Views:

General Product Operation

Active Directory Synchronization
Description	Active Directory synchronization maps the User/Endpoint Directory according to your existing organizational structure.
Data Collected	Active Directory site information: AD site GUID (GUID) AD site name (Name) AD site location (Location) AD site subnet name (subnet name) AD site subnet range (subnet range) Active Directory group information: AD group GUID (objectGUID) AD group common name (cn) AD group distinguished name (distinguishedName) AD group member (member) AD group SID (objectSid) Organizational Unit information: OU GUID (objectguid) OU name (name) OU distinguished name (distinguishedname) OU last logon time (lastLogonTimestamp) User information: User account name (sAMAccountName) User distinguished name (distinguishedName) Manager (manager) Direct reports (directReports) User GUID (objectGUID) Email addresses (mail, proxyAddresses) Job title (title) Department (department) Telephone numbers (telephoneNumber, homePhone) Office name (physicalDeliveryOfficeName) Principal name (userPrincipalName) Display name (displayName) User SID (objectSID) User account properties (userAccountControl)
Console Location	Endpoint Security Operations > Standard Endpoint Protection Administration > Settings > Active Directory and Compliance Settings
Console Settings	Enable Active Directory Synchronization

Contact Groups
Description	Contact Groups for event notifications can include manually added email addresses for additional recipients.
Data Collected	Email address
Console Location	Endpoint Security Operations > Standard Endpoint Protection Logs & Reports > Notifications > Contact Groups
Console Settings	Additional recipients

Application Control Criteria
Description	Application Control supports different types of Application Control criteria for filtering.
Data Collected	File path File name Digital signer
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Resources > Application Control Criteria > [new or existing policy resources]
Console Settings	For File paths match method, type the file path information. For Certificates match method, type the certificate properties. For Hash values match method, type the hash value and the description. For Hash values match method, you can import a file with hash values and file path information.

DLP Data Identifiers
Description	Keyword lists contain special words or phrases that define digital assets belonging to your organization.
Data Collected	Keywords
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Resources > DLP Data Identifiers > Keyword Lists
Console Settings	Add Edit (Click the Name of a list to edit keywords.) Copy Import

Live Investigation: Scan disk files using OpenIOC
Description	Live Investigation performs threat investigations on the current system state. It can be configured to run at specific periods and support a wider set of criteria through the use of OpenIOC and YARA rules.
Data Collected	File name File path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Response > Live Investigation > One-time Investigation > Scan disk files using OpenIOC Response > Live Investigation > Scheduled Investigation > Scan disk files using OpenIOC
Console Settings	Upload OpenIOC File

Live Investigation: Search registry
Description	Live Investigation performs threat investigations on the current system state. It can be configured to directly search registry keys, names, and data stored in the Windows Registry database for changes.
Data Collected	Registry key Registry value name Registry value data
Console Location	Endpoint Security Operations > Standard Endpoint Protection Investigation > Live Investigation > One-time Investigation Investigation > Live Investigation > Scheduled Investigation
Console Settings	Search registry

Syslog Forwarding Service
Description	With the Syslog forwarding service enabled, Apex Central can forward logs to the specified syslog server.
Data Collected	Endpoint name User name File name File path File owner Process name Process path Process owner Registry dump URL IP address MAC address
Console Location	Endpoint Security Operations > Standard Endpoint Protection Administration > Settings > Syslog Settings
Console Settings	Enable syslog forwarding

Troubleshooting Settings
Description	Troubleshooting Settings allow Trend Micro Support to collect information during the troubleshooting process to resolve issues related to the Security Agent program.
Data Collected	User account Host name Domain name IP address MAC address File name File path URL
Console Location	Endpoint Security Operations > Standard Endpoint Protection Administration > Settings > Troubleshooting Settings
Console Settings

Apex One Security Agent Policy Settings

Application Control
Description	Application Control prevents unwanted and unknown applications from executing on your endpoints.
Data Collected	Host name IP address User name File name File path Digital signer Command line input that triggered violation Application Control criteria
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Application Control Settings
Console Settings	Enable Application Control

Application Control: Active Directory accounts
Description	You can specify the user or group names of Active Directory accounts to apply Application Control criteria to.
Data Collected	AD user name AD group name
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Application Control Settings > Assign Rule
Console Settings	Type the user or group name of Active Directory accounts

