Note: If one Attack Discovery detection log relates to more than 4 objects, Apex Central only forwards the first 4 objects.
| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Apex Central |
| Header (pver) | Appliance version | 2019 |
| Header (eventid) | Event ID | 700220 |
| Header (eventName) | Log name | Attack Discovery Detections |
| Header (severity) | Severity | 3 |
| deviceExternalId | ID | Example: 38 |
| rt | Event trigger time in UTC | Example: Mar 22 2018 08:23:23 GMT+00:00 |
| dhost | Endpoint host name | Example: ApexOneClient01 |
| dst | Client IPv4 address | Example: 10.0.8.20 |
| C6a3 | Client IPv6 address | Example: fd96:7521:9502:6:b5b0:b2b5:4173:3f5d |
| duser | User name | Example: Admin004 |
| customerExternalID | Instance ID | Example: 8c1e2d8f-a03b-47ea-aef8-5aeab99ea697 |
| cn1Label | Corresponding label for the "cn1" field | SLF_RiskLevel |
| cn1 | Risk Level | Example: 0. Possible values: 0 = Unknown; 100 = Low risk; 500 = Medium risk; 1000 = High risk |
| cn2Label | Corresponding label for the "cn2" field | SLF_PatternNumber |
| cn2 | Pattern Number | Example: 30.1012.00 |
| cs1Label | Corresponding label for the "cs1" field | SLF_RuleID |
| cs1 | Rule ID | Example: powershell invoke expression |
| cat | Category ID | Example: point of entry |
| cs2Label | Corresponding label for the "cs2" field | SLF_ADEObjectGroup_Info_1 |
| cs2 | Attack Discovery object information | Example: see the object information example below the table |
| cs3Label | Corresponding label for the "cs3" field | SLF_ADEObjectGroup_Info_2 |
| cs3 | Attack Discovery object information | Example: see the object information example below the table |
| cs4Label | Corresponding label for the "cs4" field | SLF_ADEObjectGroup_Info_3 |
| cs4 | Attack Discovery object information | Example: see the object information example below the table |
| cs5Label | Corresponding label for the "cs5" field | SLF_ADEObjectGroup_Info_4 |
| cs5 | Attack Discovery object information | Example: see the object information example below the table |
| deviceNtDomain | Active Directory domain | Example: APEXTMCM |
| dntdom | Apex One domain hierarchy | Example: OSCEDomain1 |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3 |
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 |
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |
| TMCMdevicePlatform | Endpoint operating system | Example: Windows 7 6.1 (Build 7601) Service Pack 1 |

Object information example (the same example is given for cs2, cs3, cs4 and cs5; each field carries one object in the form `<type> - <name> - {...}`):

```
process - powershell.exe - {
  "META_FILE_MD5" : "9393f60b1739074eb17c5f4dddefe239",
  "META_FILE_NAME" : "powershell.exe",
  "META_FILE_SHA1" : "887ce4a295c163791b60fc23d285e6d84f28ee4c",
  "META_FILE_SHA2" : "de96a6e50044335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
  "META_PATH" : "c:\\windows\\system32\\windowspowershell\\v1.0\\",
  "META_PROCESS_CMD" : [ "powershell  cmd " ],
  "META_PROCESS_PID" : 7132,
  "META_SIGNER" : "microsoft windows",
  "META_SIGNER_VALIDATION" : true,
  "META_USER_USER_NAME" : "Administrator",
  "META_USER_USER_SERVERNAME" : "Host",
  "OID" : 1
}
```
Log sample (one line; wrapped here only by the page width):

```
CEF:0|Trend Micro|Apex Central|2019|700211|Attack Discovery Detections|3|deviceExternalId=5 rt=Jan 17 2019 03:38:06 GMT+00:00 dhost=VCAC-Window-331 dst=10.201.86.150 customerExternalID=8c1e2d8f-a03b-47ea-aef8-5aeab99ea697 cn1Label=SLF_RiskLevel cn1=0 cn2Label=SLF_PatternNumber cn2=30.1012.00 cs1Label=SLF_RuleID cs1=powershell invoke expression cat=point of entry cs2Label=SLF_ADEObjectGroup_Info_1 cs2=process - code9.exe - {USER: administrator09} deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=VCAC-Window-331 TMCMLogDetectedIP=10.201.86.150 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1
```
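The points a SIEM ingest pipeline has to get right for this layout are that extension values contain spaces (rt, cs1, cat, TMCMdevicePlatform), that cn1/cs2-style keys only get their meaning from the matching cn1Label/cs2Label field, and that the braces in the object information fields hold JSON in the documented example but plain text (`{USER: administrator09}`) in the log sample. The parser below is an added example, not Trend Micro code; it assumes the standard CEF escaping rules (`\|` in the header, `\\` and `\=` in extension values), and its second input, the table's object example placed on the wire, assumes the forwarder CEF-escapes the backslashes in META_PATH as the format requires. The other sample values come from the page.

```python
"""Parser for the "Attack Discovery Detections" CEF layout documented above. Added example,
not Trend Micro code; it assumes the 7-field '|' header, a whitespace-separated extension
whose cnN/csN keys are named by cnNLabel/csNLabel, and objects as "<type> - <name> - {...}"."""
import json
import re

# Constructed input: the page's log sample rejoined onto one line.
SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|700211|Attack Discovery Detections|3|"
    "deviceExternalId=5 rt=Jan 17 2019 03:38:06 GMT+00:00 dhost=VCAC-Window-331 "
    "dst=10.201.86.150 customerExternalID=8c1e2d8f-a03b-47ea-aef8-5aeab99ea697 "
    "cn1Label=SLF_RiskLevel cn1=0 cn2Label=SLF_PatternNumber cn2=30.1012.00 "
    "cs1Label=SLF_RuleID cs1=powershell invoke expression cat=point of entry "
    "cs2Label=SLF_ADEObjectGroup_Info_1 cs2=process - code9.exe - {USER: administrator09} "
    "deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=VCAC-Window-331 "
    "TMCMLogDetectedIP=10.201.86.150 ApexCentralHost=TW-CHRIS-W2019 "
    "devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 "
    "TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1"
)
# Constructed input: the table's object-information example as a Python dict.
OBJECT_EXAMPLE = {
    "META_FILE_MD5": "9393f60b1739074eb17c5f4dddefe239",
    "META_FILE_NAME": "powershell.exe",
    "META_FILE_SHA1": "887ce4a295c163791b60fc23d285e6d84f28ee4c",
    "META_FILE_SHA2": "de96a6e50044335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
    "META_PATH": "c:\\windows\\system32\\windowspowershell\\v1.0\\",
    "META_PROCESS_CMD": ["powershell  cmd "],
    "META_PROCESS_PID": 7132,
    "META_SIGNER": "microsoft windows",
    "META_SIGNER_VALIDATION": True,
    "META_USER_USER_NAME": "Administrator",
    "META_USER_USER_SERVERNAME": "Host",
    "OID": 1,
}

def cef_escape(value):
    """Escape an extension value as a CEF sender must: backslash first, then '='."""
    return value.replace("\\", "\\\\").replace("=", "\\=")

# Constructed input: the JSON object on the wire. Assumes the forwarder CEF-escapes it.
SAMPLE_JSON = (
    "CEF:0|Trend Micro|Apex Central|2019|700220|Attack Discovery Detections|3|"
    "deviceExternalId=38 rt=Mar 22 2018 08:23:23 GMT+00:00 dhost=ApexOneClient01 "
    "cn1Label=SLF_RiskLevel cn1=1000 cs2Label=SLF_ADEObjectGroup_Info_1 cs2="
    + cef_escape("process - powershell.exe - " + json.dumps(OBJECT_EXAMPLE))
    + " deviceNtDomain=APEXTMCM"
)

RISK_LEVELS = {0: "Unknown", 100: "Low risk", 500: "Medium risk", 1000: "High risk"}
HEADER_NAMES = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")  # a key starts the line or follows whitespace
OBJ_RE = re.compile(r"^(\S+) - (.+?) - (\{.*\})$", re.DOTALL)

def _unescape(value):
    # Undo CEF escaping ('\\', '\=', '\|', '\n', '\r') in one left-to-right pass.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_extension(ext):
    """Values may contain spaces, so each value runs from its '=' to the next key."""
    keys = list(KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields

def parse_object_info(value):
    """Parse '<type> - <name> - {...}'; a non-JSON body (as in the log sample) is kept as text."""
    m = OBJ_RE.match(value)
    if not m:
        return {"raw": value}
    obj_type, name, body = m.groups()
    try:
        meta = json.loads(body)
    except json.JSONDecodeError:
        meta = body
    return {"type": obj_type, "name": name, "meta": meta}

def parse_attack_discovery(line):
    """Return {'header', 'fields', 'risk', 'objects'} for one Attack Discovery CEF line."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # split on unescaped '|' only
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(HEADER_NAMES, (_unescape(p) for p in parts[:7])))
    header["logVer"] = header["logVer"][len("CEF:"):]
    raw = parse_extension(parts[7])
    # Rename cn1/cs2-style keys to the SLF_* names their *Label fields carry.
    fields = {raw.get(k + "Label", k): v for k, v in raw.items() if not k.endswith("Label")}
    event = {"header": header, "fields": fields, "risk": None, "objects": []}
    if "SLF_RiskLevel" in fields:
        event["risk"] = RISK_LEVELS.get(int(fields["SLF_RiskLevel"]), "Unknown")
    for key in sorted(k for k in fields if k.startswith("SLF_ADEObjectGroup_Info_")):
        event["objects"].append(parse_object_info(fields[key]))
    return event

def file_hashes(event):
    """(file name, SHA-256) pairs from object metadata, e.g. for an allow-list or intel lookup."""
    return [(o["meta"].get("META_FILE_NAME"), o["meta"]["META_FILE_SHA2"])
            for o in event["objects"]
            if isinstance(o.get("meta"), dict) and "META_FILE_SHA2" in o["meta"]]
```

`parse_attack_discovery(SAMPLE)` yields risk `Unknown` and one object whose `meta` is the raw text `{USER: administrator09}`, so `file_hashes` returns nothing for it; `parse_attack_discovery(SAMPLE_JSON)` yields risk `High risk` and an object whose `meta` round-trips to `OBJECT_EXAMPLE`, including the unescaped `META_PATH`. Because only `*Label` keys give `cn1` or `cs2` their meaning, a pipeline should key its field mapping on the label values (`SLF_RiskLevel`, `SLF_ADEObjectGroup_Info_N`) rather than on the bare `cnN`/`csN` position.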