|
CEF Key
|
Description
|
Value
|
|
Header (logVer)
|
CEF format version
|
CEF:0
|
|
Header (vendor)
|
Product vendor
|
Trend Micro
|
|
Header (pname)
|
Product name
|
Apex Central
|
|
Header (pver)
|
Product version
|
2019
|
|
Header (eventid)
|
Event ID
|
|
|
Header (eventName)
|
Log name
|
|
|
Header (severity)
|
Severity
|
3
|
|
dvchost
|
Display name of the managed endpoint
|
Example:
localhost |
|
rt
|
Log generation time in UTC
|
Example:
Nov 15 2017 08:43:57 GMT +00:00 |
|
src
|
Source IPv4 address
|
Example: "10.1.152.12"
|
|
c6a2Label
|
Corresponding label for the "c6a2" field
|
SLF_SourceIPv6
|
|
c6a2
|
Source IPv6 address
|
"2001:b011:1004:325b:8db7:6ca9:8fc5:321a"
|
|
smac
|
Source MAC address
|
Example: "18:31:BF:4F:30:DD"
|
|
spt
|
Source port
|
Example: "60886"
|
|
dst
|
Destination IPv4 address
|
Example: "10.1.153.151"
|
|
c6a3Label
|
Corresponding label for the "c6a3" field
|
SLF_DestinationIPv6
|
|
c6a3
|
Destination IPv6 address
|
Example: "2001:b011:1004:325b:8db7:6ca9:8fc5:654a"
|
|
dmac
|
Destination host MAC address
|
Example: "D0:17:C2:95:ED:71"
|
|
dpt
|
Destination port
|
Example: "139"
|
|
cn2Label
|
Corresponding label for the "cn2" field
|
SLF_IsDetectionOnly
|
|
cn2
|
Indicates whether the system is in "detection only" mode
|
Example: "0"
|
|
act
|
Action
|
Example: "LOG"
SLF_ACTION maps:
|
|
deviceDirection
|
Incoming or outgoing direction
|
Example: "Apex One"
|
|
cn3Label
|
Corresponding label for the "cn3" field
|
SLF_Rank
|
|
cn3
|
Weighted priority of the incident
|
Example: "3"
Calculated from Severity x Asset Value
|
|
cn4Label
|
Corresponding label for the "cn4" field
|
SLF_SeverityCode
|
|
cn4
|
The system defined incident severity value
|
Example: "1"
|
|
proto
|
The network protocol being exploited
|
Example: "10009"
|
|
cs2Label
|
Corresponding label for the "cs2" field
|
SLF_ConnectionType
|
|
cs2
|
The network application name
|
Example: "DCERPC Services"
|
|
cn1Label
|
Corresponding label for the "cn1" field
|
SLF_RuleID
|
|
cn1
|
The ID of the inspection rule
|
Example: "1005448"
|
|
cs1Label
|
Corresponding label for the "cs1" field
|
SLF_RuleContent
|
|
cs1
|
The string literal of the rule ID and description
|
Example: "1005448 - SMB Null Session Detected - 1"
|
|
cnt
|
Aggregated count
|
Example: "1"
|
|
deviceNtDomain
|
Active Directory domain
|
Example: APEXTMCM
|
|
dntdom
|
Apex One domain hierarchy
|
Example: OSCEDomain1
|
Log sample:
CEF:0|Trend Micro|Apex Central|2019|Log|1009549 - Detected T erminal Services (RDP) Server Traffic - 1 (ATT&CK T1015,T104 3,T1076,T1048,T1032,T1071)|3|rt=Apr 20 2020 03:33:20 GMT+00: 00 dvchost=OSCEClient23 deviceFacility=Apex One act=Log,src= 10.1.1.9 dst=80.1.1.9 smac=54-BF-64-84-7F-09 spt=89 dmac=54- BF-64-84-7F-19 dpt=449 cn2Label=SLF_IsDetectionOnly cn2=0 de viceDirection=Inbound cn3Label=SLF_Rank cn3=1 cn4Label=SLF_S everityCode cn4=1 proto=10009 cs2Label=SLF_ConnectionType cs 2=N/A cn1Label=SLF_RuleID cn1=1009549 cs1Label=SLF_RuleConte nt cs1=1009549 - Detected Terminal Services (RDP) Server Tra ffic - 1 (ATT&CK T1015,T1043,T1076,T1048,T1032,T1071) cnt=1 deviceNtDomain=APEXTMCM dntdom=OSCEDomain1