Correlation Incident Logs
| TMEF Key | Description | Value |
|---|---|---|
| Header (logVer) | TMEF format version | CEF: 0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Deep Discovery Inspector |
| Header (pver) | Appliance version | Example: 3.8.1181 |
| Header (eventid) | Signature ID | 100127 |
| Header (eventName) | Event Name | SUSPICIOUS_BEHAVIOUR_DETECTION |
| Header (severity) | Severity | |
| app | Protocol | Example: HTTP |
| cs1 | Interested group | Example: Default |
| cs1Label | Interested group | DD_InterestedGroup |
| cs2 | Malware server address | Example: 10.1.144.199 |
| cs2Label | Malware server address | Malware_Server_IP_Address |
| cs3 | Number of downloaded malware files | Example: 1 |
| cs3Label | Number of downloaded malware files | Number_of_Malware_Files_Downloaded |
| cs10 | Malware name | Example: HEUR_NAMETRICK.A |
| cs10Label | Malware name | Malware_Name |
| deviceDirection | Packet direction | |
| deviceGUID | Appliance GUID | Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536 |
| deviceMacAddress | Appliance MAC address | Example: 00:0C:29:6E:CB:F9 |
| dvc | Appliance IP address | Example: 10.1.144.199 |
| dvchost | Appliance host name | Example: localhost |
| interestedHost | Interested host | Example: trend.net |
| interestedIp | Interested IP | Example: 10.1.144.199 |
| interestedMacAddress | Interested MAC | Example: 00:0C:29:6E:CB:F9 |
| interestedUser | Interested user 1 | Example: user1 |
| interestedUser2 | Interested user 2 | Example: user2 |
| interestedUser3 | Interested user 3 | Example: user3 |
| pComp | Detection engine/component | Correlation |
| peerHost | Peer host | Example: 10.1.144.199 |
| peerIp | Peer IP | Example: 10.1.144.199 |
| ptype | Application type | IDS |
| rt | Log generation time | Example: Mar 09 2015 17:05:21 GMT+08:00 |
| ruleId | Rule ID | Example: 52 |
| ruleName | Description | Example: Email message sent through an unregistered SMTP server |
| threatName | Threat name | Example: Malware File Downloaded |
| threatType | Threat type | Example: Malware-related |
Log sample:
CEF:0|Trend Micro|Deep Discovery Inspector|3.8.1181|100127|SUSPICIOUS_BEHAVIOUR_DETECTION|2|dvc=10.201.156.143 deviceMacAddress=00:0C:29:A6:53:0C dvchost=ddi38-143 pComp=Correlation ptype=IDS deviceGUID=D2C1D6D20FF8-4FC98F92-25EB-D7DA-AF0E rt=Mar 11 2015 22:05:50 GMT-04:00 deviceDirection=1 interestedIp=172.16.0.100 interestedHost=172.16.0.100 interestedMacAddress=00:0c:29:70:45:36 ruleId=47 ruleName=This host has responded to DNS queries. threatType=Unregistered Service threatName=Unregistered DNS Server app=DNS Response cs1Label=DD_InterestedGroup cs1=Default peerHost=172.16.1.141 peerIp=172.16.1.141
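The log sample above has values that contain spaces (rt, ruleName, threatName, app), so a naive split on whitespace misreads it. The following parser, an added example and not Trend Micro code, splits the seven CEF header fields, walks the extension by locating `key=` tokens so that multi-word values survive, and maps each csN value to the name its csNLabel declares; the sample line is embedded as constructed input.

```python
import re
from typing import Dict

# Constructed sample: the correlation incident log line from this page.
SAMPLE_LOG = (
    "CEF:0|Trend Micro|Deep Discovery Inspector|3.8.1181|100127|"
    "SUSPICIOUS_BEHAVIOUR_DETECTION|2|dvc=10.201.156.143 "
    "deviceMacAddress=00:0C:29:A6:53:0C dvchost=ddi38-143 pComp=Correlation "
    "ptype=IDS deviceGUID=D2C1D6D20FF8-4FC98F92-25EB-D7DA-AF0E "
    "rt=Mar 11 2015 22:05:50 GMT-04:00 deviceDirection=1 "
    "interestedIp=172.16.0.100 interestedHost=172.16.0.100 "
    "interestedMacAddress=00:0c:29:70:45:36 ruleId=47 "
    "ruleName=This host has responded to DNS queries. "
    "threatType=Unregistered Service threatName=Unregistered DNS Server "
    "app=DNS Response cs1Label=DD_InterestedGroup cs1=Default "
    "peerHost=172.16.1.141 peerIp=172.16.1.141"
)

# Names for the seven header positions, as listed in the table above.
HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

# An extension key starts the extension or follows a space and is followed by '='.
# Values may contain spaces; a literal '=' inside a value is assumed to be escaped
# as '\=' per CEF, which this simple matcher does not treat specially.
_KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_]+)=")


def parse_tmef(line: str) -> Dict[str, str]:
    """Split a TMEF/CEF line into header fields plus extension key/value pairs."""
    # Header fields are separated by unescaped '|'; the eighth piece is the extension.
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("not a CEF line: expected 7 header separators")
    record = dict(zip(HEADER_KEYS, parts[:7]))
    ext = parts[7]
    matches = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(matches):
        # A value runs from after its '=' up to the next key token.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        record[m.group(1)] = ext[m.end():end].strip()
    return record


def resolve_custom_labels(record: Dict[str, str]) -> Dict[str, str]:
    """Map each csN value to the name its csNLabel field declares."""
    resolved = {}
    for key, label in record.items():
        m = re.fullmatch(r"(cs\d+)Label", key)
        if m and m.group(1) in record:
            resolved[label] = record[m.group(1)]
    return resolved
```

On the sample, `parse_tmef` yields `rt` as `Mar 11 2015 22:05:50 GMT-04:00` and `ruleName` as the full sentence, and `resolve_custom_labels` returns `{"DD_InterestedGroup": "Default"}`.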