
Trend Vision One provides two types of sweeping that allow you to search your environment for indicators of compromise.

Note
Only Endpoint Activity Data, Email Activity Data, and Network Activity Data are supported for both types of sweeping.
Type
Description
Auto Sweeping
Auto Sweeping runs based on the following intelligence data:
  • Intelligence reports
    • By source type of curated reports
      Trend Vision One generates a scheduled sweep and runs the sweep once every day for 7 consecutive days to search your environment for threat indicators based on incoming new reports from the selected source.
    • By a single curated or custom report
      A scheduled sweep runs once every day during the specified period to search your environment for threat indicators extracted from the current report.
  • Third-party intelligence
    If you enable the Run an auto sweep option for a specific intelligence source, for example, a TAXII feed collection or a MISP event tag, a scheduled sweep will be generated and triggered within 24 hours to search your environment for indicators extracted from the source.
    Third-party intelligence is processed to produce custom intelligence reports after successful data retrieval.
Trend Vision One triggers Auto Sweeping tasks at the same scheduled time every day and calculates the total number of indicators applied for Auto Sweeping over the past 24 hours to track quota usage.
Note
A maximum of 50,000 indicators is allowed per day for Auto Sweeping. The quota limit is shared by Auto Sweeping tasks triggered from both intelligence reports and third-party intelligence.
If the total number of indicators reaches the daily quota limit for Auto Sweeping, you can trigger Manual Sweeping when necessary.
Manual Sweeping
You can select any intelligence report to initiate a manual sweep based on identified indicators.
Note
A maximum of 10,000 indicators is allowed per day for Manual Sweeping.