Views:

Trend Vision One consolidates suspicious object information from different sources.

A suspicious object is a known malicious or potentially malicious domain, file SHA-1, file SHA-256, IP address, sender address, or URL.
You can add suspicious objects to the Suspicious Object List manually or though extraction from third-party intelligence. In addition, Sandbox Analysis adds suspicious objects to the list after determining possible threats for consolidation and synchronization. Sandbox Analysis then assigns risk level based on analysis results.
Trend Vision One can also connect to different products and send the Suspicious Object List to the connected products for detection. The connected products then apply the specified actions from Suspicious Object Management.
Note
Note
  • For suspicious objects added manually or through third-party intelligence, the maximum limit is 10,000 for each object type.
  • For suspicious objects added by Sandbox Analysis, the maximum limit is 25,000 for each object type.
  • When the maximum number of suspicious objects is exceeded, the objects that are closest to expiration are removed.
The following table outlines the actions available on the Suspicious Object List tab.
Action
Description
Filter suspicious object data
Use the search field or the following drop-down lists to search specific object data:
  • Last updated: The time when a suspicious object was last updated
  • Object type: The suspicious object type, such as domains, file SHA-1, file SHA-256, IP addresses, sender addresses, or URLs
  • Source: The source of a suspicious object
Add or import suspicious objects
Click Add to open the Add Suspicious Object screen.
For more information, see Adding or importing suspicious objects.
View or edit suspicious object details
Click any object name to open the Suspicious Object Details panel.
Manage suspicious objects
Manage one or more suspicious objects. Options include:
  • Delete objects: Select suspicious objects and click Delete.
  • Change the applied action: Select suspicious objects, click Change Action, and choose Log or Block/Quarantine.
  • Change expiration settings: Select suspicious objects and click Set to Never Expire.
  • Add one or multiple suspicious objects as exceptions: Click the options icon (options_icon=GUID-408062FA-DA13-4ECA-81EB-31A5B68355A1=1=en-us=Low.jpg) on an object and click Add to Exception List, or select one or more objects and click Add to Exception List.
  • Search a suspicious object: Click the options icon (options_icon=GUID-408062FA-DA13-4ECA-81EB-31A5B68355A1=1=en-us=Low.jpg) on the object and click New Search: match field and value.
Configure default settings
Click Global_Settings=GUID-1E10BFBD-3AFF-46DD-B853-0438EC2FD3F9.png to specify the default actions to take on different types of objects at each risk level and the expiration settings for the objects.
Note
Note
Default actions apply to suspicious objects added by Sandbox Analysis. For objects from other sources, default settings apply if you have not specified action or expiration settings.
Export object data
Click export_button=GUID-C683DEEE-C19C-484D-A5B1-4CA9D1794756=1=en-us=Low.jpg to export the suspicious object data to a CSV file.
Refresh object data
Click Refresh_icon_TI=GUID-8673A32A-9991-4025-8937-34633E90D9E1=1=en-us=Low.png to display the latest suspicious object data.
Related information