CEF Threat Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Deep Discovery Inspector |
| Header (pver) | Appliance version | Example: 3.8.1181 |
| Header (eventid) | Event ID | Example: 8 |
| Header (eventName) | Description | Example: Packed executable file copied to a network administrative share |
| Header (severity) | Severity | 2: Informational; 4: Low; 6: Medium; 8: High |
| act | The action in the event | blocked or not blocked |
| app | Protocol | Example: HTTP |
| c6a1 | Interested IPv6 | Example: 2001:0:0:1::21 |
| c6a1Label | Interested IPv6 | InterestedIPv6 |
| c6a2 | Source IPv6 address | Example: 2001:0:0:1::21 |
| c6a2Label | Source IPv6 address | Source IPv6 Address |
| c6a3 | Destination IPv6 address | Example: 2001:0:0:1::21 |
| c6a3Label | Destination IPv6 address | Destination IPv6 Address |
| c6a4 | Peer IPv6 address | Example: 2001:0:0:1::21 |
| c6a4Label | Peer IPv6 address | PeerIPv6 |
| cat | Event category | Example: File |
| cnt | Total count | Example: 1 |
| cn1 | CCCA detection | 0 or 1 |
| cn1Label | CCCA detection | CCCA_Detection |
| cn3 | Threat type | 0: Malicious content; 1: Malicious behavior; 2: Suspicious behavior; 3: Exploit; 4: Grayware |
| cn3Label | Threat type | Threat Type |
| cs1 | Mail subject | Example: hello |
| cs1Label | Mail subject | MailSubject |
| cs2 | Malware name | Example: HEUR_NAMETRICK.A |
| cs2Label | Malware name | DetectionName |
| cs3 | Host name | Example: CLIENT1 |
| cs3Label | Host name | HostName_Ext |
| cs4 | File name in archive | Example: mtxlegih.dll |
| cs4Label | File name in archive | FileNameInArchive |
| cs5 | CCCA log is detected by | Example: GLOBAL_INTELLIGENCE, VIRTUAL_ANALYZER or USER_DEFINED |
| cs5Label | CCCA log is detected by | CCCA_DetectionSource |
| cs6 | Attack phase | Intelligence Gathering; Point of Entry; Command and Control Communication; Lateral Movement; Asset and Data Discovery; Data Exfiltration; Nil (no applicable attack phase) |
| cs6Label | Attack phase | pAttackPhase |
| destinationTranslatedAddress | Peer IP | Example: 10.1.144.199 |
| deviceDirection | Packet direction | 0: Source is external; 1: Source is internal; 2: Unknown |
| deviceExternalId | Appliance GUID | Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536 |
| devicePayloadId | An extendable field. Format: {threat_type}:{log_id}:{with pcap file captured}{:extensions}* | Examples: with pcap file captured: 2:10245:P; without pcap file captured: 2:10245: |
| dhost | Destination host name | Example: dhost1 |
| dmac | Destination MAC | Example: 00:0C:29:6E:CB:F9 |
| dpt | Destination port | Value between 0 and 65535 |
| dst | Destination IP address | Example: 10.1.144.199 |
| duser | Mail recipient | Example: duser1 |
| dvc | Appliance IP address | Example: 10.1.144.199 |
| dvchost | Appliance host name | Example: localhost |
| dvcmac | Appliance MAC address | Example: 00:0C:29:6E:CB:F9 |
| fileHash | SHA1 | Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3 |
| filePath | File path | Example: SHARE\\ |
| fileType | Real file type | Example: 1638400 |
| flexNumber1 | vLANId | Example: 4095 |
| flexNumber1Label | vLANId | vLANId |
| fname | File name | Example: excel.rar |
| fsize | File size | Example: 131372 |
| oldFileHash | Mail attachment SHA1 | Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3 |
| oldFileName | Mail attachment file name | Example: excel.rar |
| oldFileSize | Mail attachment file size | Example: 150000 |
| oldFileType | Mail attachment file type | Example: 1638400 |
| requestClientApplication | User agent | Example: IE |
| request | URL | Example: http://1.2.3.4/query?term=value |
| rt | Log generation time | Example: Mar 09 2015 17:05:21 GMT+08:00 |
| shost | Source host name | Example: shost1 |
| smac | Source MAC | Example: 00:0C:29:6E:CB:F9 |
| sourceTranslatedAddress | Interested IP | Example: 10.1.144.199 |
| src | Source IP address | Example: 10.1.144.199 |
| spt | Source port | Value between 0 and 65535 |
| suid | User name | Example: User1 |
| suser | Mail sender | Example: suser1 |
Log sample (one CEF line, shown here without the wrapping that broke it across lines):

```
CEF:0|Trend Micro|Deep Discovery Inspector|5.0.1329|0|Eicar_test_file - HTTP (Response)|8|dvc=172.22.9.32 dvcmac=00:50:56:AD:03:BD dvchost=localhost deviceExternalId=E9A3FA433916-4738984C-A4BF-84A0-D603 rt=Jun 22 2017 09:42:47 GMT+08:00 app=HTTP deviceDirection=1 dhost=172.22.9.5 dst=172.22.9.5 dpt=57908 dmac=00:50:56:82:e7:a9 shost=172.22.9.54 src=172.22.9.54 spt=80 smac=00:50:56:82:c6:ae cs3Label=HostName_Ext cs3=172.22.9.54 cs2Label=DetectionName cs2=Eicar_test_file fname=eicarcom2.zip fileType=262340608 fsize=308 requestClientApplication=Wget/1.12 (linux-gnu) act=not blocked cn3Label=Threat Type cn3=0 destinationTranslatedAddress=172.22.9.5 fileHash=BEC1B52D350D721C7E22A6D4BB0A92909893A3AE cs4Label=FileNameInArchive cs4=eicar.com sourceTranslatedAddress=172.22.9.54 cnt=1 cat=Malware cs6Label=pAttackPhase cs6=Point of Entry flexNumber1Label=vLANId flexNumber1=4095 request=http://172.22.9.54/eicarcom2.zip devicePayloadId=0:143:P
```