Online Help Center Home
Privacy and Personal Data Collection Disclosure
- Pre-release Disclaimer
- Pre-release Sub-feature Disclaimer
Trend Vision One Data Privacy, Security, and Compliance
What's New
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- Release Notes
Introduction
- Trend Vision One
- Checking the Trend Vision One Service Status
  - SERVICE LEVEL OBJECTIVES FOR TREND VISION ONE (herein this “SLO”)
Getting Started
- Getting Started with Trend Vision One
- Getting Started with Vulnerability Assessment
Risk Insights
- Executive Dashboard
- Attack Surface Discovery
- Operations Dashboard
Dashboards and Reports
- Security Dashboard
  - Customizing the Security Dashboard
  - Protocol Groups in the Scanned Traffic Summary Widget
- Reports
XDR Threat Investigation
- Detection Model Management
- Workbench
  - Alert View
  - Incident View
    - Incident Details
      - Alerts (Incident View)
      - Incident-based Execution Profile
    - Assigning Incidents
- Search App
- Observed Attack Techniques
- Targeted Attack Detection
- Forensics
- Managed Services
- Companion
Threat Intelligence
- Campaign Intelligence
  - Threat Information Screen
- Intelligence Reports
- Suspicious Object Management
  - Suspicious Object List
  - Exception List
    - Adding Exceptions
- Sandbox Analysis
- Third-Party Intelligence
  - TAXII Feeds
    - Configuring a TAXII Feed
  - MISP Feeds
Workflow and Automation
- Security Playbooks
- Response Management
- Third-Party Integration
- API Automation Center
- Service Gateway Management
Zero Trust Secure Access
- Getting Started with Zero Trust Secure Access
- Secure Access Overview
- Secure Access Rules
- Secure Access Resources
- Secure Access History
- Secure Access Configuration
- Troubleshooting Zero Trust Secure Access
Assessment
- Cyber Risk Assessment
Endpoint Security Operations
- Endpoint Inventory 2.0
- Endpoint Inventory
  - Getting Started with XDR for Endpoints
  - Managing the Endpoint List in Endpoint Inventory 1.0
    - Endpoint List Settings in Endpoint Inventory 1.0
- Endpoint Policies
- Trend Cloud One - Endpoint & Workload Security
Endpoint Security Operations (for Standard Endpoint and Server & Workload Protection)
- Getting Started with Trend Vision One Endpoint Security
- Endpoint Inventory
- Standard Endpoint Protection
- Server & Workload Protection
Cloud Security Operations
- Trend Vision One Container Security
- XDR for Containers
  - Getting Started with XDR for Containers
Network Security Operations
- Network Inventory
- Network Intrusion Prevention
Email Security Operations
- Email Account Inventory
  - Email Sensor Management
Mobile Security Operations
- Getting Started with Mobile Security
- Using Mobile Security in Conjunction with MDM Solutions or Azure AD
- Using Mobile Device Director
Service Management
- Product Connector
  - Connecting a Product
  - Required Settings on Supported Products
- Product Instance
- Cloud Accounts
Administration
- User Accounts, Roles, and Single Sign-On (Legacy)
- User Accounts, Identity Providers, and User Roles (July 2023 update)
- Notifications
- Audit Logs
  - User Logs
    - User Log Data
  - System Logs
    - System Log Data
- Console Settings
- License Information
- Credit Usage
- Support Settings
  - Enabling Hypersensitive Mode
Getting Help and Troubleshooting
- Help and Support
  - Creating a Support Case
- Self-Diagnosis

Response Actions

Explore the response actions available to the Managed Services operations team.

Approval Not Required

The following response actions do not require your approval. The operations team is automatically authorized to perform these actions on your behalf:

Link or unlink Workbench alerts to or from incidents
Add exceptions in Suspicious Object Management
Add exceptions in Detection Model Management
Conduct memory dumps of processes running on endpoints

Note: Process memory dumps on endpoints require remote shell sessions, which you must approve. For instructions on auto approving operations team requests, see Configuring Response Approval Settings.

Automatically Approved

You can automate the approval of the following response action requests submitted by the operations team. For instructions on enabling auto approval of requests, see Configuring Response Approval Settings.

Table 1. Critical Actions
Response Action Name	Description
Add Objects to Block List	Adds supported objects such as File SHA-1, URL, IP address, or domain objects to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections
Run Trend Micro Investigation Kit	Deploys and executes the Trend Micro Investigation Kit on target endpoints
Terminate Process	Terminates the active process and allows you to terminate the process on all affected endpoints
Collect Suspicious File Sample	Compresses the selected file on the endpoint in a password-protected archive and then sends the archive to the Response Management app
Isolate Endpoint	Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product
Quarantine Email Message	Adds the email address to the Blocked Sender list in Cloud App Security and quarantines incoming messages
Disable User Account	Signs the user out of all active application and browser sessions of the user account. It may take a few minutes for the process to complete. Users are prevented from signing in any new session.

Table 2. Recommended Actions
Response Action Name	Description
Submit for Sandbox Analysis	Submits the selected file objects for automated analysis in a sandbox, a secure virtual environment
Start Remote Shell Session	Connects to monitored endpoints to remotely execute commands, custom scripts or process memory dumps for investigation
Run Remote Custom Script	Connects to a monitored endpoint and executes a previously uploaded PowerShell or Bash script file
Collect Network Analysis Package	Compresses the selected network analysis package (including an investigation package, a PCAP file, and a selected file detected by the network appliance) in a password-protected archive and then sends the archive to the Response Management app
Configure and Deploy TippingPoint Filter Policy	Configures TippingPoint virtual patching filter policies in Network Intrusion Prevention and applies the policies on TippingPoint SMS profiles to mitgate CVE risks