CEF Behavior Monitoring Logs

| CEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Control Manager |
| Header (pver) | Appliance version | 7.0 |
| Header (eventid) | Behavior Monitoring: Policy ID | BM:1000 |
| Header (eventName) | Log name | Behavior Monitoring |
| Header (severity) | Severity | 3 |
| rt | Log generation time in UTC | Example: "Feb 14 2017 11:14:08 GMT+00:00" |
| dvchost | Host name | Example: "localhost" |
| cn1Label | Corresponding label for the "cn1" field | "Risk Level" |
| cn1 | Risk level | 0: Low; 1: High |
| cs2Label | Corresponding label for the "cs2" field | "Policy ID" |
| cs2 | Policy ID | 0: Compromised executable file; 1: New startup program; 2: Host file modification; 3: Program library injection; 4: New Internet Explorer plugin; 5: Internet Explorer setting modification; 6: Shell modification; 7: New service; 8: Security policy modification; 9: Firewall policy modification; 10: System file modification; 11: Duplicated system file; 13: Layered service provider; 14: System process modification; 16: Suspicious behavior; 100: Newly encountered programs; 200: Unauthorized file encryption; 1000: Threat behavior analysis; 9999: User-defined policy |
| sproc | Aegis subject | Example: `C:\\Windows\\SysWOW64\\rundll32.exe` |
| cn2Label | Corresponding label for the "cn2" field | "Event Type" |
| cn2 | Event type | 1: Process; 2: Process image; 4: Registry; 8: File system; 16: Driver; 32: SDT; 64: System API; 128: User Mode; 2048: Exploit; 65535: All |
| cs1Label | Corresponding label for the "cs1" field | "Target" |
| cs1 | Target host | Example: `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\COM+` |
| act | Translated action | 0: Allow; 1: Ask; 2: Deny; 3: Terminate; 4: Read Only; 5: Read/Write Only; 6: Read/Execute Only; 7: Feedback; 8: Clean; 1002: Unknown; 1003: Assess; 1004: Terminated. Files were recovered; 1005: Terminated. Some files were not recovered; 1006: Terminated. Files were not recovered; 1007: Terminated. Restart result: Files were recovered; 1008: Terminated. Restart result: Some files were not recovered; 1009: Terminated. Restart result: Files were not recovered |
| cn3Label | Corresponding label for the "cn3" field | "TranslatedAegisOperation" |
| cn3 | Operation for the translated Aegis object | 101: Create Process; 102: Open; 103: Terminate; 104: Terminate; 301: Delete; 302: Write; 303: Access; 401: Create File; 402: Close; 403: Execute; 501: Invoke; 601: Exploit; 9999: Unhandled Operation |
| shost | Source host (endpoint) | Example: "shost1" |
| src | Source host IP address | Example: "10.0.147.105" |
| deviceFacility | Product | Example: "OfficeScan" |

Log sample:

```
CEF:0|Trend Micro|Control Manager|7.0|BM:1000|Behavior Monitoring|3|rt=Aug 16 2017 05:00:40 GMT+00:00 dvchost=localhost cn1Label=Risk_Level cn1=1 cs2Label=Policy cs2=1000 sproc=C:\\Windows\\SysWOW64\\rundll32.exe cn2Label=Event_Type cn2=4 cs1Label=Target cs1=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\COM+ act=3 cn3Label=Operation cn3=302 shost=shost1 src=10.0.76.40 deviceFacility=OfficeScan
```
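As an added example (not part of Trend Micro's documentation), the parser below splits a CEF:0 line into its header and extension fields, undoes the CEF `\\` and `\=` escaping, and translates the Behavior Monitoring codes through the tables above; its only input is the page's own log sample re-joined onto one line, and the `act` codes 1004 to 1009 are left out of the lookup table for space.

```python
import re

# Code tables transcribed from the field reference above (act 1004-1009 omitted for space).
RISK_LEVEL = {0: "Low", 1: "High"}
POLICY_ID = {0: "Compromised executable file", 1: "New startup program",
    2: "Host file modification", 3: "Program library injection",
    4: "New Internet Explorer plugin", 5: "Internet Explorer setting modification",
    6: "Shell modification", 7: "New service", 8: "Security policy modification",
    9: "Firewall policy modification", 10: "System file modification",
    11: "Duplicated system file", 13: "Layered service provider",
    14: "System process modification", 16: "Suspicious behavior",
    100: "Newly encountered programs", 200: "Unauthorized file encryption",
    1000: "Threat behavior analysis", 9999: "User-defined policy"}
EVENT_TYPE = {1: "Process", 2: "Process image", 4: "Registry", 8: "File system", 16: "Driver",
    32: "SDT", 64: "System API", 128: "User Mode", 2048: "Exploit", 65535: "All"}
ACTION = {0: "Allow", 1: "Ask", 2: "Deny", 3: "Terminate", 4: "Read Only", 5: "Read/Write Only",
    6: "Read/Execute Only", 7: "Feedback", 8: "Clean", 1002: "Unknown", 1003: "Assess"}
OPERATION = {101: "Create Process", 102: "Open", 103: "Terminate", 104: "Terminate",
    301: "Delete", 302: "Write", 303: "Access", 401: "Create File", 402: "Close",
    403: "Execute", 501: "Invoke", 601: "Exploit", 9999: "Unhandled Operation"}

# An extension value runs up to a space followed by the next "key="; CEF escapes "=" as "\=" and "\" as "\\".
_EXT_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
_HEADER = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

def parse_cef(line):
    """Return (header dict, extension dict) for one CEF:0 line."""
    parts = re.split(r"(?<!\\)\|", line.rstrip("\n"), maxsplit=7)  # split on unescaped "|" only
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    header = {k: v.replace(r"\|", "|") for k, v in zip(_HEADER, parts)}
    ext = {k: re.sub(r"\\([\\=])", r"\1", v) for k, v in _EXT_RE.findall(parts[7])}
    return header, ext

def decode(ext):
    """Map the numeric Behavior Monitoring codes to the labels in the reference."""
    def label(key, table):
        return table.get(int(ext[key]), f"unknown({ext[key]})") if key in ext else None
    return {"risk": label("cn1", RISK_LEVEL), "policy": label("cs2", POLICY_ID),
            "event_type": label("cn2", EVENT_TYPE), "action": label("act", ACTION),
            "operation": label("cn3", OPERATION), "subject": ext.get("sproc"),
            "target": ext.get("cs1"), "endpoint": ext.get("shost")}

# The page's own log sample, re-joined onto one line (raw strings keep the CEF "\\" as written).
SAMPLE = (r"CEF:0|Trend Micro|Control Manager|7.0|BM:1000|Behavior Monitoring|3|"
          r"rt=Aug 16 2017 05:00:40 GMT+00:00 dvchost=localhost cn1Label=Risk_Level cn1=1 "
          r"cs2Label=Policy cs2=1000 sproc=C:\\Windows\\SysWOW64\\rundll32.exe cn2Label=Event_Type "
          r"cn2=4 cs1Label=Target cs1=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\COM+ "
          r"act=3 cn3Label=Operation cn3=302 shost=shost1 src=10.0.76.40 deviceFacility=OfficeScan")
```

Decoding the sample yields a High-risk "Threat behavior analysis" event in which `rundll32.exe` wrote to an HKCU Run key and was terminated, which is the readable form a SIEM rule would match on rather than the raw `cs2=1000 cn2=4 act=3 cn3=302`.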