Views:
Common Event Format (CEF) and Log Event Extended Format (LEEF) log message formats are slightly different. For example, the "Source User" column in the GUI corresponds to a field named "suser" in CEF; in LEEF, the same field is named "usrName" instead. Log message fields also vary by whether the event originated on the agent or Server & Workload Protection and which feature created the log message.
Note
Note
If your syslog messages are being truncated, it may be because you're using User Datagram Protocol (UDP). To prevent truncation, transfer your syslog messages over Transport Layer Security (TLS) instead. For instructions on switching to TLS, see Define a syslog configuration.
Note
Note
Basic syslog format is not supported by the Anti-Malware, Web Reputation, Integrity Monitoring, and Application Control protection modules.
If the syslog messages are sent from Server & Workload Protection, there are several differences. In order to preserve the original agent hostname (the source of the event), a new extension ("dvc" or "dvchost") is present. "dvc" is used if the hostname is an IPv4 address; "dvchost" is used for hostnames and IPv6 addresses.
Additionally, the extension "TrendMicroDsTags" is used if the events are tagged. This applies only to auto-tagging with run on future, since events are forwarded via syslog only as they are collected by Server & Workload Protection. The product for logs relayed through Workload Security will still read "Deep Security Agent"; however, the product version is the version of Server & Workload Protection.

CEF syslog message format

All CEF events include 'dvc=IPv4 Address' or 'dvchost=Hostname' (or the IPv6 address) for the purposes of determining the original agent that was the source of the event. This extension is important for events sent from Server & Workload Protection, since in this case the syslog sender of the message is not the originator of the event.
Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
To determine whether the log entry comes from Server & Workload Protection or an agent, look at the "Device Product" field:
Sample CEF Log Entry: Jan 18 11:07:53 dsmhost CEF:0|Trend Micro|Workload Security Manager|<Workload Security version>|600|Administrator Signed In|4|suser=Master...
Note
Note
Events that occur on a VM that is protected by a virtual appliance, but that don't have an in-guest agent, will still be identified as coming from an agent.
To further determine what kind of rule triggered the event, look at the "Signature ID" and "Name" fields:
Sample Log Entry: Mar 19 15:19:15 root CEF:0|Trend Micro|Deep Security Agent|<Agent version>|123|Out Of Allowed Policy|5|cn1=1...
The "Signature ID" value indicates what kind of event has been triggered:
Signature IDs
Description
10
Custom Intrusion Prevention (IPS) rule
20
Log-only Firewall rule
21
Deny Firewall rule
30
Custom Integrity Monitoring rule
40
Custom Log Inspection rule
100-7499
System events
100-199
Policy Firewall rule and Firewall stateful configuration
200-299
IPS internal errors
300-399
SSL/TLS events
500-899
IPS normalization
1,000,000-1,999,999
Trend Micro IPS rule. The signature ID is the same as the IPSrule ID.
2,000,000-2,999,999
Integrity Monitoring rule. The signature ID is the Integrity Monitoring rule ID + 1,000,000.
3,000,000-3,999,999
Log Inspection rule. The signature ID is the Log Inspection rule ID + 2,000,000.
4,000,000-4,999,999
Anti-Malware events. Currently, only these signature IDs are used:
  • 4,000,000 - Anti-Malware - Real-Time Scan
  • 4,000,001 - Anti-Malware - Manual Scan
  • 4,000,002 - Anti-Malware - Scheduled Scan
  • 4,000,003 - Anti-Malware - Quick Scan
  • 4,000,010 - Anti-Spyware - Real-Time Scan
  • 4,000,011 - Anti-Spyware - Manual Scan
  • 4,000,012 - Anti-Spyware - Scheduled Scan
  • 4,000,013 - Anti-Spyware - Quick Scan
  • 4,000,020 - Suspicious Activity - Real-Time Scan
  • 4,000,030 - Unauthorized Change - Real-Time Scan
5,000,000-5,999,999
Web Reputation events. Currently, only these signature IDs are used:
  • 5,000,000 - Web Reputation - Blocked
  • 5,000,001 - Web Reputation - Detect Only
6,000,000-6,999,999
Application Control events. Currently, only these signature IDs are used:
  • 6,001,100 - Application Control - Detect Only, in block list
  • 6,001,200 - Application Control - Detect Only, not in allow list
  • 6,002,100 - Application Control - Blocked, in block list
  • 6,002,200 - Application Control – Blocked, not in allow list
7,000,000-7,999,999
Device Control events. Currently, only these signature IDs are used:
  • 7,000,000 - Device Control - access unknown device was blocked
  • 7,000,200 - Device Control - write unknown device was blocked
  • 7,001,000 - Device Control - access USB device was blocked
  • 7,001,200 - Device Control - write USB device was blocked
  • 7,002,000 - Device Control - access mobile device was blocked
  • 7,002,200 - Device Control - write mobile device was blocked
Note
Note
Log entries don't always have all CEF extensions described in the event log format tables below. CEF extensions also may not be always in the same order. If you are using regular expressions (regex) to parse the entries, make sure your expressions do not depend on each key-value pair to exist, or to be in a specific order.
Note
Note
Syslog messages are limited to 64 KB by the syslog protocol specification. If the message is longer, data may be truncated. The basic syslog format is limited to 1 KB.

