Trend Micro Apex Central sample event messages
Use these sample event messages to verify a successful integration with IBM® QRadar®.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
Trend Micro Apex Central sample messages when you use the TLS syslog protocol
Sample 1: The following sample event message shows that a call back from source 10.201.86.187 to destination 10.201.86.195 is detected and blocked.
CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12 rt=Oct 11 2017 06:34:09 GMT+00:00 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=11.0 shost=ApexOneClient01 src=10.201.86.187 cs3Label=SLF_DomainName cs3=DOMAIN act=Block cn1Label=SLF_CCCA_RiskLevel cn1=1 cn2Label=SLF_CCCA_DetectionSource cn2=1 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=10.201.86.195 deviceProcessName=C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | CnC:Block |
| Source IP | 10.201.86.187 |
| Destination IP | 10.201.86.195 |
| Device Time | Oct 11 2017 06:34:09 GMT+00:00 |
Sample 2: The following sample event message shows that a suspicious connection has occurred.
CEF:0|Trend Micro|Apex Central|2019|NCIE:Pass|SuspiciousConnection|3|deviceExternalId=1 rt=Oct 11 2017 06:34:06 GMT+00:00 cat=1756 deviceFacility=Apex One deviceProcessName=C:\\Windows\\system32\\svchost-1.exe act=Pass src=10.201.86.152 dst=10.69.81.64 spt=54594 dpt=80 deviceDirection=None cn1Label=SLF_PatternType cn1=2 cs2Label=NCIE_ThreatName cs2=Malicious_identified_CnC_querying_on_UDP_detected reason=F
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | NCIE:Pass |
| Source IP | 10.201.86.152 |
| Source Port | 54594 |
| Destination IP | 10.69.81.64 |
| Destination Port | 80 |
| Device Time | Oct 11 2017 06:34:06 GMT+00:00 |