CEF Spyware/Grayware Logs

| CEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Apex Central |
| Header (pver) | Appliance version | 2019 |
| Header (eventid) | Device event class ID | Spyware Detected |
| Header (eventName) | Event name | Spyware Detected |
| Header (severity) | Severity | 3 |
| cnt | Number of detections | Example: "10" |
| rt | Log generation time in UTC | Example: "Oct 06 2017 08:39:46 GMT+00:00" |
| cn1Label | Corresponding label for the "cn1" field | Example: "Pattern Type" |
| cn1 | Pattern type | Example: "1073741840" |
| cs1Label | Corresponding label for the "cs1" field | Example: "VirusName" |
| cs1 | Spyware/Grayware | Example: "ADW_OPENCANDY" |
| cs2Label | Corresponding label for the "cs2" field | Example: "EngineVersion" |
| cs2 | Engine version | Example: "6.2.3027" |
| cs5Label | Corresponding label for the "cs5" field | Example: "ActionResult" |
| cs5 | Action | Example: "Reboot system successfully". For more information, see Action Mapping Table. |
| cs6Label | Corresponding label for the "cs6" field | Example: "PatternVersion" |
| cs6 | Pattern version | Example: "1297" |
| cat | Log type | Example: "1727" |
| dvchost | Endpoint host name | Example: "ApexOneClient01" |
| deviceExternalId | ID | Example: "3" |
| fname | Resource | Example: "F:\\Malware\\psas\\rsrc2.bin" |
| filePath | Resource | Example: "F:\\Malware\\psas\\rsrc2.bin" |
| dhost | Endpoint host name | Example: "ApexOneClient01" |
| dst | Endpoint IPv4 address | Example: "50.8.1.1" |
| c6a3Label | Corresponding label for the "c6a3" field | Example: "SLP_DestinationIP" |
| c6a3 | Endpoint IPv6 address | Example: "fe80::38ca:cd15:443c:40bb%11" |
| fileHash | File SHA-1 | Example: "D6712CAE5EC821F910E14945153AE7871AA536CA" |
| deviceFacility | Product | Example: "Apex One" |
| duser | User name | Example: "Admin004" |
| cn2Label | Corresponding label for the "cn2" field | Example: "Scan_Type" |
| cn2 | Scan type | Example: "Scan Now". For more information, see Spyware/Grayware Scan Type Mapping Table. |
| cn3Label | Corresponding label for the "cn3" field | Example: "Security_Threat_Type" |
| cn3 | Security threat type | Example: "Adware". For more information, see Spyware/Grayware Risk Type Mapping Table. |
| deviceNtDomain | Active Directory domain | Example: "APEXTMCM" |
| dntdom | Apex One domain hierarchy | Example: "OSCEDomain1" |
| TMCMLogDetectedHost | Endpoint name where the log event occurred | Example: "MachineHostName" |
| TMCMLogDetectedIP | IP address where the log event occurred | Example: "10.1.2.3" |
| ApexCentralHost | Apex Central host name | Example: "TW-CHRIS-W2019" |
| devicePayloadId | Unique message GUID | Example: "1C00290C0360-9CDE11EB-D4B8-F51F-C697" |

Log sample (a single line; wrapped here only for display):

```
CEF:0|Trend Micro|Apex Central|2019|Spyware Detected|Spyware Detected|3|deviceExternalId=3 rt=Oct 06 2017 08:39:46 GMT+00:00 cnt=1 dhost=ApexOneClient01 cn1Label=PatternType cn1=1073741840 cs1Label=VirusName cs1=ADW_OPENCANDY cs2Label=EngineVersion cs2=6.2.3027 cs5Label=ActionResult cs5=Reboot system successfully cs6Label=PatternVersion cs6=1297 cat=1727 dvchost=ApexOneClient01 fname=F:\\Malware\\psas\\rsrc2.bin filePath=F:\\Malware\\psas\\rsrc2.bin dst=50.8.1.1 deviceFacility=Apex One deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=ApexOneClient01 TMCMLogDetectedIP=50.8.1.1 ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697
```
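A parser for this record layout, added here as an example and not Trend Micro's code: it splits the seven pipe-delimited header fields, reads the space-separated extension pairs without breaking values that themselves contain spaces (such as cs5 above), unescapes CEF's backslash escapes in the file paths, and resolves the csN/cnN slots through their Label fields so a consumer can ask for "VirusName" instead of "cs1". The sample line is the page's log sample joined back onto one line; the function names parse_cef and spyware_detection are this example's own.

```python
import re

# Constructed sample: the page's log sample on one line (CEF escapes "\" as "\\", hence the doubling).
SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|Spyware Detected|Spyware Detected|3|deviceExternalId=3 "
    "rt=Oct 06 2017 08:39:46 GMT+00:00 cnt=1 dhost=ApexOneClient01 cn1Label=PatternType "
    "cn1=1073741840 cs1Label=VirusName cs1=ADW_OPENCANDY cs2Label=EngineVersion cs2=6.2.3027 "
    "cs5Label=ActionResult cs5=Reboot system successfully cs6Label=PatternVersion cs6=1297 "
    "cat=1727 dvchost=ApexOneClient01 fname=F:\\\\Malware\\\\psas\\\\rsrc2.bin "
    "filePath=F:\\\\Malware\\\\psas\\\\rsrc2.bin dst=50.8.1.1 deviceFacility=Apex One "
    "deviceNtDomain=APEXTMCM dntdom=OSCEDomain1 TMCMLogDetectedHost=ApexOneClient01 "
    "TMCMLogDetectedIP=50.8.1.1 ApexCentralHost=TW-CHRIS-W2019 "
    "devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697"
)
HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
# One extension pair; the value runs lazily up to the next " key=" (or end of line), so "Reboot system successfully" stays whole.
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def _unescape(value):
    # CEF escapes "\", "=" and "|" with a backslash; "\n" and "\r" stand for line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)


def parse_cef(line):
    """Return the seven CEF header fields plus an 'ext' dict of extension pairs."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)  # split on unescaped "|"
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    record = dict(zip(HEADER_KEYS, (_unescape(p) for p in parts[:7])))
    record["severity"] = int(record["severity"])
    ext = {k: _unescape(v) for k, v in EXT_PAIR.findall(parts[7])}
    # Resolve Apex Central's custom slots: "cs1Label=VirusName cs1=ADW_OPENCANDY" also
    # yields ext["VirusName"] == "ADW_OPENCANDY", so consumers need not know slot numbers.
    for key, label in list(ext.items()):
        if key.endswith("Label") and key[:-5] in ext:
            ext[label] = ext[key[:-5]]
    record["ext"] = ext
    return record


def spyware_detection(line):
    # Normalise a Spyware Detected event into the fields an analyst pivots on; None for other events.
    r = parse_cef(line)
    if r["eventid"] != "Spyware Detected":
        return None
    e = r["ext"]
    return {
        "host": e.get("dhost") or e.get("dvchost"), "ip": e.get("dst"), "threat": e.get("VirusName"),
        "path": e.get("filePath") or e.get("fname"), "sha1": e.get("fileHash"),
        "action": e.get("ActionResult"), "detections": int(e.get("cnt", "1")),
        "severity": r["severity"], "message_id": e.get("devicePayloadId"),
    }
```

Note that the sample carries no fileHash, so "sha1" comes back as None; a SIEM rule keyed on the hash must tolerate its absence and fall back to the threat name and path.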