
CEF Key | Description | Value
Header (logVer) | CEF format version | CEF:0
Header (vendor) | Appliance vendor | Trend Micro
Header (pname) | Appliance product | Apex Central
Header (pver) | Appliance product version | 2019
Header (eventid) | "MS:" followed by the filter action code (the same value as act) | MS:1
Header (eventName) | Policy name | Policy
Header (severity) | Severity | 3
cnt | Number of detections | Example: 10
dhost | List of all recipients, separated by ";" | Example: employee_a1@Acompany.com;employee_a2@Acompany.com
duser | One of the recipients | Example: employee_a1@Acompany.com
act | Filter action | Example: "2" (for more information, see Filter Action Mapping Table)
cs1Label | Corresponding label for the "cs1" field | Example: "SL_PolicyContent"
cs1 | Policy settings | Example: "Default_policy"
cs2Label | Corresponding label for the "cs2" field | Example: "CLF_ProductVersion"
cs2 | Product version | Example: "11"
cs3Label | Corresponding label for the "cs3" field | Example: "SL_FilterType"
cs3 | Filter type | Example: "2"
  • 0: Unknown
  • 1: ContentFilter
  • 2: AttachmentFilter
  • 3: StandardFilter
  • 4: SizeFilter
  • 5: DisclaimerMgr
  • 6: SpamFilter
  • 7: OPP
  • 8: ImportFilter
  • 9: PhishingFilter
  • 10: UrlReputationFilter
cs4Label | Corresponding label for the "cs4" field | Example: "CLF_ReasonCode"
cs4 | Reason code | Example: "access"
cs5Label | Corresponding label for the "cs5" field | Example: "CLF_ReasonCodeSource"
cs5 | Reason code source | Example: "web"
cs6Label | Corresponding label for the "cs6" field | Example: "SL_MessageAction"
cs6 | Action taken on the message | Example: "3"
  • 0: Unknown
  • 1: N/A
  • 2: Deliver
  • 3: Delete
  • 4: Quarantine
  • 5: Postpone
  • 6: Forward
  • 7: Replace
  • 8: Archive
  • 100: Strip
  • 101: Pass
cat | Log type | Example: "1705"
dvchost | Endpoint host name | Example: "ApexOneClient01"
rt | Log generation time in UTC | Example: "Nov 15 2017 08:45:57 GMT+00:00"
cn1Label | Corresponding label for the "cn1" field | Example: "CLF_SeverityCode"
cn1 | Severity code | Example: "0"
  • 0: Unknown
  • 1: Information
  • 2: Warning
  • 3: Error
  • 4: Critical
deviceExternalId | ID | Example: "5"
fname | File name | Example: "RERERW~42w.exe"
msg | Message subject | Example: "Open this email to win a free phone"
shost | List of all senders/users in violation, separated by ";" | Example: "bear" <bear@abc.mail.com>;"yumi" <yumi@abc.mail.com>
suser | One of the senders/users in violation | Example: "bear" <bear@abc.mail.com>
deviceFacility | Product name | Example: "Deep Discovery Email Inspector"
src | Email sender IP address | Example: "10.206.155.122"
filepath | Suspicious file location | Example: "https://ca91-1.testurl.com:443"
request | Suspicious URL | Example: "https://ca91-1.testurl.com:443"

Log sample:

CEF:0|Trend Micro|Apex Central|2019|MS:0|This is a policy name|3|deviceExternalId=90045 rt=Sep 17 2018 01:27:42 GMT+00:00 dhost=user@test.com duser=user@test.com act=0 cs2Label=CLF_ProductVersion cs2=3.2 cs3Label=SL_FilterType cs3=0 cs5Label=CLF_ReasonCodeSource cs5=20 cs6Label=SL_MessageAction cs6=0 cat=1705 dvchost=ApexOneClient01 cn1Label=CLF_ServerityCode cn1=2 fname=NE_AEP.1550 msg=plain_qp_no8_av1u_NE_AEP.1550 shost=user2@test.com suser=user2@test.com deviceFacility=Deep Discovery Email Inspector src=10.206.155.122
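The following parser is an added example, not code from Trend Micro or from this page. It reads an Apex Central CEF record of the type mapped above, resolves each cs*/cn* field to the name carried in its matching cs*Label/cn*Label, decodes the SL_FilterType, SL_MessageAction and CLF_SeverityCode enumerations from the table, and splits the ";"-separated dhost and shost lists. Two details matter when writing such a parser: CEF extension values may contain unescaped spaces (rt and deviceFacility in the sample), so keys must be located by the " key=" pattern rather than by splitting on whitespace; and the sample on this page spells the cn1 label "CLF_ServerityCode" while the table says "CLF_SeverityCode", so the code accepts both. The first input is the page's own sample; the second is a constructed record (not product output) that exercises the escape sequences "\|" in the header and "\=" in the extension and a multi-recipient dhost.

```python
import re
from dataclasses import dataclass

# Enumerations transcribed from the Apex Central CEF mapping table on this page.
FILTER_TYPE = {0: "Unknown", 1: "ContentFilter", 2: "AttachmentFilter", 3: "StandardFilter",
               4: "SizeFilter", 5: "DisclaimerMgr", 6: "SpamFilter", 7: "OPP",
               8: "ImportFilter", 9: "PhishingFilter", 10: "UrlReputationFilter"}
MESSAGE_ACTION = {0: "Unknown", 1: "N/A", 2: "Deliver", 3: "Delete", 4: "Quarantine",
                  5: "Postpone", 6: "Forward", 7: "Replace", 8: "Archive", 100: "Strip", 101: "Pass"}
SEVERITY_CODE = {0: "Unknown", 1: "Information", 2: "Warning", 3: "Error", 4: "Critical"}

# Header field names as used in the table above.
HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

# An extension key is a bare word followed by '='; a value runs until the next " key=".
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

# Sample from this page, reassembled onto one line.
SAMPLE_LOG = ("CEF:0|Trend Micro|Apex Central|2019|MS:0|This is a policy name|3|deviceExternalId=90045 "
              "rt=Sep 17 2018 01:27:42 GMT+00:00 dhost=user@test.com duser=user@test.com act=0 "
              "cs2Label=CLF_ProductVersion cs2=3.2 cs3Label=SL_FilterType cs3=0 "
              "cs5Label=CLF_ReasonCodeSource cs5=20 cs6Label=SL_MessageAction cs6=0 cat=1705 "
              "dvchost=ApexOneClient01 cn1Label=CLF_ServerityCode cn1=2 fname=NE_AEP.1550 "
              "msg=plain_qp_no8_av1u_NE_AEP.1550 shost=user2@test.com suser=user2@test.com "
              "deviceFacility=Deep Discovery Email Inspector src=10.206.155.122")

# Constructed record (not real product output): escaped '|' in the policy name, escaped '='
# in the subject, two recipients and two senders, an AttachmentFilter quarantine.
CONSTRUCTED_LOG = (r"CEF:0|Trend Micro|Apex Central|2019|MS:2|Block attachments \| spam|3|"
                   r"deviceExternalId=5 rt=Nov 15 2017 08:45:57 GMT+00:00 "
                   r"dhost=employee_a1@Acompany.com;employee_a2@Acompany.com "
                   r"duser=employee_a1@Acompany.com act=2 cnt=10 cs1Label=SL_PolicyContent "
                   r"cs1=Default_policy cs3Label=SL_FilterType cs3=2 cs6Label=SL_MessageAction cs6=4 "
                   r"cn1Label=CLF_SeverityCode cn1=3 fname=RERERW~42w.exe msg=Invoice \= urgent "
                   r'shost="bear" <bear@abc.mail.com>;"yumi" <yumi@abc.mail.com> '
                   r'suser="bear" <bear@abc.mail.com> deviceFacility=Deep Discovery Email Inspector '
                   r"src=10.206.155.122")


@dataclass
class ApexCentralEvent:
    header: dict        # the seven pipe-delimited header fields
    extension: dict     # raw extension key/value pairs, unescaped
    custom: dict        # cs*/cn* values keyed by their cs*Label/cn*Label names
    recipients: list    # dhost split on ';'
    senders: list       # shost split on ';'
    filter_type: str
    message_action: str
    severity_code: str


def _split_header(line):
    """Return the 7 header fields and the remaining extension text.
    Handles CEF header escapes: '\\|' for a literal pipe and '\\\\' for a backslash."""
    parts, cur, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(parts) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return parts, line[i:]


def _unescape(value):
    """Decode CEF extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n'/'\\r' -> newline/CR."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1])); i += 2
        else:
            out.append(value[i]); i += 1
    return "".join(out)


def _parse_extension(text):
    """Locate keys with the ' key=' pattern so values containing spaces stay intact."""
    hits = list(_EXT_KEY.finditer(text))
    ext = {}
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(text)
        ext[m.group(1)] = _unescape(text[m.end():end]).strip()
    return ext


def _enum(table, raw):
    if raw is None:
        return None
    try:
        return table.get(int(raw), f"unmapped({raw})")
    except ValueError:
        return f"unmapped({raw})"


def parse_apex_central_cef(line):
    header_vals, ext_text = _split_header(line.rstrip("\r\n"))
    header = dict(zip(HEADER_FIELDS, header_vals))
    if header["logVer"] != "CEF:0":
        raise ValueError(f"unexpected CEF version {header['logVer']!r}")
    ext = _parse_extension(ext_text)
    # Resolve csNLabel/cnNLabel -> csN/cnN into name -> value.
    custom = {val: ext[key[:-5]] for key, val in ext.items()
              if key.endswith("Label") and key[:-5] in ext}
    # Accept both spellings of the severity label seen on this page.
    severity_raw = custom.get("CLF_SeverityCode", custom.get("CLF_ServerityCode"))
    split = lambda k: [x for x in ext.get(k, "").split(";") if x]
    return ApexCentralEvent(header, ext, custom, split("dhost"), split("shost"),
                            _enum(FILTER_TYPE, custom.get("SL_FilterType")),
                            _enum(MESSAGE_ACTION, custom.get("SL_MessageAction")),
                            _enum(SEVERITY_CODE, severity_raw))


if __name__ == "__main__":
    for raw in (SAMPLE_LOG, CONSTRUCTED_LOG):
        ev = parse_apex_central_cef(raw)
        print(ev.header["eventName"], ev.filter_type, ev.message_action, ev.severity_code,
              ev.recipients, ev.senders)
```

When mapping these records in a SIEM, key detections on the resolved label names (SL_FilterType, SL_MessageAction) rather than on the cs3/cs6 slot numbers, since only the label identifies what a custom-string slot holds.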