Local response filters

Local response filters (Agentic SIEM & XDR → Detection Model Management → Local response filters) are detection filters that can be deployed on Windows endpoints. A process can be terminated locally when a local response filter is matched, shortening MTTD and improving overall usability. TrendAI Vision One™ uses filters to detect security events which appear in Observed Attack Techniques, allowing you to transform event detection into a complete threat monitoring workflow.

To add local response filters, go to Agentic SIEM & XDR → Observed Attack Techniques and expand any associated entity. Right-click a detection filter name and select Add filter to local response.

To view and configure local response filters connected to existing endpoint security policies, go to Endpoint Security Configuration → Endpoint Security Policies → Policies. Click a policy name and then XDR for Endpoints (EDR) to view a list of local response filters related to the selected endpoint policy.