Forensics now supports multi-factor authentication

April 8, 2024—You can now request multi-factor authentication for evidence collection, osquery, and YARA rule scans in the Forensics app.

Forensics supports YARA, osquery, and Collect Evidence tasks on Linux endpoints

January 11, 2023 — The Forensics app now allows you to run YARA, osquery, and Collect Evidence tasks on Linux endpoints, enabling you to better monitor and analyze both Windows and Linux endpoints in your environment.
For more information on these tasks, see Response actions.
XDR Threat InvestigationForensics

Filter query results of YARA and osquery tasks by status

January 9, 2024 — Query results for YARA and osquery tasks can now be filtered by status to provide a brief overview. Quickly find the reason for failed tasks by hovering over the status icon next to endpoint names.
XDR Threat InvestigationForensics

Support for terminating Amazon ECS containers

January 8, 2024 — Customers can now terminate potentially compromised Amazon Elastic Container Service tasks while investigating threat incidents in Workbench, Observed Attack Techniques, or the Search app.

Enhance investigations with VirusTotal threat intelligence in Evidence Report view

December 11, 2023 — You can now right-click URLs, domains, IPs, or file SHA-1 and select “VirusTotal” to facilitate thorough investigation of possible threats in your environment.
XDR Threat InvestigationForensics

Customize YARA and osquery task names

December 11, 2023 — During an investigation, users can run multiple rounds of osquery or YARA tasks to narrow down the affected endpoint scope. Task names can now be customized to easily distinguish between multiple rounds of task results.
XDR Threat InvestigationForensics

Forensics workspaces provide quick link to related tasks

December 11, 2023 — Workspaces in Forensics now offer a quick link to all tasks related to the workspace. Click the Related Tasks button to go to a pre-filtered list in the Task List tab where you can view the status and results of workspace-related tasks.
XDR Threat InvestigationForensics

Forensics app now enriches evidence with Trend Micro Smart Protection Network data

December 11, 2023 — Powered by Trend Micro Smart Protection Network services such as Web Reputation Services, the Forensics app can now enrich network-related data collected as evidence. You can now view the score and corresponding risk level of certain URLs, IP addresses, and domain names that you collect and add to Forensics workspaces.
XDR Threat InvestigationForensics

Targeted Attack Detection officially released

December 1, 2023 — Targeted Attack Detection is out of preview, and now an officially released app. Targeted Attack Detection is free to use, so any Trend Vision One user can leverage the app to analyze Smart Feedback data to determine if your environment is under attack.
XDR Threat InvestigationTargeted Attack Detection

The Search app supports threat hunting queries from Cyborg Security

November 10, 2023 — The Search app now supports threat hunting queries from Cyborg Security to facilitate identification of elusive IOAs in the environment. Moreover, users may view related intelligence reports to aid the understanding and resolution of cyber attacks.
XDR Threat InvestigationSearch

Observed Attack Techniques supports filtering by data source

November 6, 2023 — You can now filter security event information by data source in the Observed Attack Techniques app. Filtering by data source allows you to evaluate the individual data contribution of different Trend Vision One products.
XDR Threat InvestigationObserved Attack Techniques

Case Management integration with Forensics

October 30, 2023—Case Management now offers integration with Forensics. This allows you to create a Forensics workspace specifically for endpoints included in a Workbench insight or alert. From there, you can perform quick responses such as isolation, Osquery, and YARA process scanning within the Forensics app.
Additionally, you can gather advanced digital evidence from the endpoints in Forensics to conduct a more thorough analysis, identifying root causes and constructing an attack chain using the Forensics timeline.
Once you establish the attack chain, you can add the timeline to a case to record the location of the results.

Custom filter import and export

October 30, 2023 — The Detection Model Management app now supports the import and export of custom filters via YAML files. Users can now easily import custom filters from YAML files or export custom filters into YAML files as a ZIP file.
Fore more information, see Custom filters.
XDR Threat InvestigationDetection Model Management

Forensics has been officially launched

October 16, 2023 —A new application, Forensics, has been officially launched. With Forensics, you can respond to security incidents, conduct compromise assessments, threat hunting, and monitoring.
Forensics allows you to create workspaces. Within the workspace, you can isolate the scope of an incident and execute osqeury and YARA for quick triage and investigation. If you require more details about an incident, you can collect evidence. Evidence Collection gathers the digital evidence and uploads it to the Trend Vision One console.
Forensics offers an evidence viewing and searching function, facilitating advanced investigations. As you progress through the investigation, you can add notes with important timestamps or create customized records in timelines. In other words, the Forensics timeline is your tool for creating a comprehensive attack chain report using the collected evidence records.
Furthermore, you can use the Evidence Archive section of Forensics to manage all the evidence collected by Incident Response playbooks. Evidence packages can be added to the workspaces, used for generating evidence reports, and utilized for investigation at any time.
For more information, see Forensics.

Support for multiple custom filters in a custom model

October 16, 2023 — The Detection Model Management app has been updated to support multiple custom filters in a custom model, with a maximum limit of five custom filters per model. Users can configure the Workbench to trigger an alert based on two more criteria: when events defined by the custom filters occur, or when events defined by the custom filters occur in the specified order.
Fore more information, see Configuring a custom model.
XDR Threat InvestigationDetection Model Management

The Observed Attack Techniques API adds support for container data

September 30, 2023 — The Observed Attack Techniques API has been updated to support container-related information such as threats or activities. SIEM apps and customers can now utilize the Observed Attack Techniques Pipeline endpoints to export events that trigger filters or container events. This enables threat and activity investigation related to container security within the exported events.
For more information about the Observed Attack Techniques API, see

Observed Attack Techniques offers visibility into container attack information

August 15, 2023 — To facilitate the visibility of container attacks, the Observed Attack Techniques app has been updated to show all detected events with filter hits originating from container security point products. The app now lists the container name or ID under Associated Entity, providing customers with immediate insight into which entity was targeted. Customers are able to search events by container name, in addition to the existing search criteria.
XDR Threat InvestigationObserved Attack Techniques

Notifications implemented for disabled custom filters

August 1, 2023 — Notifications are now displayed for disabled custom filters. The notifications include the notification message that pops up in the Notification Center and the tooltip message displayed next to the filter name on the Custom Filter tab and the associated model name on the Custom Model tab.
XDR Threat InvestigationDetection Model Management

Custom detection model public preview

July 4, 2023 — The Detection Model Management app now offers the ability to create custom filters using search query syntax. Create custom detection models that use the new custom filters to trigger the generation of custom Observed Attack Techniques events and Workbench alerts.
The custom Observed Attack Techniques events and Workbench alerts are accessible by several downstream features and services, including the Observed Attack Techniques app, the Workbench public API, widgets, and third-party SIEM integrations. In addition, the new custom detection models can be leveraged by the Security Playbooks app to create automated response actions.
XDR Threat InvestigationDetection Model Management