Having the incident details available in the Cortex™ XSOAR platform enables analysts to execute a series of manual or automated actions through the Trend Micro Vision One™ platform in response to a potential threat. In the initial release of this content pack, we have made the following response actions available:
| Response action | Description |
| --- | --- |
| Add item to exception list | Adds domains, IP addresses, URLs, or file hashes to the known good list |
| Remove item from the exception list | Removes domains, IP addresses, URLs, or file hashes from the known good list |
| Add item to suspicious objects list | Adds domains, IP addresses, URLs, or file hashes to the suspicious object list and specifies the action to take if they are discovered (log or block) |
| Remove item from suspicious objects list | Removes domains, IP addresses, URLs, or file hashes from the suspicious object list |
| Collect files | Collects the specified file from an endpoint during an investigation |
| Submit a file for sandbox analysis | Submits a file to the Trend Micro Vision One sandbox for automated analysis |
| Retrieve sandbox analysis report | Retrieves the analysis report, IOCs, or artifacts available after automated analysis |
| Quarantine email message | Removes the specified email message from the user's mailbox and places it in the mail quarantine |
| Delete email message | Permanently deletes the specified email message from the user's mailbox |
| Gather information on an endpoint | Gathers information from the endpoint such as the currently logged-on user, operating system details, IP address, hostname, and MAC address |
| Terminate process | Terminates the specified process if it is currently running on an endpoint |
| Isolate endpoint | Blocks all network activity on an endpoint while the system is being investigated |
| Restore endpoint connection | Restores network connectivity on an endpoint after investigation and/or remediation has occurred |
| Check action status | Checks the status of a triggered Trend Micro Vision One response action |
These actions lend the power of Trend Micro Vision One™ to analysts as they investigate and respond to incidents. All of these actions can be run manually or can be included in the organization's pre-defined playbooks for automated response.
To demonstrate the value of these integrated platforms, let us walk through a use case where the combination of Trend Micro Vision One™ and Palo Alto Networks Cortex™ XSOAR improved a customer's ability to investigate and respond to incidents.
Scenario: When credential dumping was detected on a host, the security operations team wanted to automate the collection of artifacts for use in the subsequent investigation. Threat actors are very efficient at cleaning up their tracks to evade tracing, so this collection would need to be executed quickly.
Trend Micro Vision One™ is very effective at identifying the various techniques threat actors use to discover credentials. One commonly used technique that gets detected is the dumping of credentials from the Local Security Authority Subsystem Service (LSASS) process in Microsoft Windows.
Disclaimer
Trend Micro Inc. published this content on 14 February 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 14 February 2022 22:03:08 UTC.