Common Event Format (CEF) and Log Event Extended Format (LEEF) log message formats
are slightly different. For example, the "Source User" column in the GUI corresponds
to a field named "suser" in CEF; in LEEF, the same field is named "usrName" instead.
Log message fields also vary by whether the event originated on the agent or Server & Workload Protection and which feature created the log message.
 |
NoteIf your syslog messages are being truncated, it may be because you're using User Datagram
Protocol (UDP). To prevent truncation, transfer your syslog messages over Transport
Layer Security (TLS) instead. For instructions on switching to TLS, see Define a syslog configuration.
|
|
NoteBasic syslog format is not supported by the Anti-Malware, Web Reputation, Integrity
Monitoring, and Application Control protection modules.
|
If the syslog messages are sent from Server & Workload Protection, there are several differences. In order to preserve the original agent hostname
(the source of the event), a new extension ("dvc" or "dvchost") is present. "dvc"
is used if the hostname is an IPv4 address; "dvchost" is used for hostnames and IPv6
addresses.
Additionally, the extension "TrendMicroDsTags" is used if the events are tagged. This
applies only to auto-tagging with run on future, since events are forwarded via syslog
only as they are collected by Server & Workload Protection. The product for logs relayed through Workload Security will still read "Deep Security
Agent"; however, the product version is the version of Server & Workload Protection.
CEF syslog message format
All CEF events include 'dvc=IPv4 Address' or 'dvchost=Hostname' (or the IPv6 address)
for the purposes of determining the original agent that was the source of the event.
This extension is important for events sent from Server & Workload Protection, since in this case the syslog sender of the message is not the originator of the
event.
Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
To determine whether the log entry comes from Server & Workload Protection or an agent, look at the "Device Product" field:
Sample CEF Log Entry: Jan 18 11:07:53 dsmhost CEF:0|Trend Micro|Workload Security Manager|<Workload Security version>|600|Administrator Signed In|4|suser=Master...
|
NoteEvents that occur on a VM that is protected by a virtual appliance, but that don't
have an in-guest agent, will still be identified as coming from an agent.
|
To further determine what kind of rule triggered the event, look at the "Signature
ID" and "Name" fields:
Sample Log Entry: Mar 19 15:19:15 root CEF:0|Trend Micro|Deep Security Agent|<Agent version>|123|Out
Of Allowed Policy|5|cn1=1...
The "Signature ID" value indicates what kind of event has been triggered:
|
Signature IDs
|
Description
|
|
10
|
Custom Intrusion Prevention (IPS) rule
|
|
20
|
Log-only Firewall rule
|
|
21
|
Deny Firewall rule
|
|
30
|
Custom Integrity Monitoring rule
|
|
40
|
Custom Log Inspection rule
|
|
100-7499
|
System events
|
|
100-199
|
Policy Firewall rule and Firewall stateful configuration
|
|
200-299
|
IPS internal errors
|
|
300-399
|
SSL/TLS events
|
|
500-899
|
IPS normalization
|
|
1,000,000-1,999,999
|
Trend Micro IPS rule. The signature ID is the same as the IPSrule ID.
|
|
2,000,000-2,999,999
|
Integrity Monitoring rule. The signature ID is the Integrity Monitoring rule ID +
1,000,000.
|
|
3,000,000-3,999,999
|
Log Inspection rule. The signature ID is the Log Inspection rule ID + 2,000,000.
|
|
4,000,000-4,999,999
|
Anti-Malware events. Currently, only these signature IDs are used:
|
|
5,000,000-5,999,999
|
Web Reputation events. Currently, only these signature IDs are used:
|
|
6,000,000-6,999,999
|
Application Control events. Currently, only these signature IDs are used:
|
|
7,000,000-7,999,999
|
Device Control events. Currently, only these signature IDs are used:
|
|
NoteLog entries don't always have all CEF extensions described in the event log format
tables below. CEF extensions also may not be always in the same order. If you are
using regular expressions (regex) to parse the entries, make sure your expressions
do not depend on each key-value pair to exist, or to be in a specific order.
|
|
NoteSyslog messages are limited to 64 KB by the syslog protocol specification. If the
message is longer, data may be truncated. The basic syslog format is limited to 1
KB.
|
LEEF 2.0 syslog message format
Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter
Character is tab)|Extension
Sample LEEF 2.0 Log Entry (Workload Security System Event Log Sample): LEEF:2.0|Trend Micro|Server & Workload Protection Manager|<Agent version>|192|cat=System name=Alert Ended desc=Alert: CPU Warning Threshold
Exceeded\nSubject: 10.201.114.164\nSeverity: Warning sev=3 src=10.201.114.164 usrName=System
msg=Alert: CPUWarning Threshold Exceeded\nSubject: 10.201.114.164\nSeverity:Warning
TrendMicroDsTenant=Primary
Events originating in Server & Workload Protection
System event log format
Base CEF Format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Sample CEF Log Entry: CEF:0|Trend Micro|Server & Workload Protection Manager|<Server & Workload Protection version>|600|User Signed In|3|src=10.52.116.160 suser=admin target=admin msg=User
signed in from 2001:db8::5
Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter
Character is tab)|Extension
Sample LEEF 2.0 Log Entry: LEEF:2.0|Trend Micro|Server & Workload Protection Manager|<DSA version>|192|cat=System name=Alert Ended desc=Alert: CPU Warning Threshold
Exceeded\nSubject: 10.201.114.164\nSeverity: Warning sev=3 src=10.201.114.164 usrName=System
msg=Alert: CPU Warning Threshold Exceeded\nSubject: 10.201.114.164\nSeverity: Warning
TrendMicroDsTenant=Primary
|
NoteLEEF format uses a reserved "sev" key to show severity and "name" for the Name value.
|
|
CEF Extension Field
|
LEEF Extension Field
|
Name
|
Description
|
Examples
|
||
|
src
|
src
|
Source IP Address
|
Server & Workload Protection IP address.
|
src=10.52.116.23
|
||
|
suser
|
usrName
|
Source User
|
Server & Workload Protection administrator's account.
|
suser=MasterAdmin
|
||
|
target
|
target
|
Target Entity
|
The subject of the event. It can be the administrator account logged into Server & Workload Protection, or a computer.
|
target=MasterAdmin target=server01
|
||
|
targetID
|
targetID
|
Target Entity ID
|
The identifier added in Server & Workload Protection.
|
targetID=1
|
||
|
targetType
|
targetType
|
Target Entity Type
|
The event target entity type.
|
targetType=Host
|
||
|
msg
|
msg
|
Details
|
Details of the system event. May contain a verbose description of the event.
|
msg=User password incorrect for username MasterAdmin on an attempt to sign in from
127.0.0.1 msg=A Scan for Recommendations on computer (localhost) has completed...
