Views:

TMEF Detection Logs: URL Detection Logs

TMEF Key
Description
Value 
Header (logVer)
TMEF format version
CEF: 0
Header (vendor)
Appliance vendor
 Trend Micro
Header (pname)
Appliance product
 Deep Discovery Email Inspector
Header (pver)
Appliance version
Example: 5.1.0.1110
Header (eventid)
Signature ID
100132
Header (eventName)
Description
URL_DETECTION
Header (severity)
URL severity
  • 4: Low
  • 6: Medium
  • 8: High
act
The action in the event
Examples:
  • analyzed
  • cleaned up
  • deleted
  • delivered directly
  • encrypted
  • file sanitized
  • passed
  • quarantined
  • recipient changed
  • stamped
  • stripped
  • subjectsTagged
cn1
Email severity
  • 4: Low
  • 6: Medium
  • 8: High
cn1Label
Email severity
emailSeverity
cn2
Email Size
Example: 30841
cn2Label
Email Size
msgSize
cn3
Threat type
  • 1: Targeted malware
  • 2: Malware
  • 3: Malicious URL
  • 4: Suspicious file
  • 5: Suspicious URL
  • 6: Spam/Graymail
  • 7: Phishing
  • 8: Content violation
  • 9: DLP incident
cn3Label
Threat type
emailThreatType
cs1
Names of threats in the email
Example: VAN_MALWARE.UMXX|FRAUD_PHISHING.WRS
cs1Label
Names of threats in the email
emailThreats
cs2
Internal email ID
Example: 6965222B-13A6-C705-89D4-6251B6C41E03
cs2Label
Internal email ID
msgUuid
cs3
Email ID
Example: <20150414032514.494EF1E9A365@internalbeta.bcc.ddei>
cs3Label
Email ID
messageId
deviceGUID
Appliance GUID
Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
duser
Email recipients
Example: user1@domain2.com;test@163.com
dvc
Appliance IP address
Example: 10.1.144.199
dvchost
Appliance host name
Example: localhost
dvcmac
Appliance MAC address
Example: 00:0C:29:6E:CB:F9
mailMsgSubject
Email subject
Example: hello
request
URL
Example: http://www.rainking.net/?utm_campaign=4-21-2014 |http://images.rainking.net/eloquaimage
rt
Log generation time
Example: Mar 09 2015 17:05:21 GMT+00:00
src
Source IP address
Example: 10.1.144.199
suser
Email sender
Example: user2@domain.com
threatName
Names of threats in the email
Example: VAN_MALWARE.UMXX|FRAUD_PHISHING.WRS
urlCat
Category
Example: 90:02
Log sample:
Jan 18 10:59:21 ddei5 CEF:0|Trend Micro|Deep Discovery Email In
spector|5.1.0.1288|100132|URL_DETECTION|6|rt=Jan 18 2023 10:59:
20 GMT+00:00 src=10.64.1.201 deviceGUID=411b541a-fa18-4bbf-8e6d
-9a9c19276bf7 cn1Label=emailSeverity cn1=6 mailMsgSubject=test 
url detection urlCat=74 request=http://wrs21.winshipway.com/ cs
3Label=messageId cs3=<2023021017391312383819@imsstest.com> dvch
ost=ddei5.1-c7-en-140.com dvc=10.64.1.140 act=quarantined duser
=floyd_recipient@imsstest.com cs2Label=msgUuid cs2=24FA1D28-F28
7-B105-BA7E-CB16F55712F2 cn3Label=emailThreatType cn3=3 suser=f
loyd_sender@imsstest.com dvcmac=00:50:56:98:9C:99 cn2Label=msgS
ize cn2=2286