| CEF Key | Description | Example |
|---|---|---|
| Header (Device Event Class ID) | Unique identifier per event type | `900002` |
| Header (Device Product) | Product of the sending device | `Vision One` |
| Header (Device Vendor) | Product vendor | `Trend Micro` |
| Header (Device Version) | Service version | `1.0.0` |
| Header (Name) | Category of the event | `Vision One Observed Attack Techniques` |
| Header (Severity) | Importance of the event | `1`: Undefined; `2`: Info; `3`: Low; `5`: Medium; `7`: High; `9`: Critical |
| Header (Version) | CEF format version | `CEF:0` |
| act | Action taken for the violation | `Not blocked`; `Block`; `Reset` |
| app | Network protocol being exploited | `HTTP`; `KERBEROS`; `TCP` |
| cat | Detection name | `Connection to Commonly Used Ports` |
| cs1 | MITRE tactics list | `TA0002, TA0006` |
| cs1Label | Corresponding label for the `cs1` field | `MITRE Tactic IDs` |
| cs2 | MITRE techniques list | `T1003.001, T1059.001` |
| cs2Label | Corresponding label for the `cs2` field | `MITRE Technique IDs` |
| deviceDirection | Device direction | `0` (inbound); `1` (outbound) |
| deviceExternalId | GUID of the agent that reported this detection | `B0DA10B4-EA5A-44EA-8D78-41FE6CD1C3E2` |
| deviceFacility | Product name | `Trend Micro Deep Security`; `Deep Discovery Inspector`; `Apex One` |
| deviceProcessName | Process name on the device | `C:\\Users\\Administrator\\AppData\\Local\\Programs\\Python\\Python38-32\\python.exe` |
| dst | Destination IP | `239.255.255.250` |
| dhost | Destination hostname | `10.46.91.40` |
| dpt | Port of `dst` | `8080` |
| dvchost | Endpoint hostname | `ip-10-209-120-47.ap-northeast-1.compute.internal` |
| externalId | Event ID | `100116`; `100117`; `100119` |
| msg | Filter description | `Detects the connection to commonly used ports` |
| request | Notable URL | `http://detectportal.firefox.com/canonical.html`; `http://35.247.144.219/`; `http://35.247.144.219` |
| rt | Event time | `Dec 05 2022 05:26:45` |
| shost | Source hostname | `dns.google` |
| src | Source IP | `8.8.8.8` |
| spt | Port of `src` | `544` |
| TrendMicroV1CompanyID | Company ID | `68960c94-9be6-4343-a4ca-6408de7aa331` |
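As an added example (not Trend Micro's code, and not taken from this page), the following Python parser consumes a single Observed Attack Techniques CEF record shaped like the table above: it splits the seven header fields on unescaped `|`, splits the extension into key/value pairs, undoes CEF escaping (so `\\` in `deviceProcessName` becomes a single backslash), resolves `cs1Label`/`cs2Label` into named fields, and maps the numeric severity and `deviceDirection` to the labels listed in the table. The sample record `SAMPLE_CEF` is constructed here from the table's example values; the output field names (`mitre_tactics`, `severity_label`, `direction`) are this example's own choice, not Vision One identifiers.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample record, assembled from the example values in the field table above.
SAMPLE_CEF = (
    "CEF:0|Trend Micro|Vision One|1.0.0|900002|"
    "Vision One Observed Attack Techniques|7|"
    "rt=Dec 05 2022 05:26:45 act=Not blocked app=TCP "
    "cat=Connection to Commonly Used Ports "
    "msg=Detects the connection to commonly used ports "
    "cs1=TA0002, TA0006 cs1Label=MITRE Tactic IDs "
    "cs2=T1003.001, T1059.001 cs2Label=MITRE Technique IDs "
    "deviceDirection=1 "
    "deviceExternalId=B0DA10B4-EA5A-44EA-8D78-41FE6CD1C3E2 "
    "deviceFacility=Apex One "
    # Backslashes are doubled on the wire, exactly as in the table's example.
    "deviceProcessName=C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Programs"
    "\\\\Python\\\\Python38-32\\\\python.exe "
    "dst=239.255.255.250 dhost=10.46.91.40 dpt=8080 "
    "dvchost=ip-10-209-120-47.ap-northeast-1.compute.internal "
    "externalId=100116 request=http://35.247.144.219/ "
    "shost=dns.google src=8.8.8.8 spt=544 "
    "TrendMicroV1CompanyID=68960c94-9be6-4343-a4ca-6408de7aa331"
)

# Order of the seven CEF header fields (names chosen for this example).
HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity"]

# Severity values documented in the table.
SEVERITY_LABELS = {1: "Undefined", 2: "Info", 3: "Low", 5: "Medium", 7: "High", 9: "Critical"}
DIRECTION_LABELS = {"0": "inbound", "1": "outbound"}

# A new extension key starts at the beginning of the extension or after whitespace.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def _unescape(value: str) -> str:
    """Undo CEF escaping: '\\\\' -> '\\', '\\=' -> '=', '\\|' -> '|', '\\n'/'\\r' -> newline/CR."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(line: str) -> Tuple[List[str], str]:
    """Split the header on unescaped '|' and return (7 unescaped fields, raw extension)."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped '|' or '\' inside a header field
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 '|'-separated fields")
    return fields, line[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value key=value' into a dict; values may contain spaces, '=' is escaped as '\\='."""
    out: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def _id_list(value: str) -> List[str]:
    """Turn a comma-separated MITRE ID list such as 'TA0002, TA0006' into a Python list."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_oat_event(line: str) -> dict:
    """Parse one Observed Attack Techniques CEF record into a normalized dict."""
    header, ext_raw = _split_header(line)
    event = dict(zip(HEADER_FIELDS, header))
    if not event["version"].startswith("CEF:"):
        raise ValueError("not a CEF record")
    severity = int(event["severity"])
    event["severity"] = severity
    event["severity_label"] = SEVERITY_LABELS.get(severity, "Unknown")
    ext = parse_extension(ext_raw)
    event["extension"] = ext
    # csNLabel names the meaning of csN; expose the labelled values under their label.
    labelled = {ext[f"cs{n}Label"]: ext[f"cs{n}"]
                for n in range(1, 7) if f"cs{n}Label" in ext and f"cs{n}" in ext}
    event["labelled"] = labelled
    event["mitre_tactics"] = _id_list(labelled.get("MITRE Tactic IDs", ""))
    event["mitre_techniques"] = _id_list(labelled.get("MITRE Technique IDs", ""))
    event["direction"] = DIRECTION_LABELS.get(ext.get("deviceDirection", ""), "unknown")
    return event


if __name__ == "__main__":
    ev = parse_oat_event(SAMPLE_CEF)
    print(ev["name"], ev["severity_label"], ev["mitre_techniques"], ev["extension"]["deviceProcessName"])
```

The header scanner and the extension splitter are kept separate because the two parts of a CEF record escape differently: the header escapes `|`, the extension escapes `=`, and both escape the backslash. Keys are matched only where they follow whitespace, so a value containing spaces (the `rt` timestamp or the `cat` detection name) is not split until the next `key=` token.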