|
||
|
TrendMicroDsProcessImagePath
|
TrendMicroDsProcessImagePath
|
Process Image Path
|
The full path of the process that generates an anti-malware event detection.
|
TrendMicroDsProcessImagePath=/usr/bin/bash
|
||
|
TrendMicroDsProcessPid
|
TrendMicroDsProcessPid
|
Process PID
|
The PID of the process that generates an anti-malware event detection
|
TrendMicroDsProcessPid=4422
|
||
|
TrendMicroDsTags
|
TrendMicroDsTags
|
Event Tags
|
Server & Workload Protection event tags assigned to the event
|
TrendMicroDsTags=suspicious
|
||
|
TrendMicroDsTenant
|
TrendMicroDsTenant
|
Tenant Name
|
Server & Workload Protection tenant
|
TrendMicroDsTenant=Primary
|
||
|
TrendMicroDsTenantId
|
TrendMicroDsTenantId
|
Tenant ID
|
Server & Workload Protection tenant ID
|
TrendMicroDsTenantId=0
|
||
|
TrendMicroDsReasonId
|
TrendMicroDsReasonId
|
Event reason ID
|
Indicates the reason ID for event descriptions. Each event has its own reason ID definition.
|
TrendMicroDsReasonId=1
|
||
|
None
|
sev
|
Severity
|
The severity of the event. 1 is the least severe; 10 is the most severe.
|
sev=3
|
||
|
None
|
cat
|
Category
|
Event category
|
cat=System
|
||
|
None
|
name
|
Name
|
Event name
|
name=Alert Ended
|
||
|
None
|
desc
|
Description
|
Event description
|
desc:Alert: CPU Warning Threshold Exceeded
|
Events originating in the agent
Anti-Malware event format
Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<Agent version>|4000000|Eicar_test_file|6|cn1=1
cn1Label=Host ID dvchost=hostname cn2=205 cn2Label=Quarantine File Size cs6=ContainerImageName
| ContainerName | ContainerID cs6Label=Container filePath=C:\Users\trend\Desktop\eicar.exe
act=Delete result=Delete msg=Realtime TrendMicroDsMalwareTarget=N/A TrendMicroDsMalwareTargetType=N/TrendMicroDsFileMD5=44D88612FEA8A8F36DE82E1278ABB02F
TrendMicroDsFileSHA1=3395856CE81F2B7382DEE72602F798B642F14140 TrendMicroDsFileSHA256=275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F
TrendMicroDsDetectionConfidence=95 TrendMicroDsRelevantDetectionNames=Ransom_CERBER.BZC;Ransom_CERBER.C;Ransom_CRYPNISCA.SM
Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter
Character is tab)|Extension
Sample LEEF Log Entry: LEEF: 2.0|Trend Micro|Deep Security Agent|<Agent version>|4000030|cat=Anti-Malware
name=HEU_AEGIS_CRYPT desc=HEU_AEGIS_CRYPT sev=6 cn1=241 cn1Label=Host ID dvc=10.0.0.1
TrendMicroDsTags=FS TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 filePath=C:\Windows\System32\virus.exe
act=Terminate msg=Realtime TrendMicroDsMalwareTarget=Multiple TrendMicroDsMalwareTargetType=File
System TrendMicroDsFileMD5=1947A1BC0982C5871FA3768CD025453E#011 TrendMicroDsFileSHA1=5AD084DDCD8F80FBF2EE3F0E4F812E812DEE60C1#011
TrendMicroDsFileSHA256=25F231556700749F8F0394CAABDED83C2882317669DA2C01299B45173482FA6E
TrendMicroDsDetectionConfidence=95 TrendMicroDsRelevantDetectionNames=Ransom_CERBER.BZC;Ransom_CERBER.C;Ransom_CRYPNISCA.SM
|
CEF Extension Field
|
LEEF Extension Field
|
Name
|
Description
|
Examples
|
|
cn1
|
cn1
|
Host Identifier
|
The agent computer's internal unique identifier.
|
cn1=1
|
|
cn1Label
|
cn1Label
|
Host ID
|
The name label for the field cn1.
|
cn1Label=Host ID
|
|
cn2
|
cn2
|
File Size
|
The size of the quarantine file. This extension is included only when the "direct
forward" from agent /appliance is selected.
|
cn2=100
|
|
cn2Label
|
cn2Label
|
File Size
|
The name label for the field cn2.
|
cn2Label=Quarantine File Size
|
|
cs3
|
cs3
|
Infected Resource
|
The path of the spyware item. This field is only for spyware detection events.
|
cs3=C:\test\atse_samples\SPYW_Test_Virus.exe
|
|
cs3Label
|
cs3Label
|
Infected Resource
|
The name label for the field cs3. This field is only for spyware detection events.
|
cs3Label=Infected Resource
|
|
cs4
|
cs4
|
Resource Type
|
Resource Type values:
10=Files and Directories
11=System Registry
12=Internet Cookies
13=Internet URL Shortcut
14=Programs in Memory
15=Program Startup Areas
16=Browser Helper Object
17=Layered Service Provider
18=Hosts File
19=Windows Policy Settings
20=Browser
23=Windows Shell Setting
24=IE Downloaded Program Files
25=Add/Remove Programs
26=Services
other=Other
For example, if there's a spyware file named spy.exe that creates a registry run key
to keep its persistence after system reboot, there will be two items in the spyware
report: the item for spy.exe has cs4=10 (Files and Directories), and the item for
the run key registry has cs4=11 (System Registry).
This field is only for spyware detection events.
|
cs4=10
|
|
cs4Label
|
cd4Label
|
Resource Type
|
The name label for the field cs4. This field is only for spyware detection events.
|
cs4Label=Resource Type
|
|
cs5
|
cs5
|
Risk Level
|
Risk level values:
0=Very Low
25=Low
50=Medium
75=High
100=Very High
This field is only for spyware detection events.
|
cs5=25
|
|
cs5Label
|
cs5Label
|
Risk Level
|
The name label for the field cs5. This field is only for spyware detection events.
|
cs5Label=Risk Level
|
|
cs6
|
cs6
|
Container
|
The image name of the Docker container, container name, and container ID where the
malware was detected.
|
cs6=ContainerImageName | ContainerName | ContainerID
|
|
cs6Label
|
cs6Label
|
Container
|
The name label for the field cs6.
|
cs6Label=Container
|
|
filePath
|
filePath
|
File Path
|
The location of the malware file.
|
filePath=C:\\Users\\Mei\\Desktop\\virus.exe
|
|
act
|
act
|
Action
|
The action performed by the Anti-Malware engine. Possible values are: Deny Access,
Quarantine, Delete, Pass, Clean, Terminate, and Unspecified.
|
act=Clean act=Pass
|
|
result
|
result
|
Result
|
The result of the failed Anti-Malware action.
|
result=Passed result=Deleted result=Quarantined result=Cleaned result=Access Denied
result=Terminated result=Log result=Failed result=Pass Failed result=Delete Failed
result=Quarantine Failed result=Clean Failed result=Terminate Failed result=Log Failed
result=Scan Failed result=Passed (Scan Failed) result=Quarantined (Scan Failed) result=Quarantine
Failed (Scan Failed) result=Deny Access (Scan Failed)
|
|
msg
|
msg
|
Message
|
The type of scan. Possible values are: Realtime, Scheduled, and Manual.
|
msg=Realtime msg=Scheduled
|
|
dvc
|
dvc
|
Device address
|
The IPv4 address for cn1.
Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)
|
dvc=10.1.144.199
|
|
dvchost
|
dvchost
|
Device host name
|
The hostname or IPv6 address for cn1.
Does not appear if the source is an IPv4 address. (Uses dvc field instead.)
|
dvchost=www.example.com dvchost=fe80::f018:a3c6:20f9:afa6%5
|
|
TrendMicroDsBehaviorRuleID
|
TrendMicroDsBehaviorRuleID
|
Behavior monitoring rule ID
|
The behavior monitoring rule ID for internal malware case tracking.
|
BehaviorRuleID=CS913
|
|
TrendMicroDsBehaviorType
|
TrendMicroDsBehaviorType
|
Behavior Monitoring type
|
The type of behavior monitoring event detected.
|
BehaviorType=Threat-Detection
|
|
TrendMicroDsTags
|
TrendMicroDsTags
|
Events tags
|
Server & Workload Protection event tags assigned to the event
|
TrendMicroDsTags=suspicious
|
|
TrendMicroDsTenant
|
TrendMicroDsTenant
|
Tenant name
|
Server & Workload Protection tenant
|
TrendMicroDsTenant=Primary
|
|
TrendMicroDsTenantId
|
TrendMicroDsTenantId
|
Tenant ID
|
Server & Workload Protection tenant ID
|
TrendMicroDsTenantId=0
|
|
TrendMicroDsMalwareTargetCount
|
TrendMicroDsMalwareTargetCount
|
Target count
|
The number of target files.
|
TrendMicroDsMalwareTargetCount=3
|
|
TrendMicroDsMalwareTarget
|
TrendMicroDsMalwareTarget
|
Target(s)
|
The file, process, or registry key (if any) that the malware was trying to affect.
If the malware was trying to affect more than one, this field will contain the value
"Multiple."
Only suspicious activity monitoring and unauthorized change monitoring have values
for this field.
|
TrendMicroDsMalwareTarget=N/A TrendMicroDsMalwareTarget=C:\\Windows\\System32\\cmd.exe
TrendMicroDsMalwareTarget=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings TrendMicroDsMalwareTarget=Multiple
|
|
TrendMicroDsMalwareTargetType
|
TrendMicroDsMalwareTargetType
|
Target Type
|
The type of system resource that this malware was trying to affect, such as the file
system, a process, or Windows registry.
Only suspicious activity monitoring and unauthorized change monitoring have values
for this field.
|
TrendMicroDsMalwareTargetType=N/A TrendMicroDsMalwareTargetType=Exploit TrendMicroDsMalwareTargetType=File
System TrendMicroDsMalwareTargetType=Process TrendMicroDsMalwareTargetType=Registry
|
|
TrendMicroDsProcess
|
TrendMicroDsProcess
|
Process
|
Process Name
|
TrendMicroDsProcess= abc.exe
|
|
TrendMicroDsFileMD5
|
TrendMicroDsFileMD5
|
File MD5
|
The MD5 hash of the file
|
TrendMicroDsFileMD5=1947A1BC0982C5871FA3768CD025453E
|
|
TrendMicroDsFileSHA1
|
TrendMicroDsFileSHA1
|
File SHA1
|
The SHA1 hash of the file
|
TrendMicroDsFileSHA1=5AD084DDCD8F80FBF2EE3F0E4F812E812DEE60C1
|
|
TrendMicroDsFileSHA256
|
TrendMicroDsFileSHA256
|
File SHA256
|
The SHA256 hash of the file
|
TrendMicroDsFileSHA256=25F231556700749F8F0394CAABDED83C2882317669DA2C01299B45173482FA6E
|
|
TrendMicroDsDetectionConfidence
|
TrendMicroDsDetectionConfidence
|
Threat Probability
|
Indicates how closely (in %) the file matched the malware model
|
TrendMicroDsDetectionConfidence=95
|
|
TrendMicroDsRelevantDetectionNames
|
TrendMicroDsRelevantDetectionNames
|
Probable Threat Type
|
Indicates the most likely type of threat contained in the file after Predictive Machine
Learning compared the analysis to other known threats(separate by semicolon";" )
|
TrendMicroDsRelevantDetectionNames=Ransom_CERBER.BZC;Ransom_CERBER.C;Ransom_CRYPNISCA.SM
|
|
None
|
sev
|
Severity
|
The severity of the event. 1 is the least severe; 10 is the most severe.
|
sev=6
|
|
None
|
cat
|
Category
|
Category
|
cat=Anti-Malware
|
|
None
|
name
|
Name
|
Event name
|
name=SPYWARE_KEYL_ACTIVE
|
|
None
|
desc
|
Description
|
Event description. Anti-Malware uses the event name as the description.
|
desc=SPYWARE_KEYL_ACTIVE
|
|
TrendMicroDsCommandLine
|
TrendMicroDsCommandLine
|
Command Line
|
The commands that the subject process executes
|
TrendMicroDsCommandLine=/tmp/orca-testkit-sample/testsys_m64 -u 1000 -g 1000 -U 1000
-G 1000 -e cve_2017_16995 1 -d 4000000
|
|
TrendMicroDsCve
|
TrendMicroDsCve
|
CVE
|
CVE information, if the process behavior is identified in one of Common Vulnerabilities
and Exposures.
|
TrendMicroDsCve=CVE-2016-5195,CVE-2016-5195,CVE-2016-5195
|
|
TrendMicroDsMitre
|
TrendMicroDsMitre
|
MITRE
|
The MITRE information, if the process behavior is identified in one of MITRE attack
scenarios.
