CEF Intrusion Prevention Logs

| CEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Product vendor | Trend Micro |
| Header (pname) | Product name | Apex Central |
| Header (pver) | Product version | 2019 |
| Header (eventid) | Event ID | Log |
| Header (eventName) | Log name | Intrusion Prevention |
| Header (severity) | Severity | 3 |
| dvchost | Display name of the managed endpoint | Example: "localhost" |
| rt | Log generation time in UTC | Example: "Nov 15 2017 08:43:57 GMT +00:00" |
| src | Source IPv4 address | Example: "10.1.152.12" |
| c6a2Label | Corresponding label for the "c6a2" field | SLF_SourceIPv6 |
| c6a2 | Source IPv6 address | Example: "2001:b011:1004:325b:8db7:6ca9:8fc5:321a" |
| smac | Source MAC address | Example: "18:31:BF:4F:30:DD" |
| spt | Source port | Example: "60886" |
| dst | Destination IPv4 address | Example: "10.1.153.151" |
| c6a3Label | Corresponding label for the "c6a3" field | SLF_DestinationIPv6 |
| c6a3 | Destination IPv6 address | Example: "2001:b011:1004:325b:8db7:6ca9:8fc5:654a" |
| dmac | Destination host MAC address | Example: "D0:17:C2:95:ED:71" |
| dpt | Destination port | Example: "139" |
| cn2Label | Corresponding label for the "cn2" field | Mode |
| cn2 | Indicates whether the system is in "detection only" mode | Example: "0"; 0 or NULL = No, 1 = Yes |
| act | Action | Example: "LOG"; SLF_ACTION maps: 0 = UNKNOWN, 3 = DELETE, 6 = LOG, 10 = INSERT/REPLACE, 13 = BLOCK, 257 = RESET |
| deviceDirection | Incoming or outgoing direction | Example: "Apex One" |
| cn3Label | Corresponding label for the "cn3" field | Priority |
| cn3 | Weighted priority of the incident, calculated as Severity x Asset Value | Example: "3" |
| cn4Label | Corresponding label for the "cn4" field | Severity |
| cn4 | System-defined incident severity value | Example: "1"; 1 = LOW, 2 = MEDIUM, 3 = HIGH, 4 = CRITICAL |
| proto | Network protocol being exploited | Example: "10009"; 28 = ICMP, 46 = ICMPv6, 10003 = TCP, 10004 = UDP, 10005 = IGMP, 10006 = GGP, 10007 = PUP, 10008 = IDP, 10009 = ND, 10010 = RAW |
| cs2Label | Corresponding label for the "cs2" field | Application_Type |
| cs2 | Network application name | Example: "DCERPC Services" |
| cn1Label | Corresponding label for the "cn1" field | Rule |
| cn1 | ID of the inspection rule | Example: "1005448" |
| cs1Label | Corresponding label for the "cs1" field | Reason/Rule |
| cs1 | String literal of the rule ID and description | Example: "1005448 - SMB Null Session Detected - 1" |
| cnt | Aggregated count | Example: "1" |
| deviceFacility | Product | Example: "Apex One" |
| deviceNtDomain | Active Directory domain | Example: "APEXTMCM" |
| dntdom | Apex One domain hierarchy | Example: "OSCEDomain1" |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: "MachineHostName" |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: "10.1.2.3" |
| ApexCentralHost | Apex Central host name | Example: "TW-CHRIS-W2019" |
| devicePayloadId | Unique message GUID | Example: "1C00290C0360-9CDE11EB-D4B8-F51F-C697" |

Log sample:

CEF:0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|
rt=Apr 20 2020 03:33:20 GMT+00:00 dvchost=OSCEClient23 
deviceFacility=Apex One act=Log,src=10.1.1.9 dst=80.1.1.9 
smac=54-BF-64-84-7F-09 spt=89 dmac=54-BF-64-84-7F-19 
dpt=449 cn2Label=Mode cn2=0 deviceDirection=Inbound 
cn3Label=Priority cn3=1 cn4Label=Severity cn4=1 proto=10009 
cs2Label=Application_Type cs2=N/A cn1Label=Rule cn1=1009549 
cs1Label=Reason/Rule cs1=1009549 - Detected Terminal Services 
(RDP) Server Traffic - 1 (ATT&CK T1015,T1043,T1076,T1048,
T1032,T1071) cnt=1 deviceNtDomain=APEXTMCM 
dntdom=OSCEDomain1 deviceFacility=Apex One 
TMCMLogDetectedHost=shost1 TMCMLogDetectedIP=10.1.1.9
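As an added example (not Trend Micro's code), the Python below parses this record the way a SIEM ingest step would: it splits the seven pipe-delimited header fields, walks the extension by `key=` tokens so values with embedded spaces such as cs1 stay intact, resolves the cnNLabel/csNLabel pairs into named fields, and decodes the proto and cn4 enumerations from the table above. The sample is constructed from the printed record, with its line breaks joined and the comma in "act=Log,src=" assumed to be a typo for a space, since CEF requires whitespace before each extension key.

```python
import re
# Constructed sample: the Intrusion Prevention record printed on this page with its line breaks
# joined and "act=Log,src=" written as "act=Log src=" (the comma is assumed to be a typo; CEF
# requires whitespace before every extension key).
SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|"
    "rt=Apr 20 2020 03:33:20 GMT+00:00 dvchost=OSCEClient23 deviceFacility=Apex One "
    "act=Log src=10.1.1.9 dst=80.1.1.9 smac=54-BF-64-84-7F-09 spt=89 dmac=54-BF-64-84-7F-19 "
    "dpt=449 cn2Label=Mode cn2=0 deviceDirection=Inbound cn3Label=Priority cn3=1 "
    "cn4Label=Severity cn4=1 proto=10009 cs2Label=Application_Type cs2=N/A cn1Label=Rule "
    "cn1=1009549 cs1Label=Reason/Rule cs1=1009549 - Detected Terminal Services (RDP) Server "
    "Traffic - 1 (ATT&CK T1015,T1043,T1076,T1048,T1032,T1071) cnt=1 deviceNtDomain=APEXTMCM "
    "dntdom=OSCEDomain1 deviceFacility=Apex One TMCMLogDetectedHost=shost1 "
    "TMCMLogDetectedIP=10.1.1.9"
)
HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
PROTO = {28: "ICMP", 46: "ICMPv6", 10003: "TCP", 10004: "UDP", 10005: "IGMP",
         10006: "GGP", 10007: "PUP", 10008: "IDP", 10009: "ND", 10010: "RAW"}
SEVERITY = {1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}
# Extension key: word chars + "=" at the start or after whitespace; the value runs to the next
# key, so spaces inside cs1 survive. A literal "=" in a value must arrive escaped as "\=".
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def split_header(record):
    """Split the seven pipe-delimited header fields from the extension, honouring \\| escapes."""
    parts = re.split(r"(?<!\\)\|", record, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("not a CEF record: expected seven '|' header separators")
    return [p.replace("\\|", "|") for p in parts[:7]], parts[7]


def parse_extension(ext):
    out = {}
    matches = list(KEY_RE.finditer(ext))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")  # last repeat wins
    return out


def parse_ips_event(record):
    """Parse one Apex Central Intrusion Prevention record into a flat dict with decoded enums."""
    header, ext = split_header(record)
    fields = dict(zip(HEADER_FIELDS, header))
    fields.update(parse_extension(ext))
    # Resolve cnNLabel/csNLabel pairs so the event can be read as fields["Rule"], ["Reason/Rule"], ...
    for label_key in [k for k in fields if k.endswith("Label") and k[:-5] in fields]:
        fields[fields[label_key]] = fields[label_key[:-5]]
    fields["proto_name"] = PROTO.get(int(fields.get("proto", 0)), "UNKNOWN")
    fields["severity_name"] = SEVERITY.get(int(fields.get("cn4", 0)), "UNKNOWN")
    fields["detection_only"] = fields.get("cn2") == "1"  # cn2: 0 or NULL = No, 1 = Yes
    return fields
```

Feeding the record exactly as printed (with the comma) yields act="Log,src=10.1.1.9" and no src key, which is the kind of silent field loss a parser should alert on rather than pass through.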