| CEF Key | Description | Value | 
| Header (logVer) | CEF format version | CEF:0 | 
| Header (vendor) | Appliance vendor | Trend Micro | 
| Header (pname) | Appliance product | Apex Central | 
| Header (pver) | Appliance version | 2019 | 
| Header (eventid) | Event ID | 700106 | 
| Header (eventName) | Log name | Data Loss Prevention | 
| Header (severity) | Severity | 3 | 
| cs1Label | Corresponding label for the cs1 field | "Policy GUID" |
| cs1 | Policy GUID | Example: "FAF492CF-164C-4672-9A79-F1AB9CB288A3" |
| cn1Label | Corresponding label for the cn1 field | "Product" |
| cn1 | Product type value | Example: "15"  | 
| rt | Event trigger time in UTC | Example:  Mar 22 2018 08:23:23 GMT+00:00 | 
| src | Source host IP address | Example: "10.0.57.160"  | 
| smac | Source host MAC address | Example: "74-27-00-0C-65-E7"  | 
| shost | Source host name | Example: "shost1"  | 
| cs4Label | Corresponding label for the cs4 field | "Incident_Source_(AD_Account)" |
| cs4 | The user name in violation | Example: "Trend"  | 
| suser | Email sender  | Example: "sender@example.com"  | 
| request | The URL accessed | Example: "https://example.com/api/content"  | 
| duser | Comma (,) separated list of recipients  | Example:  user1@example.com;user2@example.com; | 
| msg | Subject | Example:  Sample,20171017 | 
| filepath | File path | Example:  D:\\Windows Live Mail\\Storage Folders\\Imported Fo e52\\Local Folders\\Sent Items\\Archive Aft de1\\Clients,Adv 22b\\ | 
| fname | Trigger file name | Example:  2B43363A-000000A4.eml | 
| fsize | File size in bytes | Example:  3 | 
| cs5Label | Corresponding label for the cs5 field | "Rule" |
| cs5 | Rule name | Example: "SAMPLE RULE SET" |
| cs6Label | Corresponding label for the cs6 field | Template |
| cs6 | Template name | Example: Apex One policy |
| cn3Label | Corresponding label for the cn3 field | Channel |
| cn3 | Channel type | Example: 3. For more information, see Channel Mapping Table. |
| cn2Label | Corresponding label for the cn2 field | Action |
| cn2 | Action result | Example: 4. For more information, see Action Result Mapping Table. |
| cs2Label | Corresponding label for the cs2 field | Policy |
| cs2 | Policy name | Example: OfficeScan |
| cs3Label | Corresponding label for the cs3 field | Product_Entity/Endpoint |
| cs3 | Endpoint host name | Example:  Sample_Host | 
| dvchost | Server host name | Example:  localhost | 
| deviceFacility | Product name | Example:  Apex One | 
| deviceNtDomain | Active Directory domain | Example: APEXTMCM | 
| dntdom | Apex One domain hierarchy | Example: OSCEDomain1 | 
| externalId | Log ID of the event | Example:  101 | 
| cfp1Label | Corresponding label for the cfp1 field | ForensicFileAvailable |
| cfp1 | Indicates whether the forensic file can be downloaded | |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName | 
| TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3 | 
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 | 
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 | 
| TMCMdevicePlatform | Endpoint operating system | Example: Windows 7 6.1 (Build 7601) Service Pack 1 | 
Log sample:
CEF:0|Trend Micro|Apex Central|2019|700106|Data Loss Prevention|3|cs3Label=Product_Entity/Endpoint cs3=Sample_Host dvchost=Sampledvchost cs2Label=Policy cs2=N/A cn1Label=Product cn1=15 rt=Oct 13 2017 02:54:04 GMT+00:00 src=10.0.9.34 smac=34-E6-D7-84-BC-7F shost=shost1 cs4Label=Incident_Source_(AD_Account) cs4=12467 filePath=D:\\2. DRIVER\\drivers WIN7\\Drivers\\DP_CardReader_14032.7z\\O2Micro\\FORCED\\6x86\\ fname=O2MDFvst.INF cs5Label=Rule cs5=SAMPLE RULE SET cs6Label=Template cs6=Apex One policy cn3Label=Channel cn3=0 cn2Label=Action cn2=4 deviceFacility=Apex One deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 externalId=101 cfp1Label=ForensicFileAvailable cfp1=0 dvchost=localhost TMCMLogDetectedHost=ApexOneClient01 TMCMLogDetectedIP=10.201.86.187 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1
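
The following parser is an added example, not Trend Micro code: it splits a record of this type into the header keys from the table, reads extension values that contain spaces, and pairs each csN/cnN/cfpN value with the name in its Label key so that fields such as Channel and Action can be queried by name. It assumes the line starts at `CEF:` (any syslog prefix already removed); `parse_cef`, `unescape` and the `fields`/`named` result keys are names chosen for the example.

```python
import re

# Shortened from the log sample on this page, with line-wrap spaces removed.
SAMPLE = (
    r"CEF:0|Trend Micro|Apex Central|2019|700106|Data Loss Prevention|3|"
    r"cs3Label=Product_Entity/Endpoint cs3=Sample_Host cn1Label=Product cn1=15 "
    r"rt=Oct 13 2017 02:54:04 GMT+00:00 src=10.0.9.34 "
    r"filePath=D:\\2. DRIVER\\drivers WIN7\\Drivers\\ fname=O2MDFvst.INF "
    r"cs5Label=Rule cs5=SAMPLE RULE SET cn3Label=Channel cn3=0 "
    r"cn2Label=Action cn2=4 cfp1Label=ForensicFileAvailable cfp1=0 "
    r"TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1"
)

HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
FIELD = r"((?:\\.|[^|\\])*)"  # header field: anything up to an unescaped pipe
RECORD = re.compile(r"\|".join([FIELD] * 7) + r"\|(.*)", re.S)
KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")  # a key begins a token; an escaped "\=" never matches


def unescape(value):
    # CEF escapes backslash, "=" and "|" with a backslash; "\n" stands for a newline.
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)


def parse_cef(line):
    match = RECORD.match(line.strip())
    if not match or not match.group(1).startswith("CEF:"):
        raise ValueError("not a CEF record")
    event = dict(zip(HEADER_KEYS, map(unescape, match.groups()[:7])))
    ext = match.group(8)
    # Values may contain spaces, so a value runs until the next "key=" token.
    hits = list(KEY.finditer(ext))
    fields = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        fields[hit.group(1)] = unescape(ext[hit.end():end].strip())
    # Pair each csN/cnN/cfpN value with the name carried in its *Label key.
    named = {label: fields[key[:-5]] for key, label in fields.items()
             if key.endswith("Label") and key[:-5] in fields}
    event["fields"], event["named"] = fields, named
    return event


if __name__ == "__main__":
    for name, value in parse_cef(SAMPLE)["named"].items():
        print(f"{name}: {value}")
```

If a key occurs twice in one record, as `dvchost` does in the full sample above, the last value overwrites the earlier one in `fields`.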
 
		