|
TrendMicroDsMitre=T1068,T1068,T1068
|
|
suser
|
suser
|
user name
|
The user account name who triggered this event
|
suser=root
|
Application Control event format
Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Example CEF Log Entry:
CEF: 0|Trend Micro|Deep Security Agent|10.2.229|6001200|AppControl detectOnly|6|cn1=202
cn1Label=Host ID dvc=192.168.33.128 TrendMicroDsTenant=Primary TrendMicroDsTenantId=0
fileHash=80D4AC182F97D2AB48EE4310AC51DA5974167C596D133D64A83107B9069745E0 suser=root
suid=0 act=detectOnly filePath=/home/user1/Desktop/Directory1//heartbeatSync.sh fsize=20
aggregationType=0 repeatCount=1 cs1=notWhitelisted cs1Label=actionReason cs2=0CC9713BA896193A527213D9C94892D41797EB7C
cs2Label=sha1 cs3=7EA8EF10BEB2E9876D4D7F7E5A46CF8D cs3Label=md5Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter
Character is tab)|Extension
Example LEEF Log Entry:
LEEF:2.0|Trend Micro|Deep Security Agent|10.0.2883|60|cat=AppControl name=blocked
desc=blocked sev=6 cn1=2 cn1Label=Host ID dvc=10.203.156.39 TrendMicroDsTenant=Primary
TrendMicroDsTenantId=0 fileHash=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
suser=root suid=0 act=blocked filePath=/bin/my.jar fsize=123857 aggregationType=0
repeatCount=1 cs1=notWhitelisted cs1Label=actionReason|
CEF Extension Field
|
LEEF Extension Field
|
Name
|
Description
|
Examples
|
|
cn1
|
cn1
|
Host Identifier
|
The agent computer's internal unique identifier.
|
cn1=2
|
|
cn1Label
|
cn1Label
|
Host ID
|
The name label for the field cn1.
|
cn1Label=Host ID
|
|
cs1
|
cs1
|
Reason
|
The reason why application control performed the specified action, such as "notWhitelisted"
(the software did not have a matching rule, and application control was configured
to block unrecognized software).
|
cs1=notWhitelisted
|
|
cs1Label
|
cs1Label
|
The name label for the field cs1.
|
cs1Label=actionReason
|
|
|
cs2
|
cs2
|
If it was calculated, the SHA-1 hash of the file.
|
cs2=156F4CB711FDBD668943711F853FB6DA89581AAD
|
|
|
cs2Label
|
cs2Label
|
The name label for the field cs2.
|
cs2Label=sha1
|
|
|
cs3
|
cs3
|
If it was calculated, the MD5 hash of the file.
|
cs3=4E8701AC951BC4537F8420FDAC7EFBB5
|
|
|
cs3Label
|
cs3Label
|
The name label for the field cs3.
|
cs3Label=md5
|
|
|
act
|
act
|
Action
|
The action performed by the Application Control engine. Possible values are: Blocked,
Allowed.
|
act=blocked
|
|
dvc
|
dvc
|
Device address
|
The IPv4 address for cn1.
Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)
|
dvc=10.1.1.10
|
|
dvchost
|
dvchost
|
Device host name
|
The hostname or IPv6 address for cn1.
Does not appear if the source is an IPv4 address. (Uses dvc field instead.)
|
dvchost=www.example.com dvchost=2001:db8::5
|
|
suid
|
suid
|
User ID
|
The account IDnumber of the user name.
|
suid=0
|
|
suser
|
suser
|
User Name
|
The name of the user account that installed the software on the protected computer.
|
suser=root
|
|
TrendMicroDsTenant
|
TrendMicroDsTenant
|
Tenant name
|
Server & Workload Protection tenant name.
|
TrendMicroDsTenant=Primary
|
|
TrendMicroDsTenantId
|
TrendMicroDsTenantId
|
Tenant ID
|
Server & Workload Protection tenant ID number.
|
TrendMicroDsTenantId=0
|
|
fileHash
|
fileHash
|
File hash
|
The SHA 256 hash that identifies the software file.
|
fileHash=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
|
|
filePath
|
filePath
|
File Path
|
The location of the malware file.
|
filePath=/bin/my.jar
|
|
fsize
|
fsize
|
File Size
|
The file size in bytes.
|
fsize=16
|
|
aggregationType
|
aggregationType
|
Aggregation Type
|
An integer that indicates how the event is aggregated:
For information, about event aggregation, see View Application Control event logs.
|
aggregationType=2
|
|
repeatCount
|
repeatCount
|
Repeat Count
|
The number of occurrences of the event. Non-aggregated events have a value of 1. Aggregated
events have a value of 2 or more.
|
repeatCount=4
|
|
None
|
sev
|
Severity
|
The severity of the event. 1 is the least severe; 10 is the most severe.
|
sev=6
|
|
None
|
cat
|
Category
|
Category
|
cat=AppControl
|
|
None
|
name
|
Name
|
Event name
|
name=blocked
|
|
None
|
desc
|
Description
|
Event description. Application Control uses the action as the description.
|
desc=blocked
|
Firewall event log format
Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<Agent version>|20|Log for TCP Port 80|0|cn1=1
cn1Label=Host ID dvc=hostname act=Log dmac=00:50:56:F5:7F:47 smac=00:0C:29:EB:35:DE
TrendMicroDsFrameType=IP src=192.168.126.150 dst=72.14.204.147 out=1019 cs3=DF MF
cs3Label=Fragmentation Bits proto=TCP spt=49617 dpt=80 cs2=0x00 ACK PSH cs2Label=TCP
Flags cnt=1 TrendMicroDsPacketData=AFB...
Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|<Agent version>|21|cat=Firewall name=Remote
Domain Enforcement (Split Tunnel) desc=Remote Domain Enforcement (Split Tunnel) sev=5
cn1=37 cn1Label=Host ID dvchost=www.example.com TrendMicroDsTenant=Primary TrendMicroDsTenantId=0
act=Deny dstMAC=67:BF:1B:2F:13:EE srcMAC=78:FD:E7:07:9F:2C TrendMicroDsFrameType=IP
src=10.0.110.221 dst=105.152.185.81 out=177 cs3= cs3Label=Fragmentation Bits proto=UDP
srcPort=23 dstPort=445 cnt=1 TrendMicroDsPacketData=AFB...
