LEEF Virtual Analyzer Analysis Logs: Notable Characteristics Events
|
LEEF Key
|
Description
|
Value
|
|
Header (timestamp)
|
Local time in the format: "Mmm dd
hh:mm:ss"
|
Example: Dec 5 05:26:45
|
|
Header (host)
|
Hostname without the domain information
|
Example: internalAP1
|
|
Header (logVer)
|
LEEF format version
|
LEEF: 1.0
|
|
Header (vendor)
|
Appliance vendor
|
Trend Micro |
|
Header (pname)
|
Appliance product
|
Deep Discovery Email Inspector |
|
Header (pver)
|
Appliance version
|
Example: 5.1.0.1110
|
|
Header (eventName)
|
Event Name
|
NOTABLE_CHARACTERISITICS
|
|
deviceGUID
|
Appliance GUID
|
Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
|
|
deviceMacAddress
|
Appliance MAC address
|
Example: 00:0C:29:56:B3:57
|
|
deviceOSName
|
Sandbox image type
|
Example: win7
|
|
devTime
|
Log generation time
|
Example: Jan 28 2015 02:00:36 GMT+00:00
|
|
devTimeFormat
|
Time format
|
MMM dd yyyy HH:mm:ss z
|
|
dvc
|
Appliance IP address
|
Example: 10.1.144.199
|
|
dvchost
|
Appliance host name
|
Example: localhost
|
|
fileHash
|
SHA1
|
Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3
|
|
fileType
|
True file type
|
Example: RIFF bitmap file
|
|
fname
|
File name
|
Example: excel.rar
|
|
fsize
|
File size
|
Example: 131372
|
|
msg
|
Details
|
Example: msg=Dropping Process ID: 2984\n File:
%USERPROFILE%\AppData\Local\MICROSOFT\INTERNET EXPLORER\ Recovery\High\LAST
ACTIVE\{D78424A0 E1AA-11E4-B7C5-7CC9C8DA4AD 2}.DAT\nType: VSDT_WINWORD\
|
|
pComp
|
Detection engine / component
|
Sandbox
|
|
ruleCategory
|
Violated policy name
|
Example: Internet Explorer Setting Modification
|
|
ruleName
|
Violated event analysis
|
Example: Modified important registry items
|
|
sev
|
Severity
|
3
|
 |
NoteWhen using the LEEF log syntax, separate event attributes with \0x09 as
a tab delimiter.
|
Log sample:
May 15 16:00:47 localhost LEEF:1.0|Trend Micro|Deep Discovery
Email Inspector|2.5.1.1161|NOTABLE_CHARACTERISTICS|devTime=Ap
r 13 2015 07:01:13 GMT+00:00\0x09devTimeFormat=MMM dd yyyy HH:
mm:ss z\0x09sev=6\0x09pComp=Sandbox\0x09dvc=10.64.1.132\0x09dv
chost=internalbeta.tapping.ddei\0x09deviceMacAddress=B0:83:FE:
DD:21:98\0x09deviceGUID=e57f0651-b197-42d4-a643-271c1277b5ff\0
x09fname=http://yt1nutj.wvp78.com/\0x09fileHash=8213271FD287C3
F27D6975FE0545AB77DC8EBF73\0x09fileType=URL\0x09fsize=0\0x09ru
leCategory=File drop, download, sharing, or replication\0x09ru
leName=Drops file that can be used to infect systems\0x09msg=D
ropping Process ID: 2984\nFile: %USERPROFILE%\AppData\Local\MI
CROSOFT\INTERNET EXPLORER\Recovery\High\LAST ACTIVE\{D78424A0-
E1AA-11E4-B7C5-7CC9C8DA4AD2}.DAT\nType: VSDT_WINWORD\0x09devic
eOSName=win7sp1en