Document toolboxDocument toolbox

cef0.trendmicro.xdr

Owned by Juan Tomás Alonso Nieto (Unlicensed)
Sept 02, 2021
2 min read

Introduction

The table cef0.trendmicro.xdr identifies events in CEF format generated by Trendmicro XDR.

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

  • cef0.trendmicro.xdr

How is the data sent to Devo?

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Log samples

The following are sample logs sent to cef0.trendmicro.xdr. Find how the information will be parsed in your data table under each sample log.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

cef0.trendmicro.xdr

<22>2021-08-26 11:23:37.657 localhost=127.0.0.1 22 CEF: 0|TrendMicro|XDR|1|WB-9912-20210823-00000|Cybercrime Malware|Unknown| eventId=428811 msg=Malware associated with cybercrime, such as trojan spyware and backdoors, was detected on an endpoint. customerURI=/All Customers/MSSP/07_Polaris/Polaris art=1629700814556 deviceSeverity=medium rt=1629700814556 fname=A%20boot%20or%20partition%20virus%20has%20been%20found%20on%20drive%20F:. fileHash=(NULL) cs1=https://portal.eu.xdr.trendmicro.com/index.html#/workbench?workbenchId_WB-9912-20210823-00000&ref_0c12e642ca5b7ed4436e5f23f568ae10066608d3 cn1=1 cn2=0 cn3=0 cs1Label=Reference cn1Label=desktopAffected cn2Label=emailAffected cn3Label=serverAffected c6a4Label=Group-AV ahost=211.138.111.192 agt=211.138.111.192 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 202.123.4.158-26.226.63.95 amac=06-2A-74-D9-CD-C0 av=147.43.241.8522.0 atz=UTC at=cef_multifolder_file dtz=UTC geid=2568071064631041024 _cefVer=0.1 ad.cn4Label=accountAffected ad.cn4=0 aid=aid1234

And this is how the log would be parsed: 

Field

Value

Type

Extra fields

hostchain

localhost=127.0.0.1

str


priorityCode

22

str


cefTag

CEF

str


cefVersion

0

str


embDeviceVendor

TrendMicro

str


embDeviceProduct

XDR

str


deviceVersion

1

str


signatureID

WB-9912-20210823-00000

str


name

Cybercrime Malware

str


severity

Unknown

str


extension

eventId=428811 msg=Malware associated with cybercrime, such as trojan spyware and backdoors, was detected on an endpoint. customerURI=/All Customers/MSSP/07_Polaris/Polaris art=1629700814556 deviceSeverity=medium rt=1629700814556 fname=A%20boot%20or%20partition%20virus%20has%20been%20found%20on%20drive%20F:. fileHash=(NULL) cs1=Trend Micro Vision One™ cn1=1 cn2=0 cn3=0 cs1Label=Reference cn1Label=desktopAffected cn2Label=emailAffected cn3Label=serverAffected c6a4Label=Group-AV ahost=211.138.111.192 agt=211.138.111.192 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 202.123.4.158-26.226.63.95 amac=06-2A-74-D9-CD-C0 av=147.43.241.8522.0 atz=UTC at=cef_multifolder_file dtz=UTC geid=2568071064631041024 _cefVer=0.1 ad.cn4Label=accountAffected ad.cn4=0 aid=aid1234

str


eventId

428811

str


msg

Malware associated with cybercrime, such as trojan spyware and backdoors, was detected on an endpoint.

str


customerURI

/All Customers/MSSP/07_Polaris/Polaris

str


art

1629700814556

str


deviceSeverity

medium

str


rt

1629700814556

timestamp


fname

A%20boot%20or%20partition%20virus%20has%20been%20found%20on%20drive%20F:.

str


fileHash

(NULL)

str


cs1

https://portal.eu.xdr.trendmicro.com/index.html#/workbench?workbenchId_WB-9912-20210823-00000&ref_0c12e642ca5b7ed4436e5f23f568ae10066608d3

str


cn1

1

int8


cn2

0

int8


cn3

0

int8


cs1Label

Reference

str


cn1Label

desktopAffected

str


cn2Label

emailAffected

str


cn3Label

serverAffected

str


c6a4Label

Group-AV

str


ahost

211.138.111.192

str


agt

211.138.111.192

str


agentZoneURI

/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 202.123.4.158-26.226.63.95

str


amac

06-2A-74-D9-CD-C0

str


av

147.43.241.8522.0

str


atz

UTC

str


at

cef_multifolder_file

str


dtz

UTC

str


geid

2568071064631041024

str


_cefVer

0.1

str


ad_cn4Label

accountAffected

str


ad_cn4

0

str


aid

aid1234

str


rawMessage

CEF: 0|TrendMicro|XDR|1|WB-9912-20210823-00000|Cybercrime Malware|Unknown| eventId=428811 msg=Malware associated with cybercrime, such as trojan spyware and backdoors, was detected on an endpoint. customerURI=/All Customers/MSSP/07_Polaris/Polaris art=1629700814556 deviceSeverity=medium rt=1629700814556 fname=A%20boot%20or%20partition%20virus%20has%20been%20found%20on%20drive%20F:. fileHash=(NULL) cs1=Trend Micro Vision One™ cn1=1 cn2=0 cn3=0 cs1Label=Reference cn1Label=desktopAffected cn2Label=emailAffected cn3Label=serverAffected c6a4Label=Group-AV ahost=211.138.111.192 agt=211.138.111.192 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 202.123.4.158-26.226.63.95 amac=06-2A-74-D9-CD-C0 av=147.43.241.8522.0 atz=UTC at=cef_multifolder_file dtz=UTC geid=2568071064631041024 _cefVer=0.1 ad.cn4Label=accountAffected ad.cn4=0 aid=aid1234

str

✓