Page Comparison

Table of Contents

maxLevel	2
minLevel	2
type	flat

Introduction

The table Tables beginning withcef0.trendmicro.xdr identifies identify events in CEF format generated by Trendmicro XDRTechnologies.

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

...

Product / Service	Tags	Data tables
Trend Micro	`cef0.trendMicro.apexCentral`	`cef0.trendMicro.apexCentral`
	`cef0.trendMicro.controlManager`	`cef0.trendMicro.controlManager`
	`cef0.trendMicro.deepDiscoveryAnalyzer`	`cef0.trendMicro.deepDiscoveryAnalyzer`
	`cef0.trendMicro.deepDiscoveryDirector`	`cef0.trendMicro.deepDiscoveryDirector`
	`cef0.trendMicro.deepDiscoveryDirector`	`cef0.trendMicro.deepDiscoveryDirector`
	`cef0.trendMicro.deepDiscoveryDirector`	`cef0.trendMicro.deepDiscoveryDirector`
	`cef0.trendMicro.deepDiscoveryInspector`	`cef0.trendMicro.deepDiscoveryInspector`
	`cef0.trendMicro.deepSecurityAgent`	`cef0.trendMicro.deepSecurityAgent`
	`cef0.trendMicro.deepSecurityAnalyzer`	`cef0.trendMicro.deepSecurityAnalyzer`
	`cef0.trendMicro.deepSecurityManager`	`cef0.trendMicro.deepSecurityManager`

How is the data sent to Devo?

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Table structure

These are the fields displayed in this table:

Rw ui tabs macro

Rw tab

title	1-4

cef0

...

.trendMicro.apexCentral
cef0.trendMicro.controlManager
cef0.trendMicro.deepDiscoveryAnalyzer
cef0.trendMicro.deepDiscoveryDirector

Anchor
cef0.trendMicro.apexCentral
cef0.trendMicro.apexCentral
cef0.trendMicro.apexCentral

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
priorityCode	`str`
cefTag	`str`
cefVersion	`str`
embDeviceVendor	`str`
embDeviceProduct	`str`
deviceVersion	`str`
signatureID	`str`
name	`str`
severity	`str`
act	`str`
app	`str`
cat	`str`
cn1	`int8`
cn1Label	`str`
cn2	`int8`
cn2Label	`str`
cn3	`int8`
cn3Label	`str`
cn4	`str`
cn4Label	`str`
cnt	`int4`
cs1	`str`
cs1Label	`str`
cs2	`str`
cs2Label	`str`
cs3	`str`
cs3Label	`str`
cs4	`str`
cs4Label	`str`
cs5	`str`
cs5Label	`str`
cs6	`str`
cs6Label	`str`
deviceDirection	`str`
deviceExternalId	`str`
deviceFacility	`str`
dhost	`str`
dmac	`str`
dpt	`str`
dst	`ip4`
duser	`str`
dvchost	`str`
fileHash	`str`
fname	`str`
proto	`str`
reason	`str`
rt	`str`
shost	`str`
smac	`str`
sourceServiceName	`str`
spt	`int4`
src	`ip4`
suser	`str`
deviceNtDomain	`str`
dntdom	`str`
request	`str`
deviceProcessName	`str`
hostchain	`str`		✓
tag	`str`	cefTag	✓
rawMessage	`str`

Anchor
cef0.trendMicro.controlManager
cef0.trendMicro.controlManager
cef0.trendMicro.controlManager

Field	Type	Extra fields
eventdate	`timestamp`
rawMessage	`str`	✓
hostchain	`str`	✓
priorityCode	`str`
cefTag	`str`
cefVersion	`str`
embDeviceVendor	`str`
embDeviceProduct	`str`
deviceVersion	`str`
signatureID	`str`
name	`str`
severity	`str`
_cefVer	`str`
act	`str`
app	`str`
cat	`str`
c6a1Label	`str`
c6a1	`str`
c6a2Label	`str`
c6a2	`str`
c6a3Label	`str`
c6a3	`str`
c6a4Label	`str`
c6a4	`str`
cfp1Label	`str`

...

dvc

cfp1	`float8`
cfp2Label	`str`

...

cfp2

...

float8

...


cfp3Label	`str`

...


cfp3	`float8`
cfp4Label	`str`
cfp4	`float8`

...


cn1Label	`str`

...


cn1	`int8`

...


cn2Label	`str`

...


cn2	`int8`
cn3Label	`str`
cn3	`int8`

...


cnt	`int4`

...


cs1Label	`str`
cs1	`str`
cs2Label	`str`
cs2	`str`

...


cs3Label	`str`

...


cs3	`str`
cs4Label	`str`

...

