Create a custom filter | Trend Micro Service Central

Views:

Define a custom filter with specific settings to detect events in your environment based on your criteria.

Go to XDR Threat Investigation → Detection Model Management → Custom Filters → Create new filter.
Specify the general settings of the filter:
- Filter name
- Description
- Severity
  
  A severity of medium, high, or critical affects the Cyber Risk Index on the Cyber Risk Overview and Threat and Exposure Management. When testing or tuning a model, select low to avoid affecting indexes.
Specify the event settings of the filter:
1. Select an event type.
2. If you select THIRD_PARTY_LOG, specify the vendor associated with the event you want to detect. Otherwise select an event ID.
3. Specify a query to locate the target events in the activity data.
  
  For more information about formatting filter queries, see Filter query format and Use regex in custom filters.
4. Validate the query by clicking Validate Query.
  
  If the query is valid, you can click Preview Search Results to see the search results your query returns.
5. Specify up to 10 custom tags.
  
  Custom tags help you identify events detected by custom filters in Workbench, Observed Attack Techniques, and Search.
  
  Tags can be up to 64 characters long.
Click Save.

Trend Vision One saves and enables the custom filter. This action might require a few minutes before taking effect.

You can use custom filters to create detection models that generate Workbench alerts based on your detections.