Views:

LEEF Threat Logs

LEEF Key
Description
Value 
Header (logVer)
LEEF format version
LEEF: 1.0
Header (vendor)
Appliance vendor
Trend Micro
Header (pname)
Appliance product
Deep Discovery Inspector
Header (pver)
Appliance version
Example: 3.8.1181
Header (eventName)
Event Name
  • MALWARE_DETECTION
  • MALWARE_OUTBREAK_DETECTION
  • SECURITY_RISK_DETECTION
act
The action in the event
blocked or not blocked
aggregatedCnt
Aggregated count
Example: 1
aptRelated
Indicates an APT-related event
0 or 1
botCommand
BOT command
Example: COMMIT
botUrl
BOT URL 
Example: trend.com
cccaDestination
CCCA address
Example: 10.1.144.199
cccaDestinationFormat
CCCA type
  • IP_DOMAIN
  • IP_DOMAIN_PORT
  • URL
  • EMAIL
cccaDetection CCCA detection
0 or 1
cccaDetectionSource
CCCA log is detected by
  • GLOBAL_INTELLIGENCE
  • VIRTUAL_ANALYZER
  • USER_DEFINED
cccaRiskLevel
CCCA Risk Level
  • 0: Unknown
  • 1: Low
  • 2: Medium
  • 3: High
channelName
Channel name
Example: IRCChannel1
chatUserName
Nickname
Example: IRCUser1
cnt
Total count
Example: 1
compressedFileName
File name in archive
Example: mtxlegih.dll
detectionType
Detection type
  • 0: Known detection
  • 1: Unknown detection
  • 2: OPS detection
deviceDirection
Packet direction
  • 0: Source is external
  • 1: Source is internal
  • 2: Unknown
deviceGUID
Appliance GUID
Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
deviceMacAddress
Appliance MAC address
Example: 00:0C:29:6E:CB:F9
deviceRiskConfidenceLevel
Confidence level
  • 1: High
  • 2: Medium
  • 3: Low
  • 0: Undefined
devTime
Log generation time
Example: Mar 09 2015 17:05:21 GMT+08:00
devTimeFormat
Time format
MMM dd yyyy HH:mm:ss z
dhost
Destination host name
Example: dhost1
dOSName
Destination host OS
Example: Android
dst
Destination IP address
Example: 10.1.144.199
dstGroup 
Network Group assigned to a destination host
Example: monitor1
dstMAC
Destination MAC
Example: 00:0C:29:6E:CB:F9
dstPort
Destination port
Value between 0 and 65535
dstZone
Destination zone
  • 0: Not in monitored network
  • 1: In monitored network and trusted
  • 2: In monitored network and untrusted
duser
Mail recipient
Example: duser1
dUser1
Destination user name 1
Example: admin
dUser1LoginTime
Destination user log on time 1
Example: Mar 09 2015 17:05:21 GMT+08:00
dUser2
Destination user name 2
Example: admin
dUser2LoginTime
Destination user log on time 2
Example: Mar 09 2015 17:05:21 GMT+08:00
dUser3
Destination user name 3
Example: admin
dUser3LoginTime
Destination user log on time 3
Example: Mar 09 2015 17:05:21 GMT+08:00
dvc
Appliance IP address
Example: 10.1.144.199
dvchost
Appliance host name
Example: localhost
evtCat
Event category
Example: Suspicious Traffic
evtSubCat
Event subcategory
Example: Email
fileHash
SHA1
Example:1EDD5B38DE4729545767088C5CAB395E4197C8F3
filePath
File path
Example: SHARE\\
fileType
Real file type
Example: 1638400
fname
File name
Example: excel.rar
fsize
File size
Example: 131372
hackerGroup
Hacker group
Example: Comment Crew
hackingCampaign
Hacking campaign
Example:Aurora
hostName
Host name
Example: CLIENT1
interestedIp
Interested IP
Example: 10.1.144.199
mailMsgSubject
Mail subject
Example: hello
malFamily
Malware family
Example:Duqu
malName
Malware name
Example: HEUR_NAMETRICK.A
malType
Malware type
Example: MALWARE
mitigationTaskId
Event task ID for mitigation
Example: dc036acb-9a2e-4939-8244-dedbda9ec4ba
msg
Description
Example: HEUR_NAMETRICK.A - SMTP (Email)
oldFileHash
Mail attachment SHA1
Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3
oldFileName
Mail attachment file name
Example: excel.rar
oldFileSize
Mail attachment file size
Example: 150000
oldFileType
Mail attachment file type
Example: 1638400
pAttackPhase
Primary attack phase
  • Intelligence Gathering
  • Point of Entry
  • Command and Control Communication
  • Lateral Movement
  • Asset and Data Discovery
  • Data Exfiltration
  • Nil (no applicable attack phase)
pComp
Detection engine/component
Example: VSAPI
peerIP
Peer IP
Example: 10.1.144.199
proto
Protocol
Example: SMTP
protoGroup
Protocol group
Example: SMTP
ptype
Application type
IDS
requestClientApplication
User agent
Example: IE
riskType
Potential risk
  • 0: Known risk
  • 1: Potential risk
ruleId
Rule ID
Example: 52
sAttackPhase
Secondary attack phase
 Example: Point of Entry
sev
Severity
  • 2: Informational
  • 4: Low
  • 6: Medium
  • 8: High
shost
Source host name
Example: shost1
sOSName
Source host OS
Example: Android
src
Source IP address
Example: 10.1.144.199
srcGroup
Network Group assigned to a source host
Example: monitor1
srcMAC
Source MAC
Example: 00:0C:29:6E:CB:F9
srcPort
Source port
Value between 0 and 65535
srcZone
Source zone
  • 0: Not in monitored network
  • 1: In monitored network and trusted
  • 2: In monitored network and untrusted
suid
User name
Example: User1
suser
Mail sender
Example: suser1
sUser1
Source user name 1
Example: admin
sUser1LoginTime
Source user log on time 1
Example: Mar 09 2015 17:05:21 GMT+08:00
sUser2
Source user name 2
Example: admin
sUser2LoginTime
Source user log on time 2
Example: Mar 09 2015 17:05:21 GMT+08:00
sUser3
Source user name 3
Example: admin
sUser3LoginTime
Source user log on time 3
Example: Mar 09 2015 17:05:21 GMT+08:00
threatType
Threat type
  • 0: Malicious content
  • 1: Malicious behavior
  • 2: Suspicious behavior
  • 3: Exploit
  • 4: Grayware
url
URL
Example: http://1.2.3.4/query?term=value
vLANId
VLANID
Value between 0 and 4095
Log sample:
Note
Note
When using the LEEF log syntax, separate event attributes with <009> as a tab delimiter.
 
