TMEF Integrated Product Detection Logs: Detection Results Events
|
TMEF Key
|
Description
|
Value
|
|
Header (logVer)
|
TMEF format version
|
CEF: 0
|
|
Header (vendor)
|
Appliance vendor
|
Trend Micro
|
|
Header (pname)
|
Appliance product
|
Deep Discovery Analyzer
|
|
Header (pver)
|
Appliance version
|
Example: 5.5.0.1191
|
|
Header (eventid)
|
Signature ID
|
200128
|
|
Header (eventName)
|
Description
|
SUBMISSION_ANALYZED
|
|
Header (severity)
|
Deep Discovery Analyzer risk level mapping:
|
|
|
app
|
Application protocol
|
Example: FTP/HTTPS/MSN/...
|
|
appGroup
|
Application protocol group
|
Example: SMTP/HTTP/…
|
|
c6a2
|
Source IPv6 address
|
Example: 2001:db8::1
|
|
c6a2Label
|
Source IPv6 address
|
srcIPv6
|
|
c6a3
|
Destination IPv6 address
|
Example: 2001:db8:a0b:12f0::1
|
|
c6a3Label
|
Destination IPv6 address
|
dstIPv6
|
|
cn1
|
Sample type
|
|
|
cn1Label
|
Sample type
|
sampleType
|
|
cs1
|
Email ID
|
Example:
<20150414032514.494EF1E9A365@internalbeta.bcc.ddei>
|
|
cs1Label
|
Email ID
|
messageId
|
|
cs2
|
Submitter
|
|
|
cs2Label
|
Submitter
|
submitter
|
|
cs3
|
Submitter host name or user name for manual sample
submission
|
Example: shost1
|
|
cs3Label
|
Submitter host name
|
submitterName
|
|
cs6
|
SHA256
|
Example:
275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F
|
|
cs6Label
|
SHA256
|
|
|
cs7
|
Sample submission time
|
Example: Mar 03 2016 16:28:20 GMT+08:00
|
|
cs7Label
|
Submitted time
|
submittedTime
|
|
cs8
|
Sample analysis completion time
|
Example: Mar 03 2016 16:28:20 GMT+08:00
|
|
cs8Label
|
Completed time
|
completedTime
|
|
deviceDirection
|
Associated direction
|
For ICAP protocol:
For other protocols:
|
|
deviceGUID
|
Appliance GUID
|
Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
|
|
deviceMacAddress
|
Appliance MAC address
|
Example: 00:0C:29:6E:CB:F9
|
|
deviceProcessName
|
Appliance process name
|
Example: explorer.exe
|
|
dhost
|
Destination host name
|
Example: dhost1
|
|
dmac
|
Destination MAC address
|
Example: 00:0C:29:6E:CB:F9
|
|
dpt
|
Destination port
|
Value between 0 and 65535
|
|
dst
|
Destination IPv4 address
|
Example: 10.1.144.199
|
|
duser
|
Email recipients
|
Example: user1@domain2.com;test@163.com
|
|
dvc
|
Appliance IP address
|
Example: 10.1.144.199
|
|
dvchost
|
Appliance host name
|
Example: localhost
|
|
fileHash
|
SHA1
|
Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3
|
|
fileType
|
True file type
|
Example: RIFF bitmap file
|
|
fname
|
File name
|
Example: excel.rar
|
|
fsize
|
File size
|
Example: 131372
|
|
mailMsgSubject
|
Email subject
|
Example: hello
|
|
malName
|
Malware name
|
Example: HEUR_NAMETRICK.A
|
|
request
|
URL
|
Example: http://www.rainking.net/?utm_campaign=4-21-2014
|http://images.rainking.net/eloquaimage
|
|
requestClientApplication
|
User agent
|
Example: IE
|
|
rt
|
Event generation time at submitter
|
Example: Mar 09 2015 17:05:21 GMT+08:00
|
|
shost
|
Source host name
|
Example: shost1
|
|
smac
|
Source MAC address
|
Example: 00:0C:29:6E:CB:F9
|
|
spt
|
Source port
|
Value between 0 and 65535
|
|
src
|
Source IPv4 address
|
Example: 10.1.144.199
|
|
suser
|
Email sender
|
Example: user2@domain.com
|
Log sample:
CEF: 0|Trend Micro|Deep Discovery Analyzer|7.5.0.1115|2001 28|SUBMISSION_ANALYZED|8|rt=Mar 21 2023 17:32:22 GMT+08:00 dvc=192.168.1.1 dvchost=DDAN deviceMacAddress=EC:F4:BB:DE :E1:F8 deviceGUID=B4F796E5-C139-4241-80FD-248D10F7CCB2 src =69.65.60.111 spt=18442 dst=116.32.60.114 dpt=50200 cn1Lab el=sampleType cn1=1 fileHash=A5D14065EC35E86101F2EF1F8550C 02A8CF7C49F request=http://easienglish.com/IWhCoZ malName= VAN_WEB_THREAT.UMXX cs2Label=submitter cs2=Deep Discovery Inspector cs3Label=submitterName cs3=localhost.localdomain cs6Label=sha256 cs6=E845A4884E75D4465BCDC19D864AA63B26BBEE8 3147CD515F39511CBC03B2BB3 cs7Label=submittedTime cs7=Mar 21 2023 17:29:24 GMT+08:00 cs8Label=completedTime cs8=Mar 21 2023 17:29:38 GMT+08:00