Views:
Note
Note
Sandbox Detection logs are called Virtual Analyzer Detections on the Apex Central console.
CEF Key
Description
Value
Header (logVer)
CEF format version
CEF:0
Header (vendor)
Appliance vendor
TrendAI™
Header (pname)
Appliance product
Apex Central
Header (pver)
Appliance version
2019
Header (eventid)
Device event class ID
VAD
Header (eventName)
Event name
Virtual Analyzer detection name
Header (severity)
Severity
3
deviceExternalId
ID
Example: 2
rt
Event trigger time in UTC
Example: Mar 22 2018 08:23:23 GMT+00:00
deviceFacility
Product
Example: Apex One
dvchost
Server name
Example: OSCE01
dhost
Endpoint name
Example: Isolate-ClientA
dst
Endpoint IPv4 address
Example: 10.0.17.6
c6a3
Endpoint IPv6 address
Example: fe80::38ca:cd15:443c:40bb%11
app
Entry channel
Example: 0
For more information, see Protocol Mapping Table
sourceServiceName
Source
Example: Test1@tmcm.extbeta.com
destinationServiceName
Destination
Example: Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com
sproc
Process name
Example: VA
fileHash
File SHA-1 hash
Example: D6712CAE5EC821F910E14945153AE7871AA536CA
fname
File name
Example: C:\\\\QA_Log.zip
request
URL
Example: http://127.1.1.1
cs1
The name of the security threat determined by Virtual Analyzer
Example: VAN_RANSOMWARE.umxxhelloransom_abc
cn1
Displays the risk level assigned by Virtual Analyzer
Example: 0
  • 0: No risk
  • 1: Low risk
  • 2: Medium risk
  • 3: High risk
  • 9999: Unknown
cs2
Displays the security threat type
Example: Anti-security, self-preservation
cs3
Cloud storage vendor
Example: Google Drive
  • Dropbox
  • Box
  • Google Drive
  • Microsoft OneDrive
  • SugarSync
  • Hightail
  • Evernote
  • Microsoft Exchange Online
  • Microsoft SharePoint Online
  • Unknown
  • N/A
reason
Critical threat type
Example: E
  • A: Known Advanced Persistent Threat (APT)
  • B: Social engineering attack
  • C: Vulnerability attack
  • D: Lateral movement
  • E: Unknown threats
  • F: C&C callback
  • G: Ransomware
deviceNtDomain
Active Directory domain
Example: APEXTMCM
dntdom
Apex One domain hierarchy
Example: OSCEDomain1
TMCMLogDetectedHost
Endpoint name where the log event occurred
Example: MachineHostName
TMCMLogDetectedIP
IP address where the log event occurred
Example: 10.1.2.3
ApexCentralHost
Apex Central host name
Example: TW-CHRIS-W2019
devicePayloadId
Unique message GUID
Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697
TMCMdevicePlatform
Endpoint operating system
Example: Windows 7 6.1 (Build 7601) Service Pack 1
Log sample:
CEF: 0|TrendAI™|Apex Central|2019|VAD|VAN_RANSOMWARE.um
xxhelloransom_abc|3|deviceExternalId=2 rt=Mar 22 2018 08:23:
23 GMT+00:00 deviceFacility=Apex One dvchost=OSCE01 dhost=
Isolate-ClientA dst=0.0.0.0 app=1 sourceServiceNameTest1@tre
nd.com.tw destinationServiceName=Test2@tmcm.extbeta.com;Test
3@tmcm.extbeta.com sproc=VA fileHash=3395856CE81F2B7382DEE72
602F798B642F14140 fname=C:\\\\QA_Log.zip request=http://127.
1.1.1 cs1Label=Security_Threat cs1=VAN_RANSOMWARE.umxxhellor
ansom_abc cn1Label=Risk_Level cn1=0 cs2Label=Threat_Categori
es cs2=Anti-security, self-preservation cs3Label=Cloud_Servi
ce_Vendor cs3=Google Drive reason=E deviceNtDomain=APEXTMCM 
dntdom=OSCEDomain1 TMCMLogDetectedHost=OSCEClient TMCMLogDe
tectedIP=0.0.0.0 ApexCentralHost=TW-CHRIS-W2019 devicePaylo
adId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatfor
m=Windows 7 6.1 (Build 7601) Service Pack 1
Keywords: Sandbox Detection Logs,Virtual Analyzer