CEF Data Loss Prevention Logs | Trend Micro Service Central

Views:

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Apex Central
Header (pver)	Appliance version	2019
Header (eventid)	Event ID	700106
Header (eventName)	Log name	Data Loss Prevention
Header (severity)	Severity	3
cs1Label	Corresponding label for the "cs1" field	"Policy GUID"
cs1	Policy GUID	Example: "FAF492CF-164C-4672-9A79-F1AB9CB288A3"
cn1Label	Corresponding label for the "cn1" field	"Product"
cn1	Product type value	Example: "15"
rt	Event trigger time in UTC	Example: "Mar 22 2018 08:23:23 GMT+00:00"
src	Source host IP address	Example: "10.0.57.160"
smac	Source host MAC address	Example: "74-27-00-0C-65-E7"
shost	Source host name	Example: "shost1"
cs4Label	Corresponding label for the "cs4" field	"Incident_Source_(AD_Account)"
cs4	The user name in violation	Example: "Trend"
suser	Email sender	Example: "sender@example.com"
request	The URL accessed	Example: "https://example.com/api/content"
duser	Comma (,) separated list of recipients	Example: "user1@example.com;user2@example.com;"
msg	Subject	Example: "Sample,20171017"
filepath	File path	Example: "D:\\Windows Live Mail\\Storage Folders\\Imported Fo e52\\Local Folders\\Sent Items\\Archive Aft de1\\Clients,Adv 22b\\"
fname	Trigger file name	Example: "2B43363A-000000A4.eml"
fsize	File size in bytes	Example: "3"
cs5Label	Corresponding label for the "cs5" field	"Rule"
cs5	Rule name	Example: "SAMPLE RULE SET"
cs6Label	Corresponding label for the "cs6" field	"Template"
cs6	Template name	Example: "Apex One policy"
cn3Label	Corresponding label for the "cn3" field	"Channel"
cn3	Channel type	Example: "3" For more information, see Channel Mapping Table.
cn2Label	Corresponding label for the "cn2" field	"Action"
cn2	Action result	Example: "4" For more information, see Action Result Mapping Table.
cs2Label	Corresponding label for the "cs2" field	"Policy"
cs2	Policy name	Example: "OfficeScan"
cs3Label	Corresponding label for the "cs3" field	"Product_Entity/Endpoint"
cs3	Endpoint host name	Example: "Sample_Host"
dvchost	Server host name	Example: "localhost"
deviceFacility	Product name	Example: "Apex One"
deviceNtDomain	Active Directory domain	Example: APEXTMCM
dntdom	Apex One domain hierarchy	Example: OSCEDomain1
externalId	Log ID of the event	Example: "101"
cfp1Label	Corresponding label for the "cfp1Label" field	"ForensicFileAvailable"
cfp1	Indicates whether the forensic file can be downloaded	0: The file cannot be downloaded 1: The file can be downloaded
TMCMLogDetectedHost	Endpoint name where the log event occurred	Example: MachineHostName
TMCMLogDetectedIP	IP address where the log event occurred	Example: 10.1.2.3
ApexCentralHost	Apex Central host name	Example: TW-CHRIS-W2019
devicePayloadId	Unique message GUID	Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697
TMCMdevicePlatform	Endpoint operating system	Example: Windows 7 6.1 (Build 7601) Service Pack 1

Log sample:

CEF:0|Trend Micro|Apex Central|2019|700106|Data Loss Prevent
ion|3|cs3Label=Product_Entity/Endpoint cs3=Sample_Host dvc
host=Sampledvchost cs2Label=Policy cs2=N/A cn1Label=Product 
cn1=15 rt=Oct 13 2017 02:54:04 GMT+00:00 src=10.0.9.34 smac=
34-E6-D7-84-BC-7F shost=shost1 cs4Label=Incident_Source_(AD_
Account) cs4=12467 filePath=D:\\2. DRIVER\\drivers WIN7\\Dri
vers\\DP_CardReader_14032.7z\\O2Micro\\FORCED\\6x86\\ fname=
O2MDFvst.INF cs5Label=Rule cs5=SAMPLE RULE SET cs6Label=Temp
late cs6=Apex One policy cn3Label=Channel cn3=0 cn2Label=Act
ion cn2=4 deviceFacility=Apex One deviceNtDomain=APEXTMCM dn
tdom=OSCEDomain1 externalId=101 cfp1Label=ForensicFileAvaila
ble cfp1=0 dvchost=localhost TMCMLogDetectedHost=ApexOneClie
nt01 TMCMLogDetectedIP=10.201.86.187 ApexCentralHost=TW-CHRI
S-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697
 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack
 1