":"null","user_type":"SAP","user_name":"JOHN"},"file_info":{"file_path":"C:\\Users\\Administrator\\Desktop\\SAP Downloads\\","file_name":"Acc.tsv.pfile","file_type":"TSV","download_file_size":1321311,"original_file_size":1298694},"action":["unblocked","labeled","protected"],"export_time":"Oct 17 2024 11:09:20 UTC","event":"user download"}

JSON format

JSON Key Names (Extension Fields)

JSON Field	HaloCORE Log Entry	Description
`log_id`	`000C2915527B1EDE9E914D4FCE2960B4`	A name that uniquely identifies the device generating this event. The hexadecimal representation of SAP Download LogID with base 32.
`product`	`HaloCORE, protection`	A text string that identifies the product that sends the event log.
`policy_id`	`b23e58ab-ef3a-4aee-bfde-0efa3a279ac9`	UID of the policy
`extended_tags`	`[]`	Additional information set in HaloENGINE for the clients.
`policy_name`	`QC_Confidential, error:false`	Name of the applied policy
`destination_info`	`"hostname":"DESKTOP-JTN37P4","destination_attributes":[]`	Platform --> OS Terminal_id --> hostname of the destination File_path --> location where the file was saved
`destination_ip`	`10.0.2.15`	The IP address of the destination system.
`os`	`Windows NT`	Type of operating system used to download
`recipients`	`[]`	E-mail recipients from e-mail
`browser`	`null`	Type of browser used
`device_type`	`Unknown`	Type of device used for upload and export
`browser_version`	`null`	Browser version
`user_agent`	`null`	The User-Agent associated with the request.
`classification`	`"classification_by_system":["TEST=T4"]`	It is a custom label.
`classification_by_user`	`[]`	Classification_by_user, what the user chose for the classification. DOM is for Domain. SENS is for Sensitivity. ORG is for organization.
`version`	`6.7.0.0`	A string that identifies the version of the software or appliance that sends the event log.
`log_time`	`Apr 01 2024 07:44:10 UTC`	The actual date time of the log event
`event_id`	`100`	Event ID is a unique identifier per event-type (download, sent as attachment, copy paste).
`data_origin`	"generic_info":"null","sap_info":{"tcode":"SE16","app_component":["BC","CTS","CCO"],"table_names":["T000"],"app_package":"STRM","program_name":"/1BCDWB/DBT000","attributes":[{"type":"DD","value":"906","key":"Runtime - Modifying File (Milliseconds)"},{"type":"DD","value":"QC_Confidential","key":"Label Name"},{"type":"DD","value":"b23e58ab-ef3a-4aee-bfde-0efa3a279ac9","key":"Label UID"},{"type":"DD","value":"5924","key":"Total Runtime (Milliseconds)"}]},"system_name":"QI1_800","report_criteria":[{"rpt_slc_sign":"","rpt_slc_type":"C"...	Indicates where the data originated. Transaction, table, application_component and more, comes from the HaloCORE SAP Add-On. Universes, dimensions, measures, data Providers and more, come from the HaloCORE BO Add-On. Hint: The Transaction text is not persistently logged; it is read from the Data Dictionary at the time of log display.
`user_info`	`{"user_email":"null","user_type":"SAP","user_name":"john"}`	Name, email, and type of user who triggered the export, with the type of user.
`file_info`	`{"file_path":"C:\\Users\\User2\\Documents\\SAP\\SAP GUI\\","file_name":"asdf.rtf.pfile","file_type":"RTF","download_file_size":49792,"original_file_size":11966}`	File type can be null, if not available, or unknown.
`action`	`["unblocked","labeled","protected"],"export_time":"Nov 01 2023 07:44:07 UTC","event":"user download"`	Action taken, if the export was: blocked if the exported file got classified (labeling) and if the exported file got protected XXL display Spool printing

JSON details