| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Apex Central |
| Header (pver) | Appliance version | 2019 |
| Header (eventid) | AV:Action | AV:File renamed |
| Header (eventName) | Virus/Malware name | JS_EXPLOIT.SMDN |
| Header (severity) | Severity | 3 |
| cnt | Detections | Example: "10" |
| dhost | Endpoint | Example: "ApexOneClient01" |
| duser | User | Example: "Admin004" |
| act | Action | Example: "File renamed". For more information, see the Action Mapping Table. |
| rt | Log generation time in UTC | Example: "Oct 06 2017 08:39:46 GMT+00:00" |
| cn1Label | Corresponding label for the "cn1" field | Example: "VLF_PatternNumber" |
| cn1 | Pattern/Rule version | Example: "920500" |
| cn2Label | Corresponding label for the "cn2" field | Example: "VLF_SecondAction" |
| cn2 | Second action | Example: "3". For more information, see the Second Action Mapping Table. |
| cs1Label | Corresponding label for the "cs1" field | Example: "VLF_FunctionCode" |
| cs1 | Scan type | Example: "Manual Scan" |
| cs2Label | Corresponding label for the "cs2" field | Example: "VLF_EngineVersion" |
| cs2 | Engine version | Example: "9.500.1005" |
| cs3Label | Corresponding label for the "cs3" field | Example: "CLF_ProductVersion" |
| cs3 | Product version | Example: "11" |
| cs4Label | Corresponding label for the "cs4" field | Example: "CLF_ReasonCode" |
| cs4 | Reason code | Example: "virus log" |
| cs5Label | Corresponding label for the "cs5" field | Example: "VLF_FirstActionResult" |
| cs5 | First action result | Example: "Unable to clean file". For more information, see the Action Mapping Table. |
| cs6Label | Corresponding label for the "cs6" field | Example: "Second Action Result" |
| cs6 | Second action result | Example: "Unable to clean file. Passed". For more information, see the Action Mapping Table. |
| cat | Log type | Example: "1703" |
| dvchost | Product server name | Example: "ApexOneServer01" |
| cn3Label | Corresponding label for the "cn3" field | Example: "Overall_Risk_Rating" |
| cn3 | Severity code | Example: "0" |
| deviceExternalId | ID | Example: "3" |
| fname | File | Example: "FakeMalwareRebootDel.exe" |
| filePath | File path | Example: "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Rar$DR01.046\\" |
| msg | File in compressed file | Example: "BMAC Schedule of Events.xls" |
| shost | Source host | Example: "ABC-OSCE-WKS12" |
| suser | Source host | Example: "ABC-OSCE-WKS12" |
| dst | Endpoint IPv4 address | Example: "50.8.1.1" |
| c6a3Label | Corresponding label for the "c6a3" field | Example: "SLP_DestinationIP" |
| c6a3 | Endpoint IPv6 address | Example: "fe80::38ca:cd15:443c:40bb%11" |
| fileHash | File SHA-1 | Example: "D6712CAE5EC821F910E14945153AE7871AA536CA" |
| deviceFacility | Product name | Example: "Apex One" |
Log sample:

```
CEF:0|Trend Micro|Apex Central|2019|AV:File renamed|JS_EXPLOIT.SMDN|3|deviceExternalId=104 rt=Feb 18 2016 14:34:00 GMT+00:00 cnt=1 dhost=ApexOneClient01 duser=Admin004 act=File renamed cn1Label=VLF_PatternNumber cn1=920500 cn2Label=VLF_SecondAction cn2=3 cs1Label=VLF_FunctionCode cs1=Manual Scan cs2Label=VLF_EngineVersion cs2=9.500.1005 cs3Label=CLF_ProductVersion cs3=10.6 cs4Label=CLF_ReasonCode cs4=virus log cs5Label=VLF_FirstActionResult cs5=File renamed cs6Label=VLF_SecondActionResult cs6=N/A cat=1703 dvchost=ApexOneServer01 cn3Label=CLF_ServerityCode cn3=2 fname=0348C693056617D34FC5B5BAB4643885FEE5FEDF;0xD5D56AC2 filePath=C:\\Users\\Administrator\\Desktop\\trend_test_virus\\Trojans\\ msg=BMAC Schedule of Events.xls shost=ABC-OSCE-WKS12 suser=ABC-OSCE-WKS12 dst=10.201.129.24 deviceFacility=Apex One
```
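The field table above only makes sense once a collector has split the record correctly, and two details of this format trip up naive parsers: extension values such as `act`, `cs1`, `cs4`, `rt` and `msg` contain spaces, and backslashes in `filePath` are CEF-escaped (`\\` stands for one backslash, `\=` for an equals sign, `\|` for a pipe in the header). The parser below is an added example written for this page; it is not Trend Micro's or Apex Central's code. The function names `parse_cef` and `resolve_labels` are my own, the `SAMPLE` string is the page's log sample with the line-wrap artifacts removed, and the `ESCAPED` record is a constructed line (not from the page) used only to exercise the escape rules. `resolve_labels` turns the generic `cn1`/`cs1`/`c6a3` slots into the names carried in their `cn1Label`/`cs1Label`/`c6a3Label` companions, which is what a detection rule should key on rather than the slot number.

```python
import re

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# A new extension key begins after a space and looks like "word=". CEF keys never
# contain a backslash, so an escaped "\=" inside a value does not match here and
# values with embedded spaces (act, cs1, cs4, rt, msg) survive intact.
_KEY_BOUNDARY = re.compile(r" (?=[A-Za-z0-9_.]+=)")
# cn1Label / cs1Label / c6a3Label -> the slot they name (cn1 / cs1 / c6a3).
_LABEL_KEY = re.compile(r"^(c(?:n|s|6a)\d+)Label$")


def _unescape(value):
    """Undo CEF extension escapes: \\= -> =, \\\\ -> \\, \\n and \\r -> newline / CR."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_cef(line):
    """Return {'header': {...}, 'extension': {...}} for one CEF record."""
    fields, current, i = [], [], 0
    # Walk the seven pipe-delimited header fields, honouring \| and \\ escapes.
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) != len(HEADER_FIELDS) or not fields[0].startswith("CEF:"):
        raise ValueError("not a well-formed CEF record: %r" % line[:40])
    header = dict(zip(HEADER_FIELDS, fields))
    header["version"] = header["version"][len("CEF:"):]

    # Everything after the seventh pipe is the key=value extension.
    extension = {}
    rest = line[i:].strip()
    if rest:
        for pair in _KEY_BOUNDARY.split(rest):
            key, sep, value = pair.partition("=")
            if not sep:
                raise ValueError("extension token without '=': %r" % pair)
            extension[key] = _unescape(value)
    return {"header": header, "extension": extension}


def resolve_labels(extension):
    """Replace cnN/csN/c6aN slots by the names given in their *Label companions."""
    resolved = dict(extension)
    for key, label in extension.items():
        m = _LABEL_KEY.match(key)
        if m and m.group(1) in extension:
            resolved[label] = extension[m.group(1)]
            del resolved[key]
            del resolved[m.group(1)]
    return resolved


# The page's own log sample, with the line-wrap artifacts removed.
SAMPLE = (
    r"CEF:0|Trend Micro|Apex Central|2019|AV:File renamed|JS_EXPLOIT.SMDN|3|"
    r"deviceExternalId=104 rt=Feb 18 2016 14:34:00 GMT+00:00 cnt=1 "
    r"dhost=ApexOneClient01 duser=Admin004 act=File renamed "
    r"cn1Label=VLF_PatternNumber cn1=920500 cn2Label=VLF_SecondAction cn2=3 "
    r"cs1Label=VLF_FunctionCode cs1=Manual Scan cs2Label=VLF_EngineVersion "
    r"cs2=9.500.1005 cs3Label=CLF_ProductVersion cs3=10.6 cs4Label=CLF_ReasonCode "
    r"cs4=virus log cs5Label=VLF_FirstActionResult cs5=File renamed "
    r"cs6Label=VLF_SecondActionResult cs6=N/A cat=1703 dvchost=ApexOneServer01 "
    r"cn3Label=CLF_ServerityCode cn3=2 "
    r"fname=0348C693056617D34FC5B5BAB4643885FEE5FEDF;0xD5D56AC2 "
    r"filePath=C:\\Users\\Administrator\\Desktop\\trend_test_virus\\Trojans\\ "
    r"msg=BMAC Schedule of Events.xls shost=ABC-OSCE-WKS12 suser=ABC-OSCE-WKS12 "
    r"dst=10.201.129.24 deviceFacility=Apex One"
)

# Constructed record (not from the page) exercising the \| and \= escapes.
ESCAPED = (
    r"CEF:0|Trend Micro|Apex Central|2019|AV:File renamed|Name with \| pipe|3|"
    r"act=File renamed msg=key\=value cs1Label=VLF_FunctionCode cs1=Manual Scan"
)

if __name__ == "__main__":
    record = parse_cef(SAMPLE)
    print(record["header"])
    for key, value in sorted(resolve_labels(record["extension"]).items()):
        print("%-24s %s" % (key, value))
```

Note that `cn3Label` in the page's sample reads `CLF_ServerityCode` (as emitted by the product, not `Overall_Risk_Rating` as the table says) and that `cs6Label` in the sample is `VLF_SecondActionResult`; resolving labels at ingest time rather than hard-coding slot numbers is what keeps a rule working across such variations.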