CEF Virus/Malware Logs

Views:

CEF Key

Description

Value

Header (logVer)

CEF format version

CEF:0

Header (vendor)

Appliance vendor

Trend Micro

Header (pname)

Appliance product

Apex Central

Header (pver)

Appliance version

2019

Header (eventid)

AV:Action

AV:File renamed

Header (eventName)

Virus/Malware name

JS_EXPLOIT.SMDN

Header (severity)

Severity

cnt

Detections

Example: 10

dhost

Endpoint

Example: ApexOneClient01

duser

User

Example: Admin004

act

Action

Example: File renamed

For more information, see Action Mapping Table.

Event trigger time in UTC

Example: Mar 22 2018 08:23:23 GMT+00:00

cn1Label

Corresponding label for the cn1 field

Example: VLF_PatternNumber

cn1

Pattern/Rule version

Example: 920500

cn2Label

Corresponding label for the cn2 field

Example: VLF_SecondAction

cn2

Second action

Example: 3

For more information, see Second Action Mapping Table.

cs1Label

Corresponding label for the cs1 field

Example: VLF_FunctionCode

cs1

Scan type

Example: Manual Scan

0: Unknown
1: N/A
11: Real-time Scan
12: Manual Scan
13: Scheduled Scan
16: Scan Now
17: Card Scan
18: Damage Cleanup Services
19: Storage Scan

cs2Label

Corresponding label for the cs2 field

Example: VLF_EngineVersion

cs2

Engine version

Example: 9.500.1005

cs3Label

Corresponding label for the cs3 field

Example: CLF_ProductVersion

cs3

Product version

Example: 11

cs4Label

Corresponding label for the cs4 field

Example: CLF_ReasonCode

cs4

Reason code

Example: virus log

cs5Label

Corresponding label for the cs5 field

Example: VLF_FirstActionResult

cs5

First action result

Example: Unable to clean file

For more information, see Action Mapping Table.

cs6Label

Corresponding label for the cs6 field

Example: Second Action Result

cs6

Second action result

Example: Unable to clean file. Passed

For more information, see Action Mapping Table.

cat

Log type

Example: 1703

dvchost

Product server name

Example: ApexOneServer01

cn3Label

Corresponding label for the cn3 field

Example: Overall_Risk_Rating

cn3

Severity code

Example: 0

0: Low
1: Low
2: Medium
3: High

deviceExternalId

Example: 3

fname

File

Example: FakeMalwareRebootDel.exe

filePath

File path

Example: C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Rar$DR01.046\\

msg

File in compressed file

Example: BMAC Schedule of Events.xls

shost

Source host, UNC, or email address

Note

The system may not include this key in logs.

Example: xxx@test.com

dst

Endpoint IPv4 address

Examle: 50.8.1.1

c6a3Label

Corresponding label for the c6a3 field

Example: SLP_DestinationIP

c6a3

Endpoint IPv6 address

Example: fe80::38ca:cd15:443c:40bb%11

fileHash

File SHA-1

Example: D6712CAE5EC821F910E14945153AE7871AA536CA

deviceFacility

Product

Example: Apex One

reason

Critical threat type

Example: E

A: Known Advanced Persistent Threat (APT)
B: Social engineering attack
C: Vulnerability attack
D: Lateral movement
E: Unknown threats
F: C&C callback
G: Ransomware

deviceNtDomain

Active Directory domain

Example: APEXTMCM

dntdom

Apex One domain hierarchy

Example: OSCEDomain1

TMCMLogDetectedHost

Endpoint name where the log event occurred

Example: MachineHostName

TMCMLogDetectedIP

IP address where the log event occurred

Example: 10.1.2.3

ApexCentralHost

Apex Central host name

Example: TW-CHRIS-W2019

devicePayloadId

Unique message GUID

Example: 1C00290C0360-9CDE11EB-D4B8-F51F-C697

TMCMdevicePlatform

Endpoint operating system

Example: Windows 7 6.1 (Build 7601) Service Pack 1

Log sample:

CEF:0|Trend Micro|Apex Central|2019|AV:File renamed|JS_EXP
LOIT.SMDN|3|deviceExternalId=104 rt=Feb 18 2016 14:34:00 G
MT+00:00 cnt=1 dhost=ApexOneClient01 duser=Admin004 act=Fi
le renamed cn1Label=VLF_PatternNumber cn1=920500 cn2Label=
VLF_SecondAction cn2=3 cs1Label=VLF_FunctionCode cs1=Manua
l Scan cs2Label=VLF_EngineVersion cs2=9.500.1005 cs3Label=
CLF_ProductVersion cs3=10.6 cs4Label=CLF_ReasonCode cs4=vi
rus log cs5Label=VLF_FirstActionResult cs5=File renamed cs
6Label=VLF_SecondActionResult cs6=N/A cat=1703 dvchost=Ape
xOneServer01 cn3Label=CLF_ServerityCode cn3=2 fname=0348C6
93056617D34FC5B5BAB4643885FEE5FEDF;0xD5D56AC2 filePath=C:\
\Users\\Administrator\\Desktop\\trend_test_virus\\Trojans\
\ msg=BMAC Schedule of Events.xls shost=xxx@test.com dst=1
0.201.129.24 devic eFacility=Apex One reason=B deviceNtDom
ain=APEXTMCM dntdom=O SCEDomain1 ApexCentralHost=TW-CHRIS-
W2019 devicePayloadId=1C00290C0360-9CDE11EB-D4B8-F51F-C697
TMCMdevicePlatform=Windows 7 6.1 (Build 7601) Service Pack
 1

Keywords: Virus/Malware