Views:

TMEF Detection Logs: Attachment Detection Logs

TMEF Key
Description
Value 
Header (logVer)
TMEF format version
CEF: 0
Header (vendor)
Appliance vendor
 Trend Micro
Header (pname)
Appliance product
 Deep Discovery Email Inspector
Header (pver)
Appliance version
Example: 5.1.0.1110
Header (eventid)
Signature ID
100131
Header (eventName)
Description
ATTACHMENT_DETECTION
Header (severity)
Attachment severity
  • 2: Unavailable
  • 4: Low
  • 6: Medium
  • 8: High
act
The action in the event
Examples:
  • analyzed
  • cleaned up
  • deleted
  • delivered directly
  • encrypted
  • file sanitized
  • passed
  • quarantined
  • recipient changed
  • stamped
  • stripped
  • subjectsTagged
cn1
Email severity
  • 2: Unavailable
  • 4: Low
  • 6: Medium
  • 8: High
cn1Label
Email severity
emailSeverity
cn2
Email Size
Example: 30841
cn2Label
Email Size
msgSize
cn3
Threat type
  • 1: Targeted malware
  • 2: Malware
  • 3: Malicious URL
  • 4: Suspicious file
  • 5: Suspicious URL
  • 6: Spam/Graymail
  • 7: Phishing
  • 8: Content violation
  • 9: DLP incident
cn3Label
Threat type
emailThreatType
cs1
Names of threats in the email
Example: VAN_MALWARE.UMXX|FRAUD_PHISHING.WRS
cs1Label
Names of threats in the email
emailThreats
cs2
Internal email ID
Example: 6965222B-13A6-C705-89D4-6251B6C41E03
cs2Label
Internal email ID
msgUuid
cs3
Email ID
Example: <20150414032514.494EF1E9A365@internalbeta.bcc.ddei>
cs3Label
Email ID
messageId
deviceGUID
Appliance GUID
Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
duser
Email recipients
Example: user1@domain2.com;test@163.com
dvc
Appliance IP address
Example: 10.1.144.199
dvchost
Appliance host name
Example: localhost
dvcmac
Appliance MAC address
Example: 00:0C:29:6E:CB:F9
fileHash
SHA1
Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3
fileType
True file type
Example: RIFF bitmap file
fname
File name
Example: excel.rar
fsize
File size
Example: 131372
mailMsgSubject
Email subject
Example: hello
rt
Log generation time
Example: Mar 09 2015 17:05:21 GMT+00:00
src
Source IP address
Example: 10.1.144.199
suser
Email sender
Example: user2@domain.com
threatName
Names of threats in the email
Example: VAN_MALWARE.UMXX|FRAUD_PHISHING.WRS
Log sample:
May 15 16:00:47 localhost CEF:0|Trend Micro|Deep Discovery Ema
il Inspector|2.5.1.1161|100131|ATTACHMENT_DETECTION|8|rt=Apr 1
3 2015 16:58:22 GMT+00:00 src=141.251.58.19 cs3Label=messageId
 cs3=<20150413084922.2052D1E9A066@internalbeta.bcc.ddei cn1Lab
el=emailSeverity cn1=8 mailMsgSubject=phishwatch Digest, Vol 2
933, Issue 13 fileHash=E07B349245FCDDB31CBF5A52012807E955D2EB7
A fileType=Directory act=passed dvchost=internalbeta.bcc.ddei 
dvc=10.64.1.131 deviceGUID=034eb532-9318-40d9-b27b-d9feba7c269
e duser=user1@domain.com cn2Label=msgSize cn2=1204948 cn3Label
=emailThreatType cn3=4 fname=JNSA%20CSIRT-%E3%82%AA%E3%83%AA%E
3%83%91%E3%83%A9.pdf suser=user2@domain.com dvcmac=C4:34:6B:B8
:09:BC cs1Label=emailThreats cs1=VAN_MALWARE.UMXX threatName=V
AN_MALWARE.UMXX cs2Label=msgUuid cs2=ECBC7B7E-1397-3005-94C5-0
BA1DA0913D2