To enable flexible integration with third-party log management systems, Cloud App Security also supports Common Event Format (CEF) as the syslog message format.
Common Event Format (CEF) is an open log management standard created by HP ArcSight. Cloud App Security uses a subset of the CEF dictionary.
Cloud App Security provides an optional request parameter, format. To retrieve security event logs in CEF format, add this parameter to the request and set it to cef.
Request Example

```http
GET https://api.tmcas.trendmicro.com/v1/siem/security_events?service=exchange&event=dlp&format=cef
Authorization: Bearer 1de231142eef3f83928da98dc251fbebb6cafed4
```
Response
On success, the service sends back an HTTP 200 response and returns a response body in CEF format.
Response Example
```json
{
  "current_link": "https://api.tmcas.trendmicro.com/siem/v1/security_events?service=exchange&event=securityrisk&start=2018-09-23T03:35:07.000Z&end=2018-09-25T05:47:07.000Z&limit=10&format=cef",
  "next_link": "https://api.tmcas.trendmicro.com/siem/v1/security_events?service=exchange&event=securityrisk&start=2018-09-23T03:35:07.000Z&end=2018-09-25T05:47:07.000Z&limit=10&page_id=<randomly generated value>=&format=cef",
  "last_log_item_generation_time": "2018-09-25T02:43:31Z",
  "security_events": [
    "CEF:0|Trend Micro|CAS|5.0|100,101|securityrisk|High DevicePayloadId=IwUVemkBIMKdAHkUVwi- destinationServiceName=Exchange Online cat=security_risk_scan msg=Real-time scan TrendMicroCasAffectedUser=username1@example1.onmicrosoft.com TrendMicroCasLocation=username1@example1.onmicrosoft.com\\Junk Email rt=2018-09-25T02:43:31Z TrendMicroCasPolicyName=phishing test from jimmy TrendMicroCasFilter=Web Reputation act=Quarantine outcome=success suid=<DM6PR01MB41868726C4F662504F963431994B0@DM6PR01MB4186.prod.exchangelabs.com> suser=<username2@example2.com> duser=[\"\\\"username1\\\"<username1@example1.onmicrosoft.com>\"] start=2018-09-25T02:43:21 end=2018-09-25T02:43:05 TrendMicroCasMailSubject=FW: test TrendMicroCasMailFileName=filename.exe cs2Label=detected_by cs2= TrendMicroCasRiskLevel= fileHash=f0bb4b3f4ac5f7b3228feeba2ed10c1a0a0f8d44 TrendMicroCasFileSha256=11a62297f719eddf268a53db1433531ea7f8ea22c72630708db6adef71b59865 TrendMicroCasVaReportLink=https://api-dev.tmcas.trendmicro.net/v1/siem/security_events/va_analysis_report?report_id=7ca0b75044627a884322cf29290fecc048d93b129bee48fa0b0c875a3feb1ecfc739a64b896a5278&language=en"
  ]
}
```
Response Fields
The following tables outline the syslog content mapping between Cloud App Security log output and CEF syslog types.
The CEF log format consists of a CEF header and a CEF extension:
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]
All time-related fields in the table are set to Coordinated Universal Time (UTC).
| CEF Key | Description | Value |
|---|---|---|
| logVer | CEF format version | CEF: 0 |
| vendor | Appliance vendor | Trend Micro |
| pname | Appliance product name | CAS |
| pver | Appliance version | Example: 5.0 |
| eventid | Device event class ID | Options for each Device Event Class ID and the corresponding Event Name include: |
| eventName | Event name | Options for each Device Event Class ID and the corresponding Event Name include: |
| severity | Risk level | High |
| CEF Key | Cloud App Security Log Output | Description and Value |
|---|---|---|
| devicepayloadid | security_events/log_item_id | ID that uniquely identifies a log item. Example: NdGBDmYBWu4z8GKN0JHL |
| destinationServiceName | security_events/service | Name of the requested service. Example: exchange |
| cat | security_events/event | Type of the requested security event. Example: security_risk_scan |
| Common fields in "message" | | |
| msg | security_events/message/scan_type | Whether a real-time scan or a manual scan detected the security event. Example: Real-time scan |
| TrendMicroCasAffectedUser | security_events/message/affected_user | Mailbox that received an email message triggering the security event, or user account that uploaded or modified a file triggering the security event. Example: username@example.com |
| TrendMicroCasLocation | security_events/message/location | Location where the security event was detected. Example: username@example.com\Junk Email |
| rt | security_events/message/detection_time | Date and time when the security event was detected. Example: 2018-09-25T02:14:40Z |
| TrendMicroCasPolicyName | security_events/message/triggered_policy_name | Name of the configured policy that was violated. Example: phishing test from username |
| TrendMicroCasFilter | security_events/message/triggered_security_filter | Name of the security filter that detected the security event. Example: Web Reputation |
| act | security_events/message/action | Action that Cloud App Security took after detecting the security event. Example: Quarantine |
