CEF Threat Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Deep Discovery Director |
| Header (pver) | Appliance version | Example: 5.3.0.1212 |
| Header (eventid) | Signature ID | Example: 8 |
| Header (eventName) | Description | Example: Packed executable file copied to a network administrative share |
| Header (severity) | Severity | 2: Informational; 4: Low; 6: Medium; 8: High |
| act | The action taken in the event | blocked; not blocked |
| app | Protocol | Example: HTTP |
| c6a1 | Interested IPv6 | Example: 2001:0:0:1::21 |
| c6a1Label | Interested IPv6 | InterestedIPv6 |
| c6a2 | Source IPv6 address | Example: 2001:0:0:1::21 |
| c6a2Label | Source IPv6 address | Source IPv6 Address |
| c6a3 | Destination IPv6 address | Example: 2001:0:0:1::21 |
| c6a3Label | Destination IPv6 address | Destination IPv6 Address |
| c6a4 | Peer IPv6 address | Example: 2001:0:0:1::21 |
| c6a4Label | Peer IPv6 address | PeerIPv6 |
| cat | Event category | Example: File |
| cnt | Total count | Example: 1 |
| cn1 | CCCA detection | 0 or 1 |
| cn1Label | CCCA detection | CCCA_Detection |
| cn3 | Threat type | Value between 0 and 4: 0: Malicious content; 1: Malicious behavior; 2: Suspicious behavior; 3: Exploit; 4: Grayware |
| cn3Label | Threat type | Threat Type |
| cs1 | Mail subject | Example: hello |
| cs1Label | Mail subject | MailSubject |
| cs2 | Malware name | Example: HEUR_NAMETRICK.A |
| cs2Label | Malware name | DetectionName |
| cs3 | Host name | Example: CLIENT1 |
| cs3Label | Host name | HostName_Ext |
| cs4 | File name in archive | Example: mtxlegih.dll |
| cs4Label | File name in archive | FileNameInArchive |
| cs5 | Source that detected the CCCA log | Examples: GLOBAL_INTELLIGENCE; VIRTUAL_ANALYZER; USER_DEFINED |
| cs5Label | Source that detected the CCCA log | CCCA_DetectionSource |
| cs6 | Attack phase | Examples: Intelligence Gathering; Point of Entry; Command and Control Communication; Lateral Movement; Asset and Data Discovery; Data Exfiltration; Nil (no applicable attack phase) |
| cs6Label | Attack phase | pAttackPhase |
| destinationTranslatedAddress | Peer IP | Example: 10.1.144.199 |
| deviceDirection | Packet direction | 0, 1, or 2: 0: Source is external; 1: Source is internal; 2: Unknown |
| deviceExternalId | Appliance GUID | Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536 |
| devicePayloadId | An extendable field. Format: {threat_type}:{log_id}:{with pcap file captured}{:extensions}* | Examples: with pcap file captured: 2:10245:P; without pcap file captured: 2:10245: |
| dhost | Destination host name | Example: dhost1 |
| dmac | Destination MAC address | Example: 00:0C:29:6E:CB:F9 |
| dpt | Destination port | Value between 1 and 65535 |
| dst | Destination IP address | Example: 10.1.144.199 |
| duser | Mail recipient | Example: duser1 |
| dvc | Appliance IP address | Example: 10.1.144.199 |
| dvchost | Appliance host name | Example: localhost |
| dvcmac | Appliance MAC address | Example: 00:0C:29:6E:CB:F9 |
| fileHash | SHA1 hash of the file | Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3 |
| filePath | File path | Example: SHARE\\ |
| fileType | Real file type | Example: 1638400 |
| flexNumber1 | vLANId | Example: 4095 |
| flexNumber1Label | vLANId | vLANId |
| fname | File name | Example: excel.rar |
| fsize | File size | Example: 131372 |
| oldFileHash | Mail attachment SHA1 hash | Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3 |
| oldFileName | Mail attachment file name | Example: excel.rar |
| oldFileSize | Mail attachment file size | Example: 150000 |
| oldFileType | Mail attachment file type | Example: 1638400 |
| requestClientApplication | User agent | Example: IE |
| request | URL | Example: http://1.2.3.4/query?term=value |
| rt | Log generation time | Format: Unix time stamp (number of milliseconds since Jan 01 1970 UTC). Example: 1593761104000 |
| shost | Source host name | Example: shost1 |
| smac | Source MAC address | Example: 00:0C:29:6E:CB:F9 |
| sourceTranslatedAddress | Interested IP | Example: 10.1.144.199 |
| src | Source IP address | Example: 10.1.144.199 |
| spt | Source port | Value between 1 and 65535 |
| suid | User name | Example: User1 |
| suser | Mail sender | Example: suser1 |
Log sample:
May 15 16:00:47 localhost CEF:0|Trend Micro|Deep Discovery Director|5.3.0.1212|0|Eicar_test_file - HTTP (Response)|8|dvc=172.22.9.32 dvcmac=00:50:56:AD:03:BD dvchost=localhost deviceExternalId=E9A3FA433916-4738984C-A4BF-84A0-D603 rt=1593761104000 app=HTTP deviceDirection=1 dhost=172.22.9.5 dst=172.22.9.5 dpt=57908 dmac=00:50:56:82:e7:a9 shost=172.22.9.54 src=172.22.9.54 spt=80 smac=00:50:56:82:c6:ae cs3Label=HostName_Ext cs3=172.22.9.54 cs2Label=DetectionName cs2=Eicar_test_file fname=eicarcom2.zip fileType=262340608 fsize=308 requestClientApplication=Wget/1.12 (linux-gnu) act=not blocked cn3Label=Threat Type cn3=0 destinationTranslatedAddress=172.22.9.5 fileHash=BEC1B52D350D721C7E22A6D4BB0A92909893A3AE cs4Label=FileNameInArchive cs4=eicar.com sourceTranslatedAddress=172.22.9.54 cnt=1 cat=Malware cs6Label=pAttackPhase cs6=Point of Entry flexNumber1Label=vLANId flexNumber1=4095 request=http://172.22.9.54/eicarcom2.zip devicePayloadId=0:143:P
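As an added example (not part of the Trend Micro documentation or product), a Python parser for the record format above: it splits the header on unescaped pipes, splits the extension only at `key=` boundaries so values containing spaces (`act=not blocked`, `cn3Label=Threat Type`) survive, resolves the `cs*`/`cn*`/`flexNumber*`/`c6a*Label` pairs into the field names in the table, and decodes `devicePayloadId`, `rt` and the enumerated fields. The sample line is constructed from the page's log sample, shortened, with the page's `?term=value` URL example appended to `request`.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the page's log sample, shortened, with the page's
# "?term=value" URL example appended to request to exercise the splitter.
SAMPLE = (
    "May 15 16:00:47 localhost CEF:0|Trend Micro|Deep Discovery Director|5.3.0.1212|0|"
    "Eicar_test_file - HTTP (Response)|8|dvc=172.22.9.32 rt=1593761104000 app=HTTP "
    "deviceDirection=1 dst=172.22.9.5 dpt=57908 src=172.22.9.54 spt=80 cs2Label=DetectionName "
    "cs2=Eicar_test_file fname=eicarcom2.zip requestClientApplication=Wget/1.12 (linux-gnu) "
    "act=not blocked cn3Label=Threat Type cn3=0 cs6Label=pAttackPhase cs6=Point of Entry "
    "request=http://172.22.9.54/eicarcom2.zip?term=value devicePayloadId=0:143:P"
)
HEADER = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
SEVERITY = {2: "Informational", 4: "Low", 6: "Medium", 8: "High"}
THREAT_TYPE = {0: "Malicious content", 1: "Malicious behavior",
               2: "Suspicious behavior", 3: "Exploit", 4: "Grayware"}
DIRECTION = {0: "Source is external", 1: "Source is internal", 2: "Unknown"}
PIPE_SPLIT = re.compile(r"(?<!\\)\|")            # header fields: unescaped pipes only
# A new extension key starts only after whitespace, so "not blocked", "Threat Type"
# and the "?term=value" inside a URL stay part of the value they belong to.
KEY_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_]+=)")

def parse_cef(line):
    """Parse one syslog line carrying a CEF record into a flat dict."""
    record = line[line.index("CEF:"):]           # drop the syslog prefix
    parts = PIPE_SPLIT.split(record, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    out = dict(zip(HEADER, parts[:7]))
    ext = {}
    for pair in KEY_SPLIT.split(parts[7].strip()):
        key, _, value = pair.partition("=")
        ext[key] = re.sub(r"\\([=|\\])", r"\1", value)   # undo CEF value escaping
    # cs*/cn*/flexNumber*/c6a*Label carries the field name from the table above:
    # cs6Label=pAttackPhase cs6=Point of Entry -> out["pAttackPhase"] = "Point of Entry"
    for key, label in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            out[label] = ext[key[:-5]]
    out.update(ext)
    out["severityName"] = SEVERITY.get(int(out["severity"]))
    out["directionName"] = DIRECTION.get(int(ext.get("deviceDirection", 2)))
    out["threatTypeName"] = THREAT_TYPE.get(int(ext["cn3"])) if "cn3" in ext else None
    out["rtUtc"] = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc)
    # devicePayloadId = {threat_type}:{log_id}:{P if pcap captured}{:extensions}*
    threat, log_id, pcap, *extras = ext["devicePayloadId"].split(":")
    out["payload"] = {"threat_type": int(threat), "log_id": int(log_id),
                      "pcap": pcap == "P", "extensions": extras}
    return out
```

A naive `split(" ")` on the extension would break `act=not blocked` into a bogus `blocked` token; the `KEY_SPLIT` lookahead is what keeps such values intact.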