Observed Attack Techniques | Trend Micro Service Central

Views:

Review the individual events detected in your environment that might trigger a Workbench alert.

Trend Vision One detects events through use of granular predefined or custom detection filters that make up the detection models that trigger alerts. Events that Trend Vision One lists on Observed Attack Techniques might not result in a Workbench insight or Workbench alert. You can use the data in the Trend Vision One app to further investigate Workbench insights and evaluate individual detections.

The following table outlines the actions available in the Observed Attack Techniques app:

Action

Description

Filter event data

Use the lists to locate specific event data.

Risk level: The risk assigned to the detection filter as determined by Trend Micro threat experts

Trend Micro experts continuously assess threats and may update the risk level of a detection at any time based on the latest information available.
Detected: When the detection occurred
Data source / processor: The product that detected the event
Detection filter: Select from Detection filter, Tactic ID, or Technique ID to locate specific filter or MITRE data

You can also search by endpoint or container name in the search bar.

Create a Search query from filters

To create a query in Search based on your specified filters, click Query in Search app.

Hide detection filters from the list

If you receive a lot of detections on particular detection filters that do not interest you, you can temporarily hide the data for specific filters.

Right-click the unwanted Detection filter name and click Hide Value. After adding all unwanted filters to the Hidden objects list, click Apply to reload the list.

Note

You cannot save the Hidden objects list. If you leave the Observed Attack Techniques, the list resets.

View event details in Search app

Locate an event, click the options icon ( options=ddb0b67f-0654-4aa5-8bc7-48ec554c5448.png

) at the end of the row and select View Event in Search to open the Search app in a new browser tab.

Add event to case

Locate an event, click the options icon ( options=ddb0b67f-0654-4aa5-8bc7-48ec554c5448.png

) at the end of the row and select Add to Case to add the event as evidence of a case.

Add event to Workbench insight

Locate and right-click an event, then select Add to Workbench Insight.

Adding events to Workbench insights updates the insight information, including impact scope and highlighted object.

View detailed information about an associated entity

Click the Show Detailed Profile icon ( details_icon=f45ada04-b746-40a7-a5f4-2166c059213c.png

) to view detailed information about the associated entity.

View more details

Expand any row to see more details related to the detection and associated entities.

Chat with Trend Companion

Click to start a conversation with Trend Companion.
Right-click a CLI command element (parentCmd, processCmd, and objectCmd) and choose Explain Command to learn about the commands executed in an event.
To learn about an event, you can right-click an event or click and choose Explain Event. Trend Companion cannot explain events that only contain custom filters.