Trendmicro Deep Discovery Inspector¶
About¶
Trend Micro™ Deep Discovery™ Inspector is available as a physical or virtual network appliance. It’s designed to quickly detect advanced malware that typically bypasses traditional security defenses and exfiltrates sensitive data. Specialized detection engines and custom sandbox analysis detect and prevent breaches.
Product Details¶
Vendor URL: Trendmicro Deep Discovery Inspector
Product Type: Virtual network appliance (also shipped as a physical appliance)
Product Tier: Tier I
Integration Method: Syslog
Parser Details¶
Log Format: CEF
Expected Normalization Rate: 95%
Data Label: TRENDMICRO_DDI
UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| act | security_result.action_details |
| app | target.application |
| cat | security_result.summary |
| cn3 | security_result.about.labels |
| cs1 | security_result.about.labels |
| cs4 | security_result.about.labels |
| cs5 | security_result.about.labels |
| cs6 | security_result.about.labels |
| name (CEF header) | metadata.description |
| deviceDirection | network.direction |
| deviceExternalId | observer.asset.product_object_id |
| devicePayloadId | additional.fields |
| dhost | target.hostname |
| dmac | target.mac |
| dpt | target.port |
| dst | target.ip |
| duser | target.user.userid |
| dvc | observer.ip |
| dvchost | observer.hostname |
| dvcmac | observer.mac |
| event_id | metadata.product_log_id |
| fileHash | target.file.sha1 |
| fileType | security_result.about.labels |
| flexNumber1 | security_result.about.labels |
| outcome | security_result.action |
| request | target.url |
| severity (CEF header) | security_result.severity_details |
| severity (CEF header) | security_result.about.investigation.severity_score |
| shost | principal.hostname |
| smac | principal.mac |
| spt | principal.port |
| src | principal.ip |
| suser | principal.user.userid |

The custom CEF fields (cn3, cs1, cs4, cs5, cs6, flexNumber1) are stored as key/value labels under security_result.about.labels. The label key is taken from the matching *Label extension (cn3Label, cs6Label, flexNumber1Label, ...), so a value such as cs6=Lateral Movement appears under the key pAttackPhase rather than cs6. fileType has no companion label field and is stored under its own name. deviceDirection follows the CEF convention: 0 is mapped to INBOUND and 1 to OUTBOUND.
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| General | GENERIC_EVENT |
Log Sample¶
<158>CEF:0|Trend Micro|Deep Discovery Inspector|6.0.2026|1539|Windows Remote Management Service Detected - HTTP (Request)|4|dvc=10.100.100.00 dvcmac=10:1A:00:B1:3C:5B dvchost=obs_host deviceExternalId=1a2b3c4b5d-12345678-a1123-b567-1234 rt=Nov 04 2023 03:24:20 GMT+09:00 app=HTTP deviceDirection=1 dhost=dhost@example.com dst=10.100.200.00 dpt=5985 dmac=10:ex:10:10:10:10 shost=shost@example.com src=10.123.123.100 spt=56683 smac=00:10:1a:a1:00:1b cs3Label=HostName_Ext cs3=host.example.com fileType=-65536 fsize=0 requestClientApplication=Microsoft WinRM Client act=not blocked cn3Label=Threat Type cn3=2 destinationTranslatedAddress=10.100.200.00 sourceTranslatedAddress=10.123.123.100 cnt=20 cat=Suspicious Traffic cs6Label=pAttackPhase cs6=Lateral Movement flexNumber1Label=vLANId flexNumber1=1234 request=http://dhost@example.com devicePayloadId=1:1234567
Sample Parsing¶
additional.fields["devicePayloadId"] = "1:1234567"
metadata.description = "Windows Remote Management Service Detected - HTTP (Request)"
metadata.event_type = "GENERIC_EVENT"
metadata.log_type = "TRENDMICRO_DDI"
metadata.product_name = "Deep Discovery Inspector"
metadata.product_version = "6.0.2026"
metadata.vendor_name = "Trend Micro"
network.direction = "OUTBOUND"
observer.asset.product_object_id = "1a2b3c4b5d-12345678-a1123-b567-1234"
observer.hostname = "obs_host"
observer.ip = "10.100.100.00"
observer.mac = "10:1A:00:B1:3C:5B"
principal.hostname = "shost@example.com"
principal.ip = "10.123.123.100"
principal.mac = "00:10:1a:a1:00:1b"
principal.port = 56683
security_result.about.labels.key = "fileType"
security_result.about.labels.value = "-65536"
security_result.about.labels.key = "vLANId"
security_result.about.labels.value = "1234"
security_result.about.labels.key = "Threat Type"
security_result.about.labels.value = "2"
security_result.about.labels.key = "pAttackPhase"
security_result.about.labels.value = "Lateral Movement"
security_result.action_details = "not blocked"
security_result.severity_details = "4"
security_result.summary = "Suspicious Traffic"
target.application = "HTTP"
target.hostname = "dhost@example.com"
target.ip = "10.100.200.00"
target.mac = "10:ex:10:10:10:10"
target.port = 5985
target.url = "http://dhost@example.com"
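The mapping above, as an added example that is not the page's parser or Trend Micro code: a small Python CEF-to-UDM mapper that splits the syslog-wrapped CEF header and extension (honouring CEF backslash escapes and values that contain spaces), applies the field table to the log sample, and then runs one illustrative triage check over the result. The flat dotted-key output shape, the `UNKNOWN_DIRECTION` fallback and the `is_unblocked_lateral_movement` rule are assumptions made for the example; the embedded line is the page's log sample with the request= value written with a single http:// scheme.

```python
# Added example (not the page's parser or Trend Micro code): parse the DDI CEF
# sample and apply the page's field table to build a flat, dotted-key UDM dict.
import re

# The page's log sample (request= value written with a single http:// scheme).
SAMPLE_LINE = (
    "<158>CEF:0|Trend Micro|Deep Discovery Inspector|6.0.2026|1539|"
    "Windows Remote Management Service Detected - HTTP (Request)|4|"
    "dvc=10.100.100.00 dvcmac=10:1A:00:B1:3C:5B dvchost=obs_host "
    "deviceExternalId=1a2b3c4b5d-12345678-a1123-b567-1234 "
    "rt=Nov 04 2023 03:24:20 GMT+09:00 app=HTTP deviceDirection=1 "
    "dhost=dhost@example.com dst=10.100.200.00 dpt=5985 dmac=10:ex:10:10:10:10 "
    "shost=shost@example.com src=10.123.123.100 spt=56683 smac=00:10:1a:a1:00:1b "
    "cs3Label=HostName_Ext cs3=host.example.com fileType=-65536 fsize=0 "
    "requestClientApplication=Microsoft WinRM Client act=not blocked "
    "cn3Label=Threat Type cn3=2 destinationTranslatedAddress=10.100.200.00 "
    "sourceTranslatedAddress=10.123.123.100 cnt=20 cat=Suspicious Traffic "
    "cs6Label=pAttackPhase cs6=Lateral Movement flexNumber1Label=vLANId "
    "flexNumber1=1234 request=http://dhost@example.com devicePayloadId=1:1234567"
)

CEF_HEADER = ("cef_version", "vendor", "product", "version",
              "signature_id", "name", "severity")
# Extension keys the table folds into security_result.about.labels; the label
# key comes from the companion *Label field when present (cn3Label, cs6Label, ...).
LABEL_FIELDS = ("fileType", "flexNumber1", "cn3", "cs1", "cs4", "cs5", "cs6")
# Direct key -> UDM path rows from the field table.
DIRECT_FIELDS = {
    "act": "security_result.action_details", "outcome": "security_result.action",
    "cat": "security_result.summary", "app": "target.application",
    "deviceExternalId": "observer.asset.product_object_id",
    "dhost": "target.hostname", "dmac": "target.mac", "dst": "target.ip",
    "duser": "target.user.userid", "dvc": "observer.ip",
    "dvchost": "observer.hostname", "dvcmac": "observer.mac",
    "fileHash": "target.file.sha1", "request": "target.url",
    "shost": "principal.hostname", "smac": "principal.mac",
    "src": "principal.ip", "suser": "principal.user.userid",
}
PORT_FIELDS = {"dpt": "target.port", "spt": "principal.port"}
DIRECTION = {"0": "INBOUND", "1": "OUTBOUND"}  # CEF deviceDirection convention

# A key starts the extension or follows whitespace, so an '=' inside a value
# (a URL query string, an escaped \=) does not split that value.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z][A-Za-z0-9_]*)=")


def _unescape(text):
    # CEF escapes '|' in the header and '=' in extensions with a backslash,
    # plus the usual \\, \n and \r.
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  text)


def parse_cef(line):
    """Return (header dict, extension dict) for one syslog-wrapped CEF line."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    # Seven header fields, then everything else is the extension (maxsplit=7
    # keeps unescaped pipes inside extension values intact).
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("truncated CEF header")
    header = dict(zip(CEF_HEADER, (_unescape(p) for p in parts[:7])))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    ext, keys = {}, list(_KEY_RE.finditer(parts[7]))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        ext[m.group(1)] = _unescape(parts[7][m.end():end].strip())
    return header, ext


def to_udm(line):
    """Apply the page's field table to one DDI line; returns dotted UDM keys."""
    header, ext = parse_cef(line)
    udm = {
        "metadata.log_type": "TRENDMICRO_DDI",
        "metadata.event_type": "GENERIC_EVENT",
        "metadata.vendor_name": header["vendor"],
        "metadata.product_name": header["product"],
        "metadata.product_version": header["version"],
        "metadata.description": header["name"],
        "security_result.severity_details": header["severity"],
    }
    for key, path in DIRECT_FIELDS.items():
        if key in ext:
            udm[path] = ext[key]
    for key, path in PORT_FIELDS.items():
        if ext.get(key, "").isdigit():
            udm[path] = int(ext[key])
    if "deviceDirection" in ext:
        udm["network.direction"] = DIRECTION.get(ext["deviceDirection"], "UNKNOWN_DIRECTION")
    labels = [{"key": ext.get(k + "Label", k), "value": ext[k]}
              for k in LABEL_FIELDS if k in ext]
    if labels:
        udm["security_result.about.labels"] = labels
    if "devicePayloadId" in ext:
        udm["additional.fields"] = {"devicePayloadId": ext["devicePayloadId"]}
    return udm


def is_unblocked_lateral_movement(udm):
    """Hypothetical triage rule: DDI tagged the flow Lateral Movement and did not block it."""
    phases = {lbl["value"] for lbl in udm.get("security_result.about.labels", [])
              if lbl["key"] == "pAttackPhase"}
    return "Lateral Movement" in phases and udm.get("security_result.action_details") == "not blocked"


if __name__ == "__main__":
    for path, value in sorted(to_udm(SAMPLE_LINE).items()):
        print(f"{path} = {value!r}")
```

Running the block prints the same assignments as the Sample Parsing section, with the label list carrying the *Label keys (fileType, vLANId, Threat Type, pAttackPhase). Note that rt, cs3, fsize, cnt and the translated addresses are parsed but not mapped, matching the field table; a real deployment would at least turn rt into the event timestamp.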