UnityOne
Rule Function
Trend Micro provides cybersecurity services via the UnityOne product. This rule parses several fields from UnityOne log messages and sets the corresponding user tags listed below.
Vendor Documentation
- Tipping Point Security Management System (SMS)
- Tipping Point Threat Protection System (TPS)
- Tipping Point Advanced Threat Protection Analyzer Administrator's Guide
- Manage Logs
- Syslog Content Mapping Guide
Incoming Log Format
The log format is Trend Micro Event Format (TMEF), a custom event format developed by Trend Micro and used by Trend Micro products to report event information. A message consists of space-separated key-value fields; as the log examples below show, each value is enclosed in double quotes, so a value may itself contain spaces.
User Tags
Tagged | Tag Name | Field Name | Example | Description |
---|---|---|---|---|
☑ | event_class | event_class | 7610 | Tipping Point event class |
☑ | Protocol | app | IP | network protocol |
☑ | SrcIP | src | 185.153.64.126 | source IP address |
☑ | SrcPort | spt | dynamic | source IP port |
☑ | SrcIPv6 | src_ipv6 | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | source IPv6 address |
☑ | DstIP | dst | 134.122.53.164 | destination IP address |
☑ | DestPort | dpt | mysql | destination IP port |
☑ | DstIPv6 | dst_ipv6 | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | destination IPv6 address |
☑ | act | act | Block | action taken |
☑ | dvchost | dvchost | bwi1-ips-01 | device host |
☑ | cat | cat | Reputation | Tipping Point category |
☑ | requestMethod | requestMethod | POST | HTTP request method |
☑ | dhost | dhost | testhost.com | destination host |
☑ | sourceTranslatedAddress | sourceTranslatedAddress | 11.22.33.44 | proxy address |
☑ | cs1 | cs1 | Customer-TestCompany-6335 | market |
 | | vendor | Tipping Point | vendor |
 | | product | UnityOne | product |
 | | version | 1.0.0.17 | OS version |
 | | event_description | 246 | text of event description |
 | | severity | 0 | event severity |
 | | cnt | 0 | event count |
 | | request | n/a | request URI |
 | | cs5 | vsms.edge.domain | (unknown) |
In addition, two further user tags are set based on the data in the message:
- Event Type
- MITRE Category
These are determined from the ATT&CK data included in the message (see the event_description field in the second log example below).
HC Tags
Field Notes
SrcPort, DstPort: these fields are translated from the port number in the incoming log message to the port's service name in the user tag (for example, port number 443 is translated to https).
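As an added illustration (not the rule's own code, and not Trend Micro's), the following Python module splits a TMEF message into its key="value" fields, maps the tagged fields to the user tag names in the table above, applies the port-to-service translation from the field notes, and pulls the ATT&CK technique ID out of event_description. The port-to-service table, the cut-off above which a port is reported as dynamic, and the mitre_technique tag name are assumptions made for this example; the two sample messages are the log examples from this page.

```python
"""Parse Trend Micro Event Format (TMEF) messages from a TippingPoint / UnityOne
syslog feed and build the user tags described in the tag table.

Added illustration, not the parsing rule's own code. The port-to-service table,
the "dynamic" cut-off and the mitre_technique tag name are assumptions; the
TMEF field names come from the log examples on this page."""
import re

# key="value" pairs separated by spaces; a value may contain spaces, so the
# match only ends at the closing double quote.
_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# TMEF field name -> user tag name, taken from the tag table above.
TAGGED_FIELDS = {
    "event_class": "event_class",
    "app": "Protocol",
    "src": "SrcIP",
    "spt": "SrcPort",
    "src_ipv6": "SrcIPv6",
    "dst": "DstIP",
    "dpt": "DestPort",
    "dst_ipv6": "DstIPv6",
    "act": "act",
    "dvchost": "dvchost",
    "cat": "cat",
    "requestMethod": "requestMethod",
    "dhost": "dhost",
    "sourceTranslatedAddress": "sourceTranslatedAddress",
    "cs1": "cs1",
}

# Constructed port -> service table (assumption; the rule's real table is not on the page).
PORT_SERVICES = {22: "ssh", 80: "http", 443: "https", 3306: "mysql", 3389: "rdp"}
# Assumption: ports in the IANA ephemeral range are reported as "dynamic".
DYNAMIC_PORT_START = 49152

# ATT&CK technique IDs such as T1076 or T1021.001 embedded in event_description.
_ATTACK_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# The two log examples from this page, each joined into a single line.
EXAMPLE_BLOCK = (
    'vendor="TippingPoint" product="UnityOne" version="1.0.0.17" '
    'event_class="7610" event_description="Banned" severity="1" app="IP" '
    'cnt="1" src="11.22.33.44" sourceTranslatedAddress="99.88.77.66" '
    'spt="43763" dst="55.66.77.88" dpt="3306" act="Block" '
    'cs1="DB-Market-BWI" cs5="vsms.edge.domain" dvchost="bwi1-ips-01" '
    'cat="Reputation" src_ipv6="n/a" dst_ipv6="n/a" request="n/a" '
    'requestMethod="n/a" dhost="n/a"'
)
EXAMPLE_RDP = (
    'vendor="TippingPoint" product="UnityOne" version="50.179.179.104" '
    'event_class="5873" event_description="5873: RDP: Windows Remote Desktop '
    'Access (ATT&CK T1076)" severity="1" app="TCP" cnt="1" '
    'src="51.231.237.140" sourceTranslatedAddress="51.231.237.140" '
    'spt="49799" dst="120.164.31.48" dpt="3389" act="Permit" '
    'cs1="DB-Market-BWI" cs5="vsms.edge.domain" dvchost="bwi1-ips-01" '
    'cat="Security Policy" src_ipv6="n/a" dst_ipv6="n/a" request="n/a" '
    'requestMethod="n/a" dhost="n/a"'
)


def parse_tmef(line):
    """Return the key/value fields of one TMEF message as a dict."""
    return dict(_PAIR_RE.findall(line))


def port_to_service(port_text):
    """Translate a numeric port to a service name, as the rule does for SrcPort/DstPort."""
    if not port_text.isdigit():
        return port_text  # "n/a" and similar placeholders pass through unchanged
    port = int(port_text)
    if port in PORT_SERVICES:
        return PORT_SERVICES[port]
    if port >= DYNAMIC_PORT_START:
        return "dynamic"
    return port_text  # unknown well-known/registered port: keep the number


def build_user_tags(line):
    """Build the user tags for one message: tagged fields plus the ATT&CK technique."""
    fields = parse_tmef(line)
    tags = {}
    for field, tag in TAGGED_FIELDS.items():
        if field not in fields:
            continue
        value = fields[field]
        if field in ("spt", "dpt"):
            value = port_to_service(value)
        tags[tag] = value
    techniques = _ATTACK_RE.findall(fields.get("event_description", ""))
    if techniques:
        # Hypothetical tag name; the page says Event Type and MITRE Category are
        # derived from this data but does not give their exact values.
        tags["mitre_technique"] = techniques[0]
    return tags


if __name__ == "__main__":
    for sample in (EXAMPLE_BLOCK, EXAMPLE_RDP):
        for tag, value in build_user_tags(sample).items():
            print(f"{tag}={value}")
        print()
```

Because the value regex stops only at a closing double quote, a description such as `5873: RDP: Windows Remote Desktop Access (ATT&CK T1076)` survives intact rather than being split at its spaces, which is the usual mistake when a TMEF line is tokenised with a plain `split()`.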
Log Examples
Block outgoing connection
```
vendor="TippingPoint" product="UnityOne" version="1.0.0.17" event_class="7610" event_description="Banned" severity="1" app="IP" cnt="1" src="11.22.33.44" sourceTranslatedAddress="99.88.77.66" spt="43763" dst="55.66.77.88" dpt="3306" act="Block" cs1="DB-Market-BWI" cs5="vsms.edge.domain" dvchost="bwi1-ips-01" cat="Reputation" src_ipv6="n/a" dst_ipv6="n/a" request="n/a" requestMethod="n/a" dhost="n/a"
```
Permit Windows RDP connection
```
vendor="TippingPoint" product="UnityOne" version="50.179.179.104" event_class="5873" event_description="5873: RDP: Windows Remote Desktop Access (ATT&CK T1076)" severity="1" app="TCP" cnt="1" src="51.231.237.140" sourceTranslatedAddress="51.231.237.140" spt="49799" dst="120.164.31.48" dpt="3389" act="Permit" cs1="DB-Market-BWI" cs5="vsms.edge.domain" dvchost="bwi1-ips-01" cat="Security Policy" src_ipv6="n/a" dst_ipv6="n/a" request="n/a" requestMethod="n/a" dhost="n/a"
```