CEF to CSL
Synopsis
Parses a CEF message and maps it directly to Microsoft Sentinel's Common Security Log (CommonSecurityLog) schema in one fused pass, replacing the manual cef + normalize + move (+ enforce_schema) processor chain.
For details of CEF, see Appendix.
Schema
- cef_to_csl:
field: <ident>
use_table: <boolean>
use_kv_parser: <boolean>
description: <text>
if: <script>
tag: <string>
disabled: <boolean>
ignore_failure: <boolean>
on_failure: <processor[]>
on_success: <processor[]>
Configuration
The following fields are used to define the processor:
| Field | Required | Default | Description |
|---|---|---|---|
field | Y | Field containing the raw CEF message to convert. Must be a string starting with CEF: | |
use_table | N | false | Write the mapped fields into the typed CommonSecurityLog virtual table instead of the event map. The table must already exist (create_table) |
use_kv_parser | N | false | Parse the CEF extension field with the generic key-value parser instead of the built-in CEF-aware extension scanner |
description | N | Explanatory note | |
if | N | Condition to run | |
tag | N | Identifier | |
disabled | N | false | Skip this processor |
ignore_failure | N | false | See Handling Failures |
on_failure | N | See Handling Failures | |
on_success | N | See Handling Success |
Details
cef_to_csl parses the raw CEF message and hands the resulting fields straight to the internal cef→csl mapping in one pass, without ever materializing an intermediate cef object, a separate normalize step, or a move-to-root step. The result already reflects the same CSL schema enforcement that a manual cef + normalize + move + enforce_schema chain would produce—no separate enforce_schema step is needed afterward, and ignore_rules-style schema enforcement is not configurable on this processor; it always applies.
field must resolve to a string starting with CEF:. If the field is missing, is not a string, or does not start with CEF:, the processor fails. There is no ignore_missing option on this processor—unlike the plain cef parsing processor, a missing field is handled the same way as any other failure, through ignore_failure/on_failure.
use_table: false (default)
The mapped CSL fields replace the entire event map. Every field that existed on the event before this processor ran—including the source field itself—is discarded, except system (_vmetric) fields and any virtual tables already created on the entry.
use_table: true
Nothing is written to the event map. Instead, the mapped fields are written directly into the typed CommonSecurityLog virtual table, and the log entry's output source switches to that table. The table is not created by this processor—it must already exist via create_table; the caller owns the table's lifecycle (creation, truncation, dropping). The event map itself is left untouched. Field-for-field, the values written are identical to the use_table: false path—only the storage target differs.
use_kv_parser
Selects a generic key=value parser for the CEF extension field (the part of the message after the seven pipe-delimited header fields) instead of the built-in CEF-aware extension scanner. leef_to_csl has no equivalent option—LEEF's body is always parsed by a single dedicated LEEF tokenizer.
Unmapped fields
CEF extension fields with no corresponding CSL schema column are folded into AdditionalExtensions as key=value pairs joined with ;, in the order they appear in the source message.
Distinct from the cef processor
cef_to_csl is not the CEF parser. The cef processor parses a CEF message into a structured object at target_field (leaving the rest of the event untouched) and supports target_field/ignore_missing; cef_to_csl skips that intermediate object entirely and converts straight to CSL, replacing the event map (or writing to a table) and supporting neither target_field nor ignore_missing. For LEEF, see the sibling LEEF to CSL processor.
Examples
Basic Conversion
Converting a raw CEF message straight to CSL fields... | |
replaces the entire event map with the mapped CSL fields; unmapped extensions fold into | |
Writing into the CommonSecurityLog Table
Creating the typed table first, then converting with | |
writes the same mapped fields into the | |
Error Handling
Handling a field that isn't a valid CEF message... | |
leaves the event map untouched and adds an error tag instead of failing the pipeline... | |