| CEF Key | Description | Value | 
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 | 
| Header (vendor) | Appliance vendor | Trend Micro | 
| Header (pname) | Appliance product | Apex Central | 
| Header (pver) | Appliance version | 2019 | 
| Header (eventid) | PML:Action result | PML:File cleaned | 
| Header (eventName) | Detection name | virusa | 
| Header (severity) | Severity | 3 | 
| rt | The detection time in UTC | Example: "Feb 14 2017 11:14:08 GMT+00:00" | 
| dvchost | Product server | Example: "Sample_Host" | 
| cn1Label | Corresponding label for the "cn1" field | "Probable Threat Type" | 
| cn1 | Probable threat type | Example: "35143" For more information, see Threat Type Mapping Table. | 
| cs2Label | Corresponding label for the "cs2" field | "Security Threat" | 
| cs2 | Security threat | Example: "Troj.Win32.TRX.XXPE002FF017" | 
| shost | Infected endpoint | Example: "10.0.0.1" | 
| suser | Logon user | Example: "TREND\User" | 
| cn2Label | Corresponding label for the "cn2" field | "Type" | 
| cn2 | Detection type | Example: "0" |
| filePath | File path | Example: "D:\" | 
| fname | File name | Example: "ALCORMP.EXE" | 
| deviceCustomDate1 | File creation time | Example: "2017-04-26 05:53:27.000" | 
| sproc | System process | Example: "notepad.exe" | 
| cn4Label | Corresponding label for the "cn4" field | "Process Command" | 
| cs4 | Process command | Example: "notepad.exe" | 
| duser | Process owner | Example: "user1" | 
| app | Infection channel | Example: "10" |
| cs3Label | Corresponding label for the "cs3" field | "Infection Source" | 
| cs3 | Infection source | Example: "http://10.0.0.1/" | 
| dst | Product/Endpoint IPv4 Address | Example: "10.0.17.6" | 
| c6a3Label | Corresponding label for the "c6a3" field | "Product/Endpoint IP" | 
| c6a3 | Product/Endpoint IPv6 Address | Example: "fd66:5168:9882:6:b5b0:b2b5:4173:3f5d" | 
| cn3Label | Corresponding label for the "cn3" field | "Threat Probability" | 
| cn3 | Threat probability | Example: "82" | 
| act | Action result | Example: "21" For more information, see Action Result Mapping Table. | 
| filehash | File SHA-1 | Example: "52c17c785b45ee961f68fb17744276076f383085" | 
| dhost | Product entity/endpoint | Example: "dhost1" | 
| deviceExternalId | Log sequence number | Example: "100" | 
| deviceFacility | Product | Example: "Apex One" | 

Log sample:

CEF:0|Trend Micro|Apex Central|2019|PML:File cleaned|virusa|3|deviceFacility=1 dvchost=Sample_Host cs2Label=DetectionName cs2=virusa suser=Sample\\Administrator cn2Label=DetectionType cn2=0 filePath=C:\\WindowsFILENAME deviceCustomDate1Label=FileCreationDate deviceCustomDate1=Nov 03 2016 08:58:03 GMT+00:00 sproc=notepad.exe cs4Label=ProcessCommandLine cs4=notepad.exe -test duser=admin app=2 cs3Label=InfectionLocation cs3=http://10.0.0.1/ dst=10.0.17.6 cn3Label=Confidence cn3=82 act=21
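
A parser for the record layout above, as an added example (not Trend Micro's code): it splits the seven header fields, keeps extension values that contain spaces (the `cs4` command line, the `deviceCustomDate1` timestamp) intact, and pairs each `*Label` key with its value. `SAMPLE` is this page's log sample with the line-wrap spaces removed; the names `parse_cef`, `PAIR` and `HEADER_KEYS` are chosen for this example.

```python
import re

# Constructed input: this page's log sample with the line-wrap spaces removed.
SAMPLE = (
    r"CEF:0|Trend Micro|Apex Central|2019|PML:File cleaned|virusa|3|"
    r"deviceFacility=1 dvchost=Sample_Host cs2Label=DetectionName cs2=virusa "
    r"suser=Sample\\Administrator cn2Label=DetectionType cn2=0 "
    r"filePath=C:\\WindowsFILENAME deviceCustomDate1Label=FileCreationDate "
    r"deviceCustomDate1=Nov 03 2016 08:58:03 GMT+00:00 sproc=notepad.exe "
    r"cs4Label=ProcessCommandLine cs4=notepad.exe -test duser=admin app=2 "
    r"cs3Label=InfectionLocation cs3=http://10.0.0.1/ dst=10.0.17.6 "
    r"cn3Label=Confidence cn3=82 act=21"
)

# Header field names as given in the table's "Header (...)" rows.
HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

# A value runs until the next " key=" token or end of line. Splitting on
# spaces instead would cut "notepad.exe -test" down to "notepad.exe".
# An escaped "\=" inside a value does not start a new key.
PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", re.DOTALL)


def _unescape(value):
    # CEF escapes: "\\" -> "\", "\=" -> "=", "\|" -> "|", "\n" and "\r" -> line breaks.
    breaks = {"n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: breaks.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Return (header, extension, labelled) dicts for one CEF record."""
    # Seven header fields separated by unescaped pipes, then the extension.
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(HEADER_KEYS, (_unescape(p) for p in parts[:7])))
    extension = {k: _unescape(v) for k, v in PAIR.findall(parts[7])}
    # Resolve custom fields through their labels, e.g. cn3Label=Confidence, cn3=82.
    labelled = {
        label: extension[key[:-5]]
        for key, label in extension.items()
        if key.endswith("Label") and key[:-5] in extension
    }
    return header, extension, labelled


if __name__ == "__main__":
    for section in parse_cef(SAMPLE):
        print(section)
```

Resolving custom fields through their `*Label` keys keeps a SIEM mapping tied to the label the record actually carries, not to the bare `cs`/`cn` slot number.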
 
		