CEF Data Loss Prevention Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Control Manager |
| Header (pver) | Appliance version | 7.0 |
| Header (eventid) | Event ID | 700106 |
| Header (eventName) | Log name | Data Loss Prevention |
| Header (severity) | Severity | 3 |
| cs1Label | Corresponding label for the "cs1" field | "Policy GUID" |
| cs1 | Policy GUID | Example: "FAF492CF-164C-4672-9A79-F1AB9CB288A3" |
| cn1Label | Corresponding label for the "cn1" field | "Product" |
| cn1 | Product type value | Example: "15" |
| rt | Log generation time in UTC | Example: "Feb 14 2017 11:14:08 GMT+00:00" |
| src | Source host IP address | Example: "10.0.57.160" |
| smac | Source host MAC address | Example: "74-27-00-0C-65-E7" |
| shost | Source host name | Example: "shost1" |
| cs4Label | Corresponding label for the "cs4" field | "Incident_Source_(AD_Account)" |
| cs4 | The user name in violation | Example: "Trend" |
| suser | Email sender | Example: "sender@example.com" |
| request | The URL accessed | Example: "https://example.com/api/content" |
| duser | Comma (,) separated list of recipients | Example: "user1@example.com;user2@example.com;" |
| msg | Subject | Example: "Sample,20171017" |
| filepath | File path | Example: "D:\\Windows Live Mail\\Storage Folders\\Imported Fo e52\\Local Folders\\Sent Items\\Archive Aft de1\\Clients,Adv 22b\\" |
| fname | Trigger file name | Example: "2B43363A-000000A4.eml" |
| fsize | File size in bytes | Example: "3" |
| cs5Label | Corresponding label for the "cs5" field | "Rule" |
| cs5 | Rule name | Example: "SAMPLE RULE SET" |
| cs6Label | Corresponding label for the "cs6" field | "Template" |
| cs6 | Template name | Example: "PSG Policy" |
| cn3Label | Corresponding label for the "cn3" field | "Channel" |
| cn3 | Channel type | Example: "3". For more information, see Channel Mapping Table. |
| cn2Label | Corresponding label for the "cn2" field | "Action" |
| cn2 | Action result | Example: "4". For more information, see Action Result Mapping Table. |
| cs2Label | Corresponding label for the "cs2" field | "Policy" |
| cs2 | Policy name | Example: "OfficeScan" |
| cs3Label | Corresponding label for the "cs3" field | "Product_Entity/Endpoint" |
| cs3 | Endpoint host name | Example: "Sample_OSCE" |
| dvchost | Server host name | Example: "localhost" |
| deviceFacility | Product name | Example: "OfficeScan" |

Log sample:

CEF:0|Trend Micro|Control Manager|7.0|700106|Data Loss Prevention|3|cs3Label=Product_Entity/Endpoint cs3=Sample_OSCE dvchost=Sampledvchost cs2Label=Policy cs2=N/A cn1Label=Product cn1=15 rt=Oct 13 2017 02:54:04 GMT+00:00 src=10.0.9.34 smac=34-E6-D7-84-BC-7F shost=shost1 cs4Label=Incident_Source_(AD_Account) cs4=12467 filePath=D:\\2. DRIVER\\drivers WIN7\\Drivers\\DP_CardReader_14032.7z\\O2Micro\\FORCED\\6x86\\ fname=O2MDFvst.INF cs5Label=Rule cs5=SAMPLE RULE SET cs6Label=Template cs6=PSG Policy cn3Label=Channel cn3=0 cn2Label=Action cn2=4 deviceFacility=OfficeScan
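As an added example (not part of the Trend Micro documentation or product), the following Python parses a record in this format the way a SIEM ingestion step would: it splits the header on unescaped pipes, keeps extension values that contain spaces (rt, cs5, filePath) intact by splitting only where a new key= begins, decodes the CEF escapes, and renames the csN/cnN fields to the names carried in their csNLabel/cnNLabel fields. The Channel and Action mapping tables are not reproduced on this page, so cn3 and cn2 stay numeric codes; the SAMPLE record is constructed from the log sample above and the function names are my own.

```python
import re

# Constructed sample, built from the log sample on this page (not a captured event).
SAMPLE = (
    "CEF:0|Trend Micro|Control Manager|7.0|700106|Data Loss Prevention|3|"
    "cs3Label=Product_Entity/Endpoint cs3=Sample_OSCE dvchost=Sampledvchost "
    "cs2Label=Policy cs2=N/A cn1Label=Product cn1=15 "
    "rt=Oct 13 2017 02:54:04 GMT+00:00 src=10.0.9.34 smac=34-E6-D7-84-BC-7F "
    "shost=shost1 cs4Label=Incident_Source_(AD_Account) cs4=12467 "
    "filePath=D:\\\\2. DRIVER\\\\drivers WIN7\\\\Drivers\\\\DP_CardReader_14032.7z"
    "\\\\O2Micro\\\\FORCED\\\\6x86\\\\ fname=O2MDFvst.INF "
    "cs5Label=Rule cs5=SAMPLE RULE SET cs6Label=Template cs6=PSG Policy "
    "cn3Label=Channel cn3=0 cn2Label=Action cn2=4 deviceFacility=OfficeScan"
)

HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

def _unescape(value):
    # CEF escapes: "\\" -> "\", "\=" -> "=", "\|" -> "|", "\n"/"\r" -> newline/CR.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Split a CEF record into its 7 header fields and a dict of extension key=value pairs."""
    # Header fields are pipe-separated; a literal pipe in a header field is escaped as "\|".
    parts = re.split(r"(?<!\\)\|", line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(HEADER_KEYS, (_unescape(p) for p in parts[:7])))
    # Values may contain spaces, so split only at a space followed by "key=" (an escaped
    # "\=" inside a value never matches because "\" is not a word character).
    ext = {}
    for pair in re.split(r" (?=[\w.]+=)", parts[7]):
        key, _, raw = pair.partition("=")
        ext[key] = _unescape(raw)
    return header, ext

def resolve_labels(ext):
    """Rename csN/cnN fields to their csNLabel/cnNLabel names; numeric cn values become ints."""
    resolved = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue
        name = ext.get(key + "Label", key)
        resolved[name] = int(value) if key.startswith("cn") and value.isdigit() else value
    return resolved

def normalize_dlp_event(line):
    """Flatten a DLP record into one dict keyed by human-readable field names, severity as int."""
    header, ext = parse_cef(line)
    return {**header, "severity": int(header["severity"]), **resolve_labels(ext)}
```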