CEF Violation Logs

| CEF key | Description | Value |
|---|---|---|
| Header(logVer) | CEF format version | CEF:0 |
| Header(vendor) | Appliance vendor | Trend Micro |
| Header(pname) | Appliance product | Deep Discovery Web Inspector |
| Header(pver) | Appliance version | Example: 2.5.0.1105 |
| Header(eventid) | Signature ID | Example: 100001 |
| Header(eventName) | Description | Example: Ransomware |
| Header(severity) | Risk level | 0: user defined; 1: low; 2: medium; 3: high; 4: potential threat risk |
| rt | UTC timestamp | Example: Oct 20 2017 17:15:57 GMT+00:00 |
| logType | Log type | 6: Violation Log |
| companyId | Company ID | Reserved; value is `default` |
| adDomain | AD domain | Active Directory domain information. Example: trendnet.org |
| userName | Client IP | Example: 10.204.171.200 |
| groupName | Group name | Active Directory group name information |
| department | Department | Active Directory department information. Example: commercial |
| device | Device | Reserved; default null |
| act | Action | One of: allow, monitor, block, analyzing |
| app | Protocol channel | 1: HTTP; 2: HTTPS; 3: HTTP2; 4: FTP |
| tlsVersion | TLS version | 0: None TLS; 1: SSLv3; 2: TLSv1.0; 3: TLSv1.1; 4: TLSv1.2; 5: TLSv1.3 |
| size | Bytes transported by Deep Discovery Web Inspector, in bytes | Example: 15 |
| dst | Destination IP address of the request | Example: 54.148.125.151 |
| src | Source IP address of the request | Example: 10.204.171.200 |
| upstreamSize | Upstream payload from Deep Discovery Web Inspector to the server, in bytes | Example: 54 |
| downstreamSize | Downstream payload from the server to Deep Discovery Web Inspector, in bytes | Example: 49 |
| domain | Domain | Example: ca95-1.winshipway.com |
| detectionType | Detection type | For a description of each type, see List of Detection Types |
| detectionSubType | Detection sub-type | Reserved; default 0 |
| threatType | Threat type | 1: Ransomware; 2: C&C Callback; 3: Suspicious Malware; 4: Suspicious URLs; 5: Suspicious Documents; 6: Suspicious Scripts; 7: Malicious URL; 8: Malicious Content; 9: Suspicious Content; 10: Coin Miners |
| severity | Risk level | 0: user defined; 1: low; 2: medium; 3: high; 4: potential threat risk |
| policyName | Policy name | Example: test |
| profileName | Profile name | Reserved; currently displays as `default` |
| wrsThreshold | WRS threshold | Value is set to 50 |
| principalName | Principal name | Reserved; default is null |
| request | URL | Example: hxxp://ca95-1.winshipway.com/ |
| cat | URL category | Example: Ransomware |
| appName | Application name | Reserved; default is null |
| wrsScore | WRS score | Example: 81 |
| malwareType | Malware type | Reserved; default 0 |
| malwareName | Malware name | Example: Ransomware |
| soData | Suspicious object displayed on the Deep Discovery Web Inspector Detections page | One of the following types: Domain, URL, Server IP, File SHA1 |
| fname | File name | Example: a.txt |
| filehash | SHA1 | Example: 0d3d4cdfff683b0c17843a889e867fe29095c3ac |
| msg | Log description | Value is null |
| httpTrans | HTTP transaction | Example: `{"http_req":{"headers":{"accept-encoding":"gzip,deflate","host":"10.204.170.7","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"},"host":"10.204.170.7","method":"GET","path":"TESTDATA/virus/NonCleanable/EXT_BOO.BOO","scheme":"http"}, "http_response":{"headers":{"content-length":"512","content-type":"text/plain"},"status_code":200},"ver":"1.0"}` |
| debugInfo | Debug information | Example: `{"conn_state":{"auth_id_type":"ip","auth_is_guest":false,"auth_reuse":false,"auth_user_id":"10.204.171.200","bypass_scan":false,"c_listen_addr":"0.0.0.0:8080","c_local_addr":"10.204.133.74:8080","c_peer_addr":"10.204.171.200:64353","c_recv_bytes":470,"c_sent_bytes":0,"gateway_ip":"10.204.171.200","s_recv_bytes":0,"s_sent_bytes":0,"tmufe_timeout":false},"errcode":"3055,IWSSHttpProxyProtocol.cpp:2569","src":"Proxy","trans":{"info":"","time":"1: 1508519757821, 2: 0, 13: 1, 14: 1, 33: 1, 15: 1, 16: 1, 34: 1, 38: 1"}, "ver":"1.0"}` |
Log sample (one event is a single line; it is shown here exactly as emitted, without the wrapping introduced by the page layout):

```text
CEF:0|Trend Micro|Deep Discovery Web Inspector|2.5.0.1105|100001|Ransomware|3|wrsScore=49 userName=10.204.171.200 domain=ca95-1.winshipway.com adDomain= policyName=default detectionType=21 app=1 principalName= logType=6 groupName= malwareType=0 httpTrans={"http_req":{"headers":{"accept-encoding":"gzip, deflate","host":"ca95-1.winshipway.com","proxy-connection":"keep-alive","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"},"host":"ca95-1.winshipway.com","method":"GET","path":"/","scheme":"http"},"http_response":{"headers":null,"status_code":-1},"ver":"1.0"} device= profileName=default tlsVersion=0 soData= size=0 rt=Oct 20 2017 17:15:57 GMT+00:00 src=10.204.171.200 threatType=1 wrsThreshold=50 severity=3 malwareName=Ransomware from WRS companyId= filehash= dst=54.148.125.151 appName= request=http://ca95-1.winshipway.com/ techSubType=0 cat=Ransomware upstreamSize=0 downstreamSize=0 fname= act=block department= debugInfo={"conn_state":{"auth_id_type":"ip","auth_is_guest":false,"auth_reuse":false,"auth_user_id":"10.204.171.200","bypass_scan":false,"c_listen_addr":"0.0.0.0:8080","c_local_addr":"10.204.133.74:8080","c_peer_addr":"10.204.171.200:64353","c_recv_bytes":470,"c_sent_bytes":0,"gateway_ip":"10.204.171.200","s_recv_bytes":0,"s_sent_bytes":0,"tmufe_timeout":false},"errcode":"3055,IWSSHttpProxyProtocol.cpp:2569","src":"Proxy","trans":{"info":"","time":"1:1508519757821, 2: 0, 13: 1, 14: 1, 33: 1, 15: 1, 16: 1, 34: 1, 38: 1"},"ver":"1.0"} msg=
```
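A parser for lines in this format, added here as an example and not Trend Micro's own code: it splits the header on unescaped pipes, ends each extension value at the next `key=` token so that the spaces inside `rt` and `malwareName` and the JSON inside `httpTrans` and `debugInfo` survive, and decodes the numeric codes with the tables above. The embedded input is the page's log sample re-joined onto one line with `debugInfo` abbreviated; the function names are this example's own.

```python
import json
import re

# Code tables transcribed from the field table above.
SEVERITY = {"0": "user defined", "1": "low", "2": "medium", "3": "high", "4": "potential threat risk"}
THREAT_TYPE = {"1": "Ransomware", "2": "C&C Callback", "3": "Suspicious Malware", "4": "Suspicious URLs",
               "5": "Suspicious Documents", "6": "Suspicious Scripts", "7": "Malicious URL",
               "8": "Malicious Content", "9": "Suspicious Content", "10": "Coin Miners"}
APP = {"1": "HTTP", "2": "HTTPS", "3": "HTTP2", "4": "FTP"}
TLS = {"0": "None TLS", "1": "SSLv3", "2": "TLSv1.0", "3": "TLSv1.1", "4": "TLSv1.2", "5": "TLSv1.3"}
HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
# An extension key is an identifier glued to "=" and preceded by whitespace (or the block start);
# the JSON inside httpTrans/debugInfo never contains that shape, so the next key ends a value.
KEY_RE = re.compile(r"(?<!\S)([A-Za-z][A-Za-z0-9_]*)=")

# The page's log sample re-joined onto one line (debugInfo abbreviated), used as sample input.
SAMPLE = (
    'CEF:0|Trend Micro|Deep Discovery Web Inspector|2.5.0.1105|100001|Ransomware|3|wrsScore=49 userName=10.204.171.200 '
    'domain=ca95-1.winshipway.com adDomain= policyName=default detectionType=21 app=1 principalName= logType=6 groupName= '
    'malwareType=0 httpTrans={"http_req":{"headers":{"accept-encoding":"gzip, deflate","host":"ca95-1.winshipway.com",'
    '"proxy-connection":"keep-alive","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"},"host":"ca95-1.winshipway.com","method":"GET","path":"/",'
    '"scheme":"http"},"http_response":{"headers":null,"status_code":-1},"ver":"1.0"} device= profileName=default '
    'tlsVersion=0 soData= size=0 rt=Oct 20 2017 17:15:57 GMT+00:00 src=10.204.171.200 threatType=1 wrsThreshold=50 '
    'severity=3 malwareName=Ransomware from WRS companyId= filehash= dst=54.148.125.151 appName= '
    'request=http://ca95-1.winshipway.com/ techSubType=0 cat=Ransomware upstreamSize=0 downstreamSize=0 fname= act=block '
    'department= debugInfo={"conn_state":{"auth_id_type":"ip","auth_user_id":"10.204.171.200"},"src":"Proxy","ver":"1.0"} msg='
)

def parse_cef(line):
    """Return (header, extensions) for one CEF line; a bare "key=" yields ""."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)  # split on unescaped pipes only
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    header = dict(zip(HEADER_FIELDS, (re.sub(r"\\([\\|])", r"\1", p) for p in parts[:7])))  # undo \| and \\
    ext_text, ext, keys = parts[7], {}, list(KEY_RE.finditer(parts[7]))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = ext_text[m.end():end].strip()
    return header, ext

def summarize(line):
    """Decode the codes an analyst reads first into the names given in the table."""
    header, ext = parse_cef(line)
    http_req = json.loads(ext["httpTrans"]).get("http_req", {}) if ext.get("httpTrans") else {}
    return {"severity": SEVERITY.get(header["severity"], header["severity"]),
            "threat": THREAT_TYPE.get(ext.get("threatType"), ext.get("threatType")),
            "channel": APP.get(ext.get("app"), ext.get("app")), "tls": TLS.get(ext.get("tlsVersion")),
            "action": ext.get("act"), "client": ext.get("src"), "server": ext.get("dst"),
            "url": ext.get("request"), "method": http_req.get("method"), "host": http_req.get("host")}
```

Note that the sample carries `techSubType` where the table lists `detectionSubType`, so a consumer should key on the names actually emitted rather than assume the table is exhaustive.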