| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Product vendor | Trend Micro |
| Header (pname) | Product name | Apex Central |
| Header (pver) | Product version | 2019 |
| Header (eventid) | Behavior Monitoring policy ID | BM:1000 |
| Header (eventName) | Log name | Behavior Monitoring |
| Header (severity) | Severity | 3 |
| rt | Event trigger time in UTC | Example: Mar 22 2018 08:23:23 GMT+00:00 |
| dvchost | Host name | Example: localhost |
| cs2Label | Corresponding label for the cs2 field | Policy |
| cs2 | Policy type | Compromised executable file; New startup program; Host file modification; Program library injection; New Internet Explorer plugin; Internet Explorer setting modification; Shell modification; New service; Security policy modification; Firewall policy modification; System file modification; Duplicated system file; Layered service provider; System process modification; Suspicious behavior; Newly encountered programs; Unauthorized file encryption; Threat behavior analysis; User-defined policy |
| sproc | Target of the event | Example: C:\\Windows\\SysWOW64\\rundll32.exe |
| cs3Label | Corresponding label for the cs3 field | Event_Type |
| cs3 | Event type | Process; Process image; Registry; File system; Driver; SDT; System API; User Mode; Exploit; All |
| cs4Label | Corresponding label for the cs4 field | Operation |
| cs4 | The operation to be performed by the target of the event | Create Process; Open; Terminate; Delete; Write; Access; Create File; Close; Execute; Invoke; Exploit; Unhandled Operation |
| cs5Label | Corresponding label for the cs5 field | Risk_Level |
| cs5 | Risk level | Example: 1. Values: 0: Low; 1: High |
| TMCMLogTarget | Target host | Example: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\COM+ |
| act | Translated action | Allow; Ask; Deny; Terminate; Read Only; Read/Write Only; Read/Execute Only; Feedback; Clean; Unknown; Assess; Terminated. Files were recovered.; Terminated. Some files were not recovered.; Terminated. Files were not recovered.; Terminated. Restart result: Files were recovered.; Terminated: Restart result: Some files were not recovered.; Terminated: Restart result: Files were not recovered. |
| shost | Source host (endpoint) | Example: shost1 |
| src | Source host IP address | Example: 10.0.147.105 |
| deviceFacility | Product | Example: Apex One |
| reason | Critical threat type | Example: E. Values: A: Known Advanced Persistent Threat (APT); B: Social engineering attack; C: Vulnerability attack; D: Lateral movement; E: Unknown threats; F: C&C callback; G: Ransomware |
| deviceNtDomain | Active Directory domain | Example: APEXTMCM |
| dntdom | Apex One domain hierarchy | Example: OSCEDomain1 |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3 |
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 |
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |
| TMCMdevicePlatform | Endpoint operating system | Example: Windows 7 6.1 (Build 7601) Service Pack 1 |
Log sample:

```
CEF:0|Trend Micro|Apex Central|2019|BM:1000|Behavior Monitoring|3|rt=Sep 20 2019 01:02:03 GMT+00:00 dvchost=localhost cs5Label=Risk_Level cs5=1 cs2Label=Policy cs2=Threat Behavior Analysis sproc=subject cs3Label=Event_Type cs3=File system TMCMLogTarget=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\COM+ act=Ask cs4Label=Operation cs4=Create Process shost=shost1 src=10.0.76.40 deviceFacility=Apex One reason=G deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=shost1 TMCMLogDetectedIP=10.0.76.40 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1
```
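As an added example (not code from the Trend Micro page), a parser for this Behavior Monitoring CEF line: it splits the seven-field header on unescaped pipes, cuts the extension at key= boundaries because values such as cs2, cs4 and TMCMdevicePlatform contain spaces, undoes the CEF `\\`, `\=` and `\|` escaping visible in TMCMLogTarget, and resolves the csNLabel/csN pairs plus the cs5 and reason code tables above. The field names and code tables are taken from this page; the function and variable names are my own.

```python
import re

# Header: seven '|'-delimited fields; '\|' inside a field is an escaped pipe, not a delimiter.
_HEADER_FIELD = re.compile(r'((?:\\.|[^|\\])*)\|')
# Extension key: [A-Za-z0-9_]+ at the start or after whitespace, directly followed by '='.
_EXT_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_]+)=')
HEADER_NAMES = ["version", "vendor", "product", "product_version", "event_id", "name", "severity"]
# Code tables taken from the field reference above.
REASON_CODES = {"A": "Known Advanced Persistent Threat (APT)", "B": "Social engineering attack",
                "C": "Vulnerability attack", "D": "Lateral movement", "E": "Unknown threats",
                "F": "C&C callback", "G": "Ransomware"}
RISK_LEVELS = {"0": "Low", "1": "High"}
# The page's own log sample, joined back onto a single line (raw string: '\\' is CEF escaping).
SAMPLE = (r"CEF:0|Trend Micro|Apex Central|2019|BM:1000|Behavior Monitoring|3|rt=Sep 20 2019 "
          r"01:02:03 GMT+00:00 dvchost=localhost cs5Label=Risk_Level cs5=1 cs2Label=Policy "
          r"cs2=Threat Behavior Analysis sproc=subject cs3Label=Event_Type cs3=File system "
          r"TMCMLogTarget=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\COM+ act=Ask "
          r"cs4Label=Operation cs4=Create Process shost=shost1 src=10.0.76.40 deviceFacility=Apex One "
          r"reason=G deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=shost1 "
          r"TMCMLogDetectedIP=10.0.76.40 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-"
          r"9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1")

def _unescape(value):
    # CEF writes a literal backslash as '\\', '=' as '\=' and '|' as '\|'.
    return re.sub(r'\\([\\=|])', r'\1', value)

def parse_cef(line):
    record, rest = {}, line
    for name in HEADER_NAMES:
        m = _HEADER_FIELD.match(rest)
        if m is None:
            raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
        record[name] = _unescape(m.group(1))
        rest = rest[m.end():]
    # Extension values contain spaces ("Create Process", "Apex One"), so never split on whitespace:
    # each value runs from its '=' to the start of the next key= token.
    keys = list(_EXT_KEY.finditer(rest))
    ext = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(rest)
        ext[m.group(1)] = _unescape(rest[m.end():end].strip())
    # Resolve csNLabel/csN pairs so a consumer reads ext["Policy"], not ext["cs2"].
    for key in list(ext):
        if key.endswith("Label") and key[:-5] in ext:
            ext[ext[key]] = ext[key[:-5]]
    record["ext"] = ext
    record["risk_level"] = RISK_LEVELS.get(ext.get("cs5"), "Unknown")
    record["critical_threat_type"] = REASON_CODES.get(ext.get("reason"), "Unknown")
    return record
```

Note that the doubled backslashes in TMCMLogTarget and sproc are CEF escaping on the wire; after unescaping, the registry path compares equal to the single-backslash form a detection rule would match against.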