V 2.0 : Web Security Event

Vendor Documentation

https://docs.trendmicro.com/en-us/enterprise/apex-central-online-help/appendices/syslog-mapping-cef.aspx

https://docs.trendmicro.com/en-us/enterprise/apex-central-online-help/appendices/syslog-mapping-cef/cef-web-security-log.aspx

Classification

Rule Name	Rule Type	Classification	Common Event
V 2.0 : Web Security Event	Base Rule	Activity	General Threat Message
V 2.0 : Web Security : Unknown	Sub Rule	Activity	General Threat Message
V 2.0 : Web Security : Pass	Sub Rule	Activity	General Threat Message
V 2.0 : Web Security : Block	Sub Rule	Failed Activity	Threat Blocked
V 2.0 : Web Security : Monitor	Sub Rule	Activity	General Threat Message
V 2.0 : Web Security : Delete	Sub Rule	Failed Activity	Threat Deleted
V 2.0 : Web Security : Quarantine	Sub Rule	Activity	Quarantine
V 2.0 : Web Security : Warn	Sub Rule	Activity	General Threat Message
V 2.0 : Web Security : Warn And Continue	Sub Rule	Activity	General Threat Message
V 2.0 : Web Security : Override	Sub Rule	Activity	General Threat Message

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
Header (logVer)	N/A	N/A	CEF format version
Header (vendor)	N/A	N/A	Appliance vendor
Header (pname)	N/A	N/A	Appliance product
Header (pver)	N/A	N/A	Appliance version
Header (eventid)	<vmid>	Text/String	WB:Filter/Blocking Type
Header (eventName)	N/A	N/A	Blocking Rule or "Filter/Blocking Type"
Header (severity)	<severity>	Number	Severity
deviceExternalId	N/A	N/A	ID
rt	N/A	N/A	Log generation time in UTC
app	<protnum>	Number	Protocol
cntLabel	N/A	N/A	Corresponding label for the "cnt" field
cnt	<quantity>	Number	Detections
dpt	<dport>	Number	Server port
act	<action> <tag1>	Number	0: Unknown 1: Pass 2: Block 3: Monitor 4: Delete 5: Quarantine 6: Warn 7: Warn and continue 8: Override
src	<sip>	IP Address	Endpoint IPv4 address
c6a2Label	N/A	N/A	Corresponding label for the "c6a2" field
c6a2	<sip>	IP Address	Endpoint IPv6 address
cs1Label	N/A	N/A	Corresponding label for the "cs1" field
cs1	<policy>	Text/String	Policy
cat	<subject>	Number/Text/String	Filter/Blocking Type
dvchost	N/A	N/A	Endpoint host name
fname	<object>	Text/String	File
request	<url>	Text/String/Number	URL
deviceFacility	N/A	N/A	Product
shost	<sname>	String/Number	Client host name
reason	<reason>	String/Number	Critical Threat Type A: Known Advanced Persistent Threat (APT) B: Social engineering attack C: Vulnerability attack D: Lateral movement E: Unknown threats F: C&C callback G: Ransomware
deviceNtDomain	N/A	N/A	Active Directory domain
dntdom	N/A	N/A	Apex One domain hierarchy
TMCMLogDetectedHost	<sname>	Text/String	Endpoint name where the log event occurred
TMCMLogDetectedIP	<sip>	IP Address	IP address where the log event occurred
ApexCentralHost	N/A	N/A	Apex Central host name
devicePayloadId	N/A	N/A	Unique message GUID
deviceDirection	N/A	Text/String	Traffic/Connection 0: None 1: Inbound 2: Outbound
deviceProcessName	<process>	Text/String/Number	Process name
duser	<domainimpacted> <account>	Text/String/Number	User name
cn3Label	N/A	N/A	Corresponding label for the "cn3" field
cn3	N/A	N/A	Reputation score
cn2Label	N/A	N/A	Corresponding label for the "cn2" field
cn2	N/A	N/A	Severity level 100: High 300: Medium high 500: Medium 700: Medium low 900: Low
dst	<dip>	IP Address	Server IP address
cs2Label	N/A	N/A	Corresponding label for the "cs2" field
cs2	N/A	N/A	Blocking rule
cn1Label	N/A	N/A	Corresponding label for the "cn1" field
cn1	N/A	N/A	Severity code 0: Unknown 1: Information 2: Warning 3: Error 4: Critical
cs5Label	N/A	N/A	Corresponding label for the "cs5" field
cs5	N/A	N/A	Reason code source
cs4Label	N/A	N/A	Corresponding label for the "cs4" field
cs4	<responsecode>	Number	Reason Code