From 10bf3e8fab0681d0f9f2f11fa7a23666f7fc5fe9 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 14 Jul 2025 12:07:02 -0400
Subject: [PATCH] FEATURE: Add SOC default fields for CEF logs #14837
---
 salt/soc/defaults.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 35eb22ab0..e84a5b017 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1343,6 +1343,14 @@ soc:
 - destination.ip
 - destination.port
 - message
+ ':cef:':
+ - soc_timestamp
+ - cef.device.event_class_id
+ - cef.device.vendor
+ - cef.device.product
+ - cef.device.version
+ - log.source.address
+ - message
 server:
 bindAddress: 0.0.0.0:9822
 baseUrl: /
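Review bot: The new `':cef:'` column list has no severity or event-name column, so an analyst scanning CEF rows in SOC sees only the device identity and class id and has to open each event to triage it. If the ingest pipeline populates them (not visible in this hunk), consider adding `- cef.severity` and `- cef.name` ahead of `- message`. Separately, `log.source.address` is the address the log was received from, which for relayed syslog would presumably be the forwarder rather than the originating device; a one-line YAML comment above the key noting that would keep the column from being misread. The `soc:` mapping this list belongs to starts outside the hunk, so the key's matching rules cannot be checked from here.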