| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Product vendor | Trend Micro |
| Header (pname) | Product name | Apex Central |
| Header (pver) | Product version | 2019 |
| Header (eventid) | PML:Action result | PML:File cleaned |
| Header (eventName) | Detection name | virusa |
| Header (severity) | Severity | 3 |
| rt | Event trigger time in UTC | Example: "Mar 22 2018 08:23:23 GMT+00:00" |
| dvchost | Product server | Example: "Sample_Host" |
| cn1Label | Corresponding label for the "cn1" field | "ThreatType" |
| cn1 | Probable threat type | Example: "35143". For more information, see the Threat Type Mapping Table. |
| cs2Label | Corresponding label for the "cs2" field | "DetectionName" |
| cs2 | Security threat | Example: "Troj.Win32.TRX.XXPE002FF017" |
| shost | Infected endpoint | Example: "10.0.0.1" |
| suser | Logon user | Example: "TREND\\User" |
| cn2Label | Corresponding label for the "cn2" field | "DetectionType" |
| cn2 | Detection type | Example: "0" |
| filePath | File path | Example: "D:\\" |
| fname | File name | Example: "ALCORMP.EXE" |
| deviceCustomDate1 | File creation time | Example: "2017-04-26 05:53:27.000" |
| sproc | System process | Example: "notepad.exe" |
| cs4Label | Corresponding label for the "cs4" field | "ProcessCommandLine" |
| cs4 | Process command | Example: "notepad.exe" |
| duser | Process owner | Example: "user1" |
| app | Infection channel | Example: "10" |
| cs3Label | Corresponding label for the "cs3" field | "InfectionLocation" |
| cs3 | Infection source | Example: "http://10.0.0.1/" |
| dst | Product/Endpoint IPv4 Address | Example: "10.0.17.6" |
| c6a3Label | Corresponding label for the "c6a3" field | "Product/Endpoint IP" |
| c6a3 | Product/Endpoint IPv6 Address | Example: "fd66:5168:9882:6:b5b0:b2b5:4173:3f5d" |
| cn3Label | Corresponding label for the "cn3" field | "Confidence" |
| cn3 | Threat probability | Example: "82" |
| act | Action result | Example: "21". For more information, see the Action Mapping Table. |
| fileHash | File SHA-1 | Example: "52c17c785b45ee961f68fb17744276076f383085" |
| dhost | Product entity/endpoint | Example: "dhost1" |
| deviceExternalId | Log sequence number | Example: "100" |
| deviceFacility | Product | Example: "Apex One" |
| reason | Critical threat type | Example: "E" |
| deviceNtDomain | Active Directory domain | Example: APEXTMCM |
| dntdom | Apex One domain hierarchy | Example: OSCEDomain1 |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3 |
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 |
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |
| TMCMdevicePlatform | Endpoint operating system | Example: Windows 7 6.1 (Build 7601) Service Pack 1 |
Log sample:

CEF:0|Trend Micro|Apex Central|2019|PML:File cleaned|Detection01|3|deviceExternalId=1 rt=Dec 01 2018 16:01:00 GMT+00:00 deviceFacility=15 dvchost=OSCE01 cn1Label=ThreatType cn1=1 cs2Label=DetectionName cs2=Detection01 shost=10.0.0.1 suser=Sample_Domain\\Sample_User cn2Label=DetectionType cn2=0 filePath=C:\\test01\\aaa.exe fname=aaa.exe deviceCustomDate1Label=FileCreationDate deviceCustomDate1=Dec 02 2018 00:01:00 GMT+00:00 sproc=notepad.exe cs4Label=ProcessCommandLine cs4=notepad.exe -test duser=admin01 app=1 cs3Label=InfectionLocation cs3=https://10.1.1.1 dst=80.1.1.1 cn3Label=Confidence cn3=81 act=21 fileHash=177750B65A21A9043105FD0820B85B58CF148A01 dhost=OSCEClient11 reason=E deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=OSCEClient11 TMCMLogDetectedIP=80.1.1.1 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1
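A parser for records in this format, added here as an illustration and not Trend Micro's own code. It splits the seven pipe-delimited header fields, slices extension values at the next `key=` token (so values containing spaces such as `rt`, `cs4` and `TMCMdevicePlatform` survive), unescapes the `\\` sequences, and maps custom keys like `cn1` to the names their `cn1Label` companions carry. The sample line is constructed from the fields in the table above.

```python
import re
from typing import Dict, Tuple

# The seven CEF header fields, in the order the table above lists them.
HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

# Constructed sample record (not a real detection); "\\\\" is a CEF-escaped backslash.
SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|PML:File cleaned|Detection01|3|"
    "deviceExternalId=1 rt=Dec 01 2018 16:01:00 GMT+00:00 dvchost=OSCE01 "
    "cn1Label=ThreatType cn1=1 cs2Label=DetectionName cs2=Detection01 "
    "shost=10.0.0.1 suser=Sample_Domain\\\\Sample_User filePath=C:\\\\test01\\\\aaa.exe "
    "fname=aaa.exe cs4Label=ProcessCommandLine cs4=notepad.exe -test "
    "cn3Label=Confidence cn3=81 act=21 "
    "fileHash=177750B65A21A9043105FD0820B85B58CF148A01 "
    "TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1"
)

def _unescape(value: str) -> str:
    # CEF escapes backslash, pipe and equals sign with a preceding backslash.
    return re.sub(r"\\([\\|=])", r"\1", value)

def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, extension) dicts for one CEF:0 line.
    Extension values may contain spaces, so each value runs from its '=' up to
    the start of the next whitespace-preceded 'key=' token, not the next space."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    header = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    ext_text = parts[7]
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext_text))
    extension: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        extension[m.group(1)] = _unescape(ext_text[m.end():end].strip())
    return header, extension

def resolve_labels(extension: Dict[str, str]) -> Dict[str, str]:
    """Replace custom keys (cn1, cs2, ...) with the names in their *Label fields,
    so a detection rule can refer to 'ThreatType' or 'Confidence' directly."""
    resolved: Dict[str, str] = {}
    for key, value in extension.items():
        if key.endswith("Label"):
            continue
        resolved[extension.get(key + "Label") or key] = value
    return resolved

if __name__ == "__main__":
    hdr, ext = parse_cef(SAMPLE)
    print(hdr["eventid"], resolve_labels(ext))
```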