Views:

LEEF Threat Logs

LEEF Key
Description
Value 
Header (logVer)
LEEF format version
LEEF: 1.0
Header (vendor)
Appliance vendor
Trend Micro
Header (pname)
Appliance product
Deep Discovery Director
Header (pver)
Appliance version
Example: 5.3.0.1212
Header (eventName)
Event Name
  • MALWARE_DETECTION
  • MALWARE_OUTBREAK_DETECTION
  • SECURITY_RISK_DETECTION
origin
Deep Discovery appliance the log originated from
Inspector
act
The action in the event
  • blocked
  • not blocked
aggregatedCnt
Aggregated count
Example: 1
aptRelated
Indicates an APT-related event
0 or 1
botCommand
BOT command
Example: COMMIT
botUrl
BOT URL 
Example: trend.com
cccaDestination
CCCA address
Example: 10.1.144.199
cccaDestinationFormat
CCCA type
  • IP_DOMAIN
  • IP_DOMAIN_PORT
  • URL
  • EMAIL
cccaDetection
CCCA detection
0 or 1
cccaDetectionSource
CCCA log is detected by
  • GLOBAL_INTELLIGENCE
  • VIRTUAL_ANALYZER
  • USER_DEFINED
cccaRiskLevel
CCCA Risk Level
  • 0: Unknown
  • 1: Low
  • 2: Medium
  • 3: High
channelName
Channel name
Example: IRCChannel1
chatUserName
Nickname
Example: IRCUser1
cnt
Total count
Example: 1
compressedFileName
File name in archive
Example: mtxlegih.dll
detectionType
Detection type
  • 0: Known detection
  • 1: Unknown detection
  • 2: OPS detection
deviceDirection
Packet direction
  • 0: Source is external
  • 1: Source is internal
  • 2: Unknown
deviceGUID
Appliance GUID
Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
deviceMacAddress
Appliance MAC address
Example: 00:0C:29:6E:CB:F9
deviceRiskConfidenceLevel
Confidence level
  • 1: High
  • 2: Medium
  • 3: Low
  • 0: Undefined
devTime
Log generation time
Example: Mar 09 2015 17:05:21 GMT+08:00
devTimeFormat
Time format
MMM dd yyyy HH:mm:ss z
dhost
Destination host name
Example: dhost1
dOSName
Destination host OS
Example: Android
dst
Destination IP address
Example: 10.1.144.199
dstGroup 
Network Group assigned to a destination host
Example: monitor1
dstMAC
Destination MAC
Example: 00:0C:29:6E:CB:F9
dstPort
Destination port
Value between 1 and 65535
dstZone
Destination zone
  • 0: Not in monitored network
  • 1: In monitored network and trusted
  • 2: In monitored network and untrusted
duser
Mail recipient
Example: duser1
dUser1
Destination user name 1
Example: admin
dUser1LoginTime
Destination user log on time 1
Example: Mar 09 2015 17:05:21 GMT+08:00
dUser2
Destination user name 2
Example: admin
dUser2LoginTime
Destination user log on time 2
Example: Mar 09 2015 17:05:21 GMT+08:00
dUser3
Destination user name 3
Example: admin
dUser3LoginTime
Destination user log on time 3
Example: Mar 09 2015 17:05:21 GMT+08:00
dvc
Appliance IP address
Example: 10.1.96.147
dvchost
Appliance host name
Example: localhost
evtCat
Event category
Example: Suspicious Traffic
evtSubCat
Event subcategory
Example: Email
fileHash
SHA1
Example:1EDD5B38DE4729545767088C5CAB395E4197C8F3
filePath
File path
Example: SHARE\\
fileType
Real file type
Example: 1638400
fname
File name
Example: excel.rar
fsize
File size
Example: 131372
hackerGroup
Hacker group
Example: Comment Crew
hackingCampaign
Hacking campaign
Example:Aurora
hostName
Host name
Example: CLIENT1
interestedIp
Interested IP
Example: 10.1.144.199
mailMsgSubject
Mail subject
Example: hello
malFamily
Malware family
Example:Duqu
malName
Malware name
Example: HEUR_NAMETRICK.A
malType
Malware type
Example: MALWARE
mitigationTaskId
Event task ID for mitigation
Example: dc036acb-9a2e-4939-8244-dedbda9ec4ba
msg
Description
Example: HEUR_NAMETRICK.A - SMTP (Email)
oldFileHash
Mail attachment SHA1
Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3
oldFileName
Mail attachment file name
Example: excel.rar
oldFileSize
Mail attachment file size
Example: 150000
oldFileType
Mail attachment file type
Example: 1638400
pAttackPhase
Primary attack phase
  • Intelligence Gathering
  • Point of Entry
  • Command and Control Communication
  • Lateral Movement
  • Asset and Data Discovery
  • Data Exfiltration
  • Nil (no applicable attack phase)
pComp
Detection engine/component
Example: VSAPI
peerIP
Peer IP
Example: 10.1.144.199
proto
Protocol
Example: SMTP
protoGroup
Protocol group
Example: SMTP
ptype
Application type
IDS
requestClientApplication
User agent
Example: IE
riskType
Potential risk
  • 0: Known risk
  • 1: Potential risk
ruleId
Rule ID
Example: 52
sAttackPhase
Secondary attack phase
Example: Point of Entry
sev
Severity
  • 2: Informational
  • 4: Low
  • 6: Medium
  • 8: High
shost
Source host name
Example: shost1
sOSName
Source host OS
Example: Android
src
Source IP address
Example: 10.1.144.199
srcGroup
Network Group assigned to a source host
Example: monitor1
srcMAC
Source MAC
Example: 00:0C:29:6E:CB:F9
srcPort
Source port
Value between 1 and 65535
srcZone
Source zone
  • 0: Not in monitored network
  • 1: In monitored network and trusted
  • 2: In monitored network and untrusted
suid
User name
Example: User1
suser
Mail sender
Example: suser1
sUser1
Source user name 1
Example: admin
sUser1LoginTime
Source user log on time 1
Example: Mar 09 2015 17:05:21 GMT+08:00
sUser2
Source user name 2
Example: admin
sUser2LoginTime
Source user log on time 2
Example: Mar 09 2015 17:05:21 GMT+08:00
sUser3
Source user name 3
Example: admin
sUser3LoginTime
Source user log on time 3
Example: Mar 09 2015 17:05:21 GMT+08:00
threatType
Threat type
  • 0: Malicious content
  • 1: Malicious behavior
  • 2: Suspicious behavior
  • 3: Exploit
  • 4: Grayware
url
URL
Example: http://1.2.3.4/query?term=value
vLANId
VLANID
Value between 0 and 4095
Log sample:
Note
Note
When using the LEEF log syntax, separate event attributes with <009> as a tab delimiter.
 
