Sandbox Detection logs are called Virtual Analyzer Detections on the Apex Central console.
| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Apex Central |
| Header (pver) | Appliance version | 2019 |
| Header (eventid) | Device event class ID | VAD |
| Header (eventName) | Event name | Virtual Analyzer detection name |
| Header (severity) | Severity | 3 |
| deviceExternalId | ID | Example: "2" |
| rt | Event trigger time in UTC | Example: "Mar 22 2018 08:23:23 GMT+00:00" |
| deviceFacility | Product | Example: "Apex One" |
| dvchost | Server name | Example: "OSCE01" |
| dhost | Endpoint name | Example: "Isolate-ClientA" |
| dst | Endpoint IPv4 address | Example: "10.0.17.6" |
| c6a3 | Endpoint IPv6 address | Example: "fe80::38ca:cd15:443c:40bb%11" |
| app | Entry channel | Example: "0". For more information, see Protocol Mapping Table |
| sourceServiceName | Source | Example: "Test1@tmcm.extbeta.com" |
| destinationServiceName | Destination | Example: "Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com" |
| sproc | Process name | Example: "VA" |
| fileHash | File SHA-1 hash | Example: "D6712CAE5EC821F910E14945153AE7871AA536CA" |
| fname | File name | Example: "C:\\\\QA_Log.zip" |
| request | URL | Example: "http://127.1.1.1" |
| cs1 | Name of the security threat determined by Virtual Analyzer | Example: "VAN_RANSOMWARE.umxxhelloransom_abc" |
| cn1 | Risk level assigned by Virtual Analyzer | Example: "0" |
| cs2 | Security threat type | Example: "Anti-security, self-preservation" |
| cs3 | Cloud storage vendor | Example: "Google Drive" |
| reason | Critical threat type | Example: "E" |
| deviceNtDomain | Active Directory domain | Example: APEXTMCM |
| dntdom | Apex One domain hierarchy | Example: OSCEDomain1 |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3 |
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 |
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |
| TMCMdevicePlatform | Endpoint operating system | Example: Windows 7 6.1 (Build 7601) Service Pack 1 |
Log sample:

```text
CEF:0|Trend Micro|Apex Central|2019|VAD|VAN_RANSOMWARE.umxxhelloransom_abc|3|deviceExternalId=2 rt=Mar 22 2018 08:23:23 GMT+00:00 deviceFacility=Apex One dvchost=OSCE01 dhost=Isolate-ClientA dst=0.0.0.0 app=1 sourceServiceName=Test1@trend.com.tw destinationServiceName=Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com sproc=VA fileHash=3395856CE81F2B7382DEE72602F798B642F14140 fname=C:\\QA_Log.zip request=http://127.1.1.1 cs1Label=Security_Threat cs1=VAN_RANSOMWARE.umxxhelloransom_abc cn1Label=Risk_Level cn1=0 cs2Label=Threat_Categories cs2=Anti-security, self-preservation cs3Label=Cloud_Service_Vendor cs3=Google Drive reason=E deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=OSCEClient TMCMLogDetectedIP=0.0.0.0 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1
```
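The parser below is an added example and is not part of the Apex Central documentation or product. It splits a Virtual Analyzer Detection record like the sample above into its seven header fields and its extension, keeps values that contain spaces intact (rt, cs2, TMCMdevicePlatform), undoes CEF escaping in fname, resolves the csNLabel/cnNLabel pairs to named fields, and normalises what an analyst would pivot on; the same code handles any other Apex Central CEF log type, since only the label names differ. The embedded sample line is constructed from the page's log sample, and the SHA-1 sanity check and the `escalate` rule are assumptions of this example.

```python
import re

# Constructed input: the page's log sample with the extraction line-wrap spaces removed.
SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|VAD|VAN_RANSOMWARE.umxxhelloransom_abc|3|"
    "deviceExternalId=2 rt=Mar 22 2018 08:23:23 GMT+00:00 deviceFacility=Apex One dvchost=OSCE01 "
    "dhost=Isolate-ClientA dst=0.0.0.0 app=1 sourceServiceName=Test1@trend.com.tw "
    "destinationServiceName=Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com sproc=VA "
    "fileHash=3395856CE81F2B7382DEE72602F798B642F14140 fname=C:\\\\QA_Log.zip request=http://127.1.1.1 "
    "cs1Label=Security_Threat cs1=VAN_RANSOMWARE.umxxhelloransom_abc cn1Label=Risk_Level cn1=0 "
    "cs2Label=Threat_Categories cs2=Anti-security, self-preservation cs3Label=Cloud_Service_Vendor "
    "cs3=Google Drive reason=E deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=OSCEClient "
    "TMCMLogDetectedIP=0.0.0.0 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 "
    "TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1"
)
HEADER_NAMES = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")                    # a '|' that is not escaped as '\|'
_EXT_PAIR = re.compile(r"(?:^|\s)(\w+)=(.*?)(?=\s\w+=|$)")  # values may contain spaces

def _unescape(value: str) -> str:
    """Undo CEF escaping: a backslash placed before a backslash, '=' or '|' is removed."""
    return re.sub(r"\\([\\=|])", r"\1", value)

def parse_cef(line: str) -> dict:
    """Split one CEF record into its seven header fields plus the extension key=value pairs."""
    parts = _HEADER_SPLIT.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    event = dict(zip(HEADER_NAMES, (_unescape(p) for p in parts[:7])))
    for key, value in _EXT_PAIR.findall(parts[7]):
        event[key] = _unescape(value)
    # Apex Central pairs csN/cnN with csNLabel/cnNLabel; expose each value under its label name too.
    for label_key in [k for k in event if k.endswith("Label")]:
        base = label_key[: -len("Label")]
        if base in event:
            event[event[label_key]] = event[base]
    return event

def triage(event: dict) -> dict:
    """Normalise the fields an analyst pivots on; the 'escalate' rule is an assumed local policy."""
    sha1 = event.get("fileHash", "").lower()
    if not re.fullmatch(r"[0-9a-f]{40}", sha1):
        sha1 = ""  # do not pivot on a malformed hash
    return {
        "endpoint": event.get("dhost", ""),
        "threat": event.get("Security_Threat", ""),
        "categories": [c.strip() for c in event.get("Threat_Categories", "").split(",") if c.strip()],
        "risk_level": int(event["cn1"]) if event.get("cn1", "").isdigit() else None,
        "sha1": sha1,
        "escalate": event.get("eventid") == "VAD" and "RANSOMWARE" in event.get("cs1", "").upper(),
    }
```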