Trend Micro Pack
This Trend Micro pack processes on Trend Micro Apex Central events for transforming and optimizing events
8 minute read
Edge Delta Pipeline Pack for Trend Micro Apex Central
Overview
The Trend Micro pack is designed to parse and normalize logs generated by Trend Micro Apex Central and related security solutions using the Common Event Format (CEF). These logs include a wide variety of event types such as intrusion prevention, pattern update statuses, behavior monitoring, suspicious connections, and more.
This pack extracts structured data from CEF-formatted logs using regular expressions and key-value parsing, enabling powerful observability, alerting, and dashboarding use cases.
Pack Description
1. Parse Regex (CEF Header and Body Extraction)
This processor extracts core fields from the CEF-formatted log lines using a custom regex pattern. It separates out standard CEF components such as:
cef_versioncef_device_vendorcef_device_productcef_device_versioncef_signature_idcef_namecef_severity- and the trailing message payload
Regex pattern used:
CEF:(?P<cef_version>\d+)\|(?P<cef_device_vendor>(?:[^\\|]|\\\\\\|)*?)\|(?P<cef_device_product>(?:[^\\|]|\\\\\\|)*?)\|(?P<cef_device_version>(?:[^\\|]|\\\\\\|)*?)\|(?P<cef_signature_id>(?:[^\\|]|\\\\\\|)*?)\|(?P<cef_name>(?:[^\\|]|\\\\\\|)*?)\|(?P<cef_severity>(?:[^\\|]|\\\\\\|)*?)\|(?P<message>.+)
2. Normalize Key-Value Separators
The message payload often contains key-value pairs with inconsistent spacing. This processor normalizes the separators by replacing spaces before keys with a pipe (|) delimiter, preparing the data for parsing.
Example transformation:
Before: "... msg=Sample message key1=value1 key2=value2"
After: "... msg=Sample message|key1=value1|key2=value2"
3. Parse Key-Value
This step extracts the normalized key-value fields from the message payload using the | delimiter.
It supports both numerical (cn1, cn2, …) and contextual (cs1, cs2, …) fields with labels such as Operating_System, Pattern_Version, Update_Agent, etc.
4. Delete Raw Message Field
Finally, the message field is removed to reduce noise and streamline the final output.
Sample Log Input
Aug 10 02:01:44 SAMPLE_HOSTNAME CEF:0|Trend Micro|Apex Central|2019|800101|Pattern Update Status|3|rt=Jan 10 2023 00:11:44 GMT+00:00 shost=HOST2 cs1Label=Operating_System cs1=Linux cs2Label=Product/Endpoint_IP cs2=10.1.2.3 cs3Label=Update_Agent cs3=0 cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=1208221989 cs5Label=Pattern/Rule_Version cs5=10092073 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Smart Protection Server msg=Web Blocking List (2.0) ApexCentralHost=APEXCNTHOST deviceNtDomain=N/A dntdom=N/A
Sample Output (After Processing)
{
"attributes": {
"cef_version": "0",
"cef_device_vendor": "Trend Micro",
"cef_device_product": "Apex Central",
"cef_device_version": "2019",
"cef_signature_id": "800101",
"cef_name": "Pattern Update Status",
"cef_severity": "3",
"rt": "Jan 10 2023 00:11:44 GMT+00:00",
"shost": "HOST2",
"cs1Label": "Operating_System",
"cs1": "Linux",
"cs2Label": "Product/Endpoint_IP",
"cs2": "10.1.2.3",
"cs3Label": "Update_Agent",
"cs3": "0",
"cn1Label": "Connection_Status",
"cn1": "100",
"cn2Label": "Pattern/Rule",
"cn2": "1208221989",
"cs5Label": "Pattern/Rule_Version",
"cs5": "10092073",
"cn3Label": "Pattern/Rule_Status",
