If one Attack Discovery detection log relates to more than 4 objects, Apex Central only forwards the first 4 objects.
|
CEF Key |
Description |
Value |
|---|---|---|
|
Header (logVer) |
CEF format version |
CEF:0 |
|
Header (vendor) |
Appliance vendor |
Trend Micro |
|
Header (pname) |
Appliance product |
Apex Central |
|
Header (pver) |
Appliance version |
2019 |
|
Header (eventid) |
Event ID |
700220 |
|
Header (eventName) |
Log name |
Attack Discovery Detections |
|
Header (severity) |
Severity |
3 |
|
deviceExternalId |
ID |
Example: "38" |
|
rt |
Event trigger time in UTC |
Example: "Mar 22 2018 08:23:23 GMT+00:00" |
|
dhost |
Endpoint host name |
Example: "ApexOneClient01" |
|
dst |
Client IPv4 address |
Example: "10.0.8.20" |
|
C6a3 |
Client IPv6 address |
Example: "fd96:7521:9502:6:b5b0:b2b5:4173:3f5d" |
|
duser |
User name |
Example: "Admin004" |
|
customerExternalID |
Instance ID |
Example: "8c1e2d8f-a03b-47ea-aef8-5aeab99ea697" |
|
cn1Label |
Corresponding label for the "cn1" field |
"SLF_RiskLevel" |
|
cn1 |
Risk Level |
Example: "0"
|
|
cn2Label |
Corresponding label for the "cn2" field |
"SLF_PatternNumber" |
|
cn2 |
Pattern Number |
Example: "30.1012.00" |
|
cs1Label |
Corresponding label for the "cs1" field |
"SLF_RuleID" |
|
cs1 |
Rule ID |
Example: "powershell invoke expression" |
|
cat |
Category ID |
Example: "point of entry" |
|
cs2Label |
Corresponding label for the "cs2" field |
"SLF_ADEObjectGroup_Info_1" |
|
cs2 |
Attack Discovery object information |
Example: process - powershell.exe - {
"META_FILE_MD5" :
"9393f60b1739074eb17c5f4ddd
efe239",
"META_FILE_NAME" :
"powershell.exe",
"META_FILE_SHA1" :
"887ce4a295c163791b60fc23d2
85e6d84f28ee4c",
"META_FILE_SHA2" :
"de96a6e50044335375dc1ac238
336066889d9ffc7d73628ef4fe
1b1b160ab32c",
"META_PATH" :
"c:\\windows\\system32\\wi
ndowspowershell\\v1.0\\",
"META_PROCESS_CMD" :
[ "powershell cmd " ],
"META_PROCESS_PID" : 7132,
"META_SIGNER" :
"microsoft windows",
"META_SIGNER_VALIDATION" :
true,
"META_USER_USER_NAME" :
"Administrator",
"META_USER_USER_SERVERNAME" :
"Host",
"OID" : 1
}
|
|
cs3Label |
Corresponding label for the "cs3" field |
"SLF_ADEObjectGroup_Info_2" |
|
cs3 |
Attack Discovery object information |
Example: process - powershell.exe - {
"META_FILE_MD5" :
"9393f60b1739074eb17c5f4ddd
efe239",
"META_FILE_NAME" :
"powershell.exe",
"META_FILE_SHA1" :
"887ce4a295c163791b60fc23d2
85e6d84f28ee4c",
"META_FILE_SHA2" :
"de96a6e50044335375dc1ac238
336066889d9ffc7d73628ef4fe
1b1b160ab32c",
"META_PATH" :
"c:\\windows\\system32\\wi
ndowspowershell\\v1.0\\",
"META_PROCESS_CMD" :
[ "powershell cmd " ],
"META_PROCESS_PID" : 7132,
"META_SIGNER" :
"microsoft windows",
"META_SIGNER_VALIDATION" :
true,
"META_USER_USER_NAME" :
"Administrator",
"META_USER_USER_SERVERNAME" :
