CEF Network Content Inspection Logs

CEF Key

Description

Value

Header (logVer)

CEF format version

CEF:0

Header (vendor)

Appliance vendor

Trend Micro

Header (pname)

Appliance product

Apex Central

Header (pver)

Appliance version

2019

Header (eventid)

NCIE:Action

NCIE:Pass

Header (eventName)

Name

Suspicious Connection

Header (severity)

Severity

3

deviceExternalId

ID

Example: "1"

cat

Log type

Example: "1756"

deviceFacility

Product

Example: "Apex One"

rt

Log generation time in UTC

Example: "Oct 11 2017 06:34:06 GMT+00:00"

deviceProcessName

Process

Example: "C:\\Windows\\system32\\svchost-1.exe"

src

Local IPv4 address

Example: "10.201.86.152"

c6a2Label

Corresponding label for the "c6a2" field

Example: "SLF_SourceIP"

c6a2

Local IPv6 address

Example: "2620:101:4003:7a0:fd4b:52ed:53bd:ae3d"

spt

Local IP address port

Example: "54594"

dst

Remote IPv4 address

Example: "10.69.81.64"

c6a3Label

Corresponding label for the "c6a3" field

Example: "SLF_DestinationIP"

c6a3

Remote IPv6 address

Example: "fe80::38ca:cd15:443c:40bb%11"

dpt

Remote IP address port

Example: "80"

act

Action

Example: "Pass"

  • 0: Unknown

  • 1: Pass

  • 2: Block

  • 3: Monitor

  • 4: Delete

  • 5: Quarantine

  • 6: Warn

  • 7: Warn and continue

  • 8: Override

deviceDirection

Traffic direction

Example: "Inbound"

  • 0: None

  • 1: Inbound

  • 2: Outbound

cn1Label

Corresponding label for the "cn1" field

Example: "SLF_PatternType"

cn1

Pattern type

Example: "2"

  • 0: Global C&C pattern

  • 1: Relevance rules

  • 2: User-defined block list

cs2Label

Corresponding label for the "cs2" field

Example: "NCIE_ThreatName"

cs2

Threat name

Example: "Malicious_identified_CnC_querying_on_UDP_detected"

reason

Critical threat type

Example: "E"

  • A: Known Advanced Persistent Threat (APT)

  • B: Social engineering attack

  • C: Vulnerability attack

  • D: Lateral movement

  • E: Unknown threats

  • F: C&C callback

  • G: Ransomware

dvchost

Host name

Example: "localhost"

deviceNtDomain

Active Directory domain

Example: APEXTMCM

dntdom

Apex One domain hierarchy

Example: OSCEDomain1

TMCMLogDetectedHost

Endpoint name where the log event occurred

Example: MachineHostName

TMCMLogDetectedIP

IP address where the log event occurred

Example: 10.1.2.3

ApexCentralHost

Apex Central host name

Example: TW-CHRIS-W2019

devicePayloadId

Unique message GUID

Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697

Log sample:

CEF:0|Trend Micro|Apex Central|2019|NCIE:Pass|Suspicious C
onnection|3|deviceExternalId=1 rt=Oct 11 2017 06:34:06 GMT+0
0:00 cat=1756 deviceFacility=Apex One deviceProcessName=C:
\\Windows\\system32\\svchost-1.exe act=Pass src=10.201.86.15
2 dst=10.69.81.64 spt=54594 dpt=80 deviceDirection=None cn1L
abel=SLF_PatternType cn1=2 cs2Label=NCIE_ThreatName cs2=Mali
cious_identified_CnC_querying_on_UDP_detected reason=F devic
eNtDomain=APEXTMCM dntdom=OSCEDomain1 dvchost=shost1 
TMCMLogDetectedHost=shost1 TMCMLogDetectedIP=10.1.2.3
ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360
-9CDE11EB-D4B8-F51F-C697