cef0.trendMicro.deepDiscoveryAnalyzer

Introduction

The table cef0.trendMicro.deepDiscoveryAnalyzer identifies events in CEF format generated by Trend Micro.

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

cef0.trendMicro.deepDiscoveryAnalyzer

How is the data sent to Devo?

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Log samples

The following are sample logs sent to cef0.trendMicro.deepDiscoveryAnalyzer. Find how the information will be parsed in your data table under each sample log.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

cef0.trendMicro.deepDiscoveryAnalyzer

2021-07-27 07:05:39.905 hostname=127.0.0.1 14 CEF: 0|Trend Micro|Deep Discovery Analyzer|5.5.0.1202|200126|URL sandbox analysis is finished|3|rt=Feb 27 2015 09:36:26 GMT+00:00 dvc=10.204.191.249 dvchost=DDAN dvcmac=EC:F4:BB:C6:F1:D0 deviceExternalId=758B04C9-F577-4B8A-B527-ABCB84FDAC83 request=http://www.baidu.com:80/ fileHash=ACB5175554463DD2ADBDFF78AD82C7D6BB8C8B6B cs1Label=SandboxImageType cs1=win8 cn2Label=ROZRating cn2=0 cn3Label=PcapReady cn3=1
2021-07-27 07:05:39.905 hostname=127.0.0.1 14 CEF: 0|Trend Micro|Deep Discovery Analyzer|5.5.1.1034|200128|SUBMISSION_ANALYZED|1|rt=May 06 2016 14:34:29 GMT+00:00 dvc=192.168.1.1 dvchost=DDAN-Active dvcmac=B8:CA:3A:68:2F:CC deviceExternalId=F8E649AA-AF79-4545-9B5A-580BA993D5E3 src=192.168.14.59 spt=20819 smac=98:90:96:CA:78:1F shost=nj-host1 dst=106.120.188.47 dpt=80 dmac=00:00:0C:9F:F0:0E dhost=106.120.188.47 cn1Label=sampleType cn1=0 fname=sgim_usrzoneext.zip fsize=692 fileType=PKZIP fileHash=9D49696A96DB224F7E884146D801DD8C828D17BF request=http://url.es/25123sx/4s5s app=HTTP cs3Label=appGroup cs3=HTTP cs4Label=submitter cs4=Deep Discovery Inspector cs5Label=submitterName cs5=TEST-DDI deviceDirection=1 requestClientApplication=sogou_ime/7.9.0.7504
2021-07-27 07:05:39.905 hostname=127.0.0.1 14 CEF: 0|Trend Micro|Deep Discovery Analyzer|5.5.0.1202|200127|Notable Characteristics of the analyzed sample|6|rt=Feb 27 2015 09:49:06 GMT+00:00 dvc=10.204.191.249 dvchost=DDAN dvcmac=EC:F4:BB:C6:F1:D0 deviceExternalId=758B04C9-F577-4B8A-B527-ABCB84FDAC83 fname=Invoice_06202013_QBK.exe fileHash=CF1A6CF231BDA185DEBF70B8562301798F286FAD fileType=WIN32 EXE fsize=117248 cs1Label=PolicyCategory cs1=Malformed, defective, or with known malware traits msg=Source: ATSE Detection Name: TSPY_FAREIT.WT Engine Version: 9.755.1246 Malware Pattern Version: 11.501.90 cs2Label=PolicyName cs2=Detected as known malware
2021-07-27 07:05:39.905 hostname=127.0.0.1 14 CEF: 0|Trend Micro|Deep Discovery Analyzer|5.5.0.1202|200120|Deny List updated|3|rt=Feb 27 2015 09:49:41 GMT+00:00 dvc=10.204.191.249 dvchost=DDAN dvcmac=EC:F4:BB:C6:F1:D0 deviceExternalId=758B04C9-F577-4B8A-B527-ABCB84FDAC83 cs1Label=type cs1=Deny List File SHA1 end=Mar 28 2015 09:49:06 GMT+00:00 act=Add fileHash=CF1A6CF231BDA185DEBF70B8562301798F286FAD cs2Label=RiskLevel cs2=High
2021-07-27 07:05:39.905 hostname=127.0.0.1 14 CEF: 0|Trend Micro|Deep Discovery Analyzer|6.0.0.1119|300999|Log Settings: Settings modified by admin from 10.204.1.2|3|rt=Nov 07 2017 10:05:58 GMT+00:00 dvc=10.204.1.1 dvchost=DDAN dvcmac=00:0C:29:2F:3B:6B deviceExternalId=423E63AA-D466-406E-A15F-6AC6F3CEE50A cs1Label=eventType cs1=System Setting duser=admin src=10.204.1.2 outcome=Success

And this is how the log would be parsed:

Field	Value	Type	Extra field	Source field name
eventdate	`2021-07-27 07:05:39.905`	`timestamp`
hostname	`hostname`	`str`
priorityCode	`14`	`str`
cefTag	`CEF`	`str`
cefVersion	`0`	`str`
embDeviceVendor	`Trend Micro`	`str`
embDeviceProduct	`Deep Discovery Analyzer`	`str`
deviceVersion	`5.5.0.1202`	`str`
signatureID	`200126`	`str`
name	`URL sandbox analysis is finished`	`str`
severity	`3`	`str`
_cefVer	`null`	`str`
act	`null`	`str`
app	`null`	`str`
cn1Label	`null`	`str`
cn1	`null`	`int8`
cn2Label	`ROZRating`	`str`
cn2	`0`	`int8`
cn3Label	`PcapReady`	`str`
cn3	`1`	`int8`
cs1Label	`SandboxImageType`	`str`
cs1	`win8`	`str`
cs2Label	`null`	`str`
cs2	`null`	`str`
cs3Label	`null`	`str`
cs3	`null`	`str`
cs4Label	`null`	`str`
cs4	`null`	`str`
cs5Label	`null`	`str`
cs5	`null`	`str`
deviceDirection	`null`	`int4`
deviceExternalId	`758B04C9-F577-4B8A-B527-ABCB84FDAC83`	`str`
dhost	`null`	`str`
dmac	`null`	`str`
dst	`null`	`ip4`
dpt	`null`	`int4`
duser	`null`	`str`
dvchost	`DDAN`	`str`
dvc	`/10.204.191.249`	`ip4`
dvcmac	`EC:F4:BB:C6:F1:D0`	`str`
end	`null`	`timestamp`
fileHash	`ACB5175554463DD2ADBDFF78AD82C7D6BB8C8B6B`	`str`
fileType	`null`	`str`
fname	`null`	`str`
fsize	`null`	`int8`
msg	`null`	`str`
outcome	`null`	`str`
requestClientApplication	`null`	`str`
request	`http://www.baidu.com:80/`	`str`
rt	`2015-02-27 09:36:26.0`	`timestamp`
shost	`null`	`str`
smac	`null`	`str`
src	`null`	`ip4`
spt	`null`	`int4`
s3Label	`null`	`str`
hostchain	`hostname=127.0.0.1`	`str`	✓
tag	`CEF`	`str`	✓	cefTag
rawMessage		`str`	✓