Online Help Center Home
Privacy and Personal Data Collection Disclosure
- Pre-release Disclaimer
- Pre-release Sub-feature Disclaimer
Trend Vision One Data Privacy, Security, and Compliance
What's New
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- Release Notes
Introduction
- Trend Vision One
- Checking the Trend Vision One Service Status
  - SERVICE LEVEL OBJECTIVES FOR TREND VISION ONE (herein this “SLO”)
Getting Started
- Getting Started with Trend Vision One
- Getting Started with Vulnerability Assessment
Risk Insights
- Executive Dashboard
- Attack Surface Discovery
- Operations Dashboard
Dashboards and Reports
- Security Dashboard
  - Customizing the Security Dashboard
  - Protocol Groups in the Scanned Traffic Summary Widget
- Reports
XDR Threat Investigation
- Detection Model Management
- Workbench
  - Alert View
  - Incident View
    - Incident Details
      - Alerts (Incident View)
      - Incident-based Execution Profile
    - Assigning Incidents
- Search App
- Observed Attack Techniques
- Targeted Attack Detection
- Forensics
- Managed Services
- Companion
Threat Intelligence
- Campaign Intelligence
  - Threat Information Screen
- Intelligence Reports
- Suspicious Object Management
  - Suspicious Object List
  - Exception List
    - Adding Exceptions
- Sandbox Analysis
- Third-Party Intelligence
  - TAXII Feeds
    - Configuring a TAXII Feed
  - MISP Feeds
Workflow and Automation
- Security Playbooks
- Response Management
- Third-Party Integration
- API Automation Center
- Service Gateway Management
Zero Trust Secure Access
- Getting Started with Zero Trust Secure Access
- Secure Access Overview
- Secure Access Rules
- Secure Access Resources
- Secure Access History
- Secure Access Configuration
- Troubleshooting Zero Trust Secure Access
Assessment
- Cyber Risk Assessment
Endpoint Security Operations
- Endpoint Inventory 2.0
- Endpoint Inventory
  - Getting Started with XDR for Endpoints
  - Managing the Endpoint List in Endpoint Inventory 1.0
    - Endpoint List Settings in Endpoint Inventory 1.0
- Endpoint Policies
- Trend Cloud One - Endpoint & Workload Security
Endpoint Security Operations (for Standard Endpoint and Server & Workload Protection)
- Getting Started with Trend Vision One Endpoint Security
- Endpoint Inventory
- Standard Endpoint Protection
- Server & Workload Protection
Cloud Security Operations
- Trend Vision One Container Security
- XDR for Containers
  - Getting Started with XDR for Containers
Network Security Operations
- Network Inventory
- Network Intrusion Prevention
Email Security Operations
- Email Account Inventory
  - Email Sensor Management
Mobile Security Operations
- Getting Started with Mobile Security
- Using Mobile Security in Conjunction with MDM Solutions or Azure AD
- Using Mobile Device Director
Service Management
- Product Connector
  - Connecting a Product
  - Required Settings on Supported Products
- Product Instance
- Cloud Accounts
Administration
- User Accounts, Roles, and Single Sign-On (Legacy)
- User Accounts, Identity Providers, and User Roles (July 2023 update)
- Notifications
- Audit Logs
  - User Logs
    - User Log Data
  - System Logs
    - System Log Data
- Console Settings
- License Information
- Credit Usage
- Support Settings
  - Enabling Hypersensitive Mode
Getting Help and Troubleshooting
- Help and Support
  - Creating a Support Case
- Self-Diagnosis

Creating a Custom Model

Create a custom model to define the specific events that you want to trigger Workbench alerts.

Note:

This feature is not yet available in all regions.

Custom models are composed of basic information, the user-defined custom filter, and other parameters, such as the number of events required to trigger an alert and how often the filter query is applied to your activity data.

Note:

You can create a maximum of 50 custom models.

From XDR Threat Investigation > Detection Model Management, click the Custom Models tab and then click Add.
Specify the General settings.
1. Type the Model name to identify the model on the Custom Models tab.
2. Type the Description.
  Note:
  You can view the description in the details panel that appears when you click the model name in the custom models list.
3. Select the Severity of the model.
  Note:
  Selecting a severity of Medium or higher affects the Risk Index in Executive Dashboard and Operations Dashboard. During testing and tuning of the model, select a severity of Low to avoid inadvertently affecting your indexes.
Specify Event filtering settings.
Note:
Currently, only a single event filter is supported. The option to specify multiple filters is coming soon.
1. Select a custom filter in the Filter name drop-down menu.
  Selecting Create custom filter opens the Custom Filter Settings screen in a new browser tab. After creating the new custom filter, return to the previous browser tab and select the filter.
  
  For more information, see Creating a Custom Filter.
2. Specify the Threshold to determine the number of events that must occur to trigger an alert.
  Note:
  The threshold must be a positive integer greater than 0.
Specify the Event Grouping.
- Company: Trigger an event when the threshold is met anywhere in your organization.
- Endpoint: Trigger an event when the threshold is met and associated with a single endpoint.
  
  Note:
  Only the 10 endpoints with the most matched events will be included in the event.
- User account: Trigger an event when the threshold is met and associated with a single user account.
Note:
To reduce alert fatigue, Workbench alerts only include the top targets with matched events. For example, if you group by Endpoint, alerts will include only the top 10 endpoints with the highest number of matched events.
Specify the query Schedule.
1. Select the Frequency to determine how often the filter queries the activity data.
2. Specify the Period to determine the span of time that is queried each time the filter is run.
  Note:
  If you specify a period that is greater than the frequency, it will cause the filter to be applied to previously queried data. This can lead to the same event appearing in multiple alerts.
3. Select the Status whether to enable the custom detection model after saving the settings.
Click Save.

When enabled, the custom model continuously searches for matched events.

Tip:

The custom model triggers an alert when an event occurs the number of times specified by the threshold, within the event grouping, and according to the configured schedule. For example, you specify a threshold of 5, group by Endpoint, the period is Last 1 hour, and a frequency of 15 minutes. Every 15 minutes when the filter queries the activity data, an alert would be triggered if the event specified by your custom filter occurs five times on a single endpoint during a one-hour period of queried activity data.