Views:
To enable flexible integration with third-party log management systems, Cloud App Security also supports Common Event Format (CEF) as the syslog message format.
Common Event Format (CEF) is an open log management standard created by HP ArcSight. Cloud App Security uses a subset of the CEF dictionary.
Cloud App Security provides an optional parameter format. To retrieve security event logs in CEF format, add this parameter into the request and set it to cef.

Request Example

Retrieve all Data Loss Prevention logs of Exchange Online within five minutes before the point of time when the request is sent, with each item displayed in CEF format
GET https://api.tmcas.trendmicro.com/v1/siem/security_events?service=exchange&event=dlp&format=cef
Authorization: Bearer 1de231142eef3f83928da98dc251fbebb6cafed4

Response

On success, the service sends back an HTTP 200 response and returns a response body in CEF format.

Response Example

{
    "current_link":"https://api.tmcas.trendmicro.com/siem/v1/security_events?service=exchange&event=securityrisk&
     start=2018-09-23T03:35:07.000Z&end=2018-09-25T05:47:07.000Z&limit=10&format=cef",
    "next_link":"https://api.tmcas.trendmicro.com/siem/v1/security_events?service=exchange&event=securityrisk&
     start=2018-09-23T03:35:07.000Z&end=2018-09-25T05:47:07.000Z&limit=10&page_id=<randomly generated value>=&format=cef",
    "last_log_item_generation_time":"2018-09-25T02:43:31Z",
    "security_events":["CEF:0|Trend Micro|CAS|5.0|100,101|securityrisk|High  
     DevicePayloadId=IwUVemkBIMKdAHkUVwi- destinationServiceName=Exchange Online 
     cat=security_risk_scan msg=Real-time scan TrendMicroCasAffectedUser=username1@example1.onmicrosoft.com 
     TrendMicroCasLocation=username1@example1.onmicrosoft.com\\Junk Email rt=2018-09-25T02:43:31Z 
     TrendMicroCasPolicyName=phishing test from jimmy TrendMicroCasFilter=Web Reputation act=Quarantine 
     TrendMicroCasThreatType=Phishing outcome=success suid=<DM6PR01MB41868726C4F662504F963431994B0@DM6PR01MB4186.prod.exchangelabs.com> 
     suser=<username2@example2.com> duser=[\"\\\"username1\\\"<username1@example1.onmicrosoft.com>\"] 
     start=2018-09-25T02:43:21 end=2018-09-25T02:43:05 TrendMicroCasMailSubject=FW: test 
     TrendMicroCasMailFileName=filename.exe cs2Label=detected_by cs2= TrendMicroCasRiskLevel= 
     fileHash=f0bb4b3f4ac5f7b3228feeba2ed10c1a0a0f8d44  
     TrendMicroCasFileSha256=11a62297f719eddf268a53db1433531ea7f8ea22c72630708db6adef71b59865 
     TrendMicroCasVaReportLink=https://api-dev.tmcas.trendmicro.net/v1/siem/security_events/va_analysis_report?report_id=
     7ca0b75044627a884322cf29290fecc048d93b129bee48fa0b0c875a3feb1ecfc739a64b896a5278&language=en"]
}

Response Fields

The following tables outline the syslog content mapping between Cloud App Security log output and CEF syslog types.
The CEF log format consists of a CEF header and a CEF extension:
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]
Note
Note
All time-related fields in the table are set to Coordinated Universal Time (UTC).

Header

CEF Key
Description
Value
logVer
CEF format version
CEF: 0
vendor
Appliance vendor
Trend Micro
pname
Appliance product name
CAS
pver
Appliance version
Example: 5.0
eventid
Device event class ID
Options for each Device Event Class ID and the corresponding Event Name include:
  • 100,101: security_risk
  • 100,102: virtual_analyzer
  • 100,103: ransomware
  • 100,104: data_protection
eventName
Event name
Options for each Device Event Class ID and the corresponding Event Name include:
  • 100,101: security_risk
  • 100,102: virtual_analyzer
  • 100,103: ransomware
  • 100,104: data_protection
severity
Risk level
High

