The Summary displays the severity, the number of detected internal hosts, the number of indicators of compromise (IOCs), and the attack patterns, and provides a high-level overview of the malicious activity in the correlated event.

Procedure

  1. Review the severity, detection counts, attack patterns, and activity summary.
    Severity
    The severity assigned by Deep Discovery Director - Network Analytics to the event and related correlations.
    Deep Discovery Director - Network Analytics uses a number of factors to assign severity, including proprietary analysis.
    Internal Hosts and Indicators of Compromise detection count
    The detection count numbers allow you to quickly determine the scope of the correlated event.
    Attack patterns
    The attack patterns for the suspicious object selected in Trend Vision One.
    Activity summary
    The activity summary is organized by attack pattern and provides the following information:
    • Protocols on which activities were detected.
    • Hosts involved in suspicious or malicious activity.
      Activity might be between internal hosts and external servers, or might include lateral activity between internal hosts.
      Internal hosts are defined by the Network Groups list.
      Note
      Deep Discovery Director - Network Analytics treats any internet protocol (IP) address or range in the Trusted Internal Networks list as part of the trusted internal network.
      • To provide an accurate analysis of correlation data, specify your internal networks and hosts in the Network Groups list.
      • By default, private networks are treated as trusted. You only need to add non-private internet protocol (IP) addresses to the Network Groups list.
    • Additional hosts that participated in the suspicious activity.
    • Additional suspicious objects when viewing correlation data for suspicious objects.
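The internal/external distinction above drives how the activity summary labels a flow (lateral versus internal-to-external), and it depends on the Network Groups list being complete. The following is an added illustration, not Trend Micro code and not a description of how Deep Discovery Director - Network Analytics implements its matching: it assumes that "private networks" means the RFC 1918 ranges, and it uses constructed placeholder addresses from the IETF documentation ranges (203.0.113.0/24, 198.51.100.x, 192.0.2.x) to stand in for a non-private corporate range, a single internal public-facing host, and external servers. It shows why a non-private internal range that is missing from the Network Groups list would make internal activity look like external traffic.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Assumption: "private" in the product's sense means the RFC 1918 ranges.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample Network Groups entries (placeholders, not real deployment data):
# a non-private corporate range and one internal host that uses a public address.
NETWORK_GROUPS = [
    "203.0.113.0/24",
    "198.51.100.17",
]

# Constructed sample flows (source, destination) as they might appear in a summary.
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.1.2.50"),          # private to private
    ("10.1.2.3", "192.0.2.10"),         # private to an external server
    ("203.0.113.9", "10.1.2.3"),        # listed non-private internal host to private host
    ("198.51.100.17", "192.0.2.10"),    # listed single host to an external server
    ("192.0.2.10", "192.0.2.11"),       # neither side is internal
]


def build_internal_networks(network_groups: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse Network Groups entries; a bare address becomes a single-host network."""
    return [ipaddress.ip_network(entry, strict=False) for entry in network_groups]


def is_internal(ip: str, internal_nets: List[ipaddress._BaseNetwork]) -> bool:
    """Private addresses are trusted by default; any other address must be in Network Groups."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return True
    return any(addr in net for net in internal_nets)


def classify_hosts(hosts: Iterable[str], network_groups: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split observed hosts into (internal, external) lists."""
    nets = build_internal_networks(network_groups)
    internal, external = [], []
    for host in hosts:
        (internal if is_internal(host, nets) else external).append(host)
    return internal, external


def classify_activity(flows: Iterable[Tuple[str, str]], network_groups: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Label each flow the way the activity summary distinguishes them:
    'lateral' (internal to internal), 'internal-external' (one side internal),
    or 'external-only' (neither side is a known internal host)."""
    nets = build_internal_networks(network_groups)
    labelled = []
    for src, dst in flows:
        src_internal, dst_internal = is_internal(src, nets), is_internal(dst, nets)
        if src_internal and dst_internal:
            label = "lateral"
        elif src_internal or dst_internal:
            label = "internal-external"
        else:
            label = "external-only"
        labelled.append((src, dst, label))
    return labelled


if __name__ == "__main__":
    # With the corporate range listed, 203.0.113.9 -> 10.1.2.3 is lateral activity.
    for src, dst, label in classify_activity(SAMPLE_FLOWS, NETWORK_GROUPS):
        print(f"{src:>15} -> {dst:<15} {label}")
    # With an incomplete Network Groups list, the same flow is mislabelled as external.
    for src, dst, label in classify_activity(SAMPLE_FLOWS, []):
        print(f"{src:>15} -> {dst:<15} {label}  (Network Groups empty)")
```

Running the block twice, once with the constructed Network Groups entries and once with an empty list, shows the third flow change from "lateral" to "internal-external"; that is the analysis gap the note about non-private addresses is warning about.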
  2. Do any of the following actions for individual summary items:
    Internal Hosts detection number
      Click the detection number and then click Copy to clipboard to copy the list to your clipboard.
    Indicators of Compromise detection number
      Click the detection number and then click Copy to clipboard to copy the value to your clipboard.
    Attack patterns
      Hover over an attack pattern to highlight only activities related to that attack pattern in the summary.
    IP addresses and domains
      Hover over the icon next to the IP address or domain and select one of the following:
      • Focus: Focus on the item in the Correlation Graph.
      • Copy to clipboard: Copy the value to your clipboard.
      • Threat Connect: Open Trend Micro Threat Connect in a new browser tab with a query for this object.
      • DomainTools (WHOIS): Open DomainTools in a new browser tab with a query for this IP address or domain.
      • VirusTotal: Open VirusTotal in a new browser tab with a query for this object.
  3. Click Export and select one of the following options to export the correlation data of this correlated event.
    • Printer-friendly: Displays your system's printer dialog. Select the appropriate options, then click Print.
    • CSV: Select a delimiter, then click Export to download the correlation data of this correlated event as a CSV file that uses the chosen delimiter.
    Note
    If you apply an advanced search filter, the exported file includes only the currently filtered correlation data.