CEF Attack Discovery Detection Logs

Note:

If one Attack Discovery detection log relates to more than 4 objects, Apex Central only forwards the first 4 objects.

CEF Key

Description

Value

Header (logVer)

CEF format version

CEF:0

Header (vendor)

Appliance vendor

Trend Micro

Header (pname)

Appliance product

Apex Central

Header (pver)

Appliance version

2019

Header (eventid)

Event ID

700220

Header (eventName)

Log name

Attack Discovery Detections

Header (severity)

Severity

3

deviceExternalId

ID

Example: "38"

rt

Log generation time in UTC

Example: "Mar 22 2018 08:23:23 GMT+00:00"

dhost

Endpoint host name

Example: "ApexOneClient01"

dst

Client IPv4 address

Example: "10.0.8.20"

C6a3

Client IPv6 address

Example: "fd96:7521:9502:6:b5b0:b2b5:4173:3f5d"

duser

User name

Example: "Admin004"

customerExternalID

Instance ID

Example: "8c1e2d8f-a03b-47ea-aef8-5aeab99ea697"

cn1Label

Corresponding label for the "cn1" field

"SLF_RiskLevel"

cn1

Risk Level

Example: "0"

  • 0: Unknown

  • 100: Low risk

  • 500: Medium risk

  • 1000: High risk

cn2Label

Corresponding label for the "cn2" field

"SLF_PatternNumber"

cn2

Pattern Number

Example: "30.1012.00"

cs1Label

Corresponding label for the "cs1" field

"SLF_RuleID"

cs1

Rule ID

Example: "powershell invoke expression"

cat

Category ID

Example: "point of entry"

cs2Label

Corresponding label for the "cs2" field

"SLF_ADEObjectGroup_Info_1"

cs2

Attack Discovery object information

Example:

process - powershell.exe - {
 "META_FILE_MD5" : 
   "9393f60b1739074eb17c5f4ddd
    efe239",
 "META_FILE_NAME" : 
   "powershell.exe",
 "META_FILE_SHA1" : 
   "887ce4a295c163791b60fc23d2
    85e6d84f28ee4c",
 "META_FILE_SHA2" : 
   "de96a6e50044335375dc1ac238
    336066889d9ffc7d73628ef4fe
    1b1b160ab32c",
 "META_PATH" : 
    "c:\\windows\\system32\\wi
     ndowspowershell\\v1.0\\",
 "META_PROCESS_CMD" : 
  [ "powershell  cmd " ],
 "META_PROCESS_PID" : 7132,
 "META_SIGNER" : 
    "microsoft windows",
 "META_SIGNER_VALIDATION" : 
    true,
 "META_USER_USER_NAME" : 
    "Administrator",
 "META_USER_USER_SERVERNAME" : 
    "Host",
 "OID" : 1
}

cs3Label

Corresponding label for the "cs3" field

"SLF_ADEObjectGroup_Info_2"

cs3

Attack Discovery object information

Example:

process - powershell.exe - {
 "META_FILE_MD5" : 
   "9393f60b1739074eb17c5f4ddd
    efe239",
 "META_FILE_NAME" : 
   "powershell.exe",
 "META_FILE_SHA1" : 
   "887ce4a295c163791b60fc23d2
    85e6d84f28ee4c",
 "META_FILE_SHA2" : 
   "de96a6e50044335375dc1ac238
    336066889d9ffc7d73628ef4fe
    1b1b160ab32c",
 "META_PATH" : 
    "c:\\windows\\system32\\wi
     ndowspowershell\\v1.0\\",
 "META_PROCESS_CMD" : 
  [ "powershell  cmd " ],
 "META_PROCESS_PID" : 7132,
 "META_SIGNER" : 
    "microsoft windows",
 "META_SIGNER_VALIDATION" : 
    true,
 "META_USER_USER_NAME" : 
    "Administrator",
 "META_USER_USER_SERVERNAME" : 
    "Host",
 "OID" : 1
}

cs4Label

Corresponding label for the "cs4" field

"SLF_ADEObjectGroup_Info_3"

cs4

Attack Discovery object information

Example:

process - powershell.exe - {
 "META_FILE_MD5" : 
   "9393f60b1739074eb17c5f4ddd
    efe239",
 "META_FILE_NAME" : 
   "powershell.exe",
 "META_FILE_SHA1" : 
   "887ce4a295c163791b60fc23d2
    85e6d84f28ee4c",
 "META_FILE_SHA2" : 
   "de96a6e50044335375dc1ac238
    336066889d9ffc7d73628ef4fe
    1b1b160ab32c",
 "META_PATH" : 
    "c:\\windows\\system32\\wi
     ndowspowershell\\v1.0\\",
 "META_PROCESS_CMD" : 
  [ "powershell  cmd " ],
 "META_PROCESS_PID" : 7132,
 "META_SIGNER" : 
    "microsoft windows",
 "META_SIGNER_VALIDATION" : 
    true,
 "META_USER_USER_NAME" : 
    "Administrator",
 "META_USER_USER_SERVERNAME" : 
    "Host",
 "OID" : 1
}

cs5Label

Corresponding label for the "cs5" field

"SLF_ADEObjectGroup_Info_4"

cs5

Attack Discovery object information

Example:

process - powershell.exe - {
 "META_FILE_MD5" : 
   "9393f60b1739074eb17c5f4ddd
    efe239",
 "META_FILE_NAME" : 
   "powershell.exe",
 "META_FILE_SHA1" : 
   "887ce4a295c163791b60fc23d2
    85e6d84f28ee4c",
 "META_FILE_SHA2" : 
   "de96a6e50044335375dc1ac238
    336066889d9ffc7d73628ef4fe
    1b1b160ab32c",
 "META_PATH" : 
    "c:\\windows\\system32\\wi
     ndowspowershell\\v1.0\\",
 "META_PROCESS_CMD" : 
  [ "powershell  cmd " ],
 "META_PROCESS_PID" : 7132,
 "META_SIGNER" : 
    "microsoft windows",
 "META_SIGNER_VALIDATION" : 
    true,
 "META_USER_USER_NAME" : 
    "Administrator",
 "META_USER_USER_SERVERNAME" : 
    "Host",
 "OID" : 1
}

deviceNtDomain

Active Directory domain

Example: APEXTMCM

dntdom

Apex One domain hierarchy

Example: OSCEDomain1

TMCMLogDetectedHost

Endpoint name where the log event occurred

Example: MachineHostName

TMCMLogDetectedIP

IP address where the log event occurred

Example: 10.1.2.3

ApexCentralHost

Apex Central host name

Example: TW-CHRIS-W2019

devicePayloadId

Unique message GUID

Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697

Log sample:

CEF:0|Trend Micro|Apex Central|2019|700211|Attack Discovery 
Detections|3|deviceExternalId=5 rt=Jan 17 2019 03:38:06 GMT+
00:00 dhost=VCAC-Window-331 dst=10.201.86.150 customerExtern
alID=8c1e2d8f-a03b-47ea-aef8-5aeab99ea697 cn1Label=SLF_RiskL
evel cn1=0 cn2Label=SLF_PatternNumber cn2=30.1012.00 cs1Labe
l=SLF_RuleID cs1=powershell invoke expression cat=point of e
ntry cs2Label=SLF_ADEObjectGroup_Info_1 cs2=process - code9.
exe - {USER: administrator09} deviceNtDomain=APEXTMCM 
dntdom=OSCEDomain1 TMCMLogDetectedHost=VCAC-Window-331 
TMCMLogDetectedIP=10.201.86.150 ApexCentralHost=TW-CHRIS-W2019
devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697