
Rule Function

Trend Micro provides cybersecurity services via the UnityOne product. This rule parses several fields and sets corresponding user tags (see below).

Vendor Documentation

Incoming Log Format

The log format used is Trend Micro Event Format (TMEF), a customized event format developed by Trend Micro and used by Trend Micro products for reporting event information. A TMEF record consists of space-separated key="value" fields.

User Tags

| Tagged | Tag Name | Field Name | Example | Description |
|---|---|---|---|---|
| yes | event_class | event_class | 7610 | Tipping Point event class |
| yes | Protocol | app | IP | network protocol |
| yes | SrcIP | src | | source IP address |
| yes | SrcPort | spt | dynamic | source IP port |
| yes | SrcIPv6 | src_ipv6 | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | source IPv6 address |
| yes | DstIP | dst | | destination IP address |
| yes | DestPort | dpt | mysql | destination IP port |
| yes | DstIPv6 | dst_ipv6 | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | destination IPv6 address |
| yes | act | act | Block | action taken |
| yes | dvchost | dvchost | bwi1-ips-01 | device host |
| yes | cat | cat | Reputation | Tipping Point category |
| yes | requestMethod | requestMethod | POST | HTTP request method |
| yes | dhost | dhost | | destination host |
| yes | sourceTranslatedAddress | sourceTranslatedAddress | | proxy address |
| yes | cs1 | cs1 | Customer-TestCompany-6335 | market |
| no | | vendor | Tipping Point | vendor |
| no | | product | UnityOne | product |
| no | | version | OS | version |
| no | | event_description | 246 | text of event description |
| no | | severity | 0 | event severity |
| no | | cnt | 0 | event count |
| no | | request | n/a | request URI |
| no | | cs5 | vsms.edge.domain | (unknown) |

In addition, two further user tags are set based on the data in the message:

  1. Event Type
  2. MITRE Category

These are determined from the ATT&CK data included in the message.

HC Tags


Field Notes

SrcPort, DstPort

These fields are translated from the port numbers in the incoming log message to the corresponding service name in the user tag (for example, port number 443 is translated to https).

Log Examples

Block outgoing connection

vendor="TippingPoint" product="UnityOne" version=""
event_class="7610" event_description="Banned" severity="1" app="IP"
cnt="1" src="" sourceTranslatedAddress=""
spt="43763" dst="" dpt="3306" act="Block"
cs1="DB-Market-BWI" cs5="vsms.edge.domain" dvchost="bwi1-ips-01"
cat="Reputation" src_ipv6="n/a" dst_ipv6="n/a" request="n/a"
requestMethod="n/a" dhost="n/a"

Permit Windows RDP connection

vendor="TippingPoint"   product="UnityOne" version=""
event_class="5873" event_description="5873: RDP: Windows Remote Desktop
Access (ATT&CK T1076)" severity="1" app="TCP" cnt="1"
src="" sourceTranslatedAddress=""
spt="49799" dst="" dpt="3389" act="Permit"
cs1="DB-Market-BWI" cs5="vsms.edge.domain" dvchost="bwi1-ips-01"
cat="Security Policy" src_ipv6="n/a" dst_ipv6="n/a" request="n/a"
requestMethod="n/a" dhost="n/a"
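The parsing steps this page describes (splitting the key="value" record, mapping fields to user tags, translating SrcPort/DstPort to service names, and deriving Event Type and MITRE Category from the ATT&CK text in event_description), as an added illustrative example that is not the vendor's or the rule's own code. The service table, the "dynamic" label for ports in the IANA dynamic range, and the way Event Type is cut out of the description are assumptions; the sample record is constructed from the RDP example above.

```python
import re

# Constructed sample record, built from the "Permit Windows RDP connection" example above
# (the wrapped event_description joined back onto one line).
SAMPLE = ('vendor="TippingPoint" product="UnityOne" version="" event_class="5873" '
          'event_description="5873: RDP: Windows Remote Desktop Access (ATT&CK T1076)" '
          'severity="1" app="TCP" cnt="1" src="" sourceTranslatedAddress="" spt="49799" '
          'dst="" dpt="3389" act="Permit" cs1="DB-Market-BWI" cs5="vsms.edge.domain" '
          'dvchost="bwi1-ips-01" cat="Security Policy" src_ipv6="n/a" dst_ipv6="n/a" '
          'request="n/a" requestMethod="n/a" dhost="n/a"')

KV_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value"; the value may be empty
ATTACK_RE = re.compile(r'\(ATT&CK\s+(T\d{4}(?:\.\d{3})?)\)')  # technique or sub-technique id

# Field name -> user tag name, as listed in the User Tags table above.
TAG_MAP = {"event_class": "event_class", "app": "Protocol", "src": "SrcIP", "spt": "SrcPort",
           "src_ipv6": "SrcIPv6", "dst": "DstIP", "dpt": "DestPort", "dst_ipv6": "DstIPv6",
           "act": "act", "dvchost": "dvchost", "cat": "cat", "requestMethod": "requestMethod",
           "dhost": "dhost", "sourceTranslatedAddress": "sourceTranslatedAddress", "cs1": "cs1"}
# Assumed, deliberately small port -> service table standing in for the rule's own lookup.
SERVICES = {22: "ssh", 80: "http", 443: "https", 3306: "mysql", 3389: "ms-wbt-server"}

def parse_tmef(line):
    """Split one space-separated TMEF record into a dict of raw field values."""
    return dict(KV_RE.findall(line))

def port_to_service(port):
    """443 -> 'https'; ports in the IANA dynamic range (assumed) -> 'dynamic'; else unchanged."""
    if not port.isdigit():
        return port  # "" or "n/a" pass through untouched
    n = int(port)
    if n in SERVICES:
        return SERVICES[n]
    return "dynamic" if n >= 49152 else port

def build_user_tags(line):
    """Apply the tag mapping, port translation and ATT&CK extraction to one record."""
    fields = parse_tmef(line)
    tags = {TAG_MAP[k]: v for k, v in fields.items() if k in TAG_MAP}
    for name in ("SrcPort", "DestPort"):
        if name in tags:
            tags[name] = port_to_service(tags[name])
    desc = fields.get("event_description", "")
    m = ATTACK_RE.search(desc)
    if m:  # ATT&CK data present: set the two extra tags (Event Type derivation is assumed)
        tags["MITRE Category"] = m.group(1)
        tags["Event Type"] = desc[:m.start()].split(":", 1)[-1].strip()
    return tags

if __name__ == "__main__":
    for k, v in sorted(build_user_tags(SAMPLE).items()):
        print(f"{k} = {v!r}")
```

Records without an ATT&CK reference (such as the "Banned" example above) get only the mapped field tags, so the two MITRE-derived tags must be treated as optional downstream.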