Indicator Scan Results

After scanning your Smart Protection Network data, the Early Warning app displays information about your organization's overall exposure to early attack indicators for a specific period.

The displayed information is influenced by the following factors:

  • Security features that are enabled on Trend Micro management servers that you have connected to Trend Micro Vision One

  • XDR sensors that you have installed and enabled in your environment

  • Attack campaigns monitored and analyzed by Trend Micro threat experts

The following table outlines the content available in each section.



Overall risk assessment

This section displays one of the following ratings:

  • High: Early indicators of one or more ongoing attack campaigns were found on your endpoints. Check the details of these endpoints and perform the recommended mitigation actions.

  • Low: No early attack indicators were found on your endpoints.


    Ratings are based on Smart Protection Network data that was scanned within a specific period. Your organization's rating may change when any of the following events occurs.

    • You connected more management servers to Trend Micro Vision One and enabled the required security features.
    • You installed and enabled XDR sensors.

    • Trend Micro added indicators or attack campaigns to the scan scope.

  • Unable to Analyze: The required security features are not enabled.

Total at-risk endpoints

This section displays the total number of endpoints with one or more early attack indicators. In this context, "endpoint" consists of desktops and servers. You can find the count and percent change for each category below the total.

Clicking the total opens another screen that displays the following details for each at-risk endpoint:

  • Endpoint GUID

  • Combined severity of the detected early attack indicators

  • Reasons behind the assigned severity

  • Actions that you can perform to mitigate risk

  • First time an early attack indicator was observed on the endpoint

Attack Progression Analysis

This section displays comparative line graphs for four attack phases that precede command-and-control communication. The graphs provide the following information:

  • How suspicious event counts from the last 14 days compare to your organization's baseline

  • Notable short-term or persistent changes to suspicious event counts (in the form of spikes or steps)

For more information, see Attack Progression Analysis.

Recommended Security Features

This section displays information about the following security features:

  • Predictive Machine Learning and Smart Feedback: You must enable these features to allow the Early Warning app to scan your Smart Protection Network data.

  • Other listed security features, including XDR sensors: Trend Micro recommends enabling these features to improve your overall security posture.

Attack Campaigns

This section displays information about attack campaigns that are monitored and analyzed by Trend Micro threat experts. You can use the information to identify other potentially compromised assets and to mitigate risk posed by each campaign.