Custom Intelligence

Trend Vision One allows you to build custom intelligence by importing your own reports and retrieving data from third-party intelligence sources.

The following table outlines the actions available on the Custom screen.

Action

Description

Filter intelligence reports

Use the search text box and the following drop-down lists to filter custom intelligence reports:

  • Last updated: The last date and time Trend Vision One received the reports

  • View: The option to show only specific reports or all reports

  • Source: The source where the reports came from

Add intelligence reports

Click Add and choose to import CSV and STIX files or retrieve data from third-party intelligence as custom intelligence reports.

When importing CSV and STIX files, you can choose to extract suspicious object information, select a risk level, specify actions that connected products apply upon detection, and select an expiration option for the extracted objects.

Note:

The CSV files you import will be converted into STIX intelligence reports. Trend Vision One supports converting the following types of indicators from CSV files into STIX patterns:

  • Domain

  • File (SHA-1, SHA-256, MD5)

  • File name

  • IP address

  • Process (command line)

  • Sender address (email address)

  • URL

  • User account

Extract suspicious objects from intelligence reports

Select one or more intelligence reports and click Extract Suspicious Objects. Finish the risk level, action, and expiration settings and click Submit.

Delete intelligence reports

Select one or more intelligence reports and click Delete.

Take additional actions

Click the options button () at the end of the row and choose to take additional actions on the intelligence report:

  • Download STIX Intelligence Report: Click to download the report locally into a STIX file.

  • Start Sweeping: Click to trigger a Manual Sweeping task to search your environment for threat indicators.

  • Configure Auto Sweeping: Click to turn on and specify the period to run Auto Sweeping for the current report and click Submit.

  • Extract Suspicious Objects: Click to extract suspicious objects from the current report. Finish the risk level, action, and expiration settings and click Submit.

  • Start Sweeping (STIX-Shifter): Click to trigger a Manual Sweeping task to search other data sources you have configured in Third-Party Integration for threat indicators using STIX-Shifter.

    For more information about STIX-Shifter connection settings, see Third-Party Integration.

Check the indicator count and matches

Under Indicators for sweeping, check the number of indicators that can be used for sweeping from the intelligence report.

Under Matched sweeps, check the number of tasks that have indicator matches and the total number of sweeping tasks that have been created. For example, the message 1 out of 7 means one sweeping task has indicator matches among a total of seven sweeping tasks.

Note:

The message 0 out of 0 indicates that no sweeping task has been triggered.

In addition, Trend Vision One defines a 180-day data retention period for the sweeping task history. The message underMatched sweeps will be reset to 0 out of 0 once the retention period expires.

View sweeping task details

Click the right arrow () at the beginning of the row to expand sweeping tasks and check the basic information about each task.

To further explore the tasks that have indicator matches, do the following:

  • Click the links under Related links to open Workbench alerts or download sweeping results.

  • Click the Details icon () to check matched indicators and associated entities of the tasks.
Parent topic: Intelligence Reports