V 2.0 : Network Content Inspection Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Network Content Inspection Event | Base Rule | Activity | General Activity |
| V 2.0 : Network Content Inspection : Unknown | Sub Rule | Activity | General Activity |
| V 2.0 : Network Content Inspection : Pass | Sub Rule | Activity | Web Activity Allowed |
| V 2.0 : Network Content Inspection : Block | Sub Rule | Failed Activity | General Failed Activity |
| V 2.0 : Network Content Inspection : Monitor | Sub Rule | Activity | General Activity |
| V 2.0 : Network Content Inspection : Delete | Sub Rule | Failed Activity | General Failed Activity |
| V 2.0 : Network Content Inspection : Quarantine | Sub Rule | Activity | Quarantine |
| V 2.0 : Network Content Inspection : Warn | Sub Rule | Activity | General Activity |
| V 2.0 : Network Content Inspection : Warn & Continue | Sub Rule | Activity | Web Activity Allowed |
| V 2.0 : Network Content Inspection : Override | Sub Rule | Activity | Web Activity Allowed |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | `<vmid>` | Text/String | NCIE:Action |
| Header (eventName) | N/A | N/A | Name |
| Header (severity) | `<severity>` | Number | Severity |
| deviceExternalId | N/A | N/A | ID |
| rt | N/A | N/A | Log generation time in UTC |
| cat | N/A | N/A | Log type |
| deviceFacility | N/A | N/A | Product name |
| deviceProcessName | `<process>` | Text/String/Number | Target Process |
| act | `<action>`, `<tag1>` | Text/String | Action (0: Unknown; 1: Pass; 2: Block; 3: Monitor; 4: Delete; 5: Quarantine; 6: Warn; 7: Warn and continue; 8: Override) |
| src | `<sip>` | IP Address | Source IPv4 address |
| c6a2Label | N/A | N/A | Corresponding label for the "c6a2" field |
| c6a2 | N/A | N/A | Local IPv6 address |
| dst | `<dip>` | IP Address | Destination IPv4 address |
| c6a3Label | N/A | N/A | Corresponding label for the "c6a3" field |
| c6a3 | N/A | N/A | Remote IPv6 address |
| spt | `<sport>` | Number | Source port |
| dpt | `<dport>` | Number | Destination port |
| deviceDirection | N/A | N/A | Traffic direction (0: None; 1: Inbound; 2: Outbound) |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | N/A | N/A | Pattern type (0: Global C&C pattern; 1: Relevance rules; 2: User-defined block list) |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | `<threatname>` | Text/String | Threat name |
| reason | `<reason>` | Text/String | Critical threat type (A: Known Advanced Persistent Threat (APT); B: Social engineering attack; C: Vulnerability attack; D: Lateral movement; E: Unknown threats; F: C&C callback; G: Ransomware) |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| dvchost | N/A | N/A | Host name |
| TMCMLogDetectedHost | N/A | N/A | Endpoint name where the log event occurred |
| TMCMLogDetectedIP | N/A | N/A | IP address where the log event occurred |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |
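As an added example (not LogRhythm's or the vendor's code), the following Python applies the two tables above to one CEF line: it splits the header and the key=value extension, selects the sub-rule from the act code (unlisted codes fall back to the base rule), and decodes the coded deviceDirection, cn1 and reason values into the labels listed. The sample line is constructed; the vendor, version and GUID values in it are placeholders.

```python
import re
# Added example, not the vendor's or LogRhythm's code; the lookup tables restate the two tables above.
SUB_RULES = {  # act code -> (sub-rule name, Classification, Common Event)
    "0": ("Unknown", "Activity", "General Activity"),
    "1": ("Pass", "Activity", "Web Activity Allowed"),
    "2": ("Block", "Failed Activity", "General Failed Activity"),
    "3": ("Monitor", "Activity", "General Activity"),
    "4": ("Delete", "Failed Activity", "General Failed Activity"),
    "5": ("Quarantine", "Activity", "Quarantine"),
    "6": ("Warn", "Activity", "General Activity"),
    "7": ("Warn & Continue", "Activity", "Web Activity Allowed"),
    "8": ("Override", "Activity", "Web Activity Allowed"),
}
BASE_RULE = ("V 2.0 : Network Content Inspection Event", "Activity", "General Activity")
REASONS = {"A": "Known Advanced Persistent Threat (APT)", "B": "Social engineering attack",
           "C": "Vulnerability attack", "D": "Lateral movement", "E": "Unknown threats",
           "F": "C&C callback", "G": "Ransomware"}
DIRECTIONS = {"0": "None", "1": "Inbound", "2": "Outbound"}
PATTERN_TYPES = {"0": "Global C&C pattern", "1": "Relevance rules", "2": "User-defined block list"}
CEF_HEADER = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

def parse_cef(line):
    # Seven header fields separated by '|'; an escaped '\|' inside a field is not a separator.
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    assert len(parts) == 8, "not a CEF line: expected 7 header separators"
    header = dict(zip(CEF_HEADER, parts[:7]))
    # Extension values may contain spaces, so a value runs until the next "key=" token.
    ext = {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}
    return header, ext

def to_logrhythm(line):
    # Pick the sub-rule from "act" (an unlisted code falls back to the base rule), then fill the schema.
    header, ext = parse_cef(line)
    name, classification, common_event = SUB_RULES.get(ext.get("act"), (None,) + BASE_RULE[1:])
    return {
        "rule": f"V 2.0 : Network Content Inspection : {name}" if name else BASE_RULE[0],
        "classification": classification, "common_event": common_event,
        "vmid": header["eventid"], "severity": int(header["severity"]), "sip": ext.get("src"), "dip": ext.get("dst"),
        "sport": int(ext["spt"]) if "spt" in ext else None, "dport": int(ext["dpt"]) if "dpt" in ext else None,
        "process": ext.get("deviceProcessName"), "threatname": ext.get("cs2"),
        "reason": REASONS.get(ext.get("reason"), ext.get("reason")),  # decoded A-G letter, or raw if unknown
        "direction": DIRECTIONS.get(ext.get("deviceDirection")), "pattern_type": PATTERN_TYPES.get(ext.get("cn1")),
    }

# Constructed sample line: placeholder vendor, version and GUID values, documentation IP ranges.
SAMPLE = ("CEF:0|Trend Micro|Apex Central|0.0|NCIE:Action|Network Content Inspection Event|3|"
          "rt=Jan 05 2024 10:21:07 GMT+00:00 cat=1 deviceProcessName=example.exe act=2 "
          "src=10.0.0.5 dst=203.0.113.7 spt=51234 dpt=443 deviceDirection=2 cn1Label=PatternType "
          "cn1=0 cs2Label=ThreatName cs2=EXAMPLE_THREAT reason=F devicePayloadId=PLACEHOLDER-GUID")
```

Calling to_logrhythm(SAMPLE) yields the Block sub-rule with the Failed Activity classification; changing act to 7 selects Warn & Continue, and an act code outside 0-8 drops to the base rule.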