CEF Sandbox Detection Logs

| CEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Control Manager |
| Header (pver) | Appliance version | 7.0 |
| Header (eventid) | Device event class ID | VAD |
| Header (eventName) | Event name | Sandbox Detection Name |
| Header (severity) | Severity | 3 |
| deviceExternalId | ID | Example: "2" |
| rt | Log generation time in UTC | Example: "Mar 22 2018 08:23:23 GMT+00:00" |
| deviceFacility | Product type | Example: "OfficeScan" |
| dvchost | Server name | Example: "OSCE01" |
| dhost | Endpoint name | Example: "Isolate-ClientA" |
| dst | Endpoint IPv4 address | Example: "10.0.17.6" |
| c6a3 | Endpoint IPv6 address | Example: "fe80::38ca:cd15:443c:40bb%11" |
| app | Entry channel | Example: "1" |
| sourceServiceName | Source | Example: "Test1@tmcm.extbeta.com" |
| destinationServiceName | Destination | Example: "Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com" |
| sproc | Process name | Example: "VA" |
| fileHash | File SHA-1 hash | Example: "D6712CAE5EC821F910E14945153AE7871AA536CA" |
| fname | File name | Example: "C:\\\\QA_Log.zip" |
| request | URL | Example: "http://127.1.1.1" |
| cs1 | Sandbox Detection Log detection name | Example: "VAN_RANSOMWARE.umxxhelloransom_abc" |
| cn1 | Sandbox Detection Log risk level | Example: "0" |
| cs2 | Sandbox Detection Log threat categories | Example: "Anti-security, self-preservation" |
| cs3 | Cloud storage vendor | Example: "N/A #015" |

Log sample:

CEF: 0|Trend Micro|Control Manager|7.0|VAD|VAN_RANSOMWARE.umxxhelloransom_abc|3|deviceExternalId=2 rt=Mar 22 2018 08:23:23 GMT+00:00 deviceFacility=OfficeScan dvchost=OSCE01 dhost=Isolate-ClientA dst=0.0.0.0 app=1 sourceServiceNameTest1@trend.com.tw destinationServiceName=Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com sproc=VA fileHash=3395856CE81F2B7382DEE72602F798B642F14140 fname=C:\\\\QA_Log.zip request=http://127.1.1.1 cs1Label=Security_Threat cs1=VAN_RANSOMWARE.umxxhelloransom_abc cn1Label=Risk_Level cn1=0 cs2Label=Threat_Categories cs2=Anti-security, self-preservation cs3Label=Cloud_Service_Vendor cs3=N/A #015
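A parser for this log format, added here as an example (it is not Trend Micro's code): it splits the seven CEF header fields on unescaped `|`, walks the extension as whitespace-delimited key=value pairs so that values containing spaces (such as `rt` and `cs2`) survive, undoes CEF backslash escaping, and resolves each `csNLabel`/`csN` pair into a field named after its label. The sample line is constructed from the field table above rather than copied from the product.

```python
import re
from typing import Dict

HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

# Constructed sample built from the field table above; values are illustrative.
# "\\\\" in the literal is two backslashes at runtime, i.e. the CEF-escaped form
# of the single backslash in C:\QA_Log.zip.
SAMPLE = (
    "CEF:0|Trend Micro|Control Manager|7.0|VAD|Sandbox Detection Name|3|"
    "deviceExternalId=2 rt=Mar 22 2018 08:23:23 GMT+00:00 "
    "deviceFacility=OfficeScan dvchost=OSCE01 dhost=Isolate-ClientA "
    "dst=10.0.17.6 app=1 sourceServiceName=Test1@tmcm.extbeta.com "
    "destinationServiceName=Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com "
    "sproc=VA fileHash=D6712CAE5EC821F910E14945153AE7871AA536CA "
    "fname=C:\\\\QA_Log.zip request=http://127.1.1.1 "
    "cs1Label=Security_Threat cs1=VAN_RANSOMWARE.umxxhelloransom_abc "
    "cn1Label=Risk_Level cn1=0 "
    "cs2Label=Threat_Categories cs2=Anti-security, self-preservation "
    "cs3Label=Cloud_Service_Vendor cs3=N/A"
)

_ESCAPES = {"\\": "\\", "|": "|", "=": "=", "n": "\n", "r": "\r"}

def _unescape(value: str) -> str:
    # CEF escapes '\', '|' (header) and '=' (extension) with a backslash.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), value)

def parse_cef(line: str) -> Dict[str, str]:
    """Return header fields plus extension pairs; custom fields (cs1, cn1, ...)
    are additionally exposed under the name given by their *Label key."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    event = {name: _unescape(v) for name, v in zip(HEADER_FIELDS, parts[:7])}
    event["logVer"] = event["logVer"][len("CEF:"):]
    ext = parts[7]
    # A key is [A-Za-z0-9_.]+ followed by '=' at the start or after whitespace;
    # each value runs up to the next such key, so embedded spaces are kept.
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event[m.group(1)] = _unescape(ext[m.end():end])
    for key in [k for k in event if k.endswith("Label") and k[:-5] in event]:
        event[event[key]] = event[key[:-5]]
    return event

def sha1_hash(event: Dict[str, str]) -> str:
    """Return fileHash upper-cased only if it is a well-formed SHA-1 (40 hex digits), else ''."""
    h = event.get("fileHash", "")
    return h.upper() if re.fullmatch(r"[0-9A-Fa-f]{40}", h) else ""
```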