The Automated Response Actions work is when a detection model triggers an alert, Trend Vision One automatically investigates highlighted objects detected by the model, evaluates and analyzes the evidence collected, and further identifies certain objects as "Highly Suspicious" or "Suspicious", and then automatically respond to critical alerts or events, which speeds up response and minimizes the impact scope.
Based on the automation settings, Trend Vision One will create response tasks to perform on the associated objects or events.
Automation Settings
- The "Semi Automation" automatically creates a response task but still requires Customer's approval in the Response Management app before task execution.
Click the image to enlarge.
Click the image to enlarge.
- The "Full Automation" automatically creates a response task and executes it for the associated objects automatically without customer's manual intervention.
Click the image to enlarge.
Automation Scope
All Workbench Alert with the following Model severity:
- Low
- Medium
- High
- Critical
Automation Trigger Condition
- There are objects that are identified as "Highly Suspicious" or "Suspicious" in the workbench.
- Enabled the automation settings: "Semi Automation" or "Full Automation" for "Suspicious" and "Highly Suspicious"
- Automated Response current only supports file-based, URLs are not yet.
- "No matching objects found", which means no automated response task is triggered.
Score in Alert View vs. Suspicious/Highly Suspicious in Automated Response
There is no relationship between "[Score] in [Alert View]" and "Automated Response of Suspicious and Highly Suspicious".
- Score in Alert View
- Model severity is defined by a threat expert. Each model will only have one severity.
- The score is calculated by the workbench when the workbench receives an alert triggered by SAE. It will depend on the model severity and how much impact scope is in the raw alert.
- Suspicious and Highly Suspicious in Automated Response (SAE)
- After the workbench alert is generated, the workbench team will send the alert-related information to SAE, SAE calculated Suspicious or Highly Suspicious depending on each highlighted object in the alert.