
The Summary section displays the severity, the number of detected internal hosts and Indicators of Compromise (IOCs), and the attack patterns of the correlated event, and provides a high-level overview of its malicious activity.

  1. Review the severity, detection counts, attack patterns, and activity summary.

    Severity

    The severity assigned by Deep Discovery Director - Network Analytics to the event and related correlations.

    Deep Discovery Director - Network Analytics uses a number of factors to assign severity, including proprietary analysis.

    Internal Hosts and Indicators of Compromise detection count

    The detection count numbers allow you to quickly determine the scope of the correlated event.

    Attack patterns

    The attack patterns for the correlated event or suspicious object selected in Deep Discovery Director.

    Activity summary

    The activity summary is broken up by attack pattern and provides the following information:

    • Protocols on which activities were detected.

    • Number of detected Suspicious Objects (SOs) and Indicators of Compromise (IOCs).

    • Hosts which were involved in suspicious or malicious activity.

      Activity might be between internal hosts and external servers or might include lateral activity between internal hosts.

      Internal hosts are defined by the Network Groups list.

      Note:
      • To provide an accurate analysis of correlation data, specify your internal networks and hosts in the Network Groups list. Hosts that are not recognized as internal are treated as external servers, so lateral activity involving them is not reported as lateral.

      • By default, private network ranges are treated as internal (trusted). You only need to add non-private IP addresses and ranges to the Network Groups list.

    • The activity with the Trigger Event label is the focal point of this correlated event and contains the IP address found in the Interested Host field of the Correlated Events screen.

    • Additional hosts that participated in the suspicious activity.

    • Additional suspicious objects when viewing correlation data for suspicious objects.

  2. (Optional) Perform one of the following actions on individual summary items:

    Internal Hosts detection number

    Click the detection number and then click the Copy to clipboard icon to copy the entire list to your clipboard, or click the Focus icon to focus on the item in the Correlation Graph.

    Indicators of Compromise detection number

    Click the detection number and then click the Copy to clipboard icon to copy the value to your clipboard.

    Attack patterns

    Hover over an attack pattern to highlight only activities related to that attack pattern in the summary.

    IP addresses and domains

    Hover over the triangle icon and select one of the following:

    • Focus: Focus on the item in the Correlation Graph.

    • Copy to clipboard: Copy the value to your clipboard.

    • View network detection events: Open the Network Detections screen in a new browser tab with filters matching this object applied.

    • Threat Connect: Open Trend Micro Threat Connect in a new browser tab with a query for this object.

    • DomainTools (WHOIS): Open DomainTools in a new browser tab with a query for this IP address or domain.

    • VirusTotal: Open VirusTotal in a new browser tab with a query for this object.

  3. (Optional) Click Export and then select one of the following options to export the correlation data of this correlated event.

    • Printer-friendly: Displays your system's printer dialog. Modify settings and then click Print.

    • CSV: Select a delimiter and then click Export to export and download the correlation data of this correlated event to a CSV file with the chosen delimiter.

    Note:

    If any advanced search filter is applied, export is limited to the currently filtered correlation data.
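The activity summary above distinguishes lateral activity between internal hosts from activity between internal hosts and external servers, and the note on the Network Groups list warns that this split is only as good as the list of non-private ranges you configure. The following Python script is an added illustration of that classification logic, not code from Deep Discovery Director - Network Analytics: it treats RFC 1918 ranges as internal by default, adds a hypothetical Network Groups list, and summarizes a set of constructed activities (sample addresses only; 203.0.113.0/24 is a documentation range standing in for a public /24 the organization owns) with and without that list configured, so you can see how a missing entry turns lateral activity into apparent external traffic and drops a host from the internal host count.

```python
"""Classify correlated-event activity as lateral or external.

Added example, not product code. Models how an internal/external split
depends on the configured Network Groups list.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: treated as internal by default, mirroring the product
# behaviour that private networks are trusted without configuration.
PRIVATE_NETWORKS = [
    ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_internal(host, network_groups):
    """True if host is in a private range or in the configured Network Groups list."""
    ip = ip_address(host)
    if any(ip in net for net in PRIVATE_NETWORKS):
        return True
    return any(ip in net for net in network_groups)


def classify(src, dst, network_groups):
    """Direction label for one activity, as the activity summary would group it."""
    src_internal = is_internal(src, network_groups)
    dst_internal = is_internal(dst, network_groups)
    if src_internal and dst_internal:
        return "lateral"
    if src_internal:
        return "internal-to-external"
    if dst_internal:
        return "external-to-internal"
    return "external-only"


def summarize(activities, network_groups):
    """Direction counts, internal host list and protocols for a set of activities."""
    directions = Counter()
    internal_hosts = set()
    protocols = set()
    for act in activities:
        directions[classify(act["src"], act["dst"], network_groups)] += 1
        protocols.add(act["proto"])
        for host in (act["src"], act["dst"]):
            if is_internal(host, network_groups):
                internal_hosts.add(host)
    return {
        "directions": dict(directions),
        "internal_hosts": sorted(internal_hosts),
        "protocols": sorted(protocols),
    }


# Constructed sample activities (not real detections). 203.0.113.0/24 is a
# documentation range standing in for a public /24 owned by the organization;
# 198.51.100.7 stands in for an external server.
ACTIVITIES = [
    {"src": "10.1.1.20", "dst": "198.51.100.7", "proto": "HTTP"},
    {"src": "10.1.1.20", "dst": "10.1.1.35", "proto": "SMB"},
    {"src": "10.1.1.20", "dst": "203.0.113.10", "proto": "SMB"},
    {"src": "203.0.113.10", "dst": "198.51.100.7", "proto": "DNS"},
]

# Hypothetical Network Groups list: empty vs. the organization's public range added.
WITHOUT_GROUPS = []
WITH_GROUPS = [ip_network("203.0.113.0/24")]

if __name__ == "__main__":
    for label, groups in (("no Network Groups", WITHOUT_GROUPS),
                          ("with Network Groups", WITH_GROUPS)):
        print(label, summarize(ACTIVITIES, groups))
```

Without the public range configured, the SMB activity from 10.1.1.20 to 203.0.113.10 is reported as internal-to-external and 203.0.113.10 is missing from the internal host count; once the range is in the list, the same activity is counted as lateral and the host is included.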