LEEF Violation Logs

| LEEF Key | Description | Value |
|---|---|---|
| Header (logVer) | LEEF format version | LEEF:1.0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Deep Discovery Web Inspector |
| Header (pver) | Appliance version | Example: 2.5.0.1181 |
| Header (eventName) | Description | Example: Ransomware |
| devtime | UTC timestamp | Example: Oct 20 2017 17:15:57 GMT+00:00 |
| logType | Log type | 6: Violation Log |
| companyId | Company ID | Reserved; value is default |
| adDomain | AD domain | Active Directory domain information. Example: trendnet.org |
| userName | Client IP | Example: 10.204.171.200 |
| groupName | Group name | Active Directory group name information |
| department | Department | Active Directory department information. Example: commercial |
| device | Device | Reserved; default null |
| act | Action | One of: allow, monitor, block, analyzing |
| proto | Protocol channel | 1: HTTP; 2: HTTPS; 3: HTTP2; 4: FTP |
| tlsVersion | TLS version | 0: none (no TLS); 1: SSLv3; 2: TLSv1.0; 3: TLSv1.1; 4: TLSv1.2; 5: TLSv1.3 |
| size | Bytes transported by Deep Discovery Web Inspector, in bytes | Example: 15 |
| dst | Destination IP address of the request | Example: 54.148.125.151 |
| src | Source IP address of the request | Example: 10.204.171.200 |
| upstreamSize | Upstream payload from Deep Discovery Web Inspector to the server, in bytes | Example: 54 |
| downstreamSize | Downstream payload from the server to Deep Discovery Web Inspector, in bytes | Example: 49 |
| domain | Domain | Example: ca95-1.winshipway.com |
| detectionType | Detection type | For a description of each type, see List of Detection Types |
| detectionSubType | Detection sub-type | Reserved; default 0 |
| threatType | Threat type | 1: Ransomware; 2: C&C Callback; 3: Suspicious Malware; 4: Suspicious URLs; 5: Suspicious Documents; 6: Suspicious Scripts; 7: Malicious URL; 8: Malicious Content; 9: Suspicious Content; 10: Coin Miners |
| sev | Risk level | 0: user defined; 1: low; 2: medium; 3: high; 4: potential threat risk |
| policy | Policy name | Example: test |
| profileName | Profile name | Reserved; currently displays as default |
| wrsThreshold | WRS threshold | Value is set to 50 |
| principalName | Principal name | Reserved; default is null |
| url | URL | Example: hxxp://ca95-1.winshipway.com/ |
| urlCat | URL category | Example: Ransomware |
| appName | Application name | Reserved; default is null |
| wrsScore | WRS score | Example: 81 |
| malwareType | Malware type | Reserved; default 0 |
| malwareName | Malware name | Example: Ransomware |
| soData | Suspicious object displayed on the Deep Discovery Web Inspector Detections page | One of: Domain, URL, Server IP, File SHA1 |
| fName | File name | Example: a.txt |
| fileHash | SHA1 | Example: 0d3d4cdfff683b0c17843a889e867fe29095c3ac |
| msg | Log description | Value is null |
| httpTrans | HTTP transaction | Example: `{"http_req":{"headers":{"accept-encoding":"gzip,deflate","host":"10.204.170.7","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"},"host":"10.204.170.7","method":"GET","path":"TESTDATA/virus/NonCleanable/EXT_BOO.BOO","scheme":"http"}, "http_response":{"headers":{"content-length":"512","content-type":"text/plain"},"status_code":200},"ver":"1.0"}` |
| debugInfo | Debug information | Example: `{"conn_state":{"auth_id_type":"ip","auth_is_guest":false,"auth_reuse":false,"auth_user_id":"10.204.171.200","bypass_scan":false,"c_listen_addr":"0.0.0.0:8080","c_local_addr":"10.204.133.74:8080","c_peer_addr":"10.204.171.200:64353","c_recv_bytes":470,"c_sent_bytes":0,"gateway_ip":"10.204.171.200","s_recv_bytes":0,"s_sent_bytes":0,"tmufe_timeout":false},"errcode":"3055,IWSSHttpProxyProtocol.cpp:2569","src":"Proxy","trans":{"info":"","time":"1: 1508519757821, 2: 0, 13: 1, 14: 1, 33: 1, 15: 1, 16: 1, 34: 1, 38: 1"}, "ver":"1.0"}` |
Log sample (a single record; shown here on one line as the appliance emits it):

```text
LEEF:1.0|Trend Micro|Deep Discovery Web Inspector|2.5.0.1181|Ransomware|wrsScore=49 detectionType=21 domain=ca95-1.winshipway.com adDomain= malwareType=0 fileHash= sev=3 fName= principalName= logType=6 groupName= policy=default httpTrans={"http_req":{"headers":{"accept-encoding":"gzip,deflate","host":"ca95-1.winshipway.com","proxy-connection":"keep-alive","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"},"host":"ca95-1.winshipway.com","method":"GET","path":"/","scheme":"http"},"http_response":{"headers":null,"status_code":-1},"ver":"1.0"} device= profileName=default tlsVersion=0 soData= urlCat=Ransomware size=0 userName=10.204.171.200 src=10.204.171.200 threatType=1 wrsThreshold=50 companyId= url=http://ca95-1.winshipway.com/ dst=54.148.125.151 proto=1 appName= techSubType=0 malwareName=Ransomware from WRS upstreamSize=0 downstreamSize=0 devTime=Oct 24 2017 15:14:18 GMT+00:00 act=block department= debugInfo={"conn_state":{"auth_id_type":"ip","auth_is_guest":false,"auth_reuse":false,"auth_user_id":"10.204.171.200","bypass_scan":false,"c_listen_addr":"0.0.0.0:8080","c_local_addr":"10.204.133.74:8080","c_peer_addr":"10.204.171.200:63065","c_recv_bytes":470,"c_sent_bytes":0,"gateway_ip":"10.204.171.200","s_recv_bytes":0,"s_sent_bytes":0,"tmufe_timeout":false},"errcode":"3055,IWSSHttpProxyProtocol.cpp:2569","src":"Proxy","trans":{"info":"","time":"1:1508858058298, 2: 0, 13: 0, 14: 2, 33: 2, 15: 2, 16: 176, 34: 176, 38:176"},"ver":"1.0"}  msg=
```
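The parser below is an added example and is not part of the Trend Micro documentation or product. It takes the log sample above, joined back into the single line the appliance emits, splits the five pipe-delimited header fields from the attribute section, and slices attributes at `key=` tokens that follow whitespace, so that values containing spaces (the two JSON fields, `malwareName=Ransomware from WRS`, `devTime`) survive intact. It then maps the numeric `proto`, `tlsVersion`, `threatType` and `sev` codes to the labels in the table and parses `httpTrans` and `debugInfo` as JSON. The `triage` rule and the `unknown(<code>)` handling are assumptions chosen for illustration, not product behaviour.

```python
"""Parse a Deep Discovery Web Inspector LEEF 1.0 violation record.

Added example, not Trend Micro code. Assumes the attribute delimiter is
whitespace (tab per the LEEF spec, rendered as spaces in the document) and
that no attribute value contains a whitespace-preceded `word=` of its own.
"""
import json
import re

# Constructed input: the documentation's log sample, joined into one line.
SAMPLE = (
    'LEEF:1.0|Trend Micro|Deep Discovery Web Inspector|2.5.0.1181|'
    'Ransomware|wrsScore=49 detectionType=21 domain=ca95-1.winshipway.com '
    'adDomain= malwareType=0 fileHash= sev=3 fName= principalName= '
    'logType=6 groupName= policy=default httpTrans={"http_req":'
    '{"headers":{"accept-encoding":"gzip,deflate","host":'
    '"ca95-1.winshipway.com","proxy-connection":"keep-alive",'
    '"user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 '
    'Safari/537.36"},"host":"ca95-1.winshipway.com","method":"GET",'
    '"path":"/","scheme":"http"},"http_response":{"headers":null,'
    '"status_code":-1},"ver":"1.0"} device= profileName=default '
    'tlsVersion=0 soData= urlCat=Ransomware size=0 '
    'userName=10.204.171.200 src=10.204.171.200 threatType=1 '
    'wrsThreshold=50 companyId= url=http://ca95-1.winshipway.com/ '
    'dst=54.148.125.151 proto=1 appName= techSubType=0 '
    'malwareName=Ransomware from WRS upstreamSize=0 '
    'downstreamSize=0 devTime=Oct 24 2017 15:14:18 GMT+00:00 '
    'act=block department= debugInfo={"conn_state":{"auth_id_type":'
    '"ip","auth_is_guest":false,"auth_reuse":false,"auth_user_id":'
    '"10.204.171.200","bypass_scan":false,"c_listen_addr":'
    '"0.0.0.0:8080","c_local_addr":"10.204.133.74:8080",'
    '"c_peer_addr":"10.204.171.200:63065","c_recv_bytes":470,'
    '"c_sent_bytes":0,"gateway_ip":"10.204.171.200",'
    '"s_recv_bytes":0,"s_sent_bytes":0,"tmufe_timeout":false},'
    '"errcode":"3055,IWSSHttpProxyProtocol.cpp:2569","src":'
    '"Proxy","trans":{"info":"","time":"1:1508858058298, 2: 0, 13: '
    '0, 14: 2, 33: 2, 15: 2, 16: 176, 34: 176, 38:176"},"ver":"1.0"}  '
    'msg='
)

# Code tables copied from the documentation's field descriptions.
PROTO = {1: "HTTP", 2: "HTTPS", 3: "HTTP2", 4: "FTP"}
TLS_VERSION = {0: "none", 1: "SSLv3", 2: "TLSv1.0", 3: "TLSv1.1", 4: "TLSv1.2", 5: "TLSv1.3"}
THREAT_TYPE = {1: "Ransomware", 2: "C&C Callback", 3: "Suspicious Malware",
               4: "Suspicious URLs", 5: "Suspicious Documents", 6: "Suspicious Scripts",
               7: "Malicious URL", 8: "Malicious Content", 9: "Suspicious Content",
               10: "Coin Miners"}
SEVERITY = {0: "user defined", 1: "low", 2: "medium", 3: "high", 4: "potential threat risk"}
CODE_FIELDS = {"proto": PROTO, "tlsVersion": TLS_VERSION, "threatType": THREAT_TYPE, "sev": SEVERITY}
JSON_FIELDS = ("httpTrans", "debugInfo")
INT_FIELDS = ("wrsScore", "wrsThreshold", "size", "upstreamSize", "downstreamSize")
HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventName")

# An attribute starts at the beginning of the body or after whitespace as
# `key=`; its value runs up to the next such token. Slicing this way is what
# keeps JSON values with embedded spaces in one piece.
ATTR_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")


def parse_leef(line):
    """Split a LEEF 1.0 line into (header dict, raw attribute dict)."""
    parts = line.rstrip("\r\n").split("|", 5)  # only the 5 header pipes split
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 record")
    header = dict(zip(HEADER_FIELDS, parts))
    header["logVer"] = parts[0][len("LEEF:"):]
    body, attrs = parts[5], {}
    tokens = list(ATTR_RE.finditer(body))
    for i, tok in enumerate(tokens):
        end = tokens[i + 1].start() if i + 1 < len(tokens) else len(body)
        attrs[tok.group(1)] = body[tok.end():end].strip()
    return header, attrs


def decode(attrs):
    """Resolve code fields to their documented labels, parse the JSON fields and
    convert byte counts and scores to int. Unknown codes stay visible as
    'unknown(<n>)' (an assumption here) so a value added by a newer product
    version shows up in the SIEM instead of silently disappearing."""
    event = dict(attrs)
    for key, table in CODE_FIELDS.items():
        raw = attrs.get(key, "")
        event[key] = table.get(int(raw), f"unknown({raw})") if raw.isdigit() else None
    for key in JSON_FIELDS:
        raw = attrs.get(key, "")
        event[key] = json.loads(raw) if raw else None
    for key in INT_FIELDS:
        raw = attrs.get(key, "")
        event[key] = int(raw) if raw.isdigit() else None
    return event


def triage(event):
    """Illustrative triage rule (an assumption, not a product setting): a
    high-risk request (sev high, or ransomware / C&C callback) that the
    appliance blocked is contained; one it only monitored needs an analyst."""
    high_risk = event.get("sev") == "high" or event.get("threatType") in ("Ransomware", "C&C Callback")
    if not high_risk:
        return "info"
    return "contained" if event.get("act") == "block" else "escalate"


if __name__ == "__main__":
    hdr, raw = parse_leef(SAMPLE)
    ev = decode(raw)
    print(hdr["pname"], hdr["pver"], hdr["eventName"])
    print(ev["src"], "->", ev["dst"], ev["proto"], ev["tlsVersion"], ev["act"], triage(ev))
    print("client peer:", ev["debugInfo"]["conn_state"]["c_peer_addr"])
```

Because attributes are sliced at whitespace-preceded `key=` tokens, the parser also accepts the tab delimiter that LEEF 1.0 specifies. The caveat is a value that itself contains ` word=` (for example a URL whose query string was not percent-encoded); a stricter parser would slice only at the key names listed in the table above. Note that the sample uses `techSubType` and `devTime` where the table lists `detectionSubType` and `devtime`, so a SIEM mapping should be checked against real records rather than the table alone.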