| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Product vendor | Trend Micro |
| Header (pname) | Product name | Apex Central |
| Header (pver) | Product version | 2019 |
| Header (eventid) | Event ID | Log |
| Header (eventName) | Log name | Intrusion Prevention |
| Header (severity) | Severity | 3 |
| dvchost | Display name of the managed endpoint | Example: localhost |
| rt | Event trigger time in UTC | Example: Mar 22 2018 08:23:23 GMT+00:00 |
| src | Source IPv4 address | Example: 10.1.152.12 |
| c6a2Label | Corresponding label for the c6a2 field | SLF_SourceIPv6 |
| c6a2 | Source IPv6 address | Example: 2001:b011:1004:325b:8db7:6ca9:8fc5:321a |
| smac | Source MAC address | Example: 18:31:BF:4F:30:DD |
| spt | Source port | Example: 60886 |
| dst | Destination IPv4 address | Example: 10.1.153.151 |
| c6a3Label | Corresponding label for the c6a3 field | SLF_DestinationIPv6 |
| c6a3 | Destination IPv6 address | Example: 2001:b011:1004:325b:8db7:6ca9:8fc5:654a |
| dmac | Destination host MAC address | Example: D0:17:C2:95:ED:71 |
| dpt | Destination port | Example: 139 |
| cn2Label | Corresponding label for the cn2 field | Mode |
| cn2 | Indicates whether the system is in detection-only mode | Example: 0. 0 or NULL = No; 1 = Yes |
| act | Action taken on the traffic | Example: LOG. SLF_ACTION codes: 0 = UNKNOWN; 3 = DELETE; 6 = LOG; 10 = INSERT/REPLACE; 13 = BLOCK; 257 = RESET |
| deviceDirection | Direction of the traffic, incoming or outgoing | Example: Inbound |
| cn3Label | Corresponding label for the cn3 field | Priority |
| cn3 | Weighted priority of the incident, calculated as Severity x Asset Value | Example: 3 |
| cn4Label | Corresponding label for the cn4 field | Severity |
| cn4 | System-defined incident severity | Example: 1. 1 = LOW; 2 = MEDIUM; 3 = HIGH; 4 = CRITICAL |
| proto | Network protocol of the traffic that triggered the rule (Apex Central's own codes, not IANA protocol numbers) | Example: 10009. 28 = ICMP; 46 = ICMPv6; 10003 = TCP; 10004 = UDP; 10005 = IGMP; 10006 = GGP; 10007 = PUP; 10008 = IDP; 10009 = ND; 10010 = RAW |
| cs2Label | Corresponding label for the cs2 field | Application_Type |
| cs2 | Network application name | Example: DCERPC Services |
| cn1Label | Corresponding label for the cn1 field | Rule |
| cn1 | ID of the inspection rule | Example: 1005448 |
| cs1Label | Corresponding label for the cs1 field | Reason/Rule |
| cs1 | Rule ID and rule description as a single string | Example: 1005448 - SMB Null Session Detected - 1 |
| cnt | Aggregated count | Example: 1 |
| deviceFacility | Product | Example: Apex One |
| deviceNtDomain | Active Directory domain | Example: APEXTMCM |
| dntdom | Apex One domain hierarchy | Example: OSCEDomain1 |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3 |
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 |
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |
| TMCMdevicePlatform | Endpoint operating system | Example: Windows 7 6.1 (Build 7601) Service Pack 1 |
Log sample:

```text
CEF:0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|rt=Apr 20 2020 03:33:20 GMT+00:00 dvchost=OSCEClient23 deviceFacility=Apex One act=Log,src=10.1.1.9 dst=80.1.1.9 smac=54-BF-64-84-7F-09 spt=89 dmac=54-BF-64-84-7F-19 dpt=449 cn2Label=Mode cn2=0 deviceDirection=Inbound cn3Label=Priority cn3=1 cn4Label=Severity cn4=1 proto=10009 cs2Label=Application_Type cs2=N/A cn1Label=Rule cn1=1009549 cs1Label=Reason/Rule cs1=1009549 - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1015,T1043,T1076,T1048,T1032,T1071) cnt=1 deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 deviceFacility=Apex One TMCMLogDetectedHost=shost1 TMCMLogDetectedIP=10.1.1.9 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1
```

Two details of this sample trip a strict parser. The value of act is followed by a comma instead of a space (act=Log,src=10.1.1.9), so a parser that separates extension pairs on whitespace reads act as "Log,src=10.1.1.9" and finds no src key at all; and deviceFacility=Apex One appears twice. The action is also written as Log here while the table lists LOG, so match it case-insensitively. In general, treat the header as seven fixed-position fields separated by pipes and the extension as key=value pairs separated by whitespace, where a value may itself contain spaces (rt, cs1 and TMCMdevicePlatform all do) and a literal pipe, equals sign or backslash inside a value is escaped with a backslash.
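The following Python script is an added example for this page, not Trend Micro's code. It parses an Intrusion Prevention line the way the table above describes it, resolves each cnNLabel/csNLabel pair to the value it names, decodes act, cn4 and proto with the code tables listed above, pulls the ATT&CK technique IDs out of the cs1 text, and reports the anomalies in the page's own log sample (the comma after act=Log and the repeated deviceFacility key). The layout of the decoded record, the needs_attention triage rule, the handling of act given as a name rather than a code, and the second, constructed log line assembled from the table's example values are all assumptions made for this example.

```python
import re

# Enumerations as the table above lists them (Apex Central codes, not IANA numbers).
ACTION = {"0": "UNKNOWN", "3": "DELETE", "6": "LOG",
          "10": "INSERT/REPLACE", "13": "BLOCK", "257": "RESET"}
SEVERITY = {"1": "LOW", "2": "MEDIUM", "3": "HIGH", "4": "CRITICAL"}
PROTO = {"28": "ICMP", "46": "ICMPv6", "10003": "TCP", "10004": "UDP",
         "10005": "IGMP", "10006": "GGP", "10007": "PUP", "10008": "IDP",
         "10009": "ND", "10010": "RAW"}
HEADER_KEYS = ("version", "vendor", "product", "product_version",
               "event_id", "event_name", "severity")
KEY_RE = r"[A-Za-z0-9_.]+="  # an extension key immediately followed by '='


def unescape(value):
    """Undo the CEF escapes for '|', '=' and backslash (newline escapes left alone)."""
    return re.sub(r"\\([\\|=])", r"\1", value)


def split_cef(line):
    """Return (header dict, extension dict, warnings) for one CEF line."""
    # Seven header fields split on unescaped '|'; everything after is the extension.
    parts = re.split(r"(?<!\\)\|", line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line with seven header fields")
    header = dict(zip(HEADER_KEYS, (unescape(p) for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    ext, warnings = {}, []
    # Values may contain spaces (rt does), so split only on whitespace
    # that is followed by 'key='.
    for pair in re.split(r"\s+(?=" + KEY_RE + ")", parts[7].strip()):
        key, _, raw = pair.partition("=")
        if key in ext:
            warnings.append(f"duplicate key {key!r}")
        # ',key=' inside a value means two pairs were glued together without
        # the separating space; the page's sample has 'act=Log,src=10.1.1.9'.
        if re.search("," + KEY_RE, raw):
            warnings.append(f"value of {key!r} swallows another key: {raw!r}")
        ext[key] = unescape(raw)
    return header, ext, warnings


def decode_ips_event(line):
    """Flatten one Intrusion Prevention line into a decoded record (assumed layout)."""
    header, ext, warnings = split_cef(line)
    # cnNLabel / csNLabel give the meaning of the matching cnN / csN field.
    labels = {ext[k]: ext[k[:-5]] for k in ext
              if k.endswith("Label") and k[:-5] in ext}
    act, reason = ext.get("act", ""), labels.get("Reason/Rule", "")
    for required in ("src", "dst"):
        if required not in ext:
            warnings.append(f"missing {required}")
    return {
        "event_name": header["event_name"],
        "endpoint": ext.get("dvchost"),
        "src": ext.get("src"), "dst": ext.get("dst"),
        "dpt": int(ext["dpt"]) if ext.get("dpt", "").isdigit() else None,
        # act may carry the SLF_ACTION code or, as in the page's sample, its name.
        "action": ACTION.get(act, act.upper()),
        "severity": SEVERITY.get(labels.get("Severity", "")),
        "proto": PROTO.get(ext.get("proto", ""), ext.get("proto")),
        "detection_only": labels.get("Mode") == "1",
        "rule_id": labels.get("Rule"),
        "reason": reason,
        "attack_techniques": re.findall(r"\bT\d{4}\b", reason),  # from the cs1 text
        "warnings": warnings,
    }


def needs_attention(event):
    """Assumed triage rule: a HIGH/CRITICAL hit, or any hit while in detection-only
    mode, that was only logged rather than blocked, reset or deleted."""
    stopped = event["action"] in ("BLOCK", "RESET", "DELETE")
    serious = event["severity"] in ("HIGH", "CRITICAL") or event["detection_only"]
    return serious and not stopped


# The page's own log sample, joined back onto one line, anomalies included.
PAGE_SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|"
    "rt=Apr 20 2020 03:33:20 GMT+00:00 dvchost=OSCEClient23 deviceFacility=Apex One "
    "act=Log,src=10.1.1.9 dst=80.1.1.9 smac=54-BF-64-84-7F-09 spt=89 "
    "dmac=54-BF-64-84-7F-19 dpt=449 cn2Label=Mode cn2=0 deviceDirection=Inbound "
    "cn3Label=Priority cn3=1 cn4Label=Severity cn4=1 proto=10009 "
    "cs2Label=Application_Type cs2=N/A cn1Label=Rule cn1=1009549 cs1Label=Reason/Rule "
    "cs1=1009549 - Detected Terminal Services (RDP) Server Traffic - 1 "
    "(ATT&CK T1015,T1043,T1076,T1048,T1032,T1071) cnt=1 deviceNtDomain=APEXTMCM "
    "dntdom=OSCEDomain1 deviceFacility=Apex One TMCMLogDetectedHost=shost1 "
    "TMCMLogDetectedIP=10.1.1.9 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 "
    "TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1")

# Constructed line (not from the page) built from the table's example values,
# with a numeric act code and detection-only mode switched on.
CONSTRUCTED_SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|"
    "rt=Mar 22 2018 08:23:23 GMT+00:00 dvchost=localhost deviceFacility=Apex One "
    "act=6 src=10.1.152.12 spt=60886 dst=10.1.153.151 dpt=139 cn2Label=Mode cn2=1 "
    "deviceDirection=Inbound cn4Label=Severity cn4=3 proto=10003 "
    "cs2Label=Application_Type cs2=DCERPC Services cn1Label=Rule cn1=1005448 "
    "cs1Label=Reason/Rule cs1=1005448 - SMB Null Session Detected - 1 cnt=1")

if __name__ == "__main__":
    for line in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        ev = decode_ips_event(line)
        print(ev["rule_id"], ev["severity"], ev["action"], ev["proto"],
              "ATTENTION" if needs_attention(ev) else "ok", ev["warnings"])
```

Run with python3 and it prints one summary line per sample. The page's sample decodes as rule 1009549, LOW, protocol ND, with three warnings (the swallowed src key, the duplicate deviceFacility, and the resulting missing src); the constructed line (HIGH severity, detection-only mode, action LOG) is the one needs_attention flags, because the rule fired but nothing was blocked. The extension splitter keys on whitespace followed by `key=` rather than on every space precisely because rt, cs1 and TMCMdevicePlatform carry spaces in their values; the same trick is what makes the glued act value visible as an anomaly instead of silently misparsed data.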