Note: Sandbox Detection logs are called Virtual Analyzer Detections on the Apex Central console.

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Apex Central |
| Header (pver) | Appliance version | 2019 |
| Header (eventid) | Device event class ID | VAD |
| Header (eventName) | Event name | Virtual Analyzer detection name |
| Header (severity) | Severity | 3 |
| deviceExternalId | ID | Example: "2" |
| rt | Log generation time in UTC | Example: "Mar 22 2018 08:23:23 GMT+00:00" |
| deviceFacility | Product type | Example: "Apex One" |
| dvchost | Server name | Example: "OSCE01" |
| dhost | Endpoint name | Example: "Isolate-ClientA" |
| dst | Endpoint IPv4 address | Example: "10.0.17.6" |
| c6a3 | Endpoint IPv6 address | Example: "fe80::38ca:cd15:443c:40bb%11" |
| app | Entry channel | Example: "0". For more information, see Protocol Mapping Table. |
| sourceServiceName | Source | Example: "Test1@tmcm.extbeta.com" |
| destinationServiceName | Destination | Example: "Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com" |
| sproc | Process name | Example: "VA" |
| fileHash | File SHA-1 hash | Example: "D6712CAE5EC821F910E14945153AE7871AA536CA" |
| fname | File name | Example: "C:\\\\QA_Log.zip" |
| request | URL | Example: "http://127.1.1.1" |
| cs1 | The name of the security threat determined by Virtual Analyzer | Example: "VAN_RANSOMWARE.umxxhelloransom_abc" |
| cn1 | Displays the risk level assigned by Virtual Analyzer | Example: "0". Values: 0: No risk; 1: Low risk; 2: Medium risk; 3: High risk; 9999: Unknown |
| cs2 | Displays the security threat type | Example: "Anti-security, self-preservation" |
| cs3 | Cloud storage vendor | Example: "Google Drive". Values: Dropbox; Box; Google Drive; Microsoft OneDrive; SugarSync; Hightail; Evernote; Microsoft Exchange Online; Microsoft SharePoint Online; Unknown; N/A |

Log sample:

CEF:0|Trend Micro|Apex Central|2019|VAD|VAN_RANSOMWARE.umxxhelloransom_abc|3|deviceExternalId=2 rt=Mar 22 2018 08:23:23 GMT+00:00 deviceFacility=Apex One dvchost=OSCE01 dhost=Isolate-ClientA dst=0.0.0.0 app=1 sourceServiceName=Test1@trend.com.tw destinationServiceName=Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com sproc=VA fileHash=3395856CE81F2B7382DEE72602F798B642F14140 fname=C:\\\\QA_Log.zip request=http://127.1.1.1 cs1Label=Security_Threat cs1=VAN_RANSOMWARE.umxxhelloransom_abc cn1Label=Risk_Level cn1=0 cs2Label=Threat_Categories cs2=Anti-security, self-preservation cs3Label=Cloud_Service_Vendor cs3=Google Drive
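An added example, not Trend Micro's code, that parses the log sample above into the keys of this table, resolves the csN/cnN custom fields through their Label keys, and decodes cn1 with the risk-level values listed for it. The sample string is a constructed copy of the page's log sample rejoined onto one line; the header split and the `\|`, `\=` and `\\` escaping rules are assumed from the CEF:0 format rather than stated on this page.

```python
import re
from typing import Dict

# Constructed copy of this page's log sample, rejoined onto one line.
SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|VAD|VAN_RANSOMWARE.umxxhelloransom_abc|3|"
    "deviceExternalId=2 rt=Mar 22 2018 08:23:23 GMT+00:00 deviceFacility=Apex One "
    "dvchost=OSCE01 dhost=Isolate-ClientA dst=0.0.0.0 app=1 "
    "sourceServiceName=Test1@trend.com.tw "
    "destinationServiceName=Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com "
    "sproc=VA fileHash=3395856CE81F2B7382DEE72602F798B642F14140 "
    r"fname=C:\\\\QA_Log.zip request=http://127.1.1.1 "
    "cs1Label=Security_Threat cs1=VAN_RANSOMWARE.umxxhelloransom_abc "
    "cn1Label=Risk_Level cn1=0 cs2Label=Threat_Categories "
    "cs2=Anti-security, self-preservation cs3Label=Cloud_Service_Vendor cs3=Google Drive"
)

HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
RISK_LEVELS = {0: "No risk", 1: "Low risk", 2: "Medium risk", 3: "High risk", 9999: "Unknown"}
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # "key="; an escaped "\=" never matches


def _unescape(value: str) -> str:
    # Assumed CEF extension escaping: "\=" for "=" and "\\" for a single backslash.
    return value.replace(r"\=", "=").replace("\\\\", "\\")


def parse_cef(line: str) -> Dict[str, str]:
    """Return the seven header fields plus every extension key/value pair of one CEF line."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # a literal pipe in the header is "\|"
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 line")
    fields = dict(zip(HEADER_KEYS, parts[:7]))
    ext = parts[7]
    matches = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(matches):  # a value runs up to the next "key=" (values may contain spaces)
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def virtual_analyzer_summary(fields: Dict[str, str]) -> Dict[str, str]:
    """Map csN/cnN fields to their Label names and decode cn1 (Risk_Level) per the table."""
    if fields.get("eventid") != "VAD":
        raise ValueError("not a Virtual Analyzer detection (eventid != VAD)")
    summary = {}
    for key, value in fields.items():
        if key.endswith("Label") and key[:-5] in fields:  # e.g. cs1Label -> cs1
            summary[value] = fields[key[:-5]]
    level = summary.get("Risk_Level", "9999")
    summary["Risk_Level"] = RISK_LEVELS.get(int(level) if level.isdigit() else 9999, "Unknown")
    return summary
```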