Suspicious Object List

Trend Vision One consolidates suspicious object information based on input from different sources.

A suspicious object is a known malicious or potentially malicious domain, file SHA-1, file SHA-256, IP address, sender address, or URL.

You can add suspicious objects to the list manually or through extraction from third-party intelligence. In addition, Sandbox adds suspicious objects to the list when it determines possible threats for consolidation and synchronization. Sandbox assigns a risk level based on analysis results.

Note:

For suspicious objects added through third-party intelligence and manual operations, the maximum limit is 10,000 for each object type. For suspicious objects from Sandbox, the maximum limit is 25,000 for each object type.

When the number of suspicious objects exceeds the maximum, the objects that are closest to the expiration date will be removed. You can further check the newly added or imported objects on the Suspicious Object List screen.
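
A pre-import check built on the limits in the note above, as an added example that is not part of the product or its documentation: it groups indicators by the six object types and lists which entries would be removed first if a type exceeds 10,000. The type-detection heuristics, the names `classify` and `plan_import`, and the treatment of never-expire objects as the last to be removed are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import date

# Per-type limit this page states for manual and third-party objects.
MANUAL_LIMIT_PER_TYPE = 10_000

def classify(value):
    """Heuristic type detection (an assumption, not the product's parser)."""
    v = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]{40}|[0-9a-fA-F]{64}", v):
        return "file SHA-1" if len(v) == 40 else "file SHA-256"
    try:
        ipaddress.ip_address(v)
        return "IP address"
    except ValueError:
        pass
    if re.match(r"(?i)https?://", v):
        return "URL"
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v):
        return "sender address"
    if re.fullmatch(r"(?i)([a-z0-9-]+\.)+[a-z]{2,}", v):
        return "domain"
    return None

def plan_import(existing, incoming, limit=MANUAL_LIMIT_PER_TYPE):
    """Each item is (value, expiry date, or None for never expire).
    Returns (unclassifiable values, {type: values removed first})."""
    by_type, rejected = defaultdict(list), []
    for value, expiry in existing + incoming:
        kind = classify(value)
        if kind is None:
            rejected.append(value)
        else:
            # Assumption: never-expire entries are furthest from expiration.
            by_type[kind].append((expiry or date.max, value))
    evicted = {}
    for kind, items in by_type.items():
        overflow = len(items) - limit
        if overflow > 0:
            items.sort()  # closest to expiration first
            evicted[kind] = [v for _, v in items[:overflow]]
    return rejected, evicted

# Constructed sample data (documentation address range); use limit=3 to test.
SAMPLE_EXISTING = [("192.0.2.1", date(2030, 1, 10)), ("192.0.2.2", None),
                   ("192.0.2.3", date(2030, 3, 1))]
SAMPLE_INCOMING = [("192.0.2.4", date(2030, 2, 1)), ("not an indicator", None)]
```

Calling `plan_import(SAMPLE_EXISTING, SAMPLE_INCOMING, limit=3)` shows the entry with the nearest expiration date being dropped, which is the case to review before importing a large feed next to short-lived Block/Quarantine entries.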

The following table outlines the actions available on the Suspicious Object List screen.

Action

Description

Filter object data

Use the Object or Description field and the following drop-down lists to locate specific object data:

  • Last updated: The time range during which a suspicious object was last updated

  • Object type: The type of a suspicious object, such as domain, file SHA-1, file SHA-256, IP address, sender address, and URL

  • Source: The source where a suspicious object was added

Add or import suspicious objects

Click Add to open the Add Suspicious Object screen.


View or edit object details

Click any object name in the Object column to open the details panel. View the object settings and make changes if necessary.

Manage suspicious objects

Manage one or multiple suspicious objects. Options include:

  • Delete objects: Select unwanted objects and click Delete.

  • Change the applied action: Select objects and choose Log or Block/Quarantine.

  • Change expiration settings: Select objects and click Set to Never Expire.

  • Add one or multiple objects as exceptions: Click the options icon on an object and click Add to Exception List, or select one or more objects and click Add to Exception List.

  • Search an object: Click the options icon on the object and click New Search: match field and value.

Configure default settings

Click the Default Settings icon in the upper-right corner. In the Default Settings dialog box, specify the default actions to take on different types of objects at each risk level and the expiration settings for the objects.

Click Default Settings in the upper-right corner.

  • Specify the default actions to take on different types of objects

  • Specify expiration settings for objects

  • Select labels of suspicious objects to be added to the list

Note:

For objects from Sandbox, the default actions apply. For objects from other sources, the default settings apply if you have not specified action or expiration settings.

Export object data

Click the export icon in the upper-right corner to export the object data into a CSV file.

Refresh object data

Click the refresh icon in the upper-right corner to display the latest object data.