CEF mail tracking logs (accepted traffic)

Views:

CEF Mail Tracking Logs (Accepted Traffic)

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF: 0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	TMES
Header (pver)	Appliance version	Example: 1.0.0.0
Header (eventid)	Signature ID	400101
Header (eventName)	Description	TRACKING
Header (severity)	Email severity	4
rt	Log generation time	Example: 2019-12-10T08:26:46.728Z
suser	Email sender	Example: user1@example1.com
duser	Email recipients	Example: user2@example2.com
msg	Email subject	Example: hello
src	Source IP address	Example: 10.1.144.199
deviceTranslatedAddress	Relay MTA IP address	Example: 204.92.31.146
cs1Label	Internal email message ID	mailUuid
cs1	Internal email message ID	Example: 6965222B-13A6-C705-89D4-6251B6C41E03
cs2Label	Email message direction	direction
cs2	Email message direction	incoming outgoing
cs3Label	Unique message identifier	messageId
cs3	Unique message identifier	Example: 201605181642138223747@trend.com
cs4Label	Email attachments	attachments
cs4	Email attachments	Example: [["filename", "sha256"], ["filename", "sha256"], ...]
cn1Label	Email message size	messageSize
cn1	Email message size	Example: 1809
act	Action on an email message	Bounced Temporary delivery error Deleted Delivered Expired Quarantined Redirected Submitted to sandbox Password analyzing
cs5Label	TLS information	tlsInfo
cs5	TLS information	Example: upstreamTLS: None; downstreamTLS: TLS 1.2
cs6Label	URLs embedded in email	embeddedUrl
cs6	URLs embedded in email	Example: ["http://example1.com", "http://example2.com"]

Log sample:

CEF:0|Trend Micro|TMES|1.0.0.0|400101|TRACKING|4|rt=2019-12-10T08:26:46.728Z 
suser=user1@example1.com duser=user2@example2.com msg=DLP--test src=1.1.1.1 
deviceTranslatedAddress=2.2.2.2 cs1Label=mailUuid 
cs1=7ea8f636-c26e-4b78-a341-9b5becb83db7 cs2Label=direction cs2=incoming 
cs3Label=messageId cs3=<201802061558581772031@example.com> 
cn1Label=messageSize cn1=41438 act=Delivered cs4Label=attachments 
cs4=[{"sha256":"f78960148721b59dcb563b9964a4d47e2a834a4259f46cd12db7c1cfe82ff32e"}] 
cs5Label=tlsInfo cs5=upstreamTLS: None; downstreamTLS: TLS 1.2
cs6Lable=embeddedUrl cs6=["http://example1.com", "http://example2.com"]