Viewing Affected Hosts Parent topic

Procedure

  1. Go to DetectionsAffected Hosts.
  2. Set the detection severity level by dragging the Detection severity slider to the desired rating.
  3. Select a time period.
  4. Click Customize Columns, select one or more optional columns for display and click Apply to return to the modified Affected Hosts screen.

    Customize Columns

    Host Information Columns

    Column Name
    Preselected
    Description
    IP Address
    X
    IP address of the affected host
    Host Name
    X
    Computer name of the host
    MAC Address
     
    Media Access Control address of a network node
    Network Group
    X
    Network group that an IP address/host is assigned
    Host Severity
    X
    Highest impact on a host determined from aggregated detections by Trend Micro products and services
    For details about the Host Severity scale, see Host Severity.
    Most Notable Threat
    X
    Threat description of the highest severity detection
    Latest Detection
    X
    Most recent detection, based on timestamp
    Note
    Note
    The default IP Address, Host Severity and Latest Detection columns cannot be removed.

    Notable Statistics Columns

    Column Name
    Preselected
    Description
    Targeted Attack
     
    A threat that aims to exfiltrate data from a target system
    For details, see APT Attack Sequence

    Attack Phase Columns

    Columns
    Preselected
    Description
    Intelligence Gathering
    X
    Attackers identify and research target individuals using public sources (for example, social media websites) and prepare a customized attack.
    Point of Entry
    X
    The initial compromise is typically from zero-day malware delivered via social engineering (email, IM, or drive-by download). A backdoor is created and the network can now be infiltrated. Alternatively, a website exploitation or direct network hack may be employed.
    C&C Communication
    X
    C&C communication is typically used throughout the attack, allowing the attacker to instruct and control the malware used, and to exploit compromised machines, move laterally within the network, and exfiltrate data.
    Lateral Movement
    X
    Once inside the network, an attacker compromises additional machines to harvest credentials, escalate privilege levels, and maintain persistent control.
    Asset/Data Discovery
    X
    Several techniques (such as port scanning) are used to identify the noteworthy servers and the services that house the data of interest.
    Data Exfiltration
    X
    Once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed, and often encrypted for transmission to external locations under an attacker's control.
    Unknown Attack Phase
    X
    Detection is triggered by a rule that is not associated with an attack phase.
  5. To run a basic search, do one of the following:
    • Type an IP address or host name in the search text box and press Enter.
    • Click the detections_search_ic.jpg icon.
    By default, Deep Discovery Inspector searches Affected Hosts by IP Address and Host Name.
  6. To run a saved search, go to DetectionsAffected Hosts, open the drop-down menu of the search box, and click a saved search.
    Deep Discovery Inspector provides the following preset saved searches.

    Preset Saved Searches

    Name
    Filter Options
    Hosts with Targeted Attack detections
    Notable events in Targeted Attack
    Hosts with C&C Communication detections
    Notable events in C&C Communication
    Hosts with Lateral Movement detections
    Notable events in Lateral Movement
  7. To create and apply an advanced search filter, click Advanced.
  8. Click Export.
    The following file downloads:
    • affected_host.csv