Sample TendMicroDsScannerIp Log Entry: CEF Field : (wait check), LEEF Field: TrendMicroDsScannerIp, Name: Scanner IP, Description:
Scanner IP Address, Example: TrendMicroDsScannerIp=192.168.33.1
TrendMicroDsTargetPortList Log Entry: CEF Field : (wait check), LEEF Field: TrendMicroDsTargetPortList, Name: Target Port
List, Description: Scanned Port List, Example: TrendMicroDsTargetPortList=12;13;16;18;22;23;27;32;38;42;44;47;48;60;67;
|
CEF Extension Field
|
LEEF Extension Field
|
Name
|
Description
|
Examples
|
|
act
|
act
|
Action
|
|
act=Log act=Deny
|
|
cn1
|
cn1
|
Host Identifier
|
The agent computer's internal unique identifier.
|
cn1=113
|
|
cn1Label
|
cn1Label
|
Host ID
|
The name label for the field cn1.
|
cn1Label=Host ID
|
|
cnt
|
cnt
|
Repeat Count
|
The number of times this event was sequentially repeated.
|
cnt=8
|
|
cs2
|
cs2
|
TCP Flags
|
|
cs2=0x10 ACK cs2=0x14 ACK RST
|
|
cs2Label
|
cs2Label
|
TCP Flags
|
The name label for the field cs2.
|
cs2Label=TCP Flags
|
|
cs3
|
cs3
|
Packet Fragmentation Information
|
|
cs3=DF cs3=MF cs3=DF MF
|
|
cs3Label
|
cs3Label
|
Fragmentation Bits
|
The name label for the field cs3.
|
cs3Label=Fragmentation Bits
|
|
cs4
|
cs4
|
ICMP Type and Code
|
(For the ICMP protocol only) The ICMP type and code, delimited by a space.
|
cs4=11 0 cs4=8 0
|
|
cs4Label
|
cs4Label
|
ICMP
|
The name label for the field cs4.
|
cs4Label=ICMP Type and Code
|
|
dmac
|
dstMAC
|
Destination MAC Address
|
MAC address of the destination computer's network interface.
|
dmac= 00:0C:29:2F:09:B3
|
|
dpt
|
dstPort
|
Destination Port
|
(For TCP and UDP protocol only) Port number of the destination computer's connection or session.
|
dpt=80 dpt=135
|
|
dst
|
dst
|
Destination IP Address
|
IP address of the destination computer.
|
dst=192.168.1.102 dst=10.30.128.2
|
|
in
|
in
|
Inbound Bytes Read
|
(For inbound connections only) Number of inbound bytes read.
|
in=137 in=21
|
|
out
|
out
|
Outbound Bytes Read
|
(For outbound connections only) Number of outbound bytes read.
|
out=216 out=13
|
|
proto
|
proto
|
Transport protocol
|
Name of the transport protocol used.
|
proto=tcp proto=udp proto=icmp
|
|
smac
|
srcMAC
|
Source MAC Address
|
MAC address of the source computer's network interface.
|
smac= 00:0E:04:2C:02:B3
|
|
spt
|
srcPort
|
Source Port
|
(For TCP and UDP protocol only) Port number of the source computer's connection or
session.
|
spt=1032 spt=443
|
|
src
|
src
|
Source IP Address
|
The packet's source IP address at this event.
|
src=192.168.1.105 src=10.10.251.231
|
|
TrendMicroDsFrameType
|
TrendMicroDsFrameType
|
Ethernet frame type
|
Connection ethernet frame type.
|
TrendMicroDsFrameType=IP TrendMicroDsFrameType=ARP TrendMicroDsFrameType=RevARP TrendMicroDsFrameType=NetBEUI
|
|
TrendMicroDsPacketData
|
TrendMicroDsPacketData
|
Packet data
|
The packet data, represented in Base64.
|
TrendMicroDsPacketData=AFB...
|
|
dvc
|
dvc
|
Device address
|
The IPv4 address for cn1.
Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)
|
dvc=10.1.144.199
|
|
dvchost
|
dvchost
|
Device host name
|
The hostname or IPv6 address for cn1.
Does not appear if the source is an IPv4 address. (Uses dvc field instead.)
|
dvchost=exch01.example.com dvchost=2001:db8::5
|
|
TrendMicroDsTags
|
TrendMicroDsTags
|
Event Tags
|
Server & Workload Protection event tags assigned to the event
|
TrendMicroDsTags=suspicious
|
|
TrendMicroDsTenant
|
TrendMicroDsTenant
|
Tenant Name
|
Server & Workload Protection tenant
|
TrendMicroDsTenant=Primary
|
|
TrendMicroDsTenantId
|
TrendMicroDsTenantId
|
Tenant ID
|
Server & Workload Protection tenant ID
|
TrendMicroDsTenantId=0
|
|
None
|
sev
|
Severity
|
The severity of the event. 1 is the least severe; 10 is the most severe.
|
sev=5
|
|
None
|
cat
|
Category
|
Category
|
cat=Firewall
|
|
None
|
name
|
Name
|
Event name
|
name=Remote Domain Enforcement (Split Tunnel)
|
|
None
|
desc
|
Description
|
Event description. Firewall events use the event name as the description.
|
desc=Remote Domain Enforcement (Split Tunnel)
|
|
TrendMicroDsScannerIp
|
TrendMicroDsScannerIp
|
Scanner IP
|
Scanner IP Address
|
TrendMicroDsScannerIp=192.168.33.1
|
|
TrendMicroDsTargetPortList
|
TrendMicroDsTargetPortList
|
Target Port List
|
Scanned Port List
|
TrendMicroDsTargetPortList=12;13;16;18;22;23;27;32;38;42;44;47;48;60;67;
|
Integrity Monitoring log event format
Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<Agent version>|30|New Integrity Monitoring
Rule|6|cn1=1 cn1Label=Host ID dvchost=hostname act=updated filePath=c:\windows\message.dll
suser=admin sproc=C:\Windows\System32\notepad.exe msg=lastModified,sha1,size
Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter
Character is tab)|Extension
Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|<Agent version>|2002779|cat=Integrity Monitor
name=Microsoft Windows - System file modified desc=Microsoft Windows - System file
modified sev=8 cn1=37 cn1Label=Host ID dvchost=www.example.com TrendMicroDsTenant=Primary
TrendMicroDsTenantId=0 act=updated suser=admin sproc=C:\Windows\System32\notepad.exe
|
CEF Extension Field
|
LEEF Extension Field
|
Name
|
Description
|
Examples
|
|
act
|
act
|
Action
|
The action detected by the integrity rule. Can contain: created, updated, deleted
or renamed.
|
act=created act=deleted
|
|
cn1
|
cn1
|
Host Identifier
|
The agent computer's internal unique identifier.
|
cn1=113
|
|
cn1Label
|
cn1Label
|
Host ID
|
The name label for the field cn1.
|
cn1Label=Host ID
|
|
filePath
|
filePath
|
Target Entity
|
The integrity rule target entity. May contain a file or directory path, registry key,
etc.
|
filePath=C:\WINDOWS\system32\drivers\etc\hosts
|
|
suser
|
suser
|
Source User
|
Account of the user who changed the file being monitored.
|
suser=WIN-038M7CQDHIN\Administrator
|
|
sproc
|
sproc
|
Source Process
|
The name of the event's source process.
|
sproc=C:\\Windows\\System32\\notepad.exe
|
|
msg
|
msg
|
Attribute changes
|
(For "renamed" action only) A list of changed attribute names. If "Relay via Manager"
is selected, all event action types include a full description.
|
msg=lastModified,sha1,size
|
|
oldfilePath
|
oldfilePath
|
Old target entity
|
(For "renamed" action only) The previous integrity rule target entity to capture the
rename action from the previous target entity to the new, which is recorded in the
filePath field.
|
oldFilePath=C:\WINDOWS\system32\logfiles\ds_agent.log
|
|
dvc
|
dvc
|
Device address
|
The IPv4 address for cn1.
Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)
|
dvc=10.1.144.199
|
|
dvchost
|
dvchost
|
Device host name
|
The hostname or IPv6 address for cn1.
Does not appear if the source is an IPv4 address. (Uses dvc field instead.)
|
dvchost=www.example.com dvchost=2001:db8::5
|
|
TrendMicroDsTags
|
TrendMicroDsTags
|
Events tags
|
Server & Workload Protection event tags assigned to the event
|
TrendMicroDsTags=suspicious
|
|
TrendMicroDsTenant
|
TrendMicroDsTenant
|
Tenant name
|
Server & Workload Protection tenant
|
TrendMicroDsTenant=Primary
|
|
TrendMicroDsTenantId
|
TrendMicroDsTenantId
|
Tenant ID
|
Server & Workload Protection tenant ID
|
TrendMicroDsTenantId=0
|
|
None
|
sev
|
Severity
|
The severity of the event. 1 is the least severe; 10 is the most severe.
|
sev=8
|
|
None
|
cat
|
Category
|
Category
|
cat=Integrity Monitor
|
|
None
|
name
|
Name
|
Event name
|
name=Microsoft Windows - System file modified
|
|
None
|
desc
|
Description
|
Event description. Integrity Monitoring uses the event name as the description.
|
desc=Microsoft Windows - System file modified
|
Intrusion Prevention event log format
Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<Agent version>|1001111|Test Intrusion Prevention
Rule|3|cn1=1 cn1Label=Host ID dvchost=hostname dmac=00:50:56:F5:7F:47 smac=00:0C:29:EB:35:DE
TrendMicroDsFrameType=IP src=192.168.126.150 dst=72.14.204.105 out=1093 cs3=DF MF
cs3Label=Fragmentation Bits proto=TCP spt=49786 dpt=80 cs2=0x00 ACK PSH cs2Label=TCP
Flags cnt=1 act=IDS:Reset cn3=10 cn3Label=Intrusion Prevention Packet Position cs5=10
cs5Label=Intrusion Prevention Stream Position cs6=8 cs6Label=Intrusion Prevention
Flags TrendMicroDsPacketData=R0VUIC9zP3...
Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter
Character is tab)|Extension
Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|<Agent version>|1000940|cat=Intrusion Prevention
name=Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities desc=Sun
Java RunTime Environment Multiple Buffer Overflow Vulnerabilities sev=10 cn1=6 cn1Label=Host
ID dvchost=exch01 TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 dstMAC=55:C0:A8:55:FF:41
srcMAC=CA:36:42:B1:78:3D TrendMicroDsFrameType=IP src=10.0.251.84 dst=56.19.41.128
out=166 cs3= cs3Label=Fragmentation Bits proto=ICMP srcPort=0 dstPort=0 cnt=1 act=IDS:Reset
cn3=0 cn3Label=DPI Packet Position cs5=0 cs5Label=DPI Stream Position cs6=0 cs6Label=DPI
Flags TrendMicroDsPacketData=R0VUIC9zP3...
|
CEF Extension Field
|
LEEF Extension Field
|
Name
|
Description
|
Examples
|
|
act
|
act
|
Action
|
(IPS rules written before Deep Security version 7.5 SP1 could additionally perform
Insert, Replace, and Delete actions. These actions are no longer performed. If an
older IPS Rule is triggered which still attempts to perform those actions, the event
will indicate that the rule was applied in detect-only mode.)
|
act=Block
|
|
cn1
|
cn1
|
Host Identifier
|
The agent computer's internal unique identifier.
|
cn1=113
|
|
cn1Label
|
cn1Label
|
Host ID
|
The name label for the field cn1.
|
cn1Label=Host ID
|
|
cn3
|
cn3
|
Intrusion Prevention Packet Position
|
Position within packet of data that triggered the event.
|
cn3=37
|
|
cn3Label
|
cn3Label
|
Intrusion Prevention Packet Position
|
The name label for the field cn3.
|
cn3Label=Intrusion Prevention Packet Position
|
|
cnt
|
cnt
|
Repeat Count
|
The number of times this event was sequentially repeated.
|
cnt=8
|
|
cs1
|
cs1
|
Intrusion Prevention Filter Note
|
(Optional) A note field which can contain a short binary or text note associated with
the payload file. If the value of the note field is all printable ASCII characters,
it will be logged as text with spaces converted to underscores. If it contains binary
data, it will be logged using Base-64 encoding.
|
cs1=Drop_data
|
|
cs1Label
|
cs1Label
|
Intrusion Prevention Note
|
The name label for the field cs1.
|
cs1Label=Intrusion Prevention Note
|
|
cs2
|
cs2
|
TCP Flags
|
(For the TCP protocol only) The raw TCP flag byte followed by the URG, ACK, PSH, RST,
SYN and FIN fields may be present if the TCP header was set.
|
cs2=0x10 ACK cs2=0x14 ACK RST
|
|
cs2Label
|
cs2Label
|
TCP Flags
|
The name label for the field cs2.
|
cs2Label=TCP Flags
|
|
cs3
|
cs3
|
Packet Fragmentation Information
|
|
cs3=DF cs3=MF cs3=DF MF
|
|
cs3Label
|
cs3Label
|
Fragmentation Bits
|
The name label for the field cs3.
|
cs3Label=Fragmentation Bits
|
|
cs4
|
cs4
|
ICMP Type and Code
|
(For the ICMP protocol only) The ICMP type and code stored in their respective order
delimited by a space.
|
cs4=11 0 cs4=8 0
|
|
cs4Label
|
cs4Label
|
ICMP
|
The name label for the field cs4.
|
cs4Label=ICMP Type and Code
|
|
cs5
|
cs5
|
Intrusion Prevention Stream Position
|
Position within stream of data that triggered the event.
|
cs5=128 cs5=20
|
|
cs5Label
|
cs5Label
|
Intrusion Prevention Stream Position
|
The name label for the field cs5.
|
cs5Label=Intrusion Prevention Stream Position
|
|
cs6
|
cs6
|
Intrusion Prevention Filter Flags
|
A combined value that includes the sum of the flag values: 1 - Data truncated - Data
could not be logged. 2 - Log Overflow - Log overflowed after this log. 4 - Suppressed
- Logs threshold suppressed after this log. 8 - Have Data - Contains packet data 16
- Reference Data - References previously logged data.
