Views:

Get an overview of the detected network events associated with the target node and its related objects.

The Summary displays the severity, the number of detected internal hosts, the number of indicators of compromise (IoCs), and the detected attack patterns, and provides a high-level overview of the malicious activity in the correlated event.
Network analytics summary
You can export the summary data as a CSV file or in a printer-friendly format. Click Export and choose the format you want to use.
Note
If you applied an advanced filter in the Correlation Graph, the exported report only contains the filtered information.
The summary includes various details about the network activity and provides actions you can take to investigate the event.

Detail: Severity
Description: The severity that Network Analytics assigns to the event and its related correlations. Network Analytics uses a number of factors to assign severity, including proprietary analysis.
Available actions: None.

Detail: Internal Hosts and Indicators of Compromise detection count
Description: The number of hosts within your network involved in the event and the number of indicators of compromise (IoCs) detected.
Available actions: Click the detection number and then click Copy to clipboard to copy the list to your clipboard.

Detail: Attack patterns
Description: The attack patterns detected for the suspicious object selected in Workbench.
Available actions: Hover over an attack pattern to highlight only the activities related to that attack pattern in the summary.

Detail: Activity summary
Description: The activity summary is organized by attack pattern and provides the following information:
  • Protocols on which activities were detected.
  • Hosts involved in suspicious or malicious activity.
    Activity might be between internal hosts and external servers, or might include lateral activity between internal hosts.
    Internal hosts are defined by the Network Group List in Network Resources.
    Note
    • To provide an accurate analysis of correlation data, configure your Network Resource Lists. If a host your organization owns is not covered by the lists, Network Analytics treats it as an external server, and traffic to it is reported as external rather than lateral activity.
    • By default, private IP address ranges are treated as trusted internal networks. You only need to add the public (non-private) IP addresses that belong to your network to the Network Group List.
  • Additional hosts that participated in the suspicious activity.
  • Additional suspicious objects, when viewing correlation data for suspicious objects.
Available actions: Hover over the details icon for an IP address or domain and select one of the following actions:
  • Focus: Focus on the item in the correlation graph.
  • Copy to clipboard: Copy the value to your clipboard.
  • Threat Connect: Open Trend Micro Threat Connect in a new browser tab with a query for this object.
  • DomainTools (WHOIS): Open DomainTools in a new browser tab with a query for this IP address or domain.
  • VirusTotal: Open VirusTotal in a new browser tab with a query for this object.
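The following is an added example, not code from the product or this page. It models the internal-host rule described above (private ranges trusted by default, plus whatever you add to the Network Group List) and shows how an unconfigured list changes what the summary reports: the same flow from a workstation to an organization-owned public address is classified as outbound-to-external until that public range is added, after which it is correctly reported as lateral activity. The RFC 1918 list, the CIDR format for Network Group List entries, the `classify_flow`/`summarize` helpers and the sample flows are all assumptions made for the example.

```python
import ipaddress
from collections import Counter
from typing import Iterable, List, Tuple

# Assumed stand-in for "private networks are trusted by default": the RFC 1918
# ranges. The product's internal definition is not published on this page.
DEFAULT_PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def build_internal_networks(network_group_list: Iterable[str]) -> list:
    """Merge the default private ranges with the operator's Network Group List.

    Entries are assumed to be CIDR strings; a single host can be given as 'a.b.c.d/32'.
    """
    networks = list(DEFAULT_PRIVATE_NETWORKS)
    for entry in network_group_list:
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_internal(ip: str, internal_networks) -> bool:
    """True if the address falls inside any trusted internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_networks)


def classify_flow(src: str, dst: str, internal_networks) -> str:
    """Label a flow by which side is internal.

    'lateral'  = internal -> internal (what the summary calls lateral activity)
    'outbound' = internal -> external server
    'inbound'  = external -> internal host
    'external' = neither side is in a trusted range
    """
    src_int = is_internal(src, internal_networks)
    dst_int = is_internal(dst, internal_networks)
    if src_int and dst_int:
        return "lateral"
    if src_int:
        return "outbound"
    if dst_int:
        return "inbound"
    return "external"


def summarize(flows: Iterable[Tuple[str, str]], internal_networks):
    """Return (flow counts by class, sorted list of distinct internal hosts).

    The second value mirrors the summary's internal-host count: only addresses
    inside a trusted range are counted as hosts within your network.
    """
    counts = Counter()
    internal_hosts = set()
    for src, dst in flows:
        counts[classify_flow(src, dst, internal_networks)] += 1
        for ip in (src, dst):
            if is_internal(ip, internal_networks):
                internal_hosts.add(ip)
    return dict(counts), sorted(internal_hosts, key=ipaddress.ip_address)


# Constructed sample flows (not real detections). 203.0.113.0/24 is a
# documentation range standing in for a public /24 the organization owns.
SAMPLE_FLOWS = [
    ("192.168.1.5", "203.0.113.10"),   # workstation -> org-owned public DMZ host
    ("192.168.1.5", "192.168.1.20"),   # workstation -> workstation
    ("203.0.113.10", "198.51.100.7"),  # DMZ host -> external server
    ("198.51.100.7", "192.168.1.20"),  # external server -> workstation
]

if __name__ == "__main__":
    cases = (("no Network Group List", []),
             ("203.0.113.0/24 added", ["203.0.113.0/24"]))
    for label, group_list in cases:
        counts, hosts = summarize(SAMPLE_FLOWS, build_internal_networks(group_list))
        print(f"{label}: {counts}; internal hosts = {hosts}")
```

With an empty list the DMZ host is invisible as an internal host and the workstation-to-DMZ flow is reported as outbound; once the owned public range is added, it becomes lateral and the DMZ host appears in the internal-host count. The same misclassification would carry into the exported CSV, which is why the note above asks you to configure the Network Resource Lists before relying on the correlation data.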