Extension

CEF Key
Cloud App Security Log Output
Description and Value
devicepayloadid
security_events/log_item_id
ID that uniquely identifies a log item
Example: NdGBDmYBWu4z8GKN0JHL
destinationServiceName
security_events/service
Name of the requested service
Example: exchange
cat
security_events/event
Type of the requested security event
Example: security_risk_scan
Common fields in "message"
msg
security_events/message/scan_type
Whether it is a real-time scan or manual scan that detected the security event
Example: Real-time scan
TrendMicroCasAffectedUser
security_events/message/affected_user
Mailbox that received an email message triggering the security event, or user account that uploaded or modified a file triggering the security event
Example: username@example.com
TrendMicroCasLocation
security_events/message/location
Location where the security event was detected
Example: username@example.com\Junk Email
rt
security_events/message/detection_time
Date and time when the security event was detected
Example: 2018-09-25T02:14:40Z
TrendMicroCasPolicyName
security_events/message/triggered_policy_name
Name of a configured policy that was violated
Example: phishing test from username
TrendMicroCasFilter
security_events/message/triggered_security_filter
Name of the security filter that detected the security event
Example: Web Reputation
act
security_events/message/action
Action that Cloud App Security took after detecting the security event
Example: Quarantine
outcome
security_events/message/action_result
Whether the action was successfully taken or not
Example: success
TrendMicroCasThreatType
security_events/message/threat_type
Threat type detected in the security event
Example: Phishing
Email related fields in "message"
suid
security_events/message/mail_message_id
ID of the email message that triggered the security event
Example: <0ee59974fb7c48538b3e077f5c40b875@example.com>
suser
security_events/message/mail_message_sender
Email address of the sender
Example: username@example.com
duser
security_events/message/mail_message_recipient
Email address(es) of the recipient(s)
Example: "\"username\"<username@example.com>"
deviceCustomDate1Label
security_events/message/mail_message_submit_time
Date and time when the email message triggering the security event was submitted to send
Value: mail_message_submit_time
deviceCustomDate1
security_events/message/mail_message_submit_time
The value for deviceCustomDate1Label
Example: 2018-09-25T02:14:25.818Z
deviceCustomDate2Label
security_events/message/mail_message_delivery_time
Date and time when the email message triggering the security event was delivered to the recipient
Value: mail_message_delivery_time
deviceCustomDate2
security_events/message/mail_message_delivery_time
The value for deviceCustomDate2Label
Example: 2018-09-25T02:14:25.818Z
TrendMicroCasMailSubject
security_events/message/mail_message_subject
Subject of the email message that triggered the security event
Example: example
TrendMicroCasMailFileName
security_events/message/mail_message_file_name
Name of the email attachment that triggered the security event
Example: filename.exe
File related fields in "message"
fname
security_events/message/file_name
Name of the file that triggered the security event
Example: example.pdf
fileCreateTime
security_events/message/file_upload_time
Date and time when the file triggering the security event was uploaded
Example: 2018-09-25T02:14:25.818Z
Log type related fields in "message"
Security Risk Scan
cs1Label
security_events/message/security_risk_name
Name of the security risk detected
Value: security_risk_name
cs1
security_events/message/security_risk_name
The value for cs1Label
Example: Spyware: http://wrs21.winshipway.com
cs2Label
security_events/message/detected_by
Technology or method through which the email message or file triggering the security event was detected
Value: detected_by
cs2
security_events/message/detected_by
The value for cs2Label
Example: Web Reputation
TrendMicroCasRiskLevel
security_events/message/risk_level
Web Reputation risk level assigned to the analyzed URL that triggered the security event
Example: Dangerous
fileHash
security_events/message/file_sha1
SHA-1 hash value of the file that triggered the security event
Example: fd4a7c09dc2c48c1390e09a72b86adaf504802b5
TrendMicroCasFileSha256
security_events/message/file_sha256
SHA-256 hash value of the file that triggered the security event
Example: 11a62297f719eddf268a53db1433531ea7f8ea22c72630708db6adef71b59865
Virtual Analyzer
cs3Label
security_events/message/virus_name
Name of the virus detected
Value: virus_name
cs3
security_events/message/virus_name
The value for cs3Label
Example: VAN_BOT.UMXX
fileHash
security_events/message/file_sha1
SHA-1 hash value of the file that triggered the security event
Example: 0636ed126113daef6d509d9352d47defaed04508
TrendMicroCasRiskLevel
security_events/message/risk_level
Virtual Analyzer risk level assigned to the analyzed object that triggered the security event
Example: Medium risk
cs4Label
security_events/message/detection_type
Type of the suspicious object that triggered the security event
Value: detection_type
cs4
security_events/message/detection_type
The value for cs4Label
Example: File
TrendMicroCasVaReportLink
security_events/message/va_report_link
Virtual Analyzer report download link
Example: https://api.tmcas.trendmicro.com/v1/siem/security_events/va_analysis_report?report_id=38baa2*************************fd7187324
TrendMicroCasFileSha256
security_events/message/file_sha256
SHA-256 hash value of the file that triggered the security event
Example: 11a62297f719eddf268a53db1433531ea7f8ea22c72630708db6adef71b59865
Ransomware
cs5Label
security_events/message/ransomware_name
Name of the ransomware detected
Value: ransomware_name
cs5
security_events/message/ransomware_name
The value for cs5Label
Example: Ransom_CRYPWALL.MVP
Data Loss Prevention
cs6Label
security_events/message/triggered_dlp_template
Details of the compliance template that was violated to trigger the security event
Value: triggered_dlp_template
cs6
security_events/message/triggered_dlp_template
The value for cs6Label
Example: All: Credit Card Number