CEF Sandbox Detection Logs

Note: Sandbox Detection logs are called Virtual Analyzer Detections on the Apex Central console.

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Apex Central |
| Header (pver) | Appliance version | 2019 |
| Header (eventid) | Device event class ID | VAD |
| Header (eventName) | Event name | Virtual Analyzer detection name |
| Header (severity) | Severity | 3 |
| deviceExternalId | ID | Example: "2" |
| rt | Log generation time in UTC | Example: "Mar 22 2018 08:23:23 GMT+00:00" |
| deviceFacility | Product | Example: "Apex One" |
| dvchost | Server name | Example: "OSCE01" |
| dhost | Endpoint name | Example: "Isolate-ClientA" |
| dst | Endpoint IPv4 address | Example: "10.0.17.6" |
| c6a3 | Endpoint IPv6 address | Example: "fe80::38ca:cd15:443c:40bb%11" |
| app | Entry channel | Example: "0". For more information, see Protocol Mapping Table |
| sourceServiceName | Source | Example: "Test1@tmcm.extbeta.com" |
| destinationServiceName | Destination | Example: "Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com" |
| sproc | Process name | Example: "VA" |
| fileHash | File SHA-1 hash | Example: "D6712CAE5EC821F910E14945153AE7871AA536CA" |
| fname | File name | Example: "C:\\\\QA_Log.zip" |
| request | URL | Example: "http://127.1.1.1" |
| cs1 | The name of the security threat determined by Virtual Analyzer | Example: "VAN_RANSOMWARE.umxxhelloransom_abc" |
| cn1 | Displays the risk level assigned by Virtual Analyzer | Example: "0". Values: 0: No risk; 1: Low risk; 2: Medium risk; 3: High risk; 9999: Unknown |
| cs2 | Displays the security threat type | Example: "Anti-security, self-preservation" |
| cs3 | Cloud storage vendor | Example: "Google Drive". Values: Dropbox; Box; Google Drive; Microsoft OneDrive; SugarSync; Hightail; Evernote; Microsoft Exchange Online; Microsoft SharePoint Online; Unknown; N/A |
| reason | Critical threat type | Example: "E". Values: A: Known Advanced Persistent Threat (APT); B: Social engineering attack; C: Vulnerability attack; D: Lateral movement; E: Unknown threats; F: C&C callback; G: Ransomware |
| deviceNtDomain | Active Directory domain | Example: APEXTMCM |
| dntdom | Apex One domain hierarchy | Example: OSCEDomain1 |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: MachineHostName |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: 10.1.2.3 |
| ApexCentralHost | Apex Central host name | Example: TW-CHRIS-W2019 |
| devicePayloadId | Unique message GUID | Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697 |

Log sample (one line; the header prefix is written `CEF:0` as in the table, and `sourceServiceName=` is a key=value pair like every other extension field):

```
CEF:0|Trend Micro|Apex Central|2019|VAD|VAN_RANSOMWARE.umxxhelloransom_abc|3|deviceExternalId=2 rt=Mar 22 2018 08:23:23 GMT+00:00 deviceFacility=Apex One dvchost=OSCE01 dhost=Isolate-ClientA dst=0.0.0.0 app=1 sourceServiceName=Test1@trend.com.tw destinationServiceName=Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com sproc=VA fileHash=3395856CE81F2B7382DEE72602F798B642F14140 fname=C:\\\\QA_Log.zip request=http://127.1.1.1 cs1Label=Security_Threat cs1=VAN_RANSOMWARE.umxxhelloransom_abc cn1Label=Risk_Level cn1=0 cs2Label=Threat_Categories cs2=Anti-security, self-preservation cs3Label=Cloud_Service_Vendor cs3=Google Drive reason=E deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=OSCEClient TMCMLogDetectedIP=0.0.0.0 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697
```
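As an added example (not Trend Micro's code), a small Python parser for the Sandbox Detection line above: it splits the header on unescaped pipes, parses the extension where values such as `rt` and `cs2` contain spaces, resolves the `csNLabel`/`cnNLabel` pairs into named fields, and decodes `cn1` and `reason` with the value tables above. The embedded line is the page's own log sample joined to one line, with `sourceServiceName=` written as a proper key=value pair.

```python
import re
# Added example (not Trend Micro's code): parse one Apex Central "VAD" CEF line using the layout above.
RISK_LEVELS = {0: "No risk", 1: "Low risk", 2: "Medium risk", 3: "High risk", 9999: "Unknown"}
CRITICAL_THREAT_TYPES = {"A": "Known Advanced Persistent Threat (APT)", "B": "Social engineering attack",
                         "C": "Vulnerability attack", "D": "Lateral movement", "E": "Unknown threats",
                         "F": "C&C callback", "G": "Ransomware"}
HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
# The page's log sample joined to one line, with sourceServiceName= written as key=value.
SAMPLE = (
    r"CEF:0|Trend Micro|Apex Central|2019|VAD|VAN_RANSOMWARE.umxxhelloransom_abc|3|"
    r"deviceExternalId=2 rt=Mar 22 2018 08:23:23 GMT+00:00 deviceFacility=Apex One dvchost=OSCE01 "
    r"dhost=Isolate-ClientA dst=0.0.0.0 app=1 sourceServiceName=Test1@trend.com.tw "
    r"destinationServiceName=Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com sproc=VA "
    r"fileHash=3395856CE81F2B7382DEE72602F798B642F14140 fname=C:\\\\QA_Log.zip request=http://127.1.1.1 "
    r"cs1Label=Security_Threat cs1=VAN_RANSOMWARE.umxxhelloransom_abc cn1Label=Risk_Level cn1=0 "
    r"cs2Label=Threat_Categories cs2=Anti-security, self-preservation cs3Label=Cloud_Service_Vendor "
    r"cs3=Google Drive reason=E deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=OSCEClient "
    r"TMCMLogDetectedIP=0.0.0.0 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697"
)

def _unescape(value):
    # CEF escapes backslash, "=" (extension) and "|" (header) with a leading backslash.
    return re.sub(r"\\([\\=|])", r"\1", value)

def parse_cef(line):
    """Split the header on unescaped pipes, then the extension on ' key=' boundaries."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 line")
    header = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    # Values may contain spaces (rt, cs2): a value runs until the next " key=" starts.
    ext = {k: _unescape(v) for k, v in re.findall(r"(\w+)=(.*?)(?= \w+=|$)", parts[7])}
    for key in list(ext):  # cs1Label=Security_Threat + cs1=X  ->  ext["Security_Threat"] = X
        if key.endswith("Label") and key[:-5] in ext:
            ext[ext[key]] = ext[key[:-5]]
    return {"header": header, "ext": ext}

def summarize_vad(line):
    """Decode the coded fields of a VAD event into the labels from the tables above."""
    ev = parse_cef(line)
    if ev["header"]["eventid"] != "VAD":
        raise ValueError("not a Virtual Analyzer detection")
    ext, code = ev["ext"], ev["ext"].get("reason", "")
    return {
        "threat": ext.get("Security_Threat", ext.get("cs1")),
        "sha1": ext.get("fileHash", "").lower(),
        "risk": RISK_LEVELS.get(int(ext.get("cn1", 9999)), "Unknown"),
        "critical_type": CRITICAL_THREAT_TYPES.get(code, "unrecognized code %r" % code),
        "categories": [c.strip() for c in ext.get("Threat_Categories", "").split(",") if c.strip()],
    }
```

Note that a naive `split(" ")` on the extension would break `rt` and `cs2` apart, which is why the parser looks for the next `key=` boundary instead.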