V 2.0 : Device Access Control Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
| --- | --- | --- | --- |
| V 2.0 : Device Access Control Event | Base Rule | Other Audit | General Access Control Message |
| V 2.0 : Device Access Control : Modify | Sub Rule | Access Success | Object Modified |
| V 2.0 : Device Access Control : Read & Execute | Sub Rule | Access Success | Object Read |
| V 2.0 : Device Access Control : Read | Sub Rule | Access Success | Object Read |
| V 2.0 : DAC : List Device Content Only | Sub Rule | Access Success | Object Read |
| V 2.0 : Device Access Control : Block | Sub Rule | Access Failure | Access Object Failure |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | N/A | N/A | Event ID |
| Header (eventName) | `<vmid>` | Text/String | Log name |
| Header (severity) | `<severity>` | Number | Severity |
| rt | N/A | N/A | The log generation time in UTC |
| cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
| cs1 | N/A | N/A | Server host name |
| shost | `<sname>` | Text/String | Source host name |
| duser | `<domainimpacted>`, `<account>` | Text/String | User name |
| dvchost | `<dname>` | Text/String | Target host name |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | N/A | N/A | Product ID (values listed below the table) |
| sproc | `<process>` | Text/String | Target process |
| fname | `<object>` | Text/String | File name |
| cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
| cn2 | N/A | N/A | 0: USB storage device; 1: Non-storage USB; 2: CD/DVD; 3: Floppy disks; 4: Network driver |
| cn3Label | N/A | N/A | Corresponding label for the "cn3" field |
| cn3 | `<action>`, `<tag1>` | Text/String/Number | 0: Modify; 1: Read and execute; 2: Read; 3: List device content only; 4: Block |
| deviceFacility | N/A | N/A | Product |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| TMCMLogDetectedHost | N/A | N/A | Endpoint name where the log event occurred |
| TMCMLogDetectedIP | `<sip>` | IP Address | IP address where the log event occurred |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |

Product ID (cn1) values:

0 Unknown product
1 ScanMail for ccMail
2 ScanMail for Lotus Domino
3 ScanMail for Microsoft Exchange
4 ScanMail for Microsoft Mail
5 ScanMail for OpenMail
6 Reserved 1
7 Reserved 2
8 Reserved 3
9 Reserved 4
10 InterScan WebProtect
11 Reserved 5
12 Reserved 6
13 Reserved 7
14 PC-cillin Corporate Edition
15 Apex One
16 Apex One for Microsoft SBS
18 ServerProtect for Windows
19 ServerProtect for Windows (SOHO)
20 Apex Central
21 Generic
22 InterScan VirusWall for Unix
23 InterScan VirusWall for Windows
24 MOCA
25 GoldenGate
26 ActiveUpdate
27 IS_Y2K_SCANNER
28 Y2K VIRUS TECH SUPPORT SRV
30 HouseCall
31 PC-cillin ISP server
32 PC-cillin ISP client
33 eManager for ScanMail Exchange
34 InterScan Messaging Security Suite for Windows
35 InterScan Messaging Security Suite for UNIX
36 PortalProtect
37 GateLock Corporate Edition
38 Firewall management (NetScreen)
39 InterScan Web Security Suite for Solaris
40 InterScan Web Security Suite for Windows NT
41 Nokia Message Protector
42 InterScan Web Security Suite for Linux
43 InterScan Web Security Suite for Appliance
44 InterScan Messaging Security Appliance
45 InterScan for Small and Medium Business for Windows NT
46 InterScan Web Security Virtual Appliance
47 InterScan Messaging Security Virtual Appliance
50 InterScan Gateway Security Appliance
51 ServerProtect for Linux
52 ServerProtect for EMC
53 ServerProtect for NetApp
56 Child Apex Central Server
60 Damage Cleanup Services
65 Golden Gate for NT
66 Network VirusWall 1200
67 Network VirusWall MIPS
68 Network VirusWall 2500
69 Network VirusWall 2500 v2
70 Vulnerability Assessment
71 Network Virus Wall Enforcer 1200
72 Network VirusWall Enforcer
73 Network VirusWall Enforcer
75 Trend Micro Threat Mitigator
85 Anti-Spyware Enterprise Edition
87 Trend Micro InterScan for Cisco CSC SSM-20
88 Trend Micro InterScan for Cisco CSC SSM-10
90 IM Security
95 InterScan VirusWall
96 InterScan VirusWall for Linux
100 Control Manager Agent
200 eDoctor Server
300 eDoctor Agent
132 InterScan Messaging Security Suite for Solaris
120 Threat Discovery Appliance
131 Database Protect for Linux
151 Total Discovery Mitigation Server
154 Deep Discovery Inspector
155 ScanMail for IBM Domino
156 Deep Discovery Email Inspector
1000 InterScan eManager
1001 InterScan AppletTrap
1002 InterScan VirusWall Java
1003 IS_SEMAIL
1004 InterScan WebProtect for ICAP
10001 NEC StarOffice
20001 Dr. Soloman Anti-virus
20002 Inoculan
20003 Norton Anti-virus
20004 Sophos Sweep
20005 Intel LANProtect
20006 McAfee Virus Scan
20007 FProt
21000 Other third-party product
31001 Apex One (Mac)
31002 Trend Micro Endpoint Encryption
31003 Trend Micro Endpoint Application Control
31004 Trend Micro Deep Security
31006 Vulnerability Protection
31005 Trend Micro Mobile Security
31007 Trend Micro Safe Mobile Workforce
31008 Deep Discovery Analyzer
31009 Trend Micro Endpoint Sensor
31012 Deep Discovery Web Inspector
31101 Trend Micro Email Security
31102 Worry Free Business Security Services
31103 Trend Micro Web Security
31104 Cloud App Security
55555 Demo product
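As an added example that is not part of this vendor documentation or of LogRhythm's own parser, the Python code below parses one CEF line of this event type, applies the key-to-schema mapping from the mapping table, and derives the sub rule, classification and common event from the cn3 value as the classification table defines them. The sample log line, its host names, user name and GUID placeholder are constructed; the split of duser into `<domainimpacted>` and `<account>` on a `DOMAIN\user` separator, the small subset of the cn1 product list, and the CEF escaping rules applied (`\|` in header fields, `\=` in extension values, `\\` in both) are assumptions of this example.

```python
"""Parse an Apex Central CEF "Device Access Control Event" line and map it to
the LogRhythm schema names and sub rule listed in the tables above."""
import re

HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

# cn3 value -> action name, and the sub rule row that the classification table assigns to it.
ACTIONS = {0: "Modify", 1: "Read and execute", 2: "Read", 3: "List device content only", 4: "Block"}
SUB_RULES = {
    0: ("V 2.0 : Device Access Control : Modify", "Access Success", "Object Modified"),
    1: ("V 2.0 : Device Access Control : Read & Execute", "Access Success", "Object Read"),
    2: ("V 2.0 : Device Access Control : Read", "Access Success", "Object Read"),
    3: ("V 2.0 : DAC : List Device Content Only", "Access Success", "Object Read"),
    4: ("V 2.0 : Device Access Control : Block", "Access Failure", "Access Object Failure"),
}
BASE_RULE = ("V 2.0 : Device Access Control Event", "Other Audit", "General Access Control Message")
DEVICE_TYPES = {0: "USB storage device", 1: "Non-storage USB", 2: "CD/DVD",
                3: "Floppy disks", 4: "Network driver"}
PRODUCTS = {15: "Apex One", 20: "Apex Central", 31001: "Apex One (Mac)"}  # subset of the cn1 list


def _unescape(value, in_header):
    # CEF escapes '|' inside header fields, '=' inside extension values and '\' in both (assumption).
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt == "\\" or (in_header and nxt == "|") or (not in_header and nxt == "="):
                out.append(nxt)
                i += 2
                continue
            if not in_header and nxt in "nr":
                out.append("\n" if nxt == "n" else "\r")
                i += 2
                continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_cef(line):
    """Split a CEF line into its seven header fields and a dict of extension key/value pairs."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = {k: _unescape(v, True) for k, v in zip(HEADER_FIELDS, parts[:7])}
    ext = {}
    # A new pair starts at whitespace followed by 'key='; values themselves may contain spaces.
    for token in re.split(r"\s+(?=[\w.]+=)", parts[7].strip()):
        key, _, val = token.partition("=")
        ext[key] = _unescape(val, False)
    return header, ext


def to_logrhythm(line):
    """Map one Device Access Control Event to the LogRhythm schema names of the mapping table."""
    hdr, ext = parse_cef(line)
    # duser is assumed to arrive as DOMAIN\user; split it into <domainimpacted> and <account>.
    domain, _, account = ext.get("duser", "").rpartition("\\")
    action = int(ext["cn3"]) if ext.get("cn3", "").isdigit() else None
    rule, classification, common_event = SUB_RULES.get(action, BASE_RULE)
    product_id = int(ext["cn1"]) if ext.get("cn1", "").isdigit() else None
    device_type = int(ext["cn2"]) if ext.get("cn2", "").isdigit() else None
    return {
        "vmid": hdr["eventName"], "severity": int(hdr["severity"]),
        "sname": ext.get("shost"), "dname": ext.get("dvchost"),
        "domainimpacted": domain, "account": account,
        "process": ext.get("sproc"), "object": ext.get("fname"),
        "sip": ext.get("TMCMLogDetectedIP"),
        "action": action, "tag1": ACTIONS.get(action),
        "product": PRODUCTS.get(product_id, f"product id {product_id}"),
        "device_type": DEVICE_TYPES.get(device_type),
        "rule": rule, "classification": classification, "common_event": common_event,
    }


# Constructed sample line (not from the vendor documentation); hosts, user and GUID are made up.
SAMPLE = (r"CEF:0|Trend Micro|Apex Central|2019|AC:Device Access Control|"
          r"Device Access Control Event|3|rt=Jun 07 2019 03:21:23 GMT+00:00 "
          r"cs1Label=Server_Name cs1=TMCM-SERVER shost=WS-FINANCE-07 duser=CORP\\alice "
          r"dvchost=WS-FINANCE-07 cn1Label=Product_ID cn1=15 sproc=C:\\Windows\\explorer.exe "
          r"fname=E:\\payroll\\q2\=final.xlsx cn2Label=Device_Type cn2=0 cn3Label=Action cn3=4 "
          r"deviceFacility=Apex One deviceNtDomain=CORP dntdom=Workgroup "
          r"TMCMLogDetectedHost=WS-FINANCE-07 TMCMLogDetectedIP=10.20.30.41 "
          r"ApexCentralHost=TMCM-SERVER devicePayloadId=PLACEHOLDER-GUID")

if __name__ == "__main__":
    for key, value in to_logrhythm(SAMPLE).items():
        print(f"{key:>15}: {value}")
```

Running the block prints the mapped record for the constructed sample: because cn3 is 4, the event lands in the "Block" sub rule with classification "Access Failure" and common event "Access Object Failure", and the escaped `\=` in fname is restored to a literal `=` in `<object>`. Changing cn3 to 0 in the same line moves it to the "Modify" sub rule.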