Views:

The Summary section displays the severity, number of detected internal hosts, number of Indicators of Compromise (IOCs), and attack patterns, and provides a high-level overview of the malicious activity of the correlated event.

Procedure

  1. Review the severity, detection counts, attack patterns, and activity summary.
    Severity
    The severity assigned by Deep Discovery Director - Network Analytics to the event and related correlations.
    Deep Discovery Director - Network Analytics uses a number of factors to assign severity, including proprietary analysis.
    Internal Hosts and Indicators of Compromise detection count
    The detection count numbers allow you to quickly determine the scope of the correlated event.
    Attack patterns
    The attack patterns for the suspicious object selected in Trend Vision One.
    Activity summary
    The activity summary is broken up by attack pattern and provides the following information:
    • Protocols on which activities were detected.
    • Hosts which were involved in suspicious or malicious activity.
      Activity might be between internal hosts and external servers or might include lateral activity between internal hosts.
      Internal hosts are defined by the Network Groups list.
      Note
      Note
      Deep Discovery Director - Network Analytics treats any IP addresses or ranges in the Trusted Internal Networks list as part of the trusted internal network.
      • To provide an accurate analysis of correlation data, it is important to specify your internal networks and hosts in the Network Groups list.
      • By default, private networks are considered trusted and are set internally as trusted. You only need to add non-private IP addresses to the Network Groups list.
    • Additional hosts that participated in the suspicious activity.
    • Additional suspicious objects when viewing correlation data for suspicious objects.
  2. (Optional) Perform one of the following actions on individual summary items:
    Item
    Action
    Internal Hosts detection number
    Click the detection number and then click on the Copy to clipboard icon (dddna_summary_detection_copy=GUID-4DE35BE5-57A5-4919-BF9C-5EC95F9CA8FD=1=en-us=Low.png) to copy the entire list to your clipboard, or click on the Focus icon (dddna_summary_detection_focus=GUID-7FD8BAA0-6FF8-4418-9294-5F7305D223E9=1=en-us=Low.png) to focus on the item in the Correlation Graph.
    Indicators of Compromise detection number
    Click the detection number and then click on the Copy to clipboard icon (dddna_summary_detection_copy=GUID-4DE35BE5-57A5-4919-BF9C-5EC95F9CA8FD=1=en-us=Low.png) to copy the value to your clipboard.
    Attack patterns
    Hover over an attack pattern to highlight only activities related to that attack pattern in the summary.
    IP addresses and domains
    Hover over the triangle icon (dddna_summary_ip_domain_button=GUID-45B7939C-DDB8-447B-8DEF-9F6055E5B75A=1=en-us=Low.png) and select one of the following:
    • Focus: Focus on the item in the Correlation Graph.
    • Copy to clipboard: Copy the value to your clipboard.
    • Threat Connect: Open Trend Micro Threat Connect in a new browser tab with a query for this object.
    • DomainTools (WHOIS): Open DomainTools in a new browser tab with a query for this IP address or domain.
    • VirusTotal: Open VirusTotal in a new browser tab with a query for this object.
  3. (Optional) Click Export and then select one of the following options to export the correlation data of this correlated event.
    • Printer-friendly: Displays your system's printer dialog. Modify settings and then click Print.
    • CSV: Select a delimiter and then click Export to export and download the correlation data of this correlated event to a CSV file with the chosen delimiter.
    Note
    Note
    If any advanced search filter is applied, export is limited to the currently filtered correlation data.