Trend Micro Apex Central sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Trend Micro Apex Central sample messages when you use the TLS syslog protocol

Sample 1: The following sample event message shows that a call back from source 10.201.86.187 to destination 10.201.86.195 is detected and blocked.

CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12 rt=Oct 11 2017 06:34:09 GMT+00:00 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=11.0 shost=ApexOneClient01 src=10.201.86.187 cs3Label=SLF_DomainName cs3=DOMAIN act=Block cn1Label=SLF_CCCA_RiskLevel cn1=1 cn2Label=SLF_CCCA_DetectionSource cn2=1 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=10.201.86.195 deviceProcessName=C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe
Table 1. QRadar field names and highlighted values in the event payload
QRadar field name Highlighted values in the event payload
Event ID CnC:Block
Source IP 10.201.86.187
Destination IP 10.201.86.195
Device Time Oct 11 2017 06:34:09 GMT+00:00

Sample 2: The following sample event message shows that a suspicious connection has occurred.

CEF:0|Trend Micro|Apex Central|2019|NCIE:Pass|SuspiciousConnection|3|deviceExternalId=1 rt=Oct 11 2017 06:34:06 GMT+00:00 cat=1756 deviceFacility=Apex One deviceProcessName=C:\\Windows\\system32\\svchost-1.exe act=Pass src=10.201.86.152 dst=10.69.81.64 spt=54594 dpt=80 deviceDirection=None cn1Label=SLF_PatternType cn1=2 cs2Label=NCIE_ThreatName cs2=Malicious_identified_CnC_querying_on_UDP_detected reason=F
QRadar field name Highlighted values in the event payload
Event ID NCIE:Pass
Source IP 10.201.86.152
Source Port 54594
Destination IP 10.69.81.64
Destination Port 80
Device Time Oct 11 2017 06:34:06 GMT+00:00