CEF Integrated Product Detection Logs: Detection Results Events
CEF Key | Description | Value
--- | --- | ---
Header (logVer) | CEF format version | CEF:0
Header (vendor) | Appliance vendor | Trend Micro
Header (pname) | Appliance product | Deep Discovery Analyzer
Header (pver) | Appliance version | Example: 5.5.0.1191
Header (eventid) | Signature ID | 200128
Header (eventName) | Description | SUBMISSION_ANALYZED
Header (severity) | Deep Discovery Analyzer risk level mapping: | 
app | Application protocol | Example: FTP/HTTPS/MSN/...
c6a2 | Source IPv6 address | Example: 2001:db8::1
c6a2Label | Source IPv6 address | srcIPv6
c6a3 | Destination IPv6 address | Example: 2001:db8:a0b:12f0::1
c6a3Label | Destination IPv6 address | dstIPv6
cn1 | Sample type | 
cn1Label | Sample type | sampleType
cs1 | Malware name | Example: HEUR_NAMETRICK.A
cs1Label | Malware name | malName
cs2 | Email ID | Example: <20150414032514.494EF1E9A365@internalbeta.bcc.ddei>
cs2Label | Email ID | messageId
cs3 | Application protocol group | Example: SMTP/HTTP/…
cs3Label | Application protocol group | appGroup
cs4 | Submitter | 
cs4Label | Submitter | submitter
cs5 | Submitter host name or user name for manual sample submission | Example: shost1
cs5Label | Submitter host name | submitterName
cs6 | SHA256 | Example: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F
cs6Label | SHA256 | sha256
cs7 | Sample submission time | Example: Mar 03 2016 16:28:20 GMT+08:00
cs7Label | Submitted time | submittedTime
cs8 | Sample analysis completion time | Example: Mar 03 2016 16:28:20 GMT+08:00
cs8Label | Completed time | completedTime
deviceDirection | Associated direction | For ICAP protocol: / For other protocols:
deviceExternalId | Appliance GUID | Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
deviceProcessName | Appliance process name | Example: explorer.exe
dhost | Destination host name | Example: dhost1
dmac | Destination MAC address | Example: 00:0C:29:6E:CB:F9
dpt | Destination port | Value between 0 and 65535
dst | Destination IPv4 address | Example: 10.1.144.199
duser | Email recipients | Example: user1@domain2.com;test@163.com
dvc | Appliance IP address | Example: 10.1.144.199
dvchost | Appliance host name | Example: localhost
dvcmac | Appliance MAC address | Example: 00:0C:29:6E:CB:F9
fileHash | SHA1 | Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3
fileType | True file type | Example: RIFF bitmap file
fname | File name | Example: excel.rar
fsize | File size | Example: 131372
msg | Email subject | Example: hello
request | URL | Example: http://www.rainking.net/?utm_campaign=4-21-2014\|http://images.rainking.net/eloquaimage
requestClientApplication | User agent | Example: IE
rt | Event generation time at submitter | Example: Mar 09 2015 17:05:21 GMT+08:00
shost | Source host name | Example: shost1
smac | Source MAC address | Example: 00:0C:29:6E:CB:F9
spt | Source port | Value between 0 and 65535
src | Source IPv4 address | Example: 10.1.144.199
suser | Email sender | Example: user2@domain.com
Log sample:

CEF:0|Trend Micro|Deep Discovery Analyzer|7.5.0.1115|200128|SUBMISSION_ANALYZED|8|rt=Mar 21 2023 15:32:50 GMT+08:00 dvc=192.168.1.1 dvchost=DDAN dvcmac=B8:CA:3A:68:2F:CC deviceExternalId=B4F796E5-C139-4241-80FD-248D10F7CCB2 src=196.109.36.118 spt=39899 dst=108.109.7.8 dpt=11503 cn1Label=sampleType cn1=1 fileHash=F00C4312D16CBC0B2926A45544B01BE2FF24E184 request=http://www.bq998.com/DownFiles/FoxJD.Rar cs1Label=malName cs1=VAN_WEB_THREAT.UMXX cs4Label=submitter cs4=Deep Discovery Inspector cs5Label=submitterName cs5=localhost.localdomain cs6Label=sha256 cs6=E0EFF50D6D817BE99AAD183A131A29DFC34CAECCA43F93D55A9347A1C2B27F72 cs7Label=submittedTime cs7=Mar 21 2023 15:29:51 GMT+08:00 cs8Label=completedTime cs8=Mar 21 2023 15:29:58 GMT+08:00
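An added Python example (not from the Trend Micro documentation) that turns the record above into named fields: it splits the seven pipe-delimited header fields while honouring the `\|` and `\\` escapes CEF allows there, walks the space-separated extension without breaking values that themselves contain spaces (the timestamps, the submitter name), and resolves each csN/cnN/c6aN label pair to the field name the table gives. The input is the page's log sample re-joined onto one line; the function and constant names are this example's own.

```python
import re

# The page's log sample, re-joined onto one line (constructed input for this example).
SAMPLE = (
    "CEF:0|Trend Micro|Deep Discovery Analyzer|7.5.0.1115|200128|SUBMISSION_ANALYZED|8|"
    "rt=Mar 21 2023 15:32:50 GMT+08:00 dvc=192.168.1.1 dvchost=DDAN dvcmac=B8:CA:3A:68:2F:CC "
    "deviceExternalId=B4F796E5-C139-4241-80FD-248D10F7CCB2 src=196.109.36.118 spt=39899 "
    "dst=108.109.7.8 dpt=11503 cn1Label=sampleType cn1=1 "
    "fileHash=F00C4312D16CBC0B2926A45544B01BE2FF24E184 request=http://www.bq998.com/DownFiles/FoxJD.Rar "
    "cs1Label=malName cs1=VAN_WEB_THREAT.UMXX cs4Label=submitter cs4=Deep Discovery Inspector "
    "cs5Label=submitterName cs5=localhost.localdomain cs6Label=sha256 "
    "cs6=E0EFF50D6D817BE99AAD183A131A29DFC34CAECCA43F93D55A9347A1C2B27F72 "
    "cs7Label=submittedTime cs7=Mar 21 2023 15:29:51 GMT+08:00 "
    "cs8Label=completedTime cs8=Mar 21 2023 15:29:58 GMT+08:00"
)

HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")        # header delimiter; "\|" is a literal pipe
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9]+)=")  # "key=" at start or after whitespace
_CUSTOM = re.compile(r"c(?:s|n|6a)\d+")            # cs1, cn1, c6a2 ... (named via their Label)

def _unescape(value: str) -> str:
    return value.replace("\\=", "=").replace("\\|", "|").replace("\\\\", "\\")

def parse_ddan_cef(line: str) -> dict:
    """Return one dict of named fields for a Deep Discovery Analyzer CEF record."""
    parts = _UNESCAPED_PIPE.split(line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record with 7 header fields")
    event = dict(zip(HEADER_KEYS, (_unescape(p) for p in parts[:7])))
    event["logVer"] = event["logVer"][len("CEF:"):]  # "CEF:0" -> "0"
    # Extension: a value runs until the next "key=" that follows whitespace, so
    # "Mar 21 2023 15:32:50 GMT+08:00" and "Deep Discovery Inspector" stay whole.
    ext = parts[7]
    hits = list(_EXT_KEY.finditer(ext))
    raw = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        raw[m.group(1)] = _unescape(ext[m.end():end].strip())
    # csNLabel / cnNLabel / c6aNLabel carry the real field name from the table;
    # publish the value under that name (malName, sha256, ...) and drop the csN slot.
    for key, value in raw.items():
        if key.endswith("Label") and key[:-5] in raw:
            event[value] = raw[key[:-5]]
        elif not key.endswith("Label") and not _CUSTOM.fullmatch(key):
            event[key] = value
    return event
```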