Viewing Affected Hosts

  1. Go to Detections > Affected Hosts.

    The Affected Hosts screen appears.

  2. Select the detection severity level by using the drop-down control.
  3. Select a time period.
  4. Select which appliances to include as data sources.
  5. (Optional) Click the More icon beside Advanced, select Customize columns, select the columns to hide or display, and then click Apply to return to the modified Affected Hosts screen.
    Table 1. Host Information Columns (columns that are preselected for display are marked [preselected])

    IP Address [preselected]: IP address of the affected host
    Host Name [preselected]: Computer name of the host
    MAC Address: Media Access Control (MAC) address of the network node
    Network Group [preselected]: Network group to which the IP address or host is assigned
    Host Severity [preselected]: Highest impact on the host, determined from detections aggregated across Trend Micro products and services. For details about the Host Severity scale, see Host Severity.
    Most Notable Threat [preselected]: Threat description of the highest severity detection on the host
    Latest Detection [preselected]: Most recent detection on the host, based on timestamp

    Note:

    The IP Address, Host Severity and Latest Detection columns are always displayed and cannot be removed.

    Table 2. Notable Statistics Columns (columns that are preselected for display are marked [preselected])

    Targeted Attack: A threat that aims to exfiltrate data from a target system. For details, see APT Attack Sequence.

    Table 3. Attack Phase Columns (all attack phase columns are preselected for display)

    Intelligence Gathering: Attackers identify and research target individuals using public sources (for example, social media websites) and prepare a customized attack.
    Point of Entry: The initial compromise is typically zero-day malware delivered through social engineering (email, IM, or drive-by download). A backdoor is created and the network can now be infiltrated. Alternatively, a website exploitation or direct network hack may be used.
    C&C Communication: Command-and-control (C&C) communication is typically used throughout the attack, allowing the attacker to instruct and control the malware, exploit compromised machines, move laterally within the network, and exfiltrate data.
    Lateral Movement: Once inside the network, the attacker compromises additional machines to harvest credentials, escalate privileges, and maintain persistent control.
    Asset/Data Discovery: Several techniques (such as port scanning) are used to identify the noteworthy servers and the services that house the data of interest.
    Data Exfiltration: Once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed, and often encrypted for transmission to external locations under the attacker's control.
    Unknown Attack Phase: The detection was triggered by a rule that is not associated with an attack phase.

  6. To run a basic search, type an IP address or host name in the search text box, and then press ENTER or click the magnifying glass icon.

    By default, Deep Discovery Director (Consolidated Mode) searches Affected Hosts by IP Address and Host Name.

  7. To run a saved search, click the Saved Searches icon, and then select a saved search.

    Deep Discovery Director (Consolidated Mode) provides the following built-in saved searches:

    Table 4. Built-in Saved Searches (name: filter options)

    Hosts with Targeted Attack detections: Notable events in targeted attack
    Hosts with C&C Communication detections: Notable events in C&C communication
    Hosts with Lateral Movement detections: Notable events in lateral movement

  8. To create and apply an advanced search filter, click Advanced.

    For details, see Affected Hosts Advanced Search Filter.

  9. (Optional) Click the More icon beside Advanced, select Export, select a delimiter to use, and then click OK to export and download the currently filtered list of affected hosts to a CSV file with the chosen delimiter.
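    Once the filtered list has been exported (step 9), the built-in saved searches from Table 4 can be reproduced offline against the file, which is useful for a ticket or for correlating with other tooling. The following is an added Python example and is not part of Deep Discovery Director or its documentation. It assumes the export uses the column names shown in Tables 1 to 3, that the Targeted Attack and attack phase columns hold per-host detection counts, and that Latest Detection is formatted as YYYY-MM-DD HH:MM:SS; the sample rows are constructed, and the Host Severity values are placeholders rather than the product's real scale. The check on the three mandatory columns (IP Address, Host Severity, Latest Detection, which the console never lets you hide) doubles as a guard against parsing the file with the wrong delimiter.

```python
"""Offline triage of an Affected Hosts CSV export (added example, not product code)."""
import csv
import io
from datetime import datetime

# Columns the console never lets you hide (see the note under Table 1), so
# every export must contain them. Used as a sanity check on the delimiter.
REQUIRED_COLUMNS = ("IP Address", "Host Severity", "Latest Detection")

# Columns assumed to hold per-host detection counts. Names come from Table 2
# (Targeted Attack) and Table 3 (attack phases); count semantics is an
# assumption of this example.
COUNT_COLUMNS = (
    "Targeted Attack", "Intelligence Gathering", "Point of Entry",
    "C&C Communication", "Lateral Movement", "Asset/Data Discovery",
    "Data Exfiltration", "Unknown Attack Phase",
)

# The built-in saved searches of Table 4, expressed as "which count column
# must be non-zero" (assumed equivalence).
BUILTIN_SAVED_SEARCHES = {
    "Hosts with Targeted Attack detections": "Targeted Attack",
    "Hosts with C&C Communication detections": "C&C Communication",
    "Hosts with Lateral Movement detections": "Lateral Movement",
}

# Constructed sample export (not real data), written with ';' as the delimiter
# chosen in the Export dialog. Host Severity values are placeholders; the real
# scale is documented under Host Severity. Timestamp format is assumed.
SAMPLE_EXPORT = (
    "IP Address;Host Name;Network Group;Host Severity;Most Notable Threat;"
    "Latest Detection;" + ";".join(COUNT_COLUMNS) + "\n"
    "10.1.20.15;WS-FIN-015;Finance;High;Suspicious C&C callback;"
    "2024-03-04 09:12:33;1;0;1;3;0;0;0;0\n"
    "10.1.30.7;SRV-FILE-01;Servers;Medium;Lateral movement via SMB;"
    "2024-03-04 11:40:02;1;0;0;0;4;1;0;0\n"
    "10.1.50.200;WS-HR-200;HR;Low;Unknown rule hit;"
    "2024-03-03 17:05:45;0;0;0;0;0;0;0;2\n"
)


def load_export(text, delimiter=","):
    """Parse an export; reject it if the delimiter does not yield the mandatory columns."""
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    fields = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in fields]
    if missing:
        raise ValueError(
            f"missing columns {missing}: was the export delimiter really {delimiter!r}?")
    rows = []
    for row in reader:
        for col in COUNT_COLUMNS:
            if col in row:                      # column may have been hidden before export
                row[col] = int(row[col] or 0)
        row["Latest Detection"] = datetime.strptime(
            row["Latest Detection"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def run_saved_search(rows, name):
    """Replicate a built-in saved search: hosts with at least one detection in that column."""
    column = BUILTIN_SAVED_SEARCHES[name]
    return [r["IP Address"] for r in rows if r.get(column, 0) > 0]


def latest_first(rows):
    """IP addresses ordered by Latest Detection, newest first."""
    ordered = sorted(rows, key=lambda r: r["Latest Detection"], reverse=True)
    return [r["IP Address"] for r in ordered]


if __name__ == "__main__":
    hosts = load_export(SAMPLE_EXPORT, delimiter=";")
    for search in BUILTIN_SAVED_SEARCHES:
        print(search, "->", run_saved_search(hosts, search))
    print("Most recent activity:", latest_first(hosts))
```

    If you hid the attack phase columns before exporting, the corresponding saved-search equivalents return nothing, because the counts are simply not in the file; re-run the export with those columns displayed rather than trying to infer phases from Most Notable Threat.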