| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Apex Central |
| Header (pver) | Appliance version | 2019 |
| Header (eventid) | WB:Filter/Blocking Type | WB:1 |
| Header (eventName) | Blocking Rule or Filter/Blocking Type | 5 |
| Header (severity) | Severity | 3 |
| app | Protocol | Example: 3. For more information, see Protocol Mapping Table. |
| cnt | Detections | Example: 10 |
| dpt | Server port | Example: 80 |
| act | Action | Example: 0 (0: Unknown; 1: Pass; 2: Block; 3: Monitor; 4: Delete; 5: Quarantine; 6: Warn; 7: Warn and continue; 8: Override) |
| rt | Event trigger time in UTC | Example: Mar 22 2018 08:23:23 GMT+00:00 |
| src | Endpoint IPv4 address | Example: 10.1.128.34 |
| c6a2Label | Corresponding label for the c6a2 field | Example: SLF_SourceIP |
| c6a2 | Endpoint IPv6 address | Example: 2620:101:4003:7a0:fd4b:52ed:53bd:ae3d |
| cs1Label | Corresponding label for the cs1 field | Example: SLF_PolicyName |
| cs1 | Policy | Example: External User Policy |
| cs4Label | Corresponding label for the cs4 field | Example: CLF_ReasonCode |
| cs4 | Reason code | Example: access |
| cs5Label | Corresponding label for the cs5 field | Example: CLF_ReasonCodeSource |
| cs5 | Reason code source | Example: web |
| deviceDirection | Traffic/Connection | Example: 2 (0: None; 1: Inbound; 2: Outbound) |
| cat | Filter/Blocking Type | Example: 7. For more information, see Filter/Blocking Type Mapping Table. |
| dvchost | Endpoint host name | Example: ApexOneClient08 |
| cn1Label | Corresponding label for the cn1 field | Example: CLF_SeverityCode |
| cn1 | Severity code | Example: 0 (0: Unknown; 1: Information; 2: Warning; 3: Error; 4: Critical) |
| deviceExternalId | ID | Example: 38 |
| fname | File | Example: test.txt |
| request | URL | Example: http://www.violetsoft.net/counter/insert.php?dbserver\=db1&c_pcode\=25&c_pid\=funpop1&c_kind\=4&c_mac\=FE-ED-BE-EF-0C-E1 |
| deviceFacility | Product | Example: Apex One |
| duser | User name | Example: Admin004 |
| shost | Client host name | Example: ABC-HOST-WKS12 |
| cs2Label | Corresponding label for the cs2 field | Example: Blocking_Rule |
| cs2 | Blocking rule | Example: content filter |
| deviceProcessName | Process name | Example: C:\\Windows\\system32\\svchost-1.exe |
| cn3Label | Corresponding label for the cn3 field | Example: ReputationScore |
| cn3 | Reputation score | Example: 49 |
| dst | Server IP address | Example: 10.69.81.64 |
| cn2Label | Corresponding label for the cn2 field | Example: SLF_SeverityLevel |
| cn2 | Severity level | Example: 100 (100: High; 300: Medium high; 500: Medium; 700: Medium low; 900: Low) |
| reason | Critical threat type | Example: E (A: Known Advanced Persistent Threat (APT); B: Social engineering attack; C: Vulnerability attack; D: Lateral movement; E: Unknown threats; F: C&C callback; G: Ransomware) |
| deviceNtDomain | Active Directory domain | Example: APEXTMCM |
| dntdom | Apex One domain hierarchy | Example: OSCEDomain1 |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3 |
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 |
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |
| TMCMdevicePlatform | Endpoint operating system | Example: Windows 7 6.1 (Build 7601) Service Pack 1 |
Log sample (one record, shown on a single line):

```text
CEF:0|Trend Micro|Apex Central|2019|WB:7|7|3|deviceExternalId=38 rt=Nov 15 2017 08:43:57 GMT+00:00 app=17 cntLabel=AggregatedCount cnt=1 dpt=80 act=1 src=10.1.128.46 cs1Label=SLF_PolicyName cs1=External User Policy deviceDirection=2 cat=7 dvchost=ApexOneClient08 fname=test.txt request=http://www.violetsoft.net/counter/insert.php?dbserver\=db1&c_pcode\=25&c_pid\=funpop1&c_kind\=4&c_mac\=FE-ED-BE-EF-0C-E1 deviceFacility=Apex One shost=ABC-HOST-WKS12 reason=G deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=ABC-HOST-WKS12 TMCMLogDetectedIP=10.1.128.46 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1
```
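The field table above is only useful once a collector can actually split a WB record into the seven header fields and the `key=value` extension, pair each `csN`/`cnN` value with its `csNLabel`, and decode the coded fields (`act`, `deviceDirection`, `cn2`, `reason`). The parser below is an added example written for this page, not Trend Micro's code. It assumes the standard CEF escaping that the sample record already shows (`\|` and `\\` inside header fields, `\=` and `\\` inside extension values). `SAMPLE_PAGE` is the page's own log sample re-joined onto one line; `SAMPLE_CONSTRUCTED` is a made-up second record that exercises every escape form, and the `needs_triage` rule at the end is our own defender-side example of what to do with the decoded fields.

```python
r"""Parse Apex Central Web Reputation (WB) CEF records into labelled, decoded fields.

Added example, not Trend Micro's code. Escaping assumed from the CEF standard and
the sample above: \| and \\ in header fields, \= and \\ in extension values.
SAMPLE_CONSTRUCTED and the needs_triage rule are constructed for illustration.
"""
import re

# Code tables transcribed from the field table above.
ACTION = {"0": "Unknown", "1": "Pass", "2": "Block", "3": "Monitor", "4": "Delete",
          "5": "Quarantine", "6": "Warn", "7": "Warn and continue", "8": "Override"}
DIRECTION = {"0": "None", "1": "Inbound", "2": "Outbound"}
SEVERITY_LEVEL = {"100": "High", "300": "Medium high", "500": "Medium",
                  "700": "Medium low", "900": "Low"}
THREAT_TYPE = {"A": "Known Advanced Persistent Threat (APT)", "B": "Social engineering attack",
               "C": "Vulnerability attack", "D": "Lateral movement", "E": "Unknown threats",
               "F": "C&C callback", "G": "Ransomware"}
HEADER_NAMES = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

# The page's log sample, re-joined onto one line.
SAMPLE_PAGE = (r"CEF:0|Trend Micro|Apex Central|2019|WB:7|7|3|deviceExternalId=38 "
    r"rt=Nov 15 2017 08:43:57 GMT+00:00 app=17 cntLabel=AggregatedCount cnt=1 dpt=80 act=1 "
    r"src=10.1.128.46 cs1Label=SLF_PolicyName cs1=External User Policy deviceDirection=2 cat=7 "
    r"dvchost=ApexOneClient08 fname=test.txt request=http://www.violetsoft.net/counter/"
    r"insert.php?dbserver\=db1&c_pcode\=25&c_pid\=funpop1&c_kind\=4&c_mac\=FE-ED-BE-EF-0C-E1 "
    r"deviceFacility=Apex One shost=ABC-HOST-WKS12 reason=G deviceNtDomain=APEXTMCM "
    r"dntdom=OSCEDomain1 TMCMLogDetectedHost=ABC-HOST-WKS12 TMCMLogDetectedIP=10.1.128.46 "
    r"ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 "
    r"TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1")

# Constructed record (not from the page) exercising every escape form.
SAMPLE_CONSTRUCTED = (r"CEF:0|Trend Micro|Apex Central|2019|WB:1|Rule A\|B|3|"
    r"rt=Mar 22 2018 08:23:23 GMT+00:00 act=2 deviceDirection=2 cn2Label=SLF_SeverityLevel "
    r"cn2=100 reason=F deviceProcessName=C:\\Windows\\system32\\svchost-1.exe "
    r"request=http://example.invalid/a?x\=1&y\=2")


def split_header(record):
    """Split the seven pipe-delimited header fields; return (fields, extension_text)."""
    fields, buf, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):   # \| or \\ inside a header field
            buf.append(record[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a complete CEF header")
    return fields, record[i:]


# A key is a run of word characters directly followed by '=' at the start of the
# extension or after whitespace; an escaped '\=' inside a value never qualifies,
# which is what lets values such as rt and request contain spaces and '='.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(text):
    """Return the extension as a dict of raw key -> unescaped value."""
    text = text.strip()
    keys = list(_KEY_RE.finditer(text))
    ext = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(text)
        ext[m.group(1)] = _unescape(text[m.end():end].strip())
    return ext


def resolve_labels(ext):
    """Expose csN/cnN/c6aN/cnt values under their *Label names (cs1Label=SLF_PolicyName)."""
    return {ext.get(k + "Label", k): v for k, v in ext.items() if not k.endswith("Label")}


def parse_wb_event(record):
    header, ext_text = split_header(record)
    ext = parse_extension(ext_text)
    return {
        "header": dict(zip(HEADER_NAMES, header)),
        "ext": ext,
        "labeled": resolve_labels(ext),
        "decoded": {  # human-readable forms of the coded fields
            "action": ACTION.get(ext.get("act")),
            "direction": DIRECTION.get(ext.get("deviceDirection")),
            "severity_level": SEVERITY_LEVEL.get(ext.get("cn2")),
            "threat_type": THREAT_TYPE.get(ext.get("reason")),
        },
    }


# Triage rule (our own, for illustration): a C&C callback or ransomware
# classification that the endpoint did not block/delete/quarantine warrants a look.
ALERT_THREAT_CODES = {"F", "G"}
BLOCKING_ACTIONS = {"2", "4", "5"}


def needs_triage(event):
    ext = event["ext"]
    return ext.get("reason") in ALERT_THREAT_CODES and ext.get("act") not in BLOCKING_ACTIONS


if __name__ == "__main__":
    for rec in (SAMPLE_PAGE, SAMPLE_CONSTRUCTED):
        ev = parse_wb_event(rec)
        print(ev["header"]["eventid"], ev["decoded"], "triage" if needs_triage(ev) else "ok")
```

Run against the page's sample, the parser reports `reason=G` (Ransomware) with `act=1` (Pass) and `deviceDirection=2` (Outbound), so `needs_triage` fires: the record describes a rated-malicious outbound request that the policy let through, which is exactly the combination a SOC would want surfaced rather than buried among routine WB events. Note that the sample also carries `cntLabel=AggregatedCount`, a label the field table does not list; the label resolver handles it the same way as the documented `csN`/`cnN` pairs.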