V 2.0 : Spyware/Grayware Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Spyware/Grayware Event | Base Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spyware/Grayware : Unknown | Sub Rule | Other Security | General Security |
| V 2.0 : Spyware/Grayware : Not Applicable | Sub Rule | Other Security | General Security |
| V 2.0 : Spyware/Grayware : File Cleaned | Sub Rule | Failed Malware | Failed Spyware Activity |
| V 2.0 : Spyware/Grayware : File Deleted | Sub Rule | Failed Malware | Failed Spyware Activity |
| V 2.0 : Spyware/Grayware : File Quarantined | Sub Rule | Activity | Quarantine |
| V 2.0 : Spyware/Grayware : File Renamed | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spyware/Grayware : File Passed | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spyware/Grayware : Unable To Clean File, Passed | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spy/Grayware : Unable To Clean File, Deleted | Sub Rule | Failed Malware | Failed Spyware Activity |
| V 2.0 : Spy/Grayware : Unable To Clean File, Renamed | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spy/Grayware : Unable To Clean File,Quarantine | Sub Rule | Activity | Quarantine |
| V 2.0 : Spyware/Grayware : File Dropped | Sub Rule | Failed Malware | Failed Spyware Activity |
| V 2.0 : Spy/Grayware : Unable To Clean File, Stripped | Sub Rule | Failed Malware | Failed Spyware Activity |
| V 2.0 : Spyware/Grayware : File Replaced | Sub Rule | Failed Malware | Failed Spyware Activity |
| V 2.0 : Spyware/Grayware : File Archived | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spyware/Grayware : Blocked Successfully | Sub Rule | Failed Malware | Failed Spyware Activity |
| V 2.0 : Spyware/Grayware : Quarantined Successfully | Sub Rule | Activity | Quarantine |
| V 2.0 : Spyware/Grayware : Stamped Successfully | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spyware/Grayware : File Uploaded | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spyware/Grayware : Access Denied | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spyware/ Grayware : No Action | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spyware/ Grayware : Scan Stopped | Sub Rule | Information | Scan Stopped |
| V 2.0 : Spyware/ Grayware : Encrypted | Sub Rule | Activity | Encrypted Files Detected |
| V 2.0 : Spyware/ Grayware : Undefined | Sub Rule | Activity | General Activity |
| V 2.0 : Spyware/ Grayware : System Rebooted | Sub Rule | Startup and Shutdown | System Restarted |
| V 2.0 : Spyware/Grayware : Action Failed | Sub Rule | Activity | General Activity |
| V 2.0 : Spyware/Grayware : Action Required | Sub Rule | Activity | General Activity |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | `<vmid>` | Text/String | Device event class ID |
| Header (eventName) | N/A | N/A | Event name |
| Header (severity) | `<severity>` | Number | Severity |
| deviceExternalId | N/A | N/A | ID |
| rt | N/A | N/A | Log generation time in UTC |
| cnt | `<quantity>` | Number | Number of detections |
| dhost | `<dname>` | Text/String/Number | Endpoint host name |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | N/A | N/A | Pattern type |
| cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
| cs1 | `<threatname>` | Text/String | Spyware/Grayware |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | `<version>` | Number | Engine version |
| cs5Label | N/A | N/A | Corresponding label for the "cs5" field |
| cs5 | `<action>`, `<tag1>` | Text/String/Number | Action |
| cs6Label | N/A | N/A | Corresponding label for the "cs6" field |
| cs6 | N/A | N/A | Pattern version |
| cat | N/A | N/A | Log type |
| dvchost | N/A | N/A | Endpoint host name |
| fname | `<object>` | Text/String/Number | Resource |
| filePath | N/A | N/A | Resource |
| dst | `<dip>` | IP Address | Endpoint IPv4 address |
| c6a3Label | N/A | N/A | Corresponding label for the "c6a3" field |
| c6a3 | N/A | N/A | Endpoint IPv6 address |
| deviceFacility | N/A | N/A | Product |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| TMCMLogDetectedHost | `<dname>` | Text/String/Number | Endpoint name where the log event occurred |
| TMCMLogDetectedIP | `<dip>` | IP Address | IP address where the log event occurred |
| fileHash | `<hash>` | Text/String/Number | File SHA-1 |
| duser | `<account>` | Text/String/Number | User Name |
| cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
| cn2 | N/A | N/A | Scan type |
| cn3Label | N/A | N/A | Corresponding label for the "cn3" field |
| cn3 | N/A | N/A | Security Threat Type |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |