CEF Detection Logs
| CEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | TMES |
| Header (pver) | Appliance version | Example: 1.0.0.0 |
| Header (eventid) | Signature ID | 100101 |
| Header (eventName) | Description | DETECTION |
| Header (severity) | Email severity | 6 |
| rt | Log generation time | Example: 2019-12-10T08:26:46.728Z |
| cs1Label | Event type | eventType |
| cs1 | Event type | Example: ransomware |
| cs2Label | Domain name | domainName |
| cs2 | Domain name | Example: example1.com |
| suser | Email sender | Example: user1@example1.com |
| duser | Email recipients | Example: user2@example2.com |
| cs3Label | Email message direction | direction |
| cs3 | Email message direction | |
| cs4Label | Unique message identifier | messageId |
| cs4 | Unique message identifier | Example: 201605181642138223747@trend.com |
| msg | Email subject | Example: hello |
| cn1Label | Email message size | messageSize |
| cn1 | Email message size | Example: 1809 |
| cs5Label | Violated event analysis | policyName |
| cs5 | Violated event analysis | Example: Spam |
| cs6Label | Violated event details | details |
| cs6 | Violated event details | Example: `{"threatNames":"Troj","fileInfo":[{"fileName":"file1","fileSha256":"abcd1234dae60bcae54516be6c9953b4bb9644e188606ceac00feebf95bbf10e","threatName":"Troj"}]}` |
| act | Action in the event | |
Log sample (a single CEF line, shown here as emitted):

```
CEF:0|Trend Micro|TMES|1.0.0.0|100101|DETECTION|6|rt=2019-12-10T08:26:46.728Z cs1Label=eventType cs1=virus cs2Label=domainName cs2=example1.com suser=user1@example1.com duser=user2@example2.com cs3Label=direction cs3=incoming cs4Label=messageId cs4=201605181642138223747@trend.com msg=test sample cn1Label=messageSize cn1=1809 cs5Label=policyName cs5=Test Rule act=Quarantine cs6Label=details cs6={"threatNames":"Troj","fileInfo":[{"fileName":"file1","fileSha256":"abcd1234dae60bcae54516be6c9953b4bb9644e188606ceac00feebf95bbf10e","threatName":"Troj"}]}
```
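As an added example (not part of the TMES documentation and not Trend Micro code), the following Python parser ingests a DETECTION line of the format described above: it splits the seven pipe-delimited header fields, tokenizes the extension so that values containing spaces (`msg`, `cs5`) and the JSON in `cs6` survive intact, re-keys each `csN`/`cnN` value by the name carried in its `csNLabel`/`cnNLabel`, and decodes the `cs6` JSON. `SAMPLE` is the page's own log sample joined into one line; `parse_cef`, `file_hashes` and the `header`/`extension` output layout are names of my own choosing.

```python
import json
import re

# An unescaped '|' separates the seven header fields; the rest of the line is the extension.
_HEADER_RE = re.compile(r"(?<!\\)\|")
# An extension key is a run of word characters followed by '=' at the start of the
# extension or right after whitespace. CEF requires a literal '=' inside a value to
# be escaped as '\=', so this boundary is safe for free-text values such as msg.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")
_UNESCAPE = {r"\=": "=", r"\\": "\\", r"\n": "\n", r"\r": "\r", r"\|": "|"}
HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

# The log sample from this page, joined back into the single line TMES emits.
SAMPLE = (
    "CEF:0|Trend Micro|TMES|1.0.0.0|100101|DETECTION|6|rt=2019-12-10T08:26:46.728Z "
    "cs1Label=eventType cs1=virus cs2Label=domainName cs2=example1.com "
    "suser=user1@example1.com duser=user2@example2.com cs3Label=direction "
    "cs3=incoming cs4Label=messageId cs4=201605181642138223747@trend.com "
    "msg=test sample cn1Label=messageSize cn1=1809 cs5Label=policyName "
    'cs5=Test Rule act=Quarantine cs6Label=details cs6={"threatNames":"Troj",'
    '"fileInfo":[{"fileName":"file1","fileSha256":"abcd1234dae60bcae54516be6c9953b4'
    'bb9644e188606ceac00feebf95bbf10e","threatName":"Troj"}]}'
)

def _unescape(value: str) -> str:
    return re.sub(r"\\[=\\nr|]", lambda m: _UNESCAPE[m.group(0)], value)

def parse_cef(line: str) -> dict:
    parts = _HEADER_RE.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    ext, raw = parts[7], {}
    keys = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):  # a value runs up to the start of the next key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw[m.group(1)] = _unescape(ext[m.end():end].strip())
    # Re-key csN/cnN by the name carried in csNLabel/cnNLabel (eventType, details, ...).
    extension = {raw.get(k + "Label", k): v for k, v in raw.items() if not k.endswith("Label")}
    if "messageSize" in extension:
        extension["messageSize"] = int(extension["messageSize"])
    if "details" in extension:  # cs6 carries a JSON document
        extension["details"] = json.loads(extension["details"])
    return {"header": header, "extension": extension}

def file_hashes(event: dict) -> list:
    # SHA-256 values from the cs6 details, ready for matching against a blocklist.
    details = event["extension"].get("details") or {}
    return [f["fileSha256"] for f in details.get("fileInfo", []) if "fileSha256" in f]
```

Values are returned as strings except `messageSize` (int) and `details` (decoded JSON); an empty `cs3` or `act`, as in the table, simply yields an empty string.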