CEF Suspicious File Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Apex Central |
| Header (pver) | Appliance version | 2019 |
| Header (eventid) | FH:Action | FH:Log |
| Header (eventName) | Name | Suspicious Files |
| Header (severity) | Severity | 3 |
| deviceExternalId | ID | Example: "1" |
| cat | Log type | Example: "1766" |
| deviceFacility | Product | Example: "Apex One" |
| cn1Label | Corresponding label for the "cn1" field | Example: "SLF_ProductVersion" |
| cn1 | Product version | Example: "11" |
| rt | Detection time | Example: "Nov 15 2017 02:47:21 GMT+00:00" |
| dst | Endpoint IPv4 address | Example: "10.201.86.151" |
| c6a3Label | Corresponding label for the "c6a3" field | Example: "Endpoint IPv6 Address" |
| c6a3 | Endpoint IPv6 address | Example: "2620:101:4003:7a0:fd4b:52ed:53bd:ae3d" |
| dhost | Endpoint host name | Example: "APEX-ONE-CLIENT-1" |
| cs2Label | Corresponding label for the "cs2" field | Example: "SLF_TrueFileType" |
| cs2 | File type | Example: "TEXT" |
| fileHash | File SHA-1 | Example: "D6712CAE5EC821F910E14945153AE7871AA536CA" |
| cs3Label | Corresponding label for the "cs3" field | Example: "SLF_FileSource" |
| cs3 | File path | Example: "C:\\Users\\Administrator\\Desktop\\BT-SHA1-SAMPLE\\BT-SHA1-SAMPLE\\017545113A434757C5F0F13095DBBF138BD76A40;0x36D572AE" |
| cn2Label | Corresponding label for the "cn2" field | Example: "SLF_SourceType" |
| cn2 | C&C list source | Example: "0" (0: Sandbox; 1: User-defined) |
| act | Action | Example: "Log" (1: Log; 2: Block; 3: Quarantine) |
| cn3Label | Corresponding label for the "cn3" field | Example: "SLF_ScanType" |
| cn3 | Scan type | Example: "1" (1: Scheduled scan; 2: Manual scan; 3: Scan now; 4: Real-time scan) |
| reason | Critical threat type | Example: "E" (A: Known Advanced Persistent Threat (APT); B: Social engineering attack; C: Vulnerability attack; D: Lateral movement; E: Unknown threats; F: C&C callback; G: Ransomware) |
| deviceNtDomain | Active Directory domain | Example: APEXTMCM |
| dntdom | Apex One domain hierarchy | Example: OSCEDomain1 |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3 |
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 |
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |

Log sample:

CEF:0|Trend Micro|Apex Central|2019|FH:Log|Suspicious Files|3|deviceExternalId=1 rt=Nov 15 2016 02:47:21 GMT+00:00 cat=1766 deviceFacility=Apex One cn1Label=SLF_ProductVersion cn1=11 dst=10.201.86.151 dhost=APEX-ONE-CLIENT-1 cs2Label=SLF_TrueFileType cs2=SLF_TrueFileType fileHash=D6712CAE5EC821F910E14945153AE7871AA536CA cs3Label=SLF_FileSource cs3=C:\\Users\\Administrator\\Desktop\\BT-SHA1-SAMPLE\\BT-SHA1-SAMPLE\\017545113A434757C5F0F13095DBBF138BD76A40;0x36D572AE cn2Label=SLF_SourceType cn2=0 act=Log cn3Label=SLF_ScanType cn3=1 reason=E deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=APEX-ONE-CLIENT-1 TMCMLogDetectedIP=10.201.86.151 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697
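To show how the field reference lines up with the log sample, the following is an added Python example (not Trend Micro code) that parses a CEF line into its seven header fields and its extension pairs, resolves the cnN/csN custom fields through their cnNLabel/csNLabel names, and decodes the coded values (cn2, cn3, act, reason) with the tables on this page. The SAMPLE string is constructed from the log sample above; the function and constant names are assumptions of this example.

```python
"""Parse an Apex Central CEF "Suspicious Files" event and decode its coded fields."""
import re
from typing import Any, Dict

# Constructed sample line, assembled from the log sample on this page. CEF keeps
# backslashes in extension values escaped as "\\", hence the doubled separators in cs3.
SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|FH:Log|Suspicious Files|3|"
    "deviceExternalId=1 rt=Nov 15 2016 02:47:21 GMT+00:00 cat=1766 "
    "deviceFacility=Apex One cn1Label=SLF_ProductVersion cn1=11 "
    "dst=10.201.86.151 dhost=APEX-ONE-CLIENT-1 cs2Label=SLF_TrueFileType "
    "cs2=SLF_TrueFileType fileHash=D6712CAE5EC821F910E14945153AE7871AA536CA "
    "cs3Label=SLF_FileSource "
    r"cs3=C:\\Users\\Administrator\\Desktop\\BT-SHA1-SAMPLE\\BT-SHA1-SAMPLE\\"
    "017545113A434757C5F0F13095DBBF138BD76A40;0x36D572AE "
    "cn2Label=SLF_SourceType cn2=0 act=Log cn3Label=SLF_ScanType cn3=1 "
    "reason=E deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 "
    "TMCMLogDetectedHost=APEX-ONE-CLIENT-1 TMCMLogDetectedIP=10.201.86.151 "
    "ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697"
)

# Code tables taken from the field reference on this page.
SOURCE_TYPE = {"0": "Sandbox", "1": "User-defined"}
ACTION = {"1": "Log", "2": "Block", "3": "Quarantine"}
SCAN_TYPE = {"1": "Scheduled scan", "2": "Manual scan", "3": "Scan now", "4": "Real-time scan"}
THREAT_TYPE = {
    "A": "Known Advanced Persistent Threat (APT)", "B": "Social engineering attack",
    "C": "Vulnerability attack", "D": "Lateral movement", "E": "Unknown threats",
    "F": "C&C callback", "G": "Ransomware",
}

HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
_PIPE = re.compile(r"(?<!\\)\|")                    # header separator: a pipe not preceded by "\"
_EXT_KEY = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")   # extension key: at the start or after a space
_ESCAPE = re.compile(r"\\(.)")                       # CEF escapes: \\  \|  \=  \n  \r


def _unescape(value: str) -> str:
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> Dict[str, Any]:
    """Split one CEF line into its seven header fields and its extension key=value pairs."""
    parts = _PIPE.split(line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    event: Dict[str, Any] = dict(zip(HEADER_KEYS, (_unescape(p) for p in parts[:7])))
    ext = parts[7]
    keys = list(_EXT_KEY.finditer(ext))
    fields: Dict[str, str] = {}
    for i, m in enumerate(keys):
        # A value runs from after its "=" up to the space that precedes the next key,
        # so values containing spaces (rt, deviceFacility) survive intact.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end])
    event["ext"] = fields
    # Resolve custom fields (cnN/csN) through their cnNLabel/csNLabel names.
    event["labeled"] = {fields[k]: fields[k[:-5]] for k in fields
                        if k.endswith("Label") and k[:-5] in fields}
    return event


def valid_sha1(digest: str) -> bool:
    """fileHash should be 40 hex characters; anything else must not be fed to hash matching."""
    return re.fullmatch(r"[0-9A-Fa-f]{40}", digest) is not None


def summarize(line: str) -> Dict[str, Any]:
    """Reduce a Suspicious Files event to the decoded fields an analyst pivots on."""
    ev = parse_cef(line)
    ext, lab = ev["ext"], ev["labeled"]
    act = ext.get("act", "")
    sha1 = ext.get("fileHash", "")
    return {
        "host": ext.get("dhost", ""),
        "ip": ext.get("dst", ""),
        "sha1": sha1.lower() if valid_sha1(sha1) else None,
        "path": lab.get("SLF_FileSource", ext.get("cs3", "")),
        "source": SOURCE_TYPE.get(lab.get("SLF_SourceType", ""), "unknown"),
        "scan": SCAN_TYPE.get(lab.get("SLF_ScanType", ""), "unknown"),
        "threat": THREAT_TYPE.get(ext.get("reason", ""), "unknown"),
        # The page lists numeric codes for act, but the sample carries the name "Log",
        # so fall back to the raw value when it is not a known code.
        "action": ACTION.get(act, act),
        "event_id": ev["eventid"],
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(f"{k:>8}: {v}")
```

Two details matter when this feed drives detection content: the cs3 path arrives with CEF-escaped backslashes and must be unescaped before it is compared against path allow-lists, and fileHash should be length- and hex-checked before it is pushed into hash matching, since a truncated or empty value would otherwise silently never match.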