diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 35eb22ab0..e84a5b017 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1343,6 +1343,14 @@ soc:
         - destination.ip
         - destination.port
         - message
+      ':cef:':
+        - soc_timestamp
+        - cef.device.event_class_id
+        - cef.device.vendor
+        - cef.device.product
+        - cef.device.version
+        - log.source.address
+        - message
     server:
       bindAddress: 0.0.0.0:9822
       baseUrl: /