- Go to Detections > Affected Hosts.
  The Affected Hosts screen appears.
- Select the detection severity level by using the drop-down control.
- Select a time period.
- Select which appliances to include as the data source.
- (Optional) Click the More icon beside Advanced, select Customize columns, select the columns to hide or display, and then click Apply to return to the modified Affected Hosts screen.
  Table 1. Host Information Columns

  Column Name          Preselected  Description
  IP Address           X            IP address of the affected host
  Host Name            X            Computer name of the host
  MAC Address                       Media Access Control address of the network node
  Network Group        X            Network group that the IP address/host is assigned to
  Host Severity        X            Highest impact on the host, determined from aggregated detections by Trend Micro products and services. For details about the Host Severity scale, see Host Severity.
  Most Notable Threat  X            Threat description of the highest-severity detection
  Latest Detection     X            Most recent detection, based on timestamp

  Note: The default IP Address, Host Severity, and Latest Detection columns cannot be removed.
  Table 2. Notable Statistics Columns

  Column Name      Preselected  Description
  Targeted Attack               A threat that aims to exfiltrate data from a target system. For details, see APT Attack Sequence.
  Table 3. Attack Phase Columns

  Column Name             Preselected  Description
  Intelligence Gathering  X            Attackers identify and research target individuals using public sources (for example, social media websites) and prepare a customized attack.
  Point of Entry          X            The initial compromise is typically zero-day malware delivered through social engineering (email, IM, or drive-by download). A backdoor is created and the network can now be infiltrated. Alternatively, a website exploitation or direct network hack may be employed.
  C&C Communication       X            C&C communication is typically used throughout the attack, allowing the attacker to instruct and control the malware used, exploit compromised machines, move laterally within the network, and exfiltrate data.
  Lateral Movement        X            Once inside the network, the attacker compromises additional machines to harvest credentials, escalate privilege levels, and maintain persistent control.
  Asset/Data Discovery    X            Several techniques (such as port scanning) are used to identify the noteworthy servers and the services that house the data of interest.
  Data Exfiltration       X            Once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed, and often encrypted for transmission to external locations under the attacker's control.
  Unknown Attack Phase    X            The detection is triggered by a rule that is not associated with an attack phase.
- To run a basic search, type an IP address or host name in the search text box, and then press ENTER or click the magnifying glass icon.
  By default, Deep Discovery Director (Internal Network Analytics Version) searches Affected Hosts by IP Address and Host Name.
- To run a saved search, click the Saved Searches icon, and then select a saved search.
  Deep Discovery Director (Internal Network Analytics Version) provides the following built-in saved searches:

  Table 4. Built-in Saved Searches

  Name                          Filter Options
  Targeted Attack detections    Notable events in targeted attack
  C&C Communication detections  Notable events in C&C communication
  Lateral Movement detections   Notable events in lateral movement
- To create and apply an advanced search filter, click Advanced.
  For details, see Affected Hosts Advanced Search Filter.
- (Optional) Click the More icon beside Advanced, select Export, select a delimiter to use, and then click OK to export and download the currently filtered list of affected hosts to a CSV file with the chosen delimiter.
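The exported list is where the Affected Hosts view usually ends up being worked: fed to a script that ranks hosts by how far along the attack sequence in Table 3 they are and that picks the next host to pull for forensics. The following is an added example, not part of this documentation and not Trend Micro tooling. It assumes the export's header row uses the column names from Tables 1 and 3, that a non-empty cell in an attack phase column marks that phase, that Latest Detection is formatted as "YYYY-MM-DD HH:MM:SS", and that Host Severity is an opaque label; the severity values, host names and threat descriptions in the embedded sample are constructed placeholders, not the product's scale. The one practical caveat it handles is the delimiter: an export made with ";" and read with the default "," collapses every row into a single field, so the parser either detects the delimiter or refuses the file when the three columns the page says cannot be removed are absent.

```python
import csv
import io
from datetime import datetime

# Attack phases in the order this page lists them (Table 3). "Unknown Attack
# Phase" has no position in the sequence and is tracked separately.
ATTACK_PHASES = [
    "Intelligence Gathering",
    "Point of Entry",
    "C&C Communication",
    "Lateral Movement",
    "Asset/Data Discovery",
    "Data Exfiltration",
]
UNKNOWN_PHASE = "Unknown Attack Phase"

# The page states these columns cannot be removed from the view, so an export
# that appears to lack them was almost certainly read with the wrong delimiter.
REQUIRED_COLUMNS = {"IP Address", "Host Severity", "Latest Detection"}

# Constructed sample export (not real product output), exported with ";" as the
# chosen delimiter. Assumed: header names match the page's column names, a
# non-empty phase cell means the phase was observed, severity labels are
# placeholders, timestamps are "YYYY-MM-DD HH:MM:SS".
SAMPLE_EXPORT = (
    "IP Address;Host Name;MAC Address;Network Group;Host Severity;Most Notable Threat;"
    "Latest Detection;Intelligence Gathering;Point of Entry;C&C Communication;"
    "Lateral Movement;Asset/Data Discovery;Data Exfiltration;Unknown Attack Phase\n"
    "10.1.20.15;WS-FIN-07;00:11:22:33:44:55;Finance;High;Malicious URL in email;"
    "2024-05-03 09:12:44;;X;X;;;;\n"
    "10.1.30.9;SRV-FILE-01;00:11:22:33:44:66;Servers;Critical;Suspicious SMB traffic;"
    "2024-05-03 11:02:10;;;X;X;X;;\n"
    "10.1.20.44;WS-HR-02;00:11:22:33:44:77;HR;Low;Port scan;"
    "2024-05-02 16:40:01;;;;;;;X\n"
)


def detect_delimiter(text, candidates=",;\t|"):
    """Return the candidate delimiter that splits every non-empty line into the
    same number of fields (more than one), preferring the widest split."""
    lines = [line for line in text.splitlines() if line.strip()]
    best = None
    for cand in candidates:
        widths = {len(row) for row in csv.reader(lines, delimiter=cand)}
        if len(widths) == 1:
            width = widths.pop()
            if width > 1 and (best is None or width > best[1]):
                best = (cand, width)
    if best is None:
        raise ValueError("no consistent delimiter found")
    return best[0]


def parse_affected_hosts(text, delimiter=None):
    """Parse an Affected Hosts export into dicts. Raises ValueError when the
    mandatory columns are missing, the usual symptom of a wrong delimiter."""
    if delimiter is None:
        delimiter = detect_delimiter(text)
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export missing columns {sorted(missing)}; wrong delimiter?")
    hosts = []
    for row in reader:
        phases = [p for p in ATTACK_PHASES if (row.get(p) or "").strip()]
        hosts.append({
            "ip": row["IP Address"].strip(),
            "host": (row.get("Host Name") or "").strip(),
            "severity": row["Host Severity"].strip(),
            "threat": (row.get("Most Notable Threat") or "").strip(),
            "latest": datetime.strptime(row["Latest Detection"].strip(), "%Y-%m-%d %H:%M:%S"),
            "phases": phases,
            "unknown_phase": bool((row.get(UNKNOWN_PHASE) or "").strip()),
        })
    return hosts


def furthest_phase(host):
    """Index in ATTACK_PHASES of the host's most advanced observed phase;
    -1 when only an unknown phase (or nothing) was observed."""
    return max((ATTACK_PHASES.index(p) for p in host["phases"]), default=-1)


def hosts_with_phase(hosts, phase):
    """Hosts on which a given Table 3 phase was observed."""
    return [h for h in hosts if phase in h["phases"]]


def triage_order(hosts):
    """Hosts furthest along the attack sequence first; within the same phase,
    the most recent Latest Detection first."""
    return sorted(hosts, key=lambda h: (furthest_phase(h), h["latest"]), reverse=True)


if __name__ == "__main__":
    for h in triage_order(parse_affected_hosts(SAMPLE_EXPORT)):
        last = ATTACK_PHASES[furthest_phase(h)] if h["phases"] else UNKNOWN_PHASE
        print(f"{h['ip']:<12} {h['host']:<12} {h['severity']:<9} {last:<22} {h['latest']:%Y-%m-%d %H:%M}")
```

Ranking by the furthest phase rather than by the Host Severity label is deliberate: the page defines Host Severity as the highest impact of aggregated detections, whereas a host that has already reached Lateral Movement or Data Exfiltration tells you where the intrusion stands, which is what decides which box gets imaged first. Pass the delimiter you selected in the Export dialog explicitly if the file is too small for detection to be reliable.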