| outcome | security_events/message/action_result | Whether the action was taken successfully. Example: success |
| Email related fields in "message" | | |
| suid | security_events/message/mail_message_id | ID of the email message that triggered the security event. Example: <0ee59974fb7c48538b3e077f5c40b875@example.com> |
| suser | security_events/message/mail_message_sender | Email address of the sender. Example: username@example.com |
| duser | security_events/message/mail_message_recipient | Email address(es) of the recipient(s). Example: "\"username\"<username@example.com>" |
| deviceCustomDate1Label | security_events/message/mail_message_submit_time | Date and time when the email message triggering the security event was submitted for sending. Value: mail_message_submit_time |
| deviceCustomDate1 | security_events/message/mail_message_submit_time | The value for deviceCustomDate1Label. Example: 2018-09-25T02:14:25.818Z |
| deviceCustomDate2Label | security_events/message/mail_message_delivery_time | Date and time when the email message triggering the security event was delivered to the recipient. Value: mail_message_delivery_time |
| deviceCustomDate2 | security_events/message/mail_message_delivery_time | The value for deviceCustomDate2Label. Example: 2018-09-25T02:14:25.818Z |
| TrendMicroCasMailSubject | security_events/message/mail_message_subject | Subject of the email message that triggered the security event. Example: example |
| TrendMicroCasMailFileName | security_events/message/mail_message_file_name | Name of the email attachment that triggered the security event. Example: filename.exe |
| File related fields in "message" | | |
| fname | security_events/message/file_name | Name of the file that triggered the security event. Example: example.pdf |
| fileCreateTime | security_events/message/file_upload_time | Date and time when the file triggering the security event was uploaded. Example: 2018-09-25T02:14:25.818Z |
| Log type related fields in "message" | | |
| Security Risk Scan | | |
| cs1Label | security_events/message/security_risk_name | Name of the security risk detected. Value: security_risk_name |
| cs1 | security_events/message/security_risk_name | The value for cs1Label. Example: Spyware: http://wrs21.winshipway.com |
| cs2Label | security_events/message/detected_by | Technology or method through which the email message or file triggering the security event was detected. Value: detected_by |
| cs2 | security_events/message/detected_by | The value for cs2Label. Example: Web Reputation |
| TrendMicroCasRiskLevel | security_events/message/risk_level | Web Reputation risk level assigned to the analyzed URL that triggered the security event. Example: Dangerous |
| fileHash | security_events/message/file_sha1 | SHA-1 hash value of the file that triggered the security event. Example: fd4a7c09dc2c48c1390e09a72b86adaf504802b5 |
| TrendMicroCasFileSha256 | security_events/message/file_sha256 | SHA-256 hash value of the file that triggered the security event. Example: 11a62297f719eddf268a53db1433531ea7f8ea22c72630708db6adef71b59865 |
| Virtual Analyzer | | |
| cs3Label | security_events/message/virus_name | Name of the virus detected. Value: virus_name |
| cs3 | security_events/message/virus_name | The value for cs3Label. Example: VAN_BOT.UMXX |
| fileHash | security_events/message/file_sha1 | SHA-1 hash value of the file that triggered the security event. Example: 0636ed126113daef6d509d9352d47defaed04508 |
| TrendMicroCasRiskLevel | security_events/message/risk_level | Virtual Analyzer risk level assigned to the analyzed object that triggered the security event. Example: Medium risk |
| cs4Label | security_events/message/detection_type | Type of the suspicious object that triggered the security event. Value: detection_type |
| cs4 | security_events/message/detection_type | The value for cs4Label. Example: File |
| TrendMicroCasVaReportLink | security_events/message/va_report_link | Virtual Analyzer report download link. Example: https://api.tmcas.trendmicro.com/v1/siem/security_events/va_analysis_report?report_id=38baa2*************************fd7187324 |
| TrendMicroCasFileSha256 | security_events/message/file_sha256 | SHA-256 hash value of the file that triggered the security event. Example: 11a62297f719eddf268a53db1433531ea7f8ea22c72630708db6adef71b59865 |
| Ransomware | | |
| cs5Label | security_events/message/ransomware_name | Name of the ransomware detected. Value: ransomware_name |
| cs5 | security_events/message/ransomware_name | The value for cs5Label. Example: Ransom_CRYPWALL.MVP |
| Data Loss Prevention | | |
| cs6Label | security_events/message/triggered_dlp_template | Details of the compliance template that was violated to trigger the security event. Value: triggered_dlp_template |
| cs6 | security_events/message/triggered_dlp_template | The value for cs6Label. Example: All: Credit Card Number |