|
CEF Key |
Description |
Value |
|---|---|---|
|
Header (logVer) |
CEF format version |
CEF:0 |
|
Header (vendor) |
Product vendor |
Trend Micro |
|
Header (pname) |
Product name |
Apex Central |
|
Header (pver) |
Product version |
2019 |
|
Header (eventid) |
Event ID |
|
|
Header (eventName) |
Log name |
|
|
Header (severity) |
Severity |
3 |
|
dvchost |
Display name of the managed endpoint |
Example: "localhost" |
|
rt |
Log generation time in UTC |
Example: "Nov 15 2017 08:43:57 GMT +00:00" |
|
src |
Source IPv4 address |
Example: "10.1.152.12" |
|
c6a2Label |
Corresponding label for the "c6a2" field |
SLF_SourceIPv6 |
|
c6a2 |
Source IPv6 address |
"2001:b011:1004:325b:8db7:6ca9:8fc5:321a" |
|
smac |
Source MAC address |
Example: "18:31:BF:4F:30:DD" |
|
spt |
Source port |
Example: "60886" |
|
dst |
Destination IPv4 address |
Example: "10.1.153.151" |
|
c6a3Label |
Corresponding label for the "c6a3" field |
SLF_DestinationIPv6 |
|
c6a3 |
Destination IPv6 address |
Example: "2001:b011:1004:325b:8db7:6ca9:8fc5:654a" |
|
dmac |
Destination host MAC address |
Example: "D0:17:C2:95:ED:71" |
|
dpt |
Destination port |
Example: "139" |
|
cn2Label |
Corresponding label for the "cn2" field |
SLF_IsDetectionOnly |
|
cn2 |
Indicates whether the system is in "detection only" mode |
Example: "0"
|
|
act |
Action |
Example: "LOG" SLF_ACTION maps:
|
|
deviceDirection |
Incoming or outgoing direction |
Example: "Apex One" |
|
cn3Label |
Corresponding label for the "cn3" field |
SLF_Rank |
|
cn3 |
Weighted priority of the incident |
Example: "3" Calculated from Severity x Asset Value |
|
cn4Label |
Corresponding label for the "cn4" field |
SLF_SeverityCode |
|
cn4 |
The system defined incident severity value |
Example: "1"
|
|
proto |
The network protocol being exploited |
Example: "10009"
|
|
cs2Label |
Corresponding label for the "cs2" field |
SLF_ConnectionType |
|
cs2 |
The network application name |
Example: "DCERPC Services" |
|
cn1Label |
Corresponding label for the "cn1" field |
SLF_RuleID |
|
cn1 |
The ID of the inspection rule |
Example: "1005448" |
|
cs1Label |
Corresponding label for the "cs1" field |
SLF_RuleContent |
|
cs1 |
The string literal of the rule ID and description |
Example: "1005448 - SMB Null Session Detected - 1" |
|
cnt |
Aggregated count |
Example: "1" |
|
deviceNtDomain |
Active Directory domain |
Example: APEXTMCM |
|
dntdom |
Apex One domain hierarchy |
Example: OSCEDomain1 |
Log sample:
CEF:0|Trend Micro|Apex Central|2019|Log|1009549 - Detected T erminal Services (RDP) Server Traffic - 1 (ATT&CK T1015,T104 3,T1076,T1048,T1032,T1071)|3|rt=Apr 20 2020 03:33:20 GMT+00: 00 dvchost=OSCEClient23 deviceFacility=Apex One act=Log,src= 10.1.1.9 dst=80.1.1.9 smac=54-BF-64-84-7F-09 spt=89 dmac=54- BF-64-84-7F-19 dpt=449 cn2Label=SLF_IsDetectionOnly cn2=0 de viceDirection=Inbound cn3Label=SLF_Rank cn3=1 cn4Label=SLF_S everityCode cn4=1 proto=10009 cs2Label=SLF_ConnectionType cs 2=N/A cn1Label=SLF_RuleID cn1=1009549 cs1Label=SLF_RuleConte nt cs1=1009549 - Detected Terminal Services (RDP) Server Tra ffic - 1 (ATT&CK T1015,T1043,T1076,T1048,T1032,T1071) cnt=1 deviceNtDomain=APEXTMCM dntdom=OSCEDomain1