Workflow and Automation

June 26, 2024 — Case Management now offers a detailed view of each case, allowing you to retrieve your case information and track progress easily.

The new detailed view includes:

For more information, see Case Management.

June 12, 2024 — You can now configure approval settings for specified response actions in the Response Management app.

The approval settings you configure in the Response Management app do not affect those configured in the Managed Services or Security Playbooks app.

For more information, see Response Management settings.

June 4, 2024 — Automated Response Playbooks are enhanced to include IP address as a condition in playbook settings in addition to Highlighted object risk. With this enhancement, the playbooks can filter highlighted objects with their source IP address, destination IP address, peer IP address, and interested IP address, enabling more targeted response actions.

For more information, see Creating Automated Response Playbooks.

May 27, 2024—Case Management now supports two-way sync of case status and priority changes with ServiceNow.

For more information, see Configuring the Trend Vision One Case Management ticket profile.

May 20, 2024 — Security Playbooks now includes Risk Reduction playbooks, a new feature designed to help you respond to new and ongoing risk events detected in your environment. You can set up the playbooks to respond to or send notifications about the risk events associated with all risk factors identified in Operations Dashboard, with the exception of XDR detection. For XDR detection related risk events, configure Automated Response Playbooks to enable automatic actions in response to high-priority alerts in Workbench.

For more information, see Creating Risk Reduction playbooks.

April 16, 2024 — You can now specify the time-out setting for endpoint response actions. If left unspecified, the default setting is used. For more information, see Response Management settings.

April 8, 2024 — In order to increase the security of critical action use, you can now enable multi-factor authentication (MFA) for security playbooks operations. With MFA, users are required to provide multiple forms of verification before they can create, edit, or delete playbooks, approve pending actions, manually execute playbooks from either Security Playbooks or Workbench, or upload a new custom script from Security Playbooks. You can configure MFA settings in the User Accounts app.

For more information, see Enabling and configuring multi-factor authentication.

April 8, 2024 — In order to increase the security of critical action use, you can now enable multi-factor authentication (MFA) as a requirement to run certain response actions, including Collect File, Run Remote Custom Script, Start Remote Shell Session, and Submit for Sandbox Analysis, as well as to add a new custom script in Response Management. You can configure MFA settings in the User Accounts app.

For more information, see Enabling and configuring multi-factor authentication.

March 28, 2024 — You can now perform Collect File and Submit for Sandbox Analysis response actions on Virtual Network Sensor agents. You can initiate response actions from the context or response menu and monitor task status in the Response Management app.

For more information, see Response actions.

March 25, 2024—Managed XDR customers can use Case Management to receive direct communication from the Trend Micro managed services team to get incident alerts and recommended remediation actions.

March 4, 2024—Case Management can now close cases that have not received updates for over 60 days.

Three days before closing, Case Management sends a notification to remind the case owner to update the case.

January 31, 2024 — Users may now prevent critical endpoints from being affected by selected response actions triggered across Trend Vision One. Add up to six exclusions to apply to lists of up to 100 endpoints by enabling the feature in Settings within Response management. To learn more, see Exclude Specified Endpoints from Response Actions.

January 24, 2024 — The Endpoint Response Actions playbooks and Incident Response Evidence Collection playbooks have been enhanced to support a broader range of IP formats for the playbook target. In addition to using a wildcard, you have the flexibility to use CIDR notation or specify an IP range from a starting IP address to an ending IP address.

Additionally, the email notification content for user-defined Automated Response Playbooks has been improved to enhance the user experience.

January 22, 2024 — Users may now perform a one-time on-demand malware scan on one or more endpoints from context menus in Workbench, Endpoint Inventory, Search, and Observed Attack Techniques, allowing for a direct response to attacks while conducting further investigation. For more information, see Scan for Malware task.

December 18, 2023 — The Automated Response Playbook has been enhanced to support a wider range of response actions, including user account actions such as disabling the user account, forcing sign out, and forcing password reset, and the ability to run custom scripts on endpoints.

November 30, 2023 — Starting now, execution results and any pending actions will be available on the Execution Results tab for a period of 180 days. This change allows us to ensure the most relevant and recent data is always at your fingertips.

