CEF Key |
Description |
Value |
---|---|---|
Header (logVer) |
CEF format version |
CEF:0 |
Header (vendor) |
Appliance vendor |
Trend Micro |
Header (pname) |
Appliance product |
Apex Central |
Header (pver) |
Appliance version |
2019 |
Header (eventid) |
WB:Filter/Blocking Type |
WB:1 |
Header (eventName) |
"Blocking Rule" or "Filter/Blocking Type" |
5 |
Header (severity) |
Severity |
3 |
app |
Protocol |
Example: "3" For more information, see Protocol Mapping Table. |
cnt |
Detections |
Example: "10" |
dpt |
Server port |
Example: "80" |
act |
Action |
Example: "0"
|
rt |
Event trigger time in UTC |
Example: "Mar 22 2018 08:23:23 GMT+00:00" |
src |
Endpoint IPv4 address |
Example: "10.1.128.34" |
c6a2Label |
Corresponding label for the "c6a2" field |
Example: "SLF_SourceIP" |
c6a2 |
Endpoint IPv6 address |
Example: "2620:101:4003:7a0:fd4b:52ed:53bd:ae3d" |
cs1Label |
Corresponding label for the "cs1" field |
Example: "SLF_PolicyName" |
cs1 |
Policy |
Example: "External User Policy" |
cs4Label |
Corresponding label for the "cs4" field |
Example: "CLF_ReasonCode" |
cs4 |
Reason Code |
Example: "access" |
cs5Label |
Corresponding label for the "cs5" field |
Example: "CLF_ReasonCodeSource" |
cs5 |
Reason code source |
Example: "web" |
deviceDirection |
Traffic/Connection |
Example: "2"
|
cat |
Filter/Blocking Type |
Example: "7" For more information, see Filter/Blocking Type Mapping Table. |
dvchost |
Endpoint host name |
Example: "ApexOneClient08" |
cn1Label |
Corresponding label for the "cn1" field |
Example: "CLF_SeverityCode" |
cn1 |
Severity code |
Example: "0"
|
deviceExternalId |
ID |
Example: "38" |
fname |
File |
Example: "test.txt" |
request |
URL |
Example: "http://www.violetsoft.net/counter/insert.php?dbserver\=db1&c_pcode\=25&c_pid\=funpop1&c_kind\=4&c_mac\=FE-ED-BE-EF-0C-E1" |
deviceFacility |
Product |
Example: "Apex One" |
duser |
User name |
Example: "Admin004" |
shost |
Client host name |
Exmaple: "ABC-HOST-WKS12" |
cs2Label |
Corresponding label for the "cs2" field |
Example: "Blocking_Rule" |
cs2 |
Blocking rule |
Example: "content filter" |
deviceProcessName |
Process name |
Example: "C:\\Windows\ \system32\\svchost-1.exe" |
cn3Label |
Corresponding label for the "cn3" field |
Example: "ReputationScore" |
cn3 |
Reputation score |
Example: "49" |
dst |
Server IP address |
Example: "10.69.81.64" |
cn2Label |
Corresponding label for the "cn2" field |
Example: "SLF_SeverityLevel" |
cn2 |
Severity level |
Example: "100"
|
reason |
Critical threat type |
Example: "E"
|
deviceNtDomain |
Active Directory domain |
Example: APEXTMCM |
dntdom |
Apex One domain hierarchy |
Example: OSCEDomain1 |
TMCMLogDetectedHost |
Endpoint name where the log event occurred |
Example: MachineHostName |
TMCMLogDetectedIP |
IP address where the log event occurred |
Example: 10.1.2.3 |
ApexCentralHost |
Apex Central host name |
Example: TW-CHRIS-W2019 |
devicePayloadId |
Unique message GUID |
Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |
TMCMdevicePlatform |
Endpoint operating system |
Example: Windows 7 6.1 (Build 7601) Service Pack 1 |
Log sample:
CEF:0|Trend Micro|Apex Central|2019|WB:7|7|3|deviceExterna lId=38 rt=Nov 15 2017 08:43:57 GMT+00:00 app=17 cntLabel=Agg regatedCount cnt=1 dpt=80 act=1 src=10.1.128.46 cs1Label=SLF _PolicyName cs1=External User Policy deviceDirection=2 cat=7 dvchost=ApexOneClient08 fname=test.txt request=http://www.v ioletsoft.net/counter/insert.php?dbserver\=db1&c_pcode\=25&c _pid\=funpop1&c_kind\=4&c_mac\=FE-ED-BE-EF-0C-E1 deviceFacil ity=Apex One shost=ABC-HOST-WKS12 reason=G deviceNtDomain=AP EXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=ABC-HOST-WKS12 TMCMLogDetectedIP=10.1.128.46 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdev icePlatform=Windows 7 6.1 (Build 7601) Service Pack 1