CEF Predictive Machine Learning Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Product vendor | Trend Micro |
| Header (pname) | Product name | Apex Central |
| Header (pver) | Product version | 2019 |
| Header (eventid) | PML:Action result | PML:File cleaned |
| Header (eventName) | Detection name | virusa |
| Header (severity) | Severity | 3 |
| rt | The detection time in UTC | Example: "Feb 14 2017 11:14:08 GMT+00:00" |
| dvchost | Product server | Example: "Sample_Host" |
| cn1Label | Corresponding label for the "cn1" field | "ThreatType" |
| cn1 | Probable threat type | Example: "35143". For more information, see Threat Type Mapping Table. |
| cs2Label | Corresponding label for the "cs2" field | "DetectionName" |
| cs2 | Security threat | Example: "Troj.Win32.TRX.XXPE002FF017" |
| shost | Infected endpoint | Example: "10.0.0.1" |
| suser | Logon user | Example: "TREND\\User" |
| cn2Label | Corresponding label for the "cn2" field | "DetectionType" |
| cn2 | Detection type | Example: "0". 0: File; 1: Process |
| filePath | File path | Example: "D:\\" |
| fname | File name | Example: "ALCORMP.EXE" |
| deviceCustomDate1 | File creation time | Example: "2017-04-26 05:53:27.000" |
| sproc | System process | Example: "notepad.exe" |
| cs4Label | Corresponding label for the "cs4" field | "ProcessCommandLine" |
| cs4 | Process command | Example: "notepad.exe" |
| duser | Process owner | Example: "user1" |
| app | Infection channel | Example: "10". 0: Unknown; 1: Local drive; 2: Network drive; 3: AutoRun files; 10: Web; 11: Email; 999: Local or network drive |
| cs3Label | Corresponding label for the "cs3" field | "InfectionLocation" |
| cs3 | Infection source | Example: "http://10.0.0.1/" |
| dst | Product/Endpoint IPv4 address | Example: "10.0.17.6" |
| c6a3Label | Corresponding label for the "c6a3" field | "Product/Endpoint IP" |
| c6a3 | Product/Endpoint IPv6 address | Example: "fd66:5168:9882:6:b5b0:b2b5:4173:3f5d" |
| cn3Label | Corresponding label for the "cn3" field | "Confidence" |
| cn3 | Threat probability | Example: "82" |
| act | Action result | Example: "21". For more information, see Action Mapping Table. |
| fileHash | File SHA-1 | Example: "52c17c785b45ee961f68fb17744276076f383085" |
| dhost | Product entity/endpoint | Example: "dhost1" |
| deviceExternalId | Log sequence number | Example: "100" |
| deviceFacility | Product | Example: "Apex One" |
| reason | Critical threat type | Example: "E". A: Known Advanced Persistent Threat (APT); B: Social engineering attack; C: Vulnerability attack; D: Lateral movement; E: Unknown threats; F: C&C callback; G: Ransomware |
| deviceNtDomain | Active Directory domain | Example: "APEXTMCM" |
| dntdom | Apex One domain hierarchy | Example: "OSCEDomain1" |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: "MachineHostName" |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: "10.1.2.3" |
| ApexCentralHost | Apex Central host name | Example: "TW-CHRIS-W2019" |
| devicePayloadId | Unique message GUID | Example: "1C00290C0360-9CDE11EB-D4B8-F51F-C697" |

Log sample:

```text
CEF:0|Trend Micro|Apex Central|2019|PML:File cleaned|Detection01|3|deviceExternalId=1 rt=Dec 01 2018 16:01:00 GMT+00:00 deviceFacility=15 dvchost=OSCE01 cn1Label=ThreatType cn1=1 cs2Label=DetectionName cs2=Detection01 shost=10.0.0.1 suser=Sample_Domain\\Sample_User cn2Label=DetectionType cn2=0 filePath=C:\\test01\\aaa.exe fname=aaa.exe deviceCustomDate1Label=FileCreationDate deviceCustomDate1=Dec 02 2018 00:01:00 GMT+00:00 sproc=notepad.exe cs4Label=ProcessCommandLine cs4=notepad.exe -test duser=admin01 app=1 cs3Label=InfectionLocation cs3=https://10.1.1.1 dst=80.1.1.1 cn3Label=Confidence cn3=81 act=21 fileHash=177750B65A21A9043105FD0820B85B58CF148A01 dhost=OSCEClient11 reason=E deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=OSCEClient11 TMCMLogDetectedIP=80.1.1.1 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697
```
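The record layout above, parsed into its header and extension fields: an added Python example written for this page, not code shipped with Apex Central. It applies the CEF backslash escaping for `|`, `=` and `\`, resolves each cnNLabel/csNLabel to the field it names, and decodes the cn2, app and reason codes listed in the table; the Threat Type and Action mapping tables are only referenced on this page, so cn1 and act are left as raw codes. The embedded sample is the page's log sample, shortened.

```python
import re

# Code tables taken from the field reference above (cn2, app and reason).
DETECTION_TYPE = {"0": "File", "1": "Process"}
INFECTION_CHANNEL = {"0": "Unknown", "1": "Local drive", "2": "Network drive",
                     "3": "AutoRun files", "10": "Web", "11": "Email",
                     "999": "Local or network drive"}
CRITICAL_THREAT = {"A": "Known Advanced Persistent Threat (APT)",
                   "B": "Social engineering attack", "C": "Vulnerability attack",
                   "D": "Lateral movement", "E": "Unknown threats",
                   "F": "C&C callback", "G": "Ransomware"}
HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

def _unescape(value, chars):
    # CEF escapes a reserved character by prefixing it with a backslash.
    return re.sub(r"\\([" + re.escape(chars) + "])", r"\1", value)

def parse_cef(line):
    # Header: seven '|'-separated fields; an escaped '\|' must not split.
    parts = re.split(r"(?<!\\)\|", line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = {k: _unescape(v, "|\\") for k, v in zip(HEADER_KEYS, parts)}
    header["logVer"] = header["logVer"][len("CEF:"):]
    # Extension: a value runs until the next ' key=' token, so spaces in rt/cs4 survive.
    ext = {}
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        ext[m.group(1)] = _unescape(m.group(2), "=\\")
    # Also expose each cnN/csN value under the name its cnNLabel/csNLabel gives.
    for key in list(ext):
        if key.endswith("Label") and key[:-5] in ext:
            ext[ext[key]] = ext[key[:-5]]
    return header, ext

def decode_pml(ext):
    # Decode the fields whose code tables are on this page (cn1/act tables are not).
    return {
        "detection_type": DETECTION_TYPE.get(ext.get("cn2"), "unlisted code"),
        "infection_channel": INFECTION_CHANNEL.get(ext.get("app"), "unlisted code"),
        "critical_threat_type": CRITICAL_THREAT.get(ext.get("reason"), "unlisted code"),
        "confidence": int(ext["cn3"]) if ext.get("cn3", "").isdigit() else None,
    }

# The page's log sample, shortened and joined onto one line (raw strings keep '\\').
SAMPLE = (r"CEF:0|Trend Micro|Apex Central|2019|PML:File cleaned|Detection01|3|"
          r"deviceExternalId=1 rt=Dec 01 2018 16:01:00 GMT+00:00 dvchost=OSCE01 "
          r"cn1Label=ThreatType cn1=1 shost=10.0.0.1 suser=Sample_Domain\\Sample_User "
          r"cn2Label=DetectionType cn2=0 filePath=C:\\test01\\aaa.exe fname=aaa.exe "
          r"cs4Label=ProcessCommandLine cs4=notepad.exe -test duser=admin01 app=1 "
          r"cn3Label=Confidence cn3=81 act=21 reason=E")
```

Calling `parse_cef(SAMPLE)` returns the header and extension dicts; `decode_pml` on the extension yields the human-readable detection type, channel and critical threat type.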