CEF Detection Logs

Table 1. CEF Detection Logs

CEF Key

Description

Value

Header (logVer)

CEF format version

CEF: 0

Header (vendor)

Appliance vendor

Trend Micro

Header (pname)

Appliance product

TMES

Header (pver)

Appliance version

Example: 1.0.0.0

Header (eventid)

Signature ID

100101

Header (eventName)

Description

DETECTION

Header (severity)

Email severity

6: Medium

rt

Log generation time

Example: 2018-06-28 03:22:31

cs1Label

Event type

eventType

cs1

Event type

Example: ransomware

cs2Label

Domain name

domainName

cs2

Domain name

Example: example1.com

suser

Email sender

Example: user1@example1.com

duser

Email recipients

Example: user2@example2.com

cs3Label

Email message direction

direction

cs3

Email message direction

  • incoming

  • outgoing

cs4Label

Unique message identifier

messageId

cs4

Unique message identifier

Example: 201605181642138223747@trend.com

msg

Email subject

Example: hello

cn1Label

Email message size

messageSize

cn1

Email message size

Example: 1809

cs5Label

Violated event analysis

policyName

cs5

Violated event analysis

Example: Spam

cs6Label

Violated event details

details

cs6

Violated event details

Example:
{"threatNames":"Troj",
"fileInfo":[{"fileName":"file1","fileSha256":"abcd1234dae60bcae54516be6c9953b4bb9644e188606ceac00feebf95bbf10e",
"threatName":"Troj"}]}

act

Action in the event

  • Quarantine

  • Bypass

  • Delete Attachment

  • Insert Stamp

  • Tag Subject

  • Change Recipient

  • Delete Message

  • Send Notification

  • Reject

  • Clean

  • BCC

  • Deliver

  • Insert X-Header

  • Encryption in progress

Log sample:

CEF:0|Trend Micro|TMES|1.0.0.0|100101|DETECTION|6|rt=2018-06-28 03:22:31 
cs1Label=eventType cs1=virus cs2Label=domainName cs2=example1.com 
suser=user1@example1.com duser=user2@example2.com cs3Label=direction
cs3=incoming cs4Label=messageId cs4=201605181642138223747@trend.com 
msg=test sample cn1Label=messageSize cn1=1809 cs5Label=policyName 
cs5=Test Rule act=Quarantine cs6Label=details cs6={"threatNames":"Troj",
"fileInfo":[{"fileName":"file1","fileSha256":"abcd1234dae60bcae54516be6c9953b4bb9644e188606ceac00feebf95bbf10e",
"threatName":"Troj"}]}