Review the summary | Trend Micro Service Central

Views:

Get an overview of the detected network events associated with the target node and associated objects.

The Summary displays the severity, number of detected internal hosts, number of indicators of compromise (IOCs), and attack patterns, as well as provides a high-level overview of the malicious activity of the correlated event.

SummaryBlurred=603c5501-f165-4ed2-b47a-31e726d31182.png — Network analytics summary

You can export the summary data as a CSV file or in a printer-friendly format. Click Export and choose the format you want to use.

Note

If you applied an advanced filter in the Correlation Graph, the exported report only contains the filtered information.

The summary includes various details about the network activity and provides actions you can take to investigate the event.

Detail

Description

Available actions

Severity

The severity assigned by Network Analytics to the event and related correlations.

Network Analytics uses a number of factors to assign severity, including proprietary analysis.

Internal Hosts and Indicators of Compromise detection count

The number of hosts within your network involved in the event and the number of indicators of compromise (IoCs) detected

Click the detection number and then click Copy to clipboard ( dddna_summary_detection_copy=GUID-4DE35BE5-57A5-4919-BF9C-5EC95F9CA8FD=1=en-us=Low.png

dddna_summary_detection_copy=GUID-4DE35BE5-57A5-4919-BF9C-5EC95F9CA8FD=1=en-us=Low.png

) to copy the list to your clipboard.

Attack patterns

The detected attack patterns for the suspicious object selected in Workbench.

Hover over an attack pattern to highlight only activities related to that attack pattern in the summary.

Activity summary

The activity summary is organized by attack pattern and provides the following information:

Protocols on which activities were detected.

Hosts involved in suspicious or malicious activity.

Activity might be between internal hosts and external servers or might include lateral activity between internal hosts.

Internal hosts are defined by the Network Group List in Network Resources.

Note

To provide an accurate analysis of correlation data, configure your Network Resource Lists.
By default, private networks are considered trusted and set internally as trusted. You only need to add non-private internet protocol (IP) addresses to the Network Group List.

Additional hosts that participated in the suspicious activity.
Additional suspicious objects when viewing correlation data for suspicious objects.

Hover over the details icon ( dddna_summary_ip_domain_button=GUID-45B7939C-DDB8-447B-8DEF-9F6055E5B75A=1=en-us=Low.png

) for an IP address or domain and select one of the following actions:

Focus: Focus on the item in the correlation graph.
Copy to clipboard: Copy the value to your clipboard.
Threat Connect: Open Trend Micro Threat Connect in a new browser tab with a query for this object.
DomainTools (WHOIS): Open DomainTools in a new browser tab with a query for this IP address or domain.
VirusTotal: Open VirusTotal in a new browser tab with a query for this object.