Having the incident details available in the Cortex™ XSOAR platform enables analysts to execute a series of manual or automated actions through the Trend Micro Vision One™ platform in response to a potential threat. In the initial release of this content pack, we have made the following response actions available:

| Response action | Description |
| --- | --- |
| Add item to exception list | Adds domains, IP addresses, URLs, or file hashes to the known good list |
| Remove item from the exception list | Removes domains, IP addresses, URLs, or file hashes from the known good list |
| Add item to suspicious objects list | Adds domains, IP addresses, URLs, or file hashes to the suspicious object list and specifies the action to take if the object is discovered (log or block) |
| Remove item from suspicious objects list | Removes domains, IP addresses, URLs, or file hashes from the suspicious object list |
| Collect files | Collects the specified file from an endpoint during an investigation |
| Submit a file for sandbox analysis | Submits a file to the Trend Micro Vision One sandbox for automated analysis |
| Retrieve sandbox analysis report | Retrieves the analysis report, IOCs, or artifacts available after automated analysis |
| Quarantine email message | Removes the specified email message from the user's mailbox and places it in the mail quarantine |
| Delete email message | Permanently deletes the specified email message from the user's mailbox |
| Gather information on an endpoint | Gathers information from the endpoint such as the currently logged-on user, operating system details, IP address, hostname, and MAC address |
| Terminate process | Terminates the specified process if it is currently running on an endpoint |
| Isolate endpoint | Blocks all network activity on an endpoint while the system is being investigated |
| Restore endpoint connection | Restores network connectivity on an endpoint after investigation and/or remediation has occurred |
| Check action status | Checks the status of a triggered Trend Micro Vision One response action |

These actions lend the power of Trend Micro Vision One™ to analysts as they investigate and respond to incidents. All of these actions can be run manually or can be included in the organization's pre-defined playbooks for automated response.

To demonstrate the value of these integrated platforms, let us walk through a use case where the combination of Trend Micro Vision One™ and Palo Alto Networks Cortex™ XSOAR improved a customer's ability to investigate and respond to incidents.

Scenario: If credential dumping was detected on a host, the security operations team wanted to automate the collection of artifacts to be used during a subsequent investigation. Threat actors are very efficient at cleaning up their tracks to evade tracing, so this activity would need to be executed quickly.

Trend Micro Vision One™ is very effective at identifying the various techniques threat actors use to discover credentials. One commonly used technique that gets detected is the dumping of credentials via the Local Security Authority Server Service (LSASS) process in Microsoft Windows.
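The following Python sketch is an added illustration of the scenario above, not code from Trend Micro, Palo Alto Networks, or the content pack. It shows the two halves of the use case: a conceptual check for a process reading LSASS memory (the kind of event behind an LSASS credential-dumping detection), and the ordered list of collection actions a playbook would queue for the affected host as soon as that check fires. The Sysmon-style "ProcessAccess" event format, the allowlist of system processes, the action names, and every sample log line are constructed for the example; Vision One's own telemetry schema and the content pack's command names are not reproduced here.

```python
"""Constructed example: flag LSASS memory-access events and plan the
artifact-collection response the scenario describes."""
from dataclasses import dataclass

# Windows process access rights (real constants from the Win32 API).
# Reading another process's memory requires PROCESS_VM_READ.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Assumption: system processes that routinely open lsass.exe on a healthy
# host. This allowlist must be tuned per environment; it is illustrative.
KNOWN_GOOD_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed Sysmon-style ProcessAccess records, one per line, key=value
# fields separated by '|'. GrantedAccess is the hexadecimal access mask.
SAMPLE_EVENTS = [
    r"Host=WS-0142|SourceUser=NT AUTHORITY\SYSTEM|SourceImage=C:\Windows\System32\svchost.exe"
    r"|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010",
    r"Host=WS-0142|SourceUser=NT AUTHORITY\SYSTEM|SourceImage=C:\Program Files\Inventory\agent.exe"
    r"|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1400",
    r"Host=WS-0142|SourceUser=CORP\jdoe|SourceImage=C:\Users\Public\tool.exe"
    r"|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
]


@dataclass
class ProcessAccessEvent:
    host: str
    source_user: str
    source_image: str
    target_image: str
    granted_access: int


def parse_event(line: str) -> ProcessAccessEvent:
    """Parse one 'key=value|key=value' record of the constructed format."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessAccessEvent(
        host=fields["Host"],
        source_user=fields["SourceUser"],
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
    )


def is_lsass_dump_candidate(ev: ProcessAccessEvent) -> bool:
    """True when a non-allowlisted process obtained read access to LSASS memory.

    Query-only rights (0x0400 / 0x1000) are common for inventory and
    monitoring tools and are not enough on their own; a memory dump needs
    PROCESS_VM_READ.
    """
    if not ev.target_image.lower().endswith(r"\lsass.exe"):
        return False
    if ev.source_image.lower() in KNOWN_GOOD_SOURCES:
        return False
    return bool(ev.granted_access & PROCESS_VM_READ)


def plan_response(ev: ProcessAccessEvent) -> list[dict]:
    """Order the collection actions from the table above for the affected host.

    Collection comes first so evidence is captured before any clean-up; the
    action names are placeholders for the content pack's commands.
    """
    security_log = r"C:\Windows\System32\winevt\Logs\Security.evtx"
    return [
        {"action": "gather_endpoint_info", "host": ev.host},
        {"action": "collect_file", "host": ev.host, "path": ev.source_image},
        {"action": "collect_file", "host": ev.host, "path": security_log},
        {"action": "submit_file_to_sandbox", "host": ev.host, "path": ev.source_image},
    ]


def triage(lines: list[str]) -> list[tuple[ProcessAccessEvent, list[dict]]]:
    """Return (event, planned actions) for every flagged record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_lsass_dump_candidate(ev):
            hits.append((ev, plan_response(ev)))
    return hits


if __name__ == "__main__":
    for ev, plan in triage(SAMPLE_EVENTS):
        print(f"[{ev.host}] {ev.source_image} read LSASS memory as {ev.source_user}")
        for step in plan:
            print("   ->", step)
```

Of the three constructed records, only the third is flagged: the first comes from an allowlisted system process, and the second carries a query-only access mask. In a real deployment the detection would come from Vision One and the planned steps would be the content pack's commands inside an XSOAR playbook, with the "Check action status" action polled until each collection completes.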

Disclaimer

Trend Micro Inc. published this content on 14 February 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 14 February 2022 22:03:08 UTC.