Observed Attack Techniques

Displays the individual events detected in your environment that may trigger an alert and any related MITRE information.

Trend Vision One detects events through use of granular detection filters that make up the detection models that trigger alerts. Events that Trend Vision One lists on the Observed Attack Techniques screen do not necessarily result in a Workbench alert. You can use the data in the Trend Vision One app to further investigate Workbench alerts and evaluate individual detections.

The following table outlines the actions available in the Observed Attack Techniques app.



Filter event data

Use the Endpoint name field and drop-down lists to locate specific event data.

  • Risk level: The risk assigned to the detection filter as determined by Trend Micro threat experts


    Trend Micro experts continuously assess threats and may update the risk level of a detection at any time, based on the latest information available.

  • Detected: When the detection occurred

  • Detection filter: Select from Detection filter, Tactic ID, or Technique ID to locate specific filter or MITRE data

Create a Search query from filters

To create a query in Search based on your specified filters, click Query in Search app.

Hide detection filters from the list

If you receive a lot of detections on particular detection filters that do not interest you, you can temporarily hide the data for specific filters.

Right-click the unwanted Detection filter name and click Hide Value. After adding all unwanted filters to the Hidden objects list, click Apply to reload the screen.


You cannot save the Hidden objects list. If you leave the screen, the list resets.

View event in Search app

Click the View Event in Search icon () to open the Search app in a new tab and view more details.

View detailed information about an associated entity

Click the Show Detailed Profile icon () to open the Detailed Profile panel.

View more details

Expand any row to see more details related to the detection.