TMEF Web Reputation Logs

| TMEF Key | Description | Value |
|---|---|---|
| Header (logVer) | TMEF format version | CEF: 0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Deep Discovery Inspector |
| Header (pver) | Appliance version | Example: 3.8.1181 |
| Header (eventid) | Signature ID | 100101 |
| Header (eventName) | Event Name | WEB_THREAT_DETECTION |
| Header (severity) | Severity | 2: Informational<br>4: Low<br>6: Medium<br>8: High |
| app | Protocol | Example: HTTP |
| appGroup | Protocol group | Example: HTTP |
| cn1 | CCCA detection | 0 or 1 |
| cn1Label | CCCA detection | CCCA_Detection |
| cn2 | Score | Example: 49 |
| cn2Label | Score | Score |
| cn4 | Threat type | 5 |
| cn4Label | Threat type | Deep Discovery_ThreatType |
| cn6 | CCCA Risk Level | 0: Unknown<br>1: Low<br>2: Medium<br>3: High |
| cn6Label | CCCA Risk Level | CCCA_RiskLevel |
| cs3 | Host name | Example: CLIENT1 |
| cs3Label | Host name | HostName_Ext |
| cs4 | Network Group assigned to a source host | Example: monitor1 |
| cs4Label | Network Group assigned to a source host | Deep Discovery_SrcGroup |
| cs5 | Source zone | 0: Not in monitored network<br>1: In monitored network and trusted<br>2: In monitored network and not trusted |
| cs5Label | Source zone | Deep Discovery_SrcZone |
| cs9 | Network Group assigned to a destination host | Example: monitor1 |
| cs9Label | Network Group assigned to a destination host | Deep Discovery_DstGroup |
| cs10 | Destination zone | 0: Not in monitored network<br>1: In monitored network and trusted<br>2: In monitored network and not trusted |
| cs10Label | Destination zone | Deep Discovery_DstZone |
| cs11 | CCCA log is detected by | GLOBAL_INTELLIGENCE<br>VIRTUAL_ANALYZER<br>USER_DEFINED<br>RELEVANCE_RULE |
| cs11Label | CCCA log is detected by | CCCA_DetectionSource |
| deviceGUID | Appliance GUID | Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536 |
| deviceMacAddress | Appliance MAC address | Example: 00:0C:29:6E:CB:F9 |
| devicePayloadId | An extendable field. | Format: `{threat_type}:{log_id}:{with pcap file captured}{:extensions}*`<br>Examples:<br>With pcap file captured: 2:10245:P<br>Without pcap file captured: 2:10245: |
| dvc | Appliance IP address | Example: 10.1.144.199 |
| dvchost | Appliance host name | Example: localhost |
| deviceDirection | Packet direction | 0: Source is external<br>1: Source is internal<br>2: Unknown |
| dhost | Destination host name | Example: dhost1 |
| dmac | Destination MAC | Example: 00:0C:29:6E:CB:F9 |
| dOSName | Destination host OS | Example: Android |
| dpt | Destination port | Value between 0 and 65535 |
| dst | Destination IP address | Example: 10.1.144.199 |
| duser | Mail recipient | Example: duser1 |
| externalId | Log ID | Example: 11 |
| hostSeverity | Host Severity | Example: 4 |
| interestedIp | Interested IP | Example: 10.1.144.199 |
| mailMsgSubject | Mail subject | Example: hello |
| msg | Description | Example: C&C Server URL in Web Reputation Services database - HTTP (Request) |
| pAttackPhase | Primary attack phase | Intelligence Gathering<br>Point of Entry<br>Command and Control Communication<br>Lateral Movement<br>Asset and Data Discovery<br>Data Exfiltration<br>Nil (no applicable attack phase) |
| pComp | Detection engine/component | Example: VSAPI |
| peerIp | Peer IP | Example: 10.1.144.199 |
| ptype | Application type | IDS |
| reason | Reason | Example: ["Protocol: 4"] |
| request | URL | Example: http://1.2.3.4/query?term=value |
| requestClientApplication | User agent | Example: IE |
| rt | Log generation time | Example: Mar 09 2015 17:05:21 GMT+08:00 |
| sAttackPhase | Secondary attack phase | Example: Point of Entry |
| shost | Source host name | Example: shost1 |
| smac | Source MAC | Example: 00:0C:29:6E:CB:F9 |
| sOSName | Source host OS | Example: Android |
| spt | Source port | Value between 0 and 65535 |
| src | Source IP address | Example: 10.1.144.199 |
| suser | Mail sender | Example: suser1 |
| urlCat | URL category | Example: C&C Server |
| vLANId | VLAN ID | Value between 0 and 4095 |
Log sample (wrapped here at field boundaries for readability; the appliance emits it as a single line):

```text
CEF:0|Trend Micro|Deep Discovery Inspector|5.0.1329|100101|WEB_THREAT_DETECTION|8|dvc=172.22.9.32
deviceMacAddress=00:50:56:AD:03:BD dvchost=localhost deviceGUID=E9A3FA433916-4738984C-A4BF-84A0-D603
ptype=IDS rt=Jun 22 2017 10:00:17 GMT+08:00 cs3Label=HostName_Ext cs3=ca95-1.winshipway.com
cs4Label=Deep Discovery_SrcGroup cs4=Default cs5Label=Deep Discovery_SrcZone cs5=1
cs10Label=Deep Discovery_DstZone cs10=0 cn2Label=Score cn2=49 cn4Label=Deep Discovery_ThreatType cn4=5
dmac=00:16:c8:65:98:d5 shost=172.22.9.5 src=172.22.9.5 spt=41757 smac=00:50:56:82:e7:a9 interestedIp=172.22.9.5
cn1Label=CCCA_Detection cn1=1 msg=Ransomware URL in Web Reputation Services database - HTTP (Request)
request=http://ca95-1.winshipway.com/ requestClientApplication=Wget/1.12 (linux-gnu) pComp=TMUFE
appGroup=HTTP app=HTTP vLANId=4095 deviceDirection=1 dhost=150.70.162.115 dst=150.70.162.115 dpt=80
urlCat=Ransomware peerIp=150.70.162.115 sOSName=Linux cn6Label=CCCA_RiskLevel cn6=3
cs11Label=CCCA_DetectionSource cs11=RELEVANCE_RULE externalId=17 hostSeverity=8
reason=["URL: http://ca95-1.winshipway.com/"] pAttackPhase=Command and Control Communication devicePayloadId=5:17:P
```
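As an added example (not Trend Micro's code), a small Python parser for a line in this format: it splits the seven pipe-delimited header fields, parses the space-separated key=value extension (values such as msg and rt contain spaces, and a URL value may contain '='), renames cnN/csN fields using the matching cnNLabel/csNLabel, decodes the severity and CCCA risk enumerations from the table, and unpacks devicePayloadId per the format above, cross-checking its log_id and threat_type against externalId and cn4. The SAMPLE line is constructed from a subset of the page's log sample; escaped pipes in CEF header fields are not handled.

```python
import re

# Constructed sample in the layout of the page's Web Reputation log sample (subset of fields).
SAMPLE = (
    "CEF:0|Trend Micro|Deep Discovery Inspector|5.0.1329|100101|WEB_THREAT_DETECTION|8|"
    "dvc=172.22.9.32 rt=Jun 22 2017 10:00:17 GMT+08:00 cs3Label=HostName_Ext cs3=ca95-1.winshipway.com "
    "cn1Label=CCCA_Detection cn1=1 cn4Label=Deep Discovery_ThreatType cn4=5 cn6Label=CCCA_RiskLevel cn6=3 "
    "msg=Ransomware URL in Web Reputation Services database - HTTP (Request) "
    "request=http://ca95-1.winshipway.com/query?term=value externalId=17 devicePayloadId=5:17:P"
)
SEVERITY = {"2": "Informational", "4": "Low", "6": "Medium", "8": "High"}   # from the table above
CCCA_RISK = {"0": "Unknown", "1": "Low", "2": "Medium", "3": "High"}        # cn6 values

# A key is an alphanumeric run followed by '=' at line start or after whitespace. Values may
# hold spaces (msg, rt) and '=' inside a URL ("?term=value" follows '?', so it is not a key).
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9]+)=")

def parse_extension(ext):
    """Split the CEF extension into a key -> raw value dict."""
    matches = list(_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip()
    return fields

def resolve_labels(fields):
    """Rename cnN/csN keys to the name carried in the matching cnNLabel/csNLabel."""
    return {fields.get(k + "Label", k): v for k, v in fields.items() if not k.endswith("Label")}

def parse_payload_id(payload):
    """Decode devicePayloadId: {threat_type}:{log_id}:{P if pcap captured}{:extensions}*."""
    threat_type, log_id, pcap, *extensions = payload.split(":")
    return {"threat_type": threat_type, "log_id": log_id,
            "pcap_captured": pcap == "P", "extensions": extensions}

def parse_tmef(line):
    """Parse one TMEF line into header fields, label-resolved extensions and decoded enums."""
    parts = line.split("|", 7)  # 7 header fields, then the extension (escaped '|' not handled)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF/TMEF line")
    fields = parse_extension(parts[7])
    named = resolve_labels(fields)
    payload = parse_payload_id(fields["devicePayloadId"]) if "devicePayloadId" in fields else None
    return {
        "product": parts[2], "version": parts[3], "signature_id": parts[4], "event": parts[5],
        "severity": SEVERITY.get(parts[6], parts[6]), "fields": named, "payload": payload,
        "ccca_risk": CCCA_RISK.get(named.get("CCCA_RiskLevel"), "n/a"),
        # consistency check: payload log_id/threat_type should agree with externalId and cn4
        "consistent": payload is not None and payload["log_id"] == fields.get("externalId")
        and payload["threat_type"] == named.get("Deep Discovery_ThreatType"),
    }
```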