CEF Content Security Logs | Trend Micro Service Central

Views:

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Apex Central
Header (pver)	Appliance product version	2019
Header (eventid)	MS: Filter action	MS:Clean
Header (eventName)	Policy name	Policy
Header (severity)	Severity	3
cnt	Number of detections	Example: 10
dhost	List of all recipients	Example: employee_a1@Acompany.com;employee_a2@Acompany.com
duser	One of the recipients	Example: employee_a1@Acompany.com
act	Filter action	Example: "Clean" For more information, see Filter Action Mapping Table.
cs1Label	Corresponding label for the "cs1" field	Example: "Policy_Settings"
cs1	Policy settings	Example: "Default_policy"
cs2Label	Corresponding label for the "cs2" field	Example: "Product_Version"
cs2	Product version	Example: "11"
cs3Label	Corresponding label for the "cs3" field	Example: "Filter_Type"
cs3	Filter type	Example: "URL reputation filter" 0: Unknown 1: ContentFilter 2: AttachmentFilter 3: StandardFilter 4: SizeFilter 5: DisclaimerMgr 6: SpamFilter 7: OPP 8: ImportFilter 9: PhishingFilter 10: UrlReputationFilter
cs4Label	Corresponding label for the "cs4" field	Example: "CLF_ReasonCode"
cs4	Reason Code	Example: "access"
cs5Label	Corresponding label for the "cs5" field	Example: "CLF_ReasonCodeSource"
cs5	Reason code source	Example: "web"
cs6Label	Corresponding label for the "cs6" field	Example: "Action_on_Message"
cs6	Action	Example: "3" 0: Unknown 1: N/A 2: Deliver 3: Delete 4: Quarantine 5: Postpone 6: Forward 7: Replace 8: Archive 100: Strip 101: Pass
cat	Log type	Example: "1705"
dvchost	Endpoint host name	Example: "ApexOneClient01"
rt	Event trigger time in UTC	Example: "Mar 22 2018 08:23:23 GMT+00:00"
cn1Label	Corresponding label for the "cn1" field	Example: "Severity"
cn1	Severity code	Example: "2" 0: Unknown 1: Information 2: Warning 3: Error 4: Critical
TMCMLogSeverity	Description of severity	Second scan engine
cn2Label	Corresponding label for the "cn2" field	Filter_Action_Result
cn2	Filter action result	Example: 21 For more information, see Filter Action Result Mapping Table.
deviceExternalId	ID	Example: "5"
fname	File	Example: "RERERW~42w.exe"
msg	Subject	Example: "Open this email to win a free phone"
shost	List of all senders/users in violation	Example: "bear" <bear@abc.mail.com>;"yumi" <yumi@abc.mail.com>
suser	One of the senders/users in violation	Example: "bear" <bear@abc.mail.com>
deviceFacility	Product	Example: "Deep Discovery Email Inspector"
src	Email sender IP address	Example: "10.206.155.122"
filepath	Suspicious file location	Example: "https://ca91-1.testurl.com:443"
request	Suspicious URL	Example: "https://ca91-1.testurl.com:443"
reason	Critical threat type	Example: "E" A: Known Advanced Persistent Threat (APT) B: Social engineering attack C: Vulnerability attack D: Lateral movement E: Unknown threats F: C&C callback G: Ransomware
ApexCentralHost	Apex Central host name	Example: TW-CHRIS-W2019
devicePayloadId	Unique message GUID	Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697
TMCMdevicePlatform	Endpoint operating system	Example: Windows 7 6.1 (Build 7601) Service Pack 1

Log sample:

CEF:0|Trend Micro|Apex Central|2019|MS:Clean|This is a policy
name|3|deviceExternalId=90045 rt=Sep 17 2018 01:27:42 GMT+00
:00 dhost=user@test.com duser=user@test.com act=Clean cs1Label
=Policy_Settings cs1=This is policy content cs2Label=CLF_Produ
ctVersion cs2=3.2 cs3Label=Filter_Type cs3=URL reputation filt
er cs5Label=CLF_ReasonCodeSource cs5=20 cs6Label=Action_on_Mes
sage cs6=0 cat=1705 dvchost=ApexOneClient01 cn1Label=Severity
cn1=2 TMCMLogSeverity=Second scan engine fname=NE_AEP.1550
msg=plain_qp_no8_av1u_NE_AEP.1550 shost=user2@test.com suser=
user2@test.com cn2Label=Filter_Action_Result cn2=21 deviceFaci
lity=Deep Discovery Email Inspector src=10.206.155.122 reason=
B,G ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C036
0-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (B
uild 7601) Service Pack 1