"cn3": "1",
"cs6Label": "AUComponent_Type",
"cs6": "2",
"deviceFacility": "Smart Protection Server",
"msg": "Web Blocking List (2.0)",
"ApexCentralHost": "APEXCNTHOST",
"deviceNtDomain": "N/A",
"dntdom": "N/A"
}
}
Use Cases
- Detect pattern or engine update failures
- Correlate suspicious connections and IP activity
- Monitor endpoint behavior for abnormal software operations
- Track blocked/allowed file transfers and USB access
- Identify ransomware or malware events with severity levels
Resources
Sample Input
Aug 10 02:01:44 SAMPLE_HOSTNAME CEF:0|Trend Micro|Apex Central|2019|800101|Pattern Update Status|3|rt=Jan 10 2023 00:11:44 GMT+00:00 shost=HOST2 cs1Label=Operating_System cs1=Linux cs2Label=Product/Endpoint_IP cs2=10.1.2.3 cs3Label=Update_Agent cs3=0 cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=1208221989 cs5Label=Pattern/Rule_Version cs5=10092073 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Smart Protection Server msg=Web Blocking List (2.0) ApexCentralHost=APEXCNTHOST deviceNtDomain=N/A dntdom=N/A
Aug 10 02:01:51 SAMPLE_HOSTNAME CEF:0|Trend Micro|Apex Central|2019|800102|Engine Update Status|3|rt=Jan 13 2023 00:44:55 GMT+00:00 shost=LT-RUH-F29-0060 cs2Label=Product/Endpoint_IP cs2=10.1.2.34 cn1Label=Connection_Status cn1=101 cn2Label=Engine cn2=570425856 cs5Label=Engine_Version cs5=2.98.1912 cn3Label=Engine_Status cn3=1 cs6Label=AUComponent_Type cs6=1 deviceFacility=Apex One msg=Behavior Monitoring Core Service (64-bit) ApexCentralHost=APEXCNTHOST deviceNtDomain=N/A dntdom=N/A
Aug 10 02:46:56 SAMPLE_HOSTNAME CEF:0|Trend Micro|Apex Central|2019|Reset|Intrusion Prevention|3|devicePayloadId=48005658-970D1EE-370D-FE12-674 rt=Jan 09 2023 22:22:22 GMT+00:00 dvchost=ANOTHER_HOSTNAME deviceFacility=Trend Micro Deep Security src=10.1.2.36 TMCMLogDetectedIP=10.1.2.38 TMCMLogDetectedHost=10.10.20.3 dst=10.10.20.35 smac=00:22:56:98:52:B6 spt=53158 dmac=00:22:22:98:B0:48 dpt=10051 cn2Label=Mode cn2=0 act=Reset deviceDirection=Inbound cn3Label=Priority cn3=100 cn4Label=Severity cn4=1 proto=10003 cs2Label=Application_Type cs2=N/A cn1Label=Rule cn1=0 cs1Label=Reason/Rule cs1=URI Path Depth Exceeded cnt=4 ApexCentralHost=APEXCNTHOST TMCMdevicePlatform=Red Hat Enterprise 7 (64 bit)3.10 (Build 0)1160.2.2.el7.x86_64 deviceNtDomain=N/A dntdom=Chakhna\\\\linux\\\\
Aug 10 02:01:52 SAMPLE_HOSTNAME CEF:0|Trend Micro|Apex Central|2019|Reset|Intrusion Prevention|3|devicePayloadId=480056509848-970D11EE-3706-FC66-B387 rt=Jan 09 2023 11:11:11 GMT+00:00 dvchost=ANOTHER_HOSTNAME deviceFacility=Trend Micro Deep Security src=10.10.20.38 TMCMLogDetectedIP=10.10.20.39 TMCMLogDetectedHost=10.10.20.40 dst=10.10.20.45 smac=00:22:56:98:52:B6 spt=46292 dmac=00:22:56:98:B0:48 dpt=10051 cn2Label=Mode cn2=0 act=Reset deviceDirection=Inbound cn3Label=Priority cn3=100 cn4Label=Severity cn4=1 proto=10003 cs2Label=Application_Type cs2=N/A cn1Label=Rule cn1=0 cs1Label=Reason/Rule cs1=URI Path Depth Exceeded cnt=1 ApexCentralHost=APEXCNTHOST TMCMdevicePlatform=Red Hat Enterprise 7 (64 bit)3.10 (Build 0)1160.2.2.el7.x86_64 deviceNtDomain=N/A dntdom=Chakhna\\\\linux\\\\
