
Trendmicro Deep Discovery Inspector


About

Trend Micro™ Deep Discovery™ Inspector is available as a physical or virtual network appliance. It’s designed to quickly detect advanced malware that typically bypasses traditional security defenses and exfiltrates sensitive data. Specialized detection engines and custom sandbox analysis detect and prevent breaches.

Product Details

Vendor URL: Trendmicro Deep Discovery Inspector

Product Type: Virtual network appliance

Product Tier: Tier I

Integration Method: Syslog

Parser Details

Log Format: CEF

Expected Normalization Rate: 95%

Data Label: TRENDMICRO_DDI

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field     UDM Field
--------------     ---------
act                security_result.action_details
app                target.application
cn3                security_result.about.labels
cs1                security_result.about.labels
cs4                security_result.about.labels
cs5                security_result.about.labels
cs6                security_result.about.labels
description        metadata.description
deviceDirection    network.direction
deviceExternalId   observer.asset.product_object_id
devicePayloadId    additional.fields
dhost              target.hostname
dmac               target.mac
dpt                target.port
dst                target.ip
duser              target.user.userid
dvc                observer.ip
dvchost            observer.hostname
dvcmac             observer.mac
event_id           metadata.product_log_id
fileHash           target.file.sha1
fileType           security_result.about.labels
flexNumber1        security_result.about.labels
outcome            security_result.action
request            target.url
severity_details   security_result.severity_details
severity_details   security_result.about.investigation.severity_score
shost              principal.hostname
smac               principal.mac
spt                principal.port
src                principal.ip
suser              principal_host

Product Event Types

Event     UDM Event Classification
-----     ------------------------
General   GENERIC_EVENT

Log Sample

<158>CEF:0|Trend Micro|Deep Discovery Inspector|6.0.2026|1539|Windows Remote Management Service Detected - HTTP (Request)|4|dvc=10.100.100.00 dvcmac=10:1A:00:B1:3C:5B dvchost=obs_host deviceExternalId=1a2b3c4b5d-12345678-a1123-b567-1234 rt=Nov 04 2023 03:24:20 GMT+09:00 app=HTTP deviceDirection=1 dhost=dhost@example.com dst=10.100.200.00 dpt=5985 dmac=10:ex:10:10:10:10 shost=shost@example.com src=10.123.123.100 spt=56683 smac=00:10:1a:a1:00:1b cs3Label=HostName_Ext cs3=host.example.com fileType=-65536 fsize=0 requestClientApplication=Microsoft WinRM Client act=not blocked cn3Label=Threat Type cn3=2 destinationTranslatedAddress=10.100.200.00 sourceTranslatedAddress=10.123.123.100 cnt=20 cat=Suspicious Traffic cs6Label=pAttackPhase cs6=Lateral Movement flexNumber1Label=vLANId flexNumber1=1234 request=http://http://dhost@example.com devicePayloadId=1:1234567

Sample Parsing

additional.fields["devicePayloadId"] = "1:1234567:"
metadata.description = "Windows Remote Management Service Detected - HTTP (Request)"
metadata.event_type = "GENERIC_EVENT"
metadata.log_type = "TRENDMICRO_DDI"
metadata.product_name = "Deep Discovery Inspector"
metadata.product_version = "6.0.2026"
metadata.vendor_name = "Trend Micro"
network.direction = "OUTBOUND"
observer.asset.product_object_id = "1a2b3c4b5d-12345678-a1123-b567-1234"
observer.hostname = "obs_host"
observer.ip = "10.100.100.00"
observer.mac = "10:1A:00:B1:3C:5B"
principal.hostname = "shost@example.com"
principal.ip = "10.123.123.100"
principal.mac = "00:10:1a:a1:00:1b"
principal.port = 56683
security_result.about.labels.key = "fileType"
security_result.about.labels.value = "-65536"
security_result.about.labels.key = "vLANId"
security_result.about.labels.value = "1234"
security_result.about.labels.key = "Threat Type"
security_result.about.labels.value = "2"
security_result.about.labels.key = "pAttackPhase"
security_result.about.labels.value = "Lateral Movement"
security_result.action_details = "not blocked"
security_result.severity_details = "4"
security_result.summary = "Suspicious Traffic"
target.application = "HTTP"
target.hostname = "dhost@example.com"
target.ip = "10.100.200.00"
target.mac = "10:ex:10:10:10:10"
target.port = 5985
target.url = "http://dhost@example.com"
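To show how the CEF record above turns into the UDM fields in the table, here is an added example parser (not the product's or the vendor's parser): it splits the pipe-delimited CEF header, tokenizes the extension so that values containing spaces (rt, act, cat) survive, pairs cs*/cn*/flexNumber* fields with their sibling *Label keys into security_result.about.labels, and applies a subset of the page's mapping table. The INBOUND/OUTBOUND mapping for deviceDirection is assumed from the sample (1 maps to OUTBOUND); the SAMPLE constant is trimmed from the page's log sample.

```python
import re

# Subset of the page's CEF-to-UDM table (constructed for this example)
DIRECT = {"act": "security_result.action_details", "app": "target.application",
          "dhost": "target.hostname", "dmac": "target.mac", "dst": "target.ip", "dvc": "observer.ip",
          "dvchost": "observer.hostname", "dvcmac": "observer.mac", "request": "target.url",
          "deviceExternalId": "observer.asset.product_object_id", "cat": "security_result.summary",
          "shost": "principal.hostname", "smac": "principal.mac", "src": "principal.ip"}
INT_FIELDS = {"dpt": "target.port", "spt": "principal.port"}
LABEL_FIELDS = ("cn3", "cs1", "cs4", "cs5", "cs6", "fileType", "flexNumber1")
HEADER = ("cef", "vendor", "product", "product_version", "signature_id", "name", "severity")
DIRECTION = {"0": "INBOUND", "1": "OUTBOUND"}  # CEF deviceDirection (assumed; page shows 1 -> OUTBOUND)

def parse_cef(line):
    """Return (header dict, extension dict) for one CEF line, dropping any syslog PRI."""
    parts = re.sub(r"^<\d{1,3}>", "", line.strip()).split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Extension values may contain spaces (rt, act, cat): a new key begins only at " key="
    ext = dict(t.partition("=")[::2] for t in re.split(r" (?=[A-Za-z0-9_]+=)", parts[7]))
    return dict(zip(HEADER, parts[:7])), ext

def to_udm(line):
    """Map one DDI CEF line onto the UDM fields listed in the page's table."""
    header, ext = parse_cef(line)
    udm = {"metadata.vendor_name": header["vendor"], "metadata.product_name": header["product"],
           "metadata.product_version": header["product_version"], "metadata.description": header["name"],
           "security_result.severity_details": header["severity"]}
    for cef_key, udm_key in DIRECT.items():
        if cef_key in ext:
            udm[udm_key] = ext[cef_key]
    for cef_key, udm_key in INT_FIELDS.items():
        if ext.get(cef_key, "").isdigit():
            udm[udm_key] = int(ext[cef_key])
    if ext.get("deviceDirection") in DIRECTION:
        udm["network.direction"] = DIRECTION[ext["deviceDirection"]]
    # cs*/cn*/flexNumber* fields carry their display name in a sibling <field>Label key
    udm["security_result.about.labels"] = [{"key": ext.get(f + "Label", f), "value": ext[f]}
                                           for f in LABEL_FIELDS if f in ext]
    return udm

# Trimmed from the page's own log sample: header, spaced values, Label pairs, direction, ports
SAMPLE = ("<158>CEF:0|Trend Micro|Deep Discovery Inspector|6.0.2026|1539|Windows Remote Management "
          "Service Detected - HTTP (Request)|4|dvc=10.100.100.00 dvchost=obs_host rt=Nov 04 2023 03:24:20 "
          "GMT+09:00 app=HTTP deviceDirection=1 dhost=dhost@example.com dst=10.100.200.00 dpt=5985 "
          "shost=shost@example.com src=10.123.123.100 spt=56683 fileType=-65536 act=not blocked "
          "cn3Label=Threat Type cn3=2 cat=Suspicious Traffic cs6Label=pAttackPhase cs6=Lateral Movement "
          "flexNumber1Label=vLANId flexNumber1=1234 devicePayloadId=1:1234567")
```

Running `to_udm(SAMPLE)` reproduces the Sample Parsing values above for the mapped fields; a record that lacks the seven CEF header columns is rejected rather than partially mapped.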