Threat intelligence lets you use information consolidated in Trend Vision One to
create user-defined suspicious object (UDSO) lists that help you detect and respond to threats.
The consolidated information can include Trend Vision One sandbox data and object lists
exchanged in Structured Threat Information eXpression (STIX) format over
Trusted Automated eXchange of Intelligence Information (TAXII).
You can define suspicious objects manually, or extract them from third-party intelligence and add them to the list. In addition,
Sandbox sends the objects it judges to be possible threats for consolidation
and synchronization; each of these objects carries a risk level that Sandbox assigns
based on its analysis results.
Once the suspicious object list has been updated in Workload Security and the computer
policies have been updated with the specified action, Deep Security Agent checks
the affected computers and applies that action whenever the object is encountered again
on a protected computer.
Suspicious objects added through third-party intelligence or manual operations are
limited to 10,000 per object type. Suspicious objects from Sandbox are limited to
25,000 per object type. When a limit is exceeded, the objects closest to their
expiration date are removed first.
You can check newly added or imported objects on the Suspicious Object List screen.
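The capacity rule above is easy to get wrong when you bulk-load a feed: the objects you lose are the ones nearest expiration, across the whole pool for that object type, not the ones you just added. The following is an added example (not Trend Micro's code) that simulates that rule so you can predict which entries survive before importing. It treats manual and third-party objects as one user-defined pool and Sandbox objects as a separate pool, and it assumes never-expiring objects are evicted last; both readings are assumptions, as is the record layout.

```python
"""Simulate the per-type capacity rule for the suspicious object list.

Added example, not product code. Limits are the ones stated on the page;
the pooling of manual + third-party objects and the ordering of never-expiring
objects (kept last) are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

# Per-object-type limits from the page; 'user' = manual or third-party (assumption).
LIMITS = {"user": 10_000, "sandbox": 25_000}


def pool_of(source):
    """Map a source ('manual', 'third-party', 'sandbox') to its limit pool."""
    return "sandbox" if source == "sandbox" else "user"


def apply_limits(objects, limits=LIMITS):
    """Return (kept, evicted). Each object is a dict with keys 'source',
    'type' (e.g. 'Domain'), 'object' (the value) and 'expires'
    (a date, or None for never expires)."""
    pools = defaultdict(list)
    for o in objects:
        pools[(pool_of(o["source"]), o["type"])].append(o)

    kept, evicted = [], []
    for (pool, _type), items in pools.items():
        limit = limits[pool]
        # Order so the entries to keep come first: never-expiring ones
        # (assumption), then the furthest expiration dates. Whatever falls
        # past the limit is the set closest to expiration.
        items.sort(key=lambda o: (o["expires"] is None, o["expires"] or date.min),
                   reverse=True)
        kept.extend(items[:limit])
        evicted.extend(items[limit:])
    return kept, evicted


def demo():
    """Constructed sample with a tiny limit so the eviction is visible."""
    today = date(2024, 1, 15)   # constructed reference date
    objs = [{"source": "manual", "type": "Domain", "object": f"d{i}.example",
             "expires": today + timedelta(days=i)} for i in range(1, 5)]
    objs.append({"source": "manual", "type": "Domain", "object": "keep.example", "expires": None})
    objs.append({"source": "third-party", "type": "Domain", "object": "feed.example",
                 "expires": today + timedelta(days=10)})
    objs.append({"source": "sandbox", "type": "File SHA-256", "object": "a" * 64,
                 "expires": today + timedelta(days=1)})
    return apply_limits(objs, {"user": 3, "sandbox": 3})


if __name__ == "__main__":
    kept, evicted = demo()
    print("kept:   ", [o["object"] for o in kept])
    print("evicted:", [o["object"] for o in evicted])
```

In the demo the user-defined Domain pool holds six entries against a limit of three, so the three with the earliest expiration dates are dropped even though the never-expiring and ten-day entries were added later.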
Requirements
Before connecting Workload Security to Trend Vision One, ensure that your environment
meets the following requirements:
- Install Deep Security Agent version 20.0.0-4185 or later (Windows or Linux) or version 20.0.0-198 or later (macOS).
- Register with Trend Vision One.
- Enable Activity Monitoring.
- Set up a connection to Trend Vision One.
- Configure the scan action for a suspicious file.
User-defined suspicious objects
The following table outlines the actions available on the Trend Vision One Suspicious Object List screen.

Action | Description
Filter object data | Use the Object or Description field and the drop-down lists to locate specific object data.
Add or import suspicious objects | Click Add to open the Add Suspicious Object screen. For more information, see Add suspicious objects and Import suspicious objects.
View or edit object details | Open an existing object in the list to view or change its details.
Manage suspicious objects | Manage one or multiple suspicious objects.
Configure default settings | Click Default Settings in the upper-right corner. In the Default Settings dialog, specify the default action to take on each type of object at each risk level, and the expiration settings for objects. Objects from Sandbox always use the default actions. Objects from other sources use the default settings unless you specified action or expiration settings for them.
Export object data | Click the export icon.
Refresh object data | Click the refresh icon.
Add suspicious objects
You can add domain, file SHA-1, file SHA-256, IP address, sender address, or URL objects
to the suspicious object list.
- From Trend Vision One, open the Suspicious Object Management screen. It opens with the Suspicious Object List tab displayed.
- Click Add. The Add Suspicious Object screen appears.
- Select one or more of the following from the Method list:
  - Domain: type a domain name.
  - File SHA-1: type the SHA-1 hash value of a file.
  - File SHA-256: type the SHA-256 hash value of a file.
  - IP address: type an IPv4 or IPv6 address.
  - Sender address: type an email address.
  - URL: type a URL.
- Select a risk level for the object.
- Specify the action that connected products apply after detecting the object. For more information, see Suspicious object actions.
- Select one of the following expiration options:
  - Set the object to automatically expire after a specified number of days.
  - Set the object to never expire.
- Optionally, enter a description.
- Click Submit.
The object appears in the Suspicious Object List. Connected products receive the new object
during the next synchronization with Trend Vision One.
Import suspicious objects
You can add suspicious objects by importing a properly formatted CSV or Structured
Threat Information eXpression (STIX) file.
- From Trend Vision One, open the Suspicious Object Management screen. It opens with the Suspicious Object List tab displayed.
- Click Add to open the Add Suspicious Object screen.
- Select one of the Import options from the Method list:
  - CSV file
  - STIX file
- Configure the risk level, action, and expiration options on the Add Suspicious Object screen, then click Select File and choose the file to import.
- Click Submit to import the file.
If you import a STIX file, note the following:
- Only STIX 2.0 and 2.1 are supported.
- Only indicator objects are imported. Indicators labeled anomalous-activity, anonymization, benign, compromised, or unknown, and indicators that have been revoked, are skipped; all other indicators are added to the Suspicious Object List.
- Only simple indicators whose pattern contains a single object are supported.
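Feeds rarely arrive in exactly the shape the importer accepts, so it pays to pre-filter a STIX bundle and check each value before uploading, rather than discover rejected rows afterwards. The following added example (not Trend Micro's code) applies the three STIX rules above to a bundle and also validates each extracted value against the six object types listed under Add suspicious objects, so it serves both procedures. The CSV column layout, the sample bundle, and the mapping from STIX pattern properties to object types are assumptions; the page only states which object types exist, not the CSV format it expects.

```python
"""Pre-filter a STIX 2.x bundle into a CSV of suspicious objects.

Added example, not product code. Rules applied (from the page): indicator
objects only; skip anomalous-activity, anonymization, benign, compromised,
unknown, and revoked indicators; single-object patterns only. Values are
then checked against the six supported object types. CSV layout assumed.
"""
import csv
import io
import ipaddress
import re

SKIP_LABELS = {"anomalous-activity", "anonymization", "benign", "compromised", "unknown"}

# Exactly one comparison expression: [object-type:property = 'value'].
# Patterns joined by AND / OR / FOLLOWEDBY do not match and are rejected.
_SINGLE = re.compile(r"^\[\s*([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'\s*\]$")

# (STIX object type, property) -> object type on the Add Suspicious Object screen
_TYPE_MAP = {
    ("domain-name", "value"): "Domain",
    ("file", "hashes.'SHA-1'"): "File SHA-1",
    ("file", "hashes.'SHA-256'"): "File SHA-256",
    ("ipv4-addr", "value"): "IP address",
    ("ipv6-addr", "value"): "IP address",
    ("email-addr", "value"): "Sender address",
    ("url", "value"): "URL",
}
_HEX = {"File SHA-1": 40, "File SHA-256": 64}
_DOMAIN = re.compile(r"(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
_EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def valid_value(kind, value):
    """Syntactic check for one value of the given object type."""
    if kind in _HEX:
        return re.fullmatch(r"[0-9a-fA-F]{%d}" % _HEX[kind], value) is not None
    if kind == "Domain":
        return _DOMAIN.fullmatch(value.lower()) is not None
    if kind == "IP address":
        try:
            ipaddress.ip_address(value)      # accepts IPv4 and IPv6
            return True
        except ValueError:
            return False
    if kind == "Sender address":
        return _EMAIL.fullmatch(value) is not None
    return kind == "URL" and re.fullmatch(r"https?://\S+", value) is not None


def parse_single_pattern(pattern):
    """Return (object type, value) for a supported single-object pattern, else None."""
    m = _SINGLE.match(pattern.strip())
    if not m:
        return None
    kind = _TYPE_MAP.get((m.group(1), m.group(2)))
    return None if kind is None else (kind, m.group(3))


def select_indicators(bundle):
    """Apply the import rules; return (accepted rows, [(id, reason), ...])."""
    rows, rejected = [], []
    for obj in bundle.get("objects", []):
        oid = obj.get("id", "?")
        if obj.get("type") != "indicator":
            rejected.append((oid, "not an indicator"))
            continue
        if obj.get("revoked", False):
            rejected.append((oid, "revoked"))
            continue
        # STIX 2.0 carries the category in `labels`, STIX 2.1 in `indicator_types`.
        labels = set(obj.get("labels", [])) | set(obj.get("indicator_types", []))
        if labels & SKIP_LABELS:
            rejected.append((oid, "label " + ",".join(sorted(labels & SKIP_LABELS))))
            continue
        parsed = parse_single_pattern(obj.get("pattern", ""))
        if parsed is None:
            rejected.append((oid, "unsupported or compound pattern"))
            continue
        kind, value = parsed
        if not valid_value(kind, value):
            rejected.append((oid, f"malformed {kind}"))
            continue
        rows.append({"type": kind, "object": value, "description": obj.get("name", "")})
    return rows, rejected


def to_csv(rows):
    """Serialize accepted rows; column names are an assumption."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["type", "object", "description"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


# Constructed sample bundle; ids, names and values are placeholders.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "indicator", "id": "indicator--1", "indicator_types": ["malicious-activity"],
     "name": "C2 domain", "pattern": "[domain-name:value = 'c2.example.net']"},
    {"type": "indicator", "id": "indicator--2", "indicator_types": ["malicious-activity"],
     "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"},
    {"type": "indicator", "id": "indicator--3", "indicator_types": ["benign"],
     "pattern": "[ipv4-addr:value = '203.0.113.10']"},
    {"type": "indicator", "id": "indicator--4", "revoked": True,
     "pattern": "[url:value = 'http://bad.example/x']"},
    {"type": "indicator", "id": "indicator--5",
     "pattern": "[ipv4-addr:value = '198.51.100.5' AND ipv4-addr:value = '198.51.100.6']"},
    {"type": "indicator", "id": "indicator--6", "pattern": "[file:hashes.'SHA-1' = 'nothex']"},
    {"type": "malware", "id": "malware--1", "name": "loader"},
    {"type": "indicator", "id": "indicator--7", "labels": ["malicious-activity"],
     "pattern": "[email-addr:value = 'phisher@example.org']"},
]}

if __name__ == "__main__":
    accepted, dropped = select_indicators(SAMPLE_BUNDLE)
    print(to_csv(accepted))
    for oid, reason in dropped:
        print(f"skipped {oid}: {reason}")
```

Run against the sample, three indicators survive (a domain, a SHA-256, and a sender address) and five objects are reported with a reason each: one benign label, one revoked, one compound pattern, one malformed hash, and one non-indicator object. The rejection list is the part worth keeping: it tells you which feed entries the product would have silently skipped.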
Suspicious object actions
The following table outlines the object types and actions supported by Threat Intelligence
for Trend Cloud One - Endpoint & Workload Security.

Object Type | Action
IP address | Log
Domain | Log
File SHA-1 | Log, Quarantine / Block
File SHA-256 | Log, Quarantine / Block

Workload Security supports the Log action with Deep Security Agent version 20.0.0-3964 or later, and both the
Log and Quarantine / Block actions with Deep Security Agent version 20.0.0-4124 or later.
Note: The Quarantine / Block action applies only to process objects. The agent does not block objects
before they run; it terminates processes whose executable file hash matches an entry in the Suspicious
Object List after the process has been created.
Script files (.sh, .ps1, and so on) are not executable files, so when a script runs, the script file
is not the process object (the interpreter is). The agent therefore cannot terminate script execution
by matching the script file's hash.
Set up a connection to Trend Vision One
You can configure Workload Security to submit suspicious files to Trend Vision One, retrieve the
suspicious object list from it, share that list with protected computers, and
compare local objects against the Trend Vision One Threat Intelligence Suspicious
Object List.
- In Workload Security, go to.
- Select Trend Micro Vision One Suspicious Object Management and click Save.
Configure the scan action for a suspicious file
You can view the suspicious object list in Trend Vision One and configure the action
(Log or Quarantine / Block) to take when a suspicious object is found.
If you have configured Workload Security to obtain the suspicious object list from
Trend Vision One, Workload Security performs the action specified in Trend Vision
One when a suspicious object is found.
Deep Security Agent version 20.0.0-4124 or later supports the object types listed under
Suspicious object actions: IP address, domain, file SHA-1, and file SHA-256.