Curated Intelligence

Trend Micro gathers and integrates curated threat intelligence from internal and external sources.

The following table outlines the actions available on the Curated screen.



Filter intelligence reports

Use the search text box and the following drop-down lists to filter curated intelligence reports:

  • Last updated: The last date and time Trend Micro Vision One received the reports

  • View: The option to show only specific reports or all reports

  • Source: The source where the reports came from

Turn on Auto Sweeping

Click Auto Sweeping and turn on Auto Sweeping for certain sources.

After you turn on Auto Sweeping for a source type, Trend Micro Vision One generates a scheduled sweep and runs the sweep once every day for 7 consecutive days to search your environment for threat indicators based on incoming new reports from the selected source.


The auto-sweeping paused icon () indicates that the report has produced potential false positives and is currently being analyzed by Trend Micro threat experts. If false positives are confirmed, the IoCs that caused the false positives may be revoked from the report or added to global exceptions before restarting the sweep.

View campaign details

Click the Campaign links to learn about the threat campaign associated with each report.

View source details

Click the Source links to check details about the source of each report.

On the Source Details panel, turn on Auto Sweeping for the current source.

Take additional actions

Click the options button () at the end of the row and choose to take additional actions on the intelligence report:

  • Trend Micro Research: Click to access related blogs or articles from Trend Micro.

  • External Reference: Click to access related blogs or articles from third parties.

  • Download STIX Intelligence Report: Click to download the report locally into a STIX file.


    If the report download option is not available, it indicates that the report file cannot be distributed externally as classified by the Traffic Light Protocol (TLP).

  • Start Sweeping: Click to trigger a Manual Sweeping task to search your environment for threat indicators.

  • Start Sweeping (STIX-Shifter): Click to trigger a Manual Sweeping task to search other data sources you have configured in Third-Party Integration for threat indicators using STIX-Shifter.

    For more information about STIX-Shifter connection settings, see Third-Party Integration.

Check matched sweeps

Under Matched sweeps, check the number of tasks that have indicator matches and the total number of sweeping tasks that have been created. For example, the message 1 out of 7 means one sweeping task has indicator matches among a total of seven sweeping tasks.


The message 0 out of 0 indicates that no sweeping task has been triggered.

In addition, Trend Micro Vision One defines a 180-day data retention period for the sweeping task history. The message underMatched sweeps will be reset to 0 out of 0 once the retention period expires.

View sweeping task details

Click the right arrow () at the beginning of the row to expand sweeping tasks and check the basic information about each task.

To further explore the tasks that have indicator matches, do the following:

  • Click the links under Related links to open Workbench alerts or download sweeping results.

  • Click the Details icon () to check matched indicators and associated entities of the tasks.