LEEF 2.0 syslog message format

Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension
Sample LEEF 2.0 Log Entry (Workload Security System Event Log Sample): LEEF:2.0|Trend Micro|Server & Workload Protection Manager|<Agent version>|192|cat=System name=Alert Ended desc=Alert: CPU Warning Threshold Exceeded\nSubject: 10.201.114.164\nSeverity: Warning sev=3 src=10.201.114.164 usrName=System msg=Alert: CPUWarning Threshold Exceeded\nSubject: 10.201.114.164\nSeverity:Warning TrendMicroDsTenant=Primary

Events originating in Server & Workload Protection

System event log format

Base CEF Format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Sample CEF Log Entry: CEF:0|Trend Micro|Server & Workload Protection Manager|<Server & Workload Protection version>|600|User Signed In|3|src=10.52.116.160 suser=admin target=admin msg=User signed in from 2001:db8::5
Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension
Sample LEEF 2.0 Log Entry: LEEF:2.0|Trend Micro|Server & Workload Protection Manager|<DSA version>|192|cat=System name=Alert Ended desc=Alert: CPU Warning Threshold Exceeded\nSubject: 10.201.114.164\nSeverity: Warning sev=3 src=10.201.114.164 usrName=System msg=Alert: CPU Warning Threshold Exceeded\nSubject: 10.201.114.164\nSeverity: Warning TrendMicroDsTenant=Primary
Note
Note
LEEF format uses a reserved "sev" key to show severity and "name" for the Name value.
CEF Extension Field
LEEF Extension Field
Name
Description
Examples
src
src
Source IP Address
Server & Workload Protection IP address.
src=10.52.116.23
suser
usrName
Source User
Server & Workload Protection administrator's account.
suser=MasterAdmin
target
target
Target Entity
The subject of the event. It can be the administrator account logged into Server & Workload Protection, or a computer.
target=MasterAdmin target=server01
targetID
targetID
Target Entity ID
The identifier added in Server & Workload Protection.
targetID=1
targetType
targetType
Target Entity Type
The event target entity type.
targetType=Host
msg
msg
Details
Details of the system event. May contain a verbose description of the event.
msg=User password incorrect for username MasterAdmin on an attempt to sign in from 127.0.0.1 msg=A Scan for Recommendations on computer (localhost) has completed...
TrendMicroDsProcessImagePath
TrendMicroDsProcessImagePath
Process Image Path
The full path of the process that generates an anti-malware event detection.
Note
Note
Windows does not support this information.
TrendMicroDsProcessImagePath=/usr/bin/bash
TrendMicroDsProcessPid
TrendMicroDsProcessPid
Process PID
The PID of the process that generates an anti-malware event detection
Note
Note
Windows does not support this information.
TrendMicroDsProcessPid=4422
TrendMicroDsTags
TrendMicroDsTags
Event Tags
Server & Workload Protection event tags assigned to the event
TrendMicroDsTags=suspicious
TrendMicroDsTenant
TrendMicroDsTenant
Tenant Name
Server & Workload Protection tenant
TrendMicroDsTenant=Primary
TrendMicroDsTenantId
TrendMicroDsTenantId
Tenant ID
Server & Workload Protection tenant ID
TrendMicroDsTenantId=0
TrendMicroDsReasonId
TrendMicroDsReasonId
Event reason ID
Indicates the reason ID for event descriptions. Each event has its own reason ID definition.
TrendMicroDsReasonId=1
None
sev
Severity
The severity of the event. 1 is the least severe; 10 is the most severe.
sev=3
None
cat
Category
Event category
cat=System
None
name
Name
Event name
name=Alert Ended
None
desc
Description
Event description
desc:Alert: CPU Warning Threshold Exceeded

