The Sensor used in Apex One SaaS is based on how users deploy Sensors:
- The Apex One Security Agent will use the Apex One Endpoint Sensor (SaaS) when enabling Endpoint Sensor via Apex Central Policy.
- The Apex One Security Agent will use the SecOps Endpoint Sensor when enabling Sensor through Trend Vision One Endpoint Inventory.
| Features | Apex One Endpoint Sensor (SaaS) | SecOps Endpoint Sensor Windows | SecOps Endpoint Sensor Linux | SecOps Endpoint Sensor macOS | |
|---|---|---|---|---|---|
| Resource Usage | Frequency of sending data | Average every 5 minutes | Average every 5 minutes | Every 5 minutes | Every 5 minutes |
| Average Generated Data | 20 MB/agent/day | 7 MB/agent/day | 8.7 MB/agent/day | 6 MB/(agent*day) | |
| Average Network Bandwidth Usage | 20 MB/agent/day | 7 MB/agent/day | 8.7 MB/agent/day | 6 MB/(agent*day) | |
| Local telemetry cache size when sensor cannot send data to server | 500 MB | in memory (50MB) | 200MB | in memory (200MB) | |
| The agent behavior after the license expired | Don't record and send any telemetry data | Currently, when the license expires, the sensor still sends telemetry data to the server and stops renewing the required tokens, so the server will no longer receive the telemetry data. | |||
| Investigation | Based on criteria to do an investigation | ✔️ | ✔️ | ✔️ | ✔️ |
| Do a live investigation to check the present status | ✔️*1 | ✔️*2 | ✔️*2 | ✔️*2 | |
| Detection | Threat Detection w/ Attack Discovery | ✔️*3 | ✔️*4 | ✔️*4 | ✔️*4 |
| Mitigation/Response | Add to User-defined suspicious object | ✔️ | Regarding the mitigation/response features, please refer to the link below for more details.
|
||
| Terminate Process | ✔️ | ||||
| Network isolation of endpoint | ✔️*5 | ||||
| Collect File | ✔️ | ||||
| Remote Shell | ❌ | ||||
| Coordination to EPP production | ✔️*6 | ✔️*7 | ✔️*7 | ✔️*7 | |
*1 The Apex One Endpoint Sensor (SaaS) supports doing live investigation via diskIOC scan, YARA scan, and registry scan.
*2 The SecOps Endpoint Sensor supports checking present status via remote shell feature.
*3 The Apex One Endpoint Sensor (SaaS) has its own attack discovery detection engine. After Apex One is registered to Trend Vision One, the Trend Vision One backend server provides detection capability based on recorded activity data.
*4 SecOps Endpoint Sensor doesn't have a detection engine. However, the Trend Vision One backend service provides detection capability based on recorded activity data.
*5 This is for Windows only and it relies on Apex One EPP.
*6 Apex One Endpoint Sensor (SaaS) is an integrated module of Apex One. If users would like to install Apex One security agent with other EPP products, they have to install the Apex One Coexist agent, not the Full agent.
*7 The SecOps Endpoint Sensor is a standalone sensor, and it can coexist with Trend Micro EPP products and 3rd-party EPP products.