Case Management integration with Forensics

October 30, 2023 — Case Management now offers integration with Forensics. This allows you to create a Forensics workspace specifically for endpoints included in a Workbench insight or alert. From there, you can perform quick responses such as isolation, Osquery, and YARA process scanning within the Forensics app.
Additionally, you can gather advanced digital evidence from the endpoints in Forensics to conduct a more thorough analysis, identifying root causes and constructing an attack chain using the Forensics timeline.
Once you establish the attack chain, you can add the timeline to a case to record the location of the results.

Network Inventory enhancements allow for detection exceptions and greater Virtual Network Sensor visibility

October 30, 2023 — Users may now create and configure lists of detection exceptions, preventing network traffic detections that match specified criteria from appearing in detection logs. To use the feature, go to Network Inventory > Monitoring/Scanning > Detection Exceptions.
Additionally, users can now view detailed information about each connected Virtual Network Sensor appliance, including system information and system settings, from the list of Virtual Network Sensors in Network Inventory.
Network Security > Network Inventory

AWS Italy region has new PoP site for Internet Access Cloud Gateway in Zero Trust Secure Access

October 24, 2023 — Zero Trust Secure Access has launched a new PoP site for Internet Access Cloud Gateway in the AWS Italy region. For details on available PoP sites for Internet Access Cloud Gateway, see Port and FQDN/IP address requirements.

Custom filter import and export

October 30, 2023 — The Detection Model Management app now supports the import and export of custom filters via YAML files. Users can import custom filters from YAML files or export custom filters as YAML files packaged in a ZIP file.
For more information, see Custom filters.
XDR Threat Investigation > Detection Model Management

New risk events highlight potential attack paths for cloud assets

October 23, 2023 — New risk events demonstrate potential attack paths that originate from the internet or potentially compromised cloud assets. These potential attack paths are visualized to help you identify and prioritize risks.
Attack Surface Risk Management > Operations Dashboard

Asset graph visualizes cloud asset relationships

October 23, 2023 — Cloud asset profiles now feature an asset graph illustrating the relationships of cloud assets. The visualization showcases how identities access cloud resources, as well as traffic routing and other relationships, helping you to prioritize risks associated with your cloud assets.
Attack Surface Risk Management > Attack Surface Discovery

Attack Surface Discovery asset profiles available free for XDR customers

October 23, 2023 — Customers that have enabled XDR sensors can now access a free version of asset profiles in Attack Surface Discovery, even if credits have not been allocated to Risk Insights capabilities. When viewing the profile of an endpoint, account or cloud asset in a Workbench alert, click View asset risk assessment in Attack Surface Discovery to see the asset's risk assessment and asset profile in Attack Surface Discovery.
Attack Surface Risk Management > Attack Surface Discovery

Forensics has been officially launched

October 16, 2023 — A new application, Forensics, has been officially launched. With Forensics, you can respond to security incidents and conduct compromise assessments, threat hunting, and monitoring.
Forensics allows you to create workspaces. Within the workspace, you can isolate the scope of an incident and execute Osquery and YARA for quick triage and investigation. If you require more details about an incident, you can collect evidence. Evidence Collection gathers the digital evidence and uploads it to the Trend Vision One console.
Forensics offers an evidence viewing and searching function, facilitating advanced investigations. As you progress through the investigation, you can add notes with important timestamps or create customized records in timelines. In other words, the Forensics timeline is your tool for creating a comprehensive attack chain report using the collected evidence records.
Furthermore, you can use the Evidence Archive section of Forensics to manage all the evidence collected by Incident Response playbooks. Evidence packages can be added to the workspaces, used for generating evidence reports, and utilized for investigation at any time.
For more information, see Forensics.

Support for multiple custom filters in a custom model

October 16, 2023 — The Detection Model Management app has been updated to support multiple custom filters in a custom model, with a maximum limit of five custom filters per model. Users can configure the Workbench to trigger an alert based on two more criteria: when events defined by the custom filters occur, or when events defined by the custom filters occur in the specified order.
For more information, see Configuring a custom model.
XDR Threat Investigation > Detection Model Management

Incident Response Evidence Collection playbooks now require credits

October 16, 2023 — With the official release of the Forensics app, the Incident Response Evidence Collection playbook now requires credits for evidence collection and uploading to the Forensics app. Users must first configure the data allowance in the Forensics app before setting up the playbook to collect and upload evidence to the Trend Vision One console.
Workflow and Automation > Security Playbooks

Agent uninstall tool now available for download from Endpoint Inventory

October 16, 2023 — The Trend Micro uninstall tool is now available for download in Endpoint Inventory for both Windows and macOS endpoints. The tool allows for the uninstallation of the following agents and sensors from a particular endpoint:
  • Standard Endpoint Protection Agent
  • Server & Workload Protection Agent
  • XDR Endpoint Sensor
The tool is capable of uninstalling a single agent or multiple agents at once from the endpoint. Download the tool by going to Endpoint Inventory > Agent Installer > Download Uninstall Tool. Downloaded tools are valid for seven days.
Endpoint Security > Endpoint Inventory

Sensor only endpoints now removable in Endpoint Inventory

October 13, 2023 — You can now remove sensor only endpoints from Endpoint Inventory by selecting applicable endpoints and clicking the Remove Endpoint button. Removing a sensor only endpoint does not uninstall the Trend Vision One agent from the endpoint or stop the agent program sending information to Trend Vision One. Support for removing Standard Endpoint Protection and Server & Workload Protection agents from the Endpoint Inventory screen is under development.
Endpoint Security > Endpoint Inventory

Email Account Inventory provides central visibility and management of email accounts

October 9, 2023 — Email Account Inventory now provides an overview of how well your organization’s email accounts are protected by Email Sensor and Cloud App Security and allows you to manage protection over the accounts.
Email Account Inventory provides the following central features:
  • Email Account Inventory provides an overview of your organization’s email account inventory and available actions to protect email accounts in your organization. If you have not yet enabled any email solutions, you can set up Email Sensor and Cloud App Security from the inventory.
  • You can enable key features of Cloud App Security and configure policies for unprotected accounts.
  • You can conduct necessary investigations into suspicious account activity.
In addition, the sensor management functionality has moved from Email Account Inventory into a separate menu item.
Email and Collaboration Security > Email Asset Inventory

Trend Vision One console now supports daylight saving time

October 9, 2023 — The Trend Vision One console now adjusts the displayed time according to daylight saving time, depending on your selected time zone.
Administration > Console Settings

Zero Trust Secure Access Internet Access supports Kerberos authentication with on-premises Active Directory servers

October 9, 2023 — In addition to NTLM v2 authentication, Zero Trust Secure Access Internet Access now supports Kerberos as an authentication service for single sign-on with on-premises Active Directory servers. Find and configure the new method in the Global Settings of Internet Access Configuration.
Zero Trust Secure Access > Secure Access Configuration > Internet Access Configuration