| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | TMES |
| Header (pver) | Appliance version | Example: 1.0.0.0 |
| Header (eventid) | Signature ID | 100101 |
| Header (eventName) | Description | DETECTION |
| Header (severity) | Email severity | 6 |
| rt | Log generation time | Example: 2019-12-10T08:26:46.728Z |
| cs1Label | Event type | eventType |
| cs1 | Event type | Example: ransomware |
| cs2Label | Domain name | domainName |
| cs2 | Domain name | Example: example1.com |
| suser | Email sender | Example: user1@example1.com |
| duser | Email recipients | Example: user2@example2.com |
| cs3Label | Email message direction | direction |
| cs3 | Email message direction | |
| cs4Label | Unique message identifier | messageId |
| cs4 | Unique message identifier | Example: 201605181642138223747@trend.com |
| msg | Email subject | Example: hello |
| cn1Label | Email message size | messageSize |
| cn1 | Email message size | Example: 1809 |
| cs5Label | Violated event analysis | policyName |
| cs5 | Violated event analysis | Example: Spam |
| cs6Label | Violated event details | details |
| cs6 | Violated event details | Example: `{"threatNames":"Troj", "fileInfo":[{"fileName":"file1","fileSha256":"abcd1234dae60bcae54516be6c9953b4bb9644e188606ceac00feebf95bbf10e", "threatName":"Troj"}]}` |
| act | Action in the event | |
Log sample:

```
CEF:0|Trend Micro|TMES|1.0.0.0|100101|DETECTION|6|rt=2019-12-10T08:26:46.728Z cs1Label=eventType cs1=virus cs2Label=domainName cs2=example1.com suser=user1@example1.com duser=user2@example2.com cs3Label=direction cs3=incoming cs4Label=messageId cs4=201605181642138223747@trend.com msg=test sample cn1Label=messageSize cn1=1809 cs5Label=policyName cs5=Test Rule act=Quarantine cs6Label=details cs6={"threatNames":"Troj", "fileInfo":[{"fileName":"file1", "fileSha256":"abcd1234dae60bcae54516be6c9953b4bb9644e188606ceac00feebf95bbf10e", "threatName":"Troj"}]}
```
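The sample above shows the two things a collector has to get right for this format: extension values may contain spaces (`msg=test sample`, `cs5=Test Rule`) and `cs6` carries JSON, and the `csNLabel`/`cnNLabel` keys name what `csN`/`cnN` hold. The parser below is an added example, not Trend Micro code; it assumes `CEF:0` records with the seven header fields listed in the table and un-escapes only `\|` and `\=`.

```python
import json
import re

# Constructed input: the TMES log sample from this page, reassembled as one line.
SAMPLE = (
    "CEF:0|Trend Micro|TMES|1.0.0.0|100101|DETECTION|6|"
    "rt=2019-12-10T08:26:46.728Z cs1Label=eventType cs1=virus cs2Label=domainName cs2=example1.com "
    "suser=user1@example1.com duser=user2@example2.com cs3Label=direction cs3=incoming "
    "cs4Label=messageId cs4=201605181642138223747@trend.com msg=test sample "
    "cn1Label=messageSize cn1=1809 cs5Label=policyName cs5=Test Rule act=Quarantine "
    'cs6Label=details cs6={"threatNames":"Troj", "fileInfo":[{"fileName":"file1", '
    '"fileSha256":"abcd1234dae60bcae54516be6c9953b4bb9644e188606ceac00feebf95bbf10e", '
    '"threatName":"Troj"}]}'
)

HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
# A key is a run of word characters followed by '=' at the start or right after a space;
# everything else belongs to the previous value, so spaces and JSON inside values survive.
_KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_]+)=")


def split_header(line):
    """Split the seven pipe-delimited header fields from the extension string."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # CEF escapes a literal '|' as '\|'
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    header["severity"] = int(header["severity"])
    return header, parts[7]


def parse_extension(ext):
    """Split 'key=value key=value' into a dict, un-escaping '\\=' inside values."""
    matches = list(_KEY_RE.finditer(ext))
    ends = [m.start() for m in matches[1:]] + [len(ext)]
    return {m.group(1): ext[m.end():end].rstrip(" ").replace("\\=", "=")
            for m, end in zip(matches, ends)}


def resolve_labels(fields):
    """Rename csN/cnN to the name in csNLabel/cnNLabel (cs1Label=eventType -> eventType)."""
    return {fields.get(k + "Label", k): v for k, v in fields.items() if not k.endswith("Label")}


def parse_event(line):
    """Parse one TMES CEF line into a flat dict; the cs6 'details' JSON is decoded."""
    header, ext = split_header(line)
    fields = resolve_labels(parse_extension(ext))
    if "details" in fields:
        fields["details"] = json.loads(fields["details"])
    return {**header, **fields}


def file_hashes(event):
    """Return the SHA-256 values reported under details.fileInfo, ready for hash lookups."""
    return [f["fileSha256"] for f in event.get("details", {}).get("fileInfo", []) if "fileSha256" in f]
```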