Behavior Monitoring
Description	Behavior Monitoring provides an additional layer of protection against programs that exhibit malicious behavior.
Data Collected	For detection log: Host name IP address URL File name File path User name Domain Process chain Info For Smart Feedback: Host name IP address File name File path Suspicious file content Industry Country For uploaded files: Quarantined files
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Behavior Monitoring Settings > Rules > Malware Behavior Blocking
Console Settings	Enable Malware Behavior Blocking

Behavior Monitoring: Approved/Blocked Program lists
Description	Behavior Monitoring: Approved/Blocked Program lists
Data Collected	Full file path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Behavior Monitoring Settings > Exceptions
Console Settings

Data Loss Prevention
Description	Data Loss Prevention
Data Collected	For detection log: Host name IP address User name Domain Process name Process Source Destination Email sender Email subject Email recipients URL FTP user account Rule name For uploaded files: Forensic data
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Data Loss Prevention > [new or existing policy] > Apex One DLP > [new or existing rule] > Action
Console Settings	Record data

Data Loss Prevention Exceptions
Description	The Data Loss Prevention Exceptions list contains network locations that Security Agents do not monitor for sensitive information. Data Loss Prevention automatically takes the specified action according to the list type.
Data Collected	IP address Endpoint name FQDN For USB devices: Name Vendor Model Serial number
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One (Mac) > [new or existing policy] > Device Control Settings
Console Settings

Data Discovery
Description	Data Discovery searches endpoints for the presence of sensitive information.
Data Collected	Endpoint domain User name User domain File name File path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Data Loss Prevention > [new or existing policy] > Apex One Data Discovery
Console Settings	Enable Data Discovery

Device Control
Description	Configure Device Control rules to control access to storage devices for specific Active Directory users.
Data Collected	For detection log: User name Target file Full file path For USB devices: Name Vendor Model Serial number
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > Device Control Settings > External Agents/Internal Agents
Console Settings	Add Device Control Rule

Device Control: Allowed Programs
Description	The Device Control Allowed Programs list contains program or publisher names that Security Agents do not block using Device Control. Programs in the specified path or by the specified publisher can execute or perform read/write operations on files in restricted storage devices.
Data Collected	For allowed programs: Full file path File name Digital signer For USB devices: Name Vendor Model Serial number
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > Device Control Settings > External Agents/Internal Agents > All users (default) > Allowed Programs
Console Settings

Manual Scan: Scan Exclusion List (Directories)
Description	The Scan Exclusion List contains directories that Security Agents do not scan during a Manual Scan.
Data Collected	Directory path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > Manual Scan Setting > Scan Exclusion > Scan Exclusion List (Directories)
Console Settings

Manual Scan: Scan Exclusion List (Files)
Description	The Scan Exclusion List contains file names that Security Agent do not scan during a Manual Scan.
Data Collected	File name Directory path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > Manual Scan Setting > Scan Exclusion > Scan Exclusion List (Files)
Console Settings

Predictive Machine Learning
Description	Predictive Machine Learning performs in-depth file analysis to detect emerging unknown security risks.
Data Collected	For cloud query: URL File name File path Digital signer Attachment file name IP address Process name Full process path For detection log: Host name IP address File name File path User name Suspicious process data Domain Full process path For Smart Feedback: Host name IP address File name File path Suspicious file content Industry Country For uploaded files: Quarantined files
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Predictive Machine Learning Settings
Console Settings

Predictive Machine Learning: Exception List
Description	The Predictive Machine Learning Exception List contains the hash values of files that Security Agents do not scan during Predictive Machine Learning scanning.
Data Collected	Notes
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Predictive Machine Learning Setting > Exceptions > Add file
Console Settings

Real-time Scan: Malware detection
Description	Virus/Malware scanning checks files for known security risks.
Data Collected	For detection log: Host name IP address File name File path User name Domain Full process path For Smart Feedback: Host name IP address File name File path Suspicious file content Industry Country For uploaded files: Quarantined files
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Real-time Scan Settings
Console Settings	Enable virus/malware scan

Real-time Scan: Scan Exclusion List (Directories)
Description	The Scan Exclusion List contains directories that Security Agents do not scan during a Real-time Scan.
Data Collected	Directory path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Agent > Real-time Scan Setting > Scan Exclusion > Scan Exclusion List (Directories)
Console Settings

