CEF Data Loss Prevention Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Apex Central |
| Header (pver) | Appliance version | 2019 |
| Header (eventid) | Event ID | 700106 |
| Header (eventName) | Log name | Data Loss Prevention |
| Header (severity) | Severity | 3 |
| cs1Label | Corresponding label for the "cs1" field | "Policy GUID" |
| cs1 | Policy GUID | Example: "FAF492CF-164C-4672-9A79-F1AB9CB288A3" |
| cn1Label | Corresponding label for the "cn1" field | "Product" |
| cn1 | Product type value | Example: "15" |
| rt | Log generation time in UTC | Example: "Feb 14 2017 11:14:08 GMT+00:00" |
| src | Source host IP address | Example: "10.0.57.160" |
| smac | Source host MAC address | Example: "74-27-00-0C-65-E7" |
| shost | Source host name | Example: "shost1" |
| cs4Label | Corresponding label for the "cs4" field | "Incident_Source_(AD_Account)" |
| cs4 | User name in violation | Example: "Trend" |
| suser | Email sender | Example: "sender@example.com" |
| request | URL accessed | Example: "https://example.com/api/content" |
| duser | Delimited list of recipients (described as comma-separated, but the example uses semicolons, so a parser should accept either delimiter) | Example: "user1@example.com;user2@example.com;" |
| msg | Subject | Example: "Sample,20171017" |
| filePath | File path (the key is case-sensitive and appears as filePath in the log sample) | Example: "D:\\Windows Live Mail\\Storage Folders\\Imported Fo e52\\Local Folders\\Sent Items\\Archive Aft de1\\Clients,Adv 22b\\" |
| fname | Trigger file name | Example: "2B43363A-000000A4.eml" |
| fsize | File size in bytes | Example: "3" |
| cs5Label | Corresponding label for the "cs5" field | "Rule" |
| cs5 | Rule name | Example: "SAMPLE RULE SET" |
| cs6Label | Corresponding label for the "cs6" field | "Template" |
| cs6 | Template name | Example: "Apex One policy" |
| cn3Label | Corresponding label for the "cn3" field | "Channel" |
| cn3 | Channel type; for the meaning of each value, see Channel Mapping Table | Example: "3" |
| cn2Label | Corresponding label for the "cn2" field | "Action" |
| cn2 | Action result; for the meaning of each value, see Action Result Mapping Table | Example: "4" |
| cs2Label | Corresponding label for the "cs2" field | "Policy" |
| cs2 | Policy name | Example: "OfficeScan" |
| cs3Label | Corresponding label for the "cs3" field | "Product_Entity/Endpoint" |
| cs3 | Endpoint host name | Example: "Sample_Host" |
| dvchost | Server host name | Example: "localhost" |
| deviceFacility | Product name | Example: "Apex One" |
| deviceNtDomain | Active Directory domain | Example: "APEXTMCM" |
| dntdom | Apex One domain hierarchy | Example: "OSCEDomain1" |
| externalId | Log ID of the event | Example: "101" |
| cfp1Label | Corresponding label for the "cfp1" field | "ForensicFileAvailable" |
| cfp1 | Indicates whether the forensic file can be downloaded | 0: the file cannot be downloaded; 1: the file can be downloaded |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: "MachineHostName" |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: "10.1.2.3" |
| ApexCentralHost | Apex Central host name | Example: "TW-CHRIS-W2019" |
| devicePayloadId | Unique message GUID | Example: "1C00290C0360-9CDE11EB-D4B8-F51F-C697" |

Log sample:

CEF:0|Trend Micro|Apex Central|2019|700106|Data Loss Prevention|3|cs3Label=Product_Entity/Endpoint cs3=Sample_Host dvchost=Sampledvchost cs2Label=Policy cs2=N/A cn1Label=Product cn1=15 rt=Oct 13 2017 02:54:04 GMT+00:00 src=10.0.9.34 smac=34-E6-D7-84-BC-7F shost=shost1 cs4Label=Incident_Source_(AD_Account) cs4=12467 filePath=D:\\2. DRIVER\\drivers WIN7\\Drivers\\DP_CardReader_14032.7z\\O2Micro\\FORCED\\6x86\\ fname=O2MDFvst.INF cs5Label=Rule cs5=SAMPLE RULE SET cs6Label=Template cs6=Apex One policy cn3Label=Channel cn3=0 cn2Label=Action cn2=4 deviceFacility=Apex One deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 externalId=101 cfp1Label=ForensicFileAvailable cfp1=0 dvchost=localhost TMCMLogDetectedHost=ApexOneClient01 TMCMLogDetectedIP=10.201.86.187 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697
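The following parser is an added example and is not Trend Micro code; it shows how a SIEM ingest step would take the log sample above apart. It applies the standard CEF escaping rules (a literal `|` in a header field is written `\|`; in the extension `\` is written `\\` and `=` is written `\=`, which is why the sample's filePath shows doubled backslashes), collects every extension key as a list so the sample's two `dvchost` values are both kept instead of one silently overwriting the other, and resolves the `csNLabel`/`cnNLabel`/`cfpNLabel` pairs so that downstream logic can refer to "Rule" or "Channel" rather than remembering which custom slot a field landed in. Channel and Action are returned as raw integers because their meanings live in the mapping tables referenced above, not on this page. The only input is the sample from this page, re-joined onto one line.

```python
"""Parse an Apex Central DLP CEF event and resolve its csN/cnN/cfpN labels."""
import re
from datetime import datetime

# Constructed input: the log sample from this page, re-joined onto one line.
# Backslashes in filePath are doubled because CEF escapes '\' as '\\'.
SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|700106|Data Loss Prevention|3|"
    "cs3Label=Product_Entity/Endpoint cs3=Sample_Host dvchost=Sampledvchost "
    "cs2Label=Policy cs2=N/A cn1Label=Product cn1=15 "
    "rt=Oct 13 2017 02:54:04 GMT+00:00 src=10.0.9.34 smac=34-E6-D7-84-BC-7F "
    "shost=shost1 cs4Label=Incident_Source_(AD_Account) cs4=12467 "
    "filePath=D:\\\\2. DRIVER\\\\drivers WIN7\\\\Drivers\\\\DP_CardReader_14032.7z"
    "\\\\O2Micro\\\\FORCED\\\\6x86\\\\ fname=O2MDFvst.INF "
    "cs5Label=Rule cs5=SAMPLE RULE SET cs6Label=Template cs6=Apex One policy "
    "cn3Label=Channel cn3=0 cn2Label=Action cn2=4 deviceFacility=Apex One "
    "deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 externalId=101 "
    "cfp1Label=ForensicFileAvailable cfp1=0 dvchost=localhost "
    "TMCMLogDetectedHost=ApexOneClient01 TMCMLogDetectedIP=10.201.86.187 "
    "ApexCentralHost=TW-CHRIS-W2019 "
    "devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697"
)

HEADER_NAMES = ("version", "vendor", "product", "product_version",
                "event_id", "event_name", "severity")
# An extension key is a run of [A-Za-z0-9_] at the start of the extension or
# after whitespace, directly followed by '='. An escaped '\=' inside a value
# never matches because the character before that '=' is a backslash.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
# CEF escape sequences: backslash followed by the escaped character.
ESCAPE_RE = re.compile(r"\\(.)", re.S)
LABEL_RE = re.compile(r"^(cs|cn|cfp)(\d+)Label$")


def unescape(value):
    """Undo CEF escaping: '\\\\', '\\=', '\\|' become the bare character; '\\n'/'\\r' become CR/LF."""
    return ESCAPE_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Return (header, fields). fields maps key -> list of values in order of
    appearance, so duplicate keys (dvchost in the sample) are preserved."""
    parts = re.split(r"(?<!\\)\|", line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = {name: unescape(v) for name, v in zip(HEADER_NAMES, parts[:7])}
    header["severity"] = int(header["severity"])
    ext = parts[7]
    fields = {}
    keys = list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields.setdefault(m.group(1), []).append(unescape(ext[m.end():end]))
    return header, fields


def resolve_labels(fields):
    """Map each csN/cnN/cfpN slot onto the name given by its matching Label key,
    e.g. cs5Label=Rule cs5=SAMPLE RULE SET -> {'Rule': 'SAMPLE RULE SET'}."""
    named = {}
    for key, values in fields.items():
        m = LABEL_RE.match(key)
        if m:
            slot = m.group(1) + m.group(2)
            if slot in fields:
                named[values[-1]] = fields[slot][-1]
    return named


def parse_rt(value):
    """rt on this page looks like 'Oct 13 2017 02:54:04 GMT+00:00'."""
    return datetime.strptime(value, "%b %d %Y %H:%M:%S GMT%z")


def normalize(line):
    """Flatten one DLP event into the fields an analyst pivots on."""
    header, fields = parse_cef(line)
    named = resolve_labels(fields)

    def last(key):  # last occurrence wins for scalar use; lists are kept in `fields`
        return fields[key][-1] if key in fields else None

    return {
        "event_id": header["event_id"],
        "severity": header["severity"],
        "time": parse_rt(last("rt")) if last("rt") else None,
        "src_ip": last("src"),
        "endpoint": named.get("Product_Entity/Endpoint"),
        "user": named.get("Incident_Source_(AD_Account)"),
        "rule": named.get("Rule"),
        "template": named.get("Template"),
        "policy": named.get("Policy"),
        "channel": int(named["Channel"]) if "Channel" in named else None,
        "action": int(named["Action"]) if "Action" in named else None,
        "file": (last("filePath") or "") + (last("fname") or ""),
        "forensic_file_available": named.get("ForensicFileAvailable") == "1",
        "dvchost_values": fields.get("dvchost", []),
        "payload_id": last("devicePayloadId"),
    }


if __name__ == "__main__":
    for key, value in normalize(SAMPLE).items():
        print(f"{key}: {value!r}")
```

The header is split on unescaped pipes with `maxsplit=7`, so a pipe anywhere in the extension is left alone, and the extension is cut at key positions rather than at spaces, which is what keeps values such as `SAMPLE RULE SET` and `Oct 13 2017 02:54:04 GMT+00:00` intact. When you feed real events through this, check `dvchost_values` for length greater than one before trusting it as the reporting server, since the vendor's own sample emits the key twice.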