Features and Benefits

Each feature below is followed by the benefits it provides.

Alert notifications

When new alerts are detected, Trend Micro Vision One can send you an email notification. Also, as part of Trend Micro’s quality assurance process for threat detections, if our threat expert team identifies an alert in your environment that they believe to be critical or interesting, they will work with regional resources to help notify you directly. This does not occur for all alerts and is at the discretion of the threat expert team, as they do not review all alerts for all customers.

Correlated detection models

Advanced detection models written by Trend Micro threat researchers correlate low-level activities within or across security layers to find otherwise undiscovered attacks. The detection models, which generate the alert triggers, combine multiple rules and filters using a variety of analysis techniques, including data stacking and machine learning. You can turn individual models on or off as appropriate for your organization’s risk tolerance and preferences.

Workbench and alert triage

View a list of alerts (workbenches) and drill down for further visibility. A workbench holds the investigation results for a detection: there you can look at the execution profile, identify the scope of impact, and take response actions. This is where you prioritize and process alerts and track what has been done (new, in progress, closed).

Attack visualization

Quickly understand the story of an attack with an interactive visual representation of events. Advanced analysis is available with:

  • The Execution Profile Analysis view to see the threat actions within an endpoint, server, or cloud workload

  • Network Analysis to replay network communications and see details of an attacker’s command and control communications or lateral movement

Search/Threat hunting

Proactively search through endpoint, email, network, and cloud workload activity data (for example, telemetry, NetFlow, and metadata) using a simple query builder. Perform IoC sweeps or custom searches using multiple parameters, and narrow the results by adding further search criteria. From a search result, you can initiate a response or generate an Execution Profile. You can build, save, and reuse queries for basic threat hunting.

Built-in threat intelligence

Detect threats sooner by automatically sweeping your environment for indicators of compromise (IoCs) published by Trend Research. When there is a detection, the built-in threat intelligence can help identify the associated campaign, the target platform, and the associated MITRE ATT&CK™ TTPs, and can even provide links to related intelligence blog posts where available.

MITRE ATT&CK™ mapping

Mapping detected techniques to the MITRE ATT&CK framework helps organizations quickly understand and communicate what is happening in their environment. Hyperlinks in the workbench lead directly to the MITRE ATT&CK framework documentation for each technique.

Integrated response actions

Offers contextually aware response choices so that action can be taken quickly from within the platform. Start your response sooner by right-clicking objects in the workbench or in threat hunting search results. From one location, you can initiate and track endpoint, email, server, and network responses.

API integrations

A public API lets customers integrate with various SIEM and SOAR tools. Out of the box, Trend Micro Vision One provides a SIEM connector that pulls alerts into Splunk. Unlike regular syslog forwarding, this Splunk add-on calls the Trend Micro Vision One API to retrieve the list of alerts (workbenches). Analysts can click an alert from within Splunk and be taken to the associated workbench in the Trend Micro Vision One platform for additional visibility and investigation.

Software-as-a-Service solution

Trend Micro Vision One is hosted and managed in the cloud to take advantage of cloud computing technologies, so you do not have the overhead associated with managing local hardware.