|
CEF Key
|
Description
|
Value
|
|
Header (logVer)
|
CEF format version
|
CEF:0
|
|
Header (vendor)
|
Product vendor
|
Trend Micro
|
|
Header (pname)
|
Product name
|
Apex Central
|
|
Header (pver)
|
Product version
|
2019
|
|
Header (eventid)
|
Event ID
|
1745
|
|
Header (eventName)
|
Log name
|
Product Auditing Events
|
|
Header (severity)
|
Severity
|
3
|
|
cat
|
Log type
|
1745
|
|
deviceFacility
|
Managed product
|
Example:
Apex One |
|
dvchost
|
Display name of the managed endpoint
|
Example:
localhost |
|
rt
|
Event trigger time in UTC
|
Example:
Mar 22 2018 08:23:23 GMT+00:00 |
|
cn1Label
|
Corresponding label for the
cn1field |
SLF_CategoryID
|
|
cn1
|
Category ID
|
Example:
536,870,912 |
|
cn2Label
|
Corresponding label for the "cn2" field
|
SLF_SeverityLevel
|
|
cn2
|
Severity level
|
Example:
4
|
|
suser
|
The name of the user on whose behalf the event occurred
|
Example: "administrator"
|
|
deviceNtDomain
|
Active Directory domain
|
Example: APEXTMCM
|
|
dntdom
|
Apex One domain hierarchy
|
Example: OSCEDomain1
|
|
ApexCentralHost
|
Apex Central host name
|
Example: TW-CHRIS-W2019
|
|
devicePayloadId
|
Unique message GUID
|
Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697
|
Log sample:
CEF:0|Trend Micro|Apex Central|2019|Delete|1009490 - Block A dministrative Share - 1 (ATT&CK T1077,T1105)|3|rt=Apr 20 202 0 03:33:15 GMT+00:00 dvchost=OSCEClient22 deviceFacility=Ape x One act=Delete, src=10.1.1.8 dst=80.1.1.8 smac=54-BF-64-84 -7F-08 spt=88 dmac=54-BF-64-84-7F-18 dpt=448 cn2Label=SLF_Is DetectionOnly cn2=1 deviceDirection=Outbound cn3Label=SLF_Ra nk cn3=100 cn4Label=SLF_SeverityCode cn4=4 proto=10008 cs2La bel=SLF_ConnectionType cs2=Suspicious Client Application Act ivity cn1Label=SLF_RuleID cn1=1009490 cs1Label=SLF_RuleConte nt cs1=1009490 - Block Administrative Share - 1 (ATT&CK T107 7,T1105) cnt=1 deviceNtDomain=APEXTMCM dntdom=OSCEDomain1