ResourceName

...

str

...

rt

...

timestamp

...

sourceServiceName

...

str

...

src

...

ip4

...

shost

...

str

...

suser

...

str

...

original_message_id

...

str

...

original_sender

...

str

...

original_subject

...

str

...

email_encryption_type

...

str

...

file_sig

...

str

...

file_size

...

int8

...

dlp_hostname

...

str

...

hostdomain_name

...

str

...

mac_address

...

mac

...

uuid

...

str

...

protocol

...

str

...

protocol_response

...

str

...

protocol_response_line

...

str

...

product_phase

...

str

...

error_code

...

str

...

error_category

...

str

...

error_text

...

str

...

error_description

...

str

...

evidence_copy_error

...

str

...

server_response_code

...

str

...

receive_tls

...

str

...

send_tls

...

str

...

receive_auth

...

str

...

send_auth

...

str

...

modified_recipients

...

str

...

email_sender

...

str

...

email_recipients

...

str

...

capture_search_id

...

str

...

capture_search_query

...

str

...

current_bucket_id

...

str

...

new_bucket_id

...

str

...

bucket_id_in_use

...

str

...

rows_written

...

str

...

db_error_string

...

str

...

directory_name

...

str

...

sss_path

...

str

...

sss_offset

...

str

...

sss_metadata_size

...

str

...

sss_size

...

str

...

source_port

...

str

...

request_id

...

str

...

given_request_id

...

str

...

transaction_id

...

str

...

pii_deletion

...

str

...

pii_deleted_records

...

str

...

product

...

str

...

hardware_component

...

str

...

build_tag

...

str

...

scan_host_ip

...

ip4

...

cs1Label

...

str

...

cs1

...

str

...

cs2Label

...

str

...

cs2

...

str

...

cs3Label

...

str

...

cs3

...

str

...

cs4Label

...

str

...

cs4

...

str

...

cs5Label

...

str

...

cs5

...

str

...

cs6Label

...

str

...

cs6

...

str

...

cn1Label

...

str

...

cn1

...

int8

...

cn2Label

...

str

...

cn2

...

int8

...

cn3Label

...

str

...

cn3

...

int8

...


