Create, import, and manage filters to detect events in your environment.

Custom filters are user-defined filters that allow you to tailor the detection of specific threats and suspicious behaviors to your environment's unique needs. Trend Vision One uses custom filters to detect security events, which appear in Observed Attack Techniques. You can then incorporate these filters into custom detection models to generate alerts and insights in Workbench, allowing you to transform event detection into a complete threat monitoring workflow.
The Custom Filters screen allows you to create and manage custom filters. Custom filters consist of:

- Basic information
- Event type
- Event ID or vendor
- A query for detecting events in your environment
The event type and the event ID or vendor define the type of data queried by the filter. For example, ENDPOINT_ACTIVITY queries endpoint data from endpoint-based data sources such as Endpoint Sensor. Selecting TELEMETRY_FILE further refines the query to only file events within endpoint activity data. For more information about event types and data sources, see Search method data sources.
Important: You can add a maximum of 50 custom filters. If you need to add more filters, contact your support provider.
The following table outlines the actions available in Custom Filters:

| Action | Description |
|---|---|
| Add custom filters | |
| Export custom filters | Trend Vision One generates a password-protected ZIP file that contains all your custom filters (one YAML file per filter). When the export completes, click |
| Import custom filters | Click Add filters and select Import from computer from the drop-down menu to import one ZIP file or multiple YAML files. |
| Search and filter the list | Use the following options to locate specific filters: |
| See filter details | Click a filter name to view detailed information about the custom filter. |
| Edit custom filters | Click |
| Delete custom filters | Click. You can only delete custom filters that are not included in any model. |
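Because an export is a ZIP of one YAML file per filter, and the console enforces a ceiling of 50 custom filters, a bundle can be sanity-checked offline before it is imported or handed to another tenant. The script below is an added example and is not Trend Vision One code. It assumes (the page does not document the export schema) that each YAML file is a flat mapping and that the four components a filter consists of appear under the hypothetical keys `name`, `event_type`, `event_id` or `vendor`, and `query`; rename them to match the real exported files. The sample bundle it builds is constructed for the demonstration and is not password-protected, so `pwd` is left unset.

```python
"""Pre-import checks for a bundle of custom-filter YAML files.

Added example, not Trend Vision One code. Key names below are assumptions;
the real export schema is not documented on the page this accompanies.
"""
import io
import re
import zipfile
from typing import Dict, List, Optional

MAX_CUSTOM_FILTERS = 50                       # limit stated in the documentation
REQUIRED_KEYS = ("name", "event_type", "query")   # hypothetical key names
EVENT_SOURCE_KEYS = ("event_id", "vendor")        # a filter needs one of these


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal reader for flat `key: value` YAML (no nesting, no lists).

    Real filter files may be richer; swap in PyYAML if it is available.
    """
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                           # blank line or full-line comment
        m = re.match(r"^([A-Za-z0-9_]+):\s*(.*)$", line)
        if not m:
            raise ValueError(f"unsupported YAML line: {line!r}")
        value = m.group(2).strip()
        result[m.group(1)] = value.strip('"').strip("'")
    return result


def check_filter(doc: Dict[str, str]) -> List[str]:
    """Return the problems found in one filter mapping (empty list means OK)."""
    problems = [f"missing {key}" for key in REQUIRED_KEYS if not doc.get(key)]
    if not any(doc.get(k) for k in EVENT_SOURCE_KEYS):
        problems.append("missing event_id or vendor")
    return problems


def check_bundle(zip_bytes: bytes, existing_count: int = 0,
                 pwd: Optional[bytes] = None) -> dict:
    """Inspect an export ZIP and report per-file problems plus the limit check.

    `existing_count` is how many custom filters the console already holds, so
    the 50-filter ceiling is evaluated against the total after import.
    """
    report: dict = {"filters": {}, "errors": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if n.lower().endswith((".yaml", ".yml"))]
        for name in names:
            text = zf.read(name, pwd=pwd).decode("utf-8")
            try:
                report["filters"][name] = check_filter(parse_flat_yaml(text))
            except ValueError as exc:
                report["filters"][name] = [str(exc)]
    total = existing_count + len(report["filters"])
    if total > MAX_CUSTOM_FILTERS:
        report["errors"].append(
            f"{total} filters would exceed the limit of {MAX_CUSTOM_FILTERS}")
    return report


def build_sample_bundle() -> bytes:
    """Constructed sample export: two well-formed filters and one missing its query."""
    files = {
        "file_event_filter.yaml": (
            "name: Example file event filter\n"
            "event_type: ENDPOINT_ACTIVITY\n"
            "event_id: TELEMETRY_FILE\n"
            'query: "<your search query here>"\n'
        ),
        "vendor_filter.yaml": (
            "name: Example vendor-scoped filter\n"
            "event_type: ENDPOINT_ACTIVITY\n"
            'vendor: "<vendor name>"\n'
            'query: "<your search query here>"\n'
        ),
        "no_query.yaml": (
            "name: Broken filter\n"
            "event_type: ENDPOINT_ACTIVITY\n"
            "event_id: TELEMETRY_FILE\n"
        ),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    report = check_bundle(build_sample_bundle(), existing_count=48)
    for name, problems in report["filters"].items():
        print(name, "OK" if not problems else problems)
    for err in report["errors"]:
        print("error:", err)
```

Run it against a real export by reading the ZIP from disk and passing the export password as `pwd=b"..."`; `existing_count` should be the number of filters already shown on the Custom Filters screen, since the 50-filter limit applies to the total, not to the bundle alone.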