Jun 12 16:29:22 SAMPLE_HOSTNAME CEF:0|Trend Micro|Apex Central|2019|800101|Pattern Update Status|3|rt=Jun 12 2023 13:25:58 GMT+00:00 shost=XXXX cs1Label=Operating_System cs1=Windows 11 cs2Label=Product/Endpoint_IP cs2=1.1.1.1 cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=Workgroup cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=1208222245 cs5Label=Pattern/Rule_Version cs5=140564 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Apex One
Jun 12 16:29:22 SAMPLE_HOSTNAME CEF:0|Trend Micro|Apex Central|2019|800101|Pattern Update Status|3|rt=Jun 12 2023 13:25:58 GMT+00:00 shost=XXXX cs1Label=Operating_System cs1=Windows 11 cs2Label=Product/Endpoint_IP cs2=1.1.1.1 cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=Workgroup cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=1208222211 cs5Label=Pattern/Rule_Version cs5=293039 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Apex One
Jun 12 16:29:22 SAMPLE_HOSTNAME CEF:0|Trend Micro|Apex Central|2019|800101|Pattern Update Status|3|rt=Jun 12 2023 13:25:58 GMT+00:00 shost=XXXX cs1Label=Operating_System cs1=Windows 11 cs2Label=Product/Endpoint_IP cs2=1.1.1.1 cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=Workgroup cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=1208222100 cs5Label=Pattern/Rule_Version cs5=186513.0.0 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Apex One
Jun 12 16:29:22 SAMPLE_HOSTNAME CEF:0|Trend Micro|Apex Central|2019|800101|Pattern Update Status|3|rt=Jun 12 2023 13:25:58 GMT+00:00 shost=XXXX cs1Label=Operating_System cs1=Windows 11 cs2Label=Product/Endpoint_IP cs2=1.1.1.1 cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=Workgroup cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=1208222099 cs5Label=Pattern/Rule_Version cs5=1.276.00 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Apex One
Jun 12 16:29:22 SAMPLE_HOSTNAME CEF:0|Trend Micro|Apex Central|2019|800101|Pattern Update Status|3|rt=Jun 12 2023 13:25:58 GMT+00:00 shost=XXXX cs1Label=Operating_System cs1=Windows 11 cs2Label=Product/Endpoint_IP cs2=1.1.1.1 cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=Workgroup cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=1208222096 cs5Label=Pattern/Rule_Version cs5=1.032.00 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Apex One
Jun 12 16:29:22 SAMPLE_HOSTNAME CEF:0|Trend Micro|Apex Central|2019|800101|Pattern Update Status|3|rt=Jun 12 2023 13:25:58 GMT+00:00 shost=XXXX cs1Label=Operating_System cs1=Windows 11 cs2Label=Product/Endpoint_IP cs2=1.1.1.1 cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=Workgroup cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=1208222021 cs5Label=Pattern/Rule_Version cs5=1.10885.00 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Apex One
Jun 12 16:29:22 SAMPLE_HOSTNAME CEF:0|Trend Micro|Apex Central|2019|800101|Pattern Update Status|3|rt=Jun 12 2023 13:25:58 GMT+00:00 shost=XXXX cs1Label=Operating_System cs1=Windows 11 cs2Label=Product/Endpoint_IP cs2=1.1.1.1 cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=Workgroup cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=1208221988 cs5Label=Pattern/Rule_Version cs5=1.10235.00 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Apex One
Jun 12 16:29:22 SAMPLE_HOSTNAME CEF:0|Trend Micro|Apex Central|2019|800101|Pattern Update Status|3|rt=Jun 12 2023 13:25:58 GMT+00:00 shost=XXXX cs1Label=Operating_System cs1=Windows 11 cs2Label=Product/Endpoint_IP cs2=1.1.1.1 cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=Workgroup cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=1208221953 cs5Label=Pattern/Rule_Version cs5=39 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Apex One
