Trendmicro

LogZilla App Store application: Trendmicro

Overview

Trend Micro TippingPoint is an Intrusion Prevention System (IPS) that provides network threat protection through deep packet inspection. TippingPoint devices detect and block exploits, malware, and suspicious traffic in real-time using signature-based and behavioral analysis.

App Function

  • Parse TippingPoint UnityOne logs in TMEF (Trend Micro Event Format)
  • Extract source/destination IPs, ports, protocols, and actions
  • Map security events to MITRE ATT&CK techniques and tactics
  • Identify permitted threats indicating IPS policy gaps
  • Categorize events with Event Class: security
  • Provide dashboards for threat analysis and attack investigation

Vendor Documentation

Device Configuration

Configure TippingPoint SMS to send syslog to LogZilla:

  1. Log in to the Security Management System (SMS) console
  2. Navigate to Admin > Server Properties > Syslog
  3. Click Add to create a new syslog destination
  4. Configure the following:
    • Server: LogZilla server IP address
    • Port: 514
    • Protocol: TCP recommended (UDP may cause data loss with URI strings)
    • Format: CEF or TMEF
    • Delimiter: TAB (default)
  5. Click OK to save

Verification

Generate test traffic or trigger a filter match, then verify events appear in LogZilla with Vendor tag set to Trend Micro.

Incoming Log Format

UnityOne uses Trend Micro Event Format (TMEF), a customized event format developed by Trend Micro for reporting security event information. TMEF uses space-separated key-value fields for structured logging.

Parsed Metadata Fields

Global Tags

Tag Name       Example        Description
Vendor         Trend Micro    Vendor name
Product        UnityOne       Product name
Event Class    security       Cross-vendor event classification

UnityOne Tags

Tag Name       Example             Description
Severity       Critical            Event severity (Critical, Major, Minor, Low, Normal)
Protocol       TCP                 Network protocol
SrcIP          185.153.64.126      Source IP address
DstIP          134.122.53.164      Destination IP address
DstPort        mysql               Destination port (translated to service name)
Action         Block               Action taken by IPS
Device Host    bwi1-ips-01         IPS device hostname
Category       Reputation          TippingPoint event category
Signature      DB-Market-BWI       IPS filter/rule name that triggered
Event Type     RDP                 Security event classification
MitreId        T1076               MITRE ATT&CK technique ID
MITRE Tactic   Lateral Movement    MITRE ATT&CK tactic

Log Examples

Reputation Block

product="UnityOne" version="1.0.0.17" event_class="7610"
event_description="7610: RepDV: Reputation Block" severity="4" app="TCP"
cnt="1" src="203.0.113.50" sourceTranslatedAddress="203.0.113.50"
spt="54321" dst="192.168.1.100" dpt="443" act="Block"
cs1="Default-Block" cs5="sms.example.com" dvchost="ips-dc1-01"
cat="Reputation"

MITRE ATT&CK Detection (Lateral Movement)

product="UnityOne" version="1.0.0.17" event_class="5873"
event_description="5873: RDP: Windows Remote Desktop Access (ATT&CK T1076)"
severity="2" app="TCP" cnt="1" src="10.10.10.50"
sourceTranslatedAddress="10.10.10.50" spt="49152" dst="10.10.10.100"
dpt="3389" act="Permit" cs1="Allow-Internal" cs5="sms.example.com"
dvchost="ips-dc1-01" cat="Security Policy"

Triggers

Trigger                                     Description
UnityOne: MITRE ATT&CK Detection            Catch-all for MITRE-mapped events
UnityOne: Permitted Threat (Policy Gap)     Threat detected but permitted - review IPS policy
UnityOne: Traffic Quarantined               Traffic quarantined for analysis
UnityOne: Lateral Movement (T1021)          RDP/SSH lateral movement detected
UnityOne: Credential Attack (T1110)         Brute force or credential attack
UnityOne: Critical Severity Event           Critical severity (4) events
UnityOne: Malware Detected                  Malware category events
UnityOne: Command and Control               C2 communication detected
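To make the TMEF layout, the tag mapping and the trigger logic concrete, here is an added example parser (not LogZilla's own code) that turns the two log examples above into the tags listed under Parsed Metadata Fields and evaluates the MITRE, policy-gap and critical-severity triggers. The severity names for levels other than 4, the small technique-to-tactic table and the use of the system services file for port translation are assumptions.

```python
import re
import socket

# Constructed sample events, copied from the two log examples on this page.
SAMPLE_BLOCK = ('product="UnityOne" event_class="7610" event_description="7610: RepDV: Reputation Block" '
                'severity="4" app="TCP" src="203.0.113.50" spt="54321" dst="192.168.1.100" dpt="443" '
                'act="Block" cs1="Default-Block" dvchost="ips-dc1-01" cat="Reputation"')
SAMPLE_PERMIT = ('product="UnityOne" event_class="5873" severity="2" app="TCP" src="10.10.10.50" '
                 'event_description="5873: RDP: Windows Remote Desktop Access (ATT&CK T1076)" '
                 'dst="10.10.10.100" dpt="3389" act="Permit" dvchost="ips-dc1-01" cat="Security Policy"')

KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')          # key="value"; value may hold \" escapes
MITRE_RE = re.compile(r'ATT&CK\s+(T\d{4}(?:\.\d{3})?)')   # technique id inside event_description
# 4 = Critical is stated on this page; the other numeric levels are an assumption.
SEVERITY_NAMES = {"4": "Critical", "3": "Major", "2": "Minor", "1": "Low", "0": "Normal"}
# Minimal technique-to-tactic table (assumed); extend it from the ATT&CK matrix as needed.
TACTICS = {"T1076": "Lateral Movement", "T1021": "Lateral Movement", "T1110": "Credential Access"}

def parse_tmef(line):  # split a TMEF line into a dict of its key="value" fields
    return {k: v.replace('\\"', '"') for k, v in KV_RE.findall(line)}

def service_name(port, proto):  # numeric port -> service name, falling back to the number
    try:
        return socket.getservbyport(int(port), proto.lower())
    except (OSError, ValueError, TypeError):
        return port

def to_tags(line):  # map parsed fields onto the tag names under "Parsed Metadata Fields"
    f = parse_tmef(line)
    m = MITRE_RE.search(f.get("event_description", ""))
    mitre_id = m.group(1) if m else None
    return {
        "Vendor": "Trend Micro", "Product": f.get("product"), "Event Class": "security",
        "Severity": SEVERITY_NAMES.get(f.get("severity"), f.get("severity")),
        "Protocol": f.get("app"), "SrcIP": f.get("src"), "DstIP": f.get("dst"),
        "DstPort": service_name(f.get("dpt"), f.get("app", "tcp")),
        "Action": f.get("act"), "Device Host": f.get("dvchost"), "Category": f.get("cat"),
        "MitreId": mitre_id,
        "MITRE Tactic": TACTICS.get(mitre_id.split(".")[0]) if mitre_id else None,
    }

def triggers(tags):  # names from the "Triggers" table that this event would fire
    fired = []
    if tags["MitreId"]:
        fired.append("UnityOne: MITRE ATT&CK Detection")
        if tags["Action"] == "Permit":  # threat seen but not blocked: an IPS policy gap
            fired.append("UnityOne: Permitted Threat (Policy Gap)")
    if tags["Severity"] == "Critical":
        fired.append("UnityOne: Critical Severity Event")
    return fired
```

Running `triggers(to_tags(SAMPLE_PERMIT))` fires both the MITRE catch-all and the policy-gap trigger, which is the case the Permitted Threat trigger exists to surface.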