Views:

CEF Detection Logs: Email Detection Logs

CEF Key
Description
Value 
Header (logVer)
CEF format version
CEF: 0
Header (vendor)
Appliance vendor
 Trend Micro
Header (pname)
Appliance product
 Deep Discovery Email Inspector
Header (pver)
Appliance version
Example: 5.1.0.1110
Header (eventid)
Signature ID
100130
Header (eventName)
Description
EMAIL_DETECTION
Header (severity)
Email severity
  • 2: Unavailable
  • 4: Low
  • 6: Medium
  • 8: High
act
The action in the event
Examples:
  • analyzed
  • cleaned up
  • deleted
  • delivered directly
  • encrypted
  • file sanitized
  • passed
  • quarantined
  • recipient changed
  • stamped
  • stripped
  • subjectsTagged
cn1
Threat type
  • 1: Targeted malware
  • 2: Malware
  • 3: Malicious URL
  • 4: Suspicious file
  • 5: Suspicious URL
  • 6: Spam/Graymail
  • 7: Phishing
  • 8: Content violation
  • 9: DLP incident
cn1Label
Threat type
threatType
cn2
Email Size
Example: 30841
cn2Label
Email Size
msgSize
cs1
Names of threats in the email
Example: VAN_MALWARE.UMXX|FRAUD_PHISHING.WRS
cs1Label
Names of threats in the email
threats
cs2
Internal email ID
Example: 6965222B-13A6-C705-89D4-6251B6C41E03
cs2Label
Internal email ID
msgUuid
cs3
Email ID
Example: <20150414032514.494EF1E9A365@internalbeta.bcc.ddei>
cs3Label
Email ID
messageId
cs4
Sender email address
Example: user1@domain.com
cs4Label
Label for sender email address
senderMail
cs5
Recipient email address
Example: user2@domain.com
cs5Label
Label for recipient email address
rcptMail
deviceExternalId
Appliance GUID
Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
duser
Email recipients
Example: user1@domain2.com;test@163.com
dvc
Appliance IP address
Example: 10.1.144.199
dvchost
Appliance host name
Example: localhost
dvcmac
Appliance MAC address
Example: 00:0C:29:6E:CB:F9
msg
Email subject
Example: hello
rt
Log generation time
Example: Mar 09 2015 17:05:21 GMT+00:00
src
Source IP address
Example: 10.1.144.199
suser
Email sender
Example: user2@domain.com
Log sample:
May 15 16:00:47 localhost CEF:0|Trend Micro|Deep Discovery 
Email Inspector|2.5.1.1139|100130|EMAIL_DETECTION|6|rt=Mar 
23 2015 11:53:17 GMT+00:00 src=150.70.186.134 cs3Label=mess
ageId cs3=<20150323115314.BCA2C9168EA@internalbeta.bcc.ddei
> deviceExternalId=c425624a-e9db-4f3f-8088-2726f15e6587 act
=passed dvchost=internalbeta.bcc.ddei dvc=10.64.1.131 duser
=user1@domain1.com;user2@domain1.com;user3@domain1.com msg=
Virus_Report-20150323_02:00 cn2Label=msgSize cn2=83878 cn1L
abel=threatType cn1=3 suser=user@domain2.com dvcmac=C4:34:6
B:B8:09:BC cs2Label=msgUuid cs2=73A9FA6A-11F3-4F05-BCEE-6BB
5EC111FE7 cs1Label=threats cs1=PUA_Test_File|TROJ_GEN.R04AC
0PAH15|PAK_Generic.005|ADW_DOWNLOADER.WRS|LOW-REPUTATION-UR
L_BLOCKED-LIST.SCORE.WRS|LOW-REPUTATION-URL_BLOCKED-LIST.SC
ORE.WRS|TROJ_GEN.R02SC0OLH14|TROJ_GENERIC.WRS|TROJ_DOWNLOAD
ER.WRS