Views:

CEF Key

Description

Value

Header (logVer)

CEF format version

CEF:0

Header (vendor)

Appliance vendor

Trend Micro

Header (pname)

Appliance product

Apex Central

Header (pver)

Appliance version

2019

Header (eventid)

CnC:Action

CnC:Block

Header (eventName)

Name

CnC Callback

Header (severity)

Severity

3

deviceExternalId

ID

Example: "12"

cat

Log type

Example: "1756"

deviceFacility

Product

Example: "Apex One"

cs2Label

Corresponding label for the "cs2" field

Example: "El_ProductVersion"

cs2

Product version

Example: "11.0"

rt

Log generation time in UTC

Example: "Oct 11 2017 06:34:09 GMT+00:00"

shost

Endpoint host name

Example: "ApexOneClient01"

src

Endpoint IPv4 address

Example: "10.201.86.187"

c6a2Label

Corresponding label for the "c6a2" field

Example: "SLF_ClientIP"

c6a2

Endpoint IPv6 address

Example: "2620:101:4003:7a0:fd4b:52ed:53bd:ae3d"

cs3Label

Corresponding label for the "cs3" field

Example: "SLF_DomainName"

cs3

Domain name

Example: "DOMAIN1"

cs4Label

Corresponding label for the "cs4" field

Example: "SLF_PolicyName"

cs4

Policy name

Example: "C&C Server URL in Web Reputation Services database - HTTP (Request)"

act

Action

Example: "Block"

  • 0: Unknown

  • 1: Pass

  • 2: Block

  • 3: Monitor

  • 4: Delete

  • 5: Quarantine

  • 6: Warn

  • 7: Warn and continue

  • 8: Override

cn1Label

Corresponding label for the "cn1" field

Example: "SLF_CCCA_RiskLevel"

cn1

C&C risk level

Example: "1"

  • 0: SLF_CCCA_RISKLEVEL_UNKNOWN

  • 1: SLF_CCCA_RISKLEVEL_LOW

  • 2: SLF_CCCA_RISKLEVEL_MEDIUM

  • 3: SLF_CCCA_RISKLEVEL_HIGH

cn2Label

Corresponding label for the "cn2" field

Example: "SLF_CCCA_DetectionSource"

cn2

C&C list source

Example: "1"

  • 0: SLF_CCCA_GLOBAL_LIST

  • 1: SLF_CCCA_CUSTOM_LIST

  • 2: SLF_CCCA_CUSTOM_LIST_USER_DEFINED

cn3Label

Corresponding label for the "cn3" field

Example: "SLF_CCCA_DetectionFormat"

cn3

Callback address format

Example: "1"

  • 0: IP

  • 1: IP

  • 2: HTTP

  • 3: SMTP

request

URL

Example: "http://CC13.jojo.com"

deviceCustomDate1Label

Corresponding label for the "deviceCustomDate1" field

Example: "SLF_FirstSeen"

deviceCustomDate1

The UTC time when the callback attempt was first monitored

Example: "Oct 10 2017 16:58:03 GMT+00:00"

deviceCustomDate2Label

Corresponding label for the "deviceCustomDate2" field

Example: "SLF_LastSeen"

deviceCustomDate2

The UTC time when the callback attempt was last monitored

Example: "Oct 11 2017 10:58:03 GMT+00:00"

cs5Label

Corresponding label for the "cs5" field

Example: "CnCDestination"

cs5

Callback URL address

Example: "http://CC13.jojo.com"

dst

Callback IPv4 address

Example: "10.201.86.195"

c6a3Label

Corresponding label for the "c6a3" field

Example: "CnCDestination"

c6a3

Callback IPv6 address

Example: "fe80::38ca:cd15:443c:40bb%11"

deviceProcessName

Process name

Example: "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"

Log sample:

CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback
|3|deviceExternalId=12 rt=Oct 11 2017 06:34:09 GMT+00:00 cat
=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2
=11.0 shost=ApexOneClient01 src=10.201.86.187 cs3Label=SLF_D
omainName cs3=DOMAIN act=Block cn1Label=SLF_CCCA_RiskLevel c
n1=1 cn2Label=SLF_CCCA_DetectionSource cn2=1 cn3Label=SLF_CC
CA_DestinationFormat cn3=1 dst=10.201.86.195 deviceProcessNa
me=C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe
Parent topic: Syslog Content Mapping - CEF