"Host",
"OID" : 1
}
|
|
cs4Label |
Corresponding label for the "cs4" field |
"SLF_ADEObjectGroup_Info_3" |
|
cs4 |
Attack Discovery object information |
Example: process - powershell.exe - {
"META_FILE_MD5" :
"9393f60b1739074eb17c5f4ddd
efe239",
"META_FILE_NAME" :
"powershell.exe",
"META_FILE_SHA1" :
"887ce4a295c163791b60fc23d2
85e6d84f28ee4c",
"META_FILE_SHA2" :
"de96a6e50044335375dc1ac238
336066889d9ffc7d73628ef4fe
1b1b160ab32c",
"META_PATH" :
"c:\\windows\\system32\\wi
ndowspowershell\\v1.0\\",
"META_PROCESS_CMD" :
[ "powershell cmd " ],
"META_PROCESS_PID" : 7132,
"META_SIGNER" :
"microsoft windows",
"META_SIGNER_VALIDATION" :
true,
"META_USER_USER_NAME" :
"Administrator",
"META_USER_USER_SERVERNAME" :
"Host",
"OID" : 1
}
|
|
cs5Label |
Corresponding label for the "cs5" field |
"SLF_ADEObjectGroup_Info_4" |
|
cs5 |
Attack Discovery object information |
Example: process - powershell.exe - {
"META_FILE_MD5" :
"9393f60b1739074eb17c5f4ddd
efe239",
"META_FILE_NAME" :
"powershell.exe",
"META_FILE_SHA1" :
"887ce4a295c163791b60fc23d2
85e6d84f28ee4c",
"META_FILE_SHA2" :
"de96a6e50044335375dc1ac238
336066889d9ffc7d73628ef4fe
1b1b160ab32c",
"META_PATH" :
"c:\\windows\\system32\\wi
ndowspowershell\\v1.0\\",
"META_PROCESS_CMD" :
[ "powershell cmd " ],
"META_PROCESS_PID" : 7132,
"META_SIGNER" :
"microsoft windows",
"META_SIGNER_VALIDATION" :
true,
"META_USER_USER_NAME" :
"Administrator",
"META_USER_USER_SERVERNAME" :
"Host",
"OID" : 1
}
|
|
deviceNtDomain |
Active Directory domain |
Example: APEXTMCM |
|
dntdom |
Apex One domain hierarchy |
Example: OSCEDomain1 |
|
TMCMLogDetectedHost |
Endpoint name where the log event occurred |
Example: MachineHostName |
|
TMCMLogDetectedIP |
IP address where the log event occurred |
Example: 10.1.2.3 |
|
ApexCentralHost |
Apex Central host name |
Example: TW-CHRIS-W2019 |
|
devicePayloadId |
Unique message GUID |
Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |
|
TMCMdevicePlatform |
Endpoint operating system |
Example: Windows 7 6.1 (Build 7601) Service Pack 1 |
Log sample:
CEF:0|Trend Micro|Apex Central|2019|700211|Attack Discovery
Detections|3|deviceExternalId=5 rt=Jan 17 2019 03:38:06 GMT+
00:00 dhost=VCAC-Window-331 dst=10.201.86.150 customerExtern
alID=8c1e2d8f-a03b-47ea-aef8-5aeab99ea697 cn1Label=SLF_RiskL
evel cn1=0 cn2Label=SLF_PatternNumber cn2=30.1012.00 cs1Labe
l=SLF_RuleID cs1=powershell invoke expression cat=point of e
ntry cs2Label=SLF_ADEObjectGroup_Info_1 cs2=process - code9.
exe - {USER: administrator09} deviceNtDomain=APEXTMCM dntdom
=OSCEDomain1 TMCMLogDetectedHost=VCAC-Window-331 TMCMLogDete
ctedIP=10.201.86.150 ApexCentralHost=TW-CHRIS-W2019devicePay
loadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatfo
rm=Windows 7 6.1 (Build 7601) Service Pack 1