V 2.0 : Behavior Monitoring Event

Vendor Documentation

Classification

Rule Name | Rule Type | Classification | Common Event
--- | --- | --- | ---
V 2.0 : Behavior Monitoring Event | Base Rule | Activity | General Threat Message
V 2.0 : Behaviour Monitoring : Allow | Sub Rule | Activity | General Threat Message
V 2.0 : Behaviour Monitoring : Ask | Sub Rule | Other Security | General Security
V 2.0 : Behaviour Monitoring : Deny | Sub Rule | Failed Activity | Threat Blocked
V 2.0 : Behaviour Monitoring : Terminate : 3 | Sub Rule | Failed Activity | Threat Blocked
V 2.0 : Behaviour Monitoring : Read Only | Sub Rule | Activity | General Threat Message
V 2.0 : Behaviour Monitoring : Read/Write Only | Sub Rule | Activity | General Threat Message
V 2.0 : Behaviour Monitoring : Read/Execute Only | Sub Rule | Activity | General Threat Message
V 2.0 : Behaviour Monitoring : Feedback | Sub Rule | Activity | General Threat Message
V 2.0 : Behaviour Monitoring : Clean | Sub Rule | Failed Activity | Threat Deleted
V 2.0 : Behaviour Monitoring : Unknown | Sub Rule | Activity | General Threat Message
V 2.0 : Behaviour Monitoring : Assess | Sub Rule | Activity | General Threat Message
V 2.0 : Behaviour Monitoring : Terminate : 1004 | Sub Rule | Failed Activity | Threat Blocked
V 2.0 : Behaviour Monitoring : Terminate : 1005 | Sub Rule | Failed Activity | Threat Blocked
V 2.0 : Behaviour Monitoring : Terminate : 1006 | Sub Rule | Failed Activity | Threat Blocked
V 2.0 : Behaviour Monitoring : Terminate : 1007 | Sub Rule | Failed Activity | Threat Blocked
V 2.0 : Behaviour Monitoring : Terminate : 1008 | Sub Rule | Failed Activity | Threat Blocked
V 2.0 : Behaviour Monitoring : Terminate : 1009 | Sub Rule | Failed Activity | Threat Blocked

The sub rule is selected by the value of the act field: Terminate : 3 and Terminate : 1004 through 1009 correspond to the act codes of the same number (see the act value list under the mapping below).

Mapping with LogRhythm Schema

Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description
--- | --- | --- | ---
Header (logVer) | N/A | N/A | CEF format version
Header (vendor) | N/A | N/A | Product vendor
Header (pname) | N/A | N/A | Product name
Header (pver) | N/A | N/A | Product version
Header (eventid) | N/A | N/A | Behavior Monitoring policy ID
Header (eventName) | <vmid> | Text/String | Log name
Header (severity) | N/A | N/A | Severity
devicePayloadId | N/A | N/A | Unique message GUID
rt | N/A | N/A | Log generation time in UTC
dvcHost | N/A | N/A | Host name
cs5Label | N/A | N/A | Corresponding label for the "cs5" field
cs5 | <severity> | Number, Text/String | Risk Level (0: Low, 1: High)
cs2Label | N/A | N/A | Corresponding label for the "cs2" field
cs2 | <policy> | Number, Text/String | Behavior Monitoring policy (values listed below)
sproc | <process> | Text/String/Number | Target of the event
cs3Label | N/A | N/A | Corresponding label for the "cs3" field
cs3 | N/A | N/A | Target type (values listed below)
cs1Label | N/A | N/A | Corresponding label for the "cs1" field
cs1 | <object> | Text/String/Number | Target host
act | <action>, <tag1> | Number, Text/String | Translated action (values listed below)
cs4Label | N/A | N/A | Corresponding label for the "cs4" field
cs4 | N/A | N/A | The operation to be performed by the target of the event (values listed below)
shost | <dname> | Text/String/Number | Source host (endpoint)
src | <dip> | IP Address | Source host IP address
TMCMLogDetectedHost | N/A | N/A | Endpoint name where the log event occurred
TMCMLogDetectedIP | N/A | N/A | IP address where the log event occurred
deviceFacility | N/A | N/A | Product
ApexCentralHost | N/A | N/A | Apex Central host name
reason | <reason> | Text/String | Critical threat type (values listed below)
deviceNtDomain | N/A | N/A | Active Directory domain
dntdom | N/A | N/A | Apex One domain hierarchy

cs2 values (Behavior Monitoring policy):

0: Compromised executable file
1: New startup program
2: Host file modification
3: Program library injection
4: New Internet Explorer plugin
5: Internet Explorer setting modification
6: Shell modification
7: New service
8: Security policy modification
9: Firewall policy modification
10: System file modification
11: Duplicated system file
13: Layered service provider
14: System process modification
16: Suspicious behavior
100: Newly encountered programs
200: Unauthorized file encryption
1000: Threat behavior analysis
9999: User-defined policy

cs3 values (target type; each value is a power of two, and 65535 denotes All):

1: Process
2: Process image
4: Registry
8: File system
16: Driver
32: SDT
64: System API
128: User Mode
2048: Exploit
65535: All

act values (translated action; the numeric code is stored in <action> and the text in <tag1>):

0: Allow
1: Ask
2: Deny
3: Terminate
4: Read Only
5: Read/Write Only
6: Read/Execute Only
7: Feedback
8: Clean
1002: Unknown
1003: Assess
1004: Terminated. Files were recovered.
1005: Terminated. Some files were not recovered.
1006: Terminated. Files were not recovered.
1007: Terminated. Restart result: Files were recovered.
1008: Terminated. Restart result: Some files were not recovered.
1009: Terminated. Restart result: Files were not recovered.

cs4 values (operation to be performed by the target of the event):

101: Create Process
102: Open
103: Terminate
104: Terminate
301: Delete
302: Write
303: Access
401: Create File
402: Close
403: Execute
501: Invoke
601: Exploit
9999: Unhandled Operation

reason values (critical threat type):

A: Known Advanced Persistent Threat (APT)
B: Social engineering attack
C: Vulnerability attack
D: Lateral movement
E: Unknown threats
F: C&C callback
G: Ransomware
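As an added example, not LogRhythm's MPE rule code and not Trend Micro's exporter, the following Python parses one Behavior Monitoring CEF line and applies the two tables on this page: it splits the seven CEF header fields, reads the extension key=value pairs (honouring CEF's backslash escaping of "|", "=" and "\"), translates the cs5, cs2, cs4, act and reason codes to their listed meanings, and derives the sub rule, Rule Type and Common Event from the act code as in the classification table. The sample log line, the CEF header values and the cs*Label strings are constructed for the example and are assumptions about the exact export format; decoding cs3 as a bitmask (65535 meaning All) is likewise an assumption drawn from its power-of-two values, and mapping an act code absent from the table to "Unknown" is a choice made here.

```python
"""Added example, not LogRhythm's or Trend Micro's code: parse an Apex Central
Behavior Monitoring CEF event and apply this page's field mapping and sub-rule
classification.  Sample line, header values and cs*Label strings are constructed."""
import re

# Value tables copied from the mapping table on this page.
ACTIONS = {
    0: "Allow", 1: "Ask", 2: "Deny", 3: "Terminate", 4: "Read Only",
    5: "Read/Write Only", 6: "Read/Execute Only", 7: "Feedback", 8: "Clean",
    1002: "Unknown", 1003: "Assess",
    1004: "Terminated. Files were recovered.",
    1005: "Terminated. Some files were not recovered.",
    1006: "Terminated. Files were not recovered.",
    1007: "Terminated. Restart result: Files were recovered.",
    1008: "Terminated. Restart result: Some files were not recovered.",
    1009: "Terminated. Restart result: Files were not recovered.",
}
RISK = {0: "Low", 1: "High"}
POLICIES = {0: "Compromised executable file", 1: "New startup program", 2: "Host file modification",
            3: "Program library injection", 4: "New Internet Explorer plugin",
            5: "Internet Explorer setting modification", 6: "Shell modification", 7: "New service",
            8: "Security policy modification", 9: "Firewall policy modification",
            10: "System file modification", 11: "Duplicated system file", 13: "Layered service provider",
            14: "System process modification", 16: "Suspicious behavior", 100: "Newly encountered programs",
            200: "Unauthorized file encryption", 1000: "Threat behavior analysis", 9999: "User-defined policy"}
TARGET_TYPES = {1: "Process", 2: "Process image", 4: "Registry", 8: "File system", 16: "Driver",
                32: "SDT", 64: "System API", 128: "User Mode", 2048: "Exploit"}
OPERATIONS = {101: "Create Process", 102: "Open", 103: "Terminate", 104: "Terminate", 301: "Delete",
              302: "Write", 303: "Access", 401: "Create File", 402: "Close", 403: "Execute",
              501: "Invoke", 601: "Exploit", 9999: "Unhandled Operation"}
REASONS = {"A": "Known Advanced Persistent Threat (APT)", "B": "Social engineering attack",
           "C": "Vulnerability attack", "D": "Lateral movement", "E": "Unknown threats",
           "F": "C&C callback", "G": "Ransomware"}
# CEF extension key -> LogRhythm schema field, as mapped on this page.
SCHEMA = {"sproc": "process", "cs1": "object", "shost": "dname", "src": "dip"}
LOOKUPS = {"cs5": ("severity", RISK), "cs2": ("policy", POLICIES), "cs4": ("operation", OPERATIONS)}

_PIPE = re.compile(r"(?<!\\)\|")     # a '|' not escaped with a backslash
_KV = re.compile(r"\s(?=[\w.]+=)")   # whitespace that begins the next key=value
_ESC = re.compile(r"\\(.)")          # CEF escapes '|', '=' and '\' with a backslash


def parse_cef(line):
    """Split one CEF line into its seven header fields and an extension dict."""
    parts = _PIPE.split(line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = {n: _ESC.sub(r"\1", p) for n, p in
              zip(["logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity"], parts[:7])}
    header["logVer"] = header["logVer"][len("CEF:"):]
    ext = {}
    for token in _KV.split(parts[7].strip()):
        key, _, value = token.partition("=")
        ext[key] = _ESC.sub(r"\1", value)
    return header, ext


def classify(act):
    """Sub rule, Rule Type and Common Event for an act code, per the first table."""
    terminate = act == 3 or 1004 <= act <= 1009
    suffix = f"Terminate : {act}" if terminate else ACTIONS.get(act, "Unknown")
    if act == 2 or terminate:
        rule_type, common_event = "Failed Activity", "Threat Blocked"
    elif act == 8:
        rule_type, common_event = "Failed Activity", "Threat Deleted"
    elif act == 1:
        rule_type, common_event = "Other Security", "General Security"
    else:
        rule_type, common_event = "Activity", "General Threat Message"
    return f"V 2.0 : Behaviour Monitoring : {suffix}", rule_type, common_event


def decode_target_type(cs3):
    """Assumption: cs3 is a bitmask of target types, with 65535 meaning All."""
    if cs3 == 65535:
        return ["All"]
    return [name for bit, name in TARGET_TYPES.items() if cs3 & bit]


def map_event(line):
    """Return the LogRhythm-side fields for one CEF line."""
    header, ext = parse_cef(line)
    out = {"vmid": header["eventName"]}
    for key, field in SCHEMA.items():             # pass-through string fields
        if key in ext:
            out[field] = ext[key]
    for key, (field, table) in LOOKUPS.items():   # numeric codes -> their meaning
        if key in ext:
            out[field] = table.get(int(ext[key]), ext[key])
    if "reason" in ext:
        out["reason"] = REASONS.get(ext["reason"], ext["reason"])
    if "cs3" in ext:
        out["target_type"] = decode_target_type(int(ext["cs3"]))
    act = int(ext["act"])
    out["action"], out["tag1"] = act, ACTIONS.get(act, "Unknown")  # unlisted code -> "Unknown" (assumption)
    out["sub_rule"], out["rule_type"], out["common_event"] = classify(act)
    return out


# Constructed sample line; header values and the *Label strings are assumptions.
SAMPLE = (r"CEF:0|Trend Micro|Apex Central|2019|BM|Behavior Monitoring|3|"
          r"rt=Jan 20 2024 10:11:12 GMT+00:00 dvcHost=APEX-SRV cs5Label=RiskLevel cs5=1 "
          r"cs2Label=Policy cs2=200 sproc=C:\\Users\\alice\\Downloads\\update.exe "
          r"cs3Label=TargetType cs3=8 cs1Label=Target cs1=C:\\Users\\alice\\Documents\\q3.docx "
          r"act=1004 cs4Label=Operation cs4=302 shost=WS-0042 src=10.0.0.42 reason=G "
          r"deviceNtDomain=CORP dntdom=Workgroup")

if __name__ == "__main__":
    for field, value in map_event(SAMPLE).items():
        print(f"{field:13} {value}")
```

Running the module prints the mapped fields for the constructed ransomware-style event (act=1004 lands in the Terminate : 1004 sub rule with Failed Activity / Threat Blocked). The extension splitter keys on whitespace followed by a key and "=", so values containing spaces, such as rt, survive, while an escaped "\=" inside a value is left alone and unescaped afterwards.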