To enable flexible integration with third-party log management systems, Cloud App Security also supports Common Event Format (CEF) as the
syslog message format.
Common Event Format (CEF) is an open log management standard created by HP ArcSight.
Cloud App Security uses a subset of the CEF dictionary.
Cloud App Security provides an optional parameter
format. To retrieve security event logs in CEF format, add this
parameter into the request and set it to cef.
Request Example
Retrieve all Data Loss Prevention logs of Exchange Online within five minutes before
the
point of time when the request is sent, with each item displayed in CEF
format
GET https://api.tmcas.trendmicro.com/v1/siem/security_events?service=exchange&event=dlp&format=cef Authorization: Bearer 1de231142eef3f83928da98dc251fbebb6cafed4
Response
On success, the service sends back an HTTP 200 response and returns a response body
in CEF
format.
Response Example
{
"current_link":"https://api.tmcas.trendmicro.com/siem/v1/security_events?service=exchange&event=securityrisk&
start=2018-09-23T03:35:07.000Z&end=2018-09-25T05:47:07.000Z&limit=10&format=cef",
"next_link":"https://api.tmcas.trendmicro.com/siem/v1/security_events?service=exchange&event=securityrisk&
start=2018-09-23T03:35:07.000Z&end=2018-09-25T05:47:07.000Z&limit=10&page_id=<randomly generated value>=&format=cef",
"last_log_item_generation_time":"2018-09-25T02:43:31Z",
"security_events":["CEF:0|Trend Micro|CAS|5.0|100,101|securityrisk|High
DevicePayloadId=IwUVemkBIMKdAHkUVwi- destinationServiceName=Exchange Online
cat=security_risk_scan msg=Real-time scan TrendMicroCasAffectedUser=username1@example1.onmicrosoft.com
TrendMicroCasLocation=username1@example1.onmicrosoft.com\\Junk Email rt=2018-09-25T02:43:31Z
TrendMicroCasPolicyName=phishing test from jimmy TrendMicroCasFilter=Web Reputation act=Quarantine
TrendMicroCasThreatType=Phishing outcome=success suid=<DM6PR01MB41868726C4F662504F963431994B0@DM6PR01MB4186.prod.exchangelabs.com>
suser=<username2@example2.com> duser=[\"\\\"username1\\\"<username1@example1.onmicrosoft.com>\"]
start=2018-09-25T02:43:21 end=2018-09-25T02:43:05 TrendMicroCasMailSubject=FW: test
TrendMicroCasMailFileName=filename.exe cs2Label=detected_by cs2= TrendMicroCasRiskLevel=
fileHash=f0bb4b3f4ac5f7b3228feeba2ed10c1a0a0f8d44
TrendMicroCasFileSha256=11a62297f719eddf268a53db1433531ea7f8ea22c72630708db6adef71b59865
TrendMicroCasVaReportLink=https://api-dev.tmcas.trendmicro.net/v1/siem/security_events/va_analysis_report?report_id=
7ca0b75044627a884322cf29290fecc048d93b129bee48fa0b0c875a3feb1ecfc739a64b896a5278&language=en"]
}
Response Fields
The following tables outline the syslog content mapping between Cloud App Security log output and CEF syslog types.
The CEF log format consists of a CEF header and a CEF extension:
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class
ID|Name|Severity|[Extension]
 |
NoteAll time-related fields in the table are set to Coordinated Universal Time (UTC).
|
Header
|
CEF Key
|
Description
|
Value
|
|
logVer
|
CEF format version
|
CEF: 0
|
|
vendor
|
Appliance vendor
|
Trend Micro
|
|
pname
|
Appliance product name
|
CAS
|
|
pver
|
Appliance version
|
Example: 5.0
|
|
eventid
|
Device event class ID
|
Options for each Device Event Class ID and the corresponding
Event Name include:
|
|
eventName
|
Event name
|
Options for each Device Event Class ID and the corresponding
Event Name include:
|
|
severity
|
Risk level
|
High
|
Extension
|
CEF Key
|
Cloud App Security Log Output
|
Description and Value
|
||
|
devicepayloadid
|
security_events/log_item_id |
ID that uniquely identifies a log item
Example: NdGBDmYBWu4z8GKN0JHL
|
||
|
destinationServiceName
|
security_events/service |
Name of the requested service
Example: exchange
|
||
|
cat
|
security_events/event |
Type of the requested security event
Example: security_risk_scan
|
||
|
Common fields in "message"
|
||||
|
msg
|
security_events/message/scan_type |
Whether it is a real-time scan or manual scan that detected the security
event
Example: Real-time scan
|
||
|
TrendMicroCasAffectedUser
|
security_events/message/affected_user |
Mailbox that received an email message triggering the security event, or user
account that uploaded or modified a file triggering the security event
Example: username@example.com
|
||
|
TrendMicroCasLocation
|
security_events/message/location |
Location where the security event was detected
Example: username@example.com\Junk Email
|
||
|
rt
|
security_events/message/detection_time |
Date and time when the security event was detected
Example: 2018-09-25T02:14:40Z
|
||
|
TrendMicroCasPolicyName
|
security_events/message/triggered_policy_name |
Name of a configured policy that was violated
Example: phishing test from username
|
||
|
TrendMicroCasFilter
|
security_events/message/triggered_security_filter |
Name of the security filter that detected the security event
Example: Web Reputation
|
||
|
act
|
security_events/message/action |
Action that Cloud App Security took after detecting the security event
Example: Quarantine
|
||
|
outcome
|
security_events/message/action_result |
Whether the action was successfully taken or not
Example: success
|
||
|
TrendMicroCasThreatType
|
security_events/message/threat_type |
