LEEF ICAP Pre-scan Detection Logs

| LEEF Key | Description | Value |
|---|---|---|
| Header (logVer) | LEEF format version | LEEF:1.0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Deep Discovery Analyzer |
| Header (pver) | Appliance version | Example: 7.1.0.1088 |
| Header (eventName) | Event name | ICAP_PRESCAN_EVENT |
| deviceGUID | Appliance GUID | Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536 |
| deviceMacAddress | Appliance MAC address | Example: 00:0C:29:6E:CB:F9 |
| devTime | Log generation time | Example: Jan 28 2015 02:00:36 GMT+08:00 |
| devTimeFormat | Time format | MMM dd yyyy HH:mm:ss z |
| dvc | Appliance IP address | Example: 10.1.144.199 |
| dvchost | Appliance host name | Example: localhost |
| fileHash | SHA1 | Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3 |
| fileType | True file type | Example: RIFF bitmap file |
| fname | File name | Example: excel.rar |
| sha256 | SHA256 | Example: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F |
| sampleType | Sample type | 0: File sample; 1: URL sample |
| url | URL | Example: http://1.2.3.4/query?term=value |
| src | Source IPv4 address | Example: 10.1.144.199 |
| dst | Destination IPv4 address | Example: 10.1.144.198 |
| sourceUser | X-Authenticated-User ICAP header sent by the ICAP client | Example: test |
| sev | Risk level | 8: High |
| malName | Malware name | Example: HEUR_NAMETRICK.A |
| icapMode | ICAP mode | Example: REQMOD (ICAP request modification method); RESPMOD (ICAP response modification method) |
| identifiedBy | The name of the detection module that processed the object | Example: Web Reputation Services; Advanced Threat Scan Engine; Virtual Analyzer; Suspicious Object; User-defined Suspicious Object; YARA Rule (+ Yara_file_name); Predictive Machine Learning Engine; ICAP: Password-protected file (bypass scanning); ICAP: Password-protected file (non-malicious, unextracted) |
Log sample:
LEEF:1.0|Trend Micro|Deep Discovery Analyzer|7.1.0.1009|ICAP_PRESCAN_EVENT|devTime=May 31 2021 15:56:04 GMT+08:00<009>devTimeFormat=MMM dd yyyy HH:mm:ss z<009>sev=8<009>dvc=10.204.191.223<009>dvchost=DDAN<009>deviceMacAddress=00:50:56:98:39:75<009>deviceGUID=22DB5662-BDEC-4071-9D82-E5008EF8B328<009>dst=10.204.190.8<009>src=10.204.190.7<009>sampleType=1<009>fileHash=317D137FE590EE561648ECA137CB2B6898526115<009>url=http://test.com:80/<009>malName=VAN_WEB_THREAT.UMXX<009>submitterName=10.204.190.6<009>icapMode=RESPMODE<009>sourceUser=auth_test2<009>identifiedBy=Web Reputation Services<009>sha256=F5C748A953D23B8CE4F5C792FDC1E7987471DD48FE24ABA07C3CFD10B4AEF72F

LEEF:1.0|Trend Micro|Deep Discovery Analyzer|7.1.0.1009|ICAP_PRESCAN_EVENT|devTime=Jun 02 2021 13:26:17 GMT+08:00<009>devTimeFormat=MMM dd yyyy HH:mm:ss z<009>sev=8<009>dvc=10.204.191.223<009>dvchost=DDAN<009>deviceMacAddress=00:50:56:98:39:75<009>deviceGUID=22DB5662-BDEC-4071-9D82-E5008EF8B328<009>dst=10.204.191.122<009>src=10.204.190.6<009>sampleType=0<009>fname=\\x332d6c617965722e7a6970<009>fileType=ZIP archive<009>fileHash=D7273555CB0AC08303415CBEB3F3D72DD0893BC4<009>malName=TROJ_OLEXP.TPD,Eicar_test_file<009>submitterName=10.204.190.6<009>icapMode=RESPMODE<009> sourceUser=auth_test<009>identifiedBy=Advanced Threat Scan Engine<009>sha256=08F18BC62297A67DD91E192A27C1EEDE3C1BBEE19A90FC0B1FADD07CE93B9823
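As an added example (not Trend Micro's code and not part of the product documentation), the following Python parser consumes the records shown above, splits the LEEF header from the tab-delimited attributes, converts devTime to UTC, maps sev and sampleType through the field table, and flags fileHash or sha256 values that are not well-formed hex digests, which is the first check a SIEM ingest pipeline should make before using them as indicators. It assumes that the `<009>` in the samples is the documentation's rendering of the TAB (ASCII 9) delimiter that LEEF 1.0 uses between attributes, and that the backslash-x prefixed fname in the second sample is hex-encoded UTF-8 (it decodes to 3-layer.zip). The function names (parse_leef, parse_devtime, decode_fname, normalize) and the sample-log constant are mine.

```python
import re
from datetime import datetime, timedelta, timezone

# The page renders the LEEF attribute delimiter (TAB, ASCII 9) as "<009>"; real syslog
# output carries the tab itself, so the parser accepts both forms (assumption).
TAB_PLACEHOLDER = "<009>"

# Value mappings taken from the field table above.
SAMPLE_TYPES = {"0": "File sample", "1": "URL sample"}
RISK_LEVELS = {"8": "High"}
HEX_LENGTHS = {"fileHash": 40, "sha256": 64}  # SHA1 and SHA256 hex digest lengths

# Constructed input: the page's two log samples, each joined back onto a single line.
SAMPLE_LOGS = [
    "LEEF:1.0|Trend Micro|Deep Discovery Analyzer|7.1.0.1009|ICAP_PRESCAN_EVENT|"
    "devTime=May 31 2021 15:56:04 GMT+08:00<009>devTimeFormat=MMM dd yyyy HH:mm:ss z<009>sev=8"
    "<009>dvc=10.204.191.223<009>dvchost=DDAN<009>deviceMacAddress=00:50:56:98:39:75"
    "<009>deviceGUID=22DB5662-BDEC-4071-9D82-E5008EF8B328<009>dst=10.204.190.8<009>src=10.204.190.7"
    "<009>sampleType=1<009>fileHash=317D137FE590EE561648ECA137CB2B6898526115<009>url=http://test.com:80/"
    "<009>malName=VAN_WEB_THREAT.UMXX<009>submitterName=10.204.190.6<009>icapMode=RESPMODE"
    "<009>sourceUser=auth_test2<009>identifiedBy=Web Reputation Services"
    "<009>sha256=F5C748A953D23B8CE4F5C792FDC1E7987471DD48FE24ABA07C3CFD10B4AEF72F",
    "LEEF:1.0|Trend Micro|Deep Discovery Analyzer|7.1.0.1009|ICAP_PRESCAN_EVENT|"
    "devTime=Jun 02 2021 13:26:17 GMT+08:00<009>devTimeFormat=MMM dd yyyy HH:mm:ss z<009>sev=8"
    "<009>dvc=10.204.191.223<009>dvchost=DDAN<009>deviceMacAddress=00:50:56:98:39:75"
    "<009>deviceGUID=22DB5662-BDEC-4071-9D82-E5008EF8B328<009>dst=10.204.191.122<009>src=10.204.190.6"
    "<009>sampleType=0<009>fname=\\x332d6c617965722e7a6970<009>fileType=ZIP archive"
    "<009>fileHash=D7273555CB0AC08303415CBEB3F3D72DD0893BC4<009>malName=TROJ_OLEXP.TPD,Eicar_test_file"
    "<009>submitterName=10.204.190.6<009>icapMode=RESPMODE<009> sourceUser=auth_test"
    "<009>identifiedBy=Advanced Threat Scan Engine"
    "<009>sha256=08F18BC62297A67DD91E192A27C1EEDE3C1BBEE19A90FC0B1FADD07CE93B9823",
]

def parse_leef(line: str) -> dict:
    """Split one LEEF 1.0 record into its five header fields and its key=value attributes."""
    line = line.rstrip("\r\n").replace(TAB_PLACEHOLDER, "\t")
    parts = line.split("|", 5)  # maxsplit keeps any '|' inside attribute values intact
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 record: %r" % line[:40])
    header = {"logVer": parts[0].split(":", 1)[1], "vendor": parts[1],
              "pname": parts[2], "pver": parts[3], "eventName": parts[4]}
    attrs = {}
    for field in parts[5].split("\t"):
        field = field.strip()  # the second sample has a stray space before sourceUser
        key, sep, value = field.partition("=")
        if sep:
            attrs[key] = value
    return {"header": header, "attrs": attrs}

def parse_devtime(value: str):
    """Parse 'MMM dd yyyy HH:mm:ss z' with a GMT+hh:mm zone into an aware datetime, or None."""
    m = re.fullmatch(r"([A-Za-z]{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) GMT([+-])(\d{2}):(\d{2})", value)
    if not m:
        return None
    naive = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
    offset = timedelta(hours=int(m.group(3)), minutes=int(m.group(4)))
    if m.group(2) == "-":
        offset = -offset
    return naive.replace(tzinfo=timezone(offset))

def decode_fname(raw: str) -> str:
    """Decode the backslash-x prefixed hex form seen in the second sample (assumed UTF-8); else pass through."""
    m = re.fullmatch(r"\\{1,2}x([0-9A-Fa-f]+)", raw)
    if m and len(m.group(1)) % 2 == 0:
        try:
            return bytes.fromhex(m.group(1)).decode("utf-8")
        except UnicodeDecodeError:
            pass
    return raw

def normalize(line: str) -> dict:
    """Flatten one record into the fields a SIEM rule keys on and flag malformed hash values."""
    rec = parse_leef(line)
    a = rec["attrs"]
    malformed = [k for k, n in HEX_LENGTHS.items()
                 if k in a and not re.fullmatch(r"[0-9A-Fa-f]{%d}" % n, a[k])]
    when = parse_devtime(a.get("devTime", ""))
    sample_type = SAMPLE_TYPES.get(a.get("sampleType"), "unknown")
    return {
        "event": rec["header"]["eventName"],
        "time_utc": when.astimezone(timezone.utc).isoformat() if when else None,
        "severity": int(a["sev"]) if a.get("sev", "").isdigit() else None,
        "risk": RISK_LEVELS.get(a.get("sev"), "unknown"),
        "sample_type": sample_type,
        "detected_by": a.get("identifiedBy"),
        "client_user": a.get("sourceUser"),
        "src": a.get("src"), "dst": a.get("dst"),
        # the second sample lists two names separated by a comma (observed, not documented)
        "malware": a["malName"].split(",") if a.get("malName") else [],
        "sha1": a.get("fileHash"),
        "sha256": a.get("sha256"),
        "url": a.get("url") if sample_type == "URL sample" else None,
        "file_name": decode_fname(a["fname"]) if "fname" in a else None,
        "malformed_fields": malformed,
    }

if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        print(normalize(sample))
```

Running the block prints one normalized event per sample. Two points worth noting when adapting it: icapMode is passed through verbatim because the samples carry RESPMODE while the table lists RESPMOD, so a rule should match on either until the appliance's actual output is confirmed; and `malformed_fields` is populated rather than raising, so a record with a corrupted digest still reaches the SIEM with the problem visible instead of being dropped silently.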