CEF Virtual Analyzer Analysis Logs: Deny List Transaction Events
|
CEF Key
|
Description
|
Value
|
|
Header (timestamp)
|
Local time in the format: "Mmm dd
hh:mm:ss"
|
Example: Dec 5 05:26:45
|
|
Header (host)
|
Hostname without the domain information
|
Example: internalAP1
|
|
Header (logVer)
|
CEF format version
|
CEF: 0
|
|
Header (vendor)
|
Appliance vendor
|
Trend Micro |
|
Header (pname)
|
Appliance product
|
Deep Discovery Email Inspector |
|
Header (pver)
|
Appliance version
|
Example: 5.1.0.1110
|
|
Header (eventid)
|
Signature ID
|
200120
|
|
Header (eventName)
|
Description
|
Deny List updated
|
|
Header (severity)
|
Severity
|
3 |
|
act
|
The action in the event
|
|
|
cs1
|
Deny List type
|
|
|
cs1Label
|
Deny List type
|
type
|
|
cs2
|
Risk level
|
|
|
cs2Label
|
Risk level
|
RiskLevel
|
|
deviceExternalId
|
Appliance GUID
|
Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
|
|
dhost
|
Destination host name
|
Example: dhost1
|
|
dpt
|
Destination port
|
Value between 0 and 65535
|
|
dst
|
Destination IP address
|
Example: 10.1.144.199
|
|
dvc
|
Appliance IP address
|
Example: 10.1.144.199
|
|
dvchost
|
Appliance host name
|
Example: localhost
|
|
dvcmac
|
Appliance MAC address
|
Example: 00:0C:29:6E:CB:F9
|
|
end
|
Report end time
|
Example: Mar 09 2015 17:05:21 GMT+00:00
|
|
fileHash
|
SHA1
|
Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3
|
|
request
|
URL
|
Example: http://www.rainking.net/?utm_campaign=4-21-2014
|http://images.rainking.net/eloquaimage
|
|
rt
|
Log generation time
|
Example: Mar 09 2015 17:05:21 GMT+00:00
|
Log sample:
May 15 16:00:47 localhost CEF:0|Trend Micro|Deep Discovery Email Inspector|2.5.1.1139|200120|Deny List updated|3|rt=Ma r 24 2015 10:10:20 GMT+00:00 dvc=10.64.1.131 dvchost=intern albeta.bcc.ddei dvcmac=C4:34:6B:B8:09:BC deviceExternalId=c 425624a-e9db-4f3f-8088-2726f15e6587 cs1Label=type cs1=Deny List File SHA1 end=Apr 19 2015 16:03:13 GMT+00:00 act=Add fileHash=41D188169D9B986818A437DD80814FA84B0522FB cs2Label= RiskLevel cs2=High