June 2, 2025—Trend Vision One now supports Microsoft Defender for Endpoint logs in
custom detection filters.
This update includes the following changes:
- Suspicious Behavior by cmd.exe Observed
- USB Drive Letter Changed
- USB Drive Mounted
- USB Drive Unmounted
- User Account Added to Local Group
- User Account Created
- User Account Deleted
- User Account Modified
- User Account Removed from Local Group
- LSASS Process Memory Write
- Post-exploitation Tool Detected
- SmartScreen Exploit Warning
- SmartScreen URL Warning
- SmartScreen User Override
- Attempt to Tamper with Microsoft Defender XDR
- Connection to Untrusted Wi-Fi Network
- Get Clipboard Data
- High Severity Alert
- Registry Auto-Start Service
- Remote Desktop Connection
- Security Group Deleted
The related custom detection filters have been added to the tm-v1-detection-models GitHub repository. You can import these detection filters to your Trend Vision One environment to test
the new integration.
For more information about custom detection filters, see Create a custom filter.