Real-time Scan: Scan Exclusion List (Files)
Description	The Scan Exclusion List contains file names that Security Agents do not scan during a Real-time Scan.
Data Collected	File directory Full file path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > Real-time Scan Setting > Scan Exclusion > Scan Exclusion List (Files)
Console Settings

Sample Submission
Description	Sample Submission enables Security Agents to send suspicious files that may contain previously unknown threats directly to Virtual Analyzer for further analysis.
Data Collected	Suspicious executable file Files detected heuristically (downloaded through supported web browsers or email channels)
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Sample Submission Settings
Console Settings	Enable suspicious file submission to Virtual Analyzer

Scan Now: Malware detection
Description	Virus/Malware scanning checks files for known security risks.
Data Collected	File name File path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Scan Now Settings
Console Settings	Enable virus/malware scan

Scan Now: Scan Exclusion List (Directories)
Description	The Scan Exclusion List contains directories that Security Agents do not scan during Scan Now.
Data Collected	Directory path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Scan Now Settings > Scan Exclusion > Scan Exclusion List (Directories)
Console Settings

Scan Now: Scan Exclusion List (Files)
Description	The Scan Exclusion List contains file names that Security Agents do not scan during Scan Now.
Data Collected	Directory path File name
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Scan Now Settings > Scan Exclusion > Scan Exclusion List (Files)
Console Settings

Scheduled Scan: Malware detection
Description	Virus/Malware scanning checks files for known security risks.
Data Collected	File name File path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Scheduled Scan Settings
Console Settings	Enable virus/malware scan

Scheduled Scan: Scan Exclusion List (Directories)
Description	The Scan Exclusion List contains directories that Security Agents do not scan during a Scheduled Scan.
Data Collected	Directory path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > Scheduled Scan Setting > Scan Exclusion > Scan Exclusion List (Directories)
Console Settings

Scheduled Scan: Scan Exclusion List (Files)
Description	The Scan Exclusion List contains file names that Security Agents do not scan during a Scheduled Scan.
Data Collected	Directory path File name
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > Scheduled Scan Setting > Scan Exclusion > Scan Exclusion List (Files)
Console Settings

Suspicious Connection Detection

Description

Suspicious Connection manages the User-defined and Global IP C&C lists, and monitors the behavior of connections that endpoints make to potential C&C servers.

Data Collected

For detection log:
- Host name
- IP address
- URL
- User name
- Full file path
For Smart Feedback:
- Host name
- IP address
- File name
- File path
- Suspicious file content
- Industry
- Country
  
  Web Reputation Service

Console Location

Endpoint Security Operations > Standard Endpoint Protection
Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Suspicious Connection Settings

Console Settings

Detect network connections made to addresses in the Global C&C IP list

Trusted Program List
Description	Add programs (with a valid digital signature) to the Trusted Programs List to exclude processes from suspicious activity monitoring.
Data Collected	Program full path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Trusted Program List
Console Settings

Web Reputation Service
Description	Web Reputation tracks the credibility of web domains accessed by endpoints.
Data Collected	For cloud query: URL IP address Endpoint name User name For detection log: Host name IP address Full file path URL User name For Smart Feedback: Host name IP address Industry Country URL
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Web Reputation Settings > External/Internal Agents > Enable Web Reputation on the following operation systems
Console Settings	Windows desktop platforms Windows Server platforms

Web Reputation Service: Browser Exploit Prevention
Description	Browser Exploit Prevention identifies web browser exploits and malicious scripts, and prevents the use of these threats from compromising web browsers.
Data Collected	Suspicious or malicious URLs HTTP header/HTML files from Suspicious or malicious URLs Browser information
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Web Reputation Settings > External/Internal Agents > Browser Exploit Prevention
Console Settings	Block pages containing malicious script

Web Reputation Service: Approved/Blocked URL List
Description	The Approved/Blocked URL List contains URLs that Security Agents do not monitor using Web Reputation. Web Reputation automatically takes the specified action according to the list type.
Data Collected	URL
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Web Reputation Settings > External Agents/Internal Agents > Approved/Blocked URL List
Console Settings