November 30, 2023 — Case Management is now available for public preview in the Trend Vision One platform. Case Management enables you to assign priority and ownership to cases containing both individual and correlated alerts from Workbench, and streamlines the start of your threat investigation and incident response workflows.

You can open cases directly from Workbench alerts or with any XDR playbook in Security Playbooks. In Forensics, you can use an existing case to automatically pull impacted endpoints into the related workspace. In addition, Case Viewer allows you to manage your cases while working in other apps.

For more information, see Case Management.

November 13, 2020 — The “Run Custom Script,” “Samba vulnerability assessment,” and “Microsoft exchange vulnerability assessment” playbook templates have been consolidated into the new Endpoint Response Actions template, and their functionality has also been integrated into user-defined playbooks.

To learn how to create a user-defined playbook, see Creating Endpoint Response Actions playbooks.

October 16, 2023 — With the official release of the Forensics app, the Incident Response Evidence Collection playbook now requires credits for evidence collection and uploading to the Forensics app. Users must first configure the data allowance in the Forensics app before setting up the playbook to collect and upload evidence to the Trend Vision One console.

For more information, see Creating Incident Response Evidence Collection playbooks.

September 25, 2023 — You can now specify the operating systems to upload and run custom scripts for when configuring Action nodes for Run Custom Script Security Playbooks. The enhancements also facilitate selecting custom scripts that are added in the Response Management app.

September 25, 2023 — In addition to Workbench alerts automatically triggering playbook execution, users now have the option to manually trigger the execution of Automated Response Playbook from Workbench.

For more information, see Investigating an alert and Alerts (Workbench Insights) in the Workbench documentation.

Furthermore, the Automated Response Playbook now includes an additional automated response action: "Terminate processes". This enhancement enables users to automatically terminate any "unrated" target processes running on an endpoint.

For more information, see Creating Automated Response Playbooks.

August 21, 2023 — The Security Playbooks app made updates to the two CVEs with Global Exploit Activity playbook templates. It allows you to create the playbooks from scratch with a flexible workflow, while still allowing you to create the playbooks from a fully customizable template.

The updated playbook templates provide the following new filtering options to help mitigate risks posed by highly-exploitable CVEs on your managed assets for more fine-grained control:

For more information, see Creating CVEs with Global Exploit Activity playbooks.

July 4, 2023 — Customers must now enable the Risk Insights license entitlement to create, edit, or execute the following playbooks.

For more information, see Security playbooks requirements

July 4, 2023 — You can now specify custom detection models when configuring Target nodes for Automated Response Playbooks. Subsequent nodes in the playbook are only triggered for Workbench alerts related to the specified detection models.

Enhancements to the Security Playbooks user interface facilitate selecting and enabling detection models.

For more information, see Creating Automated Response Playbooks.

July 3, 2023 — For customers that signed up for or expressly updated Trend Vision One on or after July 3, 2023, Security Playbooks now supports management scope.

Permissions to view or manage playbooks can be assigned based on management scope for custom roles. Users can only approve the execution of playbooks and view execution results for endpoints in their management scope. Newly created playbooks are executed based on the playbook creator's management scope.

All roles retain full permissions for playbooks created before the implementation of management scope.

You can now specify detection models when configuring trigger settings for Automated Response playbooks. The subsequent nodes in the playbook are only triggered for Workbench alerts related to the specified detection models.

Playbooks also adds support for additional webhook types in user-defined Automated Response playbooks.

For more information, see Creating Automated Response Playbooks.

Security Playbooks is now officially released and can be utilized alongside your Risk Insights and XDR entitlements as part of the Trend Vision One platform.

For details on what types of entitlements are required for each playbook type, see Security playbooks requirements.

Security Playbooks now enables you to create Automatic Response Playbooks from scratch with a flexible workflow, while still allowing you to create the playbooks from a fully customizable template.

In addition to "highly suspicious" and "suspicious" highlighted objects, you can use Automatic Response Playbooks to take response actions on other "unrated" highlighted objects in Workbench alerts.

Additionally, Security Playbooks provides one more response action "Submit URL to sandbox" to help you quickly respond to Workbench alerts.