CEF Behavior Monitoring Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Product vendor | Trend Micro |
| Header (pname) | Product name | Apex Central |
| Header (pver) | Product version | 2019 |
| Header (eventid) | Behavior Monitoring policy ID | BM:1000 |
| Header (eventName) | Log name | Behavior Monitoring |
| Header (severity) | Severity | 3 |
| rt | Log generation time in UTC | Example: "Feb 14 2017 11:14:08 GMT+00:00" |
| dvchost | Host name | Example: "localhost" |
| cs2Label | Corresponding label for the "cs2" field | "Policy" |
| cs2 | Policy type | One of: Compromised executable file; New startup program; Host file modification; Program library injection; New Internet Explorer plugin; Internet Explorer setting modification; Shell modification; New service; Security policy modification; Firewall policy modification; System file modification; Duplicated system file; Layered service provider; System process modification; Suspicious behavior; Newly encountered programs; Unauthorized file encryption; Threat behavior analysis; User-defined policy |
| sproc | Target of the event | Example: "C:\\Windows\\SysWOW64\\rundll32.exe" |
| cs3Label | Corresponding label for the "cs3" field | "Event_Type" |
| cs3 | Event type | One of: Process; Process image; Registry; File system; Driver; SDT; System API; User Mode; Exploit; All |
| cs4Label | Corresponding label for the "cs4" field | "Operation" |
| cs4 | The operation to be performed by the target of the event | One of: Create Process; Open; Terminate; Delete; Write; Access; Create File; Close; Execute; Invoke; Exploit; Unhandled Operation |
| cs5Label | Corresponding label for the "cs5" field | "Risk_Level" |
| cs5 | Risk level | Example: "1" (0: Low; 1: High) |
| cs1Label | Corresponding label for the "cs1" field | "Target" |
| cs1 | Target host | Example: "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\COM+" |
| act | Translated action | One of: Allow; Ask; Deny; Terminate; Read Only; Read/Write Only; Read/Execute Only; Feedback; Clean; Unknown; Assess; Terminated. Files were recovered.; Terminated. Some files were not recovered.; Terminated. Files were not recovered.; Terminated. Restart result: Files were recovered.; Terminated: Restart result: Some files were not recovered.; Terminated: Restart result: Files were not recovered. |
| shost | Source host (endpoint) | Example: "shost1" |
| src | Source host IP address | Example: "10.0.147.105" |
| deviceFacility | Product | Example: "Apex One" |
| reason | Critical threat type | Example: "E" (A: Known Advanced Persistent Threat (APT); B: Social engineering attack; C: Vulnerability attack; D: Lateral movement; E: Unknown threats; F: C&C callback; G: Ransomware) |
| deviceNtDomain | Active Directory domain | Example: APEXTMCM |
| dntdom | Apex One domain hierarchy | Example: OSCEDomain1 |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3 |
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 |
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |

Log sample:

CEF:0|Trend Micro|Apex Central|2019|BM:1000|Behavior Monitoring|3|rt=Sep 20 2019 01:02:03 GMT+00:00 dvchost=localhost cs5Label=Risk_Level cs5=1 cs2Label=Policy cs2=Threat Behavior Analysis sproc=subject cs3Label=Event_Type cs3=File system cs1Label=Target cs1=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\COM+ act=Ask cs4Label=Operation cs4=Create Process shost=shost1 src=10.0.76.40 deviceFacility=Apex One reason=G deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=shost1 TMCMLogDetectedIP=10.0.76.40 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697
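The following Python parser is an added example, not code from Trend Micro or from this guide. It reads a Behavior Monitoring record like the log sample above according to the CEF grammar (seven pipe-delimited header fields, then space-delimited key=value pairs with backslash escapes), folds each csNLabel/csN pair into one named field (so cs1Label=Target and cs1=... become Target=...), decodes the Risk_Level and reason enumerations from the table, and flags High-risk events whose action did not stop the operation. The single-line sample, the BLOCKING_ACTIONS set and the needs_attention rule are assumptions made for this example.

```python
"""Parse Apex Central Behavior Monitoring CEF records and build a triage view.
Added example, not Trend Micro code. CEF = seven pipe-delimited header fields
(escapes \\| and \\\\) then a space-delimited key=value extension (\\=, \\\\, \\n, \\r)."""
import re

# Constructed sample: the page's log sample re-joined onto one line (cs1 keeps CEF's doubled backslashes).
SAMPLE_LOG = (
    "CEF:0|Trend Micro|Apex Central|2019|BM:1000|Behavior Monitoring|3|"
    "rt=Sep 20 2019 01:02:03 GMT+00:00 dvchost=localhost cs5Label=Risk_Level cs5=1 "
    "cs2Label=Policy cs2=Threat Behavior Analysis sproc=subject cs3Label=Event_Type "
    "cs3=File system cs1Label=Target "
    "cs1=HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\COM+ "
    "act=Ask cs4Label=Operation cs4=Create Process shost=shost1 src=10.0.76.40 "
    "deviceFacility=Apex One reason=G deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 "
    "TMCMLogDetectedHost=shost1 TMCMLogDetectedIP=10.0.76.40 "
    "ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697"
)

# Enumerations copied from the field table above.
CRITICAL_THREAT_TYPES = {
    "A": "Known Advanced Persistent Threat (APT)", "B": "Social engineering attack",
    "C": "Vulnerability attack", "D": "Lateral movement", "E": "Unknown threats",
    "F": "C&C callback", "G": "Ransomware",
}
RISK_LEVELS = {"0": "Low", "1": "High"}
# Assumption for the triage rule: these 'act' values (plus any value starting with
# "Terminated") mean the operation was stopped; any other action on a High-risk event deserves review.
BLOCKING_ACTIONS = {"Deny", "Terminate", "Clean"}

_HEADER_NAMES = ("version", "vendor", "product", "product_version", "signature_id", "name", "severity")
# A key starts at the beginning or after whitespace and ends at an unescaped '=' ('\=' never matches).
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_EXT_ESCAPES = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}


def _split_header(line: str) -> tuple[list[str], str]:
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1])  # escaped pipe or backslash inside a header field
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 pipe-delimited fields")
    return fields, line[i:]  # the remainder is the extension


def parse_extension(ext: str) -> dict[str, str]:
    """Split 'k=v k2=v v v' into a dict; a value runs until the next key."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\([\\=nr])", lambda e: _EXT_ESCAPES[e.group(1)], raw)
    return out


def resolve_labels(ext: dict[str, str]) -> dict[str, str]:
    """Rename csN/cnN by their csNLabel sibling (cs1Label=Target, cs1=X -> Target=X)."""
    fields = dict(ext)
    for key, label in ext.items():
        base = key[:-len("Label")]
        if key.endswith("Label") and base in ext:
            fields[label] = ext[base]
            fields.pop(key, None)
            fields.pop(base, None)
    return fields


def parse_cef(line: str) -> dict:
    header, ext = _split_header(line.rstrip("\r\n"))
    if not header[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    hdr = dict(zip(_HEADER_NAMES, header))
    hdr["version"] = header[0][len("CEF:"):]
    hdr["severity"] = int(hdr["severity"])
    extension = parse_extension(ext)
    return {"header": hdr, "extension": extension, "fields": resolve_labels(extension)}


def triage(event: dict) -> dict:
    """Flatten one Behavior Monitoring event into what an analyst looks at first."""
    f = event["fields"]
    act = f.get("act", "")
    risk = RISK_LEVELS.get(f.get("Risk_Level", ""), "Unknown")
    blocked = act in BLOCKING_ACTIONS or act.startswith("Terminated")
    return {
        "endpoint": f.get("shost"), "endpoint_ip": f.get("src"),
        "policy": f.get("Policy"), "event_type": f.get("Event_Type"),
        "operation": f.get("Operation"), "process": f.get("sproc"),
        "target": f.get("Target"), "action": act, "risk_level": risk,
        "critical_threat_type": CRITICAL_THREAT_TYPES.get(f.get("reason", ""), "Unknown"),
        "needs_attention": risk == "High" and not blocked,
    }


if __name__ == "__main__":
    for k, v in triage(parse_cef(SAMPLE_LOG)).items():
        print(f"{k:22} {v}")
```

Run on the sample, the parser yields Target=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\COM+ (the doubled backslashes are CEF escaping, not part of the registry path), critical_threat_type=Ransomware and needs_attention=True, because act=Ask means the Threat Behavior Analysis policy only prompted and the High-risk registry Run-key write was not blocked. The extension scanner relies on CEF's rule that a literal '=' inside a value must be escaped as '\=', so an unescaped 'key=' after whitespace always starts a new field; values containing spaces, such as "Threat Behavior Analysis" or the timestamp, are kept whole.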