Vulnerability Protection
Description	Vulnerability Protection automates the application of virtual patches before official patches become available.
Data Collected	For custom rules: Rule name Rule description Rule configuration For detection log: Host name IP address Rule Application type Attack source Interface Source IP address Source MAC address Source port Destination IP address Destination MAC address Destination port Suspicious process data
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Vulnerability Protection Settings
Console Settings	Enable Vulnerability Protection

Apex One Cloud Console

Smart Feedback
Description	Smart Feedback shares protected threat information with the Smart Protection Network, allowing Trend Micro to rapidly identify and address new threats.
Data Collected	Email address File name File path Host name Suspicious executable files URL
Console Location	Directories > Product Servers > SSO to Apex One Server Administration > Smart Protection > Smart Feedback
Console Settings	Enable Trend Micro Smart Feedback (recommended)

Certified Safe Software Service
Description	The Certified Safe Software Service queries Trend Micro data centers to verify the safety of a program detected by Malware Behavior Blocking, Event Monitoring, Firewall, or antivirus scans.
Data Collected	File name Company
Console Location	Directories > Product Servers > SSO to Apex One Server Agents > Global Agent Settings > System > Certified Safe Software Service Settings
Console Settings	Enable the Certified Safe Software Service for Behavior Monitoring, Firewall, and antivirus scans

User-defined IP List
Description	Administrators can configure Apex One to allow, block, or log all connections between Security Agents and user-defined C&C IP addresses.
Data Collected	IP address
Console Location	Directories > Product Servers > SSO to Apex One Server Agents > Global Agent Settings > Security Settings > Suspicious Connection Settings > Edit User-defined IP list
Console Settings

Firewall: Policy Exception
Description	Security Agents can perform specific actions (block or allow) on network traffic that meets the exception criteria for the traffic direction (inbound or outbound).
Data Collected	Full file path Host name Registry key IP address
Console Location	Directories > Product Servers > SSO to Apex One Server Agents > Firewall > Policies > Add/Edit Policy > Add Exception
Console Settings	Add

Firewall: Profile
Description	Firewall profiles provide flexibility by allowing you to choose the attributes that a Security Agent or group of Security Agents must have before applying a policy.
Data Collected	For custom rules: IP address Description Domain User name For detection log: Host name Source IP address Source port Destination IP address Destination port
Console Location	Directories > Product Servers > SSO to Apex One Server Agents > Firewall > Profiles
Console Settings	Add

Endpoint Location
Description	Apex One classifies Security Agents that cannot connect to a configured reference server or gateway IP address as being in an external network. Security Agents in an external network apply different policy settings.
Data Collected	Gateway IP address MAC address
Console Location	Directories > Product Servers > SSO to Apex One Server Agents > Endpoint Location
Console Settings

Outbreak Prevention: Deny Write Access to Files and Folders
Description	Configure this setting to prevent viruses/malware from modifying or deleting files and folders on Security Agent endpoints.
Data Collected	File name File path
Console Location	Directories > Product Servers > SSO to Apex One Server Agents > Outbreak Prevention > Start Outbreak Prevention > Deny Write Access to Files and Folders
Console Settings

Update Source
Description	Security Agents can obtain component updates from custom update sources.
Data Collected	URL IP Address
Console Location	Directories > Product Servers > SSO to Apex One Server Updates > Agents > Update Source > Customized Update Source List > Add
Console Settings

Apex One Agent Management
Description	Security Agents send the endpoint status and information to the Apex One server.
Data Collected	Computer Name Logon User Name IP Address MAC Address
Console Location	Directories > Product Servers > SSO to Apex One Server Agents > Agent Management
Console Settings

Keywords: Trend Vision One Endpoint Security - Standard Endpoint Protection DCN, data collected in Trend Vision One Endpoint Security - Standard Endpoint Protection, information collected in Trend Vision One Endpoint Security - Standard Endpoint Protection DCN, dat

Trend Vision One Endpoint Security - Standard Endpoint Protection Data Collection Notice

Product / Version includes:

Trend Vision OneAll

Last updated: 2024/01/31

Solution ID: KA-0014915

Category: SPEC

Summary

The following sections outline the features that collect data, the data transmitted, and the locations on the product console where you can disable the features.

All connections to the Trend Micro Smart Protection Network (SPN) include the Internet-facing source IP that originated the request to the Trend Micro servers, along with product type and version and operating system type and version. This data is collected in web server logs and Security Information and Event Management (SIEM) systems.