Events originating in the agent

Anti-Malware event format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<Agent version>|4000000|Eicar_test_file|6|cn1=1 cn1Label=Host ID dvchost=hostname cn2=205 cn2Label=Quarantine File Size cs6=ContainerImageName | ContainerName | ContainerID cs6Label=Container filePath=C:\Users\trend\Desktop\eicar.exe act=Delete result=Delete msg=Realtime TrendMicroDsMalwareTarget=N/A TrendMicroDsMalwareTargetType=N/TrendMicroDsFileMD5=44D88612FEA8A8F36DE82E1278ABB02F TrendMicroDsFileSHA1=3395856CE81F2B7382DEE72602F798B642F14140 TrendMicroDsFileSHA256=275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F TrendMicroDsDetectionConfidence=95 TrendMicroDsRelevantDetectionNames=Ransom_CERBER.BZC;Ransom_CERBER.C;Ransom_CRYPNISCA.SM
Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension
Sample LEEF Log Entry: LEEF: 2.0|Trend Micro|Deep Security Agent|<Agent version>|4000030|cat=Anti-Malware name=HEU_AEGIS_CRYPT desc=HEU_AEGIS_CRYPT sev=6 cn1=241 cn1Label=Host ID dvc=10.0.0.1 TrendMicroDsTags=FS TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 filePath=C:\Windows\System32\virus.exe act=Terminate msg=Realtime TrendMicroDsMalwareTarget=Multiple TrendMicroDsMalwareTargetType=File System TrendMicroDsFileMD5=1947A1BC0982C5871FA3768CD025453E#011 TrendMicroDsFileSHA1=5AD084DDCD8F80FBF2EE3F0E4F812E812DEE60C1#011 TrendMicroDsFileSHA256=25F231556700749F8F0394CAABDED83C2882317669DA2C01299B45173482FA6E TrendMicroDsDetectionConfidence=95 TrendMicroDsRelevantDetectionNames=Ransom_CERBER.BZC;Ransom_CERBER.C;Ransom_CRYPNISCA.SM
CEF Extension Field
LEEF Extension Field
Name
Description
Examples
cn1
cn1
Host Identifier
The agent computer's internal unique identifier.
cn1=1
cn1Label
cn1Label
Host ID
The name label for the field cn1.
cn1Label=Host ID
cn2
cn2
File Size
The size of the quarantine file. This extension is included only when the "direct forward" from agent /appliance is selected.
cn2=100
cn2Label
cn2Label
File Size
The name label for the field cn2.
cn2Label=Quarantine File Size
cs3
cs3
Infected Resource
The path of the spyware item. This field is only for spyware detection events.
cs3=C:\test\atse_samples\SPYW_Test_Virus.exe
cs3Label
cs3Label
Infected Resource
The name label for the field cs3. This field is only for spyware detection events.
cs3Label=Infected Resource
cs4
cs4
Resource Type
Resource Type values:
10=Files and Directories
11=System Registry
12=Internet Cookies
13=Internet URL Shortcut
14=Programs in Memory
15=Program Startup Areas
16=Browser Helper Object
17=Layered Service Provider
18=Hosts File
19=Windows Policy Settings
20=Browser
23=Windows Shell Setting
24=IE Downloaded Program Files
25=Add/Remove Programs
26=Services
other=Other
For example, if there's a spyware file named spy.exe that creates a registry run key to keep its persistence after system reboot, there will be two items in the spyware report: the item for spy.exe has cs4=10 (Files and Directories), and the item for the run key registry has cs4=11 (System Registry).
This field is only for spyware detection events.
cs4=10
cs4Label
cd4Label
Resource Type
The name label for the field cs4. This field is only for spyware detection events.
cs4Label=Resource Type
cs5
cs5
Risk Level
Risk level values:
0=Very Low
25=Low
50=Medium
75=High
100=Very High
This field is only for spyware detection events.
cs5=25
cs5Label
cs5Label
Risk Level
The name label for the field cs5. This field is only for spyware detection events.
cs5Label=Risk Level
cs6
cs6
Container
The image name of the Docker container, container name, and container ID where the malware was detected.
cs6=ContainerImageName | ContainerName | ContainerID
cs6Label
cs6Label
Container
The name label for the field cs6.
cs6Label=Container
filePath
filePath
File Path
The location of the malware file.
filePath=C:\\Users\\Mei\\Desktop\\virus.exe
act
act
Action
The action performed by the Anti-Malware engine. Possible values are: Deny Access, Quarantine, Delete, Pass, Clean, Terminate, and Unspecified.
act=Clean act=Pass
result
result
Result
The result of the failed Anti-Malware action.
result=Passed result=Deleted result=Quarantined result=Cleaned result=Access Denied result=Terminated result=Log result=Failed result=Pass Failed result=Delete Failed result=Quarantine Failed result=Clean Failed result=Terminate Failed result=Log Failed result=Scan Failed result=Passed (Scan Failed) result=Quarantined (Scan Failed) result=Quarantine Failed (Scan Failed) result=Deny Access (Scan Failed)
msg
msg
Message
The type of scan. Possible values are: Realtime, Scheduled, and Manual.
msg=Realtime msg=Scheduled
dvc
dvc
Device address
The IPv4 address for cn1.
Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)
dvc=10.1.144.199
dvchost
dvchost
Device host name
The hostname or IPv6 address for cn1.
Does not appear if the source is an IPv4 address. (Uses dvc field instead.)
dvchost=www.example.com dvchost=fe80::f018:a3c6:20f9:afa6%5
TrendMicroDsBehaviorRuleID
TrendMicroDsBehaviorRuleID
Behavior monitoring rule ID
The behavior monitoring rule ID for internal malware case tracking.
BehaviorRuleID=CS913
TrendMicroDsBehaviorType
TrendMicroDsBehaviorType
Behavior Monitoring type
The type of behavior monitoring event detected.
BehaviorType=Threat-Detection
TrendMicroDsTags
TrendMicroDsTags
Events tags
Server & Workload Protection event tags assigned to the event
TrendMicroDsTags=suspicious
TrendMicroDsTenant
TrendMicroDsTenant
Tenant name
Server & Workload Protection tenant
TrendMicroDsTenant=Primary
TrendMicroDsTenantId
TrendMicroDsTenantId
Tenant ID
Server & Workload Protection tenant ID
TrendMicroDsTenantId=0
TrendMicroDsMalwareTargetCount
TrendMicroDsMalwareTargetCount
Target count
The number of target files.
TrendMicroDsMalwareTargetCount=3
TrendMicroDsMalwareTarget
TrendMicroDsMalwareTarget
Target(s)
The file, process, or registry key (if any) that the malware was trying to affect. If the malware was trying to affect more than one, this field will contain the value "Multiple."
Only suspicious activity monitoring and unauthorized change monitoring have values for this field.
TrendMicroDsMalwareTarget=N/A TrendMicroDsMalwareTarget=C:\\Windows\\System32\\cmd.exe TrendMicroDsMalwareTarget=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings TrendMicroDsMalwareTarget=Multiple
TrendMicroDsMalwareTargetType
TrendMicroDsMalwareTargetType
Target Type
The type of system resource that this malware was trying to affect, such as the file system, a process, or Windows registry.
Only suspicious activity monitoring and unauthorized change monitoring have values for this field.
TrendMicroDsMalwareTargetType=N/A TrendMicroDsMalwareTargetType=Exploit TrendMicroDsMalwareTargetType=File System TrendMicroDsMalwareTargetType=Process TrendMicroDsMalwareTargetType=Registry
TrendMicroDsProcess
TrendMicroDsProcess
Process
Process Name
TrendMicroDsProcess= abc.exe
TrendMicroDsFileMD5
TrendMicroDsFileMD5
File MD5
The MD5 hash of the file
TrendMicroDsFileMD5=1947A1BC0982C5871FA3768CD025453E
TrendMicroDsFileSHA1
TrendMicroDsFileSHA1
File SHA1
The SHA1 hash of the file
TrendMicroDsFileSHA1=5AD084DDCD8F80FBF2EE3F0E4F812E812DEE60C1
TrendMicroDsFileSHA256
TrendMicroDsFileSHA256
File SHA256
The SHA256 hash of the file
TrendMicroDsFileSHA256=25F231556700749F8F0394CAABDED83C2882317669DA2C01299B45173482FA6E
TrendMicroDsDetectionConfidence
TrendMicroDsDetectionConfidence
Threat Probability
Indicates how closely (in %) the file matched the malware model
TrendMicroDsDetectionConfidence=95
TrendMicroDsRelevantDetectionNames
TrendMicroDsRelevantDetectionNames
Probable Threat Type
Indicates the most likely type of threat contained in the file after Predictive Machine Learning compared the analysis to other known threats(separate by semicolon";" )
TrendMicroDsRelevantDetectionNames=Ransom_CERBER.BZC;Ransom_CERBER.C;Ransom_CRYPNISCA.SM
None
sev
Severity
The severity of the event. 1 is the least severe; 10 is the most severe.
sev=6
None
cat
Category
Category
cat=Anti-Malware
None
name
Name
Event name
name=SPYWARE_KEYL_ACTIVE
None
desc
Description
Event description. Anti-Malware uses the event name as the description.
desc=SPYWARE_KEYL_ACTIVE
TrendMicroDsCommandLine
TrendMicroDsCommandLine
Command Line
The commands that the subject process executes
TrendMicroDsCommandLine=/tmp/orca-testkit-sample/testsys_m64 -u 1000 -g 1000 -U 1000 -G 1000 -e cve_2017_16995 1 -d 4000000
TrendMicroDsCve
TrendMicroDsCve
CVE
CVE information, if the process behavior is identified in one of Common Vulnerabilities and Exposures.
TrendMicroDsCve=CVE-2016-5195,CVE-2016-5195,CVE-2016-5195
TrendMicroDsMitre
TrendMicroDsMitre
MITRE
The MITRE information, if the process behavior is identified in one of MITRE attack scenarios.
TrendMicroDsMitre=T1068,T1068,T1068
suser
suser
user name
The user account name who triggered this event
suser=root