Jun 12 16:29:22 SAMPLE_HOSTNAME CEF:0|Trend Micro|Apex Central|2019|800101|Pattern Update Status|3|rt=Jun 12 2023 13:25:58 GMT+00:00 shost=XXXX cs1Label=Operating_System cs1=Windows 11 cs2Label=Product/Endpoint_IP cs2=1.1.1.1 cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=Workgroup cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=1208221844 cs5Label=Pattern/Rule_Version cs5=0.017.64 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Apex One
Jun 12 16:29:22 SAMPLE_HOSTNAME CEF:0|Trend Micro|Apex Central|2019|800101|Pattern Update Status|3|rt=Jun 12 2023 13:25:58 GMT+00:00 shost=XXXX cs1Label=Operating_System cs1=Windows 11 cs2Label=Product/Endpoint_IP cs2=1.1.1.1 cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=Workgroup cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=1208221808 cs5Label=Pattern/Rule_Version cs5=7.5.1555 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Apex One
CEF:0|Trend Micro|Apex Central|2019|700211|Attack Discovery Detections|3|deviceExternalId=5 rt=Jan 17 2019 03:38:06 GMT+00:00 dhost=VCAC-Window-331 dst=10.201.86.150 customerExternalID=8c1e2d8f-a03b-47ea-aef8-5aeab99ea697 cn1Label=SLF_RiskLevel cn1=0 cn2Label=SLF_PatternNumber cn2=30.1012.00 cs1Label=SLF_RuleID cs1=powershell invoke expression cat=point of entry cs2Label=SLF_ADEObjectGroup_Info_1 cs2=process - powershell.exe - {#012 "META_FILE_MD5" : "7353f60b1739074eb17c5f4dddefe239",#012 "META_FILE_NAME" : "powershell.exe",#012 "META_FILE_SHA1" : "6cbce4a295c163791b60fc23d285e6d84f28ee4c",#012 "META_FILE_SHA2" : "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",#012 "META_PATH" : "c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\",#012 "META_PROCESS_CMD" : [ "powershell iex test2" ],#012 "META_PROCESS_PID" : 10924,#012 "META_SIGNER" : "microsoft windows",#012 "META_SIGNER_VALIDATION" : true,#012 "META_USER_USER_NAME" : "Administrator",#012 "META_USER_USER_SERVERNAME" : "VCAC-WINDOW-331",#012 "OID" : 1#012}#012
CEF:0|Trend Micro|Apex Central|2019|BM:1000|Behavior Monitoring|3|rt=Aug 16 2017 05:00:40 GMT+00:00 dvchost=localhost cn1Label=Risk_Level cn1=1 cs2Label=Policy cs2=1000 sproc=C:\\Windows\\SysWOW64\\rundll32.exe cn2Label=Event_Type cn2=4 cs1Label=Target cs1=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\COM+ act=3 cn3Label=Operation cn3=302 shost=shost1 src=10.0.76.40 deviceFacility=Apex One
CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12 rt=Oct 11 2017 06:34:09 GMT+00:00 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=11.0 shost=ApexOneClient01 src=10.201.86.187 cs3Label=SLF_DomainName cs3=DOMAIN act=Block cn1Label=SLF_CCCA_RiskLevel cn1=1 cn2Label=SLF_CCCA_DetectionSource cn2=1 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=10.201.86.195 deviceProcessName=C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe
CEF:0|Trend Micro|Apex Central|2019|MS:0|This is a policy name|3|deviceExternalId=90045 rt=Sep 17 2018 01:27:42 GMT+00:00 dhost=user@test.com duser=user@test.com act=0 cs2Label=CLF_ProductVersion cs2=3.2 cs3Label=SL_FilterType cs3=0 cs5Label=CLF_ReasonCodeSource cs5=20 cs6Label=SL_MessageAction cs6=0 cat=1705 dvchost=ApexOneClient01 cn1Label=CLF_ServerityCode cn1=2 fname=NE_AEP.1550 msg=plain_qp_no8_av1u_NE_AEP.1550 shost=user2@test.com suser=user2@test.com deviceFacility=Deep Discovery Email Inspector src=10.206.155.122
