| CEF Key | Description | Value | 
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 | 
| Header (vendor) | Appliance vendor | Trend Micro | 
| Header (pname) | Appliance product | Apex Central | 
| Header (pver) | Appliance product version | 2019 | 
| Header (eventid) | MS: Filter action | MS:Clean | 
| Header (eventName) | Policy name | Policy | 
| Header (severity) | Severity | 3 | 
| cnt | Number of detections | Example: 10 | 
| dhost | List of all recipients | Example: employee_a1@Acompany.com;employee_a2@Acompany.com | 
| duser | One of the recipients | Example: employee_a1@Acompany.com | 
| act | Filter action | Example: "Clean". For more information, see Filter Action Mapping Table. | 
| cs1Label | Corresponding label for the "cs1" field | Example: "Policy_Settings" | 
| cs1 | Policy settings | Example: "Default_policy" | 
| cs2Label | Corresponding label for the "cs2" field | Example: "Product_Version" | 
| cs2 | Product version | Example: "11" | 
| cs3Label | Corresponding label for the "cs3" field | Example: "Filter_Type" | 
| cs3 | Filter type | Example: "URL reputation filter" | 
| cs4Label | Corresponding label for the "cs4" field | Example: "CLF_ReasonCode" | 
| cs4 | Reason Code | Example: "access" | 
| cs5Label | Corresponding label for the "cs5" field | Example: "CLF_ReasonCodeSource" | 
| cs5 | Reason code source | Example: "web" | 
| cs6Label | Corresponding label for the "cs6" field | Example: "Action_on_Message" | 
| cs6 | Action | Example: "3" | 
| cat | Log type | Example: "1705" | 
| dvchost | Endpoint host name | Example: "ApexOneClient01" | 
| rt | Event trigger time in UTC | Example: "Mar 22 2018 08:23:23 GMT+00:00" | 
| cn1Label | Corresponding label for the "cn1" field | Example: "Severity" | 
| cn1 | Severity code | Example: "2" | 
| TMCMLogSeverity | Description of severity | Second scan engine | 
| cn2Label | Corresponding label for the "cn2" field | Filter_Action_Result | 
| cn2 | Filter action result | Example: 21. For more information, see Filter Action Result Mapping Table. | 
| deviceExternalId | ID | Example: "5" | 
| fname | File | Example: "RERERW~42w.exe" | 
| msg | Subject | Example: "Open this email to win a free phone" | 
| shost | List of all senders/users in violation | Example: "bear" <bear@abc.mail.com>;"yumi" <yumi@abc.mail.com> | 
| suser | One of the senders/users in violation | Example: "bear" <bear@abc.mail.com> | 
| deviceFacility | Product | Example: "Deep Discovery Email Inspector" | 
| src | Email sender IP address | Example: "10.206.155.122" | 
| filepath | Suspicious file location | Example: "https://ca91-1.testurl.com:443" | 
| request | Suspicious URL | Example: "https://ca91-1.testurl.com:443" | 
| reason | Critical threat type | Example: "E" | 
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 | 
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 | 
| TMCMdevicePlatform | Endpoint operating system | Example: Windows 7 6.1 (Build 7601) Service Pack 1 | 

Log sample:

```
CEF:0|Trend Micro|Apex Central|2019|MS:Clean|This is a policy name|3|deviceExternalId=90045 rt=Sep 17 2018 01:27:42 GMT+00:00 dhost=user@test.com duser=user@test.com act=Clean cs1Label=Policy_Settings cs1=This is policy content cs2Label=CLF_ProductVersion cs2=3.2 cs3Label=Filter_Type cs3=URL reputation filter cs5Label=CLF_ReasonCodeSource cs5=20 cs6Label=Action_on_Message cs6=0 cat=1705 dvchost=ApexOneClient01 cn1Label=Severity cn1=2 TMCMLogSeverity=Second scan engine fname=NE_AEP.1550 msg=plain_qp_no8_av1u_NE_AEP.1550 shost=user2@test.com suser=user2@test.com cn2Label=Filter_Action_Result cn2=21 deviceFacility=Deep Discovery Email Inspector src=10.206.155.122 reason=B,G ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1
```
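
As an added example (not Trend Micro's code), a Python parser for records in this format: it splits the seven header fields, reads extension values that contain spaces, and pairs each `cs`/`cn` slot with its `Label` key. The names `parse_cef` and `SAMPLE` are hypothetical, the input line is constructed, and the escaped `=` in `msg` assumes the sender applies standard CEF escaping.

```python
import re

HEADER_NAMES = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
KEY_RE = re.compile(r"(?<!\S)(\w+)=")      # a key starts the extension or follows whitespace
SLOT_RE = re.compile(r"(?:cs|cn)\d+")      # custom slots named by a matching <slot>Label key
ESCAPES = {"n": "\n", "r": "\r"}           # every other escaped character stands for itself

def parse_cef(line):
    """Parse one CEF record into (header, extension, labeled) dicts."""
    start = line.find("CEF:")              # skip any syslog prefix in front of the record
    if start < 0:
        raise ValueError("no CEF header found")
    fields, buf, i = [], [], start
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character, e.g. \| in a policy name
            i += 1
            buf.append(line[i])
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    header = dict(zip(HEADER_NAMES, fields))
    raw = line[i:]
    keys = list(KEY_RE.finditer(raw))
    ext = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        value = raw[m.end():nxt.start() if nxt else len(raw)].strip()
        ext[m.group(1)] = re.sub(r"\\(.)", lambda e: ESCAPES.get(e.group(1), e.group(1)), value)
    labeled = {ext[k + "Label"]: v for k, v in ext.items()
               if SLOT_RE.fullmatch(k) and k + "Label" in ext}
    return header, ext, labeled

# Constructed input: the page's log sample, shortened, with an escaped "=" added to msg
SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|MS:Clean|This is a policy name|3|"
    "deviceExternalId=90045 rt=Sep 17 2018 01:27:42 GMT+00:00 act=Clean "
    "cs1Label=Policy_Settings cs1=This is policy content cs3Label=Filter_Type "
    "cs3=URL reputation filter cn1Label=Severity cn1=2 msg=Re: act\\=Pass now "
    "cn2Label=Filter_Action_Result cn2=21 deviceFacility=Deep Discovery Email Inspector"
)

if __name__ == "__main__":
    header, ext, labeled = parse_cef(SAMPLE)
    print(header["eventid"], ext["act"], labeled)
```

Fields such as `msg`, `fname` and `request` carry content taken from the email itself, so keep treating the parsed values as untrusted input when forwarding them to a SIEM or ticketing system.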
 
		