Application Control event format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Example CEF Log Entry: CEF: 0|Trend Micro|Deep Security Agent|10.2.229|6001200|AppControl detectOnly|6|cn1=202 cn1Label=Host ID dvc=192.168.33.128 TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 fileHash=80D4AC182F97D2AB48EE4310AC51DA5974167C596D133D64A83107B9069745E0 suser=root suid=0 act=detectOnly filePath=/home/user1/Desktop/Directory1//heartbeatSync.sh fsize=20 aggregationType=0 repeatCount=1 cs1=notWhitelisted cs1Label=actionReason cs2=0CC9713BA896193A527213D9C94892D41797EB7C cs2Label=sha1 cs3=7EA8EF10BEB2E9876D4D7F7E5A46CF8D cs3Label=md5
Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension
Example LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|10.0.2883|60|cat=AppControl name=blocked desc=blocked sev=6 cn1=2 cn1Label=Host ID dvc=10.203.156.39 TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 fileHash=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 suser=root suid=0 act=blocked filePath=/bin/my.jar fsize=123857 aggregationType=0 repeatCount=1 cs1=notWhitelisted cs1Label=actionReason
CEF Extension Field
LEEF Extension Field
Name
Description
Examples
cn1
cn1
Host Identifier
The agent computer's internal unique identifier.
cn1=2
cn1Label
cn1Label
Host ID
The name label for the field cn1.
cn1Label=Host ID
cs1
cs1
Reason
The reason why application control performed the specified action, such as "notWhitelisted" (the software did not have a matching rule, and application control was configured to block unrecognized software).
cs1=notWhitelisted
cs1Label
cs1Label
The name label for the field cs1.
cs1Label=actionReason
cs2
cs2
If it was calculated, the SHA-1 hash of the file.
cs2=156F4CB711FDBD668943711F853FB6DA89581AAD
cs2Label
cs2Label
The name label for the field cs2.
cs2Label=sha1
cs3
cs3
If it was calculated, the MD5 hash of the file.
cs3=4E8701AC951BC4537F8420FDAC7EFBB5
cs3Label
cs3Label
The name label for the field cs3.
cs3Label=md5
act
act
Action
The action performed by the Application Control engine. Possible values are: Blocked, Allowed.
act=blocked
dvc
dvc
Device address
The IPv4 address for cn1.
Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)
dvc=10.1.1.10
dvchost
dvchost
Device host name
The hostname or IPv6 address for cn1.
Does not appear if the source is an IPv4 address. (Uses dvc field instead.)
dvchost=www.example.com dvchost=2001:db8::5
suid
suid
User ID
The account IDnumber of the user name.
suid=0
suser
suser
User Name
The name of the user account that installed the software on the protected computer.
suser=root
TrendMicroDsTenant
TrendMicroDsTenant
Tenant name
Server & Workload Protection tenant name.
TrendMicroDsTenant=Primary
TrendMicroDsTenantId
TrendMicroDsTenantId
Tenant ID
Server & Workload Protection tenant ID number.
TrendMicroDsTenantId=0
fileHash
fileHash
File hash
The SHA 256 hash that identifies the software file.
fileHash=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
filePath
filePath
File Path
The location of the malware file.
filePath=/bin/my.jar
fsize
fsize
File Size
The file size in bytes.
fsize=16
aggregationType
aggregationType
Aggregation Type
An integer that indicates how the event is aggregated:
  • 0: The event is not aggregated
  • 1: The event is aggregated based on file name, path, and event type.
  • 2: The event is aggregated based on event type.
For information, about event aggregation, see View Application Control event logs.
aggregationType=2
repeatCount
repeatCount
Repeat Count
The number of occurrences of the event. Non-aggregated events have a value of 1. Aggregated events have a value of 2 or more.
repeatCount=4
None
sev
Severity
The severity of the event. 1 is the least severe; 10 is the most severe.
sev=6
None
cat
Category
Category
cat=AppControl
None
name
Name
Event name
name=blocked
None
desc
Description
Event description. Application Control uses the action as the description.
desc=blocked