CEF:0|Trend Micro|Apex Central|2019|700106|Data Loss Prevention|3|cs3Label=Product_Entity/Endpoint cs3=Sample_Host dvchost=Sampledvchost cs2Label=Policy cs2=N/A cn1Label=Product cn1=15 rt=Oct 13 2017 02:54:04 GMT+00:00 src=10.0.9.34 smac=34-E6-D7-84-BC-7F shost=shost1 cs4Label=Incident_Source_(AD_Account) cs4=12467 filePath=D:\\2. DRIVER\\drivers WIN7\\Drivers\\DP_CardReader_14032.7z\\O2Micro\\FORCED\\6x86\\ fname=O2MDFvst.INF cs5Label=Rule cs5=SAMPLE RULE SET cs6Label=Template cs6=Apex One policy cn3Label=Channel cn3=0 cn2Label=Action cn2=4 deviceFacility=Apex One
CEF:0|Trend Micro|Apex Central|2019|700107|Device Access Control|3|rt=Aug 16 2017 04:49:15 GMT+00:00 cs1Label=Product_Entity/Endpoint cs1=Sample_Host shost=shost1 dvchost=localhost cn1Label=Product cn1=15 sproc=C:\\Windows\\explorer.exe fname=F:\\Autorun.inf cn2Label=Device_Type cn2=0 cn3Label=Permission cn3=3 deviceFacility=Apex One
CEF:0|Trend Micro|Apex Central|2019|EAC:1|Endpoint Application Control Violation Information|3|deviceExternalId=39 rt=Jun 27 2012 03:14:03 GMT+00:00 cs1Label=Version cs1=1.299.00 suser=TMCM\\QA cs2Label=ApplicationControlEvent_ClientIPAddress_V4 cs2=0.0.0.0 cn1Label=Connection_Status cn1=0 fileHash=c0869b72C5606D22D92A6AC986686BB87485A25b fname=P2P_TEST.exe cs3Label=Command cs3=C:\\P2P_TEST.exe duser=QA cs4Label=Rule cs4=Test cs5Label=Policy cs5=TestPolicy act=Blocked deviceFacility=Trend Micro Endpoint Application Control
CEF:0|Trend Micro|Apex Central|2019|800102|Engine Update Status|3|rt=Apr 20 2017 12:04:34 GMT+00:00 shost=shost1 cs2Label=Product/Endpoint_IP cs2=10.0.17.6 cn1Label=Connection_Status cn1=100 cn2Label=Engine cn2=4096 cs5Label=Engine_Version cs5=9.950.1006 cn3Label=Engine_Status cn3=1 cs6Label=AUComponent_Type cs6=1 deviceFacility=Apex One . [0]
CEF:0|Trend Micro|Apex Central|2019|700211|Managed Product Logon/Logoff Events|3|deviceExternalId=11 shost=SMEX01 deviceFacility=ScanMail for Microsoft Exchange cs1Label=Product_Version cs1=14 cn1Label=Command_Status cn1=110 msg=A user with the Administrator role(s) has logged on. Detail Information:UserName:TEST2013\\administrator,IP address:10.204.166.127,EventType:Log in/out,SourceType:SMEX UI. #015
CEF:0|Trend Micro|Apex Central|2019|NCIE:Pass|Suspicious Connection|3|deviceExternalId=1 rt=Oct 11 2017 06:34:06 GMT+00:00 cat=1756 deviceFacility=Apex One deviceProcessName=C:\\Windows\\system32\\svchost-1.exe act=Pass src=10.201.86.152 dst=10.69.81.64 spt=54594 dpt=80 deviceDirection=None cn1Label=SLF_PatternType cn1=2 cs2Label=NCIE_ThreatName cs2=Malicious_identified_CnC_querying_on_UDP_detected
CEF:0|Trend Micro|Apex Central|2019|800101|Pattern Update Status|3|rt=Nov 02 2017 12:46:44 GMT+00:00 shost=shost1 cs1Label=Operating_System cs1=Windows 7 cs2Label=Product/Endpoint_IP cs2=10.0.7.20 cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=Default cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=2048 cs5Label=Pattern/Rule_Version cs5=1548 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Apex One . [0]