cs4	`str`
cs5Label	`str`
cs5	`str`
cs6Label	`str`
cs6	`str`
destinationDnsDomain	`str`
destinationServiceName	`str`
destinationTranslatedAddress	`ip4`
destinationTranslatedPort	`int4`
deviceCustomDate1Label	`str`
deviceCustomDate1	`timestamp`
deviceCustomDate2Label	`str`
deviceCustomDate2	`timestamp`
deviceDirection	`int4`
deviceDnsDomain	`str`
deviceExternalId	`str`
deviceInboundInterface	`str`
deviceMacAddress	`str`
deviceNtDomain	`str`
deviceOutboundInterface	`str`
deviceProcessName	`str`
deviceTranslatedAddress	`ip4`
dhost	`str`
dmac	`str`
dntdom	`str`
dpid	`int4`
dpriv	`str`
dproc	`str`
dst	`ip4`
duid	`str`
duser	`str`
dvchost	`str`
dvc	`ip4`
dvcpid	`int4`
end	`timestamp`
deviceFacility	`str`
externalId	`str`
fileCreateTime	`timestamp`
fileHash	`str`
fileId	`str`
fileModificationTime	`timestamp`
filePath	`str`
filePermission	`str`
fileType	`str`
fname	`str`
fsize	`int8`
in	`int8`
msg	`str`
oldFileCreateTime	`timestamp`
oldFileHash	`str`
oldFileId	`str`
oldFileModificationTime	`timestamp`
oldFileName	`str`
oldFilePath	`str`
oldFilePermission	`str`
oldFileSize	`int8`
oldFileType	`str`
outcome	`str`
out	`int8`
proto	`str`
reason	`str`
requestClientApplication	`str`
requestCookies	`str`
requestMethod	`str`
request	`str`
rt	`timestamp`
shost	`str`
smac	`str`
sntdom	`str`
sourceDnsDomain	`str`
sourceServiceName	`str`
sourceTranslatedAddress	`ip4`
sourceTranslatedPort	`int4`
spid	`int4`
spriv	`str`
sproc	`str`
spt	`int4`
src	`ip4`
start	`timestamp`
suid	`str`
suser	`str`
catdt	`str`
deviceDomain	`str`
deviceSeverity	`str`
dpt	`int4`
dtz	`str`
dvcmac	`str`
endTime	`str`
eventId	`str`
flexNumber1	`str`
flexNumber1Label	`str`
flexNumber2	`str`
flexNumber2Label	`str`
flexString1	`str`
flexString1Label	`str`
flexString2	`str`
flexString2Label	`str`
modelConfidence	`int4`
priority	`int4`
relevance	`int4`
requestContext	`str`
sessionId	`str`
slat	`float8`
slong	`float8`
dlat	`float8`
dlong	`float8`
sourceGeoCountryCode	`str`
sourceGeoLocationInfo	`str`
sourceGeoPostalCode	`str`
sourceGeoRegionCode	`str`
destinationGeoCountryCode	`str`
destinationGeoLocationInfo	`str`
destinationGeoPostalCode	`str`
destinationGeoRegionCode	`str`
agt	`ip4`
ahost	`str`
art	`str`
atz	`str`
mrt	`timestamp`
categoryBehavior	`str`
categoryCustomFormatField	`str`
categoryDeviceGroup	`str`
categoryObject	`str`
categoryOutcome	`str`
categorySignificance	`str`
categoryTechnique	`str`
categoryTupleDescription	`str`
assetCriticality	`str`
customerID	`str`
customerURI	`str`
tag	`str`	cefTag	✓

Anchor
tag3cef0.trendMicro.deepDiscoveryAnalyzer
tag3cef0.trendMicro.deepDiscoveryAnalyzer
cef0.trendMicro.deepDiscoveryAnalyzer

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`		✓
priorityCode	`str`		✓
cefTag	`str`
cefVersion	`str`
embDeviceVendor	`str`
embDeviceProduct	`str`
deviceVersion	`str`
signatureID	`str`
name	`str`
severity	`str`
_cefVer	`str`
act	`str`
app	`str`
cn1Label	`str`
cn1	`int8`
cn2Label	`str`
cn2	`int8`
cn3Label	`str`
cn3	`int8`
cs1Label	`str`
cs1	`str`
cs2Label	`str`
cs2	`str`
cs3Label	`str`
cs3	`str`
cs4Label	`str`
cs4	`str`
cs5Label	`str`
cs5	`str`
deviceDirection	`int4`
deviceExternalId	`str`
dhost	`str`
dmac	`str`
dst	`ip4`
dpt	`int4`
duser	`str`
dvchost	`str`
dvc	`ip4`
dvcmac	`str`
end	`timestamp`
fileHash	`str`
fileType	`str`
fname	`str`
fsize	`int8`
msg	`str`
outcome	`str`
requestClientApplication	`str`
request	`str`
rt	`timestamp`
shost	`str`
smac	`str`
src	`ip4`
spt	`int4`
s3Label	`str`
hostchain	`str`		✓
tag	`str`	cefTag	✓
rawMessage	`str`		✓

Anchor
cef0.trendMicro.deepDiscoveryDirector
cef0.trendMicro.deepDiscoveryDirector
cef0.trendMicro.deepDiscoveryDirector

