CEF Observed Attack Techniques Logs

Table 1. CEF Observed Attack Techniques Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (Version) | CEF format version | CEF:0 |
| Header (Device Vendor) | Product vendor | Trend Micro |
| Header (Device Product) | Product of sending device | Vision One |
| Header (Device Version) | Service version | 1.0.0 |
| Header (Device Event Class ID) | A unique identifier per event type | 900002 |
| Header (Name) | Category of the event | Vision One Observed Attack Technique |
| Header (Severity) | Importance of the event | Example: 3. Possible values: 1 (Undefined), 2 (Info), 3 (Low), 5 (Medium), 7 (High), 9 (Critical) |
| act | Action taken for the violation | Example: "Block". Possible values: Not blocked, Block, Reset |
| app | Network protocol being exploited | Example: "HTTP". Possible values: HTTP, KEBEROS, TCP |
| cat | Detection name | Example: "Connection To Commonly Used Ports" |
| deviceDirection | Device direction | Example: "0". Possible values: 0 (inbound), 1 (outbound) |
| deviceExternalId | GUID of the agent that reported this detection | Example: "B0DA10B4-EA5A-44EA-8D78-41FE6CD1C3E2" |
| deviceFacility | Product name | Example: "Trend Micro Deep Security". Possible values: Trend Micro Deep Security, Deep Discovery Inspector, Apex One |
| externalId | Event ID | Example: "100116". Possible values: 100116, 100117, 100119 |
| request | Notable URL | Example: "http://35.247.144.219" |
| src | Source IP | Example: "8.8.8.8" |
| dst | Destination IP | Example: "239.255.255.250" |
| shost | Source hostname | Example: "dns.google" |
| dhost | Destination hostname | Example: "10.46.91.40" |
| deviceProcessName | Process name on the device | Example: "C:\\Users\\Administrator\\AppData\\Local\\Programs\\Python\\Python38-32\\python.exe" |
| msg | Filter description | Example: "Detects the connection to commonly used ports" |
| cs1 | MITRE tactics list | Example: "TA0002,TA0006" |
| cs1Label | Corresponding label for the "cs1" field | Example: "MITRE Tactics IDs" |
| cs2 | MITRE techniques list | Example: "T1003.001,T1059.001" |
| cs2Label | Corresponding label for the "cs2" field | Example: "MITRE Technique IDs" |
| rt | Event time | Example: "Dec 05 2022 05:26:45" |
| dpt | Port of "dst" | Example: "8080" |
| spt | Port of "src" | Example: "544" |
| TrendMicroV1CompanyID | Company ID | Example: "68960c94-9be6-4343-a4ca-6408de7aa331" |
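As an added example (not code from the Trend Micro documentation), the following Python parser reads one Observed Attack Technique record laid out as in Table 1: it splits the seven pipe-delimited header fields, walks the key=value extension, binds cs1/cs2 to the labels carried in cs1Label/cs2Label, and maps the numeric severity and direction codes to the names above. The sample record is constructed from the table's example values; the escaping rules it honours ("\|" and "\\" in the header, "\=" and "\\" in extension values) come from the CEF standard and are an assumption, since the page does not describe escaping.

```python
import re

# Severity and direction scales as listed in Table 1.
SEVERITY = {"1": "Undefined", "2": "Info", "3": "Low", "5": "Medium", "7": "High", "9": "Critical"}
DIRECTION = {"0": "inbound", "1": "outbound"}
HEADER = ("version", "device_vendor", "device_product", "device_version",
          "device_event_class_id", "name", "severity")
# Header: "CEF:<ver>|" then six fields, each closed by an unescaped "|" ("\|" and "\\" are escapes).
HEADER_RE = re.compile(r"CEF:(\d+)\|" + r"((?:\\.|[^\\|])*)\|" * 6)
# Extension: key=value pairs; a value may contain spaces and runs until " <key>=" or end of line.
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)")

def unescape(value: str) -> str:
    # Undo CEF escaping: "\\" -> "\", "\=" -> "=", "\|" -> "|", "\n" / "\r" -> line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_oat(line: str) -> dict:
    """Parse one Observed Attack Technique CEF record into a flat dict using Table 1 semantics."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a CEF record")
    event = {k: unescape(v) for k, v in zip(HEADER, m.groups())}
    ext = {k: unescape(v) for k, v in EXT_RE.findall(line[m.end():])}
    # Bind each custom string (cs1, cs2, ...) to the label carried in its csNLabel field and
    # split the comma-separated ID list, so consumers see "MITRE Tactics IDs" rather than "cs1".
    for key in [k for k in ext if k.endswith("Label") and k[:-5] in ext]:
        ext[ext.pop(key)] = ext.pop(key[:-5]).split(",")
    event.update(ext)
    event["severity_name"] = SEVERITY.get(event["severity"], "Unknown")
    if "deviceDirection" in event:
        event["deviceDirection"] = DIRECTION.get(event["deviceDirection"], event["deviceDirection"])
    return event

# Constructed sample record assembled from the example values in Table 1 (not a real log line).
SAMPLE = (
    r"CEF:0|Trend Micro|Vision One|1.0.0|900002|Vision One Observed Attack Technique|3|"
    r"act=Block app=HTTP cat=Connection To Commonly Used Ports deviceDirection=0 "
    r"deviceExternalId=B0DA10B4-EA5A-44EA-8D78-41FE6CD1C3E2 deviceFacility=Trend Micro Deep Security "
    r"externalId=100116 request=http://35.247.144.219 src=8.8.8.8 dst=239.255.255.250 "
    r"shost=dns.google dhost=10.46.91.40 "
    r"deviceProcessName=C:\\Users\\Administrator\\AppData\\Local\\Programs\\Python\\Python38-32\\python.exe "
    r"msg=Detects the connection to commonly used ports cs1=TA0002,TA0006 cs1Label=MITRE Tactics IDs "
    r"cs2=T1003.001,T1059.001 cs2Label=MITRE Technique IDs rt=Dec 05 2022 05:26:45 dpt=8080 spt=544 "
    r"TrendMicroV1CompanyID=68960c94-9be6-4343-a4ca-6408de7aa331"
)

if __name__ == "__main__":
    for k, v in parse_oat(SAMPLE).items():
        print(f"{k}: {v}")
```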