CEF Detection Logs
|
CEF Key |
Description |
Value |
|---|---|---|
|
Header (logVer) |
CEF format version |
CEF: 0 |
|
Header (vendor) |
Appliance vendor |
Trend Micro |
|
Header (pname) |
Appliance product |
TMES |
|
Header (pver) |
Appliance version |
Example: 1.0.0.0 |
|
Header (eventid) |
Signature ID |
100101 |
|
Header (eventName) |
Description |
DETECTION |
|
Header (severity) |
Email severity |
6 |
|
rt |
Log generation time |
Example: 2019-12-10T08:26:46.728Z |
|
cs1Label |
Event type |
eventType |
|
cs1 |
Event type |
Example: ransomware |
|
cs2Label |
Domain name |
domainName |
|
cs2 |
Domain name |
Example: example1.com |
|
suser |
Email sender |
Example: user1@example1.com |
|
duser |
Email recipients |
Example: user2@example2.com |
|
cs3Label |
Email message direction |
direction |
|
cs3 |
Email message direction |
|
|
cs4Label |
Unique message identifier |
messageId |
|
cs4 |
Unique message identifier |
Example: 201605181642138223747@trend.com |
|
msg |
Email subject |
Example: hello |
|
cn1Label |
Email message size |
messageSize |
|
cn1 |
Email message size |
Example: 1809 |
|
cs5Label |
Violated event analysis |
policyName |
|
cs5 |
Violated event analysis |
Example: Spam |
|
cs6Label |
Violated event details |
details |
|
cs6 |
Violated event details |
Example: {"threatNames":"Troj", "fileInfo":[{"fileName":"file1","fileSha256":"abcd1234dae60bcae54516be6c9953b4bb9644e188606ceac00feebf95bbf10e", "threatName":"Troj"}]} |
|
act |
Action in the event |
|
Log sample:
CEF:0|Trend Micro|TMES|1.0.0.0|100101|DETECTION|6|rt=2019-12-10T08:26:46.728Z
cs1Label=eventType cs1=virus cs2Label=domainName cs2=example1.com
suser=user1@example1.com duser=user2@example2.com cs3Label=direction
cs3=incoming cs4Label=messageId cs4=201605181642138223747@trend.com
msg=test sample cn1Label=messageSize cn1=1809 cs5Label=policyName
cs5=Test Rule act=Quarantine cs6Label=details cs6={"threatNames":"Troj",
"fileInfo":[{"fileName":"file1",
"fileSha256":"abcd1234dae60bcae54516be6c9953b4bb9644e188606ceac00feebf95bbf10e",
"threatName":"Troj"}]}
