Appearance
Microsoft Sentinel
Realm Security integrates seamlessly with Microsoft Sentinel, enabling intelligent routing and analysis of security event logs. Follow these concise steps to configure log forwarding to your Sentinel instance from Realm Security Data Fabric.
Prerequisites
- Ensure you have administrative access to your Azure console.
Overview
- Azure Console: Create Microsoft Entra app registration
- Azure Console: Create DCR (Azure Native table or Custom table) to send data to target table
- Azure Console: Assign Permissions to DCR
- Realm Console: Setup Microsoft Sentinel output feed
1. Azure: Create Microsoft Entra app registration
- Log in to the Azure console
- Navigate to App Registrations > New registration
- Give the App a name and click "Register"
- Navigate to the newly created App Registration.
- Store the client and tenant ids. These will be later used for configuring the MS Sentinel output feed in the Realm console.
- Navigate to Manage -> Certificate and secrets. Select the Client secrets tab and select "New client secret"
- Give the secret an optional description and select an expiration.
- Store the client secret value, as it will be used later for configuring the MS Sentinel output feed in the Realm console.
2. Azure: Create DCR (Azure Native table or Custom table) to send data to target table
2a. Create DCR for Azure Native table
- In the Azure console search "Deploy a custom template" and select Build your own template in the editor.
- Paste the Realm provided DCR template into the editor.
- If you are adding to an existing DCR, add additional columns and add additional stream declarations corresponding to the table you want the logs to be routed to.
- In the parameters block, replace the default values for location, inputStreamName, workspaceResourceId, dcrName, and logAnalyticsDestinationName.
- Select Next and fill in the form, workspace resource id can be found by navigating to your log analytics workspace, selecting JSON view, and copying the value for the resource id.
- Select Review + create, and upon successful validation, click Create.
- Ensure the DCR is visible in your Azure console before proceeding. Copy and paste the DCR
immutable idandlog ingestion api URL, as these will be needed to configure the sentinel outputfeed in the Realm console.You will also need the stream name found at dataflows.streams in the JSON view.
2b. Create DCR for custom table
- In the Azure console search "Deploy a custom template" and select Build your own template in the editor.
- Paste the Realm provided table template into the editor. Make sure to replace placeholders like table name and workspace. Custom table names must be suffixed with _CL.
- Select Next and fill in the Resource Group and Region form.
- Select Review + create, and upon successful validation, click Create.
- Ensure the table is visible in your log analytics workspace before proceeding.
- In the Azure console search "Deploy a custom template" and select Build your own template in the editor.
- Paste the Realm provided DCR template into the editor. Make sure to replace placeholders like table name, workspace, and log analytics workspace.
- If you are adding to an existing DCR, add additional columns and add additional stream declarations corresponding to the table you want the logs to be routed to.
- Select Next and fill in the form, workspace resource id can be found by navigating to your log analytics workspace, selecting JSON view, and copying the value for the resource id.
- Select Review + create, and upon successful validation, click Create.
- Ensure the DCR is visible in your Azure console before proceeding. Copy and paste the
DCR immutable idandlog ingestion api URL, as these will be needed to configure the Microsoft Sentinel outputfeed in the Realm console. You will also need the stream name found at dataflows.streams in the JSON view.
3. Azure: Assign Permissions to DCR
After the DCR has been created, the application needs to be given permission to it. Permission will allow any application using the correct application ID and application key to send data to the new DCR.
- From the DCR in the Azure portal, select Access Control (IAM) > Add role assignment.
- Select Monitoring Metrics Publisher and select Next. You could instead create a custom action with the Microsoft.Insights/Telemetry/Write data action.
- Select User, group, or service principal for Assign access to and choose Select members. Select the application that you created and choose Select.
- Select Review + assign and verify the details before you save your role assignment
4. Realm: Setup Output Feed
- Go to Destinations > Select a destination of type SIEM
- Click Add output Feed button
- Select type: Microsoft Sentinel
- Give the output feed a name and description of your choosing.
- Paste your log ingestion api url into the endpoint text box.
- Paste your DCR immutable id into the DCR Immutable ID text box.
- Paste you client secret into the secret value text box.
- Paste tenant id and client id into their corresponding text boxes.
- Select JSON as the format.
- Click Add when output feed configuration is complete.