LEEF:1.0|Trend Micro|Deep Discovery Inspector|3.8.1175|SECUR
ITY_RISK_DETECTION|devTimeFormat=MMM dd yyyy HH:mm:ss z<009>
ptype=IDS<009>dvc=10.201.156.143<009>deviceMacAddress=00:0C:
29:A6:53:0C<009>dvchost=ddi38-143<009>deviceGUID=6B593E17AFB
7-40FBBB28-A4CE-0462-A536<009>devTime=Mar 09 2015 11:58:24 G
MT+08:00<009>sev=6<009>protoGroup=HTTP<009>proto=HTTP<009>vL
ANId=4095<009>deviceDirection=1<009>dhost=www.freewebs.com<0
09>dst=216.52.115.2<009>dstPort=80<009>dstMAC=00:1b:21:35:8b
:98<009>shost=172.16.1.197<009>src=172.16.1.197<009>srcPort=
12121<009>srcMAC=fe:ed:be:ef:5a:c6<009>malType=MALWARE<009>s
AttackPhase=Point of Entry<009>fname=setting.doc<009>fileTyp
e=0<009>fsize=0<009>ruleId=20<009>msg=HEUR_NAMETRIC
K.A - SMTP (Email)<009>deviceRiskConfidenceLevel=2
<009>url=http://www.freewebs.com/setting3/setting.doc
<009>pComp=CAV<009>riskType=1<009>
srcGroup=Default<009>srcZone=1<009>dstZone=0<009>dete
ctionType=1<009>act=not blocked<009>threatType=1<009>interes
tedIp=172.16.1.197<009>peerIp=216.52.115.2<009>hostName=www.
freewebs.com<009>cnt=1<009>aggregatedCnt=1<009>cccaDestinati
onFormat=URL<009>cccaDetectionSource=GLOBAL_INTELLIGENCE<009
>cccaRiskLevel=2<009>cccaDestination=http://www.freewebs.com
/setting3/setting.doc<009>cccaDetection=1<009>evtCat=Callbac
k evtSubCat=Bot<009>pAttackPhase=Command and Control Communi
cation