|
CEF Key
|
Description
|
Value
|
|
Header (logVer)
|
CEF format version
|
CEF:0
|
|
Header (vendor)
|
Appliance vendor
|
Trend Micro
|
|
Header (pname)
|
Appliance product
|
Apex Central
|
|
Header (pver)
|
Appliance version
|
2019
|
|
Header (eventid)
|
Device event class ID
|
|
|
Header (eventName)
|
Event name
|
Endpoint Application Control Violation Information
|
|
Header (severity)
|
Severity
|
3
|
|
deviceExternalId
|
ID
|
Example:
39 |
|
rt
|
Event trigger time in UTC
|
Example:
Mar 22 2018 08:23:23 GMT+00:00 |
|
dvchost
|
Computer name
|
Example:
localhost |
|
shost
|
Client host name
|
Example:
shost1 |
|
cs1
|
Product server pattern version
|
Example:
1297 |
|
suser
|
Client user name
|
Example:
TREND\User |
|
cs2
|
Client IPv4 address
|
Example:
10.0.17.6 |
|
c6a3
|
Client IPv6 address
|
Example:
fe80::38ca:cd15:443c:40bb%11 |
|
cn1
|
Client status
|
|
|
filehash
|
Application file SHA-1 hash
|
Example:
D6712CAE5EC821F910E14945153AE7871AA536CA |
|
fname
|
Application file name
|
Example:
notepad.exe |
|
cs3
|
Application process command line
|
Example:
notepad.exe |
|
duser
|
User name
|
Example:
Admin004 |
|
cs4
|
Rule name
|
Example:
SAMPLE RULE SET |
|
cs5
|
Policy name
|
Example:
SAMPLE POLICY |
|
act
|
Policy action
|
|
|
deviceFacility
|
Product name
|
Example:
Trend Micro Endpoint Application Control |
|
deviceNtDomain
|
Active Directory domain
|
Example: APEXTMCM
|
|
dntdom
|
Apex One domain hierarchy
|
Example: OSCEDomain1
|
|
ApexCentralHost
|
Apex Central host name
|
Example: TW-CHRIS-W2019
|
|
devicePayloadId
|
Unique message GUID
|
Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697
|
|
TMCMdevicePlatform
|
Endpoint operating system
|
Example: Windows 7 6.1 (Build 7601) Service Pack 1
|
Log sample:
CEF:0|Trend Micro|Apex Central|2019|EAC:1|Endpoint Applica tion Control Violation Information|3|deviceExternalId=39 rt= Jun 27 2012 03:14:03 GMT+00:00 cs1Label=Version cs1=1.299.00 suser=TMCM\\QA cs2Label=ApplicationControlEvent_ClientIPAdd ress_V4 cs2=0.0.0.0 cn1Label=Connection_Status cn1=0 fileHas h=c0869b72C5606D22D92A6AC986686BB87485A25b fname=P2P_TEST.ex e cs3Label=Command cs3=C:\\P2P_TEST.exe duser=QA cs4Label=Ru le cs4=Test cs5Label=Policy cs5=TestPolicy act=Blocked devic eFacility=Trend Micro Endpoint Application Control deviceNtD omain=APEXTMCM dntdom=OSCEDomain1 ApexCentralHost=TW-CHRIS- W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697 TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack 1