For common endpoint management and endpoint sensor capabilities included in all 3 agent packages, please check the details in Trend Vision One Endpoint Security - Endpoint Sensor Data Collection Notice.

General Product Operation

Active Directory Synchronization
Contact Groups
Application Control Criteria
DLP Data Identifiers
Live Investigation: Scan disk files using OpenIOC
Live Investigation: Search registry
Syslog Forwarding Service
Troubleshooting Settings

Apex One Security Agent Policy Settings

Application Control
Application Control: Active Directory accounts
Behavior Monitoring
Behavior Monitoring: Approved/Blocked Program lists
Data Loss Prevention
Data Loss Prevention Exceptions
Data Discovery
Device Control
Device Control: Allowed Programs
Manual Scan: Scan Exclusion List (Directories)
Manual Scan: Scan Exclusion List (Files)
Predictive Machine Learning
Predictive Machine Learning: Exception List
Real-time Scan: Malware detection
Real-time Scan: Scan Exclusion List (Directories)
Real-time Scan: Scan Exclusion List (Files)
Sample Submission
Scan Now: Malware detection
Scan Now: Scan Exclusion List (Directories)
Scan Now: Scan Exclusion List (Files)
Scheduled Scan: Malware detection
Scheduled Scan: Scan Exclusion List (Directories)
Scheduled Scan: Scan Exclusion List (Files)
Suspicious Connection Detection
Trusted Program List
Web Reputation Service
Web Reputation Service: Browser Exploit Prevention
Web Reputation Service: Approved/Blocked URL List
Vulnerability Protection

Apex One Cloud Console

Smart Feedback
Certified Safe Software Service
User-defined IP List
Firewall: Policy Exception
Firewall: Profile
Endpoint Location
Outbreak Prevention: Deny Write Access to Files and Folders
Update Source
Apex One Agent Management

Apex One (Mac) Policy Settings

Apex One (Mac) Cloud Console

General Product Operation

Active Directory Synchronization
Description	Active Directory synchronization maps the User/Endpoint Directory according to your existing organizational structure.
Data Collected	Active Directory site information: AD site GUID (GUID) AD site name (Name) AD site location (Location) AD site subnet name (subnet name) AD site subnet range (subnet range) Active Directory group information: AD group GUID (objectGUID) AD group common name (cn) AD group distinguished name (distinguishedName) AD group member (member) AD group SID (objectSid) Organizational Unit information: OU GUID (objectguid) OU name (name) OU distinguished name (distinguishedname) OU last logon time (lastLogonTimestamp) User information: User account name (sAMAccountName) User distinguished name (distinguishedName) Manager (manager) Direct reports (directReports) User GUID (objectGUID) Email addresses (mail, proxyAddresses) Job title (title) Department (department) Telephone numbers (telephoneNumber, homePhone) Office name (physicalDeliveryOfficeName) Principal name (userPrincipalName) Display name (displayName) User SID (objectSID) User account properties (userAccountControl)
Console Location	Endpoint Security Operations > Standard Endpoint Protection Administration > Settings > Active Directory and Compliance Settings
Console Settings	Enable Active Directory Synchronization

Contact Groups
Description	Contact Groups for event notifications can include manually added email addresses for additional recipients.
Data Collected	Email address
Console Location	Endpoint Security Operations > Standard Endpoint Protection Logs & Reports > Notifications > Contact Groups
Console Settings	Additional recipients

Application Control Criteria
Description	Application Control supports different types of Application Control criteria for filtering.
Data Collected	File path File name Digital signer
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Resources > Application Control Criteria > [new or existing policy resources]
Console Settings	For File paths match method, type the file path information. For Certificates match method, type the certificate properties. For Hash values match method, type the hash value and the description. For Hash values match method, you can import a file with hash values and file path information.

