Suricatavel CEF (Common Event Format) Extension Mapping Reference
================================================================

Suricatavel enriched alerts in CEF format are structured as follows:

CEF Header (the extension key=value pairs listed below follow the trailing pipe, separated by spaces):
CEF:0|Suricatavel|Suricatavel|1.0|{signature_id}|{signature}|{severity}|

CEF Custom Enrichment Field Mappings (mapped to standard pre-allocated ArcSight extension keys):
---------------------------------------------------------------------------------------------

1. GeoIP Source Country
   - Extension Key: cs3
   - Extension Key Label: cs3Label
   - Label Value: SourceCountryCode
   - Example: cs3Label=SourceCountryCode cs3=US

2. AbuseIPDB Reputation Score
   - Extension Key: cn1
   - Extension Key Label: cn1Label
   - Label Value: AbuseIPDBScore
   - Example: cn1Label=AbuseIPDBScore cn1=85

3. VirusTotal Detection Count
   - Extension Key: cs4
   - Extension Key Label: cs4Label
   - Label Value: VirusTotalMaliciousCount
   - Example: cs4Label=VirusTotalMaliciousCount cs4=12

4. Extracted Indicator of Compromise (IOC) Type
   - Extension Key: cs5
   - Extension Key Label: cs5Label
   - Label Value: IocType
   - Example: cs5Label=IocType cs5=domain

5. Extracted Indicator of Compromise (IOC) Value
   - Extension Key: cs6
   - Extension Key Label: cs6Label
   - Label Value: IocValue
   - Example: cs6Label=IocValue cs6=malicious.xyz

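The mapping above, as an added Python example that is not Suricatavel's own code: it renders an enriched alert as a CEF line with the header and extension escaping CEF requires, and parses the extension back into a dict. The alert dict field names on the input side and the sample alert are assumptions constructed for this example; note that cs4 is a custom string key, so the VirusTotal count arrives as text.

```python
import re

# Mapping from the reference above: enrichment -> (CEF extension key, label).
# The alert dict field names (left side) are assumptions for this example.
ENRICHMENT_FIELDS = {
    "src_country": ("cs3", "SourceCountryCode"),
    "abuseipdb_score": ("cn1", "AbuseIPDBScore"),
    "vt_malicious_count": ("cs4", "VirusTotalMaliciousCount"),  # cs = string key
    "ioc_type": ("cs5", "IocType"),
    "ioc_value": ("cs6", "IocValue"),
}

def _esc_header(value):
    # CEF header fields must escape backslash and the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(value):
    # CEF extension values must escape backslash and '='; newlines become \r \n.
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")

def to_cef(alert):
    """Render an enriched alert dict as one CEF line using the mapping above."""
    hdr = (alert["signature_id"], alert["signature"], alert["severity"])
    line = "CEF:0|Suricatavel|Suricatavel|1.0|" + "|".join(_esc_header(v) for v in hdr) + "|"
    ext = []
    for field, (key, label) in ENRICHMENT_FIELDS.items():
        if alert.get(field) is not None:  # keys with no enrichment are omitted
            ext.append("%sLabel=%s" % (key, label))
            ext.append("%s=%s" % (key, _esc_ext(alert[field])))
    return line + " ".join(ext)

def parse_extension(ext):
    """Parse a CEF extension string into a dict; values may contain spaces."""
    out = {}
    keys = list(re.finditer(r"(?:^| )(\w+)=", ext))  # relies on '=' in values being escaped
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return out

# Constructed sample alert, not real Suricatavel output.
SAMPLE_ALERT = {
    "signature_id": 2024001, "signature": "ET MALWARE Beacon|C2", "severity": 7,
    "src_country": "US", "abuseipdb_score": 85, "vt_malicious_count": 12,
    "ioc_type": "domain", "ioc_value": "malicious.xyz",
}
```

Calling to_cef(SAMPLE_ALERT) yields the header with the signature's pipe escaped as \| followed by the five label/value pairs in the order of the reference above.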