  • Why isn't an account without MFA (Multi-Factor Authentication) enabled reported on the Operations Dashboard?

    Trend Vision One cannot directly retrieve information about "MFA Disabled" accounts from Azure AD due to Azure AD's limitations. Instead, Trend Vision One determines the MFA status based on a user's sign-in logs. To minimize false alerts, we do not tag any "MFA Disabled" events until there is enough sign-in log data for the account to trigger this event. As a result, you may not see any related events under Operations Dashboard > System Configuration > Accounts with Weak Authentication > MFA Disabled, even if the account in question has not enabled MFA in Azure AD. In such cases, it is advisable to wait until there is sufficient Azure AD sign-in log data. Eventually, "MFA Disabled" accounts will be displayed on the Trend Vision One console.

  • Why am I unable to use the Operations Dashboard and Attack Surface Discovery features?

    Starting from July 3, 2023, access to the Operations Dashboard and Attack Surface Discovery features will require credits or an Attack Surface Risk Management license. To enable these apps, you can go to Trend Vision One > Risk Insights > Operations Dashboard > Credit Setting button > Enable Risk Insights capabilities.

    For more information, refer to Trend Micro Offerings Supporting Credits.

  • Why are patched CVEs still listed in the highly exploitable unique CVEs list?

    Once the system identifies that vulnerabilities have been patched on a computer, it stops reporting these vulnerabilities to Risk Insights, and the patched CVEs disappear from the highly exploitable unique CVEs list. However, vulnerability-related data is synchronized with Risk Insights on a daily basis, so patched CVEs may still appear there for up to one day. In addition, if a computer is shut down or not connected to the network, its current status will not be updated until it regains internet access during the next session.

    If you can confirm that the related patch is installed, you can manually close the CVE in Risk Insights by following the instructions below:

    1. Go to Risk Insights > Operations Dashboard > Vulnerabilities.
    2. Search the CVE ID under HIGHLY EXPLOITABLE UNIQUE CVEs.
    3. Select the CVE and then set the status to Closed. This will reduce the overall risk index.

  • What occurs when I "close" a CVE in Vision One?

    When you "close" a CVE from the Vision One console, that CVE is added to the exception list. Consequently, it will no longer be added to new risk detections. However, this "close" action does not patch the CVE.

  • Do patched CVE vulnerabilities automatically close? Do I need to manually close them? When will the remediated CVE detections be closed? Does closing CVEs reduce the Risk Score?

    Yes, once a CVE vulnerability has been completely patched, the detection will automatically close, typically by the following day. You do not need to manually close them. Moreover, the Risk Score of Vulnerabilities will be reduced.

  • What steps can I take to permanently close specific risk events?

    This feature is not currently available in the Trend Vision One console, but it is already on our development roadmap. In the future, users will have the ability to directly add specific events to the exception list through the user interface. Once an event is added to the exception list, it no longer impacts the risk index or creates new instances. For now, please contact Trend Micro Technical Support to add the event to the exception list in the backend.

  • Why didn't the risk index reduce after the event was closed?

    Please note that after an event is closed, it may take up to four hours for the risk index to update. We recommend checking the risk index again after this period. Furthermore, the risk index is constantly evaluated in real time and can be influenced by newly occurring risk events. Therefore, if other high-risk events occur after the closing of an event, the risk index might not show a decrease. If you need more details about the score analysis, please contact Trend Micro Technical Support.

  • Can I configure the frequency of vulnerability scanning when Trend Micro is the data source?

    Trend Vision One does not currently support configuring the frequency of vulnerability scanning. By default, scanning runs every 24 hours.

  • Why are there multiple "Certificate expired" alerts under Operations Dashboard > System Configuration > Hosts with Insecure Connection Issue for domains that do not belong to this customer?

    1. Internet-facing scanning can include any customer-added domain, even if the domain is not directly related to the customer.
    2. If the customer added a domain that does not belong to them, and this domain or one of its subdomains has an expired certificate, Internet-facing scanning simply discovers these domains and saves the scan results to the backend server.
    3. If these domains are unrelated to the customer, they can be deleted.
