The Summary displays the severity, the number of detected internal hosts, the number of indicators of compromise (IOCs), and the attack patterns, and provides a high-level overview of the malicious activity of the correlated event.
Procedure
- Review the severity, detection counts, attack patterns, and activity summary.

  Severity: The severity assigned by Deep Discovery Director - Network Analytics to the event and related correlations. Deep Discovery Director - Network Analytics uses a number of factors to assign severity, including proprietary analysis.

  Internal Hosts and Indicators of Compromise detection count: The detection count numbers allow you to quickly determine the scope of the correlated event.

  Attack patterns: The attack patterns for the suspicious object selected in Trend Vision One.

  Activity summary: The activity summary is organized by attack pattern and provides the following information:

  - Protocols on which activities were detected.
  - Hosts involved in suspicious or malicious activity. Activity might be between internal hosts and external servers, or might include lateral activity between internal hosts. Internal hosts are defined by the Network Groups list.

    Note
    Deep Discovery Director - Network Analytics treats any internet protocol (IP) address or range in the Trusted Internal Networks list as part of the trusted internal network.
    - To provide an accurate analysis of correlation data, specify your internal networks and hosts in the Network Groups list.
    - By default, private networks are considered trusted and are set internally as trusted. You only need to add non-private IP addresses to the Network Groups list.
  - Additional hosts that participated in the suspicious activity.
  - Additional suspicious objects, when viewing correlation data for suspicious objects.
- Do any of the following actions for individual summary items:

  Internal Hosts detection number: Click the detection number and then click Copy to clipboard to copy the list to your clipboard.

  Indicators of Compromise detection number: Click the detection number and then click Copy to clipboard to copy the value to your clipboard.

  Attack patterns: Hover over an attack pattern to highlight only activities related to that attack pattern in the summary.

  IP addresses and domains: Hover over the IP address or domain and select one of the following:
  - Focus: Focus on the item in the Correlation Graph.
  - Copy to clipboard: Copy the value to your clipboard.
  - Threat Connect: Open Trend Micro Threat Connect in a new browser tab with a query for this object.
  - DomainTools (WHOIS): Open DomainTools in a new browser tab with a query for this IP address or domain.
  - VirusTotal: Open VirusTotal in a new browser tab with a query for this object.
- Click Export and select one of the following options to export the correlation data of this correlated event.
  - Printer-friendly: Displays your system's printer dialog. Select the appropriate options, then click Print.
  - CSV: Select a delimiter, then click Export to export and download the correlation data of this correlated event to a CSV file with the chosen delimiter.

    Note
    If you apply an advanced search filter, the exported file includes only the currently filtered correlation data.
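The note in the first step says that private networks are trusted by default and that only non-private addresses need to be added to the Network Groups list. The following script is an added example, not part of this documentation or of the product, that applies that rule to a constructed list of hosts copied from a summary: it separates the addresses that are already trusted because they fall in a private range (RFC 1918 and the IPv6 unique local range are assumed here as the meaning of "private") from the ones that still need a Network Groups entry. The host list and the network group `203.0.113.0/24` are constructed sample values.

```python
"""Find hosts from a correlated event summary that still need a Network Groups entry.

Added example (not product code). Assumes "private networks" means the
RFC 1918 IPv4 ranges plus the IPv6 unique local range fc00::/7.
"""
import ipaddress

# Constructed sample input: internal host addresses as they might be copied
# from the Internal Hosts detection list of a correlated event.
OBSERVED_HOSTS = [
    "10.1.4.22",
    "192.168.50.7",
    "172.16.8.9",
    "203.0.113.40",
    "198.51.100.12",
    "10.1.4.23",
    "203.0.113.40",  # duplicate on purpose; the list is de-duplicated below
]

# Constructed sample Network Groups list (CIDR ranges already configured).
NETWORK_GROUPS = ["203.0.113.0/24"]

# Ranges treated as trusted without any configuration (assumption, see above).
PRIVATE_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def is_trusted_by_default(address: str) -> bool:
    """True when the address lies in a private range and needs no entry."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_NETWORKS if net.version == ip.version)


def covered_by_network_groups(address: str, groups) -> bool:
    """True when an already-configured Network Groups range contains the address."""
    ip = ipaddress.ip_address(address)
    for cidr in groups:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def hosts_missing_from_network_groups(hosts, groups):
    """Return the non-private hosts not covered by any configured group.

    These are the addresses to add to the Network Groups list so that the
    correlation treats them as internal hosts. The result is de-duplicated
    and sorted numerically within each IP version.
    """
    missing = set()
    for host in hosts:
        if is_trusted_by_default(host) or covered_by_network_groups(host, groups):
            continue
        missing.add(host)
    return sorted(
        missing,
        key=lambda a: (ipaddress.ip_address(a).version, int(ipaddress.ip_address(a))),
    )


if __name__ == "__main__":
    for host in hosts_missing_from_network_groups(OBSERVED_HOSTS, NETWORK_GROUPS):
        print(f"add to Network Groups: {host}")
```

Run it after pasting the copied host list into OBSERVED_HOSTS and your configured ranges into NETWORK_GROUPS; whatever it prints is the set of addresses the correlation would otherwise treat as external.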