
| CEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Apex Central |
| Header (pver) | Appliance version | 2019 |
| Header (eventid) | Device event class ID | 0: Allow; 1: Block; 2: Lockdown |
| Header (eventName) | Event name | Endpoint Application Control Violation Information |
| Header (severity) | Severity | 3 |
| deviceExternalId | ID | Example: "39" |
| rt | Event trigger time in UTC | Example: "Mar 22 2018 08:23:23 GMT+00:00" |
| dvchost | Computer name | Example: "localhost" |
| shost | Client host name | Example: "shost1" |
| cs1 | Product server pattern version | Example: "1297" |
| suser | Client user name | Example: "TREND\User" |
| cs2 | Client IPv4 address | Example: "10.0.17.6" |
| c6a3 | Client IPv6 address | Example: "fe80::38ca:cd15:443c:40bb%11" |
| cn1 | Client status | 1: Rebuilding database; 2: Online; 3: Offline |
| filehash | Application file SHA-1 hash | Example: "D6712CAE5EC821F910E14945153AE7871AA536CA" |
| fname | Application file name | Example: "notepad.exe" |
| cs3 | Application process command line | Example: "notepad.exe" |
| duser | User name | Example: "Admin004" |
| cs4 | Rule name | Example: "SAMPLE RULE SET" |
| cs5 | Policy name | Example: "SAMPLE POLICY" |
| act | Policy action | 0: Allowed; 1: Blocked; 2: Reported as allowed; 3: Reported as blocked |
| deviceFacility | Product name | Example: "Trend Micro Endpoint Application Control" |
| deviceNtDomain | Active Directory domain | Example: "APEXTMCM" |
| dntdom | Apex One domain hierarchy | Example: "OSCEDomain1" |
| ApexCentralHost | Apex Central host name | Example: "TW-CHRIS-W2019" |
| devicePayloadId | Unique message GUID | Example: "1C00290C0360-9CDE11EB-D4B8-F51F-C697" |
| TMCMdevicePlatform | Endpoint operating system | Example: "Windows 7 6.1 (Build 7601) Service Pack 1" |

Log sample:

```
CEF:0|Trend Micro|Apex Central|2019|EAC:1|Endpoint Application Control Violation Information|3|deviceExternalId=39 rt=Jun 27 2012 03:14:03 GMT+00:00 cs1Label=Version cs1=1.299.00 suser=TMCM\\QA cs2Label=ApplicationControlEvent_ClientIPAddress_V4 cs2=0.0.0.0 cn1Label=Connection_Status cn1=0 fileHash=c0869b72C5606D22D92A6AC986686BB87485A25b fname=P2P_TEST.exe cs3Label=Command cs3=C:\\P2P_TEST.exe duser=QA cs4Label=Rule cs4=Test cs5Label=Policy cs5=TestPolicy act=Blocked deviceFacility=Trend Micro Endpoint Application Control deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1
```
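A parser for records in this format, added here as an example (it is not Trend Micro's code): it consumes the seven pipe-delimited header fields, honours the CEF `\|`, `\\` and `\=` escapes, splits the extension only at `key=` boundaries so values containing spaces (rt, deviceFacility, TMCMdevicePlatform) survive intact, and resolves the csNLabel/cnNLabel pairs into named fields. The event-class lookup assumes the `EAC:<code>` eventid form seen in the log sample and uses the codes from the table above.

```python
import re
from typing import Dict, List, Tuple

# Constructed single-line copy of the page's log sample (the page wraps it over several lines).
SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|EAC:1|Endpoint Application Control Violation Information|3|"
    "deviceExternalId=39 rt=Jun 27 2012 03:14:03 GMT+00:00 cs1Label=Version cs1=1.299.00 "
    "suser=TMCM\\\\QA cs2Label=ApplicationControlEvent_ClientIPAddress_V4 cs2=0.0.0.0 "
    "cn1Label=Connection_Status cn1=0 fileHash=c0869b72C5606D22D92A6AC986686BB87485A25b "
    "fname=P2P_TEST.exe cs3Label=Command cs3=C:\\\\P2P_TEST.exe duser=QA cs4Label=Rule cs4=Test "
    "cs5Label=Policy cs5=TestPolicy act=Blocked deviceFacility=Trend Micro Endpoint Application Control "
    "deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 ApexCentralHost=TW-CHRIS-W2019 "
    "devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1"
)
HEADER = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
EVENT_CLASS = {"0": "Allow", "1": "Block", "2": "Lockdown"}   # eventid codes from the table above
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.-]+)=")          # a key= token at a field boundary

def _split_header(line: str) -> Tuple[List[str], str]:
    """Consume the seven pipe-delimited header fields; '\\|' and '\\\\' are escapes there."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        if line[i] == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1]); i += 2
        elif line[i] == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(line[i]); i += 1
    return fields, line[i:]                     # the remainder is the extension

def _unescape(value: str) -> str:
    """Extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' / '\\r' -> line-break characters."""
    return re.sub(r"\\([\\=nr])", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line: str) -> Dict[str, object]:
    fields, ext = _split_header(line.rstrip("\r\n"))
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    rec: Dict[str, object] = dict(zip(HEADER, fields))
    hits = list(_KEY.finditer(ext))
    raw: Dict[str, str] = {}
    for n, m in enumerate(hits):                # a value runs up to the space before the next key
        end = hits[n + 1].start() - 1 if n + 1 < len(hits) else len(ext)
        raw[m.group(1)] = _unescape(ext[m.end():end])
    # Resolve csNLabel/cnNLabel pairs into named fields: cs1Label=Version cs1=1.299.00 -> Version
    named = {v: raw[k[:-5]] for k, v in raw.items() if k.endswith("Label") and k[:-5] in raw}
    rec["extension"], rec["named"] = raw, named
    rec["eventClass"] = EVENT_CLASS.get(fields[4].rsplit(":", 1)[-1], "unknown")  # "EAC:<code>" form
    return rec
```

Note that the sample carries act=Blocked as text while the table lists numeric codes for act, so the parser keeps act verbatim rather than mapping it.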