Updated Syslog CEF log header values for Workbench and Observed Attack Techniques
January 6, 2025 — To align with trademarking requirements, the value "Vision One" will change to "Trend Vision One" in the CEF header fields Header (Device Product) and Header (Name) of Syslog connector (on-premises/SaaS) Workbench logs and Observed Attack Techniques logs on January 20, 2025.
For more information, see Modification of CEF header values - Trend Vision One.
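The header change above matters to anyone whose SIEM rules key on the Device Product field. The following is an added example (not Trend Micro code) that splits the CEF header correctly, including escaped pipes, and reports whether each line carries the old or the new product value; the sample lines are constructed and the vendor string "Trend Micro" is an assumption.

```python
"""Parse the CEF header of Trend Vision One Workbench / Observed Attack Techniques
syslog lines and report whether Header (Device Product) still carries the old value
"Vision One" or the new value "Trend Vision One". Added example, not Trend Micro
code; the sample lines are constructed and the vendor string is an assumption."""

OLD_PRODUCT = "Vision One"        # Device Product before the January 20, 2025 change
NEW_PRODUCT = "Trend Vision One"  # Device Product after the change
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

def split_cef_header(line: str) -> tuple[list[str], str]:
    """Return the seven CEF header values and the extension string. CEF escapes
    '|' as '\\|' and '\\' as '\\\\' in header values, so split('|') is not safe."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, buf, i = [], [], len("CEF:")
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: keep it literally
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":                        # unescaped pipe closes a header field
            fields.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    return fields, line[i:]

def parse_cef(line: str) -> dict:
    """Map header values to field names; the extension is kept unparsed."""
    fields, extension = split_cef_header(line)
    record = dict(zip(HEADER_FIELDS, fields))
    record["extension"] = extension
    return record

def product_status(line: str) -> str:
    """'old', 'new' or 'other' according to the Device Product header value."""
    product = parse_cef(line)["device_product"]
    return {OLD_PRODUCT: "old", NEW_PRODUCT: "new"}.get(product, "other")

def audit(lines) -> dict:
    """Count lines per status so a SIEM parser keyed on the old value can be checked."""
    counts = {"old": 0, "new": 0, "other": 0}
    for line in lines:
        counts[product_status(line)] += 1
    return counts

# Constructed sample lines: one pre-change, one post-change, one with an escaped pipe.
SAMPLE_LINES = [
    "CEF:0|Trend Micro|Vision One|1.0|WB-0001|Workbench alert|7|src=10.0.0.5 suser=alice",
    "CEF:0|Trend Micro|Trend Vision One|1.0|WB-0001|Workbench alert|7|src=10.0.0.5 suser=alice",
    "CEF:0|Trend Micro|Trend Vision One|1.0|OAT-0002|Name with \\| pipe|5|msg=constructed",
]
```

Running `audit(SAMPLE_LINES)` on a sample of live syslog output before and after the cut-over shows whether a parser or correlation rule still expects the old value.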
AI-powered case summaries
December 9, 2024 — You can now use Companion to generate summaries of open cases that
include case activities, updates, and findings.
This feature streamlines case handoffs between analysts by consolidating information
into concise summaries, helping SOC teams keep consistent case documentation and improve
collaboration efficiency.
AI-generated incident investigation reports
December 9, 2024 — Generate comprehensive PDF reports for true-positive Workbench
cases that originate from Workbench Insights.
Companion can now generate PDF reports that include Workbench Insights summaries,
threat activity timelines, actions taken, and recommendations to help security teams
quickly understand and communicate investigation findings.
Sync Attack Surface Risk Management case information with ServiceNow
December 9, 2024 — You can now use Case Management to synchronize Attack Surface Risk Management case information into ServiceNow. When creating a ticket profile for the Trend Vision One for ServiceNow Ticketing System, select "Attack Surface Risk Management case" from the Case type list. Then, when users open a case in Operations Dashboard, they can select the ticket profile to synchronize the case with ServiceNow.
For more information, see Configure ServiceNow ITSM to enable the Trend Vision One for ServiceNow Ticketing System.
Note: To use this feature, you must install or upgrade to Trend Vision One Connector 2.2 or later in ServiceNow.
New taskstatus command available for remote shell
December 9, 2024 — The Start Remote Shell Session response action now supports the taskstatus command, which allows you to view the status of the response tasks created in the current remote shell session.
For more information, see Start Remote Shell Session task.
Enhanced third-party ticketing and notification options in Case Management
December 6, 2024 — Case Management now offers granular control over third-party ticketing
system integration and notification settings at the individual case level.
You can configure case-specific ServiceNow ticket destinations and customize notification
channels through webhooks and email, enabling bi-directional synchronization between
Trend Vision One cases and external ticketing systems.
Case Management now supports Attack Surface Risk Management cases
November 29 — To streamline your risk reduction workflows, in Case Management you can now assign priority and ownership to cases containing risk events from Operations Dashboard. When you open a case in Operations Dashboard, you can choose which third-party ticketing system, webhook channel, or email address to notify.
Enhanced Owner Assignment in Workbench and Case Management
October 4, 2024 — Case Management and Workbench now support assigning SAML groups and IdP-only SAML groups as alert and case owners respectively.
For detailed information and limitations, see the online help for Case Management and Workbench.
Role-based targets in security playbooks
September 30, 2024 — Security playbooks now reflect the asset visibility scope of the user role that created them, targeting only the assets within that scope. This helps organizations whose user roles have different asset visibility scopes manage their security playbooks effectively.
If the creator's user role is deleted, the playbook becomes deactivated until another
user reactivates it by editing or enabling the playbook. Upon reactivation, the playbook
applies to targets within the asset visibility scope of the user who reactivated it.
Enhanced endpoint filtering for Automated Response Playbooks
September 30, 2024 — Automated Response Playbooks now provide additional endpoint
conditions, including endpoint name, endpoint type, and operating system, to filter
targeted endpoints for the playbook.
For more information, see Creating Automated Response
Playbooks.
Run osquery and YARA rules tasks from the Search app
September 23, 2024 — You can now trigger osquery and YARA rules response tasks from
the context menu in the Search app, providing you flexibility when investigating potential
incidents. You can also upload response scripts, osquery queries, and YARA rules on
the Response Scripts tab in Response Management.
For more information, see Response actions.
Automated High-Risk Account Response playbooks now available in public preview
August 26, 2024 — Security Playbooks has introduced a new playbook template: Automated High-Risk Account Response. This playbook enables users to manage accounts with high risk scores by taking specified response actions. In addition to the standard user account actions, the playbook can add these accounts to a dedicated restricted user group within Zscaler. This integration allows specific Zscaler policies to be applied directly to the group.
To use this feature, users must configure one or both Zscaler integrations within the Third-Party Integration app.
For more information, see Creating Automated High-Risk Account
Response playbooks.
New detailed view in Case Management
June 26, 2024 — Case Management now offers a detailed view of each case, allowing
you to retrieve your case information and track progress easily.
The new detailed view includes:
- Case activity.
- Notes and comments.
- Attachments.
- Execution results from Security Playbooks.
For more information, see Case Management.
Configure response action approval settings
June 12, 2024 — You can now configure approval settings for specified response actions
in the Response Management app.
The approval settings you configure in the Response Management app do not affect those
configured in the Managed Services or Security Playbooks app.
For more information, see Response Management settings.
Automated Response Playbooks support IP address conditions
June 4, 2024 — Automated Response Playbooks are enhanced to include IP address as a condition in playbook settings, in addition to Highlighted object risk. With this enhancement, the playbooks can filter highlighted objects by their source IP address, destination IP address, peer IP address, and interested IP address, enabling more targeted response actions.
For more information, see Creating Automated Response
Playbooks.
Two-way sync supported between Case Management and ServiceNow
May 27, 2024 — Case Management now supports two-way sync of case status and priority changes with ServiceNow.
For more information, see Configure ServiceNow ITSM to enable the Trend Vision One for ServiceNow Ticketing System.
Risk Event Response playbooks available
May 20, 2024 — Security Playbooks now includes Risk Event Response playbooks, a new
feature designed to help you respond to new and ongoing risk events detected in your
environment. You can set up the playbooks to respond to or send notifications about
the risk events associated with all risk factors identified in Operations Dashboard,
with the exception of XDR detection. For XDR detection related risk events, configure
Automated Response Playbooks to enable automatic actions in response to high-priority
alerts in Workbench.
For more information, see Creating Risk Event Response
playbooks.
Configure response action time-out settings
April 16, 2024 — You can now specify the time-out setting for endpoint response actions. If left unspecified, the default setting is used.
For more information, see Response Management settings.
Multi-factor authentication now available for certain critical actions in Security Playbooks
April 8, 2024 — To increase the security of critical action use, you can now enable multi-factor authentication (MFA) for security playbooks operations. With MFA, users are required to provide multiple forms of verification before they can create, edit, or delete playbooks, approve pending actions, manually execute playbooks from either Security Playbooks or Workbench, or upload a new custom script from Security Playbooks. You can configure MFA settings in the User Accounts app.
For more information, see Enabling and configuring multi-factor authentication.
Multi-factor authentication now available for certain response actions
April 8, 2024 — To increase the security of critical action use, you can now enable multi-factor authentication (MFA) as a requirement to run certain response actions, including Collect File, Run Remote Custom Script, Start Remote Shell Session, and Submit for Sandbox Analysis, as well as to add a new custom script in Response Management. You can configure MFA settings in the User Accounts app.
For more information, see Enabling and configuring multi-factor authentication.
Collect File and Submit for Sandbox Analysis response actions now support Virtual Network Sensor
March 28, 2024 — You can now perform Collect File and Submit for Sandbox Analysis response actions on Virtual Network Sensor agents. You can initiate response actions from the context or response menu and monitor task status in the Response Management app.
For more information, see Response actions.
Use case management to communicate with the Trend Micro managed services team
March 25, 2024 — Managed XDR customers can use Case Management to receive direct communication from the Trend Micro managed services team to get incident alerts and recommended remediation actions.
Case Management can now close inactive cases automatically
March 4, 2024 — Case Management can now close cases that have not received updates for over 60 days. Three days before closing, Case Management sends a notification to remind the case owner to update the case.
Support to exclude specified endpoints from response actions
January 31, 2024 — Users may now prevent critical endpoints from being affected by selected response actions triggered across Trend Vision One. Add up to six exclusions to apply to lists of up to 100 endpoints by enabling the feature in Settings within Response management.
To learn more, see Exclude Specified Endpoints from Response Actions.
Security Playbooks feature enhancements and user experience improvement
January 24, 2024 — The Endpoint Response Actions playbooks and Incident Response Evidence Collection playbooks have been enhanced to support a broader range of IP formats for the playbook target. In addition to using a wildcard, you have the flexibility to use CIDR notation or specify an IP range from a starting IP address to an ending IP address.
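Before enabling a playbook with the target formats listed above, it is worth previewing which endpoints the specification actually covers. The following is an added example (not Trend Micro code) that matches an inventory of endpoint IPs against wildcard, CIDR and start-to-end range targets; the wildcard syntax ('*' in one or more dotted octets, e.g. 10.1.*.*) and the 'start-end' range syntax are assumptions, as is the constructed inventory.

```python
"""Preview which endpoints a playbook target specification covers. Added example,
not Trend Micro code. It implements the three target formats the page lists:
wildcard (assumed: '*' in one or more dotted octets, IPv4 only), CIDR notation,
and an inclusive 'start-end' IP range (syntax assumed)."""
import ipaddress

def _wildcard_match(spec: str, ip: ipaddress.IPv4Address) -> bool:
    """Compare octet by octet; '*' matches any value in that position."""
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad wildcard target: {spec}")
    return all(p == "*" or p == o for p, o in zip(parts, str(ip).split(".")))

def target_matches(spec: str, ip_str: str) -> bool:
    """True if ip_str falls inside the single target specification spec."""
    ip = ipaddress.ip_address(ip_str)
    spec = spec.strip()
    if "-" in spec:                                   # start-end range, inclusive
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        if lo.version != ip.version or lo > hi:
            return False
        return lo <= ip <= hi
    if "/" in spec:                                   # CIDR notation
        net = ipaddress.ip_network(spec, strict=False)
        return net.version == ip.version and ip in net
    if "*" in spec:                                   # wildcard (IPv4 only)
        return ip.version == 4 and _wildcard_match(spec, ip)
    return ip == ipaddress.ip_address(spec)           # a single address

def select_targets(specs, endpoints: dict) -> list:
    """Return the sorted endpoint names whose IP matches any of the target specs."""
    return sorted(name for name, ip in endpoints.items()
                  if any(target_matches(s, ip) for s in specs))

# Constructed endpoint inventory (not real data): name -> IP address.
ENDPOINTS = {
    "web-01": "10.1.4.20",
    "web-02": "10.1.4.200",
    "db-01": "10.1.9.7",
    "jump-01": "192.168.50.12",
    "lab-ipv6": "fd00::1",
}
```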
Additionally, the email notification content for user-defined Automated Response Playbooks has been improved to enhance the user experience.
New Scan for Malware endpoint response action available
January 22, 2024 — Users may now perform a one-time on-demand malware scan on one or more endpoints from context menus in Workbench, Endpoint Inventory, Search, and Observed Attack Techniques, allowing for a direct response to attacks while conducting further investigation.
For more information, see Scan for Malware task.
Automated Response Playbook enhancements
December 18, 2023 — The Automated Response Playbook has been enhanced to support a wider range of response actions, including user account actions such as disabling the user account, forcing sign out, and forcing password reset, and the ability to run custom scripts on endpoints.
Playbook execution results retained for 180 days
November 30, 2023 — Starting now, execution results and any pending actions will be available on the Execution Results tab for a period of 180 days. This change allows us to ensure the most relevant and recent data is always at your fingertips.
Case Management now available
November 30, 2023 — Case Management is now available for public preview in the Trend Vision One platform. Case Management enables you to assign priority and ownership to cases containing both individual and correlated alerts from Workbench, and streamlines the start of your threat investigation and incident response workflows.
You can open cases directly from Workbench alerts or with any XDR playbook in Security Playbooks. In Forensics, you can use an existing case to automatically pull impacted endpoints into the related workspace. In addition, Case Viewer allows you to manage your cases while working in other apps.
For more information, see Case Management.
Three security playbook templates merged and enhanced
November 13, 2020 — The "Run Custom Script," "Samba vulnerability assessment," and "Microsoft exchange vulnerability assessment" playbook templates have been consolidated into the new Endpoint Response Actions template, and their functionality has also been integrated into user-defined playbooks.
To learn how to create a user-defined playbook, see Creating Endpoint Response playbooks.
Incident Response Evidence Collection playbooks now require credits
October 16, 2023 — With the official release of the Forensics app, the Incident Response Evidence Collection playbook now requires credits for evidence collection and uploading to the Forensics app. Users must first configure the data allowance in the Forensics app before setting up the playbook to collect and upload evidence to the Trend Vision One console.
For more information, see Creating Incident Response Evidence Collection playbooks.
Enhancements to Run Custom Script security playbooks
September 25, 2023 — You can now specify the operating systems to upload and run custom scripts for when configuring Action nodes for Run Custom Script Security Playbooks. The enhancements also facilitate selecting custom scripts that are added in the Response Management app.
Enhancements to Automated Response Playbooks
September 25, 2023 — In addition to Workbench alerts automatically triggering playbook execution, users now have the option to manually trigger the execution of Automated Response Playbooks from Workbench.
For more information, see Investigating an alert and Alerts (Workbench Insights) in
the Workbench documentation.
Furthermore, the Automated Response Playbook now includes an additional automated response action: "Terminate processes". This enhancement enables users to automatically terminate any "unrated" target processes running on an endpoint.
For more information, see Creating Automated Response Playbooks.
User-defined security playbooks for CVEs with Global Exploit Activity are available
August 21, 2023 — The Security Playbooks app has updated the two CVEs with Global Exploit Activity playbook templates. You can now create these playbooks from scratch with a flexible workflow, or from a fully customizable template.
The updated playbook templates provide the following new filtering options, giving you more fine-grained control to help mitigate risks posed by highly-exploitable CVEs on your managed assets:
- Filter targets by more operating systems, vulnerability process status, and Trend solutions for prevention rules
- Retrieve the number of assets targeted for the playbook right after the target configuration
- Notify recipients of playbook results by individual CVE or all CVEs
For more information, see Creating CVEs with Global Exploit Activity playbooks.
Risk Insights-related security playbooks require entitlement
July 4, 2023 — Customers must now enable the Risk Insights license entitlement to create, edit, or execute the following playbooks:
- Account Configuration Risk
- CVEs with High or Medium Global Exploit Activity - Internet-Facing Assets
- CVEs with High or Medium Global Exploit Activity
For more information, see Security playbooks requirements.
Automated Response Playbooks gain support for custom detection models
July 4, 2023 — You can now specify custom detection models when configuring Target nodes for Automated Response Playbooks. Subsequent nodes in the playbook are only triggered for Workbench alerts related to the specified detection models.
Enhancements to the Security Playbooks user interface facilitate selecting and enabling detection models.
For more information, see Creating Automated Response Playbooks.
Security Playbooks supports management scope
July 3, 2023 — For customers that signed up for or expressly updated Trend Vision One on or after July 3, 2023, Security Playbooks now supports management scope.
Permissions to view or manage playbooks can be assigned based on management scope for custom roles. Users can only approve the execution of playbooks and view execution results for endpoints in their management scope. Newly created playbooks are executed based on the playbook creator's management scope.
All roles retain full permissions for playbooks created before the implementation of management scope.
Enhancements to Automated Response Playbooks
You can now specify detection models when configuring trigger settings for Automated Response playbooks. The subsequent nodes in the playbook are only triggered for Workbench alerts related to the specified detection models.
Security Playbooks also adds support for additional webhook types in user-defined Automated Response playbooks.
For more information, see Creating Automated Response Playbooks.
Security Playbooks official release
Security Playbooks is now officially released and can be utilized alongside your Risk
Insights and XDR entitlements as part of the Trend Vision One platform.
For details on what types of entitlements are required for each playbook type, see
Security playbooks requirements.
User-defined Automated Response Playbooks are available in the Security Playbooks app
Security Playbooks now enables you to create Automatic Response Playbooks from scratch with a flexible workflow, while still allowing you to create the playbooks from a fully customizable template.
In addition to "highly suspicious" and "suspicious" highlighted objects, you can use Automatic Response Playbooks to take response actions on other "unrated" highlighted objects in Workbench alerts.
Additionally, Security Playbooks provides one more response action, "Submit URL to sandbox", to help you quickly respond to Workbench alerts.