CEF:0|Trend Micro|Apex Central|2019|PML:File cleaned|virusa|3|deviceFacility=1 dvchost=Sample_Host cs2Label=DetectionName cs2=virusa suser=Sample\\Administrator cn2Label=DetectionType cn2=0 filePath=C:\\WindowsFILENAME deviceCustomDate1Label=FileCreationDate deviceCustomDate1=Nov 03 2016 08:58:03 GMT+00:00 sproc=notepad.exe cs4Label=ProcessCommandLine cs4=notepad.exe -test duser=admin app=2 cs3Label=InfectionLocation cs3=http://10.0.0.1/ dst=10.0.17.6 cn3Label=Confidence cn3=82 act=21
CEF: 0|Trend Micro|Apex Central|2019|VAD|VAN_RANSOMWARE.umxxhelloransom_abc|3|deviceExternalId=2 rt=Mar 22 2018 08:23:23 GMT+00:00 deviceFacility=Apex One dvchost=OSCE01 dhost=Isolate-ClientA dst=0.0.0.0 app=1 sourceServiceNameTest1@trend.com.tw destinationServiceName=Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com sproc=VA fileHash=3395856CE81F2B7382DEE72602F798B642F14140 fname=C:\\\\QA_Log.zip request=http://127.1.1.1 cs1Label=Security_Threat cs1=VAN_RANSOMWARE.umxxhelloransom_abc cn1Label=Risk_Level cn1=0 cs2Label=Threat_Categories cs2=Anti-security, self-preservation cs3Label=Cloud_Service_Vendor cs3=Google Drive
CEF:0|Trend Micro|Apex Central|2019|Spyware Detected|Spyware Detected|3|deviceExternalId=3 rt=Oct 06 2017 08:39:46 GMT+00:00 cnt=1 dhost=ApexOneClient01 cn1Label=PatternType cn1=1073741840 cs1Label=VirusName cs1=ADW_OPENCANDY cs2Label=EngineVersion cs2=6.2.3027 cs5Label=ActionResult cs5=Reboot system successfully cs6Label=PatternVersion cs6=1297 cat=1727 dvchost=ApexOneClient01 fname=F:\\Malware\\psas\\rsrc2.bin filePath=F:\\Malware\\psas\\rsrc2.bin dst=50.8.1.1 deviceFacility=Apex One
CEF:0|Trend Micro|Apex Central|2019|FH:Log|Suspicious Files|3|deviceExternalId=1 rt=Nov 15 2016 02:47:21 GMT+00:00 cat=1766 deviceFacility=Apex One cn1Label=SLF_ProductVersion cn1=11 dst=10.201.86.151 dhost=APEX-ONE-CLIENT-1 cs2Label=SLF_TrueFileType cs2=SLF_TrueFileType fileHash=D6712CAE5EC821F910E14945153AE7871AA536CA cs3Label=SLF_FileSource cs3=C:\\Users\\Administrator\\Desktop\\BT-SHA1-SAMPLE\\BT-SHA1-SAMPLE\\017545113A434757C5F0F13095DBBF138BD76A40;0x36D572AE cn2Label=SLF_SourceType cn2=0 act=Log cn3Label=SLF_ScanType cn3=1
CEF:0|Trend Micro|Apex Central|2019|WB:7|7|3|deviceExternalId=38 rt=Nov 15 2017 08:43:57 GMT+00:00 app=17 cntLabel=AggregatedCount cnt=1 dpt=80 act=1 src=10.1.128.46 cs1Label=SLF_PolicyName cs1=External User Policy deviceDirection=2 cat=7 dvchost=ApexOneClient08 fname=test.txt request=http://www.violetsoft.net/counter/insert.php?dbserver\=db1&c_pcode\=25&c_pid\=funpop1&c_kind\=4&c_mac\=FE-ED-BE-EF-0C-E1 deviceFacility=Apex One shost=ABC-HOST-WKS12
CEF:0|Trend Micro|Apex Central|2019|AV:File renamed|JS_EXPLOIT.SMDN|3|deviceExternalId=104 rt=Feb 18 2016 14:34:00 GMT+00:00 cnt=1 dhost=ApexOneClient01 duser=Admin004 act=File renamed cn1Label=VLF_PatternNumber cn1=920500 cn2Label=VLF_SecondAction cn2=3 cs1Label=VLF_FunctionCode cs1=Manual Scan cs2Label=VLF_EngineVersion cs2=9.500.1005 cs3Label=CLF_ProductVersion cs3=10.6 cs4Label=CLF_ReasonCode cs4=virus log cs5Label=VLF_FirstActionResult cs5=File renamed cs6Label=VLF_SecondActionResult cs6=N/A cat=1703 dvchost=ApexOneServer01 cn3Label=CLF_ServerityCode cn3=2 fname=0348C693056617D34FC5B5BAB4643885FEE5FEDF;0xD5D56AC2 filePath=C:\\Users\\Administrator\\Desktop\\trend_test_virus\\Trojans\\ msg=BMAC Schedule of Events.xls shost=ABC-OSCE-WKS12 suser=ABC-OSCE-WKS12 dst=10.201.129.24 deviceFacility=Apex One