Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Targeted Attack Detection feature on Vision One

    • Updated:
    • 13 Dec 2021
    • Product/Version:
    • Trend Micro Vision One
    • Trend Micro Vision One
    • Platform:

Trend Micro Vision One has a feature called Targeted Attack Detection (previously called Early Warning Service) that provides the current active attack campaigns and the enabled protection services on their environment.

Make sure that the requirements are me before enabling the Targeted Attack Detection. Refer to Enabling the required services for Targeted Attack Detection.

Periodic analysis of your Smart Protection Network dataModern attacks often involve multiple seemingly unrelated threats. Analysis of Smart Protection Network data allows Trend Micro Vision One to identify previously isolated detections that are likely to be part of complex attack chains.
Continuous analysis of attack campaignsTrend Micro threat researchers monitor and analyze attack campaigns affecting organizations around the world. Their research provides context to identified indicators and allows Trend Micro Vision One to predict possible next steps by attackers.

The Attack campaign provides the information to identify and understand the campaign focus:

  • Targeted Countries / Regions ( ex. North America, Europe)
  • Targeted Industries (ex. healthcare, Financial)
  • What platform is currently being attacked. (ex. Windows, Linux, Mac OS)

Attack Campaign

Click the image to enlarge.

Targeted Attack Detection advises the customer on its risk level based on this information, at the same time, identifying how many Trend protection services were enabled in the environment for security posture assessment.

This section displays the total number of affected endpoints. In this context, "endpoint" consists of desktops and servers. You can find the count and percent change for each category below the total.

Clicking the total opens another screen that displays the following details for each affected endpoint:

  • Endpoint GUID
  • Combined severity of the detected attack indicators
  • Reasons behind the assigned severity
  • Actions that you can perform to mitigate risk
  • The first time an attack indicator was observed on the endpoint

This section displays comparative line graphs for four attack phases that precede command-and-control communication. The attack phases follow the MITRE ATT&CK® technique Matrix for Enterprise.

The graphs provide the following information:

  • How suspicious event counts from the last 14 days compared to your organization's baseline
  • Notable short-term or persistent changes to suspicious event counts (in the form of spikes or steps)
Elevated Suspicious event counts in Initial Access and/or PersistenceAttackers are attempting to gain or maintain their foothold on your network. If successful, they may gain account credentials and access remote systems.
Elevated suspicious event counts in Credential Access and/or Lateral MovementData exfiltration or some form of system impact may soon occur. Attackers may interrupt, manipulate, steal, or destroy your critical assets.
Negligible suspicious event counts in any attack phaseThe numbers are lower than the baseline for your organization and therefore do not require your attention.

Graphs are based on Smart Protection Network data that was analyzed within a specific period. The data may change when any of the following events occur.

  • You connected more management servers to Trend Micro Vision One and enabled specific security features.
  • You installed and enabled XDR sensors.
  • Trend Micro added attack campaigns or indicators to the scan scope.

To detect more suspicious events, enable the recommended security features on all endpoints.


The image below indicates the attack phases and their correlation to an active attack campaign which indicates which pattern of attack.

Attack Phases

Click the image to enlarge.

Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.