CEF Content Security Logs

Views:

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Apex Central
Header (pver)	Appliance product version	2019
Header (eventid)	MS: Filter action	MS:Clean
Header (eventName)	Policy name	Policy
Header (severity)	Severity	3
cnt	Number of detections	Example: 10
dhost	List of all recipients	Example: employee_a1@Acompany.com;employee_a2@Acompany.com
duser	One of the recipients	Example: employee_a1@Acompany.com
act	Filter action	Example: Clean For more information, see Filter Action Mapping Table.
cs1Label	Corresponding label for the cs1 field	Example: Policy_Settings
cs1	Policy settings	Example: Default_policy
cs2Label	Corresponding label for the cs2 field	Example: Product_Version
cs2	Product version	Example: 11
cs3Label	Corresponding label for the cs3 field	Example: Filter_Type
cs3	Filter type	Example: URL reputation filter 0: Unknown 1: ContentFilter 2: AttachmentFilter 3: StandardFilter 4: SizeFilter 5: DisclaimerMgr 6: SpamFilter 7: OPP 8: ImportFilter 9: PhishingFilter 10: UrlReputationFilter
cs4Label	Corresponding label for the cs4 field	Example: CLF_ReasonCode
cs4	Reason Code	Example: access
cs5Label	Corresponding label for the cs5 field	Example: CLF_ReasonCodeSource
cs5	Reason code source	Example: web
cs6Label	Corresponding label for the cs6 field	Example: Action_on_Message
cs6	Action	Example: 3 0: Unknown 1: N/A 2: Deliver 3: Delete 4: Quarantine 5: Postpone 6: Forward 7: Replace 8: Archive 100: Strip 101: Pass
cat	Log type	Example: 1705
dvchost	Endpoint host name	Example: ApexOneClient01
rt	Event trigger time in UTC	Example: Mar 22 2018 08:23:23 GMT+00:00
cn1Label	Corresponding label for the cn1 field	Example: Severity
cn1	Severity code	Example: 2 0: Unknown 1: Information 2: Warning 3: Error 4: Critical
TMCMLogSeverity	Description of severity	Second scan engine
cn2Label	Corresponding label for the cn2 field	Filter_Action_Result
cn2	Filter action result	Example: 21 For more information, see Filter Action Result Mapping Table.
deviceExternalId	ID	Example: 5
fname	File	Example: RERERW~42w.exe
msg	Subject	Example: Open this email to win a free phone
shost	List of all senders/users in violation	Example: "bear" <bear@abc.mail.com>;"yumi" <yumi@abc.mail.com>
suser	One of the senders/users in violation	Example: "bear" <bear@abc.mail.com>
deviceFacility	Product	Example: Deep Discovery Email Inspector
src	Email sender IP address	Example: 10.206.155.122
filepath	Suspicious file location	Example: https://ca91-1.testurl.com:443
request	Suspicious URL	Example: https://ca91-1.testurl.com:443
reason	Critical threat type	Example: E A: Known Advanced Persistent Threat (APT) B: Social engineering attack C: Vulnerability attack D: Lateral movement E: Unknown threats F: C&C callback G: Ransomware
ApexCentralHost	Apex Central host name	Example: TW-CHRIS-W2019
devicePayloadId	Unique message GUID	Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697
TMCMdevicePlatform	Endpoint operating system	Example: Windows 7 6.1 (Build 7601) Service Pack 1

Log sample:

CEF:0|Trend Micro|Apex Central|2019|MS:Clean|This is a policy
name|3|deviceExternalId=90045 rt=Sep 17 2018 01:27:42 GMT+00
:00 dhost=user@test.com duser=user@test.com act=Clean cs1Label
=Policy_Settings cs1=This is policy content cs2Label=CLF_Produ
ctVersion cs2=3.2 cs3Label=Filter_Type cs3=URL reputation filt
er cs5Label=CLF_ReasonCodeSource cs5=20 cs6Label=Action_on_Mes
sage cs6=0 cat=1705 dvchost=ApexOneClient01 cn1Label=Severity
cn1=2 TMCMLogSeverity=Second scan engine fname=NE_AEP.1550
msg=plain_qp_no8_av1u_NE_AEP.1550 shost=user2@test.com suser=
user2@test.com cn2Label=Filter_Action_Result cn2=21 deviceFaci
lity=Deep Discovery Email Inspector src=10.206.155.122 reason=
B,G ApexCentralHost=TW-CHRIS-W2019 devicePayloadId=1C00290C036
0-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (B
uild 7601) Service Pack 1

Keywords: Content Security