Trend Micro Deep Discovery Director sample event messages

Use these sample event messages as a way of verifying a successful integration with QRadar.

The following table provides sample event messages when you use the Syslog protocol for the Trend Micro Deep Discovery Director DSM:
Table 1. Sample messages supported by the Trend Micro Deep Discovery Director DSM.
Event name: DENYLIST_CHANGE
Low-level category: Successful Configuration Modification
Sample log message:
Oct 24 12:37:32 ddd35-1.ddxqa.com LEEF:1.0|Trend Micro|Deep Discovery Director|3.5.0.1174|DENYLIST_CHANGE|devTime=Oct 24 2018 12:37:32 GMT+08:00	devTimeFormat=MMM dd yyyy HH:mm:ss z	sev=3	dvc=198.51.100.88	dvchost=ddd35-1.ddxqa.com	deviceMacAddress=00-00-5E-00-53-00	deviceGUID=C4AC760E-8721-4B46-B966-47BD419376D8	end=Jan 19 2038 11:14:07 GMT+08:00	act=Add	type=Deny List IP/Port	dst=198.51.100.55	deviceExternalRiskType=High	pComp=UDSO

Event name: SECURITY_RISK_DETECTION
Low-level category: Potential Misc Exploit
Sample log message:
<156>LEEF:1.0|Trend Micro|Deep Discovery Director|2.0.0.1129|SECURITY_RISK_DETECTION|Origin=Inspector devTimeFormat=MMM dd yyyy HH:mm:ss z ptype=IDS dvc=198.51.10065 deviceMacAddress=00-00-5E-00-53-00 dvchost=localhost deviceGUID=E77B0BE4474D-4413AF2F-752E-5810-1B11 devTime=May 25 2017 05:59:53 GMT+00:00 sev=8 origin=Inspector protoGroup=SQL proto=UDP vLANId=4095 deviceDirection=1 dhost=hit-nxdomain.opendns.com dst=198.51.100.9 dstPort=1207 dstMAC=00:00:0c:07:ac:0 shost=198.51.100.22 src=198.55.100.7 srcPort=1060 srcMAC=00:00:0c:07:ac:0 malName=OPS_HTTP_SASFIS_REQUEST malType=FRAUD sAttackPhase=Data Exfiltration fname=controller.php fileType=458757 fsize=520704 ruleId=328 msg=WEMON - HTTP (Request) deviceRiskConfidenceLevel=1 duser=username@example.com suser=username@example.com mailMsgSubject=Mail Subject botCommand=msblast.exe botUrl=0005 channelName=#Infected chatUserName=fhkvmxya url=http://1.alisiosanguera.com.cn/cgi-bin/forms.cgi requestClientApplication=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) pComp=VSAPI riskType=0 compressedFileName=test_inarc mitigationTaskId=48b3d717-f30f-4890-8627-50bf75fbb6aa srcGroup=Default srcZone=1 dstGroup=Default dstZone=1 detectionType=2 act=not blocked threatType=1 interestedIp=198.51.100.35 peerIp=198.51.100.8 fileHash=F1C9FCF4B2F74E8EE53B6C006A4977F798A4D872 sUser1=srcusername1 sUser1LoginTime=Mar 09 2017 12:34:56 GMT+00:00 sUser2=srcusername2 sUser2LoginTime=Mar 09 2017 12:34:56 GMT+00:00 sUser3=srcusername3 sUser3LoginTime=Mar 09 2017 12:34:56 GMT+00:00 dUser1=dstusername1 dUser1LoginTime=Mar 09 2017 12:34:56 GMT+00:00 dUser2=dstusername2 dUser2LoginTime=Mar 09 2017 12:34:56 GMT+00:00 dUser3=dstusername3 dUser3LoginTime=Mar 09 2017 12:34:56 GMT+00:00 suid=TsGh{USA-XP}803469 * 0 :(null) hostName=datingtipstricks.info cnt=4 sOSName=Windows dOSName=Windows aggregatedCnt=1 cccaDestinationFormat=URL cccaDetectionSource=RELEVANCE_RULE cccaRiskLevel=1 cccaDestination=xili.zerolost.org cccaDetection=1 evtCat=Malware evtSubCat=Grayware aptRelated=1 hackerGroup=default hackingCampaign=IXESHE malFamily=ZEUS pAttackPhase=0 oldFileSize=65530 oldFileType=1507328 oldFileHash=5A272B7441328E09704B6D7EABDBD51B8858FDE4 oldFileName=attachment
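The two samples above differ in a way that matters when you check what QRadar receives: the DENYLIST_CHANGE record separates its attributes with tabs (the LEEF 1.0 default), while the SECURITY_RISK_DETECTION record is shown space-delimited, with values such as msg=WEMON - HTTP (Request) that themselves contain spaces. The following script is an added example, not IBM's or Trend Micro's code: it parses both samples (constructed copies of the table rows, the second one shortened to a subset of its fields), reads the syslog PRI where one is present, normalises devTime to UTC using the devTimeFormat the records advertise, and reports the low-level category the table documents for each event name. EXPECTED_CATEGORY, parse_leef, devtime_to_utc and check_sample are names chosen for this example.

```python
"""Parse the Trend Micro Deep Discovery Director LEEF samples used to verify the QRadar DSM."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Constructed sample records, copied from the two table rows above (the
# SECURITY_RISK_DETECTION sample keeps only a subset of its attributes).
SAMPLE_DENYLIST = (
    "Oct 24 12:37:32 ddd35-1.ddxqa.com LEEF:1.0|Trend Micro|Deep Discovery Director|3.5.0.1174|"
    "DENYLIST_CHANGE|devTime=Oct 24 2018 12:37:32 GMT+08:00\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\t"
    "sev=3\tdvc=198.51.100.88\tdvchost=ddd35-1.ddxqa.com\tact=Add\ttype=Deny List IP/Port\t"
    "dst=198.51.100.55\tdeviceExternalRiskType=High\tpComp=UDSO"
)
SAMPLE_DETECTION = (
    "<156>LEEF:1.0|Trend Micro|Deep Discovery Director|2.0.0.1129|SECURITY_RISK_DETECTION|"
    "Origin=Inspector devTimeFormat=MMM dd yyyy HH:mm:ss z ptype=IDS dvc=198.51.10065 dvchost=localhost "
    "devTime=May 25 2017 05:59:53 GMT+00:00 sev=8 proto=UDP dst=198.51.100.9 dstPort=1207 src=198.55.100.7 "
    "malName=OPS_HTTP_SASFIS_REQUEST malType=FRAUD msg=WEMON - HTTP (Request) act=not blocked "
    "requestClientApplication=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) "
    "fileHash=F1C9FCF4B2F74E8EE53B6C006A4977F798A4D872"
)

# Low-level categories the table documents for each event name (example mapping).
EXPECTED_CATEGORY = {
    "DENYLIST_CHANGE": "Successful Configuration Modification",
    "SECURITY_RISK_DETECTION": "Potential Misc Exploit",
}

_PRI_RE = re.compile(r"^<(\d{1,3})>")
_HEADER_RE = re.compile(
    r"LEEF:(?P<version>[^|]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<product_version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$",
    re.DOTALL,
)
# In a space-delimited record a new pair starts only where "<space><key>=" appears,
# so values that contain spaces ("msg=WEMON - HTTP (Request)") are kept whole.
_SPACE_SPLIT_RE = re.compile(r" (?=[A-Za-z][A-Za-z0-9]*=)")
_DEVTIME_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3}) (?P<day>\d{2}) (?P<year>\d{4}) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) GMT(?P<sign>[+-])(?P<oh>\d{2}):(?P<om>\d{2})$"
)
_MONTHS = {name: i for i, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_pri(line: str) -> Optional[Tuple[int, int]]:
    """Return (facility, severity) from a leading syslog <PRI>, or None when there is none."""
    m = _PRI_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def parse_leef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a LEEF 1.0 record into its pipe-delimited header and its key=value attributes.

    A tab anywhere in the attribute section selects tab delimiting (the LEEF 1.0
    default, as in the DENYLIST_CHANGE sample); otherwise the record is treated as
    space-delimited, as the SECURITY_RISK_DETECTION sample is.
    """
    m = _HEADER_RE.search(line)
    if m is None:
        raise ValueError("not a LEEF 1.0 record")
    header = {k: m.group(k) for k in ("version", "vendor", "product", "product_version", "event_id")}
    attrs = m.group("attrs")
    pairs = attrs.split("\t") if "\t" in attrs else _SPACE_SPLIT_RE.split(attrs)
    fields: Dict[str, str] = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if sep and key:
            fields[key] = value
    return header, fields


def devtime_to_utc(value: str) -> datetime:
    """Convert a devTime written in the 'MMM dd yyyy HH:mm:ss z' layout to an aware UTC datetime."""
    m = _DEVTIME_RE.match(value)
    if m is None:
        raise ValueError(f"unexpected devTime layout: {value!r}")
    offset = timedelta(hours=int(m["oh"]), minutes=int(m["om"]))
    if m["sign"] == "-":
        offset = -offset
    local = datetime(int(m["year"]), _MONTHS[m["mon"]], int(m["day"]),
                     int(m["h"]), int(m["m"]), int(m["s"]), tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)


def check_sample(line: str) -> Dict[str, str]:
    """Summarise one record the way an integration check would: event name, the category the
    table documents for it, product version, severity and the event time normalised to UTC.
    An event name the table does not list is reported as UNDOCUMENTED rather than raising."""
    header, fields = parse_leef(line)
    event_id = header["event_id"]
    summary = {
        "event_id": event_id,
        "category": EXPECTED_CATEGORY.get(event_id, "UNDOCUMENTED"),
        "product_version": header["product_version"],
        "sev": fields.get("sev", ""),
    }
    if fields.get("devTimeFormat") == "MMM dd yyyy HH:mm:ss z" and "devTime" in fields:
        summary["devTime_utc"] = devtime_to_utc(fields["devTime"]).isoformat()
    return summary


if __name__ == "__main__":
    for sample in (SAMPLE_DENYLIST, SAMPLE_DETECTION):
        print(parse_pri(sample), check_sample(sample))
```

The tab-or-space decision is made per record, because a single collector may see both layouts from different product versions; if you feed real events through this, compare the event_id and devTime_utc it reports against the QRadar Log Activity view to confirm the DSM mapped the event and its time correctly.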