It takes about a minute to deploy the fabric update. At which point, the data should start flowing through to Microsoft Sentinel. It takes 30s-60s for the data to be ingested and indexed before KQL query can find it.
Troubleshooting
If the Microsoft Sentinel feed shows an error Critical Failure: Authentication failure, it is very likely because the DCR does not have the appropriate permissions. Follow step 3 to assign permission to newly created DCR rule.
Resources
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-api?tabs=dcr
Custom Table Templates
Realm provided custom table templates
Palo CEF
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "String",
"metadata": {
"description": "The name of the existing Log Analytics Workspace."
}
},
"tableName": {
"defaultValue": "PaloCEFTable_CL",
"type": "String",
"metadata": {
"description": "The name of the custom table (will be suffixed with _CL)."
}
},
"location": {
"defaultValue": "[resourceGroup().location]",
"type": "String",
"metadata": {
"description": "Location for the table resource."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/tables",
"apiVersion": "2022-10-01",
"name": "[concat(parameters('workspaceName'), '/', parameters('tableName'))]",
"location": "[parameters('location')]",
"properties": {
"schema": {
"name": "[parameters('tableName')]",
"columns": [
{
"name": "TimeGenerated",
"type": "datetime",
"description": "The time at which the log record was generated by the source system."
},
{
"name": "RealmMetadata",
"type": "dynamic",
"description": "Realm.Security specifiy metadata"
},
{
"name": "PanOSRuleUUID",
"type": "string",
"description": "Custom field to identify the unique UUID of the matched rule on the Palo Alto device."
},
{
"name": "act",
"type": "string",
"description": "CEF Key (act) mapped to DeviceAction: The action mentioned in the event (e.g., Permit, Block, Drop)."
},
{
"name": "app",
"type": "string",
"description": "CEF Key (app) mapped to ApplicationProtocol: The protocol used in the application, such as HTTP or HTTPS."
},
{
"name": "cat",
"type": "string",
"description": "CEF Key (cat) mapped to DeviceEventCategory: Represents the category assigned by the originating device (e.g., /Monitor/Disk/Read)."
},
{
"name": "cefVersion",
"type": "int",
"description": "CEF Version field."
},
{
"name": "cn1",
"type": "int",
"description": "CEF Key (cn1) mapped to DeviceCustomNumber1: One of four custom number fields available for use."
},
{
"name": "cn1Label",
"type": "string",
"description": "CEF Key (cn1Label): Describes the purpose of the custom field cn1."
},
{
"name": "cn2",
"type": "int",
"description": "CEF Key (cn2) mapped to DeviceCustomNumber2: One of four custom number fields available for use."
},
{
"name": "cn2Label",
"type": "string",
"description": "CEF Key (cn2Label): Describes the purpose of the custom field cn2."
},
{
"name": "cn3",
"type": "int",
"description": "CEF Key (cn3) mapped to DeviceCustomNumber3: One of four custom number fields available for use."
},
{
"name": "cn3Label",
"type": "string",
"description": "CEF Key (cn3Label): Describes the purpose of the custom field cn3."
},
{
"name": "cnt",
"type": "string",
"description": "CEF Key (cnt) mapped to EventCount: A count associated with the event."
},
{
"name": "cs1",
"type": "string",
"description": "CEF Key (cs1) mapped to DeviceCustomString1: One of six custom string fields available for use."
},
{
"name": "cs1Label",
"type": "string",
"description": "CEF Key (cs1Label): Describes the purpose of the custom field cs1."
},
{
"name": "cs2",
"type": "string",
"description": "CEF Key (cs2) mapped to DeviceCustomString2: One of six custom string fields available for use."
},
{
"name": "cs2Label",
"type": "string",
"description": "CEF Key (cs2Label): Describes the purpose of the custom field cs2."
},
{
"name": "cs3",
"type": "string",
"description": "CEF Key (cs3) mapped to DeviceCustomString3: One of six custom string fields available for use."
},
{
"name": "cs3Label",
"type": "string",
"description": "CEF Key (cs3Label): Describes the purpose of the custom field cs3."
},
{
"name": "cs4",
"type": "string",
"description": "CEF Key (cs4) mapped to DeviceCustomString4: One of six custom string fields available for use."
