CEF Intrusion Prevention Logs
|
CEF Key |
Description |
Value |
|---|---|---|
|
Header (logVer) |
CEF format version |
CEF:0 |
|
Header (vendor) |
Product vendor |
Trend Micro |
|
Header (pname) |
Product name |
Apex Central |
|
Header (pver) |
Product version |
2019 |
|
Header (eventid) |
Event ID |
Log |
|
Header (eventName) |
Log name |
Intrusion Prevention |
|
Header (severity) |
Severity |
3 |
|
dvchost |
Display name of the managed endpoint |
Example: "localhost" |
|
rt |
Event trigger time in UTC |
Example: "Mar 22 2018 08:23:23 GMT+00:00" |
|
src |
Source IPv4 address |
Example: "10.1.152.12" |
|
c6a2Label |
Corresponding label for the "c6a2" field |
SLF_SourceIPv6 |
|
c6a2 |
Source IPv6 address |
"2001:b011:1004:325b:8db7:6ca9:8fc5:321a" |
|
smac |
Source MAC address |
Example: "18:31:BF:4F:30:DD" |
|
spt |
Source port |
Example: "60886" |
|
dst |
Destination IPv4 address |
Example: "10.1.153.151" |
|
c6a3Label |
Corresponding label for the "c6a3" field |
SLF_DestinationIPv6 |
|
c6a3 |
Destination IPv6 address |
Example: "2001:b011:1004:325b:8db7:6ca9:8fc5:654a" |
|
dmac |
Destination host MAC address |
Example: "D0:17:C2:95:ED:71" |
|
dpt |
Destination port |
Example: "139" |
|
cn2Label |
Corresponding label for the "cn2" field |
Mode |
|
cn2 |
Indicates whether the system is in "detection only" mode |
Example: "0"
|
|
act |
Action |
Example: "LOG" SLF_ACTION maps:
|
|
deviceDirection |
Incoming or outgoing direction |
Example: "Apex One" |
|
cn3Label |
Corresponding label for the "cn3" field |
Priority |
|
cn3 |
Weighted priority of the incident |
Example: "3" Calculated from Severity x Asset Value |
|
cn4Label |
Corresponding label for the "cn4" field |
Severity |
|
cn4 |
The system defined incident severity value |
Example: "1"
|
|
proto |
The network protocol being exploited |
Example: "10009"
|
|
cs2Label |
Corresponding label for the "cs2" field |
Application_Type |
|
cs2 |
The network application name |
Example: "DCERPC Services" |
|
cn1Label |
Corresponding label for the "cn1" field |
Rule |
|
cn1 |
The ID of the inspection rule |
Example: "1005448" |
|
cs1Label |
Corresponding label for the "cs1" field |
Reason/Rule |
|
cs1 |
The string literal of the rule ID and description |
Example: "1005448 - SMB Null Session Detected - 1" |
|
cnt |
Aggregated count |
Example: "1" |
|
deviceFacility |
Product |
Example: "Apex One" |
|
deviceNtDomain |
Active Directory domain |
Example: APEXTMCM |
|
dntdom |
Apex One domain hierarchy |
Example: OSCEDomain1 |
|
TMCMLogDetectedHost |
Endpoint name where the log event occurred |
Example: MachineHostName |
|
TMCMLogDetectedIP |
IP address where the log event occurred |
Example: 10.1.2.3 |
|
ApexCentralHost |
Apex Central host name |
Example: TW-CHRIS-W2019 |
|
devicePayloadId |
Unique message GUID |
Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |
|
TMCMdevicePlatform |
Endpoint operating system |
Example: Windows 7 6.1 (Build 7601) Service Pack 1 |
Log sample:
CEF:0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3| rt=Apr 20 2020 03:33:20 GMT+00:00 dvchost=OSCEClient23 device Facility=Apex One act=Log,src=10.1.1.9 dst=80.1.1.9 smac=54-B F-64-84-7F-09 spt=89 dmac=54-BF-64-84-7F-19 dpt=449 cn2Label= Mode cn2=0 deviceDirection=Inbound cn3Label=Priority cn3=1 cn 4Label=Severity cn4=1 proto=10009 cs2Label=Application_Type c s2=N/A cn1Label=Rule cn1=1009549 cs1Label=Reason/Rule cs1=100 9549 - Detected Terminal Services (RDP) Server Traffic - 1 (A TT&CK T1015,T1043,T1076,T1048,T1032,T1071) cnt=1 deviceNtDoma in=APEXTMCM dntdom=OSCEDomain1 deviceFacility=Apex One TMCMLo gDetectedHost=shost1 TMCMLogDetectedIP=10.1.1.9 devicePayload Id=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=W indows 7 6.1 (Build 7601) Service Pack 1
