V 2.0 : Virus/Malware Logs

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
| --- | --- | --- | --- |
| V 2.0 : Virus/Malware Logs | Base Rule | Malware | Detected Malware Activity |
| V 2.0 : Virus/Malware : Unknown | Sub Rule | Other Security | General Security |
| V 2.0 : Virus/Malware : Not Applicable | Sub Rule | Other Security | General Security |
| V 2.0 : Virus/Malware : File Cleaned | Sub Rule | Failed Malware | Failed Malware Activity |
| V 2.0 : Virus/Malware : File Deleted | Sub Rule | Failed Malware | Failed Malware Activity |
| V 2.0 : Virus/Malware : File Quarantined | Sub Rule | Activity | Quarantine |
| V 2.0 : Virus/Malware : File Renamed | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : Virus/Malware : File Passed | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : Virus/Malware : Unable To Clean File, Passed | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : Virus/Malware : Unable To Clean File, Deleted | Sub Rule | Failed Malware | Failed Malware Activity |
| V 2.0 : Virus/Malware : Unable To Clean File, Renamed | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : Virus/MW : Unable To Clean File, Quarantined | Sub Rule | Activity | Quarantine |
| V 2.0 : Virus/Malware : Unable To Clean File, Stripped | Sub Rule | Failed Malware | Failed Malware Activity |
| V 2.0 : Virus/Malware : File Replaced | Sub Rule | Failed Malware | Failed Malware Activity |
| V 2.0 : Virus/Malware : File Dropped | Sub Rule | Failed Malware | Failed Malware Activity |
| V 2.0 : Virus/Malware : File Archived | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : Virus/Malware : Blocked Successfully | Sub Rule | Failed Malware | Failed Malware Activity |
| V 2.0 : Virus/Malware : Quarantined Successfully | Sub Rule | Activity | Quarantine |
| V 2.0 : Virus/Malware : Stamped Successfully | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : Virus/Malware : File Uploaded | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : Virus/Malware : Access Denied | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : Virus/Malware : No Action | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : Virus/Malware : Scan Stopped | Sub Rule | Information | Scan Stopped |
| V 2.0 : Virus/Malware : Encrypted | Sub Rule | Activity | Encrypted Files Detected |
| V 2.0 : Virus/Malware : Undefined | Sub Rule | Activity | General Activity |
| V 2.0 : Virus/Malware : System Rebooted | Sub Rule | Startup and Shutdown | System Restarted |
| V 2.0 : Virus/Malware : Action Failed | Sub Rule | Activity | General Activity |
| V 2.0 : Virus/Malware : Action Required | Sub Rule | Activity | General Activity |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | <vmid> | Text/String | AV:Action |
| Header (eventName) | <threatname> | Text/String | Virus/Malware name |
| Header (severity) | <severity> | Number | Severity |
| deviceExternalId | N/A | N/A | ID |
| rt | N/A | N/A | Log generation time in UTC |
| cnt | <quantity> | Number | Detections |
| dhost | <dname> | Text/String | Endpoint |
| duser | <account> | Text/String/Number | User |
| act | <action>, <tag1> | Text/String | Action |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | N/A | N/A | Pattern/Rule version |
| cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
| cn2 | N/A | N/A | Second action |
| cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
| cs1 | N/A | N/A | 0: Unknown; 1: N/A; 11: Real-time Scan; 12: Manual Scan; 13: Scheduled Scan; 16: Scan Now; 17: Card Scan; 18: Damage Cleanup Services; 19: Storage Scan |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | N/A | N/A | Engine version |
| cs3Label | N/A | N/A | Corresponding label for the "cs3" field |
| cs3 | <version> | Number | Product version |
| cs4Label | N/A | N/A | Corresponding label for the "cs4" field |
| cs4 | N/A | N/A | Reason code |
| cs5Label | N/A | N/A | Corresponding label for the "cs5" field |
| cs5 | <result> | Text/String | First action result |
| cs6Label | N/A | N/A | Corresponding label for the "cs6" field |
| cs6 | N/A | N/A | Second action result |
| cat | N/A | N/A | Log type |
| dvchost | N/A | N/A | Product server name |
| cn3Label | N/A | N/A | Corresponding label for the "cn3" field |
| cn3 | N/A | N/A | 0: Low; 1: Low; 2: Medium; 3: High |
| fname | <object> | Text/String | File |
| filePath | N/A | N/A | File path |
| msg | <subject> | Text/String | File in compressed file |
| shost | <sname> | Text/String/Number | Source host |
| suser | <login> | Text/String/Number | Source user |
| dst | <dip> | IP Address | Endpoint IPv4 address |
| fileHash | <hash> | Text/String/Number | File SHA-1 |
| deviceFacility | N/A | N/A | Product name |
| reason | <reason> | Text/String | Critical Threat Type: A: Known Advanced Persistent Threat (APT); B: Social engineering attack; C: Vulnerability attack; D: Lateral movement; E: Unknown threats; F: C&C callback; G: Ransomware |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |
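The following Python script is an added worked example; it is not LogRhythm or Trend Micro code and does not appear in the vendor documentation. It parses one Apex Central Virus/Malware CEF line (the SAMPLE string is constructed for illustration, not a captured log), removes CEF escaping from both the header and the extension, applies the device-key to LogRhythm-schema mapping from the table above, decodes the cs1, cn3 and reason code values, and resolves the act value to the sub rule, classification and common event listed in the Classification table. Matching the act text against the sub-rule suffix case-insensitively is this example's own assumption, since the page does not describe how LogRhythm's sub rules match; anything that does not match falls through to the base rule.

```python
"""Parse a Trend Micro Apex Central Virus/Malware CEF line, apply the LogRhythm schema
mapping and resolve the V 2.0 sub rule, classification and common event. Added example:
SAMPLE is constructed, and matching act= to the sub-rule suffix is this example's assumption."""
import re

# CEF header layout: CEF:<logVer>|vendor|pname|pver|eventid|eventName|severity|<extension>
HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
HEADER_RE = re.compile(r"((?:\\.|[^\\|])*)\|" * len(HEADER_KEYS))   # 7 fields, "\|" allowed
EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")            # "key=" at a token boundary

# Device key -> LogRhythm schema field, from the mapping table above.
KEY_TO_SCHEMA = {"eventid": "vmid", "eventName": "threatname", "severity": "severity",
                 "cnt": "quantity", "dhost": "dname", "duser": "account", "act": "action",
                 "cs3": "version", "cs5": "result", "fname": "object", "msg": "subject",
                 "shost": "sname", "suser": "login", "dst": "dip", "fileHash": "hash", "reason": "reason"}
SCAN_TYPE = {"0": "Unknown", "1": "N/A", "11": "Real-time Scan", "12": "Manual Scan",
             "13": "Scheduled Scan", "16": "Scan Now", "17": "Card Scan",
             "18": "Damage Cleanup Services", "19": "Storage Scan"}
RISK_LEVEL = {"0": "Low", "1": "Low", "2": "Medium", "3": "High"}
THREAT_TYPE = {"A": "Known Advanced Persistent Threat (APT)", "B": "Social engineering attack",
               "C": "Vulnerability attack", "D": "Lateral movement", "E": "Unknown threats",
               "F": "C&C callback", "G": "Ransomware"}

# (Classification, Common Event) -> sub-rule suffixes, from the Classification table above.
CLASSIFICATION = {
    ("Failed Malware", "Failed Malware Activity"): (
        "File Cleaned", "File Deleted", "Unable To Clean File, Deleted",
        "Unable To Clean File, Stripped", "File Replaced", "File Dropped", "Blocked Successfully"),
    ("Activity", "Quarantine"): (
        "File Quarantined", "Unable To Clean File, Quarantined", "Quarantined Successfully"),
    ("Malware", "Detected Malware Activity"): (
        "File Renamed", "File Passed", "Unable To Clean File, Passed", "Unable To Clean File, Renamed",
        "File Archived", "Stamped Successfully", "File Uploaded", "Access Denied", "No Action"),
    ("Other Security", "General Security"): ("Unknown", "Not Applicable"),
    ("Information", "Scan Stopped"): ("Scan Stopped",),
    ("Activity", "Encrypted Files Detected"): ("Encrypted",),
    ("Activity", "General Activity"): ("Undefined", "Action Failed", "Action Required"),
    ("Startup and Shutdown", "System Restarted"): ("System Rebooted",)}
RULE_BY_ACTION = {a.lower(): (f"V 2.0 : Virus/Malware : {a}", cls, ev)
                  for (cls, ev), acts in CLASSIFICATION.items() for a in acts}
RULE_BY_ACTION["unable to clean file, quarantined"] = (   # this one rule name is abbreviated
    "V 2.0 : Virus/MW : Unable To Clean File, Quarantined", "Activity", "Quarantine")
BASE_RULE = ("V 2.0 : Virus/Malware Logs", "Malware", "Detected Malware Activity")


def _unescape(value):
    # CEF escapes "|", "=" and "\" with a backslash; \n and \r stand for line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Return header fields plus extension key/value pairs with CEF escaping removed."""
    m = HEADER_RE.match(line)
    if not m or not m.group(1).startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields = dict(zip(HEADER_KEYS, (_unescape(g) for g in m.groups())))
    fields["logVer"] = fields["logVer"][len("CEF:"):]
    ext = line[m.end():]
    keys = list(EXT_KEY.finditer(ext))
    for n, k in enumerate(keys):                          # a value runs until the next "key="
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        fields[k.group(1)] = _unescape(ext[k.end():end].strip())
    return fields


def classify(action):
    """Resolve act= to (rule name, classification, common event); unmatched text hits the base rule."""
    return RULE_BY_ACTION.get(action.strip().lower(), BASE_RULE)


def to_logrhythm(line):
    """One CEF line -> LogRhythm schema fields, decoded code values and the matching rule."""
    f = parse_cef(line)
    out = {schema: f[key] for key, schema in KEY_TO_SCHEMA.items() if key in f}
    if "act" in f:
        out["tag1"] = f["act"]                            # act feeds both <action> and <tag1>
    for key in ("severity", "quantity"):                  # documented as Number
        if key in out:
            out[key] = int(out[key])
    out["scan_type"] = SCAN_TYPE.get(f.get("cs1"))
    out["risk_level"] = RISK_LEVEL.get(f.get("cn3"))
    out["threat_type"] = THREAT_TYPE.get(f.get("reason"))
    out["rule"], out["classification"], out["common_event"] = classify(f.get("act", ""))
    return out


# Constructed sample in the documented layout (illustration only, not a captured log).
SAMPLE = ("CEF:0|Trend Micro|Apex Central|2019|AV:File quarantined|Eicar_test_file|3|"
          "deviceExternalId=39 rt=Nov 15 2019 08:43:57 GMT+00:00 cnt=1 dhost=ApexOneClient08 "
          "duser=Admin act=File quarantined cn1Label=Pattern version cn1=1500 cs1Label=Scan type "
          "cs1=11 cs2Label=Engine version cs2=11.0.1006 cs3Label=Product version cs3=14.0 "
          "cs5Label=First action result cs5=File quarantined dvchost=ApexOneServer01 "
          "cn3Label=Risk level cn3=3 fname=eicar.com filePath=C:\\\\Users\\\\Admin\\\\Downloads\\\\ "
          "msg=eicar.zip shost=10.0.0.5 dst=10.0.0.21 "
          "fileHash=3395856ce81f2b7382dee72602f798b642f14140 reason=G deviceNtDomain=CORP")

if __name__ == "__main__":
    for field, value in to_logrhythm(SAMPLE).items():
        print(f"{field:15} {value}")
```

Run the script directly to print the mapped fields for the constructed sample, or pass captured lines to to_logrhythm() when checking a parser change: a quarantine action should land in the Quarantine common event, not fall through to the base rule, and a path containing escaped backslashes should come back as a single-backslash Windows path.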