CEF Spyware/Grayware Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Control Manager |
| Header (pver) | Appliance version | 7.0 |
| Header (eventid) | Device event class ID | Spyware Detected |
| Header (eventName) | Event name | Spyware Detected |
| Header (severity) | Severity | 3 |
| cnt | Number of detections | Example: "10" |
| rt | Log generation time in UTC | Example: "Oct 06 2017 08:39:46 GMT+00:00" |
| cn1Label | Corresponding label for the "cn1" field | Example: "Pattern Type" |
| cn1 | Pattern type | Example: "1073741840" |
| cs1Label | Corresponding label for the "cs1" field | Example: "VirusName" |
| cs1 | Spyware/Grayware | Example: "ADW_OPENCANDY" |
| cs2Label | Corresponding label for the "cs2" field | Example: "EngineVersion" |
| cs2 | Engine version | Example: "6.2.3027" |
| cs5Label | Corresponding label for the "cs5" field | Example: "ActionResult" |
| cs5 | Action | Example: "Reboot system successfully". For more information, see Action Mapping Table. |
| cs6Label | Corresponding label for the "cs6" field | Example: "PatternVersion" |
| cs6 | Pattern version | Example: "1297" |
| cat | Log type | Example: "1727" |
| dvchost | Endpoint host name | Example: "OSCEClient01" |
| deviceExternalId | ID | Example: "3" |
| fname | Resource | Example: "F:\\Malware\\psas\\rsrc2.bin" |
| filePath | Resource | Example: "F:\\Malware\\psas\\rsrc2.bin" |
| dhost | Endpoint host name | Example: "OSCEClient01" |
| dst | Endpoint IPv4 address | Example: "50.8.1.1" |
| c6a3Label | Corresponding label for the "c6a3" field | Example: "SLP_DestinationIP" |
| c6a3 | Endpoint IPv6 address | Example: "fe80::38ca:cd15:443c:40bb%11" |
| fileHash | File SHA-1 | Example: "D6712CAE5EC821F910E14945153AE7871AA536CA" |
| deviceFacility | Product | Example: "OfficeScan" |
| duser | User name | Example: "Admin004" |
| cn2Label | Corresponding label for the "cn2" field | Example: "Scan_Type" |
| cn2 | Scan type | Example: "Scan Now". For more information, see Spyware/Grayware Scan Type Mapping Table. |
| cn3Label | Corresponding label for the "cn3" field | Example: "Security_Threat_Type" |
| cn3 | Security threat type | Example: "Adware". For more information, see Spyware/Grayware Risk Type Mapping Table. |

Log sample:

CEF:0|Trend Micro|Control Manager|7.0|Spyware Detected|Spyware Detected|3|deviceExternalId=3 rt=Oct 06 2017 08:39:46 GMT+00:00 cnt=1 dhost=OSCEClient01 cn1Label=PatternType cn1=1073741840 cs1Label=VirusName cs1=ADW_OPENCANDY cs2Label=EngineVersion cs2=6.2.3027 cs5Label=ActionResult cs5=Reboot system successfully cs6Label=PatternVersion cs6=1297 cat=1727 dvchost=OSCEClient01 fname=F:\\Malware\\psas\\rsrc2.bin filePath=F:\\Malware\\psas\\rsrc2.bin dst=50.8.1.1 deviceFacility=OfficeScan
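As an added example (not Trend Micro's code), the following Python parser reads a Control Manager CEF line of the kind shown above: it splits the header on unescaped pipes, walks the extension key=value pairs (whose values, such as rt and cs5, contain spaces), applies CEF unescaping, and renames the cnN/csN custom fields using their cnNLabel/csNLabel counterparts so a detection rule can refer to VirusName instead of cs1. The sample input is the page's own log sample rebuilt on one line.

```python
import re
from typing import Dict

# Log sample from this page, rebuilt as one line (the page shows it wrapped).
SAMPLE = (
    "CEF:0|Trend Micro|Control Manager|7.0|Spyware Detected|Spyware Detected|3|"
    "deviceExternalId=3 rt=Oct 06 2017 08:39:46 GMT+00:00 cnt=1 dhost=OSCEClient01 "
    "cn1Label=PatternType cn1=1073741840 cs1Label=VirusName cs1=ADW_OPENCANDY "
    "cs2Label=EngineVersion cs2=6.2.3027 cs5Label=ActionResult "
    "cs5=Reboot system successfully cs6Label=PatternVersion cs6=1297 cat=1727 "
    "dvchost=OSCEClient01 fname=F:\\\\Malware\\\\psas\\\\rsrc2.bin "
    "filePath=F:\\\\Malware\\\\psas\\\\rsrc2.bin dst=50.8.1.1 deviceFacility=OfficeScan"
)

# Header field names as used in the table on this page.
HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
_UNESCAPE = {"n": "\n", "r": "\r"}


def _unescape(value: str) -> str:
    # CEF escapes: "\\" -> "\", "\|" -> "|", "\=" -> "=", "\n"/"\r" -> newline/CR.
    return re.sub(r"\\(.)", lambda m: _UNESCAPE.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> Dict[str, str]:
    """Split a CEF line into its seven header fields plus extension key=value pairs."""
    # Header fields are '|'-delimited; an escaped '\|' does not delimit.
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    record = {k: _unescape(v) for k, v in zip(HEADER_KEYS, parts[:7])}
    # Extension values may contain spaces; a new pair starts only at " key=".
    for key, value in re.findall(r"([\w.]+)=(.*?)(?= [\w.]+=|$)", parts[7]):
        record[key] = _unescape(value)
    return record


def resolve_labels(record: Dict[str, str]) -> Dict[str, str]:
    """Replace cnN/csN/c6aN custom fields with the names given in their *Label fields."""
    out = dict(record)
    for key in list(record):
        if key.endswith("Label") and key[:-5] in record:
            out[record[key]] = out.pop(key[:-5])
            del out[key]
    return out


if __name__ == "__main__":
    for k, v in resolve_labels(parse_cef(SAMPLE)).items():
        print(f"{k} = {v}")
```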