| CEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Apex Central |
| Header (pver) | Appliance version | 2019 |
| Header (eventid) | FH:Action | FH:Log |
| Header (eventName) | Name | Suspicious Files |
| Header (severity) | Severity | 3 |
| deviceExternalId | ID | Example: 1 |
| cat | Log type | Example: 1766 |
| deviceFacility | Product | Example: Apex One |
| cn1Label | Corresponding label for the cn1 field | Example: SLF_ProductVersion |
| cn1 | Product version | Example: 11 |
| rt | Event trigger time in UTC | Example: Mar 22 2018 08:23:23 GMT+00:00 |
| dst | Endpoint IPv4 address | Example: 10.201.86.151 |
| c6a3Label | Corresponding label for the c6a3 field | Example: Endpoint IPv6 Address |
| c6a3 | Endpoint IPv6 address | Example: 2620:101:4003:7a0:fd4b:52ed:53bd:ae3d |
| dhost | Endpoint host name | Example: APEX-ONE-CLIENT-1 |
| cs2Label | Corresponding label for the cs2 field | Example: SLF_TrueFileType |
| cs2 | File type | Example: TEXT |
| fileHash | File SHA-1 | Example: D6712CAE5EC821F910E14945153AE7871AA536CA |
| cs3Label | Corresponding label for the cs3 field | Example: SLF_FileSource |
| cs3 | File path | Example: C:\\Users\\Administrator\\Desktop\\BT-SHA1-SAMPLE\\BT-SHA1-SAMPLE\\017545113A434757C5F0F13095DBBF138BD76A40;0x36D572AE |
| cn2Label | Corresponding label for the cn2 field | Example: SLF_SourceType |
| cn2 | C&C list source | Example: 0 (0: Sandbox; 1: User-defined) |
| act | Action | Example: Log (1: Log; 2: Block; 3: Quarantine) |
| cn3Label | Corresponding label for the cn3 field | Example: SLF_ScanType |
| cn3 | Scan type | Example: 1 (1: Scheduled scan; 2: Manual scan; 3: Scan now; 4: Real-time scan) |
| reason | Critical threat type | Example: E (A: Known Advanced Persistent Threat (APT); B: Social engineering attack; C: Vulnerability attack; D: Lateral movement; E: Unknown threats; F: C&C callback; G: Ransomware) |
| deviceNtDomain | Active Directory domain | Example: APEXTMCM |
| dntdom | Apex One domain hierarchy | Example: OSCEDomain1 |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3 |
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 |
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |
| TMCMdevicePlatform | Endpoint operating system | Example: Windows 7 6.1 (Build 7601) Service Pack 1 |
Log sample:

```
CEF:0|Trend Micro|Apex Central|2019|FH:Log|Suspicious Files|3|deviceExternalId=1 rt=Nov 15 2016 02:47:21 GMT+00:00 cat=1766 deviceFacility=Apex One cn1Label=SLF_ProductVersion cn1=11 dst=10.201.86.151 dhost=APEX-ONE-CLIENT-1 cs2Label=SLF_TrueFileType cs2=SLF_TrueFileType fileHash=D6712CAE5EC821F910E14945153AE7871AA536CA cs3Label=SLF_FileSource cs3=C:\\Users\\Administrator\\Desktop\\BT-SHA1-SAMPLE\\BT-SHA1-SAMPLE\\017545113A434757C5F0F13095DBBF138BD76A40;0x36D572AE cn2Label=SLF_SourceType cn2=0 act=Log cn3Label=SLF_ScanType cn3=1 reason=E deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=APEX-ONE-CLIENT-1 TMCMLogDetectedIP=10.201.86.151 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1
```
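As an added example (not part of the Trend Micro documentation), a parser for this log format: it splits the seven-field CEF header on unescaped pipes, handles extension values that contain spaces, resolves the cnNLabel/csNLabel indirection and decodes the cn2, act, cn3 and reason codes from the table above. The function name `parse_cef` and the constructed `SAMPLE` (modelled on the log sample, with a shortened path) are this example's own.

```python
import re

# Constructed sample modelled on this page's log sample (path shortened; CEF writes "\\" for
# a backslash and the Python literal doubles that again).
SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|FH:Log|Suspicious Files|3|"
    "deviceExternalId=1 rt=Nov 15 2016 02:47:21 GMT+00:00 cat=1766 deviceFacility=Apex One "
    "cn1Label=SLF_ProductVersion cn1=11 dst=10.201.86.151 dhost=APEX-ONE-CLIENT-1 "
    "cs2Label=SLF_TrueFileType cs2=TEXT fileHash=D6712CAE5EC821F910E14945153AE7871AA536CA "
    "cs3Label=SLF_FileSource cs3=C:\\\\Users\\\\Administrator\\\\Desktop\\\\sample.bin "
    "cn2Label=SLF_SourceType cn2=0 act=Log cn3Label=SLF_ScanType cn3=1 reason=E "
    "TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1"
)
HEADER = ("version", "vendor", "product", "product_version", "event_id", "name", "severity")
# Code tables as documented for cn2, act, cn3 and reason in the table above
SOURCE_TYPE = {"0": "Sandbox", "1": "User-defined"}
ACTION = {"1": "Log", "2": "Block", "3": "Quarantine"}
SCAN_TYPE = {"1": "Scheduled scan", "2": "Manual scan", "3": "Scan now", "4": "Real-time scan"}
THREAT_TYPE = {"A": "Known Advanced Persistent Threat (APT)", "B": "Social engineering attack",
               "C": "Vulnerability attack", "D": "Lateral movement", "E": "Unknown threats",
               "F": "C&C callback", "G": "Ransomware"}

def _unescape(value: str) -> str:
    # CEF escapes: "\\" -> "\", "\|" (header) and "\=" (extension) -> literal, "\n"/"\r" -> newline
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)

def parse_cef(line: str) -> dict:
    # Header: seven fields split on unescaped "|"; everything after the seventh is the extension
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    event = dict(zip(HEADER, map(_unescape, [parts[0][4:], *parts[1:7]])))
    # Extension values may contain spaces (rt, TMCMdevicePlatform), so locate the keys first and
    # take the text up to the next key as the value; CEF escapes "=" in values as "\=" for this.
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", parts[7]))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        fields[m[1]] = _unescape(parts[7][m.end():end].strip())
    # Resolve the cnNLabel/csNLabel/c6aNLabel indirection, e.g. SLF_FileSource -> value of cs3
    for key, label in list(fields.items()):
        if key.endswith("Label") and key[:-5] in fields:
            fields[label] = fields[key[:-5]]
    # Decode the coded fields so detection rules can match on words instead of digits/letters
    for key, name, table in (("cn2", "source_type", SOURCE_TYPE), ("act", "action", ACTION),
                             ("cn3", "scan_type", SCAN_TYPE), ("reason", "threat_type", THREAT_TYPE)):
        if key in fields:
            fields[name] = table.get(fields[key], fields[key])
    event["extension"] = fields
    return event
```

Note that `act` is shown as a word (`Log`) in the sample but as a numeric code in the table, so the decoder passes non-numeric values through unchanged.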