May 15 16:00:47 localhost LEEF:1.0|Trend Micro|Deep Discovery 
Director|5.3.0.1212|SECURITY_RISK_DETECTION|origin=Inspector<0
09>devTimeFormat=MMM dd yyyy HH:mm:ss z<009>ptype=IDS<009>dvc=
10.1.105.120<009>deviceMacAddress=00:50:56:B6:FE:C0<009>dvchos
t=twddiv-120<009>deviceGUID=92A12204F15F-48B59215-C17B-C516-B2
CB<009>devTime=Apr 01 2019 10:24:45 GMT+00:00<009>sev=8<009>pr
otoGroup=TCP<009>proto=TCP<009>vLANId=4095<009>deviceDirection
=1<009>dhost=2.2.2.2<009>dst=2.2.2.2<009>dstPort=443<009>dstMA
C=58:35:d9:de:4a:42<009>shost=10.1.117.172<009>src=10.1.117.17
2<009>srcPort=35702<009>srcMAC=00:08:e3:ff:fd:90<009>malName=U
SR_SUSPICIOUS_IP.UMXX<009>malType=MALWARE<009>fileType=-65536<
009>fsize=0<009>ruleId=729<009>msg=Callback to IP address in C
ontrol Manager and Deep Discovery Director User-Defined Suspic
ious Objects list<009>deviceRiskConfidenceLevel=1<009>pComp=CA
V<009>riskType=1<009>srcGroup=My Company/TW 12F<009>srcZone=1<
009>dstZone=0<009>detectionType=1<009>act=not blocked<009>thre
atType=1<009>interestedIp=10.1.117.172<009>peerIp=2.2.2.2<009>
cnt=5<009>aggregatedCnt=1<009>cccaDestinationFormat=IP_DOMAIN<
009>cccaDetectionSource=USER_DEFINED<009>cccaRiskLevel=3<009>c
ccaDestination=2.2.2.2<009>cccaDetection=1<009>evtCat=Callback
<009>evtSubCat=Bot<009>aptRelated=0<009>pAttackPhase=Command a
nd Control Communication