Trend Micro Vision One (XDR) Threat Intelligence - User Defined Suspicious Object (UDSO)

Threat intelligence lets you use information consolidated from Vision One to create user-defined suspicious object (UDSO) lists to help detect and respond to threats.

The information consolidated for threat intelligence suspicious object lists can include Vision One sandbox data, order lists by Structured Threat Information eXpression (STIX), and Trusted Automated eXchange of Intelligence Information (TAXII).

You can define suspicious objects through manual operations, or extract and add suspicious objects from third-party intelligence. In addition, Sandbox sends suspicious objects it determines as possible threats for consolidation and synchronization. These suspicious objects have a risk level assigned by Sandbox based on the analysis results.

Once the suspicious object list has been updated in Workload Security and the computer policies have been updated with the action specified, Deep Security Agent then checks the affected computers and uses that action any time the object is encountered again on a protected computer.

For suspicious objects added through third-party intelligence and manual operations, the maximum limit is 10,000 for each object type. For suspicious objects from Sandbox, the maximum limit is 25,000 for each object type. When the number of suspicious objects exceeds the maximum, the objects that are closest to the expiration date will be removed. You can further check the newly added or imported objects on the Suspicious Object List screen.

Requirements

Before connecting Workload Security to Deep Discovery, check that your environment meets these requirements:

• Install the agent version 20.0.0-4185+ for Windows or Linux.
• Register with Trend Micro Vision One (XDR).
• Enable Activity Monitoring
• Set up a connection to Trend Micro Vision One.
• Configure the scan action for a suspicious file.

User Defined Suspicious Objects (USDO)

The following table outlines actions available on the Vision One Suspicious Object List screen.

Action	Description
Filter object data	Use the Object or Description field and the following drop-down lists to locate specific object data: Last updated: The time range during which a suspicious object was last updated Object type: The type of a suspicious object, such as domain, file SHA-1, file SHA-256, IP address, sender address, and domain Source: The source where a suspicious object was added
Add or import suspicious objects	Computer has been added to the computers list via the discovery process. (See Discover computers.)
View or edit object details	Click Add to open the Add Suspicious Object screen. For more information, see: Add Suspicious Objects Import Objects
Manage suspicious objects	Manage one or multiple suspicious objects. Options include: Delete objects: Select unwanted objects and click Delete. Change the applied action: Select objects and choose Log or Quarantine / Block. Change expiration settings: Select objects and click Set to Never Expire. Add one or multiple objects as exceptions: Click options for an object and select Add to Exception List, or select multiple objects and click Add to Exception List. Search an object: Click options on the object and select New Search: match field and value.
Configure default settings	Click Default Settings in the upper-right corner. In the Default Settings dialog box, specify the default actions to take on different types of objects at each risk level and the expiration settings for the objects. For objects from Sandbox, default actions apply. For objects from other sources, default settings apply unless you have specified action or expiration settings.
Export object data	Click export in the upper-right corner to export the object data into a CSV file.
Refresh object data	Click refresh in the upper-right corner to display the latest object data.

Add suspicious objects

You can add domain, file SHA-1, file SHA-256, IP address, sender address, or URL objects to the suspicious objects list.

1. From Vision One, go to Threat Intelligence > Suspicious Object Management. The Suspicious Object Management screen appears with the Suspicious Object List tab displayed.

   

2. Click Add. The Add Suspicious Object screen appears.

   

3. Select one or more of the following from the Method drop-down list:

   • Domain: type a domain name.
   • File SHA-1: type the SHA-1 hash value of a file.
   • File SHA-256: type the SHA-256 hash value of a file.
   • IP address: type an IPv4 or IPv6 address.
   • Sender address: type an email address.
   • URL: type a URL.

4. Select a risk level for the object.

5. Specify the action that connected products apply after detecting the object. For more information, see Suspicious Object Actions.

6. Select one of the following expiration options:

   • Set the object to automatically expire in a specified number of days.
   • Set the object to never expire.

7. (Optional) Enter a description.

8. Click Submit. The object appears in the Suspicious Objects List. The connected products receive the new object information from Trend Micro Vision One during the next synchronization.

Import suspicious objects

You can add suspicious objects by importing a properly formatted CSV or Structured Threat Information Expression (STIX) file.

1. From Vision One, go to Threat Intelligence > Suspicious Object Management. The Suspicious Object Management screen appears with the Suspicious Object List tab displayed.

   

2. Click Add. The Add Suspicious Object screen appears.

   

3. Select one of the Import options from the Method drop-down list:

   • CSV file
   • STIX file

4. Configure your desired risk level, action, and expiration options in the Add Suspicious Object menu and click Select File to choose the file you want to import.

   

5. Click Submit to import the file.

If you want to import a STIX file note that:

• Only STIX 2.0 and 2.1 are supported.
• Only "indicator" type objects can be imported, and they must not be labeled as "anomalous-activity", "anonymization", "benign", "compromised", or "unknown", and that are not revoked will be added to the Suspicious Objects List.
• Only simple indicators whose pattern contains a single object are supported.

Suspicious object actions

The following table outlines the object types and actions supported by Threat Intelligence for Cloud One Workload Security.

Workload Security supports the log action for Deep Security Agent version 20.0.0-3964 or later. Workload Security supports "Log" and "Quarantine / Block" actions for Deep Security Agent version 20.0.0-4124 or later.

Set up a connection to Trend Micro Vision One

You can configure Workload Security to submit the suspicious files and retrieve the suspected object list from Trend Micro Vision One, share it with protected computers, and compare local objects against the Trend Micro Vision One Threat Intelligence Suspicious Object List.

1. In Workload Security, go to Administration > System Settings > Threat Intelligence.

2. Select Trend Micro Vision One Suspicious Object Management and click Save.

   

Configure the scan action for a suspicious file

You can view the suspicious objects list in Trend Micro Vision One and configure the action (Log or Quarantine / Block) that should be taken when a suspicious object is found.

If you have configured Workload Security to obtain the suspicious object list from Trend Micro Vision One, Workload Security will perform the action specified by Vision One when a suspected object is found.

Deep Security Agent version 20.0.0-4124+ supports file, domain, SHA-1, and SHA-256 suspicious objects.