| CEF key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Apex Central |
| Header (pver) | Appliance version | 2019 |
| Header (eventid) | NCIE:Action | NCIE:Pass |
| Header (eventName) | Name | Suspicious Connection |
| Header (severity) | Severity | 3 |
| deviceExternalId | ID | Example: 1 |
| cat | Log type | Example: 1756 |
| deviceFacility | Product | Example: Apex One |
| rt | Event trigger time in UTC | Example: Mar 22 2018 08:23:23 GMT+00:00 |
| deviceProcessName | Process | Example: C:\\Windows\\system32\\svchost-1.exe |
| src | Local IPv4 address | Example: 10.201.86.152 |
| c6a2Label | Corresponding label for the c6a2 field | Example: SLF_SourceIP |
| c6a2 | Local IPv6 address | Example: 2620:101:4003:7a0:fd4b:52ed:53bd:ae3d |
| spt | Local IP address port | Example: 54594 |
| dst | Remote IPv4 address | Example: 10.69.81.64 |
| c6a3Label | Corresponding label for the c6a3 field | Example: SLF_DestinationIP |
| c6a3 | Remote IPv6 address | Example: fe80::38ca:cd15:443c:40bb%11 |
| dpt | Remote IP address port | Example: 80 |
| act | Action | Example: Pass. Values: 0 = Unknown; 1 = Pass; 2 = Block; 3 = Monitor; 4 = Delete; 5 = Quarantine; 6 = Warn; 7 = Warn and continue; 8 = Override |
| deviceDirection | Traffic direction | Example: Inbound. Values: 0 = None; 1 = Inbound; 2 = Outbound |
| cn1Label | Corresponding label for the cn1 field | Example: SLF_PatternType |
| cn1 | Pattern type | Example: 2. Values: 0 = Global C&C pattern; 1 = Relevance rules; 2 = User-defined block list |
| cs2Label | Corresponding label for the cs2 field | Example: NCIE_ThreatName |
| cs2 | Threat name | Example: Malicious_identified_CnC_querying_on_UDP_detected |
| reason | Critical threat type | Example: E. Values: A = Known Advanced Persistent Threat (APT); B = Social engineering attack; C = Vulnerability attack; D = Lateral movement; E = Unknown threats; F = C&C callback; G = Ransomware |
| dvchost | Host name | Example: "localhost" |
| deviceNtDomain | Active Directory domain | Example: APEXTMCM |
| dntdom | Apex One domain hierarchy | Example: OSCEDomain1 |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3 |
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 |
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |
| TMCMdevicePlatform | Endpoint operating system | Example: Windows 7 6.1 (Build 7601) Service Pack 1 |
Log sample (one record on a single line; the space between TMCMLogDetectedIP and ApexCentralHost, lost in the original line wrapping, is restored):

```text
CEF:0|Trend Micro|Apex Central|2019|NCIE:Pass|Suspicious Connection|3|deviceExternalId=1 rt=Oct 11 2017 06:34:06 GMT+00:00 cat=1756 deviceFacility=Apex One deviceProcessName=C:\\Windows\\system32\\svchost-1.exe act=Pass src=10.201.86.152 dst=10.69.81.64 spt=54594 dpt=80 deviceDirection=None cn1Label=SLF_PatternType cn1=2 cs2Label=NCIE_ThreatName cs2=Malicious_identified_CnC_querying_on_UDP_detected reason=F deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 dvchost=shost1 TMCMLogDetectedHost=shost1 TMCMLogDetectedIP=10.1.2.3 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1
```
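As an added example (not Trend Micro's code), the following Python parser consumes the Suspicious Connection record above: it splits the pipe-delimited header on unescaped pipes, walks the key=value extension without breaking values that contain spaces (rt, deviceFacility, TMCMdevicePlatform), renames the cn1/cs2/c6a2 custom fields to the names carried in their *Label partners, decodes act, deviceDirection, cn1 and reason with the code tables from the field list, and applies a triage rule that flags a C&C callback the endpoint only passed. The embedded SAMPLE is the page's log sample rejoined onto one line with the space before ApexCentralHost restored; the function and table names are this example's own.

```python
import re
# Code tables taken from the Suspicious Connection (NCIE) field list above.
ACTION = {"0": "Unknown", "1": "Pass", "2": "Block", "3": "Monitor", "4": "Delete",
          "5": "Quarantine", "6": "Warn", "7": "Warn and continue", "8": "Override"}
DIRECTION = {"0": "None", "1": "Inbound", "2": "Outbound"}
PATTERN = {"0": "Global C&C pattern", "1": "Relevance rules", "2": "User-defined block list"}
REASON = {"A": "Known Advanced Persistent Threat (APT)", "B": "Social engineering attack",
          "C": "Vulnerability attack", "D": "Lateral movement", "E": "Unknown threats",
          "F": "C&C callback", "G": "Ransomware"}
HEADER = ["version", "vendor", "product", "product_version", "event_id", "name", "severity"]
# A key is word characters plus '=' at the start or after whitespace; a value runs up to the
# next key, so values with spaces ("rt=Oct 11 2017 06:34:06 GMT+00:00") survive intact.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def _unescape(text, header=False):
    # CEF escapes '\' as '\\' everywhere, '|' as '\|' in the header and '=' as '\=' in the extension.
    text = text.replace(r"\|", "|") if header else text.replace(r"\=", "=")
    return text.replace(r"\\", "\\").strip()

def parse_cef(line):
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # split on unescaped pipes only
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    hdr = dict(zip(HEADER, (_unescape(p, header=True) for p in parts[:7])))
    hdr["version"] = hdr["version"][len("CEF:"):]
    body, keys, ext = parts[7], list(KEY_RE.finditer(parts[7])), {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        ext[m.group(1)] = _unescape(body[m.end():end])
    # Rename ArcSight custom fields (cn1, cs2, c6a2, ...) to the name carried in their *Label partner.
    for label in [k for k in ext if k.endswith("Label") and k[:-5] in ext]:
        ext[ext.pop(label)] = ext.pop(label[:-5])
    return hdr, ext

def describe(ext):
    # Decode the coded fields; act and deviceDirection may already be textual ("Pass", "None").
    get = lambda table, key: table.get(ext.get(key), ext.get(key))
    return {"action": get(ACTION, "act"), "direction": get(DIRECTION, "deviceDirection"),
            "pattern": get(PATTERN, "SLF_PatternType"), "threat_type": get(REASON, "reason")}

def passed_cnc_callback(ext):
    # Triage rule: a C&C callback (reason F) that was passed rather than blocked needs an analyst.
    d = describe(ext)
    return d["threat_type"] == "C&C callback" and d["action"] == "Pass"

# The page's log sample, joined back onto one line.
SAMPLE = ("CEF:0|Trend Micro|Apex Central|2019|NCIE:Pass|Suspicious Connection|3|deviceExternalId=1 "
          "rt=Oct 11 2017 06:34:06 GMT+00:00 cat=1756 deviceFacility=Apex One "
          r"deviceProcessName=C:\\Windows\\system32\\svchost-1.exe act=Pass src=10.201.86.152 "
          "dst=10.69.81.64 spt=54594 dpt=80 deviceDirection=None cn1Label=SLF_PatternType cn1=2 "
          "cs2Label=NCIE_ThreatName cs2=Malicious_identified_CnC_querying_on_UDP_detected reason=F "
          "deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 dvchost=shost1 TMCMLogDetectedHost=shost1 "
          "TMCMLogDetectedIP=10.1.2.3 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-"
          "9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1")
```

Running `parse_cef(SAMPLE)` and `passed_cnc_callback(ext)` on the sample returns True, because the record carries reason=F (C&C callback) together with act=Pass.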