| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Apex Central |
| Header (pver) | Appliance version | 2019 |
| Header (eventid) | NCIE:Action | NCIE:Pass |
| Header (eventName) | Name | Suspicious Connection |
| Header (severity) | Severity | 3 |
| deviceExternalId | ID | Example: "1" |
| cat | Log type | Example: "1756" |
| deviceFacility | Product name | Example: "Apex One" |
| rt | Log generation time in UTC | Example: "Oct 11 2017 06:34:06 GMT+00:00" |
| deviceProcessName | Target Process | Example: "C:\\Windows\\system32\\svchost-1.exe" |
| src | Source IPv4 address | Example: "10.201.86.152" |
| c6a2Label | Corresponding label for the "c6a2" field | Example: "SLF_SourceIP" |
| c6a2 | Source IPv6 address | Example: "2620:101:4003:7a0:fd4b:52ed:53bd:ae3d" |
| spt | Source port | Example: "54594" |
| dst | Destination IPv4 address | Example: "10.69.81.64" |
| c6a3Label | Corresponding label for the "c6a3" field | Example: "SLF_DestinationIP" |
| c6a3 | Destination IPv6 address | Example: "fe80::38ca:cd15:443c:40bb%11" |
| dpt | Destination port | Example: "80" |
| act | Action | Example: "Pass" |
| deviceDirection | Traffic/Connection | Example: "Inbound" |
| cn1Label | Corresponding label for the "cn1" field | Example: "SLF_PatternType" |
| cn1 | Pattern type | Example: "2" |
| cs2Label | Corresponding label for the "cs2" field | Example: "NCIE_ThreatName" |
| cs2 | Threat name | Example: "Malicious_identified_CnC_querying_on_UDP_detected" |

Log sample:

```
CEF:0|Trend Micro|Apex Central|2019|NCIE:Pass|Suspicious Connection|3|deviceExternalId=1 rt=Oct 11 2017 06:34:06 GMT+00:00 cat=1756 deviceFacility=Apex One deviceProcessName=C:\\Windows\\system32\\svchost-1.exe act=Pass src=10.201.86.152 dst=10.69.81.64 spt=54594 dpt=80 deviceDirection=None cn1Label=SLF_PatternType cn1=2 cs2Label=NCIE_ThreatName cs2=Malicious_identified_CnC_querying_on_UDP_detected
```
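For ingesting this record into a SIEM or detection pipeline, the following Python parser is an added example, not code from Trend Micro. It splits the header, keeps values that contain spaces intact, and renames `cn1`/`cs2` to the names carried in their `*Label` keys. The function names are hypothetical, and the backslash handling assumes standard CEF escaping, as the doubled backslashes in `deviceProcessName` suggest.

```python
import re

# Constructed input: the log sample from this page with its line-wrap spaces removed.
SAMPLE = (
    r"CEF:0|Trend Micro|Apex Central|2019|NCIE:Pass|Suspicious Connection|3|"
    r"deviceExternalId=1 rt=Oct 11 2017 06:34:06 GMT+00:00 cat=1756 "
    r"deviceFacility=Apex One "
    r"deviceProcessName=C:\\Windows\\system32\\svchost-1.exe "
    r"act=Pass src=10.201.86.152 dst=10.69.81.64 spt=54594 dpt=80 "
    r"deviceDirection=None cn1Label=SLF_PatternType cn1=2 cs2Label=NCIE_ThreatName "
    r"cs2=Malicious_identified_CnC_querying_on_UDP_detected"
)

# Header names as used in the table above.
HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")   # start of a key=value pair
ESCAPE_RE = re.compile(r"\\(.)")         # a backslash followed by the escaped character


def unescape(value):
    # Undo backslash escaping: "\n" becomes a newline, any other escaped char is kept.
    return ESCAPE_RE.sub(lambda m: "\n" if m.group(1) == "n" else m.group(1), value)


def parse_cef(line):
    """Return (header, extension) dicts for one CEF record."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(HEADER_KEYS, map(unescape, parts[:7])))
    ext, fields = parts[7], {}
    keys = list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        # A value runs to the next key, so it may contain spaces ("Apex One").
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():end].strip())
    return header, fields


def resolve_labels(fields):
    """Rename custom fields (cn1, cs2, c6a2, c6a3) to the name in their *Label key."""
    out = {}
    for key, value in fields.items():
        if key.endswith("Label") and key[:-5] in fields:
            continue  # the label is metadata for another field, not an event value
        out[fields.get(key + "Label", key)] = value
    return out


if __name__ == "__main__":
    header, fields = parse_cef(SAMPLE)
    print(header["eventName"], resolve_labels(fields))
```
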
		