CEF Device Access Control Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Apex Central |
| Header (pver) | Appliance version | 2019 |
| Header (eventid) | Event ID | 700107 |
| Header (eventName) | Log name | Device Access Control |
| Header (severity) | Severity | 3 |
| rt | The log generation time in UTC | Example: "Feb 14 2017 11:14:08 GMT+00:00" |
| cs1Label | Corresponding label for the "cs1" field | "Product Entity/Endpoint" |
| cs1 | Server host name | Example: "Sample_Host" |
| shost | Source host name | Example: "shost1" |
| duser | User name | Example: "testserver\\administrator" |
| dvchost | Target host name | Example: "localhost" |
| cn1Label | Corresponding label for the "cn1" field | "Product" |
| cn1 | Product ID | Example: "Apex One". For more information, see Product ID Mapping Table. |
| sproc | Target process | Example: "C:\\Windows\\explorer.exe" |
| fname | File name | Example: "F:\\Autorun.inf" |
| cn2Label | Corresponding label for the "cn2" field | "Device_Type" |
| cn2 | Device type | Example: "0". 0: USB storage device; 1: Non-storage USB; 2: CD/DVD; 3: Floppy disks; 4: Network driver |
| cn3Label | Corresponding label for the "cn3" field | "Permission" |
| cn3 | Permission | Example: "3". 0: Modify; 1: Read and execute; 2: Read; 3: List device content only; 4: Block |
| deviceFacility | Product | Example: "Apex One" |
| deviceNtDomain | Active Directory domain | Example: APEXTMCM |
| dntdom | Apex One domain hierarchy | Example: OSCEDomain1 |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3 |
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 |
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |

Log sample:

CEF:0|Trend Micro|Apex Central|2019|700107|Device Access Control|3|rt=Aug 16 2017 04:49:15 GMT+00:00 cs1Label=Product_Entity/Endpoint cs1=Sample_Host shost=shost1 dvchost=localhost cn1Label=Product cn1=15 sproc=C:\\Windows\\explorer.exe fname=F:\\Autorun.inf cn2Label=Device_Type cn2=0 cn3Label=Permission cn3=3 deviceFacility=Apex One deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=shost1 TMCMLogDetectedIP=10.0.76.40 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697
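The following Python is an added example, not code from this Trend Micro page or from Apex Central. It parses a Device Access Control CEF line into its seven header fields and its extension key/value pairs, decodes cn2 and cn3 with the value mappings from the table above, and flags events whose permission is Block. Two details of the CEF format drive the design: header fields are separated by `|` with `\|` and `\\` as escapes, and extension values may contain unescaped spaces (rt and deviceFacility above), so a value runs until the next ` key=` rather than the next space. `SAMPLE` is the page's own log sample reassembled on one line; `SAMPLE_BLOCKED` is a constructed variant of it with cn3 changed to 4 so that the Block path is exercised, and the `summarize` format is this example's own choice.

```python
import re
from dataclasses import dataclass

# Value mappings taken from the field table above.
DEVICE_TYPES = {"0": "USB storage device", "1": "Non-storage USB", "2": "CD/DVD",
                "3": "Floppy disks", "4": "Network driver"}
PERMISSIONS = {"0": "Modify", "1": "Read and execute", "2": "Read",
               "3": "List device content only", "4": "Block"}

# The seven CEF header positions, in order.
HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

# One extension key=value pair. The value is matched lazily and runs until the
# next " key=" or the end of the line, because values such as rt contain spaces.
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

# The page's log sample, reassembled on one line (raw strings keep the CEF \\ escapes).
SAMPLE = (r"CEF:0|Trend Micro|Apex Central|2019|700107|Device Access Control|3|"
          r"rt=Aug 16 2017 04:49:15 GMT+00:00 cs1Label=Product_Entity/Endpoint cs1=Sample_Host "
          r"shost=shost1 dvchost=localhost cn1Label=Product cn1=15 sproc=C:\\Windows\\explorer.exe "
          r"fname=F:\\Autorun.inf cn2Label=Device_Type cn2=0 cn3Label=Permission cn3=3 "
          r"deviceFacility=Apex One deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 "
          r"TMCMLogDetectedHost=shost1 TMCMLogDetectedIP=10.0.76.40 ApexCentralHost=TW-CHRIS-W2019 "
          r"devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697")
# Constructed variant: same event with the permission changed to 4 (Block).
SAMPLE_BLOCKED = SAMPLE.replace("cn3=3", "cn3=4")


def _split_header(line):
    """Split the seven '|'-delimited header fields, honouring the CEF header
    escapes \\| and \\\\. Returns (fields, remaining extension string)."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_KEYS):
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # escaped character: keep the next char literally
            buf.append(line[i + 1])
            i += 2
        elif c == "|":                         # field terminator
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(fields) != len(HEADER_KEYS):
        raise ValueError("not a CEF line: fewer than 7 header fields")
    return fields, line[i:]


def _unescape_ext(value):
    """Decode the CEF extension escapes \\=, \\\\, \\n and \\r in a single pass."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


@dataclass
class DeviceAccessEvent:
    header: dict
    ext: dict

    @property
    def device_type(self):
        return DEVICE_TYPES.get(self.ext.get("cn2"), "unknown")

    @property
    def permission(self):
        return PERMISSIONS.get(self.ext.get("cn3"), "unknown")

    @property
    def blocked(self):
        return self.ext.get("cn3") == "4"


def parse_device_access_log(line):
    """Parse one line; rejects lines whose event ID is not 700107."""
    fields, ext_str = _split_header(line.rstrip("\r\n"))
    header = dict(zip(HEADER_KEYS, fields))
    if header["eventid"] != "700107":
        raise ValueError(f"not a Device Access Control event: eventid={header['eventid']}")
    ext = {k: _unescape_ext(v) for k, v in _EXT_PAIR.findall(ext_str)}
    return DeviceAccessEvent(header, ext)


def summarize(event):
    """One-line triage summary (format chosen for this example)."""
    e = event.ext
    verdict = "BLOCKED" if event.blocked else "allowed"
    return (f"{e.get('rt')} {verdict}: {e.get('duser', '<no duser>')} on {e.get('shost')} "
            f"accessed {e.get('fname')} on {event.device_type} via {e.get('sproc')}; "
            f"permission={event.permission}")


if __name__ == "__main__":
    for line in (SAMPLE, SAMPLE_BLOCKED):
        print(summarize(parse_device_access_log(line)))
```

Feeding the reassembled sample through `parse_device_access_log` yields `sproc` as `C:\Windows\explorer.exe` (the `\\` escape collapsed), `rt` as the full timestamp including its spaces, and cn2/cn3 decoded to "USB storage device" and "List device content only"; the constructed blocked variant is reported as BLOCKED. Note that duser is absent from the page's sample line, which the summary shows as `<no duser>` rather than failing.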