Views:
CEF Key
Description
Value
Header (logVer)
CEF format version
CEF:0
Header (vendor)
Product vendor
Trend Micro
Header (pname)
Product name
Apex Central
Header (pver)
Product version
2019
Header (eventid)
PML:Action result
PML:File cleaned
Header (eventName)
Detection name
virusa
Header (severity)
Severity
3
rt
Event trigger time in UTC
Example: Mar 22 2018 08:23:23 GMT+00:00
dvchost
Product server
Example: Sample_Host
cn1Label
Corresponding label for the cn1 field
ThreatType
cn1
Probable threat type
Example: 35143
For more information, see Threat Type Mapping Table.
cs2Label
Corresponding label for the cs2 field
DetectionName
cs2
Security threat
Example: Troj.Win32.TRX.XXPE002FF017
shost
Infected endpoint
Example: 10.0.0.1
suser
Logon user
Example: TREND\\User
cn2Label
Corresponding label for the cn2 field
DetectionType
cn2
Detection type
Example: 0
  • 0: File
  • 1: Process
filePath
File path
Example: "D:\\"
fname
File name
Example: "ALCORMP.EXE"
deviceCustomDate1
File creation time
Example: 2017-04-26 05:53:27.000
sproc
System process
Example: notepad.exe
cn4Label
Corresponding label for the cn4 field
ProcessCommandLine
cs4
Process command
Example: notepad.exe
duser
Process owner
Example: user1
app
Infection channel
Example: 10
  • 0: Unknown
  • 1: Local drive
  • 2: Network drive
  • 3: AutoRun files
  • 10: Web
  • 11: Email
  • 999: Local or network drive
cs3Label
Corresponding label for the cs3 field
InfectionLocation
cs3
Infection source
Example: http://10.0.0.1/
dst
Product/Endpoint IPv4 Address
Example: 10.0.17.6
c6a3Label
Corresponding label for the c6a3 field
Product/Endpoint IP
c6a3
Product/Endpoint IPv6 Address
Example: fd66:5168:9882:6:b5b0:b2b5:4173:3f5d
cn3Label
Corresponding label for the cn3 field
Confidence
cn3
Threat probability
Example: 82
act
Action result
Example: 21
For more information, see Action Mapping Table.
filehash
File SHA-1
Example: 52c17c785b45ee961f68fb17744276076f383085
dhost
Product entity/endpoint
Example: dhost1
deviceExternalId
Log sequence number
Example: 100
deviceFacility
Product
Example: Apex One
reason
Critical threat type
Example: E
  • A: Known Advanced Persistent Threat (APT)
  • B: Social engineering attack
  • C: Vulnerability attack
  • D: Lateral movement
  • E: Unknown threats
  • F: C&C callback
  • G: Ransomware
deviceNtDomain
Active Directory domain
Example: APEXTMCM
dntdom
Apex One domain hierarchy
Example: OSCEDomain1
TMCMLogDetectedHost
Endpoint name where the log event occurred
Example: MachineHostName
TMCMLogDetectedIP
IP address where the log event occurred
Example: 10.1.2.3
ApexCentralHost
Apex Central host name
Example: TW-CHRIS-W2019
devicePayloadId
Unique message GUID
Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697
TMCMdevicePlatform
Endpoint operating system
Example: Windows 7 6.1 (Build 7601) Service Pack 1
Log sample:
CEF:0|Trend Micro|Apex Central|2019|PML:File cleaned|Detecti
on01|3|deviceExternalId=1 rt=Dec 01 2018 16:01:00 GMT+00:00 
deviceFacility=15 dvchost=OSCE01 cn1Label=ThreatType cn1=1 c
s2Label=DetectionName cs2=Detection01 shost=10.0.0.1 suser=S
ample_Domain\\Sample_User cn2Label=DetectionType cn2=0 fileP
ath=C:\\test01\\aaa.exe fname=aaa.exe deviceCustomDate1Label
=FileCreationDate deviceCustomDate1=Dec 02 2018 00:01:00 GMT
+00:00 sproc=notepad.exe cs4Label=ProcessCommandLine cs4=not
epad.exe -test duser=admin01 app=1 cs3Label=InfectionLocatio
n cs3=https://10.1.1.1 dst=80.1.1.1 cn3Label=Confidence cn3=
81 act=21 fileHash=177750B65A21A9043105FD0820B85B58CF148A01 
dhost=OSCEClient11 reason=E deviceNtDomain=APEXTMCM dntdom=O
SCEDomain1 TMCMLogDetectedHost=OSCEClient11 TMCMLogDetectedI
P=80.1.1.1 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C
00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windo
ws 7 6.1 (Build 7601) Service Pack 1
Related information
Keywords: Predictive Machine Learning