CEF Behavior Monitoring Logs | Trend Micro Service Central

Views:

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Product vendor	Trend Micro
Header (pname)	Product name	Apex Central
Header (pver)	Product version	2019
Header (eventid)	Behavior Monitoring policy ID	BM:1000
Header (eventName)	Log name	Behavior Monitoring
Header (severity)	Severity	3
rt	Event trigger time in UTC	Example: "Mar 22 2018 08:23:23 GMT+00:00"
dvchost	Host name	Example: "localhost"
cs2Label	Corresponding label for the "cs2" field	"Policy"
cs2	Policy type	Compromised executable file New startup program Host file modification Program library injection New Internet Explorer plugin Internet Explorer setting modification Shell modification New service Security policy modification Firewall policy modification System file modification Duplicated system file Layered service provider System process modification Suspicious behavior Newly encountered programs Unauthorized file encryption Threat behavior analysis User-defined policy
sproc	Target of the event	Example: "C:\\Windows\\SysWOW64\\rundll32.exe"
cs3Label	Corresponding label for the "cs3" field	"Event_Type"
cs3	Event type	Process Process image Registry File system Driver SDT System API User Mode Exploit All
cs4Label	Corresponding label for the "cs4" field	"Operation"
cs4	The operation to be performed by the target of the event	Create Process Open Terminate Delete Write Access Create File Close Execute Invoke Exploit Unhandled Operation
cs5Label	Corresponding label for the "cs5" field	"Risk_Level"
cs5	Risk level	Example: "1" 0: Low 1: High
TMCMLogTarget	Target host	Example: "HKCU\\Software\\Microsoft\\Windows\ \CurrentVersion\\Run\\COM+"
act	Translated action	Allow Ask Deny Terminate Read Only Read/Write Only Read/Execute Only Feedback Clean Unknown Assess Terminated. Files were recovered. Terminated. Some files were not recovered. Terminated. Files were not recovered. Terminated. Restart result: Files were recovered. Terminated: Restart result: Some files were not recovered. Terminated: Restart result: Files were not recovered.
shost	Source host (endpoint)	Example: "shost1"
src	Source host IP address	Example: "10.0.147.105"
deviceFacility	Product	Example: "Apex One"
reason	Critical threat type	Example: "E" A: Known Advanced Persistent Threat (APT) B: Social engineering attack C: Vulnerability attack D: Lateral movement E: Unknown threats F: C&C callback G: Ransomware
deviceNtDomain	Active Directory domain	Example: APEXTMCM
dntdom	Apex One domain hierarchy	Example: OSCEDomain1
TMCMLogDetectedHost	Endpoint name where the log event occurred	Example: MachineHostName
TMCMLogDetectedIP	IP address where the log event occurred	Example: 10.1.2.3
ApexCentralHost	Apex Central host name	Example: TW-CHRIS-W2019
devicePayloadId	Unique message GUID	Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697
TMCMdevicePlatform	Endpoint operating system	Example: Windows 7 6.1 (Build 7601) Service Pack 1

Log sample:

CEF:0|Trend Micro|Apex Central|2019|BM:1000|Behavior Monitor
ing|3|rt=Sep 20 2019 01:02:03 GMT+00:00 dvchost=localhost cs
5Label=Risk_Level cs5=1 cs2Label=Policy cs2=Threat Behavior 
Analysis sproc=subject cs3Label=Event_Type cs3=File system 
TMCMLogTarget=HKCU\\Software\\Microsoft\\Windows\\CurrentVer
sion\\Run\\COM+ act=Ask cs4Label=Operation cs4=Create Proces
s shost=shost1 src=10.0.76.40 deviceFacility=Apex One reason
=G deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetecte
dHost=shost1 TMCMLogDetectedIP=10.0.76.40 ApexCentralHost=TW
-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F
-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service 
Pack 1