Reference: Format types

When you create or edit a connection, you can select the format of the data to send.

You can include identifying information with data sent to destinations, such as a SIEM, depending on the data format available for a source.

To include the system-generated source name, you can use a logging data format or JSON:

  • CEF data format - the default Source field value

  • LEEF data format - the default Source field value

  • JSON data format - select Wrap Data with Text

  • Syslog RFC 5424 data format - the default SD-ID field value

To include the system-generated saved question name, you can use the Syslog RFC 5424 data format with saved question-related sources:

  • Syslog RFC 5424 data format with Saved Question source - select Send Question Source

  • Syslog RFC 5424 data format with Tanium Data Service source - select Send Question Source

To include custom information, you can use column customizations, or specific fields for the CEF and Syslog RFC 5424 data formats:

  • CEF data format - the Signature ID field value, or a column customization

  • Syslog RFC 5424 data format - the MSG ID field value, or a column customization

  • other data formats - a column customization

For more information on column customizations, see Reference: Column customizations.

You cannot include identifying information with data from the Palo Alto WildFire, Tanium Endpoint Configuration, or Tanium Trends sources.

CEF

Common Event Format (CEF) is the default format for HP ArcSight. When you define the CEF format for your destination, you can include Advanced Settings such as the device vendor, product, and version; the product name and version; the source; and the end-of-entry separator character. For the separator, you can use escape characters such as \t (tab), \n (new line), and \r (carriage return). Select the columns that you want to pass through to the destination. Some fields also support variable substitution, as listed in Reference: Variables.

You cannot select this format if you select an event data source.

You can use the Source field to include the system-generated source name with each entry, or the Signature ID field or column customizations to include custom information with each entry.

  • Signature ID - default value: n/a; output value: the defined value. The CEF header includes the user-defined value.

  • Source - default value: {Source}; output value: source_name. The CEF header includes the system-generated source name.

Default destinations: HP ArcSight

CSV

Comma-separated values. Select whether you want to include column headers in the output. Select the columns that you want to pass through to the destination.

You can use column customizations to include custom information with each entry.

Default destinations: AWS S3, File

Delimiter-separated values

To create a delimiter-separated values format, enter the characters that you want to use as the column and row delimiters. In addition to single characters, you can use escape characters such as \t (tab), \n (new line), and \r (carriage return). Select the columns that you want to pass through to the destination.

You can use column customizations to include custom information with each entry.

Elasticsearch

The Elasticsearch format is the only valid format when Elasticsearch is selected as the destination. If a saved question is selected as a source, you can expand Advanced in the Format section and select Group columns by sensor to return the results as an array of objects instead of an array of simple value types. You cannot customize the columns with this option. Select the columns that you want to pass through to the destination. For more information, see Configuring Elasticsearch destinations.

You can use column customizations to include custom information with each entry.

Default destinations: Elasticsearch

HTML

Select whether you want to include column headers in the output. Select the columns that you want to pass through to the destination.

You can use column customizations to include custom information with each entry.

Default destinations: Email

JSON

JavaScript Object Notation (JSON) is a lightweight data-interchange format. If a saved question is selected as a source, select Group columns by sensor to return the results as an array of objects instead of an array of simple value types. You cannot customize the columns with this option. You can specify the row delimiter that goes between the individual entries. In addition to single characters, you can use escape characters such as: \t (tab), \n (new line), and \r (carriage return). Select the columns that you want to pass through to the destination.

By default, the JSON format includes each entry as a JSON object inside braces ({}), without commas separating objects.

{"object_id":1,"audit_row_id":"38769",
"details":"User: admin; Session ID: 38467; Authentication Type: User; Originated from SOAPPluginScheduler",
"creation_time":"2021-08-31T14:02:38","modification_time":"2021-08-31T14:02:38",
"last_modified_by":"","modifier_user_id":0,"mod_user":null,"mod_persona":null,
"type":0,"object_name":"","object_type_name":"authentication_audit",
"type_name":"CreateObject","audit_type":"authentication_audit"}{"object_id":1,
"audit_row_id":"38770",
"details":"User: admin; Session ID: 38468; Authentication Type: User; Originated from SOAPPluginScheduler",
"creation_time":"2021-08-31T14:02:48","modification_time":"2021-08-31T14:02:48",
"last_modified_by":"","modifier_user_id":0,"mod_user":null,"mod_persona":null,
"type":0,"object_name":"","object_type_name":"authentication_audit",
"type_name":"CreateObject","audit_type":"authentication_audit"}

Select Generate Document for a JSON array inside brackets ([]). The array contains each entry as a JSON object inside braces, with commas separating objects.

[{"object_id":1,"audit_row_id":"38769",
"details":"User: admin; Session ID: 38467; Authentication Type: User; Originated from SOAPPluginScheduler",
"creation_time":"2021-08-31T14:02:38","modification_time":"2021-08-31T14:02:38",
"last_modified_by":"","modifier_user_id":0,"mod_user":null,"mod_persona":null,
"type":0,"object_name":"","object_type_name":"authentication_audit",
"type_name":"CreateObject","audit_type":"authentication_audit"},
{"object_id":1,"audit_row_id":"38770",
"details":"User: admin; Session ID: 38468; Authentication Type: User; Originated from SOAPPluginScheduler",
"creation_time":"2021-08-31T14:02:48","modification_time":"2021-08-31T14:02:48",
"last_modified_by":"","modifier_user_id":0,"mod_user":null,"mod_persona":null,
"type":0,"object_name":"","object_type_name":"authentication_audit",
"type_name":"CreateObject","audit_type":"authentication_audit"}]

Select Wrap Data with Source for a JSON object inside braces. The object name is the source. The object value is a JSON array inside brackets. The array contains each entry as a JSON object inside braces, with commas separating objects.

{ "Tanium Audit Source": [{"object_id":1,"audit_row_id":"38769",
"details":"User: admin; Session ID: 38467; Authentication Type: User; Originated from SOAPPluginScheduler",
"creation_time":"2021-08-31T14:02:38","modification_time":"2021-08-31T14:02:38",
"last_modified_by":"","modifier_user_id":0,"mod_user":null,"mod_persona":null,
"type":0,"object_name":"","object_type_name":"authentication_audit",
"type_name":"CreateObject","audit_type":"authentication_audit"},
{"object_id":1,"audit_row_id":"38770",
"details":"User: admin; Session ID: 38468; Authentication Type: User; Originated from SOAPPluginScheduler",
"creation_time":"2021-08-31T14:02:48","modification_time":"2021-08-31T14:02:48",
"last_modified_by":"","modifier_user_id":0,"mod_user":null,"mod_persona":null,
"type":0,"object_name":"","object_type_name":"authentication_audit",
"type_name":"CreateObject","audit_type":"authentication_audit"}] }

If your destination expects a valid JSON array, select Generate Document. If your destination expects a valid JSON object, select Wrap Data with Source.

You can use the Wrap Data with Text field to include the system-generated source name with the file, or column customizations to include custom information with each entry.

  • Wrap Data with Text - default value: cleared; output value: the source name. The system-generated source name value is the name of the JSON element, followed by an array of JSON elements, one entry per element. The source name value is not included with each entry.

Default destinations: HTTP
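The three JSON layouts above differ in what a receiver must do to read them: the default layout is a stream of objects with no commas, which a plain JSON parser rejects as "extra data". The following receiver-side parser is an added example and not part of the product documentation; its sample records are constructed (shortened from the page's own audit-log sample), and the way it tells the three layouts apart is an assumption, since the page documents the outputs but not a detection rule.

```python
"""Receiver-side parser for the default, Generate Document and
Wrap Data with Source JSON layouts. Added example; sample data constructed."""
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed samples, one per layout, with the same two audit rows.
DEFAULT_STREAM = (  # default: objects back to back, no commas
    '{"object_id":1,"audit_row_id":"38769","type_name":"CreateObject"}'
    '{"object_id":1,"audit_row_id":"38770","type_name":"CreateObject"}'
)
GENERATE_DOCUMENT = (  # Generate Document: one JSON array of objects
    '[{"object_id":1,"audit_row_id":"38769","type_name":"CreateObject"},'
    '{"object_id":1,"audit_row_id":"38770","type_name":"CreateObject"}]'
)
WRAP_WITH_SOURCE = (  # Wrap Data with Source: {"<source name>": [objects]}
    '{ "Tanium Audit Source": ['
    '{"object_id":1,"audit_row_id":"38769","type_name":"CreateObject"},'
    '{"object_id":1,"audit_row_id":"38770","type_name":"CreateObject"}] }'
)


def decode_concatenated(text: str, row_delimiter: str = "\n") -> List[Any]:
    """Decode JSON values written back to back.

    json.loads() rejects the default layout with "Extra data", so walk the
    buffer with JSONDecoder.raw_decode(), which returns each value together
    with the index where it ended. Whitespace and the configured row
    delimiter (assumed to default to a newline) are skipped between values.
    """
    decoder = json.JSONDecoder()
    values: List[Any] = []
    pos, length = 0, len(text)
    while pos < length:
        if row_delimiter and text.startswith(row_delimiter, pos):
            pos += len(row_delimiter)
            continue
        if text[pos].isspace():
            pos += 1
            continue
        value, pos = decoder.raw_decode(text, pos)
        values.append(value)
    return values


def parse_connect_json(
    text: str, row_delimiter: str = "\n"
) -> Tuple[Optional[str], List[Dict[str, Any]]]:
    """Return (source_name, entries) for any of the three layouts.

    source_name is only present for Wrap Data with Source; otherwise None.
    Corner case: a default stream whose single entry is an object with
    exactly one array-valued key looks like the wrapped layout, so a
    receiver that knows the connection setting should not rely on detection.
    """
    values = decode_concatenated(text, row_delimiter)
    if len(values) == 1 and isinstance(values[0], list):
        entries = values[0]                                  # Generate Document
    elif (len(values) == 1 and isinstance(values[0], dict)
          and len(values[0]) == 1
          and isinstance(next(iter(values[0].values())), list)):
        source_name, entries = next(iter(values[0].items()))  # Wrap Data with Source
        return source_name, list(entries)
    else:
        entries = values                                     # default stream
    if not all(isinstance(e, dict) for e in entries):
        raise ValueError("every entry must be a JSON object")
    return None, list(entries)


if __name__ == "__main__":
    for sample in (DEFAULT_STREAM, GENERATE_DOCUMENT, WRAP_WITH_SOURCE):
        print(parse_connect_json(sample))
```

A receiver that buffers the default stream from an HTTP body or a file should call decode_concatenated() on the whole buffer rather than splitting on newlines, because a row delimiter can be any character sequence and string values may legitimately contain it.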

LEEF

Log Event Extended Format (LEEF) is the default format for IBM QRadar, LogRhythm, and McAfee SIEM. When you define the LEEF format for your destination, you can include Advanced Settings such as the LEEF version, product name, version, source, and the end-of-entry separator character. For the separator, in addition to single characters, you can use escape characters such as \t (tab), \n (new line), and \r (carriage return). Some fields also support variable substitution, as listed in Reference: Variables.

You cannot select this format if you select an event data source.

You can use the Source field to include the system-generated source name with each entry, or column customizations to include custom information with each entry.

  • Source - default value: {Source}; output value: sourcename. The LEEF header includes the system-generated source name. Spaces are removed from the source name value.

Default destinations: IBM QRadar, LogRhythm, and McAfee SIEM

SQL Server

When you export data to SQL Server, you can map the columns from the source to the columns in the database table. For more information, see Configuring SQL Server destinations.

You can use column customizations to include custom information with each entry.

Syslog RFC 5424

A standard for message logging. You can define the syslog message components, including the facility code, severity, message identifier, and separator. For the separator, you can use escape characters such as \t (tab), \n (new line), and \r (carriage return). If the source is a saved question, you can also select whether to send the question source to the output. The default for new connections is to send the question source. You can also select whether to send in BSD format. Select the columns that you want to pass through to the destination. Some fields also support variable substitution, as listed in Reference: Variables.

You cannot select this format if you select an event data source.

You can use the Source field to include the system-generated source name with each entry, or the MSG ID field or column customizations to include custom information with each entry.

  • MSG ID - default value: n/a; output value: the defined value. The defined value precedes the structured-data brackets. Dashes replace spaces in the defined value.

  • SD-ID - default value: {Source}@017472; output value: source-name@017472. The structured data includes the system-generated source name and port number as the first value. Dashes replace spaces in the source name value.

  • Send Question Source - default value: cleared; output value: Question="saved-question-name". The structured data includes the system-generated saved question name as the last value. Dashes replace spaces in the saved question name value.

Default destinations: Socket Receiver, Splunk
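To see where the MSG ID, SD-ID and Send Question Source values land once a socket receiver gets the line, the following RFC 5424 parser is an added example and not part of the product documentation. SAMPLE_LINE is constructed: its header fields and the columns placed inside the structured-data element are assumptions, not the product's documented output. Only the RFC 5424 layout itself (PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, STRUCTURED-DATA, MSG) and its PARAM-VALUE escaping rules are taken as given.

```python
"""RFC 5424 receiver-side parser. Added example; SAMPLE_LINE is constructed."""
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the MSG ID "tanium-audit" precedes the structured-data
# brackets, the SD-ID is the dash-normalised source name plus @017472, and
# Question="..." is the last parameter. The details value shows the RFC 5424
# escapes for '"' and ']' inside a PARAM-VALUE. Column layout is assumed.
SAMPLE_LINE = (
    '<134>1 2021-08-31T14:02:38Z tanium-server TaniumConnect - tanium-audit '
    '[Tanium-Audit-Source@017472 object_id="1" audit_row_id="38769" '
    'details="User: \\"admin\\"; Session ID: 38467 \\]" '
    'Question="Client-Count-by-OS"] Authentication Type: User'
)

HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) '
    r'(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
)


def _read_param_value(text: str, pos: int) -> Tuple[str, int]:
    """Read a PARAM-VALUE starting just after its opening quote.
    RFC 5424 escapes '"', '\\' and ']' with a backslash inside values."""
    out = []
    while pos < len(text):
        ch = text[pos]
        if ch == "\\" and pos + 1 < len(text) and text[pos + 1] in '"\\]':
            out.append(text[pos + 1])
            pos += 2
            continue
        if ch == '"':
            return "".join(out), pos + 1
        out.append(ch)
        pos += 1
    raise ValueError("unterminated PARAM-VALUE")


def _read_structured_data(text: str, pos: int) -> Tuple[Dict[str, Dict[str, str]], int]:
    """Read STRUCTURED-DATA: '-' (nil) or one or more [SD-ID PARAM="..."] elements."""
    if text.startswith("-", pos):
        return {}, pos + 1
    elements: Dict[str, Dict[str, str]] = {}
    while pos < len(text) and text[pos] == "[":
        pos += 1
        end = pos
        while end < len(text) and text[end] not in " ]":
            end += 1
        sd_id, pos = text[pos:end], end
        params: Dict[str, str] = {}
        while pos < len(text) and text[pos] == " ":
            pos += 1
            eq = text.index("=", pos)
            if not text.startswith('"', eq + 1):
                raise ValueError("PARAM-VALUE must be quoted")
            value, new_pos = _read_param_value(text, eq + 2)
            params[text[pos:eq]] = value
            pos = new_pos
        if not text.startswith("]", pos):
            raise ValueError("unterminated SD-ELEMENT")
        pos += 1
        elements[sd_id] = params
    return elements, pos


def parse_syslog_5424(line: str) -> dict:
    """Split an RFC 5424 line into header fields, structured data and MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri = int(m.group("pri"))
    structured, pos = _read_structured_data(line, m.end())
    msg = line[pos + 1:] if line.startswith(" ", pos) else ""
    return {
        "facility": pri // 8,  # PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "appname": m.group("appname"),
        "msgid": m.group("msgid"),
        "structured_data": structured,
        "msg": msg,
    }


def tanium_identity(parsed: dict, sd_id_suffix: str = "@017472") -> Tuple[Optional[str], Optional[str]]:
    """Return (source name, saved question name) from the SD element whose
    SD-ID ends with the suffix. Names keep the dashes the sender substituted
    for spaces, because that substitution cannot be reversed on receipt."""
    for sd_id, params in parsed["structured_data"].items():
        if sd_id.endswith(sd_id_suffix):
            return sd_id[: -len(sd_id_suffix)], params.get("Question")
    return None, None


if __name__ == "__main__":
    parsed = parse_syslog_5424(SAMPLE_LINE)
    print(parsed["msgid"], tanium_identity(parsed))
```

Because spaces in the source and saved question names become dashes before they are sent, a receiver that keys alerts or dashboards on those names should match on the dashed form rather than on the name as shown in the console.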