Sample CEF and Syslog Notifications
This section shows sample CEF, LEEF, and Syslog notifications for various event types.
The definitions of the <extension> field keys for each event type are provided in the section CEF Extension Field Key=Value Pair Definitions.
Be aware that if a value is null, the key is still emitted with an empty value; for example, dst= and fileName= remain blank in the following CEF message:
eventId=13423 lastActivityTime=2016-7-26 21:50:50+00 dst= fileHash=c01e057e6b7115057d9465311346f198a7fed574 fileName= fileType=PE32 executable
CEF Phishing Event Examples:
Phishing events are included in the CEF and Syslog output. Here are a few examples:
Example 1: Email with Both Malicious URL and Attachment
Dec 6 16:52:22 IP Dec 06 16:51:38 hostname CEF:0|JATP|Cortex|3.6.0.1444|email|Phishing|8|externalId=1504 eventId=14067 lastActivityTime=2016-12-06 23:51:38+00 src= dst= src_hostname= dst_hostname= src_username= dst_username= src_email_id=src@abc.com dst_email_id={test@abc.com} startTime=2016-12-06 23:51:38+00 url=http://greatfilesarey.asia/QA/files_to_pcaps/74280968a4917da52b5555351eeda969.bin fileHash=bce00351cfc559afec5beb90ea387b03788e4af5 fileType=PE32 executable (GUI) Intel 80386, for MS Windows
Example 2: Email Sent to Multiple Recipients with Malicious Attachment
Dec 9 19:47:19 IP Dec 09 19:49:36 hostname CEF:0|JATP|Cortex|3.6.0.1444|email|TROJAN_GIPPERS.DC|8|externalId=1505 eventId=14068 lastActivityTime=2016-05-10 02:49:36+00 src= dst= src_hostname= dst_hostname= src_username= dst_username= src_email_id=src@abc.com dst_email_id={test1@abc.com,test2@abc.com,test3@abc.com} fileHash=bce00351cfc559afec5beb90ea387b03788e4af5 fileType=PE32 executable (GUI) Intel 80386, for MS Windows startTime=2016-05-10 02:49:36.000000+00
Example 3: Email Sent to Multiple Recipients with Multiple Bad URLs (Separated by Space) and Attachment
Dec 3 16:42:24 IP Dec 03 16:42:54 hostname CEF:0|JATP|Cortex|3.6.0.1444|email|Phishing|8|externalId=1499 eventId=14058 lastActivityTime=2016-05-03 23:42:54+00 src= dst= src_hostname= dst_hostname= src_username= dst_username= src_email_id=src@abc.com dst_email_id={test1@abc.com,test2@abc.com,test3@abc.com} startTime=2016-05-03 23:42:54+00 url=http://greatfilesarey.asia/QA/files_to_pcaps/74280968a4917da52b5555351eeda969.bin http://greatfilesarey.asia/QA/files_to_pcaps/1813791bcecf3a3af699337723a30882.bin fileHash=bce00351cfc559afec5beb90ea387b03788e4af5 fileType=PE32 executable (GUI) Intel 80386, for MS Windows
Example 4: Infection Event for which Identity Information is Obtained from Active Directory
Dec 2 17:17:25 IP Dec 02 17:08:08 hostname CEF:0|JATP|Cortex|3.6.0.1444|cnc|TROJAN_DUSVEXT.CY|10|externalId=1489 eventId=14046 lastActivityTime=2016-05-03 00:08:08.349+00 src=31.170.165.131 dst=172.20.1.201 src_hostname= dst_hostname=emailuser-host src_username= dst_username=emailuser malwareSeverity=0.75 malwareCategory=Trojan_Generic cncServers=31.170.165.131
CEF System Health Notification Example:
2016-01-23 17:36:39.841+00 tap0.test.JATP.net CEF:0|JATP|Cortex|3.6.0.3|3|services-health|5|desc=Behavior Engine is not running json={"status": "0", "service": "Behavior Engine"}
2016-01-23 17:36:39.841+00 tap0.test.JATP.net CEF:0|JATP|Cortex|3.6.0.3|3|appliance-connect-health|5|desc=Lost connection to web_collector upgrade (10.2.11.107) for 10 minutes json={"ip": "10.2.11.107", "age": 10.3804142, "type": "web_collector", "appliance": "upgrade", "pretty_age": "10 minutes"}
Syslog System Health Notification Example:
<134>Nov 24 17:22:56 tap54.eng.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|3|traffic-health|5|desc=10.2.20.54 (10.2.20.54) received 0 KB of monitor traffic over last 10 minutes json={"pretty_age": "10 minutes", "ip": "10.2.20.54", "age": 10, "appliance": "10.2.20.54", "sample_size": 2, "traffic": "0"}
The priority value in the syslog header of these captured messages is <134>, which decodes to facility local0 (16) and severity informational (6), since PRI = facility * 8 + severity = 16 * 8 + 6 = 134. The Juniper ATP Appliance mirrors the CEF output for the fields supported by Syslog to generate the Syslog output.
CEF Download (DL) Malware Event Notification Examples
2016-7-11 17:36:39.841+00 tap0.test.JATP.net CEF:0|JATP|Cortex|3.6.0.12|http|TROJAN_Zemot.CY|5|eventId=123 src=50.154.149.189 dst=192.168.1.10 startTime=2016-6-30 01:05:16.001+00 fileHash=1d81e21db086a2c385696f17f17bdde6d4be04d fileName=ccaed7c3c6e58a2844c9896246997f62.bin fileType=PE32 executable (GUI) Intel 80386, for MS Windows startTime=2016-08-11 17:36:39.841+00
Syslog Download (DL) Malware Event Notification Examples
<134>Nov 23 21:58:05 tap54.eng.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|http|TROJAN_GIPPERS.DC|8|externalId=374 eventId=13348 lastActivityTime=2016-02-24 05:58:05.151123+00 src=172.16.0.1 dst=10.1.1.26 fileHash=acf69d292d2928c5ddfe5e6af562cd482e6812dc fileName=79ea1163c0844a2d2b6884a31fc32cc4.bin fileType=PE32 executable (GUI) Intel 80386, for MS Windows startTime=2016-02-24 05:58:05.151123+00
CEF HTTP Malware Event Notification Example
Dec 31 16:43:47 10-3 2016-12-26 18:06:52.333023+00 tap0.test.JATP.net CEF:0|JATP|Cortex|3.6.0.12|http|TROJAN_FAREIT.DC|10|eventId=13405 lastActivityTime=2016-12-26 18:06:52.333023+00 src=172.16.0.1 dst=10.1.1.44 fileHash=6ff61bec9baa970df54c69fbef1209004a01f068 fileName=e309ea0c7271f3845d86621717220479.bin fileType=PE32 executable (GUI) Intel 80386, for MS Windows startTime=2016-12-26 18:06:52.333023+00
LEEF Event Examples
LEEF log for Download
<134>Sep 24 16:23:36 ovf-core.eng.ovf-core.com LEEF:1.0|Cyphort|Cortex|5.0.4.16|http|src=172.16.1.101 dst=172.16.1.105 usrName= devTime=2018-09-24 16:23:36 PDT cat=malware devTimeFormat=yyyy-MM-dd HH:mm:ss z sev=10 dst_hostname= src_hostname= src_username= incidentId=2614 eventId=80543 fileHash=a1e6d991e4464e7c018182951faa468c42ca3937 fileType=Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: Jonh Deddi, Last Saved By: Jonh Deddi, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Aug 24 23:23:16 2015, Last Saved Time/Date: Tue Aug 25 11:54:39 2015, Security: 0 fileName=61646e7802b449ee02f7269129079829b5eae37c0b934b40475f1f0e94409ad4 malwareName=HEUR_MACRO fileHashMd5=7aeea812c00fcf77d4214f430078e3c4
LEEF log for third-party log ingestion (virus scan log from Symantec)
<134>Sep 24 14:23:41 ovf-core.eng.ovf-core.com LEEF:1.0|Cyphort|Cortex|5.0.4.16|third_party|src= dst=169.254.31.242 usrName=Administrator devTime=2018-09-24 14:23:41 PDT cat=malware devTimeFormat=yyyy-MM-dd HH:mm:ss z sev=3 dst_hostname= src_hostname= src_username= incidentId=2613 eventId=80517 malwareName=Virus Scan
LEEF log for an email with both phishing links and a malicious attachment
<134>Sep 12 12:27:24 ovf-core.eng.ovf-core.com LEEF:1.0|Cyphort|Cortex|5.0.4.12|email|src= dst= usrName= devTime=2018-09-12 12:27:24 PDT cat=malware devTimeFormat=yyyy-MM-dd HH:mm:ss z sev=10 url=http://www.two-of-us.at/images/W.exe http://lm.beilequ.com/update/365/365weatherIns_61.rar http://abc.adamoads.com/fda dst_hostname= src_hostname= src_username= src_email_id=kalyan@cyphort.com dst_email_id=jane.doe@cydevel.com incidentId=2531 eventId=78703 fileHash=1f0b0376c0f39b33673363d61294abfaab9fb837 fileType=Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Title: PowerPoint Presentation, Last Saved By: MC SYSTEM, Revision Number: 5, Name of Creating Application: Microsoft PowerPoint, Total Editing Time: 01:28, Last Saved Time/Date: Sat Sep 29 04:42:55 2007, Number of Words: 2 malwareName=EXPLOIT_OFFICE_XDS email_msg_id=CABo8cN_mCTN5XAL+G=C4OcVXry7eiKm4uctkguf2Lqvv_KfWrg@mail.gmail.com fileHashMd5=17e9e5a4c807f3d2d50ba512542c982c
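A parser for the CEF and LEEF notification lines shown on this page, added here as an editor's example; it is not Juniper ATP Appliance or Cyphort code. It handles the points the page calls out: the syslog PRI prefix (<134>, decoded to local0.info), keys that are present but carry an empty value, the space-separated list of URLs in the url= field, the {a,b,c} recipient list in dst_email_id=, and the json= payload of the health events. The three sample lines are shortened copies of the page's own examples with the line-wrap artifacts removed; the function names (parse_notification, severity, indicators) and the record layout are the editor's choices, not a documented API.

```python
"""Parser for the CEF and LEEF notification lines shown on this page.

Editor's added example, not Juniper ATP Appliance (Cyphort) code. The three
sample lines are shortened copies of the page's own examples; field names and
their meaning are taken from the page.
"""
import json
import re
from typing import Any, Dict, Optional

SYSLOG_PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
MARKER_RE = re.compile(r"\b(CEF|LEEF):")
PIPE_SPLIT_RE = re.compile(r"(?<!\\)\|")   # header pipes; CEF escapes a literal pipe as \|
# Split the extension on whitespace that is directly followed by "key=", so values
# that contain spaces (fileType=PE32 executable (GUI) ..., desc=..., a space-separated
# url list, the json= blob) stay in one piece. Tabs (LEEF's default delimiter) also match.
EXT_SPLIT_RE = re.compile(r"\s+(?=[A-Za-z_][A-Za-z0-9_]*=)")

# Syslog facility/severity names (RFC 5424); PRI = facility * 8 + severity.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + ["local%d" % i for i in range(8)]

CEF_HEADER = ("version", "vendor", "product", "product_version", "signature_id", "name", "severity")
LEEF_HEADER = ("version", "vendor", "product", "product_version", "event_id")

# Sample input: copies of this page's examples, shortened.
SAMPLE_PHISHING = ("Dec 3 16:42:24 IP Dec 03 16:42:54 hostname CEF:0|JATP|Cortex|3.6.0.1444|email|Phishing|8|externalId=1499 eventId=14058 lastActivityTime=2016-05-03 23:42:54+00 src= dst= src_hostname= dst_hostname= src_username= dst_username= src_email_id=src@abc.com dst_email_id={test1@abc.com,test2@abc.com,test3@abc.com} startTime=2016-05-03 23:42:54+00 url=http://greatfilesarey.asia/QA/files_to_pcaps/74280968a4917da52b5555351eeda969.bin http://greatfilesarey.asia/QA/files_to_pcaps/1813791bcecf3a3af699337723a30882.bin fileHash=bce00351cfc559afec5beb90ea387b03788e4af5 fileType=PE32 executable (GUI) Intel 80386, for MS Windows")
SAMPLE_HEALTH = ('<134>Nov 24 17:22:56 tap54.eng.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|3|traffic-health|5|desc=10.2.20.54 (10.2.20.54) received 0 KB of monitor traffic over last 10 minutes json={"pretty_age": "10 minutes", "ip": "10.2.20.54", "age": 10, "appliance": "10.2.20.54", "sample_size": 2, "traffic": "0"}')
SAMPLE_LEEF = ("<134>Sep 24 16:23:36 ovf-core.eng.ovf-core.com LEEF:1.0|Cyphort|Cortex|5.0.4.16|http|src=172.16.1.101 dst=172.16.1.105 usrName= devTime=2018-09-24 16:23:36 PDT cat=malware devTimeFormat=yyyy-MM-dd HH:mm:ss z sev=10 dst_hostname= src_hostname= src_username= incidentId=2614 eventId=80543 fileHash=a1e6d991e4464e7c018182951faa468c42ca3937 fileType=Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: Jonh Deddi, Security: 0 fileName=61646e7802b449ee02f7269129079829b5eae37c0b934b40475f1f0e94409ad4 malwareName=HEUR_MACRO fileHashMd5=7aeea812c00fcf77d4214f430078e3c4")


def decode_pri(pri: int) -> Dict[str, str]:
    """<134> -> local0.info, the value this page's syslog examples carry."""
    if not 0 <= pri <= 191:
        raise ValueError("syslog PRI out of range: %d" % pri)
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8]}


def parse_extension(ext: str) -> Dict[str, Any]:
    """key=value pairs. A null value keeps its key with "" so a consumer can tell
    'field absent' from 'field present but empty', as the page warns."""
    fields: Dict[str, Any] = {}
    for pair in EXT_SPLIT_RE.split(ext.strip()):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        if key == "url":                       # several URLs are space-separated
            fields[key] = value.split()
        elif key == "dst_email_id":            # {a,b,c} in CEF, a bare address in LEEF
            fields[key] = [v for v in value.strip("{}").split(",") if v]
        elif key == "json":                    # health events carry a JSON blob
            try:
                fields[key] = json.loads(value)
            except ValueError:
                fields[key] = value
        else:
            fields[key] = value
    return fields


def parse_notification(line: str) -> Dict[str, Any]:
    """Split one line into syslog PRI, relay prefix, CEF/LEEF header and extension."""
    rec: Dict[str, Any] = {"pri": None}
    m = SYSLOG_PRI_RE.match(line)
    if m:
        rec["pri"] = decode_pri(int(m.group("pri")))
    mk = MARKER_RE.search(line)
    if mk is None:
        raise ValueError("no CEF/LEEF marker in line")
    rec["format"] = mk.group(1)
    rec["prefix"] = line[:mk.start()].strip()   # relay timestamps, hostname, "JATP:" tag
    names = CEF_HEADER if rec["format"] == "CEF" else LEEF_HEADER
    parts = PIPE_SPLIT_RE.split(line[mk.start():], maxsplit=len(names))
    if len(parts) != len(names) + 1:
        raise ValueError("malformed %s header" % rec["format"])
    header = {n: p.replace("\\|", "|") for n, p in zip(names, parts)}
    header["version"] = header["version"].split(":", 1)[1]   # "CEF:0" -> "0"
    rec["header"] = header
    rec["ext"] = parse_extension(parts[-1])
    return rec


def severity(rec: Dict[str, Any]) -> Optional[int]:
    """0-10 severity: CEF carries it in the header, LEEF in the sev= extension key."""
    raw = rec["header"].get("severity") if rec["format"] == "CEF" else rec["ext"].get("sev")
    return int(raw) if raw else None


def indicators(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Non-empty IOC fields for enrichment or blocking; null fields are dropped here."""
    keys = ("src", "dst", "cncServers", "fileHash", "fileHashMd5", "fileName", "url", "malwareName")
    return {k: rec["ext"][k] for k in keys if rec["ext"].get(k)}


if __name__ == "__main__":
    for sample in (SAMPLE_PHISHING, SAMPLE_HEALTH, SAMPLE_LEEF):
        r = parse_notification(sample)
        print(r["format"], r["header"].get("name") or r["header"].get("event_id"),
              "sev=%s" % severity(r), "pri=%s" % r["pri"], indicators(r))
```

The extension splitter relies on one assumption that holds for every line on this page: no value contains whitespace immediately followed by something shaped like a key and an equals sign. The email_msg_id value in the last LEEF example contains an "=" but no whitespace before it, so it survives intact. A feed that does not satisfy that assumption needs a delimiter-aware parser instead of the lookahead.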