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
priorityCode	`str`
cefTag	`str`
cefVersion	`str`
embDeviceVendor	`str`
embDeviceProduct	`str`
deviceVersion	`str`
signatureID	`str`
name	`str`
severity	`str`
_cefVer	`str`
act	`str`
app	`str`
cat	`str`
cn3Label	`str`
cn3	`int8`
cnt	`int4`
cs1Label	`str`
cs1	`str`
cs2Label	`str`
cs2	`str`
cs3Label	`str`
cs3	`str`
cs6Label	`str`
cs6	`str`
destinationTranslatedAddress	`ip4`
deviceDirection	`int4`
deviceExternalId	`str`
dhost	`str`
dmac	`str`
dst	`ip4`
dpt	`int4`
duser	`str`
dvc	`ip4`
dvchost	`str`
dvcmac	`str`
end	`timestamp`
fileHash	`str`
filePath	`str`
fileType	`str`
fname	`str`
fsize	`int8`
request	`str`
requestClientApplication	`str`
rt	`timestamp`
shost	`str`
smac	`str`
sourceTranslatedAddress	`ip4`
spt	`int4`
src	`ip4`
suid	`str`
suser	`str`
devicepayloadid	`str`
flexnumber1label	`str`
flexnumber1	`str`
hostchain	`str`
tag	`str`	cefTag	✓
rawMessage	`str`		✓

Rw tab

title	5-9

cef0.trendMicro.deepDiscoveryInspector
cef0.trendMicro.deepSecurityAgent
cef0.trendMicro.deepSecurityAnalyzer
cef0.trendMicro.deepSecurityManager

Anchor
cef0.trendMicro.deepDiscoveryInspector
cef0.trendMicro.deepDiscoveryInspector
cef0.trendMicro.deepDiscoveryInspector

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostchain	`str`		✓
hostname	`str`
cefTag	`str`
cefVersion	`str`
embDeviceVendor	`str`
embDeviceProduct	`str`
deviceVersion	`str`
signatureID	`str`
name	`str`
severity	`str`
act	`str`
cat	`str`
app	`str`
rt	`str`
dvc	`ip4`
dvchost	`str`
dvcmac	`str`
deviceExternalId	`str`
deviceDirection	`int4`
devicePayloadId	`str`
dhost	`str`
dst	`ip4`
dpt	`str`
duser	`str`
dmac	`str`
shost	`str`
src	`ip4`
spt	`int4`
suid	`str`
smac	`str`
filePath	`str`
fname	`str`
fileHash	`str`
fileType	`str`
fsize	`int8`
outcome	`str`
flexNumber1Label	`str`
flexNumber1	`str`
sourceTranslatedAddress	`ip4`
destinationTranslatedAddress	`ip4`
cs1Label	`str`
cs1	`str`
cs3Label	`str`
cs3	`str`
cs4Label	`str`
cs4	`str`
cs6Label	`str`
cs6	`str`
cnt	`int4`
cn1Label	`str`
cn1	`int8`
cn2Label	`str`
cn2	`int8`
cn3Label	`str`
cn3	`int8`
tag	`str`	cefTag	✓
rawMessage	`str`		✓

Anchor
cef0.trendMicro.deepSecurityAgent
cef0.trendMicro.deepSecurityAgent
cef0.trendMicro.deepSecurityAgent

Field

Type

Field Transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

Code Block
split(hostchain, "=", 0)

