Trend Vision One XDR Advanced

Lab Guide
Copyright © 2024 Trend Micro Incorporated. All rights reserved.

Trend Micro, the Trend Micro logo, the t-ball logo, and [other Trend trademarks] are
trademarks or registered trademarks of Trend Micro Incorporated. All other company
and/or product names may be trademarks or registered trademarks of their owners.
Information contained in this document is subject to change without notice. Trend Micro,
the Trend Micro logo, and the t-ball logo Reg. U.S. Pat. & Tm. Off.

For details about what personal information we collect and why, please see our Privacy
Notice at trendmicro.com/privacy

Released: September 26, 2024


Courseware v1.0
Lab 1: Data Sources, Observed Attack Techniques and Detection Models

Estimated time to complete this lab: 15 minutes

Access the Trend Vision One console:


● Click on the link in the email invite sent from [email protected].

● Click on "Access Platform Experience."

● Click on "Start Experience."

● Click on the "Vision One" link to open your Trend Vision One console.

Exercise 1: Answer the following


1 What data sources are currently enabled in this instance of Trend Vision One?
______________________________________________________________________________________
______________________________________________________________________________________
2 How many detection models are currently available in Trend Vision One?
______________________________________________________________________________________
3 How many of these are assigned the Severity level of Critical?
______________________________________________________________________________________
4 How many of these are used exclusively for Standard Endpoint Protection?
______________________________________________________________________________________
5 What is/are the most recently updated Detection Model(s)?
______________________________________________________________________________________
6 How many of the total number of Detection Models are currently disabled in this instance of
Trend Vision One?
______________________________________________________________________________________
7 Why is the ability to enable or disable a Detection Model greyed out in this instance of Trend
Vision One?
______________________________________________________________________________________
8 Filter the Observed Attack Techniques list to display entries at the Critical and High level for the
last 30 days. Expand the entry captured by the Demo - Possible Credential Dumping via Registry
Hive detection filter.
How many entries did it locate?
______________________________________________________________________________________

© 2024 Trend Micro Inc. Education 1
What is the name of the endpoint affected?
______________________________________________________________________________________
Trend Vision One analyzes Highlighted Objects to correlate alerts. How many Highlighted Objects
are in this Observed Attack Technique?
______________________________________________________________________________________
What is the name of the file that was run through the command prompt?
______________________________________________________________________________________
What MITRE technique was used?
______________________________________________________________________________________
What MITRE tactic uses this technique?
______________________________________________________________________________________
What platforms may be affected by this technique?
______________________________________________________________________________________
9 Filter the Observed Attack Techniques list to display entries at the Critical and High level for the
last 30 days. Expand the entry captured by the Disable Windows Defender Realtime Monitoring
detection filter.
Which user was affected by this technique?
______________________________________________________________________________________
What operating system is being used on this user’s device?
______________________________________________________________________________________
What component/product was responsible for detecting this technique?
______________________________________________________________________________________
When was this technique seen for the first time for this entry?
______________________________________________________________________________________
10 Filter the Observed Attack Techniques list to display entries at the Critical and High level for the
last 30 days. Expand the entry captured by the Suspicious Child Process Execution via
UserInit detection filter.
What process was used in this detection?
______________________________________________________________________________________
What is the IPv4 address of the victim in this detection?
______________________________________________________________________________________
What MITRE tactic(s) is/were used in this detection?
______________________________________________________________________________________
What operating systems can be affected by the MITRE technique used here?
______________________________________________________________________________________

Lab 2: Workbenches
Estimated time to complete this lab: 15 minutes

Access the Trend Vision One console:

● Click on the link in the email invite sent from [email protected].

● Click on "Access Platform Experience."

● Click on the "Vision One" link to open your Trend Vision One console.

Exercise 1: Answer the following


1 Filter the list of Workbenches to display all the entries for the last 30 days and locate the
Privilege Escalation Through UAC Bypass workbench. (Hint: use the Model name field to simplify
locating this workbench)
What product was responsible for this workbench?
______________________________________________________________________________________
What endpoint was affected in this workbench?
______________________________________________________________________________________
What user was affected in this workbench?
______________________________________________________________________________________
What happened in this workbench?
______________________________________________________________________________________
2 Filter the list of Workbenches to display all the entries for the last 30 days.
Open the Possible Disabling of Antivirus Software workbench. What actions can be applied to
the user account affected by this workbench?
______________________________________________________________________________________
______________________________________________________________________________________
What application was used to disable Windows Defender RealTime Monitoring?
______________________________________________________________________________________
What MITRE tactic is being used in this workbench?
______________________________________________________________________________________
3 Filter the list of Workbenches to display all the entries for the last 30 days.
Open the Demo - Copying of NTDS File workbench. What component/product was the source for
this workbench entry?
______________________________________________________________________________________
What is the file that was copied in this event?
_____________________________________________________________________________________

What is the score and severity level of this workbench?
______________________________________________________________________________________
4 On the Workbench Insights tab, filter the list to display entries that were Last Updated and
Created in the last 30 days.
Click to open the Detection avoidance by Data Encrypted for Impact insight. How many
workbench alerts make up this insight?
______________________________________________________________________________________
Why were these workbenches correlated into an insight?
______________________________________________________________________________________
What MITRE tactics are being used by the entries that make up this insight?
______________________________________________________________________________________

Lab 3: Searches
Estimated time to complete this lab: 15 minutes

Access the Trend Vision One console:

● Click on the link in the email invite sent from [email protected].

● Click on "Access Platform Experience."

● Click on the "Vision One" link to open your Trend Vision One console.

Exercise 1: Search queries


Create and run the search queries to locate the following information in the data lake. In all examples,
search for the last 30 days.
1 Locate endpoint activity entries involving the admin user on an endpoint called TRILOGY-PC5.
______________________________________________________________________________________
How many entries were retrieved?
______________________________________________________________________________________

2 Locate endpoint activity entries where any batch scripts (*.bat) were run on any Windows
devices.
______________________________________________________________________________________
How many entries were retrieved?
______________________________________________________________________________________

3 Locate observed attack technique entries that use MITRE technique 1059. (Hint: Use the
tags field to search for MITRE tactics and techniques.)
How many entries were retrieved?
______________________________________________________________________________________

4 Locate any general entries where Java applications were run on a Windows Server 2019
computer.
______________________________________________________________________________________
What is the name of the endpoint?
______________________________________________________________________________________

5 What is the name of the endpoint that the user called Gunter is logging onto?
______________________________________________________________________________________

6 Locate any observed attack techniques at a filter risk level of medium involving an endpoint host
name of VMI-Printserver01.
______________________________________________________________________________________
