CEF web reputation logs

Views:

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF: 0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Deep Discovery Inspector
Header (pver)	Appliance version	Example: 3.8.1181
Header (eventid)	Signature ID	100101
Header (eventName)	Description	Example: Dangerous URL in Web Reputation Services database - HTTP (Request)
Header (severity)	Severity	2: Informational 4: Low 6: Medium 8: High
app	Protocol	Example: HTTP
c6a1	Interested IPv6	Example: 2001:0:0:1::21
c6a1Label	Interested IPv6	InterestedIPv6
c6a2	Source IPv6 address	Example: 2001:0:0:1::21
c6a2Label	Source IPv6 address	Source IPv6 Address
c6a3	Destination IPv6 address	Example: 2001:0:0:1::21
c6a3Label	Destination IPv6 address	Destination IPv6 Address
c6a4	Peer IPv6 address	Example: 2001:0:0:1::21
c6a4Label	Peer IPv6 address	PeerIPv6
cn1	CCCA detection	0 or 1
cn1Label	CCCA detection	CCCA_Detection
cn2	Score	Example: 49
cn2Label	Score	WRSScore
cn3	Threat type	Example: 5
cn3Label	Threat type	Threat Type
cs1	Mail subject	Example: hello
cs1Label	Mail subject	MailSubject
cs2	Category	Example: Gambling
cs2Label	Category	URLCategory
cs3	Host name	Example: CLIENT1
cs3Label	Host name	HostName_Ext
cs4	Attack Phase	Intelligence Gathering Point of Entry Command and Control Communication Lateral Movement Asset and Data Discovery Data Exfiltration Nil (no applicable attack phase)
cs4Label	Attack Phase	pAttackPhase
destinationTranslatedAddress	Peer IP	Example: 10.1.144.199
deviceDirection	Packet direction	0: Source is external 1: Source is internal 2: Unknown
deviceExternalId	Appliance GUID	Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
devicePayloadId	An extendable field. Format: {threat_type}:{log_id}:{with pcap file captured}{:extensions}*	Examples: With pcap file captured: 2:10245:P Without pcap file captured: 2:10245:
dhost	Destination host name	Example: dhost1
dmac	Destination MAC	Example: 00:0C:29:6E:CB:F9
dpt	Destination port	Value between 0 and 65535
dst	Destination IP address	Example: 10.1.144.199
duser	Mail recipient	Example: duser1
dvc	Appliance IP address	Example: 10.1.144.199
dvchost	Appliance host name	Example: localhost
dvcmac	Appliance MAC address	Example: 00:0C:29:6E:CB:F9
flexNumber1	vLANId	Example: 4095
flexNumber1Label	vLANId	vLANId
request	URL	Example: http://1.2.3.4/query?term=value
requestClientApplication	User agent	Example: IE
rt	Log generation time	Example: Mar 09 2015 17:05:21 GMT+08:00
shost	Source host name	Example: shost1
smac	Source MAC	Example: 00:0C:29:6E:CB:F9
sourceTranslatedAddress	Interested IP	Example: 10.1.144.199
spt	Source port	Value between 0 and 65535
src	Source IP address	Example: 10.1.144.199
suser	Mail sender	Example: suser1

Log sample:

CEF:0|Trend Micro|Deep Discovery Inspector
|5.0.1329|100101|Ransomware 
URL in Web Reputation Services database - HTTP 
(Request)|8|dvc=172.22.9.32 dvcmac=00:50:56:AD:03:BD 
dvchost=localhost deviceExternalId=E9A3FA433916-4738984
C-A4BF-84A0-D603 
rt=Jun 22 2017 10:00:17 GMT+08:00 cs3Label=HostName_Ext 
cs3=ca95-1.winshipway.com cn2Label=WRSScore cn2=49 
cn3Label=Threat Type cn3=5 dmac=00:16:c8:65:98:d5 
shost=172.22.9.5 src=172.22.9.5 spt=41757 
smac=00:50:56:82:e7:a9 
sourceTranslatedAddress=172.22.9.5 
cn1Label=CCCA_Detection 
cn1=1 request=http://ca95-1.winshipway.com/ 
requestClientApplication=Wget/1.12 
(linux-gnu) app=HTTP deviceDirection=1 
dhost=150.70.162.115 
dst=150.70.162.115 dpt=80 cs2Label=URLCategory 
cs2=Ransomware destinationTranslatedAddress=
150.70.162.115 
cs4Label=pAttackPhase cs4=Command and Control 
Communication flexNumber1Label=vLANId flexNumber1=4095 
request=http://ca95-1.winshipway.com/ 
devicePayloadId=5:17: