Views:

CEF Detection Logs: Email Detection Logs

CEF Key
Description
Value 
Header (logVer)
CEF format version
CEF: 0
Header (vendor)
Appliance vendor
Trend Micro
Header (pname)
Appliance product
Deep Discovery Director
Header (pver)
Appliance version
Example: 5.3.0.1212
Header (eventid)
Signature ID
100130
Header (eventName)
Description
EMAIL_DETECTION
Header (severity)
Email severity
  • 2: Unavailable
  • 4: Low
  • 6: Medium
  • 8: High
act
The action in the event
Examples:
  • quarantined
  • passed
  • stripped
  • analyzed
  • stamped
  • subjectsTagged
  • deleted
  • delivered directly
  • cleaned up
  • file sanitized
cn1
Threat type
  • 1: Targeted malware
  • 2: Malware
  • 3: Malicious URL
  • 4: Suspicious file
  • 5: Suspicious URL
  • 6: Spam/Graymail
  • 7: Phishing
  • 8: Content violation
  • 9: DLP incident
cn1Label
Threat type
threatType
cn2
Email Size
Example: 30841
cn2Label
Email Size
msgSize
cs1
Names of threats in the email
Example: VAN_MALWARE.UMXX|FRAUD_PHISHING.WRS
cs1Label
Names of threats in the email
threats
cs2
Internal email ID
Example: 6965222B-13A6-C705-89D4-6251B6C41E03
cs2Label
Internal email ID
msgUuid
cs3
Email ID
Example: <20150414032514.494EF1E9A365@internalbeta.bcc.ddei>
cs3Label
Email ID
messageId
cs4
Sender email address
Example: user1@domain.com
cs4Label
Label for sender email address
senderMail
cs5
Recipient email address
Example: user2@domain.com
cs5Label
Label for recipient email address
rcptMail
deviceExternalId
Appliance GUID
Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
duser
Email recipients
Example: user1@domain2.com;test@163.com
dvc
Appliance IP address
Example: 10.1.144.199
dvchost
Appliance host name
Example: localhost
dvcmac
Appliance MAC address
Example: 00:0C:29:6E:CB:F9
msg
Email subject
Example: hello
rt
Log generation time
Format: Unix time stamp (number of milliseconds since Jan 01 1970 UTC)
Example: 1593761104000
src
Source IP address
Example: 10.1.144.199
suser
Email sender
Example: user2@domain.com
Log sample:
May 15 16:00:47 localhost CEF:0|Trend Micro|Deep Discovery Dir
ector|5.3.0.1212|100130|EMAIL_DETECTION|6|rt=1593761104000 src
=150.70.186.134 cs3Label=messageId cs3=<20150323115314.BCA2C91
68EA@internalbeta.bcc.ddei> deviceExternalId=c425624a-e9db-4f3
f-8088-2726f15e6587 act=passed dvchost=internalbeta.bcc.ddei d
vc=10.64.1.131 duser=user1@domain1.com;user2@domain1.com;user3
@domain1.com msg=Virus_Report-20150323_02:00 cn2Label=msgSize 
cn2=83878 cn1Label=threatType cn1=3 suser=user@domain2.com dvc
mac=C4:34:6B:B8:09:BC cs2Label=msgUuid cs2=73A9FA6A-11F3-4F05-
BCEE-6BB5EC111FE7 cs1Label=threats cs1=PUA_Test_File|TROJ_GEN.
R04AC0PAH15|PAK_Generic.005|ADW_DOWNLOADER.WRS|LOW-REPUTATION-
URL_BLOCKED-LIST.SCORE.WRS|LOW-REPUTATION-URL_BLOCKED-LIST.SCO
RE.WRS|TROJ_GEN.R02SC0OLH14|TROJ_GENERIC.WRS|TROJ_DOWNLOADER.W
RS