
XDR Threat Investigation With

Trend Vision One


Student Guide
Copyright© 2024 Trend Micro Incorporated. All rights reserved.

Trend Micro, the Trend Micro logo, the t-ball logo, and [other Trend trademarks] are
trademarks or registered trademarks of Trend Micro Incorporated. All other company
and/or product names may be trademarks or registered trademarks of their owners.
Information contained in this document is subject to change without notice. Trend Micro,
the Trend Micro logo, and the t-ball logo Reg. U.S. Pat. & Tm. Off.

For details about what personal information we collect and why, please see our Privacy
Notice at trendmicro.com/privacy

Released: March 7, 2024


Courseware v1.0
Student Guide

XDR Threat Investigation with Trend Vision One 1



Welcome

• SHORT instructor intro

2 | ©2024 Trend Micro Inc.




Objectives

After completing this course, participants will be able to:


• Describe the benefits of Trend’s XDR solution
• Navigate Trend Vision One Workbenches
• Run searches to locate entries in the data lake
• Prepare the environment to maximize analyst productivity




Before We Start

• Turn your microphone on for questions or comments, but keep it off at other times to reduce background noise
• The Q&A pane is being monitored for questions as well
• Download your copy of the Student Guide and Lab Guide from the Trend Education Portal


Audio is enabled for this session. Keep your microphone turned off, except when you would
like to ask a question or respond to a trainer's question. This will help reduce background
noise during the session.

The Q&A pane is also being monitored; feel free to pose questions there as well.

The Student Guide for this course can be downloaded from the Trend Education Portal. Log
into your account and click the XDR Threat Investigation With Trend Vision One course. Scroll
to the Course Syllabus section and click to download the Student Guide and Lab Guide PDFs.


Threat Landscape

• Growing attack surface
• Threat actor evolution
• Threat activity evolution
• Tool sprawl


Before launching into Trend Vision One, let’s step back and first examine some of the
issues that organizations are dealing with related to the current threat landscape. The
threat landscape is always changing, but the drastic shifts of recent years have made
unprecedented demands of security teams.

• Growing attack surface: An increased number of cyber assets means more of those
assets are likely to be vulnerable, more areas of weakness arise in the infrastructure,
and, overall, the result is an even bigger and more profitable target that cybercriminals are
only too eager to exploit. Because of this growth in attack surface, in the past year alone
nearly 70% of organizations have been compromised via an unknown,
unmanaged, or poorly managed internet-facing asset. This is partly due to the
complexity of taking an inventory of external-facing assets — with the average
organization taking upwards of 80 hours to generate an accurate picture of their
attack surface (Source: https://www.randori.com/reports/the-state-of-attack-surface-management-2022/)

• Threat actor evolution: The tactics used by cyber criminals are changing as they are
focusing more and more on extortion and business email compromise. Extortion can
mean ransomware and other tactics for causing organizations to pay them money. We
know that this behavior is going to grow as we enter a period of economic uncertainty.
Cyber criminals are specializing and are targeting customers more effectively and
customizing their attacks. We've seen instances during 2022 where governments are
hacking back, and that is changing the landscape a little.

• Threat activity evolution: New vulnerabilities are getting exploited faster and faster.
Attackers are getting incredibly efficient at weaponizing new vulnerabilities, turning those
into exploits and moving fast before people have time to patch. Attackers are also getting
smarter at avoiding EDR and other security controls. They are also finding success by
“living off the land”, for example, by leveraging typical IT tools already inside the
organization, such as PowerShell and other pre-installed tools.
Ransomware has evolved to leverage higher quality encryption and it is becoming harder
to find decryption tools that work. More behavior around data exfiltration and other new
types of extortion has been noted, not just encryption, as encryption behavior has
been so disruptive that it has attracted unwanted law enforcement attention.

• Tool sprawl: Many security organizations today have siloed toolsets from different areas of
the environment, generating a lot of noisy alerts that either get sent to a SIEM, or to a
vendor or independent service provider managing the product on behalf of the customer,
or alerts are being generated from a completely disconnected system and console. For
example, you might use EDR to get detailed visibility for suspicious activity on endpoints
but then have a separate siloed view of network security alerts and traffic analysis, with
blind spots around IoT and OT entities and little if any visibility into undiscovered
threats already in user mailboxes. Without a detailed record of system activity,
these alerts are missing important attack details, and the analyst ends up buried in alerts
without context. Given the operational and commercial implications of a distributed
toolset and the current economic and skills shortage, it is critical to resolve the challenges
associated with this common customer scenario. Purchasing, deploying, and maintaining
different tools becomes overwhelming, and disconnected workflows and disjointed views
slow down response time and create security gaps.


Shift from Security Tools to a Cybersecurity Platform

(Platform diagram) Zero Trust Architecture; Extended Detection and Response (XDR); Ecosystem Integration; Managed Services
• Protected layers: User and Identity, Email, Endpoints and Servers, Cloud Infrastructure, Applications, Code Repository, Data, Network, 5G, ICS/OT
• Security solutions: Email Security, Endpoint Security, Cloud Security, Network Security, Data Security, Identity Security
• Orchestration and Automation: Risk Mitigation, IT Automation, Custom Playbooks, Case Management
• Global Threat Intelligence: Attack Surface Intelligence, Zero Day Initiative, Threat Research, Big Data Analytics
• AI Native Foundation: AI Privacy and Ethics, AI Companion, Generative AI, Custom LLM, Machine Learning


The Trend Vision One platform includes the solutions, services, and technology that
connect and benefit security and operations teams across multiple functions. It provides
a truly integrated approach to protecting your digital environment and visibility
across the entire environment.

The platform delivers a single common framework so security teams can bridge threat
protection and cyber risk management to drive better security outcomes and accelerate
the business.

The platform:
• Improves cyber risk resilience, by continuously discovering and assessing risks, thwarting
attackers, and prioritizing mitigation.
• Reduces cost and complexity with one platform to assess, protect, investigate, respond,
automate, and report, even with non-Trend products.
• Protects brand reputation. The longer it takes to stop an attacker, the more it can harm
the reputation of an organization. The platform helps you confidently implement
security controls and policies to reduce chances of a breach and possible business
impact.
• Optimizes compliance, as the platform makes it easy to implement and ensure you’re
meeting key industry standards, for example Zero Trust.



In this class, we will focus on the Extended Detection and Response (XDR) capabilities of
the Trend Vision One platform.


What is going on in our environment?

• Threats hiding between security silos
• Threats that evaded other malware detection techniques
• Correlate low confidence events
• What is the full story of the attack?


How can we find threats evading detection by hiding in between security silos?

How can we find threats that have evaded other malware detection techniques?

How can we correlate low confidence events across security vectors to quickly detect
complex, multi-layer attacks?

How can we visualize the full attack story with fragments of malicious activity?


Data Lake

Connect as many data sources as possible to broaden the range of the data collected

Data feeds the XDR capabilities in Trend Vision One. Telemetry collected from different sources
in the environment is stored in a centralized cloud-based data lake from which correlation
and analysis can be performed using a variety of big data techniques.

Sources of telemetry in the environment can include:


• End-user endpoint computers
• Servers and workloads
• Email
• Network
• Operational technologies
• Cloud
• Third-party products
• Data
• Identities

A data lake is a centralized repository that allows you to store all your structured and
unstructured data at any scale. You can store your data as-is, without having to first
structure the data, and run different types of analytics—from dashboards and visualizations
to big data processing, real-time analytics, and machine learning to guide better decisions.


Robust Extended Detection and Response (XDR) capabilities are derived from the data
collected in the data lake. The raw activity data collected by Trend sensors allows the
platform components to detect and report on even the sneakiest of attacks, crossing many
layers such as email, endpoint, and the network. With the details of every process run, every
network connection made, and so forth, Trend Vision One continually sweeps the data lake,
comparing the collected telemetry with new threat intelligence obtained from various
trusted sources. To understand attacks more quickly, Trend Vision One Companion AI can explain
in easily understandable language the attacker’s actions and recommend the best next steps.

Attack Surface Risk Management and Extended Detection and Response work hand in hand.
Having them both in the same platform, working off the same data, allows for powerful
streamlined workflows, increasing proactive measures and reducing the need for as much
responsive action.

Connect as many data sources as possible to broaden the range of the data collected, to ensure
that you have a full view of what is going on in your environment.


Telemetry

Both security event data and system activity data are needed to compile the full story of an attack.

• Security event: Security agent
• System activity: Sensors (endpoint, email, network…)

Telemetry from all the connected sources in the environment is collected in the data lake.
This telemetry includes:

Security Events: Security events are generated by the protection modules, such as anti-malware,
virtual patching/IPS, Web reputation, etc., on Trend Micro-managed security agents.
1. Connect your individual Trend Micro security solutions, such as Apex One (on-premises),
Apex One as a Service, Deep Security, Cloud One – Endpoint & Workload
Security and others to Trend Vision One.
2. Install a security agent on each device.
3. Deploy the appropriate policy settings to generate the event details, which are then
collected for storage.

System Activity includes internal activities such as registry changes, user creation/deletion,
cronjobs and scheduled tasks, processes starting/stopping, software installed/removed,
network connections to IPs or domains, etc.
1. Install Trend sensors to collect this data and forward it for storage. Sensors exist for
endpoints, email, and the network.
Data collected from third-party connected solutions is also forwarded to the data lake.


Both security events and activity data are required to compile the full story of an attack.


Data Correlation

Ties together low-level events that seem benign or insignificant on their own to help uncover stealthy attackers

How is Trend Vision One going to filter through the large amount of detection and activity
data within the data lake?

Detection models, developed by Trend threat experts, use a variety of techniques including
data stacking, machine learning, expert rules, etc., to find tactics, techniques, and
correlated events. These detection models combine filters to surface attacks. Detection
models are frequently updated/added. Analysts can also create custom detection models.

Low-level activities that may seem benign, harmless or insignificant on their own may
reveal an attack when tied together to create a full story.


Data Correlation

(Diagram) Sources in the environment (Workloads, Third-party, Containers, Cloud, Identity, OT, Network, Email and Endpoint) forward Activity Data and Detections to the Trend Data Lake. Threat Intelligence (Collaboration, Latest Threat campaigns (IOCs and STIX), Threat Intel) is applied to the data lake to produce Observed Attack Techniques, then Alerts, which the SOC Analyst triages in the Workbench. Each stage yields fewer, higher-fidelity results.

Trend Vision One Extended Detection and Response (XDR) finds attacks within the noise of
alerts and telemetry with powerful detection models.

Raw activity telemetry (activity data and detections) is forwarded to the data lake from
sources in the environment, such as endpoint, server, cloud, email, network, etc.

The data lake is scanned regularly looking for any data that matches what was described in
the filter. A match on a filter generates an alert, which is displayed in Trend Vision One as a
Workbench.

Detection model alerts are investigated and responded to by either your security team or
by Trend Micro-Managed XDR personnel (MDR service).


Effect of Data Correlation

• 5B raw logs processed
• 22 M filter hits (Observed Attack Techniques)
• 116 Workbench alerts (alerts triggered by Detection Models)
• 7 Workbench insights (correlated Workbench alerts)

Company with 1000 devices in a 7-day period

How effective is the data correlation? Consider the filtering that occurs at each phase of the
data analysis.
Trend Micro investigated data across our customer base over a period and distilled that
down to highlight the effect correlation can have. Sifting through this volume of log
data manually would be difficult, if not impossible.
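To make the funnel above concrete, here is a small Python model of the pipeline the Data Correlation slides describe: raw activity events are matched against filters that tag each hit with a MITRE tactic and technique (the Observed Attack Techniques), a detection model raises a Workbench alert when one host shows several tactics within a time window, and alerts that share an indicator are correlated into a Workbench insight while the rest stay standalone. This is an added illustration, not Trend Micro code; the filter names, thresholds and sample events are constructed.

```python
"""Toy model of the correlation funnel: raw telemetry -> filter hits (Observed Attack
Techniques) -> Workbench alerts -> Workbench insights. Constructed, not Trend Micro code."""
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from typing import Callable

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

@dataclass(frozen=True)
class Filter:
    """One detection filter; each match is one Observed Attack Technique (OAT)."""
    name: str
    tactic: str       # MITRE ATT&CK tactic (the WHY)
    technique: str    # MITRE ATT&CK technique ID (the HOW)
    match: Callable[[dict], bool]

FILTERS = [
    Filter("office_spawns_script_host", "Execution", "T1059.001",
           lambda e: e["type"] == "process" and e.get("parent") in OFFICE_APPS
           and e["image"] in SCRIPT_HOSTS),
    Filter("encoded_powershell", "Defense Evasion", "T1027",
           lambda e: e["type"] == "process" and e["image"] == "powershell.exe"
           and " -enc" in e.get("cmd", "").lower()),
    Filter("script_host_outbound", "Command and Control", "T1071.001",
           lambda e: e["type"] == "network" and e["image"] in SCRIPT_HOSTS),
    Filter("run_key_persistence", "Persistence", "T1547.001",
           lambda e: e["type"] == "registry" and "\\currentversion\\run\\" in e["key"].lower()),
]

def ev(host, ts, kind, image, **fields):
    """Build one constructed system-activity record (process, network or registry)."""
    return {"host": host, "ts": ts, "type": kind, "image": image, **fields}

# Constructed telemetry: ws-01 and ws-02 share an outbound indicator, ws-03 has a
# single benign-looking persistence hit, ws-04 has a chain with its own indicator.
RAW_EVENTS = [
    ev("ws-01", 100, "process", "winword.exe", parent="explorer.exe", cmd="winword.exe invoice.docm"),
    ev("ws-01", 101, "process", "powershell.exe", parent="winword.exe", cmd="powershell.exe -enc QUJD"),
    ev("ws-01", 102, "network", "powershell.exe", dst="198.51.100.7"),
    ev("ws-01", 103, "registry", "powershell.exe", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    ev("ws-02", 200, "process", "powershell.exe", parent="cmd.exe", cmd="powershell.exe -enc QUJD"),
    ev("ws-02", 201, "network", "powershell.exe", dst="198.51.100.7"),
    ev("ws-03", 300, "registry", "setup.exe", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ev("ws-03", 301, "network", "chrome.exe", dst="203.0.113.9"),
    ev("ws-04", 400, "process", "powershell.exe", parent="excel.exe", cmd="powershell.exe -file macro.ps1"),
    ev("ws-04", 401, "network", "powershell.exe", dst="192.0.2.44"),
]

Hit = namedtuple("Hit", "host ts rule event")   # one Observed Attack Technique

@dataclass
class Alert:
    """Workbench alert: several tactics seen on one host inside the time window."""
    host: str
    tactics: tuple
    hits: list
    def indicators(self):
        return {h.event["dst"] for h in self.hits if h.event["type"] == "network"}

def observed_attack_techniques(events):
    """Stage 1: every filter match on every event is one OAT hit."""
    return [Hit(e["host"], e["ts"], f, e) for e in events for f in FILTERS if f.match(e)]

def detection_model(hits, window=300, min_tactics=2):
    """Stage 2: alert when one host shows >= min_tactics distinct tactics within `window` s."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h.host].append(h)
    alerts = []
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h.ts)
        for i, first in enumerate(hs):
            group = [h for h in hs[i:] if h.ts - first.ts <= window]
            tactics = tuple(sorted({h.rule.tactic for h in group}))
            if len(tactics) >= min_tactics:
                alerts.append(Alert(host, tactics, group))
                break  # one alert per host is enough for this toy model
    return alerts

def workbench_insights(alerts):
    """Stage 3: alerts sharing an indicator become one insight; the rest stay standalone."""
    by_ioc = defaultdict(list)
    for a in alerts:
        for ioc in a.indicators():
            by_ioc[ioc].append(a)
    insights, correlated = [], set()
    for ioc, group in by_ioc.items():
        if len(group) > 1:
            insights.append({"indicator": ioc, "hosts": sorted(a.host for a in group)})
            correlated.update(id(a) for a in group)
    return insights, [a for a in alerts if id(a) not in correlated]

def funnel(events):
    """Counts per stage, the shape of the 5B -> 22M -> 116 -> 7 figures on the slide."""
    hits = observed_attack_techniques(events)
    alerts = detection_model(hits)
    insights, standalone = workbench_insights(alerts)
    return {"raw": len(events), "oat": len(hits), "alerts": len(alerts),
            "insights": len(insights), "standalone": len(standalone)}
```

Running `funnel(RAW_EVENTS)` on the constructed sample gives 10 raw events, 9 OAT hits, 3 alerts, 1 correlated insight and 1 standalone alert; ws-03's lone persistence hit never becomes an alert, which is the noise reduction the slide's numbers describe.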


Integration with SIEMs

Data lake → Correlation → Alerts → Workbenches (Workbench App) → SIEM

Many organizations incorporate a Security Information and Event Management (SIEM)
system as part of their workflow. Trend Vision One integrates with popular SIEMs through the
Third-Party Integration app.
When Trend Vision One is connected to a SIEM, workbench alerts which are available in the
Trend Vision One Workbench app will also be forwarded to the SIEM, allowing these
organizations to deal with workbenches without having to modify their workflow.


• Helps connect the dots of an attack
• Not focused on the tools and malware itself
  − Focus on interactions and techniques used by APTs and notable threats
• Comprehensive list of known adversary tactics and techniques used during a cyberattack
• Workbenches in Trend Vision One will refer back to MITRE details to provide background and feedback on what occurred

How can an analyst get an understanding of what is occurring in the generated
Workbenches? We need a common language that analysts can use to refer to the activities
we are discovering in our workbenches. Trend Vision One refers extensively to the MITRE
ATT&CK framework.

ATT&CK is an acronym for Adversarial Tactics, Techniques, and Common Knowledge.

This is a knowledge base of adversary behavior and attack techniques collected to help
organizations understand how attackers work.
This information is based on real world observations. Researchers have examined attacks
and distilled their behavior down to identified tactics, techniques and procedures.
This knowledge base is free and open to anyone. It can be accessed globally at
attack.mitre.org
Since this information is community driven, anyone can contribute to it. If you detect an
attack tactic, technique or procedure you feel has not been seen before, you can contribute
and have it added to the list.

The ATT&CK framework is used as a foundation for the development of specific threat
models and methodologies in the private sector, government, and the broader
cybersecurity community. It is widely used by both cyber security vendors and customers in
building out security programs and is used for Cyber Threat Intelligence mapping.


You can think of ATT&CK as an Encyclopedia of things that ATT&CK has seen an adversary do!
Information that ATT&CK provides is based on real world observations – every single one is
linked back to a report that you can find out in the community.

MITRE ATT&CK helps connect the dots of an attack. It is not focused on the tools and
malware itself, but instead, it focuses on interactions and techniques used by APTs and
notable threats.
MITRE ATT&CK provides a comprehensive list of known adversary tactics and techniques
used during a cyberattack.


Framework

Tactics (WHY?): Initial Access, Execution, Credential Access, Command & Control
Techniques (HOW?): Spear phishing Attachment, Non-Standard Port, Keylogger, Network Sniffing
Procedures (WHAT?): Sandworm was used, PowerShell, Mimikatz, and PsExec, Conti, Emotet

Threat actions/operations are classified as Tactics, Techniques and Procedures (TTP)

Open MITRE

Threat actions/operations are classified as TTPs: Tactics, Techniques and Procedures

Tactics
Tactics are the adversary’s technical goals.
Represents WHY, or the adversary’s objective when performing an action.
There are 13 tactics in Enterprise (March 2023): Reconnaissance, Resource Development,
Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential
Access, Discovery, Lateral Movement, Collection, Exfiltration, Impact

Techniques
Procedures are specific implementations of techniques.
Represents HOW the adversary will perform an action.
As of March 2023 there are 250+ techniques.
Example: Spearphishing Attachment, Data Destruction, Process Injection, Brute Force …
A technique can be part of multiple Tactics.

Procedures
Describe the way adversaries or software implement a technique.
Represents WHAT they are doing.
Examples:
APT12 has sent emails with malicious Microsoft Office documents and PDFs attached.
APT32 has used macros, PowerShell scripts, COM scriptlets, and VBS scripts.


Open Trend Vision One console



Review

• What data sources feed into the Trend data lake?

• How is the list of Observed Attack Techniques compiled?

• How are Workbenches created?





Lab 1

• Log into the sample Trend Vision One instance at:
  https://portal.xdr.trendmicro.com
  Username: XDR_Student_x@outlook.com (assigned by instructor)
  Password: Pa$$w0rd
• Answer the questions in Lab 1 - Exercise 1 (page 1 of the Lab Guide)


Review

• What are some of the details that an analyst can find in Workbench?
• How can an analyst apply an action to an item in a Workbench?
• What is the difference between a correlated event and a standalone event on the Workbench Insights tab?
• Why do Workbenches provide details about MITRE tactics and techniques within the Highlights pane of the Workbench details?
• What is an Execution Profile?




Lab 2

• Log into the sample Trend Vision One instance at:
  https://portal.xdr.trendmicro.com
  Username: XDR_Student_x@outlook.com (assigned by instructor)
  Password: Pa$$w0rd
• Answer the questions in Lab 2 - Exercise 1 (page 3 of the Lab Guide)


Lab 3

• Log into the sample Trend Vision One instance at:
  https://portal.xdr.trendmicro.com
  Username: XDR_Student_x@outlook.com (assigned by instructor)
  Password: Pa$$w0rd
• Create and run the queries in Lab 3 - Exercise 1 (page 5 of the Lab Guide)


Security Analyst

Where do I begin?

When an analyst starts working in Trend Vision One, they might not know where to start.


Analyst Workflow

• Security dashboards
• Case management
• Attack Surface Risk Management

Open Trend Vision One console

Tools in Trend Vision One simplify the job of the analyst by surfacing important issues that
need to be resolved.

Security dashboards: Dashboards can be displayed in Trend Vision One to highlight
important issues that require attention. A default Analyst board can be added to display
details such as My Open Cases, Highly Exploitable Unique CVEs, Time-critical CVEs,
Observed Attack Techniques Summary and Unassigned Alerts and Insights. The dashboard
can be customized by adding any other widgets that may be of interest.

Case Management: Case management features have been added in Trend Vision One to
allow the assignment of workbenches or alerts to specific analysts. When assigned, the
case is displayed in the My Open Cases widget for the specific analyst. This allows the
analyst to track which workbenches they have in progress and gives them quick access to
the case log to track their progress on the resolution. Organizations that use ServiceNow
can integrate it with Trend Vision One, allowing case management tickets to be managed in
the ServiceNow portal.

Attack Surface Risk Management: The apps in the Attack Surface Risk Management app
group help surface vulnerabilities, configuration errors, and more, as well as displaying an
overall risk index for the organization. These details can help the analyst focus effort on
hardening the system and reducing exposure to threats.



Analyst Workflow – An example


Joe is an analyst and begins his day by logging into Trend Vision One V1 and is directed to
his Analyst Board security dashboard.


Analyst Workflow – An example


Joe checks the My Open Cases widget to see if any new cases have been assigned to him,
paying attention to the priority of the case logs he has in progress, as well as how long they
have been open.


Analyst Workflow – An example


Joe also checks the Unassigned Alerts and Insights widget to see if there are any High or
Critical items there.


Analyst Workflow – An example


Joe then checks to see if there are any Time-Critical CVEs or Highly Exploitable Unique
CVEs. These items should be dealt with as soon as possible as they are time-sensitive and
highly exploitable.


Analyst Workflow – An example



• Joe begins addressing the items he considers to be the highest priority, recording all his
tasks and observations in the Case Log. He may use the Workbench, Observed Attack
Techniques and Search apps as part of his investigation.
• Joe may use Companion for suggestions on remediation actions.
• Joe always updates Findings once the alert has been resolved.
• Joe may escalate the case if he is unable to resolve the issue.


Attack Surface Risk Management

Open Trend Vision One console



The apps in the Attack Surface Risk Management group provide the analyst with a wide
range of details regarding vulnerabilities in the environment, misconfigurations,
recommended security features, current cyber risks in the wild, suspicious activity and
behaviors, app activity and more.

Analysts can use these details to prevent attacks and reduce the number of alerts to deal
with by ensuring that resources in the environment are up-to-date and configured properly.
These details also surface risky device and user behaviors.


Learning From Others

Campaign intelligence Intelligence reports

Open Trend Vision One console



Analysts are not on their own when dealing with new threats. Trend Vision One includes
capabilities that incorporate shared threat information gathered from other trusted
sources.

These include:
Campaign Intelligence: The Campaign Intelligence app collects and organizes information
about active threats and threat actors. Campaign Intelligence is an always up-to-date
information resource for active threats and threat actors, curated by Trend Micro threat
experts. Analysts can view threat campaign details by targeted countries or industries. This
app will also surface Workbench alerts matched to Campaign Intelligence tracked threats.

Intelligence Reports: The Intelligence Reports app allows analysts to leverage valuable
indicators of potential threats from curated intelligence reports. The data lake is swept for
any indicators of compromise reported by trusted third parties. Analysts can also create
custom intelligence reports by subscribing to TAXII feeds or by retrieving data from a MISP
server.


Summary

Earlier threat detection
Faster threat investigation
Advanced correlation
Complete response
Sweeping with new intel
Companion AI

32 | ©2024 Trend Micro Inc.

Benefits of Trend Vision One Extended Detection and Response include:

Earlier threat detection


• Improves visibility and reduces silos, unearthing threats that evade detection by hiding
between security layers whose alerts are not connected.
• Correlates low-confidence events across security vectors to quickly detect complex,
multi-layer attacks.
• Detects and stops threats before they take hold.
• Comprehensive MITRE ATT&CK mapping (a common framework and language for the SOC
team) delivers visualizations of trending alerts to give a clear understanding of the
tactics, techniques, and procedures associated with suspicious activity in the
environment.
• Early threat indication tooling analyzes, predicts, and alerts security teams before an
event can happen.

Faster threat investigation


• Power to search, investigate, analyze, and respond from a single console, leveraging AI
assistance to understand complex threat activity.
• Quickly visualize the full attack story. XDR automatically pieces together fragments of
malicious activity and paints a complete picture across security layers.


Advanced correlation leveraging native and third-party data


• Native sensors deliver deep activity data, not just XDR detections, across endpoint,
email, server, network, cloud workloads and more. This provides full context for every
piece of data the platform produces. Vendors that do not leverage native integrations
can struggle to make sense of data they do not own.
• The API-friendly platform integrates third-party inputs (firewall, vulnerability
management, network, identity and access management, SIEM, SOAR, for example) for
analytical enrichment, as well as for optimizing processes and workflows.
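The correlation idea in the "Earlier threat detection" bullets (low-confidence events from several security vectors chained into one detection) and in this section (native and third-party sources feeding the same analysis) can be shown with a small, generic correlator. The code below is an added example for this guide, not Trend Vision One's detection logic: the ten-minute window, the scoring rule, the alert threshold and the event records are all constructed assumptions. The ATT&CK technique IDs on the events are real (T1566.001 Spearphishing Attachment, T1059.001 PowerShell, T1071.001 Web Protocols).

```python
"""Correlate low-confidence events from several sensors into one alert.

Added illustration of cross-layer correlation; not Trend Vision One code.
Window, threshold, scoring and sample events are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed: events this close on one host are chained
ALERT_THRESHOLD = 0.6            # assumed: combined score needed to raise an alert

# Constructed sample events from three different sensors. On their own, none of
# them crosses ALERT_THRESHOLD; only the chain on WS-042 should become an alert.
SAMPLE_EVENTS = [
    {"id": "em-1", "ts": "2024-03-01T09:00:05Z", "source": "email", "host": "WS-042",
     "user": "alice", "event": "attachment_opened", "confidence": 0.3, "technique": "T1566.001"},
    {"id": "ep-1", "ts": "2024-03-01T09:01:10Z", "source": "endpoint", "host": "WS-042",
     "user": "alice", "event": "office_spawned_powershell", "confidence": 0.4, "technique": "T1059.001"},
    {"id": "nt-1", "ts": "2024-03-01T09:02:30Z", "source": "network", "host": "WS-042",
     "user": "alice", "event": "rare_outbound_connection", "confidence": 0.3, "technique": "T1071.001"},
    # bob's two events are hours apart: same host, but not one chain
    {"id": "ep-2", "ts": "2024-03-01T11:45:00Z", "source": "endpoint", "host": "WS-017",
     "user": "bob", "event": "office_spawned_powershell", "confidence": 0.4, "technique": "T1059.001"},
    {"id": "nt-2", "ts": "2024-03-01T15:00:00Z", "source": "network", "host": "WS-017",
     "user": "bob", "event": "rare_outbound_connection", "confidence": 0.3, "technique": "T1071.001"},
]


def _parse_ts(ts):
    # fromisoformat() only accepts the trailing "Z" on Python 3.11+, so normalize it
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def cluster_by_host(events, window=WINDOW):
    """Group events per host into chains; a chain holds every event that starts
    within `window` of the chain's first event."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    chains = []
    for evs in by_host.values():
        evs.sort(key=lambda e: _parse_ts(e["ts"]))
        current = []
        for ev in evs:
            if current and _parse_ts(ev["ts"]) - _parse_ts(current[0]["ts"]) > window:
                chains.append(current)
                current = []
            current.append(ev)
        if current:
            chains.append(current)
    return chains


def combined_score(chain):
    """Probability that at least one event in the chain is truly malicious,
    treating the per-event confidences as independent (an assumption)."""
    not_malicious = 1.0
    for ev in chain:
        not_malicious *= 1.0 - ev["confidence"]
    return 1.0 - not_malicious


def correlate(events, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Raise one alert per chain that spans at least two sources and whose
    combined score reaches the threshold."""
    alerts = []
    for chain in cluster_by_host(events, window):
        sources = {ev["source"] for ev in chain}
        score = combined_score(chain)
        if len(sources) >= 2 and score >= threshold:
            alerts.append({
                "host": chain[0]["host"],
                "user": chain[0]["user"],
                "score": round(score, 3),
                "sources": sorted(sources),
                "techniques": sorted({ev["technique"] for ev in chain}),
                "event_ids": [ev["id"] for ev in chain],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The point to take away is in the numbers: the three WS-042 events score 0.3, 0.4 and 0.3 on their own, but together they reach 0.706 and span email, endpoint and network, so the chain is worth an analyst's time even though no single sensor would have alerted. The independence assumption and the fixed window are the two knobs a real correlation engine tunes per detection model; treat them as placeholders.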

Complete response
• Enact embedded response options across multiple security layers from one location and
with one action (e.g. quarantine an email across multiple mail accounts, or block an IP
address across email, endpoint, servers and cloud).
• Automated remediation capabilities deal with threats like ransomware (e.g. automatically
restore files damaged prior to detection, or clean up malware automatically).
• Automate and integrate detection and response with Trend Vision One APIs and
integration partners, including SIEM and SOAR.
• Manually and automatically submit samples for analysis in a secure virtual environment.

Sweeping with new intel


Because the data lake records the details of every process run, every network connection
made, and so on, Trend Vision One can continually sweep it with new threat intelligence
obtained from trusted third parties. Trend also updates its detection models on a regular
basis, and the data lake is searched again to take those updates into account, so activity
recorded before the intelligence was available is still examined.
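What a retrospective sweep looks like in practice, for both the Intelligence Reports passage earlier (indicators arriving from TAXII feeds or a MISP server) and the paragraph above, is easiest to see in a small, generic version of it. The following code is an added example for this guide and is not Trend Vision One code; it uses no Vision One API. The STIX 2.1 bundle (shaped like what a TAXII collection or a MISP STIX export returns), the field-name mapping and the telemetry records are all constructed here, and only simple single-comparison STIX patterns are handled.

```python
"""Sweep already-recorded telemetry for indicators from a STIX 2.1 bundle.

Added illustration of sweeping a data lake with third-party IOCs; not Trend
Vision One code. Bundle, schema mapping and telemetry are constructed samples.
"""
import re
from collections import defaultdict

# Only simple "[path = 'value']" patterns are handled; anything more complex is
# reported as skipped rather than silently ignored, so the analyst knows what
# the sweep did NOT cover.
_SIMPLE_PATTERN = re.compile(
    r"^\[\s*(?P<path>[A-Za-z0-9_\-:.']+)\s*=\s*'(?P<value>[^']*)'\s*\]$"
)

# Assumed mapping from STIX object paths to the field names of the constructed
# telemetry schema below; a real data lake has its own field names.
PATH_TO_FIELD = {
    "file:hashes.'SHA-256'": "file_sha256",
    "file:hashes.'MD5'": "file_md5",
    "ipv4-addr:value": "dst_ip",
    "domain-name:value": "dst_domain",
    "url:value": "url",
}

# Constructed sample bundle (indicator IDs and values are made up for this example).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000001",
         "name": "Loader SHA-256", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08']"},
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000002",
         "name": "C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000003",
         "name": "C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.net']"},
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000004",
         "name": "Compound pattern", "pattern_type": "stix",
         "pattern": "[process:name = 'x.exe' AND process:pid > 100]"},
    ],
}

# Constructed sample telemetry: activity recorded before the intel arrived.
SAMPLE_TELEMETRY = [
    {"id": "ep-1001", "source": "endpoint", "host": "WS-042", "event": "process_start",
     "file_sha256": "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08"},
    {"id": "ep-1002", "source": "endpoint", "host": "WS-017", "event": "process_start",
     "file_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"id": "net-2001", "source": "network", "host": "WS-042", "event": "connection",
     "dst_ip": "198.51.100.23", "dst_domain": "update.example.net"},
    {"id": "net-2002", "source": "network", "host": "SRV-03", "event": "connection",
     "dst_ip": "203.0.113.5", "dst_domain": "cdn.example.org"},
]


def load_indicators(bundle):
    """Return (usable, skipped): usable is a list of (field, value, indicator)
    tuples with values lower-cased; skipped lists indicator IDs whose pattern
    this simple matcher cannot evaluate."""
    usable, skipped = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = _SIMPLE_PATTERN.match(obj["pattern"])
        field = PATH_TO_FIELD.get(m.group("path")) if m else None
        if field is None:
            skipped.append(obj["id"])
            continue
        usable.append((field, m.group("value").lower(), obj))
    return usable, skipped


def sweep(records, indicators):
    """Match each record's fields against the loaded indicators, case-insensitively,
    using one dictionary lookup per (record, field) rather than a nested loop."""
    index = defaultdict(dict)
    for field, value, obj in indicators:
        index[field][value] = obj
    hits = []
    for rec in records:
        for field, values in index.items():
            observed = rec.get(field)
            if observed is None:
                continue
            obj = values.get(str(observed).lower())
            if obj is not None:
                hits.append({"record_id": rec["id"], "host": rec["host"], "field": field,
                             "indicator": obj["id"], "name": obj["name"]})
    return hits


def hosts_with_hits(hits):
    """Collapse hits into the hosts an analyst should look at first."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].add(h["name"])
    return {host: sorted(names) for host, names in by_host.items()}


if __name__ == "__main__":
    indicators, skipped = load_indicators(SAMPLE_BUNDLE)
    found = sweep(SAMPLE_TELEMETRY, indicators)
    for hit in found:
        print(hit)
    print("hosts to triage:", hosts_with_hits(found))
    print("patterns not evaluated:", skipped)
```

Two details matter for a practitioner: hashes and domains are compared case-insensitively, because sensors and feeds do not agree on casing, and every indicator the matcher cannot evaluate is returned in `skipped` instead of being dropped, so a sweep that reports no hits can be distinguished from one that never looked. A full STIX pattern evaluator (boolean operators, comparison operators, observation expressions) is a separate piece of work; this example deliberately refuses anything beyond a single equality.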

Companion AI
To understand attacks quicker, Trend Vision One Companion uses AI to explain the attacker’s
actions and recommend the best next steps.


Best Practices
• Connect as many data sources as possible
• Endpoints should always host both a security agent and a sensor
• Consult the Attack Surface Risk Management apps regularly to monitor
your Risk Index as well as risky users and devices
• Keep up to date on emerging security threats/trends/issues
− Take advantage of the Campaign Intelligence app to understand who is being
affected by recent attack campaigns
− Take advantage of Curated Intelligence Reports to learn from others
• Keep communication open with others in IT organization
− Learn of new additions to the environment
− Share what has been discovered as sources of compromise

33 | ©2024 Trend Micro Inc.

These are just a few of the best practices related to incident response and XDR.
• Improve the breadth of data collected by connecting as many data sources as possible,
including Trend products and third-party products.
• Endpoints should always host both a security agent and a sensor.
• Consult the Attack Surface Risk Management apps regularly to monitor your Risk Index
as well as risky users and devices, vulnerabilities and more. These apps can offer
remediation actions to harden your systems and avoid future compromises or attacks.
• Keep up to date on security threats, trends and issues through security blogs, industry
web sites, industry journals and more.
− Take advantage of Campaign Intelligence to understand who is being affected by
recent attack campaigns.
− Take advantage of Curated Intelligence Reports to learn from others.
• Always stay in contact with other members of the IT organization.
− Learn about recent changes to the environment, including additions, new devices and
new software. Offer suggestions on how these can be hardened to avoid compromise.
− When a compromise has occurred, share the details so that it does not become an
issue again in the future.


Best Practices

• Take advantage of automation tools, such as Playbooks


• Make sure endpoint security solutions are regularly updated and
patched
− Monitor the Security Configuration tab of the Executive Dashboard
• Stay informed about relevant regulatory requirements and
compliance standards
• Document and share lessons learned
• Think like an attacker
• Consider Trend Managed Services if your organization does not have
adequate incident response resources

34 | ©2024 Trend Micro Inc.

• Take advantage of automation tools, such as Playbooks, to avoid repetitive tasks.
• Make sure endpoint security solutions are regularly updated and patched.
− This might be someone else's responsibility; monitor the Security Configuration tab
of the Executive Dashboard to confirm that it is being done.
• Stay informed about relevant regulatory requirements and compliance standards.
− Ensure that security measures align with industry best practices and legal
requirements.
• Document lessons learned.
− Use these to improve processes.
• Think like an attacker.
− Understand how attackers think and operate to anticipate their tactics and
techniques.
• Consider Trend Managed Services if your organization does not have adequate incident
response resources.
− Trend Micro Managed Services provides 24/7 monitoring and detection, rapid threat
investigation and mitigation, as well as expert threat hunting.


Try it yourself

30-day full access trial


35 | ©2024 Trend Micro Inc.

A 30-day full-access trial of Trend Vision One is available.


Thank you for attending

Please complete the course survey

©2024 Trend Micro Inc.

Please complete the class survey at the following URL or by scanning the QR code:
https://www.surveymonkey.com/r/TrendMicroVisionOne

This helps guide the development of courses and helps ensure that content matches your
requirements.

Thank you for attending.
