| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Product vendor | TrendAI™ |
| Header (pname) | Product name | Apex Central |
| Header (pver) | Product version | 2019 |
| Header (eventid) | Event ID | Log |
| Header (eventName) | Log name | Intrusion Prevention |
| Header (severity) | Severity | 3 |
| dvchost | Display name of the managed endpoint | Example: localhost |
| rt | Event trigger time in UTC | Example: Mar 22 2018 08:23:23 GMT+00:00 |
| src | Source IPv4 address | Example: "10.1.152.12" |
| c6a2Label | Corresponding label for the "c6a2" field | SLF_SourceIPv6 |
| c6a2 | Source IPv6 address | Example: "2001:b011:1004:325b:8db7:6ca9:8fc5:321a" |
| smac | Source MAC address | Example: "18:31:BF:4F:30:DD" |
| spt | Source port | Example: "60886" |
| dst | Destination IPv4 address | Example: "10.1.153.151" |
| c6a3Label | Corresponding label for the "c6a3" field | SLF_DestinationIPv6 |
| c6a3 | Destination IPv6 address | Example: "2001:b011:1004:325b:8db7:6ca9:8fc5:654a" |
| dmac | Destination host MAC address | Example: "D0:17:C2:95:ED:71" |
| dpt | Destination port | Example: "139" |
| cn2Label | Corresponding label for the "cn2" field | Mode |
| cn2 | Indicates whether the system is in "detection only" mode | Example: "0" (0 or NULL = No; 1 = Yes) |
| act | Action | Example: "LOG". SLF_ACTION maps: 0 = UNKNOWN; 3 = DELETE; 6 = LOG; 10 = INSERT/REPLACE; 13 = BLOCK; 257 = RESET |
| deviceDirection | Incoming or outgoing direction | Example: "Apex One" |
| cn3Label | Corresponding label for the "cn3" field | Priority |
| cn3 | Weighted priority of the incident | Example: "3". Calculated from Severity x Asset Value |
| cn4Label | Corresponding label for the "cn4" field | Severity |
| cn4 | The system-defined incident severity value | Example: "1" (1 = LOW; 2 = MEDIUM; 3 = HIGH; 4 = CRITICAL) |
| proto | The network protocol being exploited | Example: "10009" (28 = ICMP; 46 = ICMPv6; 10003 = TCP; 10004 = UDP; 10005 = IGMP; 10006 = GGP; 10007 = PUP; 10008 = IDP; 10009 = ND; 10010 = RAW) |
| cs2Label | Corresponding label for the "cs2" field | Application_Type |
| cs2 | The network application name | Example: "DCERPC Services" |
| cn1Label | Corresponding label for the "cn1" field | Rule |
| cn1 | The ID of the inspection rule | Example: "1005448" |
| cs1Label | Corresponding label for the "cs1" field | Reason/Rule |
| cs1 | The string literal of the rule ID and description | Example: "1005448 - SMB Null Session Detected - 1" |
| cnt | Aggregated count | Example: "1" |
| deviceFacility | Product | Example: "Apex One" |
| deviceNtDomain | Active Directory domain | Example: APEXTMCM |
| dntdom | Apex One domain hierarchy | Example: OSCEDomain1 |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3 |
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 |
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |
| TMCMdevicePlatform | Endpoint operating system | Example: Windows 7 6.1 (Build 7601) Service Pack 1 |
Log sample:

```
CEF:0|TrendAI™|Apex Central|2019|Log|Intrusion Prevention|3|rt=Apr 20 2020 03:33:20 GMT+00:00 dvchost=OSCEClient23 deviceFacility=Apex One act=Log,src=10.1.1.9 dst=80.1.1.9 smac=54-BF-64-84-7F-09 spt=89 dmac=54-BF-64-84-7F-19 dpt=449 cn2Label=Mode cn2=0 deviceDirection=Inbound cn3Label=Priority cn3=1 cn4Label=Severity cn4=1 proto=10009 cs2Label=Application_Type cs2=N/A cn1Label=Rule cn1=1009549 cs1Label=Reason/Rule cs1=1009549 - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1015,T1043,T1076,T1048,T1032,T1071) cnt=1 deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 deviceFacility=Apex One TMCMLogDetectedHost=shost1 TMCMLogDetectedIP=10.1.1.9 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1
```
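The following Python parser is an added example, not code from this reference or from the product: it splits the seven header fields, splits the extension on key boundaries so values containing spaces (rt, cs1, TMCMdevicePlatform) survive, resolves the cnN/csN fields through their Label keys, and translates the proto, severity and action codes with the tables above. The function names are the example's own; the input is the log sample re-typed on one line, assuming the comma printed after act=Log is a typesetting slip and replacing it with the space CEF uses between extension fields.

```python
import re
# Constructed input: this page's Intrusion Prevention log sample re-typed on one line; the comma
# the page prints after "act=Log" is assumed to be a typesetting slip and replaced by a space.
SAMPLE = (
    "CEF:0|TrendAI™|Apex Central|2019|Log|Intrusion Prevention|3|rt=Apr 20 2020 03:33:20 GMT+00:00 "
    "dvchost=OSCEClient23 deviceFacility=Apex One act=Log src=10.1.1.9 dst=80.1.1.9 smac=54-BF-64-84-7F-09 "
    "spt=89 dmac=54-BF-64-84-7F-19 dpt=449 cn2Label=Mode cn2=0 deviceDirection=Inbound cn3Label=Priority "
    "cn3=1 cn4Label=Severity cn4=1 proto=10009 cs2Label=Application_Type cs2=N/A cn1Label=Rule cn1=1009549 "
    "cs1Label=Reason/Rule cs1=1009549 - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1015,"
    "T1043,T1076,T1048,T1032,T1071) cnt=1 deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 deviceFacility=Apex One "
    "TMCMLogDetectedHost=shost1 TMCMLogDetectedIP=10.1.1.9 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 "
    "TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1"
)
HEADER = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
# Code tables copied from the field reference above.
PROTO = {28: "ICMP", 46: "ICMPv6", 10003: "TCP", 10004: "UDP", 10005: "IGMP",
         10006: "GGP", 10007: "PUP", 10008: "IDP", 10009: "ND", 10010: "RAW"}
SEVERITY = {1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}
ACTION = {0: "UNKNOWN", 3: "DELETE", 6: "LOG", 10: "INSERT/REPLACE", 13: "BLOCK", 257: "RESET"}

def parse_cef(line):
    """Split a CEF record into its seven header fields and a dict of extension key=value pairs."""
    # Header fields are '|'-separated; a '\|' escaped inside a field is not a separator, and
    # maxsplit=7 keeps any '|' inside the extension intact.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER, parts[:7])}
    # Extension values may contain spaces, so a new key starts only where whitespace is
    # followed by a bare key name and '='; split on that boundary rather than on every space.
    ext = {}
    for tok in re.split(r"\s+(?=[A-Za-z0-9_]+=)", parts[7].strip()):
        k, v = tok.split("=", 1)
        ext[k] = v.replace("\\=", "=")
    return header, ext

def decode_custom(ext):
    """Resolve cnN/csN/c6aN fields through their *Label keys, e.g. cn2Label=Mode cn2=0 -> {"Mode": "0"}."""
    return {v: ext[k[:-5]] for k, v in ext.items() if k.endswith("Label") and k[:-5] in ext}

def code(table, value):
    """Map a numeric code string to its name; non-numeric or unknown values pass through unchanged."""
    return table.get(int(value), value) if value is not None and value.isdigit() else value

def summarize(line):
    """Flatten one record into the fields an analyst triages on."""
    header, ext = parse_cef(line)
    named = decode_custom(ext)
    return {"log": header["eventName"], "rule": named.get("Rule"), "priority": named.get("Priority"),
            "severity": code(SEVERITY, named.get("Severity")), "detection_only": named.get("Mode") == "1",
            "proto": code(PROTO, ext.get("proto")), "action": code(ACTION, ext.get("act")),
            "src": ext.get("src"), "dst": ext.get("dst"), "endpoint": ext.get("dvchost"),
            "attack_techniques": re.findall(r"T\d{4}", named.get("Reason/Rule", ""))}
```

Note that the sample's act value is the string "Log" rather than one of the numeric SLF_ACTION codes, so `code()` passes it through unchanged; a collector should accept both forms.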