Views:
  • What are the limitations and best practices for Search App?


    General Search

    1. The query is sent to every data source listed under Query Methods, and a limit of 200 records is fetched from each data source.
    2. Search App merges the data from all data sources and sorts it by event time.
    3. If the query condition is too general, or the time range is too long, the query to some data sources may time out.
    4. Because the returned results cover different event time ranges, Search App cuts the merged data at the event time of any result set that reached the 200-record limit.

    General search does not support the "scroll down for more" function. It is designed to return quick matches; switch to an advanced search method with a specified data source for a more detailed query.
    The major concerns with increasing the limits in general search are system performance, service cost to the data lake, and user experience.
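
    The following Python script is an added illustration, not code from this article or from Trend Vision One, of why general search can silently drop older events. It models each data source returning at most 200 records (the cap stated above), merges them by event time, and applies the time cut. The cut-off rule it uses is an assumption made to match the description: a source that returned a full 200 records may hold older records that were never fetched, so everything older than the most recent "oldest returned event" among such sources is discarded from every source. The sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

PER_SOURCE_LIMIT = 200  # per-data-source cap stated in the article


@dataclass(frozen=True)
class Event:
    source: str
    event_time: datetime
    summary: str


def query_source(records: List[Event], limit: int = PER_SOURCE_LIMIT) -> List[Event]:
    """Model one data source answering a query: the newest `limit` records only."""
    return sorted(records, key=lambda e: e.event_time, reverse=True)[:limit]


def merge_general_search(
    per_source: Dict[str, List[Event]], limit: int = PER_SOURCE_LIMIT
) -> Tuple[List[Event], Optional[datetime]]:
    """Merge per-source result sets newest-first and apply the time cut.

    Assumed rule: a source that returned `limit` records may hold more, older
    records that were never fetched. The most recent 'oldest returned event'
    among such sources becomes the cut-off; events older than it are dropped
    from every source so the merged timeline is complete up to the cut-off.
    """
    cutoff: Optional[datetime] = None
    for results in per_source.values():
        if len(results) >= limit:
            oldest = min(e.event_time for e in results)
            if cutoff is None or oldest > cutoff:
                cutoff = oldest
    merged = sorted(
        (e for results in per_source.values() for e in results),
        key=lambda e: e.event_time,
        reverse=True,
    )
    if cutoff is not None:
        merged = [e for e in merged if e.event_time >= cutoff]
    return merged, cutoff


def build_sample_sources(now: datetime = datetime(2022, 1, 5, 12, 0, 0)) -> Dict[str, List[Event]]:
    """Constructed sample data: one busy source and two quiet ones."""
    return {
        # 300 endpoint events, one per minute: more than the 200 cap
        "endpoint_activity": [
            Event("endpoint_activity", now - timedelta(minutes=i), f"process event {i}")
            for i in range(300)
        ],
        # 10 detections spread over 27 hours: well under the cap
        "detections": [
            Event("detections", now - timedelta(hours=3 * i), f"detection {i}")
            for i in range(10)
        ],
        # 50 cloud events, one every 10 minutes: under the cap
        "cloud_activity": [
            Event("cloud_activity", now - timedelta(minutes=10 * i), f"cloud event {i}")
            for i in range(50)
        ],
    }


def run_example() -> Tuple[List[Event], Optional[datetime]]:
    """Run the constructed scenario: busy endpoint source forces a cut-off."""
    raw = build_sample_sources()
    responses = {name: query_source(records) for name, records in raw.items()}
    return merge_general_search(responses)


if __name__ == "__main__":
    merged, cutoff = run_example()
    print(f"cut-off time: {cutoff}")
    for name in ("endpoint_activity", "detections", "cloud_activity"):
        print(name, sum(1 for e in merged if e.source == name))
```

    In the constructed scenario the endpoint source hits its cap at 199 minutes before "now", so detections and cloud events older than that are dropped even though those sources returned far fewer than 200 records. This is the practical reason to narrow the time range or switch to an advanced search method when investigating a busy source alongside quiet ones.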

    Advanced Search

    Previously, scrolling down fetched another set of 500 records, but this behavior has been removed.
    Search App released a new scroll method on January 5, 2022. With this method, Search App displays 50 records. To show more results, scroll down; this fetches records 51-100, and every further scroll returns the next 50 records. There is no limit on the total number of records returned if you continue to scroll down. This scroll method is only supported for endpoint activity data, detections, and cloud activity data (preview).

    Data Grouping Column

    Search App sets the maximum list size for the Data Grouping column to 10. Increasing the maximum may cause performance issues, so the default value is set to 10.

    Export Result

    Clicking Export Results only exports the events currently displayed on the page; you need to scroll further to export more results.
    On January 5, 2022, Search App released a new feature that supports exporting large query results.


    For CSV and JSON (displayed only) exports, the limit on exported results depends on the limit on returned results for the search method used. For search methods that support scroll and retry, there is no limit on the displayed results or on the results that can be exported. For methods that do not support scroll and retry, the exported results are limited to the displayed results. For example, general search is limited to displaying and exporting 200 events.

    Since February 14, 2022, the Export CSV option has been unavailable only for the raw log JSON view (that is, the default column view).
  • Why does Watchlist fail to send notification email

    The Saved Queries function has been configured to search for ".exe" with Watchlist enabled for email notifications. You can search for ".exe" in Search App, but you do not receive a notification email.

    General search does not support Watchlist. Watchlist only supports the endpointActivityData and Detections sources.

    Switch to an endpointActivityData or Detections search first, then save the query. Go to the Saved Queries page and turn on the Watchlist switch, as shown in the attached screenshot.


    XDR already shows a tip for this action.


  • The endpoint from Deep Security listed in TAD does not have record in Search App. Why is this?

    This is because the TAD app lists endpoints according to the SPN feedback log, whereas Search App searches the telemetry log instead of the SPN feedback log, and the Search tenant searches Cloud One - Workload Security instead of Deep Security. That is why the result does not show tenant information.

  • What is the difference between the "General" and "Endpoint Activity Data" search methods?

    "General Search" uses a common key search across the whole data lake (which includes all products registered to Trend Vision One). The common key is transformed into the search key of each data lake. General search only returns 200 records and does not have a next page.
    "Endpoint Activity Data" only returns telemetry logs collected from endpoint products, including "Trend Micro Apex One as a Service", "Trend Cloud One - Endpoint & Workload Security", "Endpoint Sensor", and "Trend Micro Deep Security Software".
    Advanced search fetches 500 records from the data lake on the first query. You can scroll down to get the next page of 500 records, and repeat until you have all the records.

  • Date Retention of Search log

    Trend Micro Vision One retains the collected raw information for 30 days by default, unless the customer purchases the extended storage option (a maximum of 365 days is offered). It also generates and retains alert workbenches for 180 days to give customers the information needed for investigation and reporting. All data is deleted upon license expiration plus a 30-day grace period.
    For more details, refer to the KB article Trend Micro Vision One Security and Privacy Overview.

  • Can I add an exception using the "remarks" field?

    Currently, the "remarks" field cannot be used to set an exception in Detection Model Management, and this is not part of the product roadmap.

  • I got the error, "Unable to connect the data source...(Error code:6000307)." What should I do?

    This is a timeout when accessing the data source. The data lake may not have responded in time, or it may be offline, causing the connection failure. Try again; if the issue persists, contact your support provider.

  • How can I search network activity data?

    Below are some use cases and examples for your reference:

    Use case                                                  Search method          Query
    Search for successful HTTP connection                     Network Activity Data  app:HTTP AND respCode:200
    Search for SMB connection with specific file hash         Network Activity Data  app:SMB AND fileHash:$fileHash
    Search for RDP connection and exclude specific client IP  Network Activity Data  (app:RDP OR serverPort:3389) AND NOT clientIp:$clientIP
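
    As an added illustration, not code from this article or from Trend Vision One, the following Python script evaluates the three example queries above against constructed sample network activity records, so you can see which records each query would keep and which it would exclude. It assumes Lucene-style precedence (NOT binds tightest, then AND, then OR), that a `field:value` term is an exact string comparison, and that `$name` placeholders such as `$fileHash` and `$clientIP` are filled in before evaluation; these are assumptions about the query syntax, not documented product behavior.

```python
import re
from typing import Any, Callable, Dict, List, Optional

# Constructed sample network activity records (not real telemetry).
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"app": "HTTP", "respCode": 200, "clientIp": "10.0.0.5", "serverPort": 80},
    {"app": "HTTP", "respCode": 404, "clientIp": "10.0.0.6", "serverPort": 80},
    {"app": "SMB", "fileHash": "aaaa1111", "clientIp": "10.0.0.7", "serverPort": 445},
    {"app": "SMB", "fileHash": "bbbb2222", "clientIp": "10.0.0.8", "serverPort": 445},
    {"app": "RDP", "clientIp": "10.0.0.9", "serverPort": 3389},
    {"app": "RDP", "clientIp": "10.0.0.10", "serverPort": 3389},
    {"app": "TLS", "clientIp": "10.0.0.11", "serverPort": 3389},
]

Matcher = Callable[[Dict[str, Any]], bool]

# Tokens: parentheses, the operators, or a field:value term (value stops at
# whitespace or a parenthesis so "respCode:200)" splits correctly).
TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bNOT\b|[A-Za-z_][\w.]*:[^\s()]+")


def substitute(query: str, variables: Dict[str, str]) -> str:
    """Replace $name placeholders; an unsupplied placeholder is an error."""
    def repl(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name not in variables:
            raise KeyError(f"no value supplied for ${name}")
        return variables[name]
    return re.sub(r"\$([A-Za-z_]\w*)", repl, query)


def tokenize(query: str) -> List[str]:
    tokens = TOKEN_RE.findall(query)
    # Every non-space character must belong to some token, else the query is malformed.
    if "".join(tokens) != re.sub(r"\s+", "", query):
        raise ValueError(f"cannot tokenize query: {query!r}")
    return tokens


class Parser:
    """Recursive-descent parser producing a matcher closure (assumed precedence: NOT > AND > OR)."""

    def __init__(self, tokens: List[str]) -> None:
        self.toks = tokens
        self.i = 0

    def peek(self) -> Optional[str]:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self) -> Optional[str]:
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self) -> Matcher:
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self) -> Matcher:
        node = self.parse_and()
        while self.peek() == "OR":
            self.take()
            node = (lambda l, r: lambda rec: l(rec) or r(rec))(node, self.parse_and())
        return node

    def parse_and(self) -> Matcher:
        node = self.parse_not()
        while self.peek() == "AND":
            self.take()
            node = (lambda l, r: lambda rec: l(rec) and r(rec))(node, self.parse_not())
        return node

    def parse_not(self) -> Matcher:
        if self.peek() == "NOT":
            self.take()
            inner = self.parse_not()
            return lambda rec: not inner(rec)
        return self.parse_primary()

    def parse_primary(self) -> Matcher:
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or ":" not in tok:
            raise ValueError(f"expected field:value, got {tok!r}")
        field, value = tok.split(":", 1)
        return lambda rec: field in rec and str(rec[field]) == value


def run_query(query: str, records: List[Dict[str, Any]],
              variables: Optional[Dict[str, str]] = None) -> List[Dict[str, Any]]:
    """Substitute placeholders, parse, and return the matching records."""
    matcher = Parser(tokenize(substitute(query, variables or {}))).parse()
    return [r for r in records if matcher(r)]


if __name__ == "__main__":
    print(run_query("app:HTTP AND respCode:200", SAMPLE_RECORDS))
    print(run_query("app:SMB AND fileHash:$fileHash", SAMPLE_RECORDS, {"fileHash": "bbbb2222"}))
    print(run_query("(app:RDP OR serverPort:3389) AND NOT clientIp:$clientIP",
                    SAMPLE_RECORDS, {"clientIP": "10.0.0.9"}))
```

    The third query is the instructive one: with the parentheses, the non-RDP connection on port 3389 is still returned (the OR branch catches it) while the excluded client is dropped; without them, AND would bind before OR and the meaning would change.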