| CEF Key | Description | Value | 
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 | 
| Header (vendor) | Appliance vendor | Trend Micro | 
| Header (pname) | Appliance product | Apex Central | 
| Header (pver) | Appliance version | 2019 | 
| Header (eventid) | Event ID | 700106 | 
| Header (eventName) | Log name | Data Loss Prevention | 
| Header (severity) | Severity | 3 | 
| cs1Label | Corresponding label for the "cs1" field | "Policy GUID" | 
| cs1 | Policy GUID | Example: "FAF492CF-164C-4672-9A79-F1AB9CB288A3" | 
| cn1Label | Corresponding label for the "cn1" field | "Product" | 
| cn1 | Product type value | Example: "15" | 
| rt | Log generation time in UTC | Example: "Feb 14 2017 11:14:08 GMT+00:00" | 
| src | Source host IP address | Example: "10.0.57.160" | 
| smac | Source host MAC address | Example: "74-27-00-0C-65-E7" | 
| shost | Source host name | Example: "shost1" | 
| cs4Label | Corresponding label for the "cs4" field | "Incident_Source_(AD_Account)" | 
| cs4 | The user name in violation | Example: "Trend" | 
| suser | Email sender | Example: "sender@example.com" | 
| request | The URL accessed | Example: "https://example.com/api/content" | 
| duser | Comma (,) separated list of recipients | Example: "user1@example.com;user2@example.com;" | 
| msg | Subject | Example: "Sample,20171017" | 
| filepath | File path | Example: "D:\\Windows Live Mail\\Storage Folders\\Imported Fo e52\\Local Folders\\Sent Items\\Archive Aft de1\\Clients,Adv 22b\\" | 
| fname | Trigger file name | Example: "2B43363A-000000A4.eml" | 
| fsize | File size in bytes | Example: "3" | 
| cs5Label | Corresponding label for the "cs5" field | "Rule" | 
| cs5 | Rule name | Example: "SAMPLE RULE SET" | 
| cs6Label | Corresponding label for the "cs6" field | "Template" | 
| cs6 | Template name | Example: "Apex One policy" | 
| cn3Label | Corresponding label for the "cn3" field | "Channel" | 
| cn3 | Channel type | Example: "3" For more information, see Channel Mapping Table. | 
| cn2Label | Corresponding label for the "cn2" field | "Action" | 
| cn2 | Action result | Example: "4" For more information, see Action Result Mapping Table. | 
| cs2Label | Corresponding label for the "cs2" field | "Policy" | 
| cs2 | Policy name | Example: "OfficeScan" | 
| cs3Label | Corresponding label for the "cs3" field | "Product_Entity/Endpoint" | 
| cs3 | Endpoint host name | Example: "Sample_Host" | 
| dvchost | Server host name | Example: "localhost" | 
| deviceFacility | Product name | Example: "Apex One" | 

Log sample:

```
CEF:0|Trend Micro|Apex Central|2019|700106|Data Loss Prevention|3|cs3Label=Product_Entity/Endpoint cs3=Sample_Host dvchost=Sampledvchost cs2Label=Policy cs2=N/A cn1Label=Product cn1=15 rt=Oct 13 2017 02:54:04 GMT+00:00 src=10.0.9.34 smac=34-E6-D7-84-BC-7F shost=shost1 cs4Label=Incident_Source_(AD_Account) cs4=12467 filePath=D:\\2. DRIVER\\drivers WIN7\\Drivers\\DP_CardReader_14032.7z\\O2Micro\\FORCED\\6x86\\ fname=O2MDFvst.INF cs5Label=Rule cs5=SAMPLE RULE SET cs6Label=Template cs6=Apex One policy cn3Label=Channel cn3=0 cn2Label=Action cn2=4 deviceFacility=Apex One
```
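
A parser for this record layout, as an added example (not Trend Micro code): it splits the seven header fields, walks the extension where values contain unescaped spaces, and pairs each `csN`/`cnN` value with its `Label`. `SAMPLE` is constructed from the log sample above; the function name `parse_dlp_cef` and the use of the table's header names as dictionary keys are assumptions of this example.

```python
import re

# Header field names as listed in the table above.
HEADER_KEYS = ["logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity"]

# Constructed input: the log sample above with line-wrap spaces removed.
SAMPLE = (
    r"CEF:0|Trend Micro|Apex Central|2019|700106|Data Loss Prevention|3|"
    r"cs3Label=Product_Entity/Endpoint cs3=Sample_Host dvchost=Sampledvchost "
    r"cs2Label=Policy cs2=N/A cn1Label=Product cn1=15 "
    r"rt=Oct 13 2017 02:54:04 GMT+00:00 src=10.0.9.34 smac=34-E6-D7-84-BC-7F "
    r"shost=shost1 cs4Label=Incident_Source_(AD_Account) cs4=12467 "
    r"filePath=D:\\2. DRIVER\\drivers WIN7\\Drivers\\DP_CardReader_14032.7z"
    r"\\O2Micro\\FORCED\\6x86\\ fname=O2MDFvst.INF cs5Label=Rule "
    r"cs5=SAMPLE RULE SET cs6Label=Template cs6=Apex One policy "
    r"cn3Label=Channel cn3=0 cn2Label=Action cn2=4 deviceFacility=Apex One"
)


def parse_dlp_cef(line):
    """Return header, raw extension fields, and label-resolved custom fields."""
    # Seven pipe-delimited header fields, then the extension; "\|" is an escaped pipe.
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(HEADER_KEYS, parts[:7]))
    ext = parts[7]

    # A key is a word followed by "=" at the start or after whitespace. Values
    # may contain spaces (rt, cs5, filePath), so each value runs to the next key.
    keys = list(re.finditer(r"(?<!\S)(\w+)=", ext))
    fields = {}
    for cur, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[cur.end(): nxt.start() if nxt else len(ext)].strip()
        # Undo CEF escaping of backslash and equals sign inside values.
        fields[cur.group(1)] = re.sub(r"\\([\\=])", r"\1", raw)

    # Pair csN/cnN with csNLabel/cnNLabel, e.g. cs5 -> "Rule".
    labeled = {fields[k + "Label"]: v for k, v in fields.items()
               if re.fullmatch(r"c[sn]\d", k) and k + "Label" in fields}
    return {"header": header, "fields": fields, "labeled": labeled}


if __name__ == "__main__":
    for label, value in parse_dlp_cef(SAMPLE)["labeled"].items():
        print(f"{label}: {value}")
```

The table lists the file path key as `filepath` while the sample emits `filePath`; compare key names case-insensitively if both spellings can reach your collector.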
 
		