| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Control Manager |
| Header (pver) | Appliance version | 7.0 |
| Header (eventid) | PML:Action result | PML:File cleaned |
| Header (eventName) | Detection name | virusa |
| Header (severity) | Severity | 3 |
| rt | The detection time in UTC | Example: "Feb 14 2017 11:14:08 GMT+00:00" |
| dvchost | Product server | Example: "Sample_OSCE" |
| cn1Label | Corresponding label for the "cn1" field | "Probable Threat Type" |
| cn1 | Probable threat type | Example: "35143". For more information, see the Threat Type Mapping Table. |
| cs2Label | Corresponding label for the "cs2" field | "Security Threat" |
| cs2 | Security threat | Example: "Troj.Win32.TRX.XXPE002FF017" |
| shost | Infected endpoint | Example: "10.0.0.1" |
| suser | Logon user | Example: "TREND\User" |
| cn2Label | Corresponding label for the "cn2" field | "Type" |
| cn2 | Detection type | Example: "0" |
| filePath | File path | Example: "D:\" |
| fname | File name | Example: "ALCORMP.EXE" |
| deviceCustomDate1 | File creation time | Example: "2017-04-26 05:53:27.000" |
| sproc | System process | Example: "notepad.exe" |
| cn4Label | Corresponding label for the "cn4" field | "Process Command" |
| cs4 | Process command | Example: "notepad.exe" |
| duser | Process owner | Example: "user1" |
| app | Infection channel | Example: "10" |
| cs3Label | Corresponding label for the "cs3" field | "Infection Source" |
| cs3 | Infection source | Example: "http://10.0.0.1/" |
| dst | Product/Endpoint IP | Example: "10.0.35.49" |
| c6a3Label | Corresponding label for the "c6a3" field | "Product/Endpoint IP" |
| c6a3 | Product/Endpoint IP | Example: "10.0.17.6" |
| cn3Label | Corresponding label for the "cn3" field | "Threat Probability" |
| cn3 | Threat probability | Example: "82" |
| act | Action result | Example: "21". For more information, see the Action Result Mapping Table. |
| filehash | File SHA-1 | Example: "52c17c785b45ee961f68fb17744276076f383085" |
| dhost | Product entity/endpoint | Example: "dhost1" |
| deviceExternalId | Log sequence number | Example: "100" |
| deviceFacility | Product | Example: "OfficeScan" |
Log sample:

```
CEF:0|Trend Micro|Control Manager|7.0|PML:File cleaned|virusa|3|deviceFacility=1 cs2Label=DetectionName cs2=virusa suser=Sample-OSCE\\Administrator cn2Label=DetectionType cn2=0 filePath=C:\\WindowsFILENAME deviceCustomDate1Label=FileCreationDate deviceCustomDate1=Nov 03 2016 08:58:03 GMT+00:00 sproc=notepad.exe cs4Label=ProcessCommandLine cs4=notepad.exe -test duser=admin app=2 cs3Label=InfectionLocation cs3=http://10.0.0.1/ dst=10.0.174.28 cn3Label=Confidence cn3=82 act=21
```
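A small parser for this format, added here as an example and not Trend Micro's own code: it splits the seven pipe-delimited header fields, walks the `key=value` extension (values such as the process command line contain spaces, so a new pair starts only where a key name directly precedes `=`), unescapes `\\` and `\=`, and resolves each `csNLabel`/`cnNLabel` pair to its human-readable name. The sample line is constructed from the log sample above; the 80% confidence threshold in `is_high_confidence` is an assumption, not a documented value.

```python
import re

# Constructed from the PML log sample documented above.
SAMPLE = (
    "CEF:0|Trend Micro|Control Manager|7.0|PML:File cleaned|virusa|3|"
    "deviceFacility=1 cs2Label=DetectionName cs2=virusa "
    "suser=Sample-OSCE\\\\Administrator cn2Label=DetectionType cn2=0 "
    "filePath=C:\\\\WindowsFILENAME deviceCustomDate1Label=FileCreationDate "
    "deviceCustomDate1=Nov 03 2016 08:58:03 GMT+00:00 sproc=notepad.exe "
    "cs4Label=ProcessCommandLine cs4=notepad.exe -test duser=admin app=2 "
    "cs3Label=InfectionLocation cs3=http://10.0.0.1/ dst=10.0.174.28 "
    "cn3Label=Confidence cn3=82 act=21"
)

HEADER_KEYS = ["logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity"]


def parse_cef(line):
    """Return (header, raw_extension, labelled_extension) for one CEF line."""
    # Header: seven fields separated by unescaped pipes; the rest is the extension.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(HEADER_KEYS, (p.replace("\\|", "|") for p in parts[:7])))
    header["severity"] = int(header["severity"])

    # Extension: key=value pairs; a value runs until the next "<space>key=".
    ext = {}
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        ext[m.group(1)] = m.group(2).replace("\\\\", "\\").replace("\\=", "=")

    # Map cs2/cn3/deviceCustomDate1/... to the names their *Label fields carry.
    named = {}
    for key, val in ext.items():
        if key.endswith("Label"):
            continue
        named[ext.get(key + "Label", key)] = val
    return header, ext, named


def is_high_confidence(named, threshold=80):
    """True when the PML threat probability (cn3, labelled 'Confidence' in the
    sample) meets the assumed threshold; missing or non-numeric cn3 is False."""
    try:
        return int(named.get("Confidence", "")) >= threshold
    except ValueError:
        return False
```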