Note: Sandbox Detection logs are called Virtual Analyzer Detections on the Apex Central console.
CEF Key | Description | Value
--- | --- | ---
Header (logVer) | CEF format version | CEF:0
Header (vendor) | Appliance vendor | Trend Micro
Header (pname) | Appliance product | Apex Central
Header (pver) | Appliance version | 2019
Header (eventid) | Device event class ID | VAD
Header (eventName) | Event name | Virtual Analyzer detection name
Header (severity) | Severity (fixed for this log type) | 3
deviceExternalId | ID | Example: 2
rt | Event trigger time in UTC (text form, not epoch) | Example: Mar 22 2018 08:23:23 GMT+00:00
deviceFacility | Product | Example: Apex One
dvchost | Server name | Example: OSCE01
dhost | Endpoint name | Example: Isolate-ClientA
dst | Endpoint IPv4 address | Example: 10.0.17.6
c6a3 | Endpoint IPv6 address | Example: fe80::38ca:cd15:443c:40bb%11
app | Entry channel (protocol code; for the codes, see the Protocol Mapping Table) | Example: 0
sourceServiceName | Source | Example: Test1@tmcm.extbeta.com
destinationServiceName | Destination (multiple values separated by semicolons) | Example: Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com
sproc | Process name | Example: VA
fileHash | File SHA-1 hash | Example: D6712CAE5EC821F910E14945153AE7871AA536CA
fname | File name | Example: C:\\\\QA_Log.zip
request | URL | Example: http://127.1.1.1
cs1 | Name of the security threat determined by Virtual Analyzer | Example: VAN_RANSOMWARE.umxxhelloransom_abc
cn1 | Risk level assigned by Virtual Analyzer (codes listed below) | Example: 0
cs2 | Security threat type | Example: Anti-security, self-preservation
cs3 | Cloud storage vendor (values listed below) | Example: Google Drive
reason | Critical threat type (codes listed below) | Example: E
deviceNtDomain | Active Directory domain | Example: APEXTMCM
dntdom | Apex One domain hierarchy | Example: OSCEDomain1
TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName
TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3
ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019
devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697
TMCMdevicePlatform | Endpoint operating system | Example: Windows 7 6.1 (Build 7601) Service Pack 1

cn1 (risk level) values:
  • 0: No risk
  • 1: Low risk
  • 2: Medium risk
  • 3: High risk
  • 9999: Unknown

cs3 (cloud storage vendor) values:
  • Dropbox
  • Box
  • Google Drive
  • Microsoft OneDrive
  • SugarSync
  • Hightail
  • Evernote
  • Microsoft Exchange Online
  • Microsoft SharePoint Online
  • Unknown
  • N/A

reason (critical threat type) values:
  • A: Known Advanced Persistent Threat (APT)
  • B: Social engineering attack
  • C: Vulnerability attack
  • D: Lateral movement
  • E: Unknown threats
  • F: C&C callback
  • G: Ransomware
Log sample (one syslog line, shown unwrapped):
CEF:0|Trend Micro|Apex Central|2019|VAD|VAN_RANSOMWARE.umxxhelloransom_abc|3|deviceExternalId=2 rt=Mar 22 2018 08:23:23 GMT+00:00 deviceFacility=Apex One dvchost=OSCE01 dhost=Isolate-ClientA dst=0.0.0.0 app=1 sourceServiceName=Test1@trend.com.tw destinationServiceName=Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com sproc=VA fileHash=3395856CE81F2B7382DEE72602F798B642F14140 fname=C:\\\\QA_Log.zip request=http://127.1.1.1 cs1Label=Security_Threat cs1=VAN_RANSOMWARE.umxxhelloransom_abc cn1Label=Risk_Level cn1=0 cs2Label=Threat_Categories cs2=Anti-security, self-preservation cs3Label=Cloud_Service_Vendor cs3=Google Drive reason=E deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=OSCEClient TMCMLogDetectedIP=0.0.0.0 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1
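As an added example (not Trend Micro code, and not part of the original page), the following parser splits a VAD record into its seven header fields and its extension, resolves the csNLabel/csN pairs, decodes cn1 and reason with the tables above, parses the text-form rt timestamp, and applies a simple triage rule. The first sample is the page's own log line joined back onto one line (with sourceServiceName written with its `=`); SAMPLE_HIGH, its host name, hash and the VAN_TEST event name are constructed for the example. The function and class names are the example's own.

```python
# Added example for this page (not Trend Micro code): parse an Apex Central
# Sandbox Detection (VAD) CEF record and decode its coded fields. Code tables are
# transcribed from the field descriptions above; SAMPLE_HIGH is constructed.
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

RISK_LEVEL = {0: "No risk", 1: "Low risk", 2: "Medium risk", 3: "High risk", 9999: "Unknown"}
CRITICAL_THREAT_TYPE = {"A": "Known Advanced Persistent Threat (APT)", "B": "Social engineering attack",
                        "C": "Vulnerability attack", "D": "Lateral movement", "E": "Unknown threats",
                        "F": "C&C callback", "G": "Ransomware"}
HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "event_class_id", "name", "severity")
# A key starts a new extension pair only at the start of the extension or after whitespace,
# because values themselves contain spaces (rt, cs2, TMCMdevicePlatform).
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def _unescape_ext(raw: str) -> str:
    # Undo CEF extension escaping (backslash before '=', backslash, n, r); other escapes stay verbatim.
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(_EXT_ESCAPES.get(raw[i + 1], raw[i:i + 2]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_cef(line: str):
    """Return (header dict, extension dict) for one CEF record."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, cur, i = [], [], len("CEF:")
    # Header: exactly seven '|'-delimited fields; a backslash escapes the next character.
    # Stop after the seventh pipe because the extension may contain unescaped pipes.
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 fields")
    ext_text, ext = line[i:].rstrip("\r\n"), {}
    keys = list(_KEY_RE.finditer(ext_text))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = _unescape_ext(ext_text[m.end():end])
    return dict(zip(HEADER_FIELDS, fields)), ext


@dataclass
class VadDetection:
    endpoint: str
    detected_ip: str
    event_time: Optional[datetime]
    threat_name: str
    risk_level: int
    risk_text: str
    threat_type: str
    sha1: str
    labelled: dict  # csNLabel/cnNLabel names mapped to their csN/cnN values


def decode_vad(line: str) -> VadDetection:
    header, ext = parse_cef(line)
    if header["event_class_id"] != "VAD":
        raise ValueError("not a Sandbox Detection record: " + header["event_class_id"])
    try:  # rt is UTC but in text form, not epoch milliseconds
        when = datetime.strptime(ext["rt"], "%b %d %Y %H:%M:%S GMT%z")
    except (KeyError, ValueError):
        when = None
    labelled = {v: ext[k[:-5]] for k, v in ext.items() if k.endswith("Label") and k[:-5] in ext}
    risk = int(ext["cn1"]) if ext.get("cn1", "").isdigit() else 9999
    return VadDetection(endpoint=ext.get("dhost", ""),
                        detected_ip=ext.get("TMCMLogDetectedIP") or ext.get("dst", ""),
                        event_time=when, threat_name=ext.get("cs1") or header["name"],
                        risk_level=risk, risk_text=RISK_LEVEL.get(risk, "Unknown"),
                        threat_type=CRITICAL_THREAT_TYPE.get(ext.get("reason", ""), "Unknown"),
                        sha1=ext.get("fileHash", "").upper(), labelled=labelled)


def needs_escalation(det: VadDetection) -> bool:
    # Every VAD record carries CEF severity 3, so triage has to key off cn1 and reason instead.
    return det.risk_level == 3 or det.threat_type in (
        "Known Advanced Persistent Threat (APT)", "Lateral movement", "Ransomware")


# The page's own log sample, on one line (sourceServiceName written with its '=').
SAMPLE_VAD = (
    r"CEF:0|Trend Micro|Apex Central|2019|VAD|VAN_RANSOMWARE.umxxhelloransom_abc|3|"
    r"deviceExternalId=2 rt=Mar 22 2018 08:23:23 GMT+00:00 deviceFacility=Apex One dvchost=OSCE01 "
    r"dhost=Isolate-ClientA dst=0.0.0.0 app=1 sourceServiceName=Test1@trend.com.tw "
    r"destinationServiceName=Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com sproc=VA "
    r"fileHash=3395856CE81F2B7382DEE72602F798B642F14140 fname=C:\\\\QA_Log.zip request=http://127.1.1.1 "
    r"cs1Label=Security_Threat cs1=VAN_RANSOMWARE.umxxhelloransom_abc cn1Label=Risk_Level cn1=0 "
    r"cs2Label=Threat_Categories cs2=Anti-security, self-preservation cs3Label=Cloud_Service_Vendor "
    r"cs3=Google Drive reason=E deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=OSCEClient "
    r"TMCMLogDetectedIP=0.0.0.0 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 "
    r"TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1")
# Constructed record (not from the page): high risk, ransomware code, an escaped pipe in the
# event name and an escaped '=' in the file name, to exercise the unescaping paths.
SAMPLE_HIGH = (
    r"CEF:0|Trend Micro|Apex Central|2019|VAD|VAN_TEST.sample\|variant|3|"
    r"dhost=WS-042 dst=10.0.17.6 fileHash=d6712cae5ec821f910e14945153ae7871aa536ca "
    r"fname=C:\\tmp\\a\=b.exe cn1Label=Risk_Level cn1=3 reason=G TMCMLogDetectedIP=10.0.17.6")

if __name__ == "__main__":
    for rec in (SAMPLE_VAD, SAMPLE_HIGH):
        d = decode_vad(rec)
        print(f"{d.endpoint:16} {d.threat_name:36} {d.risk_text:12} {d.threat_type:24} "
              f"escalate={needs_escalation(d)}")
```

The page's own sample is a useful caveat for detection engineering: the threat name is VAN_RANSOMWARE.*, yet cn1 is 0 and reason is E (unknown), so a rule keyed only on the documented risk and threat-type codes stays silent on it, and a team that wants to page on the name prefix has to add that match itself. The header split must stop after the seventh pipe rather than splitting the whole line, and extension values must be cut at the next `key=` boundary rather than at spaces, or the rt, cs2 and TMCMdevicePlatform values fall apart.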