Local response filters

Local response filters (Agentic SIEM & XDR → Detection Model Management → Local response filters) are detection filters that can be deployed on Windows endpoints. A process can be terminated locally when a local response filter is matched, shortening MTTD and improving overall usability. Trend Vision One uses filters to detect security events which appear in Observed Attack Techniques, allowing you to transform event detection into a complete threat monitoring workflow.

To add local response filters, go to Agentic SIEM & XDR → Observed Attack Techniques and expand any associated entity. Right-click a detection filter name and select Add filter to local response.

To view and configure local response filters connected to existing endpoint security policies, go to Endpoint Security Configuration → Endpoint Security Policies → Policies. Click a policy name and then XDR for Endpoints (EDR) to view a list of local response filters related to the selected endpoint policy.