
| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Apex Central |
| Header (pver) | Appliance version | 2019 |
| Header (eventid) | WB:Filter/Blocking Type | WB:1 |
| Header (eventName) | "Blocking Rule" or "Filter/Blocking Type" | 5 |
| Header (severity) | Severity | 3 |
| app | Protocol | Example: "3". For more information, see Protocol Mapping Table. |
| cnt | Detections | Example: "10" |
| dpt | Server port | Example: "80" |
| act | Action | Example: "0". Values: 0: Unknown; 1: Pass; 2: Block; 3: Monitor; 4: Delete; 5: Quarantine; 6: Warn; 7: Warn and continue; 8: Override |
| rt | Event trigger time in UTC | Example: "Mar 22 2018 08:23:23 GMT+00:00" |
| src | Endpoint IPv4 address | Example: "10.1.128.34" |
| c6a2Label | Corresponding label for the "c6a2" field | Example: "SLF_SourceIP" |
| c6a2 | Endpoint IPv6 address | Example: "2620:101:4003:7a0:fd4b:52ed:53bd:ae3d" |
| cs1Label | Corresponding label for the "cs1" field | Example: "SLF_PolicyName" |
| cs1 | Policy | Example: "External User Policy" |
| cs4Label | Corresponding label for the "cs4" field | Example: "CLF_ReasonCode" |
| cs4 | Reason code | Example: "access" |
| cs5Label | Corresponding label for the "cs5" field | Example: "CLF_ReasonCodeSource" |
| cs5 | Reason code source | Example: "web" |
| deviceDirection | Traffic/Connection | Example: "2". Values: 0: None; 1: Inbound; 2: Outbound |
| cat | Filter/Blocking Type | Example: "7". For more information, see Filter/Blocking Type Mapping Table. |
| dvchost | Endpoint host name | Example: "ApexOneClient08" |
| cn1Label | Corresponding label for the "cn1" field | Example: "CLF_SeverityCode" |
| cn1 | Severity code | Example: "0". Values: 0: Unknown; 1: Information; 2: Warning; 3: Error; 4: Critical |
| deviceExternalId | ID | Example: "38" |
| fname | File | Example: "test.txt" |
| request | URL | Example: "http://www.violetsoft.net/counter/insert.php?dbserver\=db1&c_pcode\=25&c_pid\=funpop1&c_kind\=4&c_mac\=FE-ED-BE-EF-0C-E1" |
| deviceFacility | Product | Example: "Apex One" |
| duser | User name | Example: "Admin004" |
| shost | Client host name | Example: "ABC-HOST-WKS12" |
| cs2Label | Corresponding label for the "cs2" field | Example: "Blocking_Rule" |
| cs2 | Blocking rule | Example: "content filter" |
| deviceProcessName | Process name | Example: "C:\\Windows\\system32\\svchost-1.exe" |
| cn3Label | Corresponding label for the "cn3" field | Example: "ReputationScore" |
| cn3 | Reputation score | Example: "49" |
| dst | Server IP address | Example: "10.69.81.64" |
| cn2Label | Corresponding label for the "cn2" field | Example: "SLF_SeverityLevel" |
| cn2 | Severity level | Example: "100". Values: 100: High; 300: Medium high; 500: Medium; 700: Medium low; 900: Low |
| reason | Critical threat type | Example: "E". Values: A: Known Advanced Persistent Threat (APT); B: Social engineering attack; C: Vulnerability attack; D: Lateral movement; E: Unknown threats; F: C&C callback; G: Ransomware |
| deviceNtDomain | Active Directory domain | Example: APEXTMCM |
| dntdom | Apex One domain hierarchy | Example: OSCEDomain1 |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3 |
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 |
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |
| TMCMdevicePlatform | Endpoint operating system | Example: Windows 7 6.1 (Build 7601) Service Pack 1 |

Log sample:

CEF:0|Trend Micro|Apex Central|2019|WB:7|7|3|deviceExternalId=38 rt=Nov 15 2017 08:43:57 GMT+00:00 app=17 cntLabel=AggregatedCount cnt=1 dpt=80 act=1 src=10.1.128.46 cs1Label=SLF_PolicyName cs1=External User Policy deviceDirection=2 cat=7 dvchost=ApexOneClient08 fname=test.txt request=http://www.violetsoft.net/counter/insert.php?dbserver\=db1&c_pcode\=25&c_pid\=funpop1&c_kind\=4&c_mac\=FE-ED-BE-EF-0C-E1 deviceFacility=Apex One shost=ABC-HOST-WKS12 reason=G deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=ABC-HOST-WKS12 TMCMLogDetectedIP=10.1.128.46 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1
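As an added example (not part of the Trend Micro documentation), the following Python parses the log sample above: it splits the seven pipe-delimited header fields, tokenizes the extension on unescaped `key=` pairs so the `\=` sequences inside the request URL stay part of the value, resolves the `cs1Label`/`cnLabel`-style pairs to their names, and translates the act, deviceDirection and reason codes with the tables above. The sample string is a constructed copy of the wrapped sample re-joined onto one line; the function and table names are my own.

```python
import re

# Constructed copy of the log sample above, re-joined onto one line (the original wraps it).
SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|WB:7|7|3|deviceExternalId=38 rt=Nov 15 2017 08:43:57 GMT+00:00 "
    "app=17 cntLabel=AggregatedCount cnt=1 dpt=80 act=1 src=10.1.128.46 cs1Label=SLF_PolicyName "
    "cs1=External User Policy deviceDirection=2 cat=7 dvchost=ApexOneClient08 fname=test.txt "
    "request=http://www.violetsoft.net/counter/insert.php?dbserver\\=db1&c_pcode\\=25&c_pid\\=funpop1"
    "&c_kind\\=4&c_mac\\=FE-ED-BE-EF-0C-E1 deviceFacility=Apex One shost=ABC-HOST-WKS12 reason=G "
    "deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=ABC-HOST-WKS12 "
    "TMCMLogDetectedIP=10.1.128.46 ApexCentralHost=TW-CHRIS-W2019 "
    "devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1"
)
HEADER = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
# Code tables copied from the mapping table above.
ACTION = {"0": "Unknown", "1": "Pass", "2": "Block", "3": "Monitor", "4": "Delete",
          "5": "Quarantine", "6": "Warn", "7": "Warn and continue", "8": "Override"}
DIRECTION = {"0": "None", "1": "Inbound", "2": "Outbound"}
THREAT_TYPE = {"A": "Known Advanced Persistent Threat (APT)", "B": "Social engineering attack",
               "C": "Vulnerability attack", "D": "Lateral movement", "E": "Unknown threats",
               "F": "C&C callback", "G": "Ransomware"}
_ESC = {"=": "=", "|": "|", "\\": "\\", "n": "\n", "r": "\r"}  # CEF backslash escapes
_KEY_RE = re.compile(r"(?:^|(?<= ))(\w+)=")  # a key starts the extension or follows a space; "\=" never does

def unescape(s):
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(0)), s)

def parse_cef(line):
    """Return (header dict, extension dict); raise ValueError for anything that is not a CEF:0 record."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # escaped "\|" inside a header field is not a separator
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    header = dict(zip(HEADER, (unescape(p) for p in parts[:7])))
    keys = list(_KEY_RE.finditer(parts[7]))
    ext = {}
    for i, m in enumerate(keys):  # each value runs up to the start of the next unescaped key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        ext[m.group(1)] = unescape(parts[7][m.end():end].strip())
    return header, ext

def decode(ext):
    """Rename custom fields to their *Label names and add readable names for the coded values."""
    out = dict(ext)
    for key in [k for k in ext if k.endswith("Label") and k[:-5] in ext]:
        out[ext[key]] = out.pop(key[:-5])  # e.g. cs1Label=SLF_PolicyName, cs1=... -> SLF_PolicyName
        del out[key]
    out["actionName"] = ACTION.get(ext.get("act"))
    out["directionName"] = DIRECTION.get(ext.get("deviceDirection"))
    out["threatTypeName"] = THREAT_TYPE.get(ext.get("reason"))
    return out
```

`decode(parse_cef(SAMPLE)[1])` yields `SLF_PolicyName: External User Policy`, `AggregatedCount: 1`, `actionName: Pass`, `directionName: Outbound` and `threatTypeName: Ransomware` for the sample record.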