Firewall event log format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<Agent version>|20|Log for TCP Port 80|0|cn1=1 cn1Label=Host ID dvc=hostname act=Log dmac=00:50:56:F5:7F:47 smac=00:0C:29:EB:35:DE TrendMicroDsFrameType=IP src=192.168.126.150 dst=72.14.204.147 out=1019 cs3=DF MF cs3Label=Fragmentation Bits proto=TCP spt=49617 dpt=80 cs2=0x00 ACK PSH cs2Label=TCP Flags cnt=1 TrendMicroDsPacketData=AFB...
Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|<Agent version>|21|cat=Firewall name=Remote Domain Enforcement (Split Tunnel) desc=Remote Domain Enforcement (Split Tunnel) sev=5 cn1=37 cn1Label=Host ID dvchost=www.example.com TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 act=Deny dstMAC=67:BF:1B:2F:13:EE srcMAC=78:FD:E7:07:9F:2C TrendMicroDsFrameType=IP src=10.0.110.221 dst=105.152.185.81 out=177 cs3= cs3Label=Fragmentation Bits proto=UDP srcPort=23 dstPort=445 cnt=1 TrendMicroDsPacketData=AFB...
Sample TendMicroDsScannerIp Log Entry: CEF Field : (wait check), LEEF Field: TrendMicroDsScannerIp, Name: Scanner IP, Description: Scanner IP Address, Example: TrendMicroDsScannerIp=192.168.33.1
TrendMicroDsTargetPortList Log Entry: CEF Field : (wait check), LEEF Field: TrendMicroDsTargetPortList, Name: Target Port List, Description: Scanned Port List, Example: TrendMicroDsTargetPortList=12;13;16;18;22;23;27;32;38;42;44;47;48;60;67;
CEF Extension Field
LEEF Extension Field
Name
Description
Examples
act
act
Action
act=Log act=Deny
cn1
cn1
Host Identifier
The agent computer's internal unique identifier.
cn1=113
cn1Label
cn1Label
Host ID
The name label for the field cn1.
cn1Label=Host ID
cnt
cnt
Repeat Count
The number of times this event was sequentially repeated.
cnt=8
cs2
cs2
TCP Flags
cs2=0x10 ACK cs2=0x14 ACK RST
cs2Label
cs2Label
TCP Flags
The name label for the field cs2.
cs2Label=TCP Flags
cs3
cs3
Packet Fragmentation Information
cs3=DF cs3=MF cs3=DF MF
cs3Label
cs3Label
Fragmentation Bits
The name label for the field cs3.
cs3Label=Fragmentation Bits
cs4
cs4
ICMP Type and Code
(For the ICMP protocol only) The ICMP type and code, delimited by a space.
cs4=11 0 cs4=8 0
cs4Label
cs4Label
ICMP
The name label for the field cs4.
cs4Label=ICMP Type and Code
dmac
dstMAC
Destination MAC Address
MAC address of the destination computer's network interface.
dmac= 00:0C:29:2F:09:B3
dpt
dstPort
Destination Port
(For TCP and UDP protocol only) Port number of the destination computer's connection or session.
dpt=80 dpt=135
dst
dst
Destination IP Address
IP address of the destination computer.
dst=192.168.1.102 dst=10.30.128.2
in
in
Inbound Bytes Read
(For inbound connections only) Number of inbound bytes read.
in=137 in=21
out
out
Outbound Bytes Read
(For outbound connections only) Number of outbound bytes read.
out=216 out=13
proto
proto
Transport protocol
Name of the transport protocol used.
proto=tcp proto=udp proto=icmp
smac
srcMAC
Source MAC Address
MAC address of the source computer's network interface.
smac= 00:0E:04:2C:02:B3
spt
srcPort
Source Port
(For TCP and UDP protocol only) Port number of the source computer's connection or session.
spt=1032 spt=443
src
src
Source IP Address
The packet's source IP address at this event.
src=192.168.1.105 src=10.10.251.231
TrendMicroDsFrameType
TrendMicroDsFrameType
Ethernet frame type
Connection ethernet frame type.
TrendMicroDsFrameType=IP TrendMicroDsFrameType=ARP TrendMicroDsFrameType=RevARP TrendMicroDsFrameType=NetBEUI
TrendMicroDsPacketData
TrendMicroDsPacketData
Packet data
The packet data, represented in Base64.
TrendMicroDsPacketData=AFB...
dvc
dvc
Device address
The IPv4 address for cn1.
Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)
dvc=10.1.144.199
dvchost
dvchost
Device host name
The hostname or IPv6 address for cn1.
Does not appear if the source is an IPv4 address. (Uses dvc field instead.)
dvchost=exch01.example.com dvchost=2001:db8::5
TrendMicroDsTags
TrendMicroDsTags
Event Tags
Server & Workload Protection event tags assigned to the event
TrendMicroDsTags=suspicious
TrendMicroDsTenant
TrendMicroDsTenant
Tenant Name
Server & Workload Protection tenant
TrendMicroDsTenant=Primary
TrendMicroDsTenantId
TrendMicroDsTenantId
Tenant ID
Server & Workload Protection tenant ID
TrendMicroDsTenantId=0
None
sev
Severity
The severity of the event. 1 is the least severe; 10 is the most severe.
sev=5
None
cat
Category
Category
cat=Firewall
None
name
Name
Event name
name=Remote Domain Enforcement (Split Tunnel)
None
desc
Description
Event description. Firewall events use the event name as the description.
desc=Remote Domain Enforcement (Split Tunnel)
TrendMicroDsScannerIp
TrendMicroDsScannerIp
Scanner IP
Scanner IP Address
TrendMicroDsScannerIp=192.168.33.1
TrendMicroDsTargetPortList
TrendMicroDsTargetPortList
Target Port List
Scanned Port List
TrendMicroDsTargetPortList=12;13;16;18;22;23;27;32;38;42;44;47;48;60;67;

