
Trend Vision One provides two types of sweeping that allow you to search your environment for indicators of compromise (IoCs).

Both types of sweeping support endpoint activity data, email activity data, network activity data, Container Security, and third-party logs.
Type: Auto Sweeping
Description:
Auto Sweeping runs based on the following intelligence data:
  • Intelligence reports
    • By source type of curated reports
      Trend Vision One generates a scheduled sweep and runs the sweep once every day for 7 consecutive days to search your environment for threat indicators based on incoming new reports from the selected source.
    • By a single curated or custom report
      A scheduled sweep runs once every day during the specified period to search your environment for threat indicators extracted from the current report.
  • Third-party intelligence
    Enabling "Run an auto sweep" for a specific intelligence source, such as a TAXII feed collection or a MISP event tag, schedules a sweep that the system triggers within 24 hours to search your environment for indicators extracted from the source.
    Third-party intelligence is processed to produce custom intelligence reports after successful data retrieval.
Trend Vision One triggers Auto Sweeping tasks at the same scheduled time every day and calculates the total number of indicators applied for Auto Sweeping over the past 24 hours to track quota usage.
A maximum of 50,000 indicators is allowed per day for Auto Sweeping. The quota limit is shared by Auto Sweeping tasks triggered from both intelligence reports and third-party intelligence. If the total number of indicators reaches the daily quota limit for Auto Sweeping, you can trigger Manual Sweeping.

Type: Manual Sweeping
Description:
You can select any intelligence report to initiate a manual sweep based on identified indicators.
A maximum of 10,000 indicators is allowed per day for Manual Sweeping.
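
A planning sketch for the shared Auto Sweeping quota described above, added here as an example and not Trend Micro code: it projects the daily indicator total for a set of planned sweeps and flags days that would exceed 50,000. It assumes every daily run counts its full indicator set against the quota; the sweep names, dates and counts are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

AUTO_SWEEP_DAILY_QUOTA = 50_000  # from the page: limit shared by all Auto Sweeping tasks
SOURCE_TYPE_SWEEP_DAYS = 7       # from the page: source-type sweeps run daily for 7 days


def project_auto_sweep_usage(sweeps):
    """Return {day: total indicators} for a list of planned sweeps.

    Each sweep is (name, first_day, run_days, indicator_count).
    Assumption: each daily run counts its full indicator set against the quota.
    """
    usage = defaultdict(int)
    for _name, first_day, run_days, indicators in sweeps:
        for offset in range(run_days):
            usage[first_day + timedelta(days=offset)] += indicators
    return dict(sorted(usage.items()))


def days_over_quota(usage, quota=AUTO_SWEEP_DAILY_QUOTA):
    """Return {day: overflow} for days whose projected total exceeds the quota."""
    return {day: total - quota for day, total in usage.items() if total > quota}


# Constructed planning data, not real report names or indicator counts.
PLANNED = [
    ("curated source, report 1", date(2024, 1, 1), SOURCE_TYPE_SWEEP_DAYS, 18_000),
    ("curated source, report 2", date(2024, 1, 3), SOURCE_TYPE_SWEEP_DAYS, 22_000),
    ("third-party TAXII collection", date(2024, 1, 4), 1, 15_000),
    ("custom report, 3-day period", date(2024, 1, 5), 3, 6_000),
]

if __name__ == "__main__":
    usage = project_auto_sweep_usage(PLANNED)
    over = days_over_quota(usage)
    for day, total in usage.items():
        status = f"OVER by {over[day]}" if day in over else "ok"
        print(f"{day}  {total:>6} / {AUTO_SWEEP_DAILY_QUOTA}  {status}")
```

Days flagged as over quota are the ones where overlapping 7-day sweeps and a third-party source land on the same date, which is where a manual sweep or a staggered start is worth planning.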