Detailed Suspicious Threat Information

Provides specific information about suspicious threats on your network. Examples: the managed product that detected the suspicious threat, specific information about the source and destination, and the total number of suspicious threats on the network.

Table 1. Detailed Suspicious Threat Information Data View

Data

Description

Received

Displays the time that Control Manager receives data from the managed product.

Generated

Displays the time that the managed product generates data.

Product Entity

Displays the entity display name for a managed product. Control Manager identifies managed products using the managed product's entity display name.

Product

Displays the name of the managed product. Examples: OfficeScan, ScanMail for Microsoft Exchange

Mitigation Host

Displays the host name of the mitigation server (Network VirusWall Enforcer or Threat Mitigator).

Traffic/Connection

Displays the direction of the network traffic or the position on the network where the suspicious threat originates.

Protocol Group

Displays the broad protocol group in which a managed product detects the suspicious threat.

Examples: FTP, HTTP, P2P

Protocol

Displays the protocol in which a managed product detects the suspicious threat. Examples: ARP, Bearshare, BitTorrent

Destination IP Address

Displays the IP address of the endpoint the suspicious threat affects.

Destination Host

Displays the host name of the endpoint the suspicious threat affects.

Destination Port

Displays the port number of the endpoint the suspicious threat affects.

Destination MAC Address

Displays the MAC address of the endpoint the suspicious threat affects.

Destination OS

Displays the operating system running on the target host.

Destination User <x>

Displays the name used to log on to the target host.

<x> is the user name.

Logon (Destination User <x>)

Displays the logon timestamp.

<x> represents the number of logon times and the specific timestamp.

Source IP Address

Displays the IP address of the source where the suspicious threat originates.

Source Host Name

Displays the host name of the source where the suspicious threat originates.

Source Port

Displays the port number of the source where the suspicious threat originates.

Source MAC Address

Displays the MAC address of the source where the suspicious threat originates.

Source OS

Displays the operating system running on the source host.

Source User <x>

Displays the name used to log on to the source host.

<x> is the user name.

Logon (Source User <x>)

Displays the logon timestamp on the source.

<x> represents the number of logon times and the specific timestamp.

Source Domain

Displays the domain of the source where the suspicious threat originates.

Security Threat Type

Displays the specific type of security threat that managed products detect.

Examples: virus, spyware/grayware, fraud

Policy/Rule

Displays the policy/rule the suspicious threat violates.

Recipient

Displays the recipient of the suspicious threat.

Sender

Displays the sender of the suspicious threat.

Subject

Displays the content of the subject line of the email containing spyware/grayware.

Attachment File Name

Displays the file and extension name of the attachment.

Attachment File Type

Displays the file type of the attachment.

Attachment SHA-1

Displays the SHA-1 hash of the attachment.

URL

Displays the URL considered a suspicious threat.

User

Displays the user name logged on to the destination when a managed product detects a suspicious threat.

IM/IRC User

Displays the instant messaging or IRC user name logged on when Deep Discovery Inspector detects a violation.

Browser/FTP Client

Displays the Internet browser or FTP endpoint where the suspicious threat originates.

File

Displays the name of the suspicious file.

File in Compressed File

Displays whether the suspicious threat originates from a compressed file.

Archive SHA-1

Displays the SHA-1 hash of the archived file.

Archive File Type

Displays the type of the archived file.

Shared Folder

Displays whether the suspicious threat originates from a shared folder.

SHA-1

Displays the SHA-1 hash.

Mitigation Action

Displays the action the mitigation server takes against suspicious threats.

Examples: File cleaned, File dropped, File deleted

Mitigation Result

Displays the result of the action the mitigation server takes against suspicious threats.

Source IP Group

Displays the IP address group of the source where the suspicious threat originates.

Source Network Zone

Displays the network zone of the source where the suspicious threat originates.

Endpoint Group

Displays the IP address group of the endpoint the suspicious threat affects.

Endpoint Network Zone

Displays the network zone of the endpoint the suspicious threat affects.

Detections

Displays the total number of policy/rule violations that managed products detect.

Example: A managed product detects 10 violation instances of the same type on one computer.

Detections = 10
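The Detections field is a roll-up: raw detection events of the same security threat type on the same endpoint are counted together, so ten instances on one computer become Detections = 10. The following Python script is an added example, not part of the Control Manager documentation or product, that shows how such a roll-up is produced from individual event records. The event records are constructed sample data using a subset of the field names in Table 1; the function names are the example's own.

```python
from collections import Counter

# Constructed sample events (not product output). Each dict uses a subset of the
# Table 1 field names as keys. Ten "virus" events on ws-101 mirror the documented
# example ("10 violation instances of the same type on one computer").
SAMPLE_EVENTS = (
    [
        {
            "Generated": f"2024-01-05T10:{i:02d}:00",
            "Product": "OfficeScan",
            "Destination Host": "ws-101",
            "Security Threat Type": "virus",
            "Policy/Rule": "Virus/Malware",
        }
        for i in range(10)
    ]
    + [
        {
            "Generated": "2024-01-05T10:30:00",
            "Product": "OfficeScan",
            "Destination Host": "ws-101",
            "Security Threat Type": "spyware/grayware",
            "Policy/Rule": "Spyware/Grayware",
        },
        {
            "Generated": "2024-01-05T10:31:00",
            "Product": "OfficeScan",
            "Destination Host": "ws-101",
            "Security Threat Type": "spyware/grayware",
            "Policy/Rule": "Spyware/Grayware",
        },
        {
            "Generated": "2024-01-05T11:00:00",
            "Product": "ScanMail for Microsoft Exchange",
            "Destination Host": "ws-102",
            "Security Threat Type": "virus",
            "Policy/Rule": "Virus/Malware",
        },
    ]
)


def detections_by_host_and_type(events):
    """Count events per (Destination Host, Security Threat Type) pair.

    This reproduces the Detections semantics from Table 1: violations of the
    same type on the same endpoint are summed into one count.
    """
    return dict(
        Counter((e["Destination Host"], e["Security Threat Type"]) for e in events)
    )


def rollup_rows(events):
    """Return data-view style rows with a Detections column, highest count first."""
    rows = [
        {"Destination Host": host, "Security Threat Type": ttype, "Detections": n}
        for (host, ttype), n in detections_by_host_and_type(events).items()
    ]
    return sorted(rows, key=lambda r: (-r["Detections"], r["Destination Host"], r["Security Threat Type"]))


def total_detections(events):
    """Total number of suspicious threats on the network (sum of all Detections)."""
    return sum(detections_by_host_and_type(events).values())


if __name__ == "__main__":
    for row in rollup_rows(SAMPLE_EVENTS):
        print(f'{row["Destination Host"]:8} {row["Security Threat Type"]:18} Detections = {row["Detections"]}')
    print("Total:", total_detections(SAMPLE_EVENTS))
```

Running the script prints one row per endpoint and threat type, with ws-101 / virus at Detections = 10, and a total of 13 for the constructed sample. The same grouping key can be extended with Product or Policy/Rule if a finer-grained roll-up is wanted.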

C&C List Source

Displays the name of the list that contains the callback address:

  • Global Intelligence (Trend Micro Global Intelligence network, including Smart Protection Network)

  • Virtual Analyzer in managed products

  • User-defined C&C list configured in managed products

C&C Risk Level

Displays the severity level of the callback.

Remarks

Displays descriptions related to the attack.

C&C Server

Displays the name, URL, or IP address of the C&C server.

C&C Server Type

Displays the server type.

Malware Type

Displays the malware type.