hostchain

deviceVersion

str

signatureID

str

name

str

severity

str

TrendMicroDsFrameType

str

TrendMicroDsTenant

str

TrendMicroDsTenantId

str

dvchost

str

act

str

src

str

dst

str

in

int8

msg

str

smac

str

dmac

str

cnt

int4

spt

int4

dpt

int4

app

str

cat

str

c6a1Label

str

c6a1

str

c6a2Label

str

c6a2

str

c6a3Label

str

c6a3

str

c6a4Label

str

c6a4

str

cfp1Label

str

cfp1

float8

cfp2Label

str

cfp2

float8

cfp3Label

str

cfp3

float8

cfp4Label

str

cfp4

float8

cn1Label

str

cn1

int8

cn2Label

str

cn2

int8

cn3Label

str

cn3

int8

cs1Label

str

cs1

str

cs2Label

str

cs2

str

cs3Label

str

cs3

str

cs4Label

str

cs4

str

cs5Label

str

cs5

str

cs6Label

str

cs6

str

destinationDnsDomain

str

destinationServiceName

str

destinationTranslatedAddress

ip4

destinationTranslatedPort

int4

deviceCustomDate1Label

str

deviceCustomDate1

timestamp

deviceCustomDate2Label

str

deviceCustomDate2

timestamp

deviceDirection

int4

deviceDnsDomain

str

deviceExternalId

str

deviceInboundInterface

str

deviceMacAddress

str

deviceNtDomain

str

deviceOutboundInterface

str

deviceProcessName

str

deviceTranslatedAddress

ip4

dhost

str

dntdom

str

dpid

int4

dpriv

str

dproc

str

duid

str

duser

str

dvc

ip4

dvcpid

int4

end

timestamp

deviceFacility

str

externalId

int8

fileCreateTime

timestamp

fileHash

str

fileId

str

fileModificationTime

timestamp

filePath

str

filePermission

str

fileType

str

fname

str

fsize

int8

oldFileCreateTime

timestamp

oldFileHash

str

oldFileId

str

oldFileModificationTime

timestamp

oldFileName

str

oldFilePath

str

oldFilePermission

str

oldFileSize

int8

oldFileType

str

outcome

str

out

int8

proto

str

reason

str

requestClientApplication

str

requestCookies

str

requestMethod

str

request

str

result

str

rt

timestamp

shost

str

sntdom

str

sourceDnsDomain

str

sourceServiceName

str

sourceTranslatedAddress

ip4

sourceTranslatedPort

int4

spid

int4

spriv

str

sproc

str

start

timestamp

suid

str

suser

str

host_id

int8

Code Block
ifthenelse(cn1Label = "Host ID", cn1, null(int8(0)))

cn1

cn1Label

tcp_flags

str

Code Block
ifthenelse(cs2Label = "TCP Flags", cs2, null(""))

cs2

cs2Label

dpi_note

str

Code Block
ifthenelse(cs1Label = "DPI Note", cs1, null(""))

cs1Label

cs1

dpi_flags

str

Code Block
ifthenelse(cs6Label = "DPI Flags", cs6, null(""))

cs6

cs6Label

dpi_packet_position

int8

Code Block
ifthenelse(cn3Label = "DPI Packet Position", cn3, null(int8(0)))

cn3

cn3Label

dpi_stream_position

str

Code Block
ifthenelse(cs5Label = "DPI Stream Position", cs5, null(""))

cs5

cs5Label

fragmentation_bits

str

Code Block
ifthenelse(cs3Label = "Fragmentation Bits", cs3, null(""))

cs3

cs3Label

hostchain

str

✓

tag

str

cefTag

✓

rawMessage

str

✓

Anchor
cef0.trendMicro.deepSecurityAnalyzer
cef0.trendMicro.deepSecurityAnalyzer
cef0.trendMicro.deepSecurityAnalyzer

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
priorityCode	`str`
cefTag	`str`
cefVersion	`str`
embDeviceVendor	`str`
embDeviceProduct	`str`
deviceVersion	`str`
signatureID	`str`
name	`str`
severity	`str`
_cefVer	`str`
cn1Label	`str`
cn1	`str`
cn2Label	`str`
cn2	`ip4`
cn3Label	`str`
cn3	`str`
cs1Label	`str`
cs1	`int4`
cs3Label	`str`
cs3	`str`
deviceExternalId	`ip4`
dvchost	`str`
dvc	`str`
dvcmac	`str`
fileHash	`str`
fileType	`ip4`
fname	`int4`
fsize	`str`
rt	`str`
hostchain	`str`		✓
tag	`str`	cefTag	✓
rawMessage	`str`		✓

Anchor
cef0.trendMicro.deepSecurityManager
cef0.trendMicro.deepSecurityManager
cef0.trendMicro.deepSecurityManager

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

Code Block
split(hostchain, "=", 0)

hostchain

target

str

deviceVersion

str

signatureID

str

name

str

severity

str

TrendMicroDsTenant

str

TrendMicroDsTenantId

str

src

ip4

suser

str

msg

str

hostchain

str

tag

str

✓

rawMessage

str

cefTag

✓

Versions Compared

Old Version 4

New Version Current

Key

Introduction

Tag structure

How is the data sent to Devo?

