MITRE TTP notifications in Workbench
December 9, 2024 — Workbench alerts now include MITRE tactics, techniques, and procedures (TTP) notifications.
Workbench Companion suggests noteworthy insights
December 9, 2024 — Companion uses machine learning to identify noteworthy or false-positive Workbench insights and proactively recommends a guided workflow for investigation and remediation.
Custom filters now support Email and Collaboration Activity logs
November 18, 2024 — Create custom detection filters with the MESSAGE_ACTIVITY event type and COLLABORATION_ACTIVITY event ID to enhance email and collaboration activity detections.
For more information, see Email and Collaboration Activity Data.
Enhanced Owner Assignment in Workbench and Case Management
October 4, 2024 — Case Management and Workbench now support assigning SAML groups and IdP-only SAML groups as alert and case owners respectively.
For detailed information and limitations, see the online help for Case Management and Workbench.
New exceptions available for XDR for Cloud - AWS CloudTrail detections
August 30, 2024 — Detection Model Management now supports creating detection exceptions for your Amazon S3 buckets using the bucket name. Set the Match Criteria field type to cloud_identifier, select requestParameters.bucketName for the field, and provide the bucket name.
Trend Companion explains Observed Attack Techniques events in the Search app
August 5, 2024 — When using the Observed Attack Techniques search method in the Search app, you can learn more about the events detected in your environment with the help of Trend Companion.
For more information, see Trend Companion.
Add objects to Network Resources from the Workbench, Search, and Observed Attack Techniques apps
August 2, 2024 — You can now use the context menu to add IP addresses and domains to the Trusted Domain List, Trusted Service Source List, or Network Group List, enhancing future detections from connected Deep Discovery Inspector appliances and Virtual Network Sensors.
Custom filters now support AWS Virtual Private Cloud flow logs
July 1, 2024 — Custom detection filters now support AWS VPC flow log activity under the CLOUD_ACTIVITY event type and the VPC_ACTIVITY_LOG event ID.
For more information, see Network Activity Data and Cloud Activity Data.
Trend Vision One - Companion now explains Observed Attack Techniques events
June 19, 2024 — Gain a better understanding of the Observed Attack Techniques events detected in your environment with the help of Trend Vision One - Companion.
For more information, see Trend Companion.
Trend Vision One - Companion now supported in Observed Attack Techniques
May 8, 2024 — Gain a better understanding of the events and executed commands detected in Observed Attack Techniques with the help of Trend Vision One - Companion.
For more information, see Observed Attack Techniques.
Custom models now support Identity and Access Activity Data
May 6, 2024 — You can now create custom models that include filters for Identity and Access Activity Data in Detection Model Management.
For more information, see Configuring a custom model.
Custom filter query strings can now include regex for higher detection precision
April 22, 2024 — You can now create and import custom filter queries that include regex in Detection Model Management.
For more information, see Using regex in custom filters.
Forensics now supports multi-factor authentication
April 8, 2024 — You can now require multi-factor authentication for evidence collection, osquery, and YARA rule scans in the Forensics app.
Forensics highlights now available
January 29, 2024 — The new Highlights section of the evidence report in Forensics displays all the high-risk pieces of evidence found in the collected evidence. Use the Highlights section as a starting point for your investigations.
Forensics workspace enhancements
January 29th, 2024 — Forensics now displays the following information about your endpoints in the Workspace view:
- Latest risk score
- Whether the endpoint is connected or not
- Whether the endpoint is managed or not
Forensics supports YARA, osquery, and Collect Evidence tasks on Linux endpoints
January 11, 2023 — The Forensics app now allows you to run YARA, osquery, and Collect Evidence tasks on Linux endpoints, enabling you to better monitor and analyze both Windows and Linux endpoints in your environment.
For more information on these tasks, see Response actions.
Filter query results of YARA and osquery tasks by status
January 9, 2024 — Query results for YARA and osquery tasks can now be filtered by status to provide a brief overview. Quickly find the reason for failed tasks by hovering over the status icon next to endpoint names.
Support for terminating Amazon ECS containers
January 8, 2024 — Customers can now terminate potentially compromised Amazon Elastic Container Service tasks while investigating threat incidents in Workbench, Observed Attack Techniques, or the Search app.
Enhance investigations with VirusTotal threat intelligence in Evidence Report view
December 11, 2023 — You can now right-click URLs, domains, IPs, or file SHA-1 hashes and select "VirusTotal" to facilitate thorough investigation of possible threats in your environment.
Customize YARA and osquery task names
December 11, 2023 — During an investigation, users can run multiple rounds of osquery or YARA tasks to narrow down the affected endpoint scope. Task names can now be customized to easily distinguish between multiple rounds of task results.
Forensics workspaces provide quick link to related tasks
December 11, 2023 — Workspaces in Forensics now offer a quick link to all tasks related to the workspace. Click the Related Tasks button to go to a pre-filtered list in the Task List tab, where you can view the status and results of workspace-related tasks.
Forensics app now enriches evidence with Trend Micro Smart Protection Network data
December 11, 2023 — Powered by Trend Micro Smart Protection Network services such as Web Reputation Services, the Forensics app can now enrich network-related data collected as evidence. You can now view the score and corresponding risk level of certain URLs, IP addresses, and domain names that you collect and add to Forensics workspaces.
Targeted Attack Detection officially released
December 1, 2023 — Targeted Attack Detection is out of preview and is now an officially released app. Targeted Attack Detection is free to use, so any Trend Vision One user can leverage the app to analyze Smart Feedback data and determine whether their environment is under attack.
The Search app supports threat hunting queries from Cyborg Security
November 10, 2023 — The Search app now supports threat hunting queries from Cyborg Security to facilitate identification of elusive IOAs in the environment. Moreover, users may view related intelligence reports to aid the understanding and resolution of cyber attacks.
Observed Attack Techniques supports filtering by data source
November 6, 2023 — You can now filter security event information by data source in the Observed Attack Techniques app. Filtering by data source allows you to evaluate the individual data contribution of different Trend Vision One products.
Case Management integration with Forensics
October 30, 2023 — Case Management now offers integration with Forensics. This allows you to create a Forensics workspace specifically for endpoints included in a Workbench insight or alert. From there, you can perform quick responses such as isolation, osquery, and YARA process scanning within the Forensics app.
Additionally, you can gather advanced digital evidence from the endpoints in Forensics
to conduct a more thorough analysis, identifying root causes and constructing an attack
chain using the Forensics timeline.
Once you establish the attack chain, you can add the timeline to a case to record
the location of the results.
Custom filter import and export
October 30, 2023 — The Detection Model Management app now supports the import and export of custom filters via YAML files. Users can now easily import custom filters from YAML files or export custom filters as YAML files packaged in a ZIP file.
For more information, see Custom filters.
Forensics has been officially launched
October 16, 2023 — A new application, Forensics, has been officially launched. With Forensics, you can respond to security incidents, conduct compromise assessments, threat hunting, and monitoring.
Forensics allows you to create workspaces. Within the workspace, you can isolate the scope of an incident and execute osquery and YARA for quick triage and investigation.
If you require more details about an incident, you can collect evidence. Evidence
Collection gathers the digital evidence and uploads it to the Trend Vision One console.
Forensics offers an evidence viewing and searching function, facilitating advanced
investigations. As you progress through the investigation, you can add notes with
important timestamps or create customized records in timelines. In other words, the
Forensics timeline is your tool for creating a comprehensive attack chain report using
the collected evidence records.
Furthermore, you can use the Evidence Archive section of Forensics to manage all the
evidence collected by Incident Response playbooks. Evidence packages can be added
to the workspaces, used for generating evidence reports, and utilized for investigation
at any time.
For more information, see Forensics.
Support for multiple custom filters in a custom model
October 16, 2023 — The Detection Model Management app has been updated to support multiple custom filters in a custom model, with a maximum limit of five custom filters per model. Users can configure the Workbench to trigger an alert based on two additional criteria: when events defined by the custom filters occur, or when events defined by the custom filters occur in the specified order.
For more information, see Configuring a custom model.
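The two trigger criteria described above, the any-order case and the ordered-sequence case, as an added illustration that is not part of the release notes or of Trend Vision One's own code. The filter predicates, event field names, and sample events below are constructed assumptions; the product expresses filters in its search-query syntax, which is not reproduced here.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]


@dataclass
class CustomFilter:
    """A named predicate over one event (stand-in for a product search query)."""
    name: str
    match: Callable[[Event], bool]


def regex_field(field: str, pattern: str) -> Callable[[Event], bool]:
    """Build a filter predicate that hits when a regex matches the given event field."""
    rx = re.compile(pattern)
    return lambda ev: bool(rx.search(ev.get(field, "")))


@dataclass
class CustomModel:
    """One to five custom filters; triggers when all hit (any order) or only in order."""
    name: str
    filters: List[CustomFilter]
    ordered: bool = False

    def __post_init__(self) -> None:
        if not 1 <= len(self.filters) <= 5:
            raise ValueError("a custom model takes between one and five custom filters")

    def triggers(self, events: List[Event]) -> bool:
        timeline = sorted(events, key=lambda e: e["eventTime"])
        if not self.ordered:
            return all(any(f.match(ev) for ev in timeline) for f in self.filters)
        # Ordered mode: move on to the next filter only after the current one hits.
        pending = 0
        for ev in timeline:
            if self.filters[pending].match(ev):
                pending += 1
                if pending == len(self.filters):
                    return True
        return False


# Constructed sample filters and events (assumed field names, not product data).
LAUNCH_FROM_TEMP = CustomFilter("launch_from_temp", regex_field("processFilePath", r"(?i)\\temp\\.*\.exe$"))
RARE_PORT_CONNECT = CustomFilter("rare_port_connect", regex_field("dstPort", r"^(4444|1337)$"))
EVENTS_LAUNCH_THEN_CONNECT = [
    {"eventTime": "2023-10-16T09:00:00Z", "processFilePath": r"C:\Users\a\AppData\Local\Temp\upd.exe"},
    {"eventTime": "2023-10-16T09:01:00Z", "dstPort": "4444"},
]
EVENTS_CONNECT_THEN_LAUNCH = [
    {"eventTime": "2023-10-16T09:00:00Z", "dstPort": "4444"},
    {"eventTime": "2023-10-16T09:01:00Z", "processFilePath": r"C:\Users\a\AppData\Local\Temp\upd.exe"},
]
ANY_ORDER = CustomModel("suspicious_pair", [LAUNCH_FROM_TEMP, RARE_PORT_CONNECT])
IN_ORDER = CustomModel("launch_then_connect", [LAUNCH_FROM_TEMP, RARE_PORT_CONNECT], ordered=True)
```

The same pair of filters fires the any-order model on both timelines, while the ordered model fires only when the process launch precedes the connection.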
The Observed Attack Techniques API adds support for container data
September 30, 2023 — The Observed Attack Techniques API has been updated to support container-related information such as threats or activities. SIEM apps and customers can now use the Observed Attack Techniques Pipeline endpoints to export events that trigger filters or container events. This enables threat and activity investigation related to container security within the exported events.
For more information about the Observed Attack Techniques API, see https://automation.trendmicro.com/xdr/api-v3#tag/Observed-Attack-Techniques-Pipeline
Observed Attack Techniques offers visibility into container attack information
August 15, 2023 — To improve visibility into container attacks, the Observed Attack Techniques app has been updated to show all detected events with filter hits originating from container security point products. The app now lists the container name or ID under Associated Entity, providing customers with immediate insight into which entity was targeted. Customers are able to search events by container name, in addition to the existing search criteria.
Notifications implemented for disabled custom filters
August 1, 2023 — Notifications are now displayed for disabled custom filters. The notifications include the message that pops up in the Notification Center and the tooltip message displayed next to the filter name on the Custom Filter tab and the associated model name on the Custom Model tab.
Custom detection model public preview
July 4, 2023 — The Detection Model Management app now offers the ability to create custom filters using search query syntax. Create custom detection models that use the new custom filters to trigger the generation of custom Observed Attack Techniques events and Workbench alerts.
The custom Observed Attack Techniques events and Workbench alerts are accessible by several downstream features and services, including the Observed Attack Techniques app, the Workbench public API, widgets, and third-party SIEM integrations. In addition, the new custom detection models can be leveraged by the Security Playbooks app to create automated response actions.
Forensics risk score for endpoints
April 8, 2024 — The Forensics app now includes risk scores from Attack Surface Risk Management. Forensic investigators can prioritize endpoints with high risk scores when adding endpoints to a workspace. Once added, each endpoint risk score has a Detailed Profile for further investigation.