},
{
"name": "cs4Label",
"type": "string",
"description": "CEF Key (cs4Label): Describes the purpose of the custom field cs4."
},
{
"name": "cs5",
"type": "string",
"description": "CEF Key (cs5) mapped to DeviceCustomString5: One of six custom string fields available for use."
},
{
"name": "cs5Label",
"type": "string",
"description": "CEF Key (cs5Label): Describes the purpose of the custom field cs5."
},
{
"name": "cs6",
"type": "string",
"description": "CEF Key (cs6) mapped to DeviceCustomString6: One of six custom string fields available for use."
},
{
"name": "cs6Label",
"type": "string",
"description": "CEF Key (cs6Label): Describes the purpose of the custom field cs6."
},
{
"name": "destinationTranslatedAddress",
"type": "string",
"description": "CEF Key (destinationTranslatedAddress) mapped to DestinationTranslatedAddress: The post-translation destination IPv4 address."
},
{
"name": "destinationTranslatedPort",
"type": "int",
"description": "CEF Key (destinationTranslatedPort) mapped to DestinationTranslatedPort: The post-translation destination port."
},
{
"name": "deviceEventClassId",
"type": "string",
"description": "CEF Key (deviceEventClassId) mapped to DeviceEventClassID: Identifies the type of event reported."
},
{
"name": "deviceExternalId",
"type": "string",
"description": "CEF Key (deviceExternalId) mapped to DeviceExternalID: An ID used by the originating device."
},
{
"name": "deviceInboundInterface",
"type": "string",
"description": "CEF Key (deviceInboundInterface) mapped to DeviceInboundInterface: The input interface on the device where the packet was received."
},
{
"name": "deviceOutboundInterface",
"type": "string",
"description": "CEF Key (deviceOutboundInterface) mapped to DeviceOutboundInterface: The output interface on the device where the packet was sent."
},
{
"name": "deviceProduct",
"type": "string",
"description": "CEF Key (deviceProduct) mapped to DeviceProduct: Identifies the product of a vendor."
},
{
"name": "deviceVendor",
"type": "string",
"description": "CEF Key (deviceVendor) mapped to DeviceVendor: The vendor of the device generating the event."
},
{
"name": "deviceVersion",
"type": "string",
"description": "CEF Key (deviceVersion) mapped to DeviceVersion: Identifies the version of the product."
},
{
"name": "dpt",
"type": "int",
"description": "CEF Key (dpt) mapped to DestinationPort: The destination port. Valid values: 0 - 65535."
},
{
"name": "dst",
"type": "string",
"description": "CEF Key (dst) mapped to DestinationIP: The destination IPv4 address."
},
{
"name": "duser",
"type": "string",
"description": "CEF Key (duser) mapped to DestinationUserName: Identifies the destination user by name."
},
{
"name": "dvchost",
"type": "string",
"description": "CEF Key (dvchost) mapped to DeviceHostName: The FQDN associated with the device node."
},
{
"name": "externalId",
"type": "string",
"description": "CEF Key (externalId) mapped to ExternalID: An ID used by the originating device."
},
{
"name": "flexNumber1",
"type": "int",
"description": "CEF Key (flexNumber1) mapped to FlexNumber1: One of four custom number fields available for use."
},
{
"name": "flexNumber1Label",
"type": "string",
"description": "CEF Key (flexNumber1Label): Describes the purpose of the custom field flexNumber1."
},
{
"name": "name",
"type": "string",
"description": "CEF Key (name) mapped to Activity: A human-readable description of the event."
},
{
"name": "out",
"type": "string",
"description": "CEF Key (out) mapped to DeviceOutboundInterface: The output interface on the device."
},
{
"name": "proto",
"type": "string",
"description": "CEF Key (proto) mapped to Protocol: The transport protocol used in the transaction (e.g., TCP, UDP)."
},
{
"name": "reason",
"type": "string",
"description": "CEF Key (reason) mapped to Reason: The reason the event was generated (e.g., 'Policy Mismatch')."
},
{
"name": "rt",
"type": "string",
"description": "CEF Key (rt) mapped to ReceiptTime: The time at which the event was received by the connector."
},
{
"name": "severity",
"type": "string",
"description": "CEF Key (severity) mapped to LogSeverity: A string or integer that describes the importance of the event."
