Viewing Affected Hosts

Procedure

1. Go to Detections → Affected Hosts.
2. Set the detection severity level by dragging the Detection severity slider to the desired rating.
3. Select a time period.
4. Click Customize Columns, select one or more optional columns for display and click Apply to return to the modified Affected Hosts screen.

   Host Information Columns

   Column Name	Preselected	Description
   IP Address	X	IP address of the affected host
   Host Name	X	Computer name of the host
   MAC Address		Media Access Control address of a network node
   Network Group	X	Network group that an IP address/host is assigned
   Host Severity	X	Highest impact on a host determined from aggregated detections by Trend Micro products and services For details about the Host Severity scale, see Host Severity.
   Most Notable Threat	X	Threat description of the highest severity detection
   Latest Detection	X	Most recent detection, based on timestamp

   Note The default IP Address, Host Severity and Latest Detection columns cannot be removed.

   Notable Statistics Columns

   Column Name	Preselected	Description
   Targeted Attack		A threat that aims to exfiltrate data from a target system For details, see APT Attack Sequence

   Attack Phase Columns

   Columns	Preselected	Description
   Intelligence Gathering	X	Attackers identify and research target individuals using public sources (for example, social media websites) and prepare a customized attack.
   Point of Entry	X	The initial compromise is typically from zero-day malware delivered via social engineering (email, IM, or drive-by download). A backdoor is created and the network can now be infiltrated. Alternatively, a website exploitation or direct network hack may be employed.
   C&C Communication	X	C&C communication is typically used throughout the attack, allowing the attacker to instruct and control the malware used, and to exploit compromised machines, move laterally within the network, and exfiltrate data.
   Lateral Movement	X	Once inside the network, an attacker compromises additional machines to harvest credentials, escalate privilege levels, and maintain persistent control.
   Asset/Data Discovery	X	Several techniques (such as port scanning) are used to identify the noteworthy servers and the services that house the data of interest.
   Data Exfiltration	X	Once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed, and often encrypted for transmission to external locations under an attacker's control.
   Unknown Attack Phase	X	Detection is triggered by a rule that is not associated with an attack phase.

5. To run a basic search, do one of the following:
   • Type an IP address or host name in the search text box and press Enter.
   • Click the icon.
   By default, Deep Discovery Inspector searches Affected Hosts by IP Address and Host Name.
6. To run a saved search, go to Detections → Affected Hosts, open the drop-down menu of the search box, and click a saved search.
   Deep Discovery Inspector provides the following preset saved searches.

   Preset Saved Searches

   Name	Filter Options
   Hosts with Targeted Attack detections	Notable events in Targeted Attack
   Hosts with C&C Communication detections	Notable events in C&C Communication
   Hosts with Lateral Movement detections	Notable events in Lateral Movement

7. To create and apply an advanced search filter, click Advanced.
   For details, see Affected Hosts Advanced Search Filter.
8. Click Export.
   The following file downloads:

   • affected_host.csv