Trend Vision One allows you to build custom intelligence by importing your own reports and retrieving data from third-party intelligence sources.
The following table outlines available actions on the Custom tab.
| Action | Description |
|---|---|
| Filter intelligence reports | Use the search and filters to find custom intelligence reports: |
| Add intelligence reports | Click Add and choose to import CSV and STIX files or retrieve data from third-party intelligence as custom intelligence reports. When importing CSV and STIX files, you can extract suspicious object information, select a risk level, specify actions that connected products apply upon detection, and select an expiration option for the extracted objects. Click Download sample CSV for an example file. Trend Vision One converts imported CSV files to STIX intelligence reports. Imported CSV intelligence report files must contain the appropriate column headers, including at least the Type column. Depending on the type, you may need to provide other fields. See required fields and supported indicator types for CSV intelligence report files. STIX files must include one or more indicator type STIX objects for successful import. |
| Extract suspicious objects from intelligence reports | Select one or more intelligence reports and click Extract Suspicious Objects. Complete the risk level, action, and expiration settings, then click Submit. |
| Delete intelligence reports | Select one or more intelligence reports and click Delete. |
| Take additional actions | Click |
| Check the indicator count and matches | Under Indicators for sweeping, check the number of indicators that can be used for sweeping from the intelligence report. Under Matched sweeps, review the number of tasks that have indicator matches and the total number of sweeping tasks. For example, the message means one sweeping task has indicator matches among a total of seven sweeping tasks. The message 0 out of 0 indicates that no sweeping task was triggered. Trend Vision One defines a 180-day data retention period for the sweeping task history. The message under Matched sweeps resets to 0 out of 0 once the retention period expires. |
| View sweeping task details | Click<br>To further explore tasks with indicator matches, do the following: |

CSV format requirements
Required fields

| Field | Description | Format / Data type | Example |
|---|---|---|---|
| Type | The type of threat indicator. Supported values include url, domain, ip, sha1, sha256, md5, filename, user/account, and command_line. | String | url |
| Object | The indicator value corresponding to the type. | String | https://example.com/ |
| Description | Additional information about the indicator. | String | Indicators of compromise (IOCs) added from Swimlane |
| ValidFrom | The time from which this indicator should be considered valuable intelligence. | | 2025-08-19T02:25:24Z |

Supported indicator types

| Type | Description | Example format |
|---|---|---|
| url | Full URL | https://example.com/path?a=1#frag |
| domain | Domain name | example.com |
| ip | IPv4 or IPv6 address | 192.0.2.10<br>2001:db8:1234:5678::1 |
| sha1 | SHA-1 file hash | 40-hex characters |
| sha256 | SHA-256 file hash | 64-hex characters |
| md5 | MD5 file hash | 32-hex characters |
| filename | Name of the file | malware.exe |
| user/account | User name or account identifier | trendmicro |
| command_line | Command line string | add GlobalSign.cer -c -s -r localMachine Root$ |
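
A pre-import check for a CSV intelligence report, written against the required fields and supported indicator types listed above. This is an added example, not Trend Micro code: it assumes the column headers are spelled exactly as in the Field column, and the domain pattern and the ValidFrom shape are inferred from the page's example values.

```python
import csv
import ipaddress
import re
from urllib.parse import urlsplit

PATTERNS = {"md5": "[0-9a-fA-F]{32}", "sha1": "[0-9a-fA-F]{40}", "sha256": "[0-9a-fA-F]{64}"}
# Loose hostname pattern: an assumption, the page only shows example.com.
PATTERNS["domain"] = r"(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
PATTERNS.update(dict.fromkeys(("filename", "user/account", "command_line"), ".+"))  # free text, non-empty
STAMP = r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ"  # shape of the page's ValidFrom example (assumed)

def check_object(ioc_type, value):
    """Return an error string, or None when value fits the type's format."""
    try:
        if ioc_type in PATTERNS:
            if not re.fullmatch(PATTERNS[ioc_type], value):
                return f"Object does not match the {ioc_type} format"
        elif ioc_type == "ip":
            ipaddress.ip_address(value)  # ValueError unless IPv4 or IPv6
        elif ioc_type == "url":
            if not all(urlsplit(value)[:2]):  # scheme and host must both be present
                return "Object is not a full URL"
        else:
            return f"unsupported Type {ioc_type!r}"
    except ValueError:
        return f"malformed {ioc_type} value"
    return None

def validate_csv(text):
    """Return [(line_number, message)] for rows that do not fit the tables above."""
    reader = csv.DictReader(text.splitlines())
    if "Type" not in (reader.fieldnames or []):
        return [(1, "missing Type column header")]
    problems = []
    for row in reader:
        err = check_object((row.get("Type") or "").strip(), (row.get("Object") or "").strip())
        stamp = (row.get("ValidFrom") or "").strip()
        if not err and stamp and not re.fullmatch(STAMP, stamp):
            err = "ValidFrom is not in the 2025-08-19T02:25:24Z form"
        if err:
            problems.append((reader.line_num, err))
    return problems

# Constructed sample rows, not real indicators.
SAMPLE = """Type,Object,Description,ValidFrom
url,https://example.com/path?a=1#frag,constructed row,2025-08-19T02:25:24Z
sha256,abc123,hash too short,
registry,HKLM-example,type not in the table,
domain,example.com,bad timestamp,19/08/2025"""
```

`validate_csv(SAMPLE)` reports lines 3, 4 and 5; running it on a file before import catches rows that do not match the documented formats.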
