TMEF Threat Logs
|
TMEF Key
|
Description
|
Value
|
|
Header (logVer)
|
TMEF format version
|
CEF: 0
|
|
Header (vendor)
|
Appliance vendor
|
Trend Micro
|
|
Header (pname)
|
Appliance product
|
Deep Discovery Inspector
|
|
Header (pver)
|
Appliance version
|
Example: 3.8.1181
|
|
Header (eventid)
|
Event ID
|
|
|
Header (eventName)
|
Event Name
|
|
|
Header (severity)
|
Severity
|
|
|
act
|
The action in the event
|
blocked or not blocked
|
|
app
|
Protocol
|
Example: HTTP
|
|
appGroup
|
Protocol group
|
Example: HTTP
|
|
compressedFileHash
|
Compressed file SHA1
|
Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3
|
|
compressedFileName
|
File name in archive
|
Example: mtxlegih.dll
|
|
compressedFileType
|
Compressed file type
|
Example: 0
|
|
cnt
|
Total count
|
Example: 1
|
|
cn1
|
CCCA detection
|
0 or 1
|
|
cn1Label
|
CCCA detection
|
CCCA_Detection
|
|
cn2
|
Indicates an APT-related event
|
0 or 1
|
|
cn2Label
|
Indicates an APT-related event
|
APT Related
|
|
cn3
|
Potential risk
|
|
|
cn3Label
|
Potential risk
|
Deep Discovery_PotentialRisk
|
|
cn4
|
Threat type
|
|
|
cn4Label
|
Threat type
|
Deep Discovery_ThreatType
|
|
cn5
|
Aggregated count
|
Example: 1
|
|
cn5Label
|
Aggregated count
|
AggregatedCnt
|
|
cn6
|
CCCA Risk Level
|
|
|
cn6Label
|
CCCA Risk Level
|
CCCA_RiskLevel
|
|
cn7
|
Heuristic flag
|
|
|
cn7Label
|
Heuristic flag
|
HeurFlag
|
|
cs1
|
Channel name
|
Example: IRCChannel1
|
|
cs1Label
|
Channel name
|
IRCChannelName
|
|
cs2
|
Nickname
|
Example: IRCUser1
|
|
cs2Label
|
Nickname
|
IRCUserName
|
|
cs3
|
Host name
|
Example: CLIENT1
|
|
cs3Label
|
Host name
|
HostName_Ext
|
|
cs4
|
Network Group assigned to a source host
|
Example: monitor1
|
|
cs4Label
|
Network Group assigned to a source host
|
Deep Discovery_SrcGroup
|
|
cs5
|
Source zone
|
|
|
cs5Label
|
Source zone
|
Deep Discovery_SrcZone
|
|
cs6
|
Detection type
|
|
|
cs6Label
|
Detection type
|
Deep Discovery_DetectionType
|
|
cs7
|
BOT command
|
Example: COMMIT
|
|
cs7Label
|
BOT command
|
BOT_CMD
|
|
cs8
|
BOT url
|
Example: trend.com
|
|
cs8Label
|
BOT url
|
BOT_URL
|
|
cs9
|
Network Group assigned to a destination host
|
Example: monitor1
|
|
cs9Label
|
Network Group assigned to a destination host
|
Deep Discovery_DstGroup
|
|
cs10
|
Destination zone
|
|
|
cs10Label
|
Destination zone
|
Deep Discovery_DstZone
|
|
cs11
|
CCCA log is detected by
|
|
|
cs11Label
|
CCCA log is detected by
|
CCCA_DetectionSource
|
|
cs12
|
CCCA address
|
Example: 10.1.144.199
|
|
cs12Label
|
CCCA address
|
CCCA_Destination
|
|
cs13
|
CCCA type
|
|
|
cs13Label
|
CCCA type
|
CCCA_DestinationFormat
|
|
deviceDirection
|
Packet direction
|
|
|
deviceGUID
|
Appliance GUID
|
Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
|
|
deviceMacAddress
|
Appliance MAC address
|
Example: 00:0C:29:6E:CB:F9
|
|
devicePayloadId
|
An extendable field.