Integrity Monitoring log event format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<Agent version>|30|New Integrity Monitoring Rule|6|cn1=1 cn1Label=Host ID dvchost=hostname act=updated filePath=c:\windows\message.dll suser=admin sproc=C:\Windows\System32\notepad.exe msg=lastModified,sha1,size
Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension
Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|<Agent version>|2002779|cat=Integrity Monitor name=Microsoft Windows - System file modified desc=Microsoft Windows - System file modified sev=8 cn1=37 cn1Label=Host ID dvchost=www.example.com TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 act=updated suser=admin sproc=C:\Windows\System32\notepad.exe
CEF Extension Field
LEEF Extension Field
Name
Description
Examples
act
act
Action
The action detected by the integrity rule. Can contain: created, updated, deleted or renamed.
act=created act=deleted
cn1
cn1
Host Identifier
The agent computer's internal unique identifier.
cn1=113
cn1Label
cn1Label
Host ID
The name label for the field cn1.
cn1Label=Host ID
filePath
filePath
Target Entity
The integrity rule target entity. May contain a file or directory path, registry key, etc.
filePath=C:\WINDOWS\system32\drivers\etc\hosts
suser
suser
Source User
Account of the user who changed the file being monitored.
suser=WIN-038M7CQDHIN\Administrator
sproc
sproc
Source Process
The name of the event's source process.
sproc=C:\\Windows\\System32\\notepad.exe
msg
msg
Attribute changes
(For "renamed" action only) A list of changed attribute names. If "Relay via Manager" is selected, all event action types include a full description.
msg=lastModified,sha1,size
oldfilePath
oldfilePath
Old target entity
(For "renamed" action only) The previous integrity rule target entity to capture the rename action from the previous target entity to the new, which is recorded in the filePath field.
oldFilePath=C:\WINDOWS\system32\logfiles\ds_agent.log
dvc
dvc
Device address
The IPv4 address for cn1.
Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)
dvc=10.1.144.199
dvchost
dvchost
Device host name
The hostname or IPv6 address for cn1.
Does not appear if the source is an IPv4 address. (Uses dvc field instead.)
dvchost=www.example.com dvchost=2001:db8::5
TrendMicroDsTags
TrendMicroDsTags
Events tags
Server & Workload Protection event tags assigned to the event
TrendMicroDsTags=suspicious
TrendMicroDsTenant
TrendMicroDsTenant
Tenant name
Server & Workload Protection tenant
TrendMicroDsTenant=Primary
TrendMicroDsTenantId
TrendMicroDsTenantId
Tenant ID
Server & Workload Protection tenant ID
TrendMicroDsTenantId=0
None
sev
Severity
The severity of the event. 1 is the least severe; 10 is the most severe.
sev=8
None
cat
Category
Category
cat=Integrity Monitor
None
name
Name
Event name
name=Microsoft Windows - System file modified
None
desc
Description
Event description. Integrity Monitoring uses the event name as the description.
desc=Microsoft Windows - System file modified

