New-CEFMessage
NAME New-CEFMessage
SYNOPSIS
Creates a CEF message string (without a SYSLOG prefix) that will typically be sent via SYSLOG or written to a file
SYNTAX
New-CEFMessage [-DeviceVendor] <String> [-DeviceProduct] <String> [-DeviceVersion] <String> [-DeviceEventClassId]
<String> [-Name] <String> [-Severity] <Int32> [-deviceDirection {inbound | outbound}] [-type {Base | Aggregated |
Correlation | Action}] [-c6a1 <IPAddress>] [-c6a2 <IPAddress>] [-c6a3 <IPAddress>] [-c6a4 <IPAddress>]
[-destinationTranslatedAddress <IPAddress>] [-deviceTranslatedAddress <IPAddress>] [-dst <IPAddress>] [-dvc
<IPAddress>] [-sourceTranslatedAddress <IPAddress>] [-src <IPAddress>] [-dmac <String>] [-dvcmac <String>] [-smac
<String>] [-cn1 <Int32>] [-cn2 <Int32>] [-cn3 <Int32>] [-cnt <Int32>] [-destinationTranslatedPort <Int32>] [-dpid
<Int32>] [-dpt <Int32>] [-dvcpid <Int32>] [-flexNumber1 <Int32>] [-flexNumber2 <Int32>] [-fsize <Int32>] [-in
<Int32>] [-oldFileSize <Int32>] [-out <Int32>] [-sourceTranslatedPort <Int32>] [-spid <Int32>] [-spt <Int32>]
[-deviceCustomDate1 <String>] [-deviceCustomDate2 <String>] [-end <String>] [-fileCreateTime <String>]
[-fileModificationTime <String>] [-flexDate1 <String>] [-oldFileCreateTime <String>] [-OldFileModificationTime
<String>] [-rt <String>] [-start <String>] [-cfp1 <Single>] [-cfp2 <Single>] [-cfp3 <Single>] [-cfp4 <Single>]
[-act <String>] [-app <String>] [-cs1 <String>] [-cs2 <String>] [-cs3 <String>] [-cs4 <String>] [-cs5 <String>]
[-cs6 <String>] [-destinationDnsDomain <String>] [-destinationServiceName <String>] [-deviceExternalId <String>]
[-deviceFacility <String>] [-deviceInboundInterface <String>] [-deviceNtDomain <String>] [-deviceOutboundInterface
<String>] [-devicePayloadId <String>] [-deviceProcessName <String>] [-dhost <String>] [-dntdom <String>] [-dpriv
<String>] [-dproc <String>] [-dtz <String>] [-duid <String>] [-duser <String>] [-dvchost <String>] [-externalId
<String>] [-fileHash <String>] [-fileId <String>] [-filePath <String>] [-filePermission <String>] [-fileType
<String>] [-flexstring1 <String>] [-flexstring2 <String>] [-fname <String>] [-msg <String>] [-oldFileHash
<String>] [-oldFileId <String>] [-oldFileName <String>] [-oldFilePath <String>] [-oldFilePermission <String>]
[-oldFileType <String>] [-outcome <String>] [-proto <String>] [-reason <String>] [-request <String>]
[-requestClientApplication <String>] [-requestContext <String>] [-requestCookies <String>] [-requestMethod
<String>] [-shost <String>] [-sntdom <String>] [-sourceDnsDomain <String>] [-sourceServiceName <String>] [-spriv
<String>] [-sproc <String>] [-suid <String>] [-suser <String>] [-CustomExtensionRawString <String>] [-c6a1Label
<String>] [-c6a2Label <String>] [-c6a3Label <String>] [-c6a4Label <String>] [-cfp1Label <String>] [-cfp2Label
<String>] [-cfp3Label <String>] [-cfp4Label <String>] [-cn1Label <String>] [-cn2Label <String>] [-cn3Label
<String>] [-cs1Label <String>] [-cs2Label <String>] [-cs3Label <String>] [-cs4Label <String>] [-cs5Label <String>]
[-cs6Label <String>] [-deviceCustomDate1Label <String>] [-deviceCustomDate2Label <String>] [-flexDate1Label
<String>] [-flexNumber1Label <String>] [-flexNumber2Label <String>] [-flexString1Label <String>]
[-flexString2Label <String>] [<CommonParameters>]
DESCRIPTION
Generates a properly formatted CEF message (CEF version 0, as specified in CommonEventFormatv23.pdf): the mandatory pipe-delimited header
CEF:0|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|
followed by the optional extension fields as space-separated key=value pairs. The six required positional parameters fill the header; the remaining parameters are named after the CEF extension keys they populate (apart from -CustomExtensionRawString, which appends raw key=value text).
PARAMETERS
-DeviceVendor <String>
Specifies the value to use for the "Device Vendor" portion of the CEF message header
Required? true
Position? 1
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-DeviceProduct <String>
Specifies the value to use for the "Device Product" portion of the CEF message header
Required? true
Position? 2
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-DeviceVersion <String>
Specifies the value to use for the "Device Version" portion of the CEF message header
Required? true
Position? 3
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-DeviceEventClassId <String>
Specifies the value to use for the "Device Event Class ID" portion of the CEF message header
Required? true
Position? 4
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-Name <String>
Specifies the value to use for the "Name" portion of the CEF message header
Required? true
Position? 5
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false
-Severity <Int32>
Specifies the severity value from 0 to 10 (0=lowest, 10=highest) to use for the "Severity" portion of the CEF
message header
Required? true
Position? 6
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceDirection {inbound | outbound}
Enumerated extension fields (this parameter and -type). Specifies whether the event travelled inbound or outbound relative to the reporting device; the value must be one of the two listed choices and is rejected at parameter binding otherwise.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-type {Base | Aggregated | Correlation | Action}
Specifies the CEF event type; the value must be one of the four listed choices.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-c6a1 <IPAddress>
IP-address extension fields (this parameter and the following [IPAddress] parameters through -src). Values are converted to [System.Net.IPAddress] during parameter binding, so a malformed address is rejected before any message is built. c6a1 through c6a4 are the custom IPv6 address slots and should be paired with their -c6aNLabel parameters so the receiver knows what they mean.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-c6a2 <IPAddress>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-c6a3 <IPAddress>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-c6a4 <IPAddress>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-destinationTranslatedAddress <IPAddress>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceTranslatedAddress <IPAddress>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dst <IPAddress>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dvc <IPAddress>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-sourceTranslatedAddress <IPAddress>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-src <IPAddress>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dmac <String>
MAC-address extension fields (this parameter, -dvcmac and -smac), supplied as strings with no format validation documented here. The example below uses 'xx-xx-xx-xx-xx-xx'; the CEF guide writes MAC addresses colon-separated ('00:0D:60:AF:1B:61'), so normalise the value first if the receiving parser is strict.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dvcmac <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-smac <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cn1 <Int32>
Integer extension fields (this parameter and the following [Int32] parameters through -spt). The 'Default value 0' shown for these is the .NET default of an unset [Int32]; this page does not document whether an omitted parameter and an explicit 0 produce the same output, so check the result when a literal 0 matters (for example -cnt 0).
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cn2 <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cn3 <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cnt <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-destinationTranslatedPort <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dpid <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dpt <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dvcpid <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexNumber1 <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexNumber2 <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-fsize <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-in <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-oldFileSize <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-out <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-sourceTranslatedPort <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-spid <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-spt <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceCustomDate1 <String>
Timestamp extension fields, passed through as strings (this parameter and the following date/time parameters through -start). No format is enforced here; CEF consumers accept milliseconds since the Unix epoch or a textual form such as 'MMM dd yyyy HH:mm:ss' (optionally with milliseconds and a time zone), so format the value yourself before passing it.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceCustomDate2 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-end <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-fileCreateTime <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-fileModificationTime <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexDate1 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-oldFileCreateTime <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-OldFileModificationTime <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-rt <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-start <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cfp1 <Single>
Floating-point extension fields (this parameter and -cfp2 through -cfp4), typed as single-precision [Single]. Values with more than about seven significant digits are rounded on conversion; the 3.141592653589 in the example below does not survive intact.
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cfp2 <Single>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cfp3 <Single>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cfp4 <Single>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-act <String>
String extension fields (this parameter and the following [String] parameters through -CustomExtensionRawString). CEF requires a backslash and an equals sign inside an extension value to be escaped as \\ and \=, and line breaks as \n or \r. This page does not say whether New-CEFMessage performs that escaping, so inspect the output before passing it values an attacker can influence (-request, -requestCookies, -msg, -fname); otherwise a crafted value can inject extra key=value pairs into the event.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-app <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs1 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs2 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs3 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs4 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs5 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs6 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-destinationDnsDomain <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-destinationServiceName <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceExternalId <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceFacility <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceInboundInterface <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceNtDomain <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceOutboundInterface <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-devicePayloadId <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceProcessName <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dhost <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dntdom <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dpriv <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dproc <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dtz <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-duid <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-duser <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dvchost <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-externalId <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-fileHash <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-fileId <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-filePath <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-filePermission <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-fileType <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexstring1 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexstring2 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-fname <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-msg <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-oldFileHash <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-oldFileId <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-oldFileName <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-oldFilePath <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-oldFilePermission <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-oldFileType <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-outcome <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-proto <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-reason <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-request <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-requestClientApplication <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-requestContext <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-requestCookies <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-requestMethod <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-shost <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-sntdom <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-sourceDnsDomain <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-sourceServiceName <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-spriv <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-sproc <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-suid <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-suser <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-CustomExtensionRawString <String>
Appends a pre-formatted string of additional key=value pairs to the extension section (see the example below), for CEF keys this function does not expose as parameters. As the name indicates, it is treated as a raw string, so apply CEF escaping to its contents yourself.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-c6a1Label <String>
Label fields for the custom extensions (c6aN, cfpN, cnN, csN and deviceCustomDateN). Each label names the meaning of the matching custom value, for example -cs1 'alpha' -cs1Label 'Campaign'; a custom field sent without its label is hard to interpret on the receiving side.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-c6a2Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-c6a3Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-c6a4Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cfp1Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cfp2Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cfp3Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cfp4Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cn1Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cn2Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cn3Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs1Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs2Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs3Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs4Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs5Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs6Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceCustomDate1Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceCustomDate2Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexDate1Label <String>
Label fields for the flex extensions (flexDate1, flexNumber1 and flexNumber2, flexString1 and flexString2), used the same way as the custom-extension labels above.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexNumber1Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexNumber2Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexString1Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexString2Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
Every parameter accepts pipeline input by property name, so an object whose property names match the parameter names (DeviceVendor, Name, src, ...) binds to them when piped in. -Name additionally accepts input by value, so a plain string piped in becomes the event Name when the other header values are given explicitly.
OUTPUTS
CEF message as a [string]
NOTES
Name: New-CEFMessage
Author: Jared Poeppelman (powershellshock)
-------------------------- EXAMPLE 1 --------------------------
PS C:\>New-CEFMessage -DeviceVendor 'Contoso' -DeviceProduct 'MyPowershellScript' -DeviceVersion '1.0'
-DeviceEventClassId 'Alert' -Name 'Bad Thing Detected' -Severity 10 -externalId 12345 -dmac '01-23-45-67-89-AF'
-src 192.168.1.1 -deviceDirection Outbound -spriv Administrator -Type Base -In 6213467 -cfp1 3.141592653589
-CustomExtensionRawString 'key=value'
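-------------------------- ADDED EXAMPLE: pipeline input and syslog forwarding --------------------------
The following is an added example, not code from posh-cef or its author. It shows the two things the SYNOPSIS and INPUTS sections describe but EXAMPLE 1 does not: binding a batch of event records to New-CEFMessage by property name through the pipeline, and prepending the syslog header that New-CEFMessage deliberately leaves out before sending each line by UDP. It assumes the module is importable as posh-cef; the records, event IDs, user, host and collector address are constructed for illustration.

```powershell
# Added example (not part of posh-cef). Assumes the module imports as 'posh-cef'.
Import-Module posh-cef

# Constructed records: property names match New-CEFMessage parameter names, so
# each object binds by property name when piped (see INPUTS). Values are typed
# to match the parameter types ([ipaddress], [int]) so no coercion is needed.
$records = foreach ($r in @(
        @{ Id = '4625'; Name = 'Failed logon'; Severity = 5; Outcome = 'failure' },
        @{ Id = '4624'; Name = 'Logon';        Severity = 1; Outcome = 'success' }
    )) {
    [pscustomobject]@{
        DeviceVendor       = 'Contoso'
        DeviceProduct      = 'LogonMonitor'
        DeviceVersion      = '1.0'
        DeviceEventClassId = $r.Id
        Name               = $r.Name
        Severity           = [int]$r.Severity
        src                = [ipaddress]'10.0.0.25'
        suser              = 'jdoe'
        dhost              = 'WS01'
        outcome            = $r.Outcome
        # CEF accepts milliseconds since the Unix epoch for timestamp keys
        rt                 = [string][DateTimeOffset]::UtcNow.ToUnixTimeMilliseconds()
    }
}

function Send-CefSyslog {
    # Wraps each CEF line in an RFC 3164 style syslog header and sends it by UDP.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Message,
        [string]$Collector = '127.0.0.1',   # assumed collector address
        [int]$Port = 514,
        [int]$Facility = 4,                 # 4 = security/authorization messages
        [int]$Level = 6                     # 6 = informational
    )
    begin {
        $udp      = New-Object System.Net.Sockets.UdpClient
        $hostName = [System.Net.Dns]::GetHostName()
    }
    process {
        $now = Get-Date
        # RFC 3164 timestamp is 'Mmm dd hh:mm:ss' with a space-padded day and English month names
        $stamp = '{0} {1,2} {2}' -f $now.ToString('MMM', [cultureinfo]::InvariantCulture), $now.Day, $now.ToString('HH:mm:ss')
        # PRI = facility * 8 + severity level, then header, then the CEF payload from New-CEFMessage
        $line  = '<{0}>{1} {2} {3}' -f (($Facility * 8) + $Level), $stamp, $hostName, $Message
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($line)
        [void]$udp.Send($bytes, $bytes.Length, $Collector, $Port)
        $line   # also emit the wire form so it can be inspected or redirected to a file
    }
    end { $udp.Close() }
}

$records | New-CEFMessage | Send-CefSyslog -Collector '10.0.0.5'
```

To write the messages to a file instead, as the SYNOPSIS mentions, replace the Send-CefSyslog stage with Add-Content; the CEF line itself is unchanged either way, only the syslog prefix is dropped.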
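-------------------------- ADDED EXAMPLE: parsing a CEF line back to check the output --------------------------
The following is an added example, not code from posh-cef or its author: a parser that turns a CEF:0 line back into its header fields and an extension table, applying the CEF unescaping rules (\| inside header fields; \\, \=, \n and \r inside extension values). Because this page does not document how New-CEFMessage escapes attacker-influenced values such as -request or -msg, feeding its output through a parser is the practical way to confirm that a value containing '=' or '|' does not split into extra fields. The sample line is constructed, not real output of the function.

```powershell
# Added example (not part of posh-cef): ConvertFrom-CefMessage is a hypothetical helper name.
function ConvertFrom-CefMessage {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    begin {
        # One header field: a run of escaped pairs (\| \\ ...) or characters other than '|' and '\'
        $field  = '((?:\\.|[^|\\])*)'
        # CEF:<version>|<six header fields>|<extensions>
        $header = [regex]('^CEF:(\d+)\|' + (($field + '\|') * 6) + '(.*)$')
        # One extension: key=value; the value runs until whitespace followed by the next key= or end of line
        $extension = [regex]'([A-Za-z0-9_]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_]+=|\s*$)'
        # Undo CEF escaping: \n and \r become line breaks, any other \x becomes x
        $unescape = {
            param([string]$s)
            [regex]::Replace($s, '\\(.)', [System.Text.RegularExpressions.MatchEvaluator]{
                param($match)
                switch ($match.Groups[1].Value) { 'n' { "`n" } 'r' { "`r" } default { $match.Groups[1].Value } }
            })
        }
    }
    process {
        $m = $header.Match($Line)
        if (-not $m.Success) { throw "Not a well-formed CEF message: $Line" }
        if ($m.Groups[1].Value -ne '0') { throw "Unsupported CEF version: $($m.Groups[1].Value)" }

        # Severity is 0-10 (the CEF guide also allows the words Low/Medium/High/Very-High)
        $severity = & $unescape $m.Groups[7].Value
        if ($severity -notmatch '^(10|[0-9]|Low|Medium|High|Very-High)$') {
            throw "Severity must be 0-10 or Low/Medium/High/Very-High, got '$severity'"
        }

        $ext = [ordered]@{}
        foreach ($e in $extension.Matches($m.Groups[8].Value)) {
            $ext[$e.Groups[1].Value] = & $unescape $e.Groups[2].Value
        }

        [pscustomobject]@{
            DeviceVendor       = & $unescape $m.Groups[2].Value
            DeviceProduct      = & $unescape $m.Groups[3].Value
            DeviceVersion      = & $unescape $m.Groups[4].Value
            DeviceEventClassId = & $unescape $m.Groups[5].Value
            Name               = & $unescape $m.Groups[6].Value
            Severity           = $severity
            Extensions         = $ext
        }
    }
}

# Constructed sample: an escaped pipe in the product name, an escaped '=' in the
# request value and escaped backslashes in msg. A parser that ignored the escapes
# would split these into extra header fields and extension keys.
$sample = 'CEF:0|Contoso|Web\|Proxy|2.1|100|Blocked request|7|src=10.0.0.8 dst=203.0.113.10 request=http://example.test/?q\=1 msg=blocked C:\\tools\\a.exe cs1=alpha cs1Label=Campaign'
$parsed = ConvertFrom-CefMessage $sample
$parsed | Format-List
$parsed.Extensions | Format-Table -AutoSize

# Round trip against the real function once posh-cef is installed:
# New-CEFMessage Contoso 'Web|Proxy' 2.1 100 'Blocked request' 7 -request 'http://example.test/?q=1' | ConvertFrom-CefMessage
```

In the constructed sample the product comes back as Web|Proxy, the request as http://example.test/?q=1 and msg as blocked C:\tools\a.exe, with exactly five extension keys. Piping real New-CEFMessage output through the same function with a value such as -msg 'a=b c=d' tells you whether the function escaped the equals signs or whether the receiver would see three keys where you sent one.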
RELATED LINKS
https://github.com/poshsecurity/posh-cef
https://github.com/powershellshock
-fsize <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-in <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-oldFileSize <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-out <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-sourceTranslatedPort <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-spid <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-spt <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceCustomDate1 <String>
----------------------------Timestamps as [string] types----------------------------
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceCustomDate2 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-end <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-fileCreateTime <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-fileModificationTime <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexDate1 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-oldFileCreateTime <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-OldFileModificationTime <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-rt <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-start <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cfp1 <Single>
----------------------------float extensions----------------------------
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cfp2 <Single>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cfp3 <Single>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cfp4 <Single>
Required? false
Position? named
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-act <String>
----------------------------String extensions----------------------------
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-app <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs1 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs2 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs3 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs4 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs5 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs6 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-destinationDnsDomain <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-destinationServiceName <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceExternalId <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceFacility <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceInboundInterface <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceNtDomain <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceOutboundInterface <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-devicePayloadId <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceProcessName <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dhost <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dntdom <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dpriv <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dproc <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dtz <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-duid <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-duser <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-dvchost <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-externalId <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-fileHash <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-fileId <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-filePath <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-filePermission <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-fileType <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexstring1 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexstring2 <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-fname <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-msg <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-oldFileHash <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-oldFileId <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-oldFileName <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-oldFilePath <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-oldFilePermission <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-oldFileType <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-outcome <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-proto <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-reason <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-request <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-requestClientApplication <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-requestContext <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-requestCookies <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-requestMethod <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-shost <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-sntdom <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-sourceDnsDomain <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-sourceServiceName <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-spriv <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-sproc <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-suid <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-suser <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-CustomExtensionRawString <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-c6a1Label <String>
----------------------------custom label extensions----------------------------
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-c6a2Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-c6a3Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-c6a4Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cfp1Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cfp2Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cfp3Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cfp4Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cn1Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cn2Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cn3Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs1Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs2Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs3Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs4Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs5Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-cs6Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceCustomDate1Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-deviceCustomDate2Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexDate1Label <String>
----------------------------flex label extensions----------------------------
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexNumber1Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexNumber2Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexString1Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-flexString2Label <String>
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
All parameters can accept input from the pipeline
OUTPUTS
CEF message as a [string]
NOTES
Name: New-CEFMessage
Author: Jared Poeppelman (powershellshock)
-------------------------- EXAMPLE 1 --------------------------
PS C:\>New-CEFMessage -DeviceVendor 'Contoso' -DeviceProduct 'MyPowershellScript' -DeviceVersion '1.0'
-DeviceEventClassId 'Alert' -Name 'Bad Thing Detected' -Severity 10 -externalId 12345 -dmac '01-23-45-67-89-AF'
-src 192.168.1.1 -deviceDirection Outbound -spriv Administrator -Type Base -In 6213467 -cfp1 3.141592653589
-CustomExtensionRawString 'key=value'
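The INPUTS section notes that every parameter binds from the pipeline by property name, and the SYNOPSIS says the returned string is normally shipped over syslog or written to a file. The following is an added example, not code from the posh-cef project: it feeds constructed event objects through New-CEFMessage, sanity-checks the CEF header of each result before it leaves the host, and sends it over UDP syslog. The module name `posh-cef`, the collector host `siem.example.invalid`, the helper `Test-CEFHeader`, and the sample event values are all assumptions or constructed placeholders.

```powershell
# Added example (not part of the posh-cef project). Assumes the module is
# importable under the name 'posh-cef' (taken from the repository URL) and that
# the collector address below is replaced with a real one.
Import-Module posh-cef

# Constructed sample events. The property names match New-CEFMessage
# parameter names so the pipeline binds them ByPropertyName.
$events = @(
    [pscustomobject]@{
        DeviceVendor       = 'Contoso'
        DeviceProduct      = 'MyPowershellScript'
        DeviceVersion      = '1.0'
        DeviceEventClassId = 'Alert'
        Name               = 'Bad Thing Detected'
        Severity           = 10
        src                = '192.168.1.1'
        suser              = 'Administrator'
        deviceDirection    = 'outbound'
        msg                = 'Outbound connection from an admin session'
    },
    [pscustomobject]@{
        DeviceVendor       = 'Contoso'
        DeviceProduct      = 'MyPowershellScript'
        DeviceVersion      = '1.0'
        DeviceEventClassId = 'FileChange'
        Name               = 'Monitored file modified'
        Severity           = 5
        filePath           = 'C:\Windows\System32\drivers\etc\hosts'
        fileHash           = 'PLACEHOLDER-HASH'
        dvchost            = $env:COMPUTERNAME
    }
)

# Hypothetical helper: a CEF record carries seven pipe-delimited header
# fields before the extension block:
#   CEF:Version|Vendor|Product|Version|EventClassId|Name|Severity|Extension
# Pipes inside header fields must be escaped as '\|', so split only on
# unescaped pipes. Rejecting malformed records here keeps a bad field from
# breaking the SIEM parser downstream.
function Test-CEFHeader {
    param([Parameter(Mandatory)][string]$Message)
    $parts = [regex]::Split($Message, '(?<!\\)\|')
    return ($parts[0] -like 'CEF:*' -and $parts.Count -ge 8)
}

# Placeholder collector; syslog over UDP/514.
$collector = [System.Net.Sockets.UdpClient]::new()
$collector.Connect('siem.example.invalid', 514)
$priority  = 16 * 8 + 6   # facility local0, severity informational

$events | New-CEFMessage | ForEach-Object {
    if (-not (Test-CEFHeader $_)) {
        Write-Warning "Skipping malformed CEF record: $_"
        return
    }
    # New-CEFMessage emits only the CEF body; prepend an RFC 3164-style
    # syslog header so the collector accepts and timestamps the record.
    $line  = '<{0}>{1} {2} {3}' -f $priority, (Get-Date -Format 'MMM dd HH:mm:ss'), $env:COMPUTERNAME, $_
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($line)
    [void]$collector.Send($bytes, $bytes.Length)
}
$collector.Close()
```

Replace the UDP transport with `Add-Content` to a file if the collector tails a log instead, and keep the header check either way: UDP syslog gives no delivery confirmation, so validating each record before it is sent is the only place to catch a broken field.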
RELATED LINKS
https://github.com/poshsecurity/posh-cef
https://github.com/powershellshock