CEF Predictive Machine Learning Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Control Manager |
| Header (pver) | Appliance version | 7.0 |
| Header (eventid) | PML:Action result | PML:File cleaned |
| Header (eventName) | Detection name | virusa |
| Header (severity) | Severity | 3 |
| rt | The detection time in UTC | Example: "Feb 14 2017 11:14:08 GMT+00:00" |
| dvchost | Product server | Example: "Sample_OSCE" |
| cn1Label | Corresponding label for the "cn1" field | "Probable Threat Type" |
| cn1 | Probable threat type | Example: "35143". For more information, see Threat Type Mapping Table. |
| cs2Label | Corresponding label for the "cs2" field | "Security Threat" |
| cs2 | Security threat | Example: "Troj.Win32.TRX.XXPE002FF017" |
| shost | Infected endpoint | Example: "10.0.0.1" |
| suser | Logon user | Example: "TREND\User" |
| cn2Label | Corresponding label for the "cn2" field | "Type" |
| cn2 | Detection type | Example: "0" (0: File; 1: Process) |
| filePath | File path | Example: "D:\" |
| fname | File name | Example: "ALCORMP.EXE" |
| deviceCustomDate1 | File creation time | Example: "2017-04-26 05:53:27.000" |
| sproc | System process | Example: "notepad.exe" |
| cn4Label | Corresponding label for the "cn4" field | "Process Command" |
| cs4 | Process command | Example: "notepad.exe" |
| duser | Process owner | Example: "user1" |
| app | Infection channel | Example: "10" (0: Unknown; 1: Local drive; 2: Network drive; 3: AutoRun files; 10: Web; 11: Email; 999: Local or network drive) |
| cs3Label | Corresponding label for the "cs3" field | "Infection Source" |
| cs3 | Infection source | Example: "http://10.0.0.1/" |
| dst | Product/Endpoint IP | Example: "10.0.35.49" |
| c6a3Label | Corresponding label for the "c6a3" field | "Product/Endpoint IP" |
| c6a3 | Product/Endpoint IP | Example: "10.0.17.6" |
| cn3Label | Corresponding label for the "cn3" field | "Threat Probability" |
| cn3 | Threat probability | Example: "82" |
| act | Action result | Example: "21". For more information, see Action Result Mapping Table. |
| filehash | File SHA-1 | Example: "52c17c785b45ee961f68fb17744276076f383085" |
| dhost | Product entity/endpoint | Example: "dhost1" |
| deviceExternalId | Log sequence number | Example: "100" |
| deviceFacility | Product | Example: "OfficeScan" |

Log sample:

CEF:0|Trend Micro|Control Manager|7.0|PML:File cleaned|virusa|3|deviceFacility=1 cs2Label=DetectionName cs2=virusa suser=Sample-OSCE\\Administrator cn2Label=DetectionType cn2=0 filePath=C:\\WindowsFILENAME deviceCustomDate1Label=FileCreationDate deviceCustomDate1=Nov 03 2016 08:58:03 GMT+00:00 sproc=notepad.exe cs4Label=ProcessCommandLine cs4=notepad.exe -test duser=admin app=2 cs3Label=InfectionLocation cs3=http://10.0.0.1/ dst=10.0.174.28 cn3Label=Confidence cn3=82 act=21
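As an added example, not part of the Trend Micro documentation or product, the following Python parser consumes the log sample above end to end: it splits the seven pipe-delimited CEF header fields while honouring the `\|` and `\\` escapes, tokenizes the key=value extension (values such as `cs4=notepad.exe -test` contain spaces, so a value runs until the next key token), undoes the `\=` and `\\` extension escapes, renames each `cnN`/`csN`/`deviceCustomDateN` field to the name given in its `*Label` partner, and decodes the `cn2` and `app` codes with the tables listed above. The function names (`parse_cef`, `resolve_labels`, `summarize`, `parse_cef_time`) and the `SAMPLE_LOG` constant are this example's own; the timestamp parser assumes the "Nov 03 2016 08:58:03 GMT+00:00" style the sample uses.

```python
import re
from datetime import datetime

# Constructed input: the page's own log sample, joined back onto one line.
# A Python "\\\\" is two backslashes in the string, i.e. the raw CEF escape.
SAMPLE_LOG = (
    "CEF:0|Trend Micro|Control Manager|7.0|PML:File cleaned|virusa|3|"
    "deviceFacility=1 cs2Label=DetectionName cs2=virusa "
    "suser=Sample-OSCE\\\\Administrator cn2Label=DetectionType cn2=0 "
    "filePath=C:\\\\WindowsFILENAME deviceCustomDate1Label=FileCreationDate "
    "deviceCustomDate1=Nov 03 2016 08:58:03 GMT+00:00 sproc=notepad.exe "
    "cs4Label=ProcessCommandLine cs4=notepad.exe -test duser=admin app=2 "
    "cs3Label=InfectionLocation cs3=http://10.0.0.1/ dst=10.0.174.28 "
    "cn3Label=Confidence cn3=82 act=21"
)

HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                 "signature_id", "name", "severity")

# Code tables taken from the cn2 and app rows of the field table.
DETECTION_TYPE = {"0": "File", "1": "Process"}
INFECTION_CHANNEL = {"0": "Unknown", "1": "Local drive", "2": "Network drive",
                     "3": "AutoRun files", "10": "Web", "11": "Email",
                     "999": "Local or network drive"}

# An extension key is a run of key characters followed by '=' that sits at
# the start of the extension or immediately after the separating space.
_KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_.]+)=")


def _split_header(line):
    # Header fields are pipe-delimited; a literal pipe is written \| and a
    # literal backslash \\, so escapes are consumed while scanning.
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header: %r" % line[:40])
    fields[0] = fields[0][len("CEF:"):]
    return dict(zip(HEADER_FIELDS, fields)), line[i:]


def _unescape(value):
    # Undo extension escapes: \= -> =, \\ -> \, \n and \r -> control chars.
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _parse_extension(ext):
    # A value extends from after its '=' up to the next key token; only the
    # single separating space is stripped.
    out = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip(" "))
    return out


def resolve_labels(ext):
    # Rename cnN/csN/deviceCustomDateN keys to whatever their *Label says.
    resolved = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue
        resolved[ext.get(key + "Label", key)] = value
    return resolved


def parse_cef_time(text):
    # Assumes the "Nov 03 2016 08:58:03 GMT+00:00" style used in the sample.
    return datetime.strptime(text, "%b %d %Y %H:%M:%S GMT%z")


def parse_cef(line):
    header, ext_text = _split_header(line.rstrip("\r\n"))
    ext = _parse_extension(ext_text)
    return {"header": header, "extension": ext, "fields": resolve_labels(ext)}


def summarize(line):
    # The values an analyst triages on, with coded fields decoded.
    rec = parse_cef(line)
    ext = rec["extension"]
    return {
        "event": rec["header"]["signature_id"],
        "detection": rec["header"]["name"],
        "severity": int(rec["header"]["severity"]),
        "probability": int(ext["cn3"]) if "cn3" in ext else None,
        "detection_type": DETECTION_TYPE.get(ext.get("cn2"), "unknown code"),
        "channel": INFECTION_CHANNEL.get(ext.get("app"), "unknown code"),
        "user": ext.get("suser"),
        "process_command": ext.get("cs4"),
        "file_created": (parse_cef_time(ext["deviceCustomDate1"])
                         if "deviceCustomDate1" in ext else None),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print("%-16s %s" % (k, v))
```

Two points worth noting when wiring this into a SIEM pipeline. First, the sample emits `cs4Label`/`cs4` while the table lists `cn4Label`; `resolve_labels` keys on whichever `*Label` partner is actually present, so both spellings resolve. Second, locating keys by the `word=` pattern is the usual CEF ambiguity: a value that itself contains a space followed by `something=` (a process command line can) would be split at that point, so downstream rules should treat `cs4` as untrusted free text rather than assuming it is exactly one token.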