Intrusion Prevention event log format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<Agent version>|1001111|Test Intrusion Prevention Rule|3|cn1=1 cn1Label=Host ID dvchost=hostname dmac=00:50:56:F5:7F:47 smac=00:0C:29:EB:35:DE TrendMicroDsFrameType=IP src=192.168.126.150 dst=72.14.204.105 out=1093 cs3=DF MF cs3Label=Fragmentation Bits proto=TCP spt=49786 dpt=80 cs2=0x00 ACK PSH cs2Label=TCP Flags cnt=1 act=IDS:Reset cn3=10 cn3Label=Intrusion Prevention Packet Position cs5=10 cs5Label=Intrusion Prevention Stream Position cs6=8 cs6Label=Intrusion Prevention Flags TrendMicroDsPacketData=R0VUIC9zP3...
Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension
Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|<Agent version>|1000940|cat=Intrusion Prevention name=Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities desc=Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities sev=10 cn1=6 cn1Label=Host ID dvchost=exch01 TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 dstMAC=55:C0:A8:55:FF:41 srcMAC=CA:36:42:B1:78:3D TrendMicroDsFrameType=IP src=10.0.251.84 dst=56.19.41.128 out=166 cs3= cs3Label=Fragmentation Bits proto=ICMP srcPort=0 dstPort=0 cnt=1 act=IDS:Reset cn3=0 cn3Label=DPI Packet Position cs5=0 cs5Label=DPI Stream Position cs6=0 cs6Label=DPI Flags TrendMicroDsPacketData=R0VUIC9zP3...
CEF Extension Field
LEEF Extension Field
Name
Description
Examples
act
act
Action
(IPS rules written before Deep Security version 7.5 SP1 could additionally perform Insert, Replace, and Delete actions. These actions are no longer performed. If an older IPS Rule is triggered which still attempts to perform those actions, the event will indicate that the rule was applied in detect-only mode.)
act=Block
cn1
cn1
Host Identifier
The agent computer's internal unique identifier.
cn1=113
cn1Label
cn1Label
Host ID
The name label for the field cn1.
cn1Label=Host ID
cn3
cn3
Intrusion Prevention Packet Position
Position within packet of data that triggered the event.
cn3=37
cn3Label
cn3Label
Intrusion Prevention Packet Position
The name label for the field cn3.
cn3Label=Intrusion Prevention Packet Position
cnt
cnt
Repeat Count
The number of times this event was sequentially repeated.
cnt=8
cs1
cs1
Intrusion Prevention Filter Note
(Optional) A note field which can contain a short binary or text note associated with the payload file. If the value of the note field is all printable ASCII characters, it will be logged as text with spaces converted to underscores. If it contains binary data, it will be logged using Base-64 encoding.
cs1=Drop_data
cs1Label
cs1Label
Intrusion Prevention Note
The name label for the field cs1.
cs1Label=Intrusion Prevention Note
cs2
cs2
TCP Flags
(For the TCP protocol only) The raw TCP flag byte followed by the URG, ACK, PSH, RST, SYN and FIN fields may be present if the TCP header was set.
cs2=0x10 ACK cs2=0x14 ACK RST
cs2Label
cs2Label
TCP Flags
The name label for the field cs2.
cs2Label=TCP Flags
cs3
cs3
Packet Fragmentation Information
cs3=DF cs3=MF cs3=DF MF
cs3Label
cs3Label
Fragmentation Bits
The name label for the field cs3.
cs3Label=Fragmentation Bits
cs4
cs4
ICMP Type and Code
(For the ICMP protocol only) The ICMP type and code stored in their respective order delimited by a space.
cs4=11 0 cs4=8 0
cs4Label
cs4Label
ICMP
The name label for the field cs4.
cs4Label=ICMP Type and Code
cs5
cs5
Intrusion Prevention Stream Position
Position within stream of data that triggered the event.
cs5=128 cs5=20
cs5Label
cs5Label
Intrusion Prevention Stream Position
The name label for the field cs5.
cs5Label=Intrusion Prevention Stream Position
cs6
cs6
Intrusion Prevention Filter Flags
A combined value that includes the sum of the flag values: 1 - Data truncated - Data could not be logged. 2 - Log Overflow - Log overflowed after this log. 4 - Suppressed - Logs threshold suppressed after this log. 8 - Have Data - Contains packet data 16 - Reference Data - References previously logged data.
The following example would be a summed combination of 1 (Data truncated) and 8 (Have Data): cs6=9
cs6Label
cs6Label
Intrusion Prevention Flags
The name label for the field cs6.
cs6=Intrusion Prevention Filter Flags
dmac
dstMAC
Destination MAC Address
Destination computer network interface MAC address.
dmac= 00:0C:29:2F:09:B3
dpt
dstPort
Destination Port
(For TCP and UDP protocol only) Destination computer connection port.
dpt=80 dpt=135
dst
dst
Destination IP Address
Destination computer IP Address.
dst=192.168.1.102 dst=10.30.128.2
xff
xff
X-Forwarded-For
The IPaddress of the last hub in the X-Forwarded-For header. This is typically originating IP address, beyond the proxy that may exist. See also the src field. To include xff in events, enable the "1006540 - Enable X-Forwarded-For HTTP Header Logging" Intrusion Prevention rule.
xff=192.168.137.1
in
in
Inbound Bytes Read
(For inbound connections only) Number of inbound bytes read.
in=137 in=21
out
out
Outbound Bytes Read
(For outbound connections only) Number of outbound bytes read.
out=216 out=13
proto
proto
Transport protocol
Name of the connection transport protocol used.
proto=tcp proto=udp proto=icmp
smac
srcMAC
Source MAC Address
Source computer network interface MAC address.
smac= 00:0E:04:2C:02:B3
spt
srcPort
Source Port
(For TCP and UDP protocol only) Source computer connection port.
spt=1032 spt=443
src
src
Source IP Address
Source computer IP Address. This is the IP of the last proxy server, if it exists, or the client IP. See also the xff field.
src=192.168.1.105 src=10.10.251.231
TrendMicroDsFrameType
TrendMicroDsFrameType
Ethernet frame type
Connection ethernet frame type.
TrendMicroDsFrameType=IP TrendMicroDsFrameType=ARP TrendMicroDsFrameType=RevARP TrendMicroDsFrameType=NetBEUI
TrendMicroDsPacketData
TrendMicroDsPacketData
Packet data
The packet data, represented in Base64.
TrendMicroDsPacketData=R0VUIC9zP3...
dvc
dvc
Device address
The IPv4 address for cn1.
Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)
dvc=10.1.144.199
dvchost
dvchost
Device host name
The hostname or IPv6 address for cn1.
Does not appear if the source is an IPv4 address. (Uses dvc field instead.)
dvchost=www.example.com dvchost=2001:db8::5
TrendMicroDsTags
TrendMicroDsTags
Event tags
Server & Workload Protection event tags assigned to the event
TrendMicroDsTags=Suspicious
TrendMicroDsTenant
TrendMicroDsTenant
Tenant name
Server & Workload Protection tenant name
TrendMicroDsTenant=Primary
TrendMicroDsTenantId
TrendMicroDsTenantId
Tenant ID
Server & Workload Protection tenant ID
TrendMicroDsTenantId=0
None
sev
Severity
The severity of the event. 1 is the least severe; 10 is the most severe.
sev=10
None
cat
Category
Category
cat=Intrusion Prevention
None
name
Name
Event name
name=Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities
None
desc
Description
Event description. Intrusion Prevention events use the event name as the description.
desc=Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities

Log Inspection event format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<Agent version>|3002795|Microsoft Windows Events|8|cn1=1 cn1Label=Host ID dvchost=hostname cs1Label=LI Description cs1=Multiple Windows Logon Failures fname=Security src=127.0.0.1 duser=(no user) shost=WIN-RM6HM42G65V msg=WinEvtLog Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-RM6HM42G65V: An account failed to log on. Subject: ..
Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension
Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|<Agent version>|3003486|cat=Log Inspection name=Mail Server - MDaemon desc=Server Shutdown. sev=3 cn1=37 cn1Label=Host ID dvchost=exch01.example.com TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 cs1=Server Shutdown. cs1Label=LI Description fname= shost= msg=
CEF Extension Field
LEEF Extension Field
Name
Description
Examples
cn1
cn1
Host Identifier
The agent computer's internal unique identifier.
cn1=113
cn1Label
cn1Label
Host ID
The name label for the field cn1.
cn1Label=Host ID
cs1
cs1
Specific Sub-Rule
The Log Inspection sub-rule which triggered this event.
cs1=Multiple Windows audit failure events
cs1Label
cs1Label
LI Description
The name label for the field cs1.
cs1Label=LI Description
duser
duser
User Information
(If parse-able username exists) The name of the target user initiated the log entry.
duser=(no user) duser=NETWORK SERVICE
fname
fname
Target entity
The Log Inspection rule target entity. May contain a file or directory path, registry key, etc.
fname=Application fname=C:\Program Files\CMS\logs\server0.log
msg
msg
Details
Details of the Log Inspection event. May contain a verbose description of the detected log event.
msg=WinEvtLog: Application: AUDIT_FAILURE(20187): pgEvent: (no user): no domain: SERVER01: Remote login failure for user 'xyz'
shost
shost
Source Hostname
Source computer hostname.
shost=webserver01.corp.com
src
src
Source IP Address
Source computer IP address.
src=192.168.1.105 src=10.10.251.231
dvc
dvc
Device address
The IPv4 address for cn1.
Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)
dvc=10.1.144.199
dvchost
dvchost
Device host name
The hostname or IPv6 address for cn1.
Does not appear if the source is an IPv4 address. (Uses dvc field instead.)
dvchost=www.example.com dvchost=2001:db8::5
TrendMicroDsTags
TrendMicroDsTags
Events tags
Server & Workload Protection event tags assigned to the event
TrendMicroDsTags=suspicious
TrendMicroDsTenant
TrendMicroDsTenant
Tenant name
Server & Workload Protection tenant
TrendMicroDsTenant=Primary
TrendMicroDsTenantId
TrendMicroDsTenantId
Tenant ID
Server & Workload Protection tenant ID
TrendMicroDsTenantId=0
None
sev
Severity
The severity of the event. 1 is the least severe; 10 is the most severe.
sev=3
None
cat
Category
Category
cat=Log Inspection
None
name
Name
Event name
name=Mail Server - MDaemon
None
desc
Description
Event description.
desc=Server Shutdown

