Custom Intelligence

Trend Micro Vision One allows you to build custom intelligence by importing your own reports and retrieving data from third-party intelligence sources.

The following table outlines the actions available on the Custom screen.

Action

Description

Filter intelligence reports

Use the search text box and the following drop-down lists to filter custom intelligence reports:

  • Last updated: The last date and time Trend Micro Vision One received the reports

  • View: The option to show only specific reports or all reports

  • Source: The source where the reports came from

Add intelligence reports

Click Add and choose to import CSV and STIX files, or to retrieve data from third-party intelligence sources, as custom intelligence reports.

When importing CSV and STIX files, you can choose to extract suspicious object information, select a risk level, specify actions that connected products apply upon detection, and select an expiration option for the extracted objects.

Note:

The CSV files you import will be converted into STIX intelligence reports. Trend Micro Vision One supports converting the following types of indicators from CSV files into STIX patterns:

  • Domain

  • File (SHA-1, SHA-256, MD5)

  • IP address

  • Process (command line)

  • Sender address (email address)

  • URL

  • User account
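The following script is an added example of the kind of CSV-to-STIX conversion the note above describes; it is not Trend Micro's converter and makes no claim about the column layout or pattern text Trend Micro Vision One produces. It assumes a two-column CSV (a "type" column naming one of the seven indicator kinds listed above and a "value" column) and emits STIX 2.1 indicator objects using the standard cyber-observable types (domain-name, file hashes, ipv4-addr/ipv6-addr, process, email-addr, url, user-account). The sample CSV is constructed for illustration. Rows that cannot be mapped (unrecognised hash length, malformed IP, unknown type) are not silently dropped but reported back, which is the behaviour a reviewer of an imported feed wants.

```python
import csv
import io
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample feed (not from the product). Column "type" names the
# indicator kind, column "value" holds the indicator itself. The final row
# is deliberately malformed to show how skipped rows are reported.
SAMPLE_CSV = r"""type,value
domain,malicious.example
file,d41d8cd98f00b204e9800998ecf8427e
file,DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
ip,192.0.2.10
ip,2001:db8::1
process,cmd.exe /c dir C:\Temp\it's-here
sender,phish@example.net
url,http://malicious.example/payload
user_account,svc-backup
file,not-a-hash
"""

# Hash algorithm inferred from hex-digest length (assumption: the CSV does
# not carry an explicit algorithm column, so length is the only signal).
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def _lit(value: str) -> str:
    """Quote a value as a STIX pattern string literal (escape \\ and ')."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def csv_row_to_pattern(kind: str, value: str) -> str:
    """Map one CSV row to a STIX 2.1 comparison expression; ValueError if unmappable."""
    kind = kind.strip().lower()
    value = value.strip()
    if not value:
        raise ValueError("empty indicator value")
    if kind == "domain":
        return f"[domain-name:value = {_lit(value)}]"
    if kind == "file":
        algo = HASH_LENGTHS.get(len(value))
        if algo is None or not HEX_RE.match(value):
            raise ValueError(f"unsupported hash: {value!r}")
        return f"[file:hashes.'{algo}' = {_lit(value.lower())}]"
    if kind == "ip":
        addr = ipaddress.ip_address(value)  # raises ValueError on malformed input
        obj = "ipv4-addr" if addr.version == 4 else "ipv6-addr"
        return f"[{obj}:value = {_lit(str(addr))}]"
    if kind == "process":
        return f"[process:command_line = {_lit(value)}]"
    if kind == "sender":
        return f"[email-addr:value = {_lit(value)}]"
    if kind == "url":
        return f"[url:value = {_lit(value)}]"
    if kind == "user_account":
        return f"[user-account:account_login = {_lit(value)}]"
    raise ValueError(f"unsupported indicator type: {kind!r}")


def csv_to_stix(csv_text: str, now=None):
    """Return (stix_bundle_dict, skipped_rows) for the given CSV text.

    skipped_rows is a list of (csv_line_number, reason) so an analyst can see
    exactly which indicators were not converted instead of losing them silently.
    """
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    indicators, skipped = [], []
    # Line 1 is the header, so data rows are numbered from 2.
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        try:
            pattern = csv_row_to_pattern(row["type"], row["value"])
        except (ValueError, KeyError) as exc:
            skipped.append((lineno, str(exc)))
            continue
        indicators.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": stamp,
            "modified": stamp,
            "name": f"{row['type'].strip()}: {row['value'].strip()}",
            "pattern": pattern,
            "pattern_type": "stix",
            "valid_from": stamp,
        })
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": indicators}
    return bundle, skipped


if __name__ == "__main__":
    bundle, skipped = csv_to_stix(SAMPLE_CSV)
    print(json.dumps(bundle, indent=2))
    for lineno, reason in skipped:
        print(f"skipped CSV line {lineno}: {reason}")
```

Running the script prints the bundle and then reports the malformed last row as skipped. Whether a platform rejects, skips or flags such rows is platform-specific; the point of returning them is that an import of a large feed should never make a bad indicator disappear unnoticed.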

Extract suspicious objects from intelligence reports

Select one or more intelligence reports and click Extract Suspicious Objects. Configure the risk level, action, and expiration settings and click Submit.

Delete intelligence reports

Select one or more intelligence reports and click Delete.

Take additional actions

Click the options button at the end of the row and choose to take additional actions on the intelligence report:

  • Download STIX Intelligence Report: Click to download the report locally into a STIX file.

  • Start Sweeping: Click to trigger a Manual Sweeping task to search your environment for threat indicators.

  • Start Sweeping (STIX-Shifter): Click to trigger a Manual Sweeping task to search other data sources you have configured in Third-Party Integration for threat indicators using STIX-Shifter.

    For more information about STIX-Shifter connection settings, see Third-Party Integration.

  • Extract Suspicious Objects: Click to extract suspicious objects from the current intelligence report. Configure the risk level, action, and expiration settings and click Submit.

Check the indicator count and matches

Under Indicators for sweeping, check the number of indicators that can be used for sweeping from the intelligence report.

Under Matched sweeps, check the number of tasks that have indicator matches and the total number of sweeping tasks that have been created.

View sweeping task details

Click the right arrow at the beginning of the row to expand sweeping tasks and check the basic information about each task.

To further explore the tasks that have indicator matches, do the following:

  • Click the links under Related links to open Workbench alerts or download sweeping results.

  • Click the Details icon to check matched indicators and associated entities of the tasks.