Threat type detected in the security event
Example: Phishing
|
||
|
TrendMicroCasMailEnvelopeSender
|
security_events/message/mail_message_envelope_sender |
Message envelope sender
Example: user@example1.onmicrosoft.com
|
||
|
TrendMicroCasMailDirection
|
security_events/message/mail_message_direction |
Mail direction, indicating whether the email is inbound or outbound message
Example: Inbound
|
||
|
Email related fields in "message"
|
||||
|
suid
|
security_events/message/mail_message_id |
ID of the email message that triggered the security event
Example: <0ee59974fb7c48538b3e077f5c40b875@example.com>
|
||
|
suser
|
security_events/message/mail_message_sender |
Email address of the sender
Example: username@example.com
|
||
|
duser
|
security_events/message/mail_message_recipient |
Email address(es) of the recipient(s)
Example: "\"username\"<username@example.com>"
|
||
|
deviceCustomDate1Label
|
security_events/message/mail_message_submit_time |
Date and time when the email message triggering the security event was submitted
to send
Value: mail_message_submit_time
|
||
|
deviceCustomDate1
|
security_events/message/mail_message_submit_time |
The value for deviceCustomDate1Label
Example: 2018-09-25T02:14:25.818Z
|
||
|
deviceCustomDate2Label
|
security_events/message/mail_message_delivery_time |
Date and time when the email message triggering the security event was delivered
to the recipient
Value: mail_message_delivery_time
|
||
|
deviceCustomDate2
|
security_events/message/mail_message_delivery_time |
The value for deviceCustomDate2Label
Example: 2018-09-25T02:14:25.818Z
|
||
|
TrendMicroCasMailSubject
|
security_events/message/mail_message_subject |
Subject of the email message that triggered the security event
Example: example
|
||
|
TrendMicroCasMailFileName
|
security_events/message/mail_message_file_name |
Name of the email attachment that triggered the security event
Example: filename.exe
|
||
|
File related fields in "message"
|
||||
|
fname
|
security_events/message/file_name |
Name of the file that triggered the security event
Example: example.pdf
|
||
|
fileCreateTime
|
security_events/message/file_upload_time |
Date and time when the file triggering the security event was uploaded
Example: 2018-09-25T02:14:25.818Z
|
||
|
Log type related fields in "message"
|
||||
|
Security Risk Scan
|
||||
|
cs1Label
|
security_events/message/security_risk_name |
Name of the security risk detected
Value: security_risk_name
|
||
|
cs1
|
security_events/message/security_risk_name |
The value for cs1Label
Example: Spyware: http://wrs21.winshipway.com
|
||
|
cs2Label
|
security_events/message/detected_by |
Technology or method through which the email message or file triggering the
security event was detected
Value: detected_by
|
||
|
cs2
|
security_events/message/detected_by |
The value for cs2Label
Example: Web Reputation
|
||
|
TrendMicroCasRiskLevel
|
security_events/message/risk_level |
Web Reputation risk level assigned to the analyzed URL that triggered the
security event
Example: Dangerous
|
||
|
fileHash
|
security_events/message/file_sha1 |
SHA-1 hash value of the file that triggered the security event
Example: fd4a7c09dc2c48c1390e09a72b86adaf504802b5
|
||
|
TrendMicroCasFileSha256
|
security_events/message/file_sha256 |
SHA-256 hash value of the file that triggered the security event
Example: 11a62297f719eddf268a53db1433531ea7f8ea22c72630708db6adef71b59865
|
||
|
Virtual Analyzer
|
||||
|
cs3Label
|
security_events/message/virus_name |
Name of the virus detected
Value: virus_name
|
||
|
cs3
|
security_events/message/virus_name |
The value for cs3Label
Example: VAN_BOT.UMXX
|
||
|
fileHash
|
security_events/message/file_sha1 |
SHA-1 hash value of the file that triggered the security event
Example: 0636ed126113daef6d509d9352d47defaed04508
|
||
|
TrendMicroCasRiskLevel
|
security_events/message/risk_level |
Virtual Analyzer risk level assigned to the analyzed object that triggered the
security event
Example: Medium risk
|
||
|
cs4Label
|
security_events/message/detection_type |
Type of the suspicious object that triggered the security event
Value: detection_type
|
||
|
cs4
|
security_events/message/detection_type |
The value for cs4Label
Example: File
|
||
|
TrendMicroCasVaReportLink
|
security_events/message/va_report_link |
Virtual Analyzer report download link
Example:
https://api.tmcas.trendmicro.com/v1/siem/security_events/va_analysis_report?report_id=38baa2*************************fd7187324
|
||
|
TrendMicroCasFileSha256
|
security_events/message/file_sha256 |
SHA-256 hash value of the file that triggered the security event
Example: 11a62297f719eddf268a53db1433531ea7f8ea22c72630708db6adef71b59865
|
||
|
Ransomware
|
||||
|
cs5Label
|
security_events/message/ransomware_name |
Name of the ransomware detected
Value: ransomware_name
|
||
|
cs5
|
security_events/message/ransomware_name |
The value for cs5Label
Example: Ransom_CRYPWALL.MVP
|
||
|
Data Loss Prevention
|
||||
|
cs6Label
|
security_events/message/triggered_dlp_template |
Details of the compliance template that was violated to trigger the security
event
Value: triggered_dlp_template
|
||
|
cs6
|
security_events/message/triggered_dlp_template |
The value for cs6Label
Example: All: Credit Card Number
|
||