LEEF Integrated Product Detection Logs: Detection Results Events

Each entry below gives the LEEF key, then its description and its value (or an example value).

Header (logVer)
    Description: LEEF format version
    Value: LEEF: 1.0

Header (vendor)
    Description: Appliance vendor
    Value: Trend Micro

Header (pname)
    Description: Appliance product
    Value: Deep Discovery Analyzer

Header (pver)
    Description: Appliance version
    Example: 5.5.0.1191

Header (eventName)
    Description: Event description
    Value: SUBMISSION_ANALYZED

app
    Description: Application protocol
    Example: FTP/HTTPS/MSN/...

appGroup
    Description: Application protocol group
    Example: SMTP/HTTP/…

deviceDirection
    Description: Associated direction
    Value for the ICAP protocol:
      • 0: ICAP REQMOD
      • 1: ICAP RESPMOD
    Value for other protocols:
      • 0: inbound
      • 1: outbound
      • 2: unknown

deviceProcessName
    Description: Appliance process name
    Example: explorer.exe

devTime
    Description: Event generation time at the submitter
    Example: Jan 28 2015 02:00:36 GMT+08:00

devTimeFormat
    Description: Time format of devTime
    Value: MMM dd yyyy HH:mm:ss z

dhost
    Description: Destination host name
    Example: dhost1

dst
    Description: Destination IPv4 or IPv6 address
    Example (IPv4): 10.1.144.199
    Example (IPv6): 2001:db8:a0b:12f0::1

dstMAC
    Description: Destination MAC address
    Example: 00:0C:29:6E:CB:F9

dstPort
    Description: Destination port
    Value: 0 to 65535

duser
    Description: Email recipients (semicolon-separated)
    Example: user1@domain2.com;test@163.com

dvc
    Description: Appliance IP address
    Example: 10.1.144.199

dvchost
    Description: Appliance host name
    Example: localhost

deviceGUID
    Description: Appliance GUID
    Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536

deviceMacAddress
    Description: Appliance MAC address
    Example: 00:0C:29:6E:CB:F9

fileHash
    Description: SHA1 hash of the sample
    Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3

fileType
    Description: True file type
    Example: RIFF bitmap file

fname
    Description: File name
    Example: excel.rar

fsize
    Description: File size
    Example: 131372

mailMsgSubject
    Description: Email subject
    Example: hello

malName
    Description: Malware name
    Example: HEUR_NAMETRICK.A

messageId
    Description: Email ID
    Example: <20150414032514.494EF1E9A365@internalbeta.bcc.ddei>

requestClientApplication
    Description: User agent
    Example: IE

sampleType
    Description: Sample type
    Value:
      • 0: File sample
      • 1: URL sample

sev
    Description: Severity
    Value (Deep Discovery Analyzer risk level mapping):
      • 1: Unrated
      • 2: No risk
      • 4: Low
      • 6: Medium
      • 8: High

sha256
    Description: SHA256 hash of the sample
    Example: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F

shost
    Description: Source host name
    Example: shost1

src
    Description: Source IPv4 or IPv6 address
    Example (IPv4): 10.1.144.199
    Example (IPv6): 2001:db8::1

srcMAC
    Description: Source MAC address
    Example: 00:0D:60:AF:1B:61

srcPort
    Description: Source port
    Value: 0 to 65535

submitter
    Description: Submitter (the product or mechanism that submitted the sample)
    Example: Deep Discovery Inspector

submitterName
    Description: Submitter host name, or the user name for a manual sample submission
    Example: shost1

suser
    Description: Email sender
    Example: user2@domain.com

url
    Description: URL
    Example: http://1.2.3.4/query?term=value

submittedTime
    Description: Sample submission time
    Example: Mar 03 2016 16:28:20 GMT+08:00

submittedTimeFormat
    Description: Time format of submittedTime
    Value: MMM dd yyyy HH:mm:ss z

completedTime
    Description: Sample analysis completion time
    Example: Mar 03 2016 16:28:20 GMT+08:00

completedTimeFormat
    Description: Time format of completedTime
    Value: MMM dd yyyy HH:mm:ss z
Log sample (one record on a single line; the LEEF attribute delimiter is a tab character, which the receiving syslog daemon has rendered here as its octal escape #011):
LEEF: 1.0|Trend Micro|Deep Discovery Analyzer|7.5.0.1115|SUBMISSION_ANALYZED|devTime=Mar 21 2023 17:05:04 GMT+08:00#011devTimeFormat=MMM dd yyyy HH:mm:ss z#011sev=8#011dvc=192.168.1.1#011dvchost=DDAN#011deviceMacAddress=EC:F4:BB:DE:E1:F8#011deviceGUID=B4F796E5-C139-4241-80FD-248D10F7CCB2#011src=192.168.88.108#011srcPort=13861#011dst=42.62.93.35#011dstPort=6891#011sampleType=0#011fname=evasion-000002#011fsize=2868884#011fileType=ELF Executable#011fileHash=BD8463790E46BB9B7571378FA2ADBA69F0342576#011malName=Troj.ELF.TRX.XXELFC1DFF026,VAN_TROJAN.UMXX#011submitter=Deep Discovery Inspector#011submitterName=localhost.localdomain#011sha256=1BC25EF196A08EA25DBBF2832E010C3AE4A3E227B1F7A3F5D014C80DDC3AEE32#011submittedTime=Mar 21 2023 17:02:06 GMT+08:00#011submittedTimeFormat=MMM dd yyyy HH:mm:ss z#011completedTime=Mar 21 2023 17:04:54 GMT+08:00#011completedTimeFormat=MMM dd yyyy HH:mm:ss z
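The following parser is an added example written for this page; it is not Trend Micro's code and not part of the original documentation. It splits a SUBMISSION_ANALYZED record into the five LEEF 1.0 header fields and the tab-delimited attributes, undoes the #011 escaping applied by the receiving syslog daemon, decodes the sev, sampleType and deviceDirection mappings from the table above, parses the "MMM dd yyyy HH:mm:ss z" timestamps, and produces a triage summary. The input is the page's own log sample re-joined onto one line. Two points are assumptions rather than statements from the page: that ICAP submissions are recognisable by app=ICAP (the page only says "for ICAP protocol"), and the alerting threshold of Medium or higher, which is a local policy choice.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# The page's log sample re-joined onto one line. The receiving syslog daemon has
# escaped the tab that LEEF uses between attributes as '#011' (octal 011).
SAMPLE = (
    "LEEF: 1.0|Trend Micro|Deep Discovery Analyzer|7.5.0.1115|SUBMISSION_ANALYZED|"
    "devTime=Mar 21 2023 17:05:04 GMT+08:00#011devTimeFormat=MMM dd yyyy HH:mm:ss z"
    "#011sev=8#011dvc=192.168.1.1#011dvchost=DDAN#011deviceMacAddress=EC:F4:BB:DE:E1:F8"
    "#011deviceGUID=B4F796E5-C139-4241-80FD-248D10F7CCB2#011src=192.168.88.108"
    "#011srcPort=13861#011dst=42.62.93.35#011dstPort=6891#011sampleType=0"
    "#011fname=evasion-000002#011fsize=2868884#011fileType=ELF Executable"
    "#011fileHash=BD8463790E46BB9B7571378FA2ADBA69F0342576"
    "#011malName=Troj.ELF.TRX.XXELFC1DFF026,VAN_TROJAN.UMXX"
    "#011submitter=Deep Discovery Inspector#011submitterName=localhost.localdomain"
    "#011sha256=1BC25EF196A08EA25DBBF2832E010C3AE4A3E227B1F7A3F5D014C80DDC3AEE32"
    "#011submittedTime=Mar 21 2023 17:02:06 GMT+08:00"
    "#011submittedTimeFormat=MMM dd yyyy HH:mm:ss z"
    "#011completedTime=Mar 21 2023 17:04:54 GMT+08:00"
    "#011completedTimeFormat=MMM dd yyyy HH:mm:ss z"
)

# Value mappings taken from the table on this page.
RISK_LEVEL = {1: "Unrated", 2: "No risk", 4: "Low", 6: "Medium", 8: "High"}
SAMPLE_TYPE = {0: "File sample", 1: "URL sample"}
DIRECTION = {0: "inbound", 1: "outbound", 2: "unknown"}
ICAP_DIRECTION = {0: "ICAP REQMOD", 1: "ICAP RESPMOD"}

# The Java-style pattern "MMM dd yyyy HH:mm:ss z" as rendered in the page's
# examples, e.g. "Mar 21 2023 17:05:04 GMT+08:00".
_TIME_RE = re.compile(r"([A-Za-z]{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) GMT([+-])(\d{2}):(\d{2})")


def parse_leef(record: str) -> dict:
    """Split a LEEF 1.0 record into its header fields and an attribute dict."""
    # Tolerate a syslog prefix (PRI, timestamp, host) in front of the LEEF header.
    start = record.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in record")
    # Undo the syslog escaping so the attribute delimiter is a real tab again.
    record = record[start:].rstrip("\r\n").replace("#011", "\t")
    # LEEF 1.0 has exactly five '|'-separated header fields before the attributes;
    # maxsplit=5 keeps any '|' inside an attribute value (e.g. a URL) intact.
    parts = record.split("|", 5)
    if len(parts) != 6:
        raise ValueError("not a LEEF 1.0 record")
    log_ver, vendor, product, version, event_name, attrs = parts
    fields = {}
    for token in attrs.split("\t"):
        if not token:
            continue
        key, sep, value = token.partition("=")  # split on the first '=' only
        if not sep or not key:
            raise ValueError(f"malformed attribute: {token!r}")
        fields[key] = value
    return {"logVer": log_ver.strip(), "vendor": vendor, "product": product,
            "version": version, "eventName": event_name, "fields": fields}


def parse_dev_time(value: str) -> datetime:
    """Parse a "MMM dd yyyy HH:mm:ss z" value into a timezone-aware datetime."""
    m = _TIME_RE.fullmatch(value)
    if not m:
        raise ValueError(f"unexpected time format: {value!r}")
    naive = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
    offset = timedelta(hours=int(m.group(3)), minutes=int(m.group(4)))
    if m.group(2) == "-":
        offset = -offset
    return naive.replace(tzinfo=timezone(offset))


def describe_direction(fields: dict) -> Optional[str]:
    """Decode deviceDirection, whose codes mean something different for ICAP.

    Assumption (not stated on the page): ICAP submissions carry app=ICAP."""
    code = fields.get("deviceDirection")
    if code is None:
        return None
    table = ICAP_DIRECTION if fields.get("app", "").upper() == "ICAP" else DIRECTION
    return table.get(int(code), "unknown")


def triage(record: str) -> dict:
    """Normalise the fields an analyst needs to decide whether to act on the event."""
    ev = parse_leef(record)
    f = ev["fields"]
    submitted = parse_dev_time(f["submittedTime"])
    completed = parse_dev_time(f["completedTime"])
    sev = int(f.get("sev", 1))
    return {
        "event": ev["eventName"],
        "risk": RISK_LEVEL.get(sev, "Unrated"),
        "sample_type": SAMPLE_TYPE.get(int(f.get("sampleType", 0)), "unknown"),
        "sample": f.get("fname") or f.get("url"),   # file samples carry fname, URL samples url
        "sha1": f.get("fileHash", "").lower(),
        "sha256": f.get("sha256", "").lower(),
        "malware": [n for n in f.get("malName", "").split(",") if n],  # may list several names
        "submitter": f.get("submitter"),
        "direction": describe_direction(f),
        "analysis_seconds": int((completed - submitted).total_seconds()),
        "alert": sev >= 6,  # assumed local policy: page Medium and High, log the rest
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE))
```

When feeding real syslog output to this parser, keep the #011 replacement: rsyslog and similar daemons escape control characters on receive, so the tab delimiter rarely survives as a literal tab, and a parser that splits only on "\t" will see the whole attribute list as one token. Lower-casing the hashes before lookup avoids case mismatches against threat-intelligence feeds, which usually store hex digests in lower case.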