Trend Micro Deep Discovery Director sample event messages

Use these sample event messages as a way of verifying a successful integration with QRadar.

The following table provides sample event messages when you use the Syslog protocol for the Trend Micro Deep Discovery Director DSM:

Event name Low-level category Sample log message

DENYLIST _CHANGE

Successful Configuration Modification

Table 1. Trend Micro Deep Discovery Director sample message supported by Trend Micro Deep Discovery Director.
Event name	Low-level category	Sample log message
DENYLIST _CHANGE	Successful Configuration Modification	`Oct 24 12:37:32 ddd35-1.ddxqa.com LEEF:1.0\|Trend Micro\|Deep Discovery Director\|3.5.0.1174\|DENYLIST _CHANGE\|devTime=Oct 24 2018 12:37:32 GMT+08:00 devTimeFormat=MMM dd yyyy HH:mm:ss z sev=3 dvc=198.51.100.88 dvchost=ddd35 -1.ddxqa.com deviceMacAddress=00-00-5E-00-5 3-00 deviceGUID=C4AC760E-8721-4B46-B966-47B D419376D8 end=Jan 19 2038 11:14:07 GMT+08:0 0 act=Add type=Deny List IP/Port dst=198.51.100.55 deviceExternalRiskType=High pComp=UDSO`
SECURITY _RISK_ DETECTION	Potential Misc Exploit	<156>LEEF:1.0\|Trend Micro\|Deep Discovery Director\|2.0.0.1129\|SECURITY_RISK_DETECTION\| Origin=Inspector devTimeFormat=MMM dd yyyy HH:mm:ss z ptype=IDS dvc=198.51.10065 device MacAddress=00-00-5E-00-53-00 dvchost=localhost deviceGUID=E77B0BE4474D-4413AF2F-752E-5810-1B11 devTime=May 25 2017 05:59:53 GMT+00:00 sev=8 origin=Inspector protoGroup=SQL proto=UDP vLAN Id=4095 deviceDirection=1 dhost=hit-nxdomain.o pendns.com dst=198.51.100.9 dstPort=1207 dstMAC =00:00:0c:07:ac:0 shost=198.51.100.22 src=198. 55.100.7 srcPort=1060 srcMAC=00:00:0c:07:ac:0 malName=OPS_HTTP_SASFIS_REQUEST malType=FRAUD sAttackPhase=Data Exfiltration fname=controller. php fileType=458757 fsize=520704 ruleId=328 msg =WEMON - HTTP (Request) deviceRiskConfidenceLevel =1 duser=username@example.com suser=username@ex ample.com mailMsgSubject=Mail Subject botCommand =msblast.exe botUrl=0005 channelName=#Infected chatUserName=fhkvmxya url=http://1.alisiosanguer a.com.cn/cgi-bin/forms.cgi requestClientApplicat ion=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) pComp=VSAPI riskType=0 com pressedFileName=test_inarc mitigationTaskId=48b 3d717-f30f-4890-8627-50bf75fbb6aa srcGroup=Defa ult srcZone=1 dstGroup=Default dstZone=1 detect ionType=2 act=not blocked threatType=1 interest edIp=198.51.100.35 peerIp=198.51.100.8 fileHash =F1C9FCF4B2F74E8EE53B6C006A4977F798A4D872 sUser1 =srcusername1 sUser1LoginTime=Mar 09 2017 12:34: 56 GMT+00:00 sUser2=srcusername2 sUser2LoginTime =Mar 09 2017 12:34:56 GMT+00:00 sUser3=srcuserna me3 sUser3LoginTime=Mar 09 2017 12:34:56 GMT+00: 00 dUser1=dstusername1 dUser1LoginTime=Mar 09 20 17 12:34:56 GMT+00:00 dUser2=dstusername2 dUser 2LoginTime=Mar 09 2017 12:34:56 GMT+00:00 dUser 3=dstusername3 dUser3LoginTime=Mar 09 2017 12: 34:56 GMT+00:00 suid=TsGh{USA-XP}803469 * 0 : (null) hostName=datingtipstricks.info cnt=4 sOS Name=Windows dOSName=Windows aggregatedCnt=1 ccc aDestinationFormat=URL cccaDetectionSource=RELE VANCE_RULE cccaRiskLevel=1 cccaDestination=xili .zerolost.org cccaDetection=1 evtCat=Malware ev tSubCat=Grayware aptRelated=1 hackerGroup=defau lt hackingCampaign=IXESHE malFamily=ZEUS pAtta ckPhase=0 oldFileSize=65530 oldFileType=15073 28 oldFileHash=5A272B7441328E09704B6D7EABDBD5 1B8858FDE4 oldFileName=attachment

