Understand the content mapping between Internet Access log output and CEF syslog format.

CEF Internet Access On-Premises Gateway logs

| CEF key | Description | Type | Value |
|---|---|---|---|
| Header (logVer) | CEF format version | String | CEF:0 |
| Header (vendor) | Appliance product vendor | String | Trend Micro |
| Header (pname) | Product name | String | Zero Trust Secure Access - Internet Access |
| Header (pver) | Appliance version | String | Example: 1.0.0.2000 |
| Header (eventid) | Unique identifier per event type | String | Example: 100000 |
| Header (eventName) | Category of the event | String | Activity Log |
| Header (severity) | Risk level | Integer | 0: act=allow/analyze; 1: act=monitor/warn/override; 2: act=block |
| rt | UTC timestamp of log generation | Timestamp | Example: Jul 05 2018 07:54:15 +0000 |
| act | Action taken for the violation | String | allow; monitor; block; warn; override; analyze |
| app | Application protocol | String | Example: HTTP |
| cat | URL category | String | Example: Search Engines/Portals |
| customerExternalId | Company ID | String | Example: 7800fcab-7611-416c-9ab4-721b7bd6b076 |
| suser | User Principal Name | String | Example: user_name@example.com |
| devicePayloadId | GUID of this event log | String | Example: aabb2233-a1b1-41dc-9abc-3f45ab290b0a |
| deviceExternalId | GUID of the endpoint with the Secure Access Module installed | String | Example: 66f0cb71-4150-4437-ba8b-91151bb12345 |
| shost | Hostname of the endpoint with the Secure Access Module installed | String | Example: my laptop |
| dvchost | Hostname of the on-premises gateway serving the request | String | Example: US_Office_on_premise_GW |
| dst | Destination IP address of a request | String | Example: 54.231.184.240 |
| src | Source IP address of a request | String | Example: 10.204.214.188 |
| out | Size of a request | Integer | Unit: bytes. Example: 501 |
| in | Size of a response | Integer | Unit: bytes. Example: 220529 |
| dproc | Application name | String | Example: Google |
| destinationServiceName | App and action name for granular access control | String | Example: OneDrive download file |
| cn1 | Malware type | Integer | 1: Virus; 2: Spyware; 3: Joke; 4: Trojan; 5: Test_Virus; 6: Packer; 7: Generic; 8: Other; 9: Botnet |
| cn1Label | Corresponding label for the "cn1" field | String | malwareType |
| cn2 | Web Reputation Services score | Integer | Example: 81 |
| cn2Label | Corresponding label for the "cn2" field | String | wrsScore |
| cn3 | Detection type | Integer | 0: No matched Zero Trust Secure Access rule; 1: Missing or invalid client certificate; 2: Untrusted server certificate; 3: Zero Trust Secure Access; 4: HTTPS inspection exception; 5: HTTPS inspection failure; 6: HTTPS bypass at inspection failure; 9: Approved URLs; 10: Blocked URLs; 15: Private IP address access; 20: Web Reputation; 21: URL Filtering; 30: Restricted file type; 33: Restricted MIME type; 34: Restricted file extension type; 40: Anti-malware scan; 41: File scan exception; 45: Predictive Machine Learning; 50: Botnet; 60: Application Control; 70: Virtual Analyzer submission; 90: Suspicious Object Blocked List; 100: Data Loss Prevention; 110: Ransomware; 120: Risk Control; 130: Non-compliant device |
| cn3label | Corresponding label for the "cn3" field | String | detectionType |
| cs1 | Malware name | String | Example: HEUR_OLEXP.B |
| cs1Label | Corresponding label for the "cs1" field | String | malwareName |
| cs2 | Policy name | String | Example: default |
| cs2Label | Corresponding label for the "cs2" field | String | policyName |
| cs3 | Profile name | String | Example: default |
| cs3Label | Corresponding label for the "cs3" field | String | profileName |
| cs4 | Data Loss Prevention template name | String | Example: HIPAA, PII |
| cs4Label | Corresponding label for the "cs4" field | String | dlpDetails |
| cs5 | File SHA-256 | String | Example: ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93 |
| cs5Label | Corresponding label for the "cs5" field | String | fileHashSha256 |
| cs6 | User group name | String | Example: R&D |
| cs6Label | Corresponding label for the "cs6" field | String | userGroupName |
| fname | File name | String | Example: example.doc |
| fileType | File type | String | Example: Microsoft Word |
| fsize | File size | Integer | Unit: bytes. Example: 12,345 |
| fileHash | File SHA-1 | String | Example: 3f21be4521b5278fb14b8f47afcabe08a17dc504 |
| dhost | Domain name of a request | String | Example: www.example.com |
| type | Indicates whether HTTPS inspection failed (applicable to HTTPS requests only) | Integer | 0: Successful; 1: Unsuccessful |
| requestClientApplication | User agent of a request | String | Example: Mozilla/5.0 |
| requestMethod | HTTP/HTTPS request method | String | Example: GET |
| requestContext | MIME type of a request payload | String | Example: text/html |
| reason | MIME type of a response payload | String | Example: text/html |
| outcome | Status or response code of a request | String | Example: 200 |
| proto | Network protocol for data transmission | String | Example: TCP |
| request | Full URL of a request | String | Example: https://www.example.com/page.html |
| suid | Authenticated user ID | String | Example: user@example.com |
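The following parser, added here as an example and not part of the Trend Micro documentation or product, turns one line in this mapping into a flat event: it splits the seven header fields on unescaped pipes, reads extension values that contain spaces (such as shost and cat), renames the cnN/csN fields through their *Label keys, decodes the malware type and detection type codes, and checks that the header severity agrees with act. The sample line is constructed from the example values in the table, and the function and constant names are the author's own.

```python
import re
# Constructed sample line laid out per the mapping above; it is not a captured gateway log.
SAMPLE = (
    "CEF:0|Trend Micro|Zero Trust Secure Access - Internet Access|1.0.0.2000|100000|Activity Log|2|"
    "rt=Jul 05 2018 07:54:15 +0000 act=block app=HTTPS cat=Search Engines/Portals shost=my laptop "
    "suser=user_name@example.com src=10.204.214.188 dst=54.231.184.240 out=501 in=220529 "
    "cn1=4 cn1Label=malwareType cn2=81 cn2Label=wrsScore cn3=40 cn3label=detectionType "
    "cs1=HEUR_OLEXP.B cs1Label=malwareName fname=example.doc fsize=12,345 "
    "request=https://www.example.com/page.html?q\\=cef outcome=200"
)
HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
MALWARE_TYPE = {1: "Virus", 2: "Spyware", 3: "Joke", 4: "Trojan", 5: "Test_Virus",
                6: "Packer", 7: "Generic", 8: "Other", 9: "Botnet"}
DETECTION_TYPE = {
    0: "No matched Zero Trust Secure Access rule", 1: "Missing or invalid client certificate",
    2: "Untrusted server certificate", 3: "Zero Trust Secure Access", 4: "HTTPS inspection exception",
    5: "HTTPS inspection failure", 6: "HTTPS bypass at inspection failure", 9: "Approved URLs",
    10: "Blocked URLs", 15: "Private IP address access", 20: "Web Reputation", 21: "URL Filtering",
    30: "Restricted file type", 33: "Restricted MIME type", 34: "Restricted file extension type",
    40: "Anti-malware scan", 41: "File scan exception", 45: "Predictive Machine Learning", 50: "Botnet",
    60: "Application Control", 70: "Virtual Analyzer submission", 90: "Suspicious Object Blocked List",
    100: "Data Loss Prevention", 110: "Ransomware", 120: "Risk Control", 130: "Non-compliant device"}
# Header severity the table pairs with each act value.
EXPECTED_SEVERITY = {"allow": 0, "analyze": 0, "monitor": 1, "warn": 1, "override": 1, "block": 2}
INT_FIELDS = ("severity", "out", "in", "fsize", "type", "malwareType", "wrsScore", "detectionType")
def parse_cef(line):
    # CEF escapes a literal pipe inside a header field as '\|', so split only on unescaped pipes.
    parts = [p.replace("\\|", "|") for p in re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)]
    header, ext = dict(zip(HEADER_KEYS, parts)), {}
    # Values may contain spaces (shost=my laptop): a value runs to the next " key=" boundary; '\=' is an escaped '='.
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7] if len(parts) > 7 else ""):
        ext[m.group(1)] = m.group(2).replace("\\=", "=").replace("\\\\", "\\")
    return header, ext
def normalize(line):
    header, ext = parse_cef(line)
    # Label keys are matched case-insensitively because the table lists cn3label with a lowercase l.
    labels = {k[:-5]: v for k, v in ext.items() if k.lower().endswith("label")}
    event = dict(header)
    for key, value in ext.items():
        if not key.lower().endswith("label"):
            event[labels.get(key, key)] = value
    for key in INT_FIELDS:  # fsize may be rendered with thousands separators (Example: 12,345)
        if key in event and event[key].replace(",", "").isdigit():
            event[key] = int(event[key].replace(",", ""))
    event["malwareTypeName"] = MALWARE_TYPE.get(event.get("malwareType"))
    event["detectionTypeName"] = DETECTION_TYPE.get(event.get("detectionType"))
    return event
def severity_consistent(event):
    # Ingestion sanity check: the header severity should agree with act per the mapping above.
    return EXPECTED_SEVERITY.get(event.get("act")) == event.get("severity")
```

A line whose severity disagrees with act, or whose cn3 code is absent from the table, is worth flagging at ingestion rather than silently indexing, since downstream rules keyed on detectionType will otherwise miss it.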