CEF Suspicious File Logs

Header (logVer)

CEF format version

CEF:0

Header (vendor)

Appliance vendor

Trend Micro

Header (pname)

Appliance product

Apex Central

Header (pver)

Appliance version

2019

Header (eventid)

FH:Action

FH:Log

Header (eventName)

Name

Suspicious Files

Header (severity)

Severity

3

deviceExternalId

ID

Example: "1"

cat

Log type

Example: "1766"

deviceFacility

Product name

Example: "Apex One"

cn1Label

Corresponding label for the "cn1" field

Example: "SLF_ProductVersion"

cn1

Product version

Example: "11"

rt

Detection time

Example: "Nov 15 2017 02:47:21 GMT+00:00"

dst

Endpoint IPv4 address

Example: "10.201.86.151"

c6a3Label

Corresponding label for the "c6a3" field

Example: "Endpoint IPv6 Address"

c6a3

Endpoint IPv6 address

Example: "2620:101:4003:7a0:fd4b:52ed:53bd:ae3d"

dhost

Endpoint host name

Example: "APEX-ONE-CLIENT-1"

cs2Label

Corresponding label for the "cs2" field

Example: "SLF_TrueFileType"

cs2

File type

Example: "TEXT"

fileHash

File SHA-1

Example: "D6712CAE5EC821F910E14945153AE7871AA536CA"

cs3Label

Corresponding label for the "cs3" field

Example: "SLF_FileSource"

cs3

File path

Example: "C:\\Users\\Administrator\\Desktop\\BT-SHA1-SAMPLE\\BT-SHA1-SAMPLE\\017545113A434757C5F0F13095DBBF138BD76A40;0x36D572AE"

cn2Label

Corresponding label for the "cn2" field

Example: "SLF_SourceType"

cn2

C&C list source

Example: "0"

• 0: Sandbox

• 1: User-defined

act

Action

Example: "Log"

• 1: Log

• 2: Block

• 3: Quarantine

cn3Label

Corresponding label for the "cn3" field

Example: "SLF_ScanType"

cn3

Scan type

Example: "1"

• 1: Scheduled scan

• 2: Manual scan

• 3: Scan now

• 4: Real-time scan