},
{
"name": "sourceTranslatedAddress",
"type": "string",
"description": "CEF Key (sourceTranslatedAddress) mapped to SourceTranslatedAddress: The post-translation source IPv4 address."
},
{
"name": "sourceTranslatedPort",
"type": "int",
"description": "CEF Key (sourceTranslatedPort) mapped to SourceTranslatedPort: The post-translation source port."
},
{
"name": "spt",
"type": "int",
"description": "CEF Key (spt) mapped to SourcePort: The source port. Valid values: 0 - 65535."
},
{
"name": "src",
"type": "string",
"description": "CEF Key (src) mapped to SourceIP: The source IPv4 address."
},
{
"name": "suser",
"type": "string",
"description": "CEF Key (suser) mapped to SourceUserName: Identifies the source user by name."
}
]
}
}
}
]
}Data Collection Rule Templates
Realm provided DCR templates
Palo CEF DCR
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {
"dcrName": "PaloAltoCEF-API-Ingestion",
"location": "EastUS",
"workspaceResourceId": "/subscriptions/0000000-0000-0000-0000-0000000000000/resourceGroups/fizz/providers/Microsoft.OperationalInsights/workspaces/buzz",
"logAnalyticsDestinationName": "logAnalyticsWorkspaceName",
"inputStreamName": "Custom-PaloCEFDCR",
"outputTableName": "PaloCEFTable"
},
"resources": [
{
"type": "Microsoft.Insights/dataCollectionRules",
"apiVersion": "2023-03-11",
"name": "[variables('dcrName')]",
"location": "[variables('location')]",
"kind": "Direct",
"properties": {
"streamDeclarations": {
"Custom-PaloCEFDCR": {
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "RealmMetadata",
"type": "dynamic"
},
{
"name": "PanOSRuleUUID",
"type": "string"
},
{
"name": "act",
"type": "string"
},
{
"name": "app",
"type": "string"
},
{
"name": "cat",
"type": "string"
},
{
"name": "cefVersion",
"type": "int"
},
{
"name": "cn1",
"type": "int"
},
{
"name": "cn1Label",
"type": "string"
},
{
"name": "cn2",
"type": "int"
},
{
"name": "cn2Label",
"type": "string"
},
{
"name": "cn3",
"type": "int"
},
{
"name": "cn3Label",
"type": "string"
},
{
"name": "cnt",
"type": "string"
},
{
"name": "cs1",
"type": "string"
},
{
"name": "cs1Label",
"type": "string"
},
{
"name": "cs2",
"type": "string"
},
{
"name": "cs2Label",
"type": "string"
},
{
"name": "cs3",
"type": "string"
},
{
"name": "cs3Label",
"type": "string"
},
{
"name": "cs4",
"type": "string"
},
{
"name": "cs4Label",
"type": "string"
},
{
"name": "cs5",
"type": "string"
},
{
"name": "cs5Label",
"type": "string"
},
{
"name": "cs6",
"type": "string"
},
{
"name": "cs6Label",
"type": "string"
},
{
"name": "destinationTranslatedAddress",
"type": "string"
},
{
"name": "destinationTranslatedPort",
"type": "int"
},
{
"name": "deviceEventClassId",
"type": "string"
},
{
"name": "deviceExternalId",
"type": "string"
},
{
"name": "deviceInboundInterface",
"type": "string"
},
{
"name": "deviceOutboundInterface",
"type": "string"
},
{
"name": "deviceProduct",
"type": "string"
},
{
"name": "deviceVendor",
"type": "string"
},
{
"name": "deviceVersion",
"type": "string"
},
{
"name": "dpt",
"type": "int"
},
{
"name": "dst",
"type": "string"
},
{
"name": "duser",
"type": "string"
},
{
"name": "dvchost",
"type": "string"
},
{
"name": "externalId",
"type": "string"
},
{
"name": "flexNumber1",
"type": "int"
},
{
"name": "flexNumber1Label",
"type": "string"
},
{
"name": "activityName",
"type": "string"
},
{
"name": "outboundInt",
"type": "string"
},
{
"name": "proto",
"type": "string"
},
{
"name": "reason",
"type": "string"
},
{
"name": "rt",
"type": "string"
},
{
"name": "severity",
"type": "string"
},
{
"name": "sourceTranslatedAddress",
