CEF Notable Characteristics Events
|
CEF Key
|
Description
|
Value
|
|
Header (logVer)
|
CEF format version
|
CEF: 0
|
|
Header (vendor)
|
Appliance vendor
|
Trend Micro
|
|
Header (pname)
|
Appliance product
|
Deep Discovery Inspector
|
|
Header (pver)
|
Appliance version
|
Example: 3.8.1181
|
|
Header (eventid)
|
Signature ID
|
200127
|
|
Header (eventName)
|
Description
|
Notable Characteristics of the analyzed sample
|
|
Header (severity)
|
Severity
|
6 (fixed value)
|
|
cs1
|
Violated policy name
|
Example: Suspicious network or messaging activity
|
|
cs1Label
|
Violated policy name
|
PolicyCategory
|
|
cs2
|
Analysis violated event
|
Example: Uses spoofed version information
|
|
cs2Label
|
Analysis violated event
|
PolicyName
|
|
deviceExternalId
|
Appliance GUID
|
Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
|
|
dvc
|
Appliance IP address
|
Example: 10.1.144.199
|
|
dvchost
|
Appliance host name
|
Example: localhost
|
|
dvcmac
|
Appliance MAC address
|
Example: 00:0C:29:6E:CB:F9
|
|
fileHash
|
SHA1
|
Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3
|
|
fileType
|
True file type
|
Example: WIN32 EXE
|
|
fname
|
File name
|
Example: excel.rar
|
|
fsize
|
File size
|
Example: 131372
|
|
msg
|
Details
|
Example: The file has no company information.
|
|
rt
|
Analysis time
|
Example: Mar 09 2015 17:05:21 GMT+08:00
|
Log sample:
CEF:0|Trend Micro|Deep Discovery Inspector|3.8.1181|200127|N otable Characteristics of the analyzed sample|6|rt=Mar 11 20 15 05:00:26 GMT-04:00 dvc=10.201.156.143 dvchost=ddi38-143 d vcmac=00:0C:29:A6:53:0C deviceExternalId=D2C1D6D20FF8-4FC98F 92-25EB-D7DA-AF0E fname=DTAS_WIN32_07 fileHash=672B1A8ADB412 C272CCA21A214732C447B650349 fileType=WIN32 EXE fsize=290304 cs1Label=PolicyCategory cs1=Deception, social engineering ms g=The file has no company information. cs2Label=PolicyName c s2=Uses spoofed version information