| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Product vendor | Trend Micro |
| Header (pname) | Product name | Apex Central |
| Header (pver) | Product version | 2019 |
| Header (eventid) | PML:Action result | PML:File cleaned |
| Header (eventName) | Detection name | virusa |
| Header (severity) | Severity | 3 |
| rt | Event trigger time in UTC | Example: Mar 22 2018 08:23:23 GMT+00:00 |
| dvchost | Product server | Example: Sample_Host |
| cn1Label | Corresponding label for the cn1 field | ThreatType |
| cn1 | Probable threat type | Example: 35143. For more information, see Threat Type Mapping Table. |
| cs2Label | Corresponding label for the cs2 field | DetectionName |
| cs2 | Security threat | Example: Troj.Win32.TRX.XXPE002FF017 |
| shost | Infected endpoint | Example: 10.0.0.1 |
| suser | Logon user | Example: TREND\\User |
| cn2Label | Corresponding label for the cn2 field | DetectionType |
| cn2 | Detection type | Example: 0 (0: File; 1: Process) |
| filePath | File path | Example: "D:\\" |
| fname | File name | Example: "ALCORMP.EXE" |
| deviceCustomDate1 | File creation time | Example: 2017-04-26 05:53:27.000 |
| sproc | System process | Example: notepad.exe |
| cs4Label | Corresponding label for the cs4 field | ProcessCommandLine |
| cs4 | Process command | Example: notepad.exe |
| duser | Process owner | Example: user1 |
| app | Infection channel | Example: 10 (0: Unknown; 1: Local drive; 2: Network drive; 3: AutoRun files; 10: Web; 11: Email; 999: Local or network drive) |
| cs3Label | Corresponding label for the cs3 field | InfectionLocation |
| cs3 | Infection source | Example: http://10.0.0.1/ |
| dst | Product/Endpoint IPv4 address | Example: 10.0.17.6 |
| c6a3Label | Corresponding label for the c6a3 field | Product/Endpoint IP |
| c6a3 | Product/Endpoint IPv6 address | Example: fd66:5168:9882:6:b5b0:b2b5:4173:3f5d |
| cn3Label | Corresponding label for the cn3 field | Confidence |
| cn3 | Threat probability | Example: 82 |
| act | Action result | Example: 21. For more information, see Action Mapping Table. |
| fileHash | File SHA-1 | Example: 52c17c785b45ee961f68fb17744276076f383085 |
| dhost | Product entity/endpoint | Example: dhost1 |
| deviceExternalId | Log sequence number | Example: 100 |
| deviceFacility | Product | Example: Apex One |
| reason | Critical threat type | Example: E (A: Known Advanced Persistent Threat (APT); B: Social engineering attack; C: Vulnerability attack; D: Lateral movement; E: Unknown threats; F: C&C callback; G: Ransomware) |
| deviceNtDomain | Active Directory domain | Example: APEXTMCM |
| dntdom | Apex One domain hierarchy | Example: OSCEDomain1 |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3 |
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 |
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |
| TMCMdevicePlatform | Endpoint operating system | Example: Windows 7 6.1 (Build 7601) Service Pack 1 |
Log sample:
```text
CEF:0|Trend Micro|Apex Central|2019|PML:File cleaned|Detection01|3|deviceExternalId=1 rt=Dec 01 2018 16:01:00 GMT+00:00 deviceFacility=15 dvchost=OSCE01 cn1Label=ThreatType cn1=1 cs2Label=DetectionName cs2=Detection01 shost=10.0.0.1 suser=Sample_Domain\\Sample_User cn2Label=DetectionType cn2=0 filePath=C:\\test01\\aaa.exe fname=aaa.exe deviceCustomDate1Label=FileCreationDate deviceCustomDate1=Dec 02 2018 00:01:00 GMT+00:00 sproc=notepad.exe cs4Label=ProcessCommandLine cs4=notepad.exe -test duser=admin01 app=1 cs3Label=InfectionLocation cs3=https://10.1.1.1 dst=80.1.1.1 cn3Label=Confidence cn3=81 act=21 fileHash=177750B65A21A9043105FD0820B85B58CF148A01 dhost=OSCEClient11 reason=E deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=OSCEClient11 TMCMLogDetectedIP=80.1.1.1 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1
```
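As an added example (not part of the Trend Micro documentation), a small Python parser for this record layout: it splits the CEF header on unescaped pipes, cuts the extension into key/value pairs even where values contain spaces (rt, cs4, TMCMdevicePlatform), resolves each cnNLabel/csNLabel pair to the name it carries, and decodes the enumerated cn2, app and reason values listed in the table above. The page's log sample is the embedded input; the Threat Type and Action mapping tables are not on this page, so cn1 and act stay as raw numbers.

```python
import re

# Enumerations documented in the field table above (cn2, app and reason).
DETECTION_TYPE = {"0": "File", "1": "Process"}
INFECTION_CHANNEL = {"0": "Unknown", "1": "Local drive", "2": "Network drive", "3": "AutoRun files",
                     "10": "Web", "11": "Email", "999": "Local or network drive"}
CRITICAL_THREAT = {"A": "Known Advanced Persistent Threat (APT)", "B": "Social engineering attack",
                   "C": "Vulnerability attack", "D": "Lateral movement", "E": "Unknown threats",
                   "F": "C&C callback", "G": "Ransomware"}
HEADER = ("cef_version", "vendor", "product", "version", "event_id", "event_name", "severity")
# Header fields are split on unescaped pipes. An extension key starts at the beginning of the
# extension or after whitespace, so an escaped "\=" inside a value never opens a new key.
_PIPE = re.compile(r"(?<!\\)\|")
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")
_ESC = {"\\": "\\", "|": "|", "=": "=", "n": "\n", "r": "\r"}

def cef_unescape(value):
    # One pass, so "\\=" (an escaped backslash followed by a literal "=") is not mis-decoded.
    return re.sub(r"\\([\\|=nr])", lambda m: _ESC[m.group(1)], value)

def parse_cef(line):
    parts = _PIPE.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: expected 7 header fields plus an extension")
    record = dict(zip(HEADER, map(cef_unescape, parts[:7])))
    ext, keys, fields = parts[7], list(_KEY.finditer(parts[7])), {}
    for i, m in enumerate(keys):  # a value runs up to the next key, so it may contain spaces
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = cef_unescape(ext[m.end():end].strip())
    record["extension"] = fields
    # cn1Label=ThreatType says what cn1 holds; resolve every *Label/value pair the same way.
    record["labeled"] = {fields[k]: fields.get(k[:-5]) for k in fields if k.endswith("Label")}
    record["decoded"] = {"DetectionType": DETECTION_TYPE.get(fields.get("cn2")),
                         "InfectionChannel": INFECTION_CHANNEL.get(fields.get("app")),
                         "CriticalThreatType": CRITICAL_THREAT.get(fields.get("reason"))}
    return record

# The page's log sample rejoined onto one line; raw strings keep the CEF "\\" escapes intact.
SAMPLE = (r"CEF:0|Trend Micro|Apex Central|2019|PML:File cleaned|Detection01|3|deviceExternalId=1 "
          r"rt=Dec 01 2018 16:01:00 GMT+00:00 deviceFacility=15 dvchost=OSCE01 cn1Label=ThreatType cn1=1 "
          r"cs2Label=DetectionName cs2=Detection01 shost=10.0.0.1 suser=Sample_Domain\\Sample_User "
          r"cn2Label=DetectionType cn2=0 filePath=C:\\test01\\aaa.exe fname=aaa.exe "
          r"deviceCustomDate1Label=FileCreationDate deviceCustomDate1=Dec 02 2018 00:01:00 GMT+00:00 "
          r"sproc=notepad.exe cs4Label=ProcessCommandLine cs4=notepad.exe -test duser=admin01 app=1 "
          r"cs3Label=InfectionLocation cs3=https://10.1.1.1 dst=80.1.1.1 cn3Label=Confidence cn3=81 act=21 "
          r"fileHash=177750B65A21A9043105FD0820B85B58CF148A01 dhost=OSCEClient11 reason=E "
          r"deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=OSCEClient11 TMCMLogDetectedIP=80.1.1.1 "
          r"ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 "
          r"TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1")
```

`parse_cef(SAMPLE)["labeled"]` yields the seven label-resolved fields (ThreatType, DetectionName, DetectionType, FileCreationDate, ProcessCommandLine, InfectionLocation, Confidence), and `["decoded"]` reads the sample as a File detection from a Local drive classified as Unknown threats.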