CEF Key |
Description |
Value |
---|---|---|
Header (logVer) |
CEF format version |
CEF:0 |
Header (vendor) |
Appliance vendor |
Trend Micro |
Header (pname) |
Appliance product |
Apex Central |
Header (pver) |
Appliance version |
2019 |
Header (eventid) |
FH:Action |
FH:Log |
Header (eventName) |
Name |
Suspicious Files |
Header (severity) |
Severity |
3 |
deviceExternalId |
ID |
Example: "1" |
cat |
Log type |
Example: "1766" |
deviceFacility |
Product |
Example: "Apex One" |
cn1Label |
Corresponding label for the "cn1" field |
Example: "SLF_ProductVersion" |
cn1 |
Product version |
Example: "11" |
rt |
Event trigger time in UTC |
Example: "Mar 22 2018 08:23:23 GMT+00:00" |
dst |
Endpoint IPv4 address |
Example: "10.201.86.151" |
c6a3Label |
Corresponding label for the "c6a3" field |
Example: "Endpoint IPv6 Address" |
c6a3 |
Endpoint IPv6 address |
Example: "2620:101:4003:7a0:fd4b:52ed:53bd:ae3d" |
dhost |
Endpoint host name |
Example: "APEX-ONE-CLIENT-1" |
cs2Label |
Corresponding label for the "cs2" field |
Example: "SLF_TrueFileType" |
cs2 |
File type |
Example: "TEXT" |
fileHash |
File SHA-1 |
Example: "D6712CAE5EC821F910E14945153AE7871AA536CA" |
cs3Label |
Corresponding label for the "cs3" field |
Example: "SLF_FileSource" |
cs3 |
File path |
Example: "C:\\Users\\Administrator\\Desktop\\BT-SHA1-SAMPLE\\BT-SHA1-SAMPLE\\017545113A434757C5F0F13095DBBF138BD76A40;0x36D572AE" |
cn2Label |
Corresponding label for the "cn2" field |
Example: "SLF_SourceType" |
cn2 |
C&C list source |
Example: "0"
|
act |
Action |
Example: "Log"
|
cn3Label |
Corresponding label for the "cn3" field |
Example: "SLF_ScanType" |
cn3 |
Scan type |
Example: "1"
|
reason |
Critical threat type |
Example: "E"
|
deviceNtDomain |
Active Directory domain |
Example: APEXTMCM |
dntdom |
Apex One domain hierarchy |
Example: OSCEDomain1 |
TMCMLogDetectedHost |
Endpoint name where the log event occurred |
Example: MachineHostName |
TMCMLogDetectedIP |
IP address where the log event occurred |
Example: 10.1.2.3 |
ApexCentralHost |
Apex Central host name |
Example: TW-CHRIS-W2019 |
devicePayloadId |
Unique message GUID |
Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |
TMCMdevicePlatform |
Endpoint operating system |
Example: Windows 7 6.1 (Build 7601) Service Pack 1 |
Log sample:
CEF:0|Trend Micro|Apex Central|2019|FH:Log|Suspicious File s|3|deviceExternalId=1 rt=Nov 15 2016 02:47:21 GMT+00:00 cat =1766 deviceFacility=Apex One cn1Label=SLF_ProductVersion cn 1=11 dst=10.201.86.151 dhost=APEX-ONE-CLIENT-1 cs2Label=SLF_ TrueFileType cs2=SLF_TrueFileType fileHash=D6712CAE5EC821F91 0E14945153AE7871AA536CA cs3Label=SLF_FileSource cs3=C:\\User s\\Administrator\\Desktop\\BT-SHA1-SAMPLE\\BT-SHA1-SAMPLE\\0 17545113A434757C5F0F13095DBBF138BD76A40;0x36D572AE cn2Label= SLF_SourceType cn2=0 act=Log cn3Label=SLF_ScanType cn3=1 rea son=E deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDete ctedHost=APEX-ONE-CLIENT-1 TMCMLogDetectedIP=10.201.86.151 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360- 9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Bu ild 7601) Service Pack 1