Views:

Configure response action time-out settings Parent topic

March 22, 2024 — You can now specify the time-out setting for endpoint response actions. If left unspecified, the default setting is used. For more information, see Response Management settings.
Workflow and AutomationResponse Management

Multi-factor authentication now available for certain critical actions in Security Playbooks

April 8, 2024 — In order to increase the security of critical action use, you can now enable multi-factor authentication (MFA) for security playbooks operations. With MFA, users are required to provide multiple forms of verification before they can create, edit, or delete playbooks, approve pending actions, manually execute playbooks from either Security Playbooks or Workbench, or upload a new custom script from Security Playbooks. You can configure MFA settings in the User Accounts app.
Workflow and AutomationSecurity Playbooks

Multi-factor authentication now available for certain response actions

April 8, 2024 — In order to increase the security of critical action use, you can now enable multi-factor authentication (MFA) as a requirement to run certain response actions, including Collect File, Run Remote Custom Script, Start Remote Shell Session, and Submit for Sandbox Analysis, as well as to add a new custom script in Response Management. You can configure MFA settings in the User Accounts app.
Workflow and AutomationResponse Management

Collect File and Submit for Sandbox Analysis response actions now support Virtual Network Sensor

March 28, 2024 — You can now perform Collect File and Submit for Sandbox Analysis response actions on Virtual Network Sensor agents. You can initiate response actions from the context or response menu and monitor task status in the Response Management app.
For more information, see Response actions.
Workflow and AutomationResponse Management

Use case management to communicate with the Trend Micro managed services team

March 25, 2024—Managed XDR customers can use Case Management to receive direct communication from the Trend Micro managed services team to get incident alerts and recommended remediation actions.
Case Management

Case Management can now close inactive cases automatically

March 4, 2024—Case Management can now close cases that have not received updates for over 60 days.
Three days before closing, Case Management sends a notification to remind the case owner to update the case.
Case Management

Support to exclude specified endpoints from response actions

January 31, 2024 — Users may now prevent critical endpoints from being affected by selected response actions triggered across Trend Vision One. Add up to six exclusions to apply to lists of up to 100 endpoints by enabling the feature in Settings within Response management. To learn more, see Exclude Specified Endpoints from Response Actions.
Workflow and AutomationResponse Management

Security Playbooks feature enhancements and user experience improvement

January 24, 2024 — The Endpoint Response Actions playbooks and Incident Response Evidence Collection playbooks have been enhanced to support a broader range of IP formats for the playbook target. In addition to using a wildcard, you have the flexibility to use CIDR notation or specify an IP range from a starting IP address to an ending IP address.
Additionally, the email notification content for user-defined Automated Response Playbooks has been improved to enhance the user experience.
Workflow and AutomationSecurity Playbooks

New Scan for Malware endpoint response action available

January 22, 2024 — Users may now perform a one-time on-demand malware scan on one or more endpoints from context menus in Workbench, Endpoint Inventory, Search, and Observed Attack Techniques, allowing for a direct response to attacks while conducting further investigation. For more information, see Scan for Malware task.
Workflow and AutomationResponse Management

Automated Response Playbook enhancements

December 18, 2023 — The Automated Response Playbook has been enhanced to support a wider range of response actions, including user account actions such as disabling the user account, forcing sign out, and forcing password reset, and the ability to run custom scripts on endpoints.
Workflow and AutomationSecurity Playbooks

Playbook execution results retained for 180 days

November 30, 2023 — Starting now, execution results and any pending actions will be available on the Execution Results tab for a period of 180 days. This change allows us to ensure the most relevant and recent data is always at your fingertips.
Workflow and AutomationSecurity Playbooks

Case Management now available

November 30, 2023 — Case Management is now available for public preview in the Trend Vision One platform. Case Management enables you to assign priority and ownership to cases containing both individual and correlated alerts from Workbench, and streamlines the start of your threat investigation and incident response workflows.
You can open cases directly from Workbench alerts or with any XDR playbook in Security Playbooks. In Forensics, you can use an existing case to automatically pull impacted endpoints into the related workspace. In addition, Case Viewer allows you to manage your cases while working in other apps.
For more information, see Case Management.
Workflow and AutomationCase Management

Three security playbook templates merged and enhanced

November 13, 2020 — The “Run Custom Script,” “Samba vulnerability assessment,” and “Microsoft exchange vulnerability assessment” playbook templates have been consolidated into the new Endpoint Response Actions template, and their functionality has also been integrated into user-defined playbooks.
To learn how to create a user-defined playbook, see Creating Endpoint Response Actions playbooks.
Workflow and AutomationSecurity Playbooks

Incident Response Evidence Collection playbooks now require credits

October 16, 2023 — With the official release of the Forensics app, the Incident Response Evidence Collection playbook now requires credits for evidence collection and uploading to the Forensics app. Users must first configure the data allowance in the Forensics app before setting up the playbook to collect and upload evidence to the Trend Vision One console.
Workflow and AutomationSecurity Playbooks

Enhancements to Run Custom Script security playbooks

September 25, 2023 — You can now specify the operating systems to upload and run custom scripts for when configuring Action nodes for Run Custom Script Security Playbooks. The enhancements also facilitate selecting custom scripts that are added in the Response Management app.
Workflow and AutomationSecurity Playbooks

Enhancements to Automated Response Playbooks

September 25, 2023 — In addition to Workbench alerts automatically triggering playbook execution, users now have the option to manually trigger the execution of Automated Response Playbook from Workbench.
For more information, see Investigating an alert and Alerts (Workbench Insights) in the Workbench documentation.
Furthermore, the Automated Response Playbook now includes an additional automated response action: "Terminate processes". This enhancement enables users to automatically terminate any "unrated" target processes running on an endpoint.
For more information, see Creating Automated Response Playbooks.
Workflow and AutomationSecurity Playbooks

User-defined security playbooks for CVEs with Global Exploit Activity are available

August 21, 2023 — The Security Playbooks app made updates to the two CVEs with Global Exploit Activity playbook templates. It allows you to create the playbooks from scratch with a flexible workflow, while still allowing you to create the playbooks from a fully customizable template.
The updated playbook templates provide the following new filtering options to help mitigate risks posed by highly-exploitable CVEs on your managed assets for more fine-grained control:
  • Filter targets by more operating systems, vulnerability process status, and Trend solutions for prevention rules
  • Retrieve the number of assets targeted for the playbook right after the target configuration
  • Notify recipients of playbook results by individual CVE or all CVEs
Workflow and AutomationSecurity Playbooks

Risk Insights-related security playbooks require entitlement

July 4, 2023 — Customers must now enable the Risk Insights license entitlement to create, edit, or execute the following playbooks.
  • Account Configuration Risk
  • CVEs with High or Medium Global Exploit Activity - Internet-Facing Assets
  • CVEs with High or Medium Global Exploit Activity
For more information, see Security playbooks requirements
Workflow and AutomationSecurity Playbooks

Automated Response Playbooks gain support for custom detection models

July 4, 2023 — You can now specify custom detection models when configuring Target nodes for Automated Response Playbooks. Subsequent nodes in the playbook are only triggered for Workbench alerts related to the specified detection models.
Enhancements to the Security Playbooks user interface facilitate selecting and enabling detection models.
For more information, see Creating Automated Response Playbooks.
Workflow and AutomationSecurity Playbooks

Security Playbooks supports management scope

July 3, 2023 — For customers that signed up for or expressly updated Trend Vision One on or after July 3, 2023, Security Playbooks now supports management scope.
Permissions to view or manage playbooks can be assigned based on management scope for custom roles. Users can only approve the execution of playbooks and view execution results for endpoints in their management scope. Newly created playbooks are executed based on the playbook creator's management scope.
All roles retain full permissions for playbooks created before the implementation of management scope.
Workflow and AutomationSecurity Playbooks

Enhancements to Automated Response Playbooks

You can now specify detection models when configuring trigger settings for Automated Response playbooks. The subsequent nodes in the playbook are only triggered for Workbench alerts related to the specified detection models.
Playbooks also adds support for additional webhook types in user-defined Automated Response playbooks.
For more information, see Creating Automated Response Playbooks.
Workflow and AutomationSecurity Playbooks

Security Playbooks official release

Security Playbooks is now officially released and can be utilized alongside your Risk Insights and XDR entitlements as part of the Trend Vision One platform.
For details on what types of entitlements are required for each playbook type, see Security playbooks requirements.
Workflow and AutomationSecurity Playbooks

User-defined Automated Response Playbooks are available in the Security Playbooks app

Security Playbooks now enables you to create Automatic Response Playbooks from scratch with a flexible workflow, while still allowing you to create the playbooks from a fully customizable template.
In addition to "highly suspicious" and "suspicious" highlighted objects, you can use Automatic Response Playbooks to take response actions on other "unrated" highlighted objects in Workbench alerts.
Additionally, Security Playbooks provides one more response action "Submit URL to sandbox" to help you quickly respond to Workbench alerts.
Workflow and AutomationSecurity Playbooks