"type": "string"
},
{
"name": "sourceTranslatedPort",
"type": "int"
},
{
"name": "spt",
"type": "int"
},
{
"name": "src",
"type": "string"
},
{
"name": "suser",
"type": "string"
}
]
}
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[variables('workspaceResourceId')]",
"name": "[variables('logAnalyticsDestinationName')]"
}
]
},
"dataFlows": [
{
"streams": [
"[variables('inputStreamName')]"
],
"destinations": [
"[variables('logAnalyticsDestinationName')]"
],
"transformKql": "source \n | project TimeGenerated, PanOSRuleUUID, act, app, cat, cefVersion, cn1, cn1Label, cn2, cn2Label, cn3, cn3Label, cnt, cs1, cs1Label, cs2, cs2Label, cs3, cs3Label, cs4, cs4Label, cs5, cs5Label, cs6, cs6Label, destinationTranslatedAddress, destinationTranslatedPort, deviceEventClassId, deviceExternalId, deviceInboundInterface, deviceOutboundInterface, deviceProduct, deviceVendor, deviceVersion, dpt, dst, duser, dvchost, externalId, flexNumber1, flexNumber1Label, proto, reason, rt, severity, sourceTranslatedAddress, sourceTranslatedPort, spt, src, suser, ActivityName=activityName, RealmMetadata=tostring(RealmMetadata)",
"outputStream": "Custom-PaloCEFTable_CL"
}
]
}
}
]
}DCR for CommonSecurityEventLog table
If you are sending data to the CommonSecurityEventLog native table, here is a DCR template for parsing Palo CEF to match the table schema.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"dcrName": {
"defaultValue": "Rlm-Palo-CEF-DCR",
"type": "String",
"metadata": {
"description": "Name of the Data Collection Rule."
}
},
"location": {
"defaultValue": "EastUS",
"type": "String",
"metadata": {
"description": "Location for the DCR. Must match the Log Analytics Workspace region."
}
},
"workspaceResourceId": {
"defaultValue": "/subscriptions/0000000-0000-0000-0000-0000000000000/resourceGroups/fizz/providers/Microsoft.OperationalInsights/workspaces/buzz",
"type": "String",
"metadata": {
"description": "Full Resource ID of the target Log Analytics Workspace."
}
},
"logAnalyticsDestinationName": {
"defaultValue": "analytics-workspace-name",
"type": "String",
"metadata": {
"description": "The name used for the destination workspace within the DCR definition."
}
},
"inputStreamName": {
"defaultValue": "Custom-PaloCEFDCR",
"type": "String",
"metadata": {
"description": "The name of the custom input stream used in the Logs Ingestion API URL."
}
}
},
"variables": {
"outputStreamName": "Microsoft-CommonSecurityLog"
},
"resources": [
{
"type": "Microsoft.Insights/dataCollectionRules",
"apiVersion": "2023-03-11",
"name": "[parameters('dcrName')]",
"location": "[parameters('location')]",
"kind": "Direct",
"properties": {
"streamDeclarations": {
"[parameters('inputStreamName')]": {
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "RealmMetadata",
"type": "dynamic"
},
{
"name": "act",
"type": "string"
},
{
"name": "app",
"type": "string"
},
{
"name": "cat",
"type": "string"
},
{
"name": "cefVersion",
"type": "int"
},
{
"name": "cn1",
"type": "int"
},
{
"name": "cn1Label",
"type": "string"
},
{
"name": "cn2",
"type": "int"
},
{
"name": "cn2Label",
"type": "string"
},
{
"name": "cn3",
"type": "int"
},
{
"name": "cn3Label",
"type": "string"
},
{
"name": "cnt",
"type": "string"
},
{
"name": "cs1",
"type": "string"
},
{
"name": "cs1Label",
"type": "string"
},
{
"name": "cs2",
"type": "string"
},
{
"name": "cs2Label",
"type": "string"
},
{
"name": "cs3",
"type": "string"
},
{
"name": "cs3Label",
"type": "string"
},
{
"name": "cs4",
"type": "string"
},
{
"name": "cs4Label",
"type": "string"
},
{
"name": "cs5",
