Trendmicro
LogZilla App Store application: Trendmicro
Overview
Trend Micro UnityOne is a cybersecurity platform that provides threat protection and network security services. The platform includes Tipping Point Intrusion Prevention Systems (IPS) and Advanced Threat Protection (ATP) capabilities.
App Function
The Trend Micro app parses UnityOne log messages and extracts security event information, creating user tags for threat analysis and network monitoring.
Vendor Documentation
- Tipping Point Security Management System (SMS)
- Tipping Point Threat Protection System (TPS)
- Tipping Point Advanced Threat Protection Analyzer Administrator's Guide
- Manage Logs
Incoming Log Format
UnityOne uses Trend Micro Event Format (TMEF), a customized event format developed by Trend Micro for reporting security event information. TMEF encodes each event as a single line of space-separated key="value" fields, so the message is structured rather than free text (see the Log Examples below).
Parsed Metadata Fields
| Tagged | Tag Name | Field Name | Example | Description |
|---|---|---|---|---|
| ☑ | event_class | event_class | 7610 | Tipping Point event class |
| ☑ | Protocol | app | IP | network protocol |
| ☑ | SrcIP | src | 185.153.64.126 | source IP address |
| ☑ | SrcPort | spt | dynamic | source IP port |
| ☑ | SrcIPv6 | src_ipv6 | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | source IPv6 address |
| ☑ | DstIP | dst | 134.122.53.164 | destination IP address |
| ☑ | DestPort | dpt | mysql | destination IP port |
| ☑ | DstIPv6 | dst_ipv6 | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | destination IPv6 address |
| ☑ | act | act | Block | action taken |
| ☑ | dvchost | dvchost | bwi1-ips-01 | device host |
| ☑ | cat | cat | Reputation | Tipping Point category |
| ☑ | requestMethod | requestMethod | POST | HTTP request method |
| ☑ | dhost | dhost | testhost.com | destination host |
| ☑ | sourceTranslatedAddress | sourceTranslatedAddress | 11.22.33.44 | proxy address |
| ☑ | cs1 | cs1 | Customer-TestCompany-6335 | market |
| ☐ | | vendor | Tipping Point | vendor |
| ☐ | | product | UnityOne | product |
| ☐ | | version | 1.0.0.17 | OS version |
| ☐ | | event_description | 246 | text of event description |
| ☐ | | severity | 0 | event severity |
| ☐ | | cnt | 0 | event count |
| ☐ | | request | n/a | request URI |
| ☐ | | cs5 | vsms.edge.domain | (unknown) |
Additional User Tags
Two additional user tags are generated based on message data:
| Tag Name | Description |
|---|---|
| Event Type | Security event classification |
| MITRE Category | MITRE ATT&CK framework category |
These tags are derived from the ATT&CK data included in the message.
High-Cardinality (HC) Tags
- SrcIP
- DstIP
- SrcIPv6
- DstIPv6
- sourceTranslatedAddress
Field Notes
Port Translation
SrcPort and DstPort fields are translated from port numbers to service names in user tags (e.g., port 443 becomes https).
Log Examples
Block Outgoing Connection
```text
vendor="TippingPoint" product="UnityOne" version="1.0.0.17" event_class="7610" event_description="Banned" severity="1" app="IP" cnt="1" src="11.22.33.44" sourceTranslatedAddress="99.88.77.66" spt="43763" dst="55.66.77.88" dpt="3306" act="Block" cs1="DB-Market-BWI" cs5="vsms.edge.domain" dvchost="bwi1-ips-01" cat="Reputation" src_ipv6="n/a" dst_ipv6="n/a" request="n/a" requestMethod="n/a" dhost="n/a"
```
Permit Windows RDP Connection
```text
vendor="TippingPoint" product="UnityOne" version="50.179.179.104" event_class="5873" event_description="5873: RDP: Windows Remote Desktop Access (ATT&CK T1076)" severity="1" app="TCP" cnt="1" src="51.231.237.140" sourceTranslatedAddress="51.231.237.140" spt="49799" dst="120.164.31.48" dpt="3389" act="Permit" cs1="DB-Market-BWI" cs5="vsms.edge.domain" dvchost="bwi1-ips-01" cat="Security Policy" src_ipv6="n/a" dst_ipv6="n/a" request="n/a" requestMethod="n/a" dhost="n/a"
```
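The following is an added example, not the LogZilla app's own parser, that ties together the Incoming Log Format, Port Translation and Additional User Tags sections: it parses the two sample TMEF lines above as key="value" pairs, maps raw field names to the user tag names from the metadata table, translates ports to service names, and pulls the ATT&CK technique ID out of event_description. Assumptions, also marked in the code: the small PORT_NAMES table and the IANA dynamic-port threshold stand in for a real services database, and the Event Type heuristic (the second segment of an "NNNN: TYPE: text" description) is this example's guess at how the tag is derived, not the vendor's or LogZilla's documented rule.

```python
"""Parse Trend Micro Event Format (TMEF) lines and derive user tags.

Added example for this page; it is not LogZilla's parser and its heuristics
are assumptions marked below.
"""
import re
from typing import Dict, Optional

# The two sample events from the Log Examples section of this page.
SAMPLE_BLOCK = (
    'vendor="TippingPoint" product="UnityOne" version="1.0.0.17" event_class="7610" '
    'event_description="Banned" severity="1" app="IP" cnt="1" src="11.22.33.44" '
    'sourceTranslatedAddress="99.88.77.66" spt="43763" dst="55.66.77.88" dpt="3306" '
    'act="Block" cs1="DB-Market-BWI" cs5="vsms.edge.domain" dvchost="bwi1-ips-01" '
    'cat="Reputation" src_ipv6="n/a" dst_ipv6="n/a" request="n/a" requestMethod="n/a" dhost="n/a"'
)
SAMPLE_PERMIT = (
    'vendor="TippingPoint" product="UnityOne" version="50.179.179.104" event_class="5873" '
    'event_description="5873: RDP: Windows Remote Desktop Access (ATT&CK T1076)" severity="1" '
    'app="TCP" cnt="1" src="51.231.237.140" sourceTranslatedAddress="51.231.237.140" spt="49799" '
    'dst="120.164.31.48" dpt="3389" act="Permit" cs1="DB-Market-BWI" cs5="vsms.edge.domain" '
    'dvchost="bwi1-ips-01" cat="Security Policy" src_ipv6="n/a" dst_ipv6="n/a" request="n/a" '
    'requestMethod="n/a" dhost="n/a"'
)

# TMEF here is a run of key="value" pairs separated by spaces. Values may contain
# spaces, colons and parentheses (see event_description), so match up to the
# closing quote instead of splitting the line on whitespace.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# ATT&CK technique IDs are embedded in the description, e.g. "(ATT&CK T1076)".
ATTACK_RE = re.compile(r'\(ATT&CK\s+(T\d{4}(?:\.\d{3})?)\)')

# Assumption: a tiny port-to-service table standing in for a full services database.
PORT_NAMES = {"22": "ssh", "80": "http", "443": "https", "3306": "mysql", "3389": "ms-wbt-server"}
IANA_DYNAMIC_START = 49152  # assumption: ports at or above this are reported as "dynamic"

# Raw TMEF field name -> user tag name, taken from the Parsed Metadata Fields table.
TAG_FOR_FIELD = {
    "event_class": "event_class", "app": "Protocol", "src": "SrcIP", "spt": "SrcPort",
    "src_ipv6": "SrcIPv6", "dst": "DstIP", "dpt": "DstPort", "dst_ipv6": "DstIPv6",
    "act": "act", "dvchost": "dvchost", "cat": "cat", "requestMethod": "requestMethod",
    "dhost": "dhost", "sourceTranslatedAddress": "sourceTranslatedAddress", "cs1": "cs1",
}


def parse_tmef(line: str) -> Dict[str, str]:
    """Return every key/value pair on the line; a repeated key keeps its last value."""
    return dict(KV_RE.findall(line))


def translate_port(port: str) -> str:
    """Port number -> service name; ephemeral ports -> 'dynamic'; anything else unchanged."""
    if not port.isdigit():
        return port
    if port in PORT_NAMES:
        return PORT_NAMES[port]
    return "dynamic" if int(port) >= IANA_DYNAMIC_START else port


def mitre_technique(description: str) -> Optional[str]:
    """Extract the ATT&CK technique ID from an event description, if present."""
    match = ATTACK_RE.search(description)
    return match.group(1) if match else None


def event_type(description: str) -> str:
    """Assumed heuristic: for 'NNNN: TYPE: text' descriptions return TYPE, else the whole text."""
    parts = [p.strip() for p in description.split(":")]
    if len(parts) >= 3 and parts[0].isdigit():
        return parts[1]
    return description


def user_tags(line: str) -> Dict[str, str]:
    """Build the tagged fields plus the Event Type and MITRE Category user tags."""
    fields = parse_tmef(line)
    tags: Dict[str, str] = {}
    for field, tag in TAG_FOR_FIELD.items():
        value = fields.get(field)
        if value is None or value == "n/a":  # "n/a" placeholders carry no information
            continue
        if field in ("spt", "dpt"):
            value = translate_port(value)
        tags[tag] = value
    description = fields.get("event_description", "")
    tags["Event Type"] = event_type(description)
    technique = mitre_technique(description)
    if technique:
        tags["MITRE Category"] = technique
    return tags


if __name__ == "__main__":
    for sample in (SAMPLE_BLOCK, SAMPLE_PERMIT):
        for name, value in user_tags(sample).items():
            print(f"{name}: {value}")
        print()
```

Running the block prints the tag set for each sample; note that the "n/a" IPv6, request and dhost fields are dropped rather than emitted as tags, and that only the second sample yields a MITRE Category because only its description carries an ATT&CK reference.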