DLP Data Identifiers
Description	Keyword lists contain special words or phrases that define digital assets belonging to your organization.
Data Collected	Keywords
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Resources > DLP Data Identifiers > Keyword Lists
Console Settings	Add Edit (Click the Name of a list to edit keywords.) Copy Import

Live Investigation: Scan disk files using OpenIOC
Description	Live Investigation performs threat investigations on the current system state. It can be configured to run at specific periods and support a wider set of criteria through the use of OpenIOC and YARA rules.
Data Collected	File name File path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Response > Live Investigation > One-time Investigation > Scan disk files using OpenIOC Response > Live Investigation > Scheduled Investigation > Scan disk files using OpenIOC
Console Settings	Upload OpenIOC File

Live Investigation: Search registry
Description	Live Investigation performs threat investigations on the current system state. It can be configured to directly search registry keys, names, and data stored in the Windows Registry database for changes.
Data Collected	Registry key Registry value name Registry value data
Console Location	Endpoint Security Operations > Standard Endpoint Protection Investigation > Live Investigation > One-time Investigation Investigation > Live Investigation > Scheduled Investigation
Console Settings	Search registry

Syslog Forwarding Service
Description	With the Syslog forwarding service enabled, Apex Central can forward logs to the specified syslog server.
Data Collected	Endpoint name User name File name File path File owner Process name Process path Process owner Registry dump URL IP address MAC address
Console Location	Endpoint Security Operations > Standard Endpoint Protection Administration > Settings > Syslog Settings
Console Settings	Enable syslog forwarding

Troubleshooting Settings
Description	Troubleshooting Settings allow Trend Micro Support to collect information during the troubleshooting process to resolve issues related to the Security Agent program.
Data Collected	User account Host name Domain name IP address MAC address File name File path URL
Console Location	Endpoint Security Operations > Standard Endpoint Protection Administration > Settings > Troubleshooting Settings
Console Settings

Apex One Security Agent Policy Settings

Application Control
Description	Application Control prevents unwanted and unknown applications from executing on your endpoints.
Data Collected	Host name IP address User name File name File path Digital signer Command line input that triggered violation Application Control criteria
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Application Control Settings
Console Settings	Enable Application Control

Application Control: Active Directory accounts
Description	You can specify the user or group names of Active Directory accounts to apply Application Control criteria to.
Data Collected	AD user name AD group name
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Application Control Settings > Assign Rule
Console Settings	Type the user or group name of Active Directory accounts

Behavior Monitoring
Description	Behavior Monitoring provides an additional layer of protection against programs that exhibit malicious behavior.
Data Collected	For detection log: Host name IP address URL File name File path User name Domain Process chain Info For Smart Feedback: Host name IP address File name File path Suspicious file content Industry Country For uploaded files: Quarantined files
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Behavior Monitoring Settings > Rules > Malware Behavior Blocking
Console Settings	Enable Malware Behavior Blocking

Behavior Monitoring: Approved/Blocked Program lists
Description	Behavior Monitoring: Approved/Blocked Program lists
Data Collected	Full file path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Behavior Monitoring Settings > Exceptions
Console Settings

Data Loss Prevention
Description	Data Loss Prevention
Data Collected	For detection log: Host name IP address User name Domain Process name Process Source Destination Email sender Email subject Email recipients URL FTP user account Rule name For uploaded files: Forensic data
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Data Loss Prevention > [new or existing policy] > Apex One DLP > [new or existing rule] > Action
Console Settings	Record data

Data Loss Prevention Exceptions
Description	The Data Loss Prevention Exceptions list contains network locations that Security Agents do not monitor for sensitive information. Data Loss Prevention automatically takes the specified action according to the list type.
Data Collected	IP address Endpoint name FQDN For USB devices: Name Vendor Model Serial number
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One (Mac) > [new or existing policy] > Device Control Settings
Console Settings

Data Discovery
Description	Data Discovery searches endpoints for the presence of sensitive information.
Data Collected	Endpoint domain User name User domain File name File path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Data Loss Prevention > [new or existing policy] > Apex One Data Discovery
Console Settings	Enable Data Discovery

Device Control
Description	Configure Device Control rules to control access to storage devices for specific Active Directory users.
Data Collected	For detection log: User name Target file Full file path For USB devices: Name Vendor Model Serial number
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > Device Control Settings > External Agents/Internal Agents
Console Settings	Add Device Control Rule

Device Control: Allowed Programs
Description	The Device Control Allowed Programs list contains program or publisher names that Security Agents do not block using Device Control. Programs in the specified path or by the specified publisher can execute or perform read/write operations on files in restricted storage devices.
Data Collected	For allowed programs: Full file path File name Digital signer For USB devices: Name Vendor Model Serial number
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > Device Control Settings > