Viewing Affected Hosts

  1. Go to Detections > Affected Hosts.

    The Affected Hosts screen appears.

  2. Select the detection severity level from the drop-down control.
  3. Select a time period.
  4. Select which appliances to include as data sources.
  5. (Optional) Click the More icon beside Advanced, select Customize columns, select the columns to hide or display, and then click Apply to return to the modified Affected Hosts screen.
    Table 1. Host Information Columns

    IP Address
      IP address of the affected host

    Host Name
      Computer name of the host

    MAC Address
      Media Access Control address of a network node

    Network Group
      Network group that an IP address/host is assigned to

    Host Severity
      Highest impact on a host, determined from aggregated detections by Trend Micro products and services
      For details about the Host Severity scale, see Host Severity.

    Most Notable Threat
      Threat description of the highest severity detection

    Latest Detection
      Most recent detection, based on timestamp

    The default IP Address, Host Severity, and Latest Detection columns cannot be removed.

    Table 2. Notable Statistics Columns

    Targeted Attack
      A threat that aims to exfiltrate data from a target system
      For details, see APT Attack Sequence.

    Table 3. Attack Phase Columns

    Intelligence Gathering
      Attackers identify and research target individuals using public sources (for example, social media websites) and prepare a customized attack.

    Point of Entry
      The initial compromise is typically from zero-day malware delivered via social engineering (email, IM, or drive-by download). A backdoor is created and the network can now be infiltrated. Alternatively, a website exploitation or direct network hack may be employed.

    C&C Communication
      C&C communication is typically used throughout the attack, allowing the attacker to instruct and control the malware used, exploit compromised machines, move laterally within the network, and exfiltrate data.

    Lateral Movement
      Once inside the network, an attacker compromises additional machines to harvest credentials, escalate privilege levels, and maintain persistent control.

    Asset/Data Discovery
      Several techniques (such as port scanning) are used to identify the noteworthy servers and the services that house the data of interest.

    Data Exfiltration
      Once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed, and often encrypted for transmission to external locations under an attacker's control.

    Unknown Attack Phase
      Detection is triggered by a rule that is not associated with an attack phase.

  6. To run a basic search, type an IP address or host name in the search text box, and then press ENTER or click the magnifying glass icon.

    By default, Deep Discovery Director (Consolidated Mode) searches Affected Hosts by IP Address and Host Name.

  7. To run a saved search, click the Saved Searches icon, and then select a saved search.

    Deep Discovery Director (Consolidated Mode) provides the following built-in saved searches:

    Table 4. Built-in Saved Searches

    Hosts with Targeted Attack detections
      Filter options: Notable events in targeted attack

    Hosts with C&C Communication detections
      Filter options: Notable events in C&C communication

    Hosts with Lateral Movement detections
      Filter options: Notable events in lateral movement

  8. To create and apply an advanced search filter, click Advanced.

    For details, see Affected Hosts Advanced Search Filter.

  9. (Optional) Click the More icon beside Advanced, select Export, select a delimiter to use, and then click OK to export and download the currently filtered list of affected hosts to a CSV file with the chosen delimiter.
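    The following Python script is an added example for triaging the CSV produced in step 9 offline; it is not part of the Deep Discovery Director documentation. It assumes the export's header row uses the on-screen column names and that each attack-phase column holds a detection count, and it ranks hosts by the furthest phase of the APT attack sequence reached so that hosts nearest to Data Exfiltration are reviewed first.

```python
"""Rank an Affected Hosts CSV export by furthest attack phase reached.

Assumptions (not stated on the page): the header row uses the on-screen
column names and each attack-phase column holds a detection count
(blank or 0 means no detections in that phase).
"""
import csv
import io

# Attack phases in the order of the APT attack sequence (Table 3).
ATTACK_PHASES = [
    "Intelligence Gathering",
    "Point of Entry",
    "C&C Communication",
    "Lateral Movement",
    "Asset/Data Discovery",
    "Data Exfiltration",
]

# Constructed sample export, written with a semicolon delimiter (step 9).
SAMPLE_EXPORT = """IP Address;Host Name;Host Severity;Latest Detection;C&C Communication;Lateral Movement;Data Exfiltration;Unknown Attack Phase
10.0.0.5;ws-05;High;2024-01-10 09:12:00;3;0;0;1
10.0.0.9;fileserver;Critical;2024-01-10 08:40:00;2;4;1;0
10.0.0.12;ws-12;Low;2024-01-09 22:05:00;0;0;0;2
"""


def furthest_phase(row):
    """Return (index, name) of the last phase with detections, or (-1, None)."""
    reached = (-1, None)
    for idx, phase in enumerate(ATTACK_PHASES):
        count = int((row.get(phase) or "0").strip() or 0)
        if count > 0:
            reached = (idx, phase)
    return reached


def triage(export_text, delimiter=";"):
    """Parse the export with the chosen delimiter and rank hosts by progression."""
    rows = csv.DictReader(io.StringIO(export_text), delimiter=delimiter)
    ranked = []
    for row in rows:
        idx, phase = furthest_phase(row)
        ranked.append({"ip": row["IP Address"], "host": row["Host Name"],
                       "phase": phase, "phase_index": idx,
                       "latest": row["Latest Detection"]})
    # Furthest phase first; among equals, the most recent detection first.
    ranked.sort(key=lambda r: (r["phase_index"], r["latest"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for entry in triage(SAMPLE_EXPORT, ";"):
        print(entry["ip"], entry["host"], entry["phase"], entry["latest"])
```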