"type": "string"
},
{
"name": "cs5Label",
"type": "string"
},
{
"name": "cs6",
"type": "string"
},
{
"name": "cs6Label",
"type": "string"
},
{
"name": "destinationTranslatedAddress",
"type": "string"
},
{
"name": "destinationTranslatedPort",
"type": "int"
},
{
"name": "deviceEventClassId",
"type": "string"
},
{
"name": "deviceExternalId",
"type": "string"
},
{
"name": "deviceInboundInterface",
"type": "string"
},
{
"name": "deviceOutboundInterface",
"type": "string"
},
{
"name": "deviceProduct",
"type": "string"
},
{
"name": "deviceVendor",
"type": "string"
},
{
"name": "deviceVersion",
"type": "string"
},
{
"name": "dpt",
"type": "int"
},
{
"name": "dst",
"type": "string"
},
{
"name": "duser",
"type": "string"
},
{
"name": "dvchost",
"type": "string"
},
{
"name": "externalId",
"type": "string"
},
{
"name": "flexNumber1",
"type": "int"
},
{
"name": "flexNumber1Label",
"type": "string"
},
{
"name": "activityName",
"type": "string"
},
{
"name": "outboundInt",
"type": "string"
},
{
"name": "proto",
"type": "string"
},
{
"name": "reason",
"type": "string"
},
{
"name": "rt",
"type": "string"
},
{
"name": "severity",
"type": "string"
},
{
"name": "sourceTranslatedAddress",
"type": "string"
},
{
"name": "sourceTranslatedPort",
"type": "int"
},
{
"name": "spt",
"type": "int"
},
{
"name": "src",
"type": "string"
},
{
"name": "suser",
"type": "string"
}
]
}
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[parameters('workspaceResourceId')]",
"name": "[parameters('logAnalyticsDestinationName')]"
}
]
},
"dataFlows": [
{
"streams": [
"[parameters('inputStreamName')]"
],
"destinations": [
"[parameters('logAnalyticsDestinationName')]"
],
"outputStream": "[variables('outputStreamName')]",
"transformKql": "source | project TimeGenerated,AdditionalExtensions=tostring(RealmMetadata), Activity=tostring(activityName), ApplicationProtocol=tostring(app), DeviceEventCategory=tostring(cat), DestinationPort=toint(dpt), DestinationIP=tostring(dst), DestinationUserName=tostring(duser), DeviceHostName=tostring(dvchost), Protocol=tostring(proto), Reason=tostring(reason), ReceiptTime=tostring(rt), LogSeverity=tostring(severity), SourcePort=toint(spt), SourceIP=tostring(src), SourceUserName=tostring(suser), DeviceAction=tostring(act), DeviceVersion=tostring(cefVersion), DeviceCustomNumber1=toint(cn1), DeviceCustomNumber1Label=tostring(cn1Label), DeviceCustomNumber2=toint(cn2), DeviceCustomNumber2Label=tostring(cn2Label), DeviceCustomNumber3=toint(cn3), DeviceCustomNumber3Label=tostring(cn3Label), EventCount=toint(cnt), DeviceCustomString1=tostring(cs1), DeviceCustomString1Label=tostring(cs1Label), DeviceCustomString2=tostring(cs2), DeviceCustomString2Label=tostring(cs2Label),DeviceCustomString3=tostring(cs3), DeviceCustomString3Label=tostring(cs3Label), DeviceCustomString4=tostring(cs4), DeviceCustomString4Label=tostring(cs4Label), DeviceCustomString5=tostring(cs5), DeviceCustomString5Label=tostring(cs5Label), DeviceCustomString6=tostring(cs6), DeviceCustomString6Label=tostring(cs6Label), DestinationTranslatedAddress=tostring(destinationTranslatedAddress), DestinationTranslatedPort=toint(destinationTranslatedPort), DeviceEventClassID=tostring(deviceEventClassId), DeviceExternalID=tostring(deviceExternalId), DeviceInboundInterface=tostring(deviceInboundInterface), DeviceOutboundInterface=tostring(deviceOutboundInterface), DeviceProduct=tostring(deviceProduct), DeviceVendor=tostring(deviceVendor), SourceTranslatedAddress=tostring(sourceTranslatedAddress), SourceTranslatedPort=toint(sourceTranslatedPort)"
}
]
}
}
]
}