Web Reputation event format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<Agent version>|5000000|WebReputation|5|cn1=1 cn1Label=Host ID dvchost=hostname request=example.com msg=Blocked By Admin
Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension
Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|<Agent version>|5000000|cat=Web Reputation name=WebReputation desc=WebReputation sev=6 cn1=3 cn1Label=Host ID dvchost=exch01.example.com TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 request=http://yw.olx5x9ny.org.it/HvuauRH/eighgSS.htm msg=Suspicious
CEF Extension Field
LEEF Extension Field
Name
Description
Examples
cn1
cn1
Host Identifier
The agent computer's internal unique identifier.
cn1=1
cn1Label
cn1Label
Host ID
The name label for the field cn1.
cn1Label=Host ID
request
request
Request
The URL of the request.
request=http://www.example.com/index.php
msg
msg
Message
The type of action. Possible values are: Realtime, Scheduled, and Manual.
msg=Realtime msg=Scheduled
dvc
dvc
Device address
The IPv4 address for cn1.
Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)
dvc=10.1.144.199
dvchost
dvchost
Device host name
The hostname or IPv6 address for cn1.
Does not appear if the source is an IPv4 address. (Uses dvc field instead.)
dvchost=www.example.com dvchost=2001:db8::5
TrendMicroDsTags
TrendMicroDsTags
Events tags
Server & Workload Protection event tags assigned to the event
TrendMicroDsTags=suspicious
TrendMicroDsTenant
TrendMicroDsTenant
Tenant name
Server & Workload Protection tenant
TrendMicroDsTenant=Primary
TrendMicroDsTenantId
TrendMicroDsTenantId
Tenant ID
Server & Workload Protection tenant ID
TrendMicroDsTenantId=0
None
sev
Severity
The severity of the event. 1 is the least severe; 10 is the most severe.
sev=6
None
cat
Category
Category
cat=Web Reputation
None
name
Name
Event name
name=WebReputation
None
desc
Description
Event description. Web Reputation uses the event name as the description.
desc=WebReputation

Device Control event format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|50.0.1063|7000000|Device Control DeviceControl|6|cn1=1 cn1Label=Host ID dvchost=test-hostname TrendMicroDsTenant=tenantName TrendMicroDsTenantId=1 device=deviceName processName=processName1 fileName=/tmp/some_path2 vendor=vendorName serial=aaaa-bbbb-cccc model=modelName computerName=computerName domainName=computerDomain deviceType=0 permission=0
Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension
Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|50.0.1063|7000000|cat=Device Control name=DeviceControl desc=DeviceControl sev=6 cn1=1 cn1Label=Host ID dvchost=test-hostname TrendMicroDsTenant=tenantName TrendMicroDsTenantId=1 device=deviceName processName=processName1 fileName=/tmp/some_path2 vendor=vendorName serial=aaaa-bbbb-cccc model=modelName computerName=computerName domainName=computerDomain deviceType=0 permission=0
CEF Extension Field
LEEF Extension Field
Name
Description
Examples
cn1
cn1
Host Identifier
The agent computer's internal unique identifier.
cn1=1
cn1Label
cn1Label
Host ID
The name label for the field cn1.
cn1Label=Host ID
dvchost
dvchost
Device host name
The hostname or IPv6 address for cn1.
Does not appear if the source is an IPv4 address. (Uses dvc field instead.)
dvchost=www.example.com dvchost=2001:db8::5
TrendMicroDsTenant
TrendMicroDsTenant
Tenant name
Server & Workload Protection tenant
TrendMicroDsTenant=Primary
TrendMicroDsTenantId
TrendMicroDsTenantId
Tenant ID
Server & Workload Protection tenant ID
TrendMicroDsTenantId=0
device
device
Device Name
The device that was accessed.
device=Sandisk_USB
processName
processName
Process Name
The process name.
processName=someProcess.exe
fileName
fileName
File Name
The file name that was accessed.
fileName=E:\somepath\a.exe
vendor
vendor
Vendor Name
The vendor name of the device.
vendor=sandisk
serial
serial
Serial Number
The serial number of the device.
serial=aaa-bbb-ccc
model
model
Model
The product name of the device.
model=A270_USB
computerName
computerName
Computer Name
The computer name.
computerName=Jonh_Computer
domainName
domainName
Domain Name
The domain name.
domainName=CompanyDomain
deviceType
deviceType
Device Type
The device type of the device USB_STORAGE_DEVICE(1) MOBILE_DEVICE(2)
deviceType=1
permission
permission
Permission
The block reason of the access BLOCK(0) READ_ONLY(2)
permission=0