Format: {threat_type}:{log_id}:{with pcap file
captured}{:extensions}*
|
Examples:
|
|
deviceRiskConfidenceLevel
|
Confidence level
|
|
|
dhost
|
Destination host name
|
Example: dhost1
|
|
dmac
|
Destination MAC
|
Example: 00:0C:29:6E:CB:F9
|
|
dOSName
|
Destination host OS
|
Example: Android
|
|
dpt
|
Destination port
|
Value between 0 and 65535
|
|
dst
|
Destination IP address
|
Example: 10.1.144.199
|
|
duser
|
Mail recipient
|
Example: duser1
|
|
dUser1
|
Destination user name 1
|
Example: admin
|
|
dUser1LoginTime
|
Destination user log on time 1
|
Example: Mar 09 2015 17:05:21 GMT+08:00
|
|
dUser2
|
Destination user name 2
|
Example: admin
|
|
dUser2LoginTime
|
Destination user log on time 2
|
Example: Mar 09 2015 17:05:21 GMT+08:00
|
|
dUser3
|
Destination user name 3
|
Example: admin
|
|
dUser3LoginTime
|
Destination user log on time 3
|
Example: Mar 09 2015 17:05:21 GMT+08:00
|
|
dvc
|
Appliance IP address
|
Example: 10.1.144.199
|
|
dvchost
|
Appliance host name
|
Example: localhost
|
|
evtCat
|
Event category
|
Example: Suspicious Traffic
|
|
evtSubCat
|
Event sub category
|
Example: Email
|
|
externalId
|
Log ID
|
Example: 11
|
|
fileHash
|
SHA1
|
Example:1EDD5B38DE4729545767088C5CAB395E4197C8F3
|
|
filePath
|
File path
|
Example: SHARE\\
|
|
fileType
|
Real file type
|
Example: 1638400
|
|
fname
|
File name
|
Example: excel.rar
|
|
fsize
|
File size
|
Example: 131372
|
|
hackerGroup
|
Hacker group
|
Example: Comment Crew
|
|
hackingCampaign
|
Hacking campaign
|
Example: Aurora
|
|
hostSeverity
|
Host Severity
|
Example: 4
|
|
interestedIp
|
Interested IP
|
Example: 10.1.144.199
|
|
mailMsgSubject
|
Mail subject
|
Example: hello
|
|
malFamily
|
Malware family
|
Example: Duqu
|
|
malName
|
Malware name
|
Example: HEUR_NAMETRICK.A
|
|
malType
|
Malware type
|
Example: MALWARE
|
|
messageId
|
Message ID
|
Example: <20090130042416.7060505@jovencitasvirgenes.com.ar>
|
|
mitigationTaskId
|
Event task ID for mitigation
|
Example: dc036acb-9a2e-4939-8244-dedbda9ec4ba
|
|
oldFileHash
|
Mail attachment SHA1
|
Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3
|
|
oldFileName
|
Mail attachment file name
|
Example: excel.rar
|
|
oldFileSize
|
Mail attachment file size
|
Example: 150000
|
|
oldFileType
|
Mail attachment file type
|
Example: 1638400
|
|
pAttackPhase
|
Primary attack phase
|
|
|
pComp
|
Detection engine/component
|
Example: VSAPI
|
|
peerIP
|
Peer IP
|
Example: 10.1.144.199
|
|
ptype
|
Application type
|
IDS
|
|
reason
|
Reason
|
Example: ["Protocol: 4"]
|
|
request
|
URL
|
Example: http://1.2.3.4/query?term=value
|
|
requestClientApplication
|
User agent
|
Example: IE
|
|
rt
|
Log generation time
|
Example: Mar 09 2015 17:05:21 GMT+08:00
|
|
ruleId
|
Rule ID
|
Example: 52
|
|
ruleName
|
Description
|
Example: Email message sent through an unregistered SMTP server
|
|
sAttackPhase
|
Secondary attack phase
|
|
|
shost
|
Source host name
|
Example: shost1
|
|
smac
|
Source MAC
|
Example: 00:0C:29:6E:CB:F9
|
|
sOSName
|
Source host OS
|
Example: Android
|
|
spt
|
Source port
|
Value between 0 and 65535
|
|
src
|
Source IP address
|
Example: 10.1.144.199
|
|
suid
|
User name
|
Example: User1
|
|
suser
|
Mail sender
|
Example: suser1
|
|
sUser1
|
Source user name 1
|
Example: admin
|
|
sUser1LoginTime
|
Source user log on time1
|
Example: Mar 09 2015 17:05:21 GMT+08:00
|
|
sUser2
|
Source user name 2
|
Example: admin
|
|
sUser2LoginTime
|
Source user log on time 2
|
Example: Mar 09 2015 17:05:21 GMT+08:00
|
|
sUser3
|
Source user name 3
|
Example: admin
|
|
sUser3LoginTime
|
Source user log on time 3
|
Example: Mar 09 2015 17:05:21 GMT+08:00
|
|
vLANId
|
VLANID
|
Value between 0 and 4095
|
Log sample:
CEF:0|Trend Micro|Deep Discovery Inspector|
5.0.1329|100100|
MALWARE_DETECTION|8| ptype=IDS dvc=172.22.9.32
deviceMacAddress=00:50:56:AD:03:BD dvchost=localhost
deviceGUID=E9A3FA433916-4738984C-A4BF-84A0-D603
rt=Jun 22 2017 09:42:47 GMT+08:00 appGroup=HTTP
app=HTTP vLANId=4095 deviceDirection=1 dhost=172.22.9.5
dst=172.22.9.5 dpt=57908 dmac=00:50:56:82:e7:a9
shost=172.22.9.54 src=172.22.9.54 spt=80
smac=00:50:56:82:c6:ae
cs3Label=HostName_Ext cs3=172.22.9.54
malName=Eicar_test_file
malType=Virus fname=eicarcom2.zip fileType=262340608
fsize=308 ruleId=0 ruleName=Eicar_test_file -
HTTP (Response) deviceRiskConfidenceLevel=0 cn3Label=Deep
Discovery_PotentialRisk cn3=0 cs4Label=Deep
Discovery_SrcGroup
cs4=Default cs5Label=Deep Discovery_SrcZone cs5=1
cs9Label=Deep Discovery_DstGroup cs9=Default
cs10Label=Deep
Discovery_DstZone cs10=1 cs6Label=Deep
Discovery_DetectionType
cs6=0 request=http://172.22.9.54/eicarcom2.zip
requestClientApplication=Wget/1.12 (linux-gnu)
pComp=VSAPI act=not blocked cn4Label=Deep
Discovery_ThreatType
cn4=0 peerIp=172.22.9.5
fileHash=BEC1B52D350D721C7E22A6D4BB0A92909893A3AE
compressedFileName=eicar.com interestedIp=172.22.9.54
cnt=1 dOSName=Linux cn5Label=AggregatedCount
cn5=1 evtCat=Malware evtSubCat=Trojan cn2Label=APT
Related cn2=0 pAttackPhase=Point of Entry externalId=143
cn7Label=HeurFlag cn7=0 compressedFileType=327680
compressedFileHash=3395856CE81F2B7382DEE72602F
798B642F14140 hostSeverity=8 reason=["Malware:
Eicar_test_file"] devicePayloadId=0:143:P