| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Apex Central |
| Header (pver) | Appliance version | 2019 |
| Header (eventid) | Device event class ID | Spyware Detected |
| Header (eventName) | Event name | Spyware Detected |
| Header (severity) | Severity | 3 |
| cnt | Number of detections | Example: "10" |
| rt | Event trigger time in UTC | Example: "Mar 22 2018 08:23:23 GMT+00:00" |
| cn1Label | Corresponding label for the "cn1" field | Example: "Pattern Type" |
| cn1 | Pattern type | Example: "1073741840" |
| cs1Label | Corresponding label for the "cs1" field | Example: "VirusName" |
| cs1 | Spyware/Grayware name | Example: "ADW_OPENCANDY" |
| cs2Label | Corresponding label for the "cs2" field | Example: "EngineVersion" |
| cs2 | Engine version | Example: "6.2.3027" |
| cs5Label | Corresponding label for the "cs5" field | Example: "ActionResult" |
| cs5 | Action | Example: "Reboot system successfully". For more information, see the Action Mapping Table. |
| cs6Label | Corresponding label for the "cs6" field | Example: "PatternVersion" |
| cs6 | Pattern version | Example: "1297" |
| cat | Log type | Example: "1727" |
| dvchost | Endpoint host name | Example: "ApexOneClient01" |
| deviceExternalId | ID | Example: "3" |
| fname | Resource | Example: "F:\\Malware\\psas\\rsrc2.bin" |
| filePath | Resource | Example: "F:\\Malware\\psas\\rsrc2.bin" |
| dhost | Endpoint host name | Example: "ApexOneClient01" |
| dst | Endpoint IPv4 address | Example: "50.8.1.1" |
| c6a3Label | Corresponding label for the "c6a3" field | Example: "SLP_DestinationIP" |
| c6a3 | Endpoint IPv6 address | Example: "fe80::38ca:cd15:443c:40bb%11" |
| fileHash | File SHA-1 | Example: "D6712CAE5EC821F910E14945153AE7871AA536CA" |
| deviceFacility | Product | Example: "Apex One" |
| duser | User name | Example: "Admin004" |
| cn2Label | Corresponding label for the "cn2" field | Example: "Scan_Type" |
| cn2 | Scan type | Example: "Scan Now". For more information, see the Spyware/Grayware Scan Type Mapping Table. |
| cn3Label | Corresponding label for the "cn3" field | Example: "Security_Threat_Type" |
| cn3 | Security threat type | Example: "Adware". For more information, see the Spyware/Grayware Risk Type Mapping Table. |
| deviceNtDomain | Active Directory domain | Example: "APEXTMCM" |
| dntdom | Apex One domain hierarchy | Example: "OSCEDomain1" |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: "MachineHostName" |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: "10.1.2.3" |
| ApexCentralHost | Apex Central host name | Example: "TW-CHRIS-W2019" |
| devicePayloadId | Unique message GUID | Example: "1C00290C0360-9CDE11EB-D4B8-F51F-C697" |
| TMCMdevicePlatform | Endpoint operating system | Example: "Windows 7 6.1 (Build 7601) Service Pack 1" |
Log sample:

```
CEF:0|Trend Micro|Apex Central|2019|Spyware Detected|Spyware Detected|3|deviceExternalId=3 rt=Oct 06 2017 08:39:46 GMT+00:00 cnt=1 dhost=ApexOneClient01 cn1Label=PatternType cn1=1073741840 cs1Label=VirusName cs1=ADW_OPENCANDY cs2Label=EngineVersion cs2=6.2.3027 cs5Label=ActionResult cs5=Reboot system successfully cs6Label=PatternVersion cs6=1297 cat=1727 dvchost=ApexOneClient01 fname=F:\\Malware\\psas\\rsrc2.bin filePath=F:\\Malware\\psas\\rsrc2.bin dst=50.8.1.1 deviceFacility=Apex One deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=ApexOneClient01 TMCMLogDetectedIP=50.8.1.1 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1
```
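The following Python parser is an added example for this mapping table; it is not Trend Micro code and not part of the original page. It splits the seven pipe-delimited CEF header fields (honouring the `\|` and `\\` header escapes), tokenizes the space-separated extension into key/value pairs even when values contain spaces (as `cs5`, `deviceFacility` and `TMCMdevicePlatform` do), decodes the extension escapes (`\=`, `\\`, `\n`, `\r`), and resolves every `csN`/`cnN`/`c6aN` "Label" pair into the named field the table documents (`VirusName`, `ActionResult`, `PatternVersion`, ...). Two points a SIEM integrator should note: the doubled backslashes in `fname`/`filePath` are CEF escapes, so they must be decoded to single backslashes before the path is matched or compared, and the `rt` format assumed by `parse_rt` is the one shown on this page (other CEF producers emit epoch milliseconds, which this helper does not handle). The first input is the page's own log sample; the second is a constructed line that exists only to exercise the escape rules. The names `CEFEvent`, `parse_cef`, `parse_extensions`, `resolve_labels` and `parse_rt` are this example's own.

```python
"""Parse Apex Central CEF 'Spyware Detected' syslog records.

Added example, not Trend Micro code. Implements the CEF:0 escaping rules:
in the header a backslash escapes the pipe and the backslash itself; in the
extension a backslash escapes '=', the backslash itself, 'n' and 'r'.
The csN/cnN/c6aN "Label" pairs are resolved into named fields.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple, Union

# Log sample as printed on this page (raw string, so '\\' stays a CEF escape).
SAMPLE_FROM_PAGE = r"CEF:0|Trend Micro|Apex Central|2019|Spyware Detected|Spyware Detected|3|deviceExternalId=3 rt=Oct 06 2017 08:39:46 GMT+00:00 cnt=1 dhost=ApexOneClient01 cn1Label=PatternType cn1=1073741840 cs1Label=VirusName cs1=ADW_OPENCANDY cs2Label=EngineVersion cs2=6.2.3027 cs5Label=ActionResult cs5=Reboot system successfully cs6Label=PatternVersion cs6=1297 cat=1727 dvchost=ApexOneClient01 fname=F:\\Malware\\psas\\rsrc2.bin filePath=F:\\Malware\\psas\\rsrc2.bin dst=50.8.1.1 deviceFacility=Apex One deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=ApexOneClient01 TMCMLogDetectedIP=50.8.1.1 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1"

# Constructed line (not from the page) exercising every escape the parser handles.
CONSTRUCTED_ESCAPES = r"CEF:0|Vendor\|X|Prod|1.0|100|Name with \\ slash|5|msg=a\=b dst=1.2.3.4"

HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                 "event_class_id", "name", "severity")

# An extension key starts at the beginning of the text or after whitespace and
# is followed by an unescaped '='. An escaped '\=' inside a value never matches
# because the backslash is not a key character.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_ESCAPE_MAP = {"n": "\n", "r": "\r"}


@dataclass
class CEFEvent:
    header: Dict[str, Union[str, int]]
    extensions: Dict[str, str] = field(default_factory=dict)
    labeled: Dict[str, str] = field(default_factory=dict)   # label -> value


def _unescape(value: str) -> str:
    # '\=' -> '=', '\\' -> '\', '\n' -> newline, '\r' -> carriage return
    return re.sub(r"\\(.)", lambda m: _ESCAPE_MAP.get(m.group(1), m.group(1)), value)


def split_header(line: str) -> Tuple[List[str], str]:
    """Return the 7 header fields and the remaining extension text."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped pipe or backslash
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, line[i:]


def parse_extensions(text: str) -> Dict[str, str]:
    """Tokenize 'k=v k2=v with spaces ...' into a dict, decoding escapes."""
    ext: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(text))
    for n, m in enumerate(matches):
        # A value runs up to the whitespace that precedes the next key.
        end = matches[n + 1].start() if n + 1 < len(matches) else len(text)
        ext[m.group(1)] = _unescape(text[m.end():end])
    return ext


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Map e.g. cs1Label=VirusName / cs1=ADW_OPENCANDY to {'VirusName': 'ADW_OPENCANDY'}."""
    named: Dict[str, str] = {}
    for key, label in ext.items():
        base = key[:-5]
        if key.endswith("Label") and base in ext:
            named[label] = ext[base]
    return named


def parse_rt(value: str) -> datetime:
    """Parse the rt format shown on this page, e.g. 'Oct 06 2017 08:39:46 GMT+00:00'.
    Assumption: Apex Central always emits this textual form (other CEF producers
    emit epoch milliseconds, which is deliberately not handled here)."""
    return datetime.strptime(value, "%b %d %Y %H:%M:%S GMT%z")


def parse_cef(line: str) -> CEFEvent:
    fields, rest = split_header(line.rstrip("\r\n"))
    header: Dict[str, Union[str, int]] = dict(zip(HEADER_FIELDS, fields))
    if not str(header["version"]).startswith("CEF:"):
        raise ValueError("not a CEF record")
    if str(header["severity"]).isdigit():      # CEF allows numeric or textual severity
        header["severity"] = int(header["severity"])
    ext = parse_extensions(rest)
    return CEFEvent(header=header, extensions=ext, labeled=resolve_labels(ext))


if __name__ == "__main__":
    ev = parse_cef(SAMPLE_FROM_PAGE)
    print(ev.header)
    print(ev.labeled)
    print(ev.extensions["fname"], parse_rt(ev.extensions["rt"]).isoformat())
```

`resolve_labels` is what makes the table usable in detection rules: a rule can read `labeled["VirusName"]` or `labeled["ActionResult"]` instead of remembering which `csN` slot Apex Central happens to use, and it continues to work if a future version moves a value to a different custom-string slot. The mapping tables the page refers to (action, scan type, risk type) are not reproduced here, so `cs5`, `cn2` and `cn3` are kept as the raw strings the product sends.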