Alert notifications
When new alerts are detected, Trend Vision One can send you an email notification. Also as part of Trend Micro’s quality assurance process for threat detections, if our threat expert team identifies an alert in your environment that they believe to be critical or interesting, they will work with regional resources to help notify you directly. This will not occur for all alerts, and is at the discretion of the threat expert team as they do not review all alerts for all customers.
Correlated detection models
Advanced detection models written by Trend Micro threat researchers correlate low-level activities within or across security layers to find undiscovered attacks. The detection models, which generate the alert triggers, combine multiple rules and filters using a variety of analysis techniques, including data stacking and machine learning. You can turn individual models on or off as appropriate for your organization's risk tolerance and preferences.
Workbench and alert triage
View a list of alerts (workbenches) and drill down for further visibility. Workbenches are the investigation results for a detection, where you can look at the execution profile, identify the scope of impact and take response actions. This is where you prioritize and process the alerts and track what has been done (new, in progress, closed).
Attack visualization
Quickly understand the story of an attack with an interactive visual representation of events. Advanced analysis is available with:
  • The Execution Profile Analysis view to see the threat actions within an endpoint, server, or cloud workload
  • Network Analysis to replay network communications and see details of an attacker’s command and control communications or lateral movement
Search/Threat hunting
Proactively search through endpoint, email, network, and cloud workload activity data (for example, telemetry, NetFlow, and metadata) using a simple query builder. Perform IoC sweeps or custom searches using multiple parameters, and narrow the results by adding further search criteria. From a search result, you can initiate a response or generate an Execution Profile. You can build, save, and reuse queries for basic threat hunting.
Built-in threat intelligence
Detect threats sooner by automatically searching your environment for indicators of compromise (IoCs) published by Trend Research. When there is a detection, built-in threat intel can help identify the associated campaign, the target platform, and the associated MITRE ATT&CK™ TTPs, and can provide links to related intelligence blog posts where available.
MITRE ATT&CK™ mapping
Mapping detected techniques to the MITRE ATT&CK framework helps organizations quickly understand and communicate what is happening in their environment. Hyperlinks from the workbench lead directly to the MITRE ATT&CK documentation for each mapped technique.
Integrated response actions
Offers contextually aware response choices so that action can be taken quickly, directly from within the platform. Start your response sooner by right-clicking objects in the workbench or within threat hunting search results. From one location, you can initiate and track endpoint, email, server, and network responses.
API integrations
A public API can be used by customers to integrate with various SIEM and SOAR tools. Out of the box, Trend Vision One provides a SIEM connector that pulls alerts into Splunk. Unlike regular syslog forwarding, this Splunk add-on calls the Trend Vision One API to retrieve the list of alerts (workbenches). Analysts can click an alert from within Splunk and be taken to the associated workbench in the Trend Vision One platform for additional visibility and investigation.
Software-as-a-Service solution
Trend Vision One is hosted and managed in the cloud to take advantage of cloud computing technologies, so you do not carry the overhead associated with managing local hardware.