CEF Key |
Description |
Value |
---|---|---|
Header (logVer) |
CEF format version |
CEF:0 |
Header (vendor) |
Appliance vendor |
Trend Micro |
Header (pname) |
Appliance product |
Apex Central |
Header (pver) |
Appliance version |
2019 |
Header (eventid) |
Device event class ID |
|
Header (eventName) |
Event name |
Endpoint Application Control Violation Information |
Header (severity) |
Severity |
3 |
deviceExternalId |
ID |
Example: "39" |
rt |
Event trigger time in UTC |
Example: "Mar 22 2018 08:23:23 GMT+00:00" |
dvchost |
Computer name |
Example: "localhost" |
shost |
Client host name |
Example: "shost1" |
cs1 |
Product server pattern version |
Example: "1297" |
suser |
Client user name |
Example: "TREND\User" |
cs2 |
Client IPv4 address |
Example: "10.0.17.6" |
c6a3 |
Client IPv6 address |
Example: "fe80::38ca:cd15:443c:40bb%11" |
cn1 |
Client status |
|
filehash |
Application file SHA-1 hash |
Example: "D6712CAE5EC821F910E14945153AE7871AA536CA" |
fname |
Application file name |
Example: "notepad.exe" |
cs3 |
Application process command line |
Example: "notepad.exe" |
duser |
User name |
Example: "Admin004" |
cs4 |
Rule name |
Example: "SAMPLE RULE SET" |
cs5 |
Policy name |
Example: "SAMPLE POLICY" |
act |
Policy action |
|
deviceFacility |
Product name |
Example: "Trend Micro Endpoint Application Control" |
deviceNtDomain |
Active Directory domain |
Example: APEXTMCM |
dntdom |
Apex One domain hierarchy |
Example: OSCEDomain1 |
ApexCentralHost |
Apex Central host name |
Example: TW-CHRIS-W2019 |
devicePayloadId |
Unique message GUID |
Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |
TMCMdevicePlatform |
Endpoint operating system |
Example: Windows 7 6.1 (Build 7601) Service Pack 1 |
Log sample:
CEF:0|Trend Micro|Apex Central|2019|EAC:1|Endpoint Applica tion Control Violation Information|3|deviceExternalId=39 rt= Jun 27 2012 03:14:03 GMT+00:00 cs1Label=Version cs1=1.299.00 suser=TMCM\\QA cs2Label=ApplicationControlEvent_ClientIPAdd ress_V4 cs2=0.0.0.0 cn1Label=Connection_Status cn1=0 fileHas h=c0869b72C5606D22D92A6AC986686BB87485A25b fname=P2P_TEST.ex e cs3Label=Command cs3=C:\\P2P_TEST.exe duser=QA cs4Label=Ru le cs4=Test cs5Label=Policy cs5=TestPolicy act=Blocked devic eFacility=Trend Micro Endpoint Application Control deviceNtD omain=APEXTMCM dntdom=OSCEDomain1 ApexCentralHost=TW-CHRIS- W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1