Table structure

Anchor
cef0.trendMicro.apexCentral
cef0.trendMicro.apexCentral
cef0.trendMicro.apexCentral

Anchor
cef0.trendMicro.controlManager
cef0.trendMicro.controlManager
cef0.trendMicro.controlManager

Anchor
tag3cef0.trendMicro.deepDiscoveryAnalyzer
tag3cef0.trendMicro.deepDiscoveryAnalyzer
cef0.trendMicro.deepDiscoveryAnalyzer

Anchor
cef0.trendMicro.deepDiscoveryDirector
cef0.trendMicro.deepDiscoveryDirector
cef0.trendMicro.deepDiscoveryDirector

Anchor
cef0.trendMicro.deepDiscoveryInspector
cef0.trendMicro.deepDiscoveryInspector
cef0.trendMicro.deepDiscoveryInspector

Anchor
cef0.trendMicro.deepSecurityAgent
cef0.trendMicro.deepSecurityAgent
cef0.trendMicro.deepSecurityAgent

Anchor
cef0.trendMicro.deepSecurityAnalyzer
cef0.trendMicro.deepSecurityAnalyzer
cef0.trendMicro.deepSecurityAnalyzer

Anchor
cef0.trendMicro.deepSecurityManager
cef0.trendMicro.deepSecurityManager
cef0.trendMicro.deepSecurityManager

Page Comparison

Versions Compared

Old Version 4

New Version Current

Key

Introduction

Tag structure

How is the data sent to Devo?

Table structure

Anchorcef0.trendMicro.apexCentralcef0.trendMicro.apexCentralcef0.trendMicro.apexCentral

Anchorcef0.trendMicro.controlManagercef0.trendMicro.controlManagercef0.trendMicro.controlManager

Anchortag3cef0.trendMicro.deepDiscoveryAnalyzertag3cef0.trendMicro.deepDiscoveryAnalyzercef0.trendMicro.deepDiscoveryAnalyzer

Anchorcef0.trendMicro.deepDiscoveryDirectorcef0.trendMicro.deepDiscoveryDirectorcef0.trendMicro.deepDiscoveryDirector

Anchorcef0.trendMicro.deepDiscoveryInspectorcef0.trendMicro.deepDiscoveryInspectorcef0.trendMicro.deepDiscoveryInspector

Anchorcef0.trendMicro.deepSecurityAgentcef0.trendMicro.deepSecurityAgentcef0.trendMicro.deepSecurityAgent

Anchorcef0.trendMicro.deepSecurityAnalyzercef0.trendMicro.deepSecurityAnalyzercef0.trendMicro.deepSecurityAnalyzer

Anchorcef0.trendMicro.deepSecurityManagercef0.trendMicro.deepSecurityManagercef0.trendMicro.deepSecurityManager

Anchor
cef0.trendMicro.apexCentral
cef0.trendMicro.apexCentral
cef0.trendMicro.apexCentral

Anchor
cef0.trendMicro.controlManager
cef0.trendMicro.controlManager
cef0.trendMicro.controlManager

Anchor
tag3cef0.trendMicro.deepDiscoveryAnalyzer
tag3cef0.trendMicro.deepDiscoveryAnalyzer
cef0.trendMicro.deepDiscoveryAnalyzer

Anchor
cef0.trendMicro.deepDiscoveryDirector
cef0.trendMicro.deepDiscoveryDirector
cef0.trendMicro.deepDiscoveryDirector

Anchor
cef0.trendMicro.deepDiscoveryInspector
cef0.trendMicro.deepDiscoveryInspector
cef0.trendMicro.deepDiscoveryInspector

Anchor
cef0.trendMicro.deepSecurityAgent
cef0.trendMicro.deepSecurityAgent
cef0.trendMicro.deepSecurityAgent

Anchor
cef0.trendMicro.deepSecurityAnalyzer
cef0.trendMicro.deepSecurityAnalyzer
cef0.trendMicro.deepSecurityAnalyzer

Anchor
cef0.trendMicro.deepSecurityManager
cef0.trendMicro.deepSecurityManager
cef0.trendMicro.deepSecurityManager