|
The following example would be a summed combination of 1 (Data truncated) and 8 (Have
Data): cs6=9
|
|
cs6Label
|
cs6Label
|
Intrusion Prevention Flags
|
The name label for the field cs6.
|
cs6=Intrusion Prevention Filter Flags
|
|
dmac
|
dstMAC
|
Destination MAC Address
|
Destination computer network interface MAC address.
|
dmac= 00:0C:29:2F:09:B3
|
|
dpt
|
dstPort
|
Destination Port
|
Destination computer connection port. Applicable to TCP and UDP protocol only.
|
dpt=80 dpt=135
|
|
dst
|
dst
|
Destination IP Address
|
Destination computer IP Address.
|
dst=192.168.1.102 dst=10.30.128.2
|
|
xff
|
xff
|
X-Forwarded-For
|
The IPaddress of the last hub in the X-Forwarded-For header. This is typically originating
IP address, beyond the proxy that may exist. See also the src field. To include xff
in events, enable the "1006540 - Enable X-Forwarded-For HTTP Header Logging" Intrusion Prevention rule.
|
xff=192.168.137.1
|
|
in
|
in
|
Inbound Bytes Read
|
Number of inbound bytes read. Applicable to inbound connections only.
|
in=137 in=21
|
|
out
|
out
|
Outbound Bytes Read
|
Number of outbound bytes read. Applicable to outbound connections only.
|
out=216 out=13
|
|
proto
|
proto
|
Transport protocol
|
Name of the connection transport protocol used.
|
proto=tcp proto=udp proto=icmp
|
|
smac
|
srcMAC
|
Source MAC Address
|
Source computer network interface MAC address.
|
smac= 00:0E:04:2C:02:B3
|
|
spt
|
srcPort
|
Source Port
|
Source computer connection port. Applicable to TCP and UDP protocol only.
|
spt=1032 spt=443
|
|
src
|
src
|
Source IP Address
|
Source computer IP Address. This is the IP of the last proxy server, if it exists,
or the client IP. See also the xff field.
|
src=192.168.1.105 src=10.10.251.231
|
|
TrendMicroDsFrameType
|
TrendMicroDsFrameType
|
Ethernet frame type
|
Connection ethernet frame type.
|
TrendMicroDsFrameType=IP TrendMicroDsFrameType=ARP TrendMicroDsFrameType=RevARP TrendMicroDsFrameType=NetBEUI
|
|
TrendMicroDsPacketData
|
TrendMicroDsPacketData
|
Packet data
|
The packet data, represented in Base64.
|
TrendMicroDsPacketData=R0VUIC9zP3...
|
|
dvc
|
dvc
|
Device address
|
The IPv4 address for cn1.
Does not appear if the source is an IPv6 address or hostname. Uses dvchost instead.
|
dvc=10.1.144.199
|
|
dvchost
|
dvchost
|
Device host name
|
The hostname or IPv6 address for cn1.
Does not appear if the source is an IPv4 address. Uses dvc field instead.
|
dvchost=www.example.com dvchost=2001:db8::5
|
|
TrendMicroDsTags
|
TrendMicroDsTags
|
Event tags
|
Server & Workload Protection event tags assigned to the event
|
TrendMicroDsTags=Suspicious
|
|
TrendMicroDsTenant
|
TrendMicroDsTenant
|
Tenant name
|
Server & Workload Protection tenant name
|
TrendMicroDsTenant=Primary
|
|
TrendMicroDsTenantId
|
TrendMicroDsTenantId
|
Tenant ID
|
Server & Workload Protection tenant ID
|
TrendMicroDsTenantId=0
|
|
None
|
sev
|
Severity
|
The severity of the event. 1 is the least severe; 10 is the most severe.
|
sev=10
|
|
None
|
cat
|
Category
|
Category
|
cat=Intrusion Prevention
|
|
None
|
name
|
Name
|
Event name
|
name=Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities
|
|
None
|
desc
|
Description
|
Event description. Intrusion Prevention events use the event name as the description.
|
desc=Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities
|
|
cn2
|
cn2
|
Status Code
|
Status code.
|
cn2=-501
|
Log Inspection event format
Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<Agent version>|3002795|Microsoft Windows Events|8|cn1=1
cn1Label=Host ID dvchost=hostname cs1Label=LI Description cs1=Multiple Windows Logon
Failures fname=Security src=127.0.0.1 duser=(no user) shost=WIN-RM6HM42G65V msg=WinEvtLog
Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no
domain: WIN-RM6HM42G65V: An account failed to log on. Subject: ..
Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter
Character is tab)|Extension
Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|<Agent version>|3003486|cat=Log Inspection
name=Mail Server - MDaemon desc=Server Shutdown. sev=3 cn1=37 cn1Label=Host ID dvchost=exch01.example.com
TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 cs1=Server Shutdown. cs1Label=LI
Description fname= shost= msg=
|
CEF Extension Field
|
LEEF Extension Field
|
Name
|
Description
|
Examples
|
|
cn1
|
cn1
|
Host Identifier
|
The agent computer's internal unique identifier.
|
cn1=113
|
|
cn1Label
|
cn1Label
|
Host ID
|
The name label for the field cn1.
|
cn1Label=Host ID
|
|
cs1
|
cs1
|
Specific Sub-Rule
|
The Log Inspection sub-rule which triggered this event.
|
cs1=Multiple Windows audit failure events
|
|
cs1Label
|
cs1Label
|
LI Description
|
The name label for the field cs1.
|
cs1Label=LI Description
|
|
duser
|
duser
|
User Information
|
(If parse-able username exists) The name of the target user initiated the log entry.
|
duser=(no user) duser=NETWORK SERVICE
|
|
fname
|
fname
|
Target entity
|
The Log Inspection rule target entity. May contain a file or directory path, registry
key, etc.
|
fname=Application fname=C:\Program Files\CMS\logs\server0.log
|
|
msg
|
msg
|
Details
|
Details of the Log Inspection event. May contain a verbose description of the detected
log event.
|
msg=WinEvtLog: Application: AUDIT_FAILURE(20187): pgEvent: (no user): no domain: SERVER01:
Remote login failure for user 'xyz'
|
|
shost
|
shost
|
Source Hostname
|
Source computer hostname.
|
shost=webserver01.corp.com
|
|
src
|
src
|
Source IP Address
|
Source computer IP address.
|
src=192.168.1.105 src=10.10.251.231
|
|
dvc
|
dvc
|
Device address
|
The IPv4 address for cn1.
Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)
|
dvc=10.1.144.199
|
|
dvchost
|
dvchost
|
Device host name
|
The hostname or IPv6 address for cn1.
Does not appear if the source is an IPv4 address. (Uses dvc field instead.)
|
dvchost=www.example.com dvchost=2001:db8::5
|
|
TrendMicroDsTags
|
TrendMicroDsTags
|
Events tags
|
Server & Workload Protection event tags assigned to the event
|
TrendMicroDsTags=suspicious
|
|
TrendMicroDsTenant
|
TrendMicroDsTenant
|
Tenant name
|
Server & Workload Protection tenant
|
TrendMicroDsTenant=Primary
|
|
TrendMicroDsTenantId
|
TrendMicroDsTenantId
|
Tenant ID
|
Server & Workload Protection tenant ID
|
TrendMicroDsTenantId=0
|
|
None
|
sev
|
Severity
|
The severity of the event. 1 is the least severe; 10 is the most severe.
|
sev=3
|
|
None
|
cat
|
Category
|
Category
|
cat=Log Inspection
|
|
None
|
name
|
Name
|
Event name
|
name=Mail Server - MDaemon
|
|
None
|
desc
|
Description
|
Event description.
|
desc=Server Shutdown
|
Web Reputation event format
Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<Agent version>|5000000|WebReputation|5|cn1=1
cn1Label=Host ID dvchost=hostname request=example.com msg=Blocked By Admin
Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter
Character is tab)|Extension
Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|<Agent version>|5000000|cat=Web Reputation
name=WebReputation desc=WebReputation sev=6 cn1=3 cn1Label=Host ID dvchost=exch01.example.com
TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 request=http://yw.olx5x9ny.org.it/HvuauRH/eighgSS.htm
msg=Suspicious
|
CEF Extension Field
|
LEEF Extension Field
|
Name
|
Description
|
Examples
|
|
cn1
|
cn1
|
Host Identifier
|
The agent computer's internal unique identifier.
|
cn1=1
|
|
cn1Label
|
cn1Label
|
Host ID
|
The name label for the field cn1.
|
cn1Label=Host ID
|
|
request
|
request
|
Request
|
The URL of the request.
|
request=http://www.example.com/index.php
|
|
msg
|
msg
|
Message
|
The type of action. Possible values are: Realtime, Scheduled, and Manual.
|
msg=Realtime msg=Scheduled
|
|
dvc
|
dvc
|
Device address
|
The IPv4 address for cn1.
Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)
|
dvc=10.1.144.199
|
|
dvchost
|
dvchost
|
Device host name
|
The hostname or IPv6 address for cn1.
Does not appear if the source is an IPv4 address. (Uses dvc field instead.)
|
dvchost=www.example.com dvchost=2001:db8::5
|
|
TrendMicroDsTags
|
TrendMicroDsTags
|
Events tags
|
Server & Workload Protection event tags assigned to the event
|
TrendMicroDsTags=suspicious
|
|
TrendMicroDsTenant
|
TrendMicroDsTenant
|
Tenant name
|
Server & Workload Protection tenant
|
TrendMicroDsTenant=Primary
|
|
TrendMicroDsTenantId
|
TrendMicroDsTenantId
|
Tenant ID
|
Server & Workload Protection tenant ID
|
TrendMicroDsTenantId=0
|
|
None
|
sev
|
Severity
|
The severity of the event. 1 is the least severe; 10 is the most severe.
|
sev=6
|
|
None
|
cat
|
Category
|
Category
|
cat=Web Reputation
|
|
None
|
name
|
Name
|
Event name
|
name=WebReputation
|
|
None
|
desc
|
Description
|
Event description. Web Reputation uses the event name as the description.
|
desc=WebReputation
|
Device Control event format
Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|50.0.1063|7000000|Device Control DeviceControl|6|cn1=1
cn1Label=Host ID dvchost=test-hostname TrendMicroDsTenant=tenantName TrendMicroDsTenantId=1
device=deviceName processName=processName1 fileName=/tmp/some_path2 vendor=vendorName
serial=aaaa-bbbb-cccc model=modelName computerName=computerName domainName=computerDomain
deviceType=0 permission=0
Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter
Character is tab)|Extension
Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|50.0.1063|7000000|cat=Device Control name=DeviceControl
desc=DeviceControl sev=6 cn1=1 cn1Label=Host ID dvchost=test-hostname TrendMicroDsTenant=tenantName
TrendMicroDsTenantId=1 device=deviceName processName=processName1 fileName=/tmp/some_path2
vendor=vendorName serial=aaaa-bbbb-cccc model=modelName computerName=computerName
domainName=computerDomain deviceType=0 permission=0
|
CEF Extension Field
|
LEEF Extension Field
|
Name
|
Description
|
Examples
|
|
cn1
|
cn1
|
Host Identifier
|
The agent computer's internal unique identifier.
|
cn1=1
|
|
cn1Label
|
cn1Label
|
Host ID
|
The name label for the field cn1.
|
cn1Label=Host ID
|
|
dvchost
|
dvchost
|
Device host name
|
The hostname or IPv6 address for cn1.
Does not appear if the source is an IPv4 address. (Uses dvc field instead.)
|
dvchost=www.example.com dvchost=2001:db8::5
|
|
TrendMicroDsTenant
|
TrendMicroDsTenant
|
Tenant name
|
Server & Workload Protection tenant
|
TrendMicroDsTenant=Primary
|
|
TrendMicroDsTenantId
|
TrendMicroDsTenantId
|
Tenant ID
|
Server & Workload Protection tenant ID
|
TrendMicroDsTenantId=0
|
|
device
|
device
|
Device Name
|
The device that was accessed.
|
device=Sandisk_USB
|
|
processName
|
processName
|
Process Name
|
The process name.
|
processName=someProcess.exe
|
|
fileName
|
fileName
|
File Name
|
The file name that was accessed.
|
fileName=E:\somepath\a.exe
|
|
vendor
|
vendor
|
Vendor Name
|
The vendor name of the device.
|
vendor=sandisk
|
|
serial
|
serial
|
Serial Number
|
The serial number of the device.
|
serial=aaa-bbb-ccc
|
|
model
|
model
|
Model
|
The product name of the device.
|
model=A270_USB
|
|
computerName
|
computerName
|
Computer Name
|
The computer name.
|
computerName=Jonh_Computer
|
|
domainName
|
domainName
|
Domain Name
|
The domain name.
|
domainName=CompanyDomain
|
|
deviceType
|
deviceType
|
Device Type
|
The device type of the device USB_STORAGE_DEVICE(1) MOBILE_DEVICE(2)
|
deviceType=1
|
|
permission
|
permission
|
Permission
|
The block reason of the access BLOCK(0) READ_ONLY(2)
|
permission=0
|