
CEF Web Reputation Logs

| CEF key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Deep Discovery Director |
| Header (pver) | Appliance version | Example: 5.3.0.1212 |
| Header (eventid) | Signature ID | 100101 |
| Header (eventName) | Description | Example: Dangerous URL in Web Reputation Services database - HTTP (Request) |
| Header (severity) | Severity | 2: Informational; 4: Low; 6: Medium; 8: High |
| app | Protocol | Example: HTTP |
| c6a1 | Interested IPv6 address | Example: 2001:0:0:1::21 |
| c6a1Label | Interested IPv6 address | InterestedIPv6 |
| c6a2 | Source IPv6 address | Example: 2001:0:0:1::21 |
| c6a2Label | Source IPv6 address | Source IPv6 Address |
| c6a3 | Destination IPv6 address | Example: 2001:0:0:1::21 |
| c6a3Label | Destination IPv6 address | Destination IPv6 Address |
| c6a4 | Peer IPv6 address | Example: 2001:0:0:1::21 |
| c6a4Label | Peer IPv6 address | PeerIPv6 |
| cn1 | CCCA detection | 0 or 1 |
| cn1Label | CCCA detection | CCCA_Detection |
| cn2 | Web reputation score | Example: 49 |
| cn2Label | Web reputation score | WRSScore |
| cn3 | Threat type | Example: 5 |
| cn3Label | Threat type | Threat Type |
| cs1 | Mail subject | Example: hello |
| cs1Label | Mail subject | MailSubject |
| cs2 | URL category | Example: Gambling |
| cs2Label | URL category | URLCategory |
| cs3 | Host name | Example: CLIENT1 |
| cs3Label | Host name | HostName_Ext |
| cs4 | Attack phase | One of: Intelligence Gathering; Point of Entry; Command and Control Communication; Lateral Movement; Asset and Data Discovery; Data Exfiltration; Nil (no applicable attack phase) |
| cs4Label | Attack phase | pAttackPhase |
| destinationTranslatedAddress | Peer IP address | Example: 10.1.144.199 |
| deviceDirection | Packet direction | 0: Source is external; 1: Source is internal; 2: Unknown |
| deviceExternalId | Appliance GUID | Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536 |
| devicePayloadId | Extendable field. Format: {threat_type}:{log_id}:{with pcap file captured}{:extensions}*. The third element is P when a pcap file was captured and empty otherwise. | Examples: 2:10245:P (pcap file captured); 2:10245: (no pcap file captured) |
| dhost | Destination host name | Example: dhost1 |
| dmac | Destination MAC address | Example: 00:0C:29:6E:CB:F9 |
| dpt | Destination port | Value between 1 and 65535 |
| dst | Destination IP address | Example: 10.1.144.199 |
| duser | Mail recipient | Example: duser1 |
| dvc | Appliance IP address | Example: 10.1.144.199 |
| dvchost | Appliance host name | Example: localhost |
| dvcmac | Appliance MAC address | Example: 00:0C:29:6E:CB:F9 |
| flexNumber1 | VLAN ID | Example: 4095 |
| flexNumber1Label | VLAN ID | vLANId |
| request | URL | Example: http://1.2.3.4/query?term=value |
| requestClientApplication | User agent | Example: IE |
| rt | Log generation time | Unix timestamp, number of milliseconds since 1970-01-01 00:00:00 UTC. Example: 1593761104000 |
| shost | Source host name | Example: shost1 |
| smac | Source MAC address | Example: 00:0C:29:6E:CB:F9 |
| sourceTranslatedAddress | Interested IP address | Example: 10.1.144.199 |
| spt | Source port | Value between 1 and 65535 |
| src | Source IP address | Example: 10.1.144.199 |
| suser | Mail sender | Example: suser1 |
Log sample:
May 15 16:00:47 localhost CEF:0|Trend Micro|Deep Discovery Director|5.3.0.1212|100101|Ransomware URL in Web Reputation Services database - HTTP (Request)|8|dvc=172.22.9.32 dvcmac=00:50:56:AD:03:BD dvchost=localhost deviceExternalId=E9A3FA433916-4738984C-A4BF-84A0-D603 rt=1593761104000 cs3Label=HostName_Ext cs3=ca95-1.winshipway.com cn2Label=WRSScore cn2=49 cn3Label=Threat Type cn3=5 dmac=00:16:c8:65:98:d5 shost=172.22.9.5 src=172.22.9.5 spt=41757 smac=00:50:56:82:e7:a9 sourceTranslatedAddress=172.22.9.5 cn1Label=CCCA_Detection cn1=1 request=http://ca95-1.winshipway.com/ requestClientApplication=Wget/1.12 (linux-gnu) app=HTTP deviceDirection=1 dhost=150.70.162.115 dst=150.70.162.115 dpt=80 cs2Label=URLCategory cs2=Ransomware destinationTranslatedAddress=150.70.162.115 cs4Label=pAttackPhase cs4=Command and Control Communication flexNumber1Label=vLANId flexNumber1=4095 request=http://ca95-1.winshipway.com/ devicePayloadId=5:17:
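The following parser is an added worked example for the field layout in the table and the log sample above; it is not Trend Micro code and Deep Discovery Director ships nothing like it. It assumes standard CEF escaping (`\|` inside header fields, `\=` inside extension values) and that extension values may contain spaces, which the sample shows (`cn3Label=Threat Type`, `cs4=Command and Control Communication`). The `SAMPLE` string is the page's log sample joined onto one line, and `is_cc_callback` is an illustrative triage rule of my own, not a documented product behaviour.

```python
"""Parse Deep Discovery Director CEF Web Reputation log lines (added example)."""
import re
from datetime import datetime, timezone

SEVERITY = {2: "Informational", 4: "Low", 6: "Medium", 8: "High"}
DIRECTION = {0: "Source is external", 1: "Source is internal", 2: "Unknown"}

# The page's own log sample, joined onto one line.
SAMPLE = (
    "May 15 16:00:47 localhost CEF:0|Trend Micro|Deep Discovery Director|"
    "5.3.0.1212|100101|Ransomware URL in Web Reputation Services database - "
    "HTTP (Request)|8|dvc=172.22.9.32 dvcmac=00:50:56:AD:03:BD dvchost=localhost "
    "deviceExternalId=E9A3FA433916-4738984C-A4BF-84A0-D603 rt=1593761104000 "
    "cs3Label=HostName_Ext cs3=ca95-1.winshipway.com cn2Label=WRSScore cn2=49 "
    "cn3Label=Threat Type cn3=5 dmac=00:16:c8:65:98:d5 shost=172.22.9.5 "
    "src=172.22.9.5 spt=41757 smac=00:50:56:82:e7:a9 "
    "sourceTranslatedAddress=172.22.9.5 cn1Label=CCCA_Detection cn1=1 "
    "request=http://ca95-1.winshipway.com/ "
    "requestClientApplication=Wget/1.12 (linux-gnu) app=HTTP deviceDirection=1 "
    "dhost=150.70.162.115 dst=150.70.162.115 dpt=80 cs2Label=URLCategory "
    "cs2=Ransomware destinationTranslatedAddress=150.70.162.115 "
    "cs4Label=pAttackPhase cs4=Command and Control Communication "
    "flexNumber1Label=vLANId flexNumber1=4095 "
    "request=http://ca95-1.winshipway.com/ devicePayloadId=5:17:"
)

# Header: seven fields separated by unescaped pipes; "\|" is a literal pipe.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Extension: a value runs until the next whitespace-preceded "key=" token, so
# spaces inside values survive and an unescaped "=" in a URL query string
# (no whitespace before it) does not start a new key.
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def _unescape(s):
    return s.replace(r"\|", "|").replace(r"\=", "=").replace(r"\\", "\\")


def parse_cef(line):
    """Return header fields, raw extension pairs and label-resolved custom fields."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    parts = _HEADER_SPLIT.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    ver, vendor, product, version, sig, name, sev, ext = parts
    rec = {
        "syslog_prefix": line[:start].rstrip(),
        "cef_version": int(ver[len("CEF:"):]),
        "vendor": _unescape(vendor),
        "product": _unescape(product),
        "version": version,
        "signature_id": sig,
        "name": _unescape(name),
        "severity": int(sev),
        "severity_text": SEVERITY.get(int(sev), "Unknown"),
    }
    raw = {m.group(1): _unescape(m.group(2)) for m in _EXT_PAIR.finditer(ext)}
    rec["ext"] = raw
    # cn1Label=CCCA_Detection + cn1=1  ->  fields["CCCA_Detection"] == "1"
    rec["fields"] = {
        v: raw[k[: -len("Label")]]
        for k, v in raw.items()
        if k.endswith("Label") and k[: -len("Label")] in raw
    }
    return rec


def decode(rec):
    """Decode the encoded extension values the table documents."""
    ext, out = rec["ext"], {}
    if "rt" in ext:  # milliseconds since the Unix epoch, UTC
        out["time"] = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc)
    if "deviceDirection" in ext:
        out["direction"] = DIRECTION.get(int(ext["deviceDirection"]), "Unknown")
    if "devicePayloadId" in ext:
        # {threat_type}:{log_id}:{pcap flag}{:extensions}*; the flag is "P" when
        # a pcap was captured and empty otherwise (per the documented examples)
        parts = ext["devicePayloadId"].split(":")
        if len(parts) < 3:
            raise ValueError("malformed devicePayloadId")
        out["payload"] = {
            "threat_type": int(parts[0]),
            "log_id": int(parts[1]),
            "pcap_captured": parts[2] == "P",
            "extensions": parts[3:],
        }
    return out


def is_cc_callback(rec):
    """Illustrative triage rule (assumption): C&C callback by cn1 flag or attack phase."""
    f = rec["fields"]
    return f.get("CCCA_Detection") == "1" or \
        f.get("pAttackPhase") == "Command and Control Communication"


if __name__ == "__main__":
    rec = parse_cef(SAMPLE)
    print(rec["name"], rec["severity_text"], rec["fields"], decode(rec))
```

Detection rules downstream should key on the resolved label names (`WRSScore`, `CCCA_Detection`, `pAttackPhase`) rather than on the `cn1`/`cs4` slot numbers, since the slot-to-meaning mapping is a product convention that the `*Label` keys carry explicitly. Note also that `rt` is the appliance's log generation time; the syslog prefix is whatever the receiving host stamped on the line and the two can disagree, as they do in the sample.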