Oct 24 12:37:32 ddd35-1.ddxqa.com LEEF:1.0|Trend 
Micro|Deep Discovery Director|3.5.0.1174|DENYLIST
_CHANGE|devTime=Oct 24 2018 12:37:32 GMT+08:00	
devTimeFormat=MMM dd yyyy HH:mm:ss z	
sev=3	dvc=198.51.100.88	dvchost=ddd35
-1.ddxqa.com	deviceMacAddress=00-00-5E-00-5
3-00	deviceGUID=C4AC760E-8721-4B46-B966-47B
D419376D8	end=Jan 19 2038 11:14:07 GMT+08:0
0	act=Add	type=Deny List IP/Port	
dst=198.51.100.55	deviceExternalRiskType=High	
pComp=UDSO

SECURITY _RISK_ DETECTION

Potential Misc Exploit

<156>LEEF:1.0|Trend Micro|Deep Discovery 
Director|2.0.0.1129|SECURITY_RISK_DETECTION|
Origin=Inspector devTimeFormat=MMM dd yyyy 
HH:mm:ss z ptype=IDS dvc=198.51.10065 device
MacAddress=00-00-5E-00-53-00 dvchost=localhost 
deviceGUID=E77B0BE4474D-4413AF2F-752E-5810-1B11 
devTime=May 25 2017 05:59:53 GMT+00:00 sev=8 
origin=Inspector protoGroup=SQL proto=UDP vLAN
Id=4095 deviceDirection=1 dhost=hit-nxdomain.o
pendns.com dst=198.51.100.9 dstPort=1207 dstMAC
=00:00:0c:07:ac:0 shost=198.51.100.22 src=198.
55.100.7 srcPort=1060 srcMAC=00:00:0c:07:ac:0 
malName=OPS_HTTP_SASFIS_REQUEST malType=FRAUD 
sAttackPhase=Data Exfiltration fname=controller.
php fileType=458757 fsize=520704 ruleId=328 msg
=WEMON - HTTP (Request) deviceRiskConfidenceLevel
=1 duser=username@example.com suser=username@ex
ample.com mailMsgSubject=Mail Subject botCommand
=msblast.exe botUrl=0005 channelName=#Infected 
chatUserName=fhkvmxya url=http://1.alisiosanguer
a.com.cn/cgi-bin/forms.cgi requestClientApplicat
ion=Mozilla/4.0 (compatible; MSIE 8.0; Windows 
NT 5.1; Trident/4.0) pComp=VSAPI riskType=0 com
pressedFileName=test_inarc mitigationTaskId=48b
3d717-f30f-4890-8627-50bf75fbb6aa srcGroup=Defa
ult srcZone=1 dstGroup=Default dstZone=1 detect
ionType=2 act=not blocked threatType=1 interest
edIp=198.51.100.35 peerIp=198.51.100.8 fileHash
=F1C9FCF4B2F74E8EE53B6C006A4977F798A4D872 sUser1
=srcusername1 sUser1LoginTime=Mar 09 2017 12:34:
56 GMT+00:00 sUser2=srcusername2 sUser2LoginTime
=Mar 09 2017 12:34:56 GMT+00:00 sUser3=srcuserna
me3 sUser3LoginTime=Mar 09 2017 12:34:56 GMT+00:
00 dUser1=dstusername1 dUser1LoginTime=Mar 09 20
17 12:34:56 GMT+00:00 dUser2=dstusername2 dUser
2LoginTime=Mar 09 2017 12:34:56 GMT+00:00 dUser
3=dstusername3 dUser3LoginTime=Mar 09 2017 12:
34:56 GMT+00:00 suid=TsGh{USA-XP}803469 * 0 :
(null) hostName=datingtipstricks.info cnt=4 sOS
Name=Windows dOSName=Windows aggregatedCnt=1 ccc
aDestinationFormat=URL cccaDetectionSource=RELE
VANCE_RULE cccaRiskLevel=1 cccaDestination=xili
.zerolost.org cccaDetection=1 evtCat=Malware ev
tSubCat=Grayware aptRelated=1 hackerGroup=defau
lt hackingCampaign=IXESHE malFamily=ZEUS pAtta
ckPhase=0 oldFileSize=65530 oldFileType=15073
28 oldFileHash=5A272B7441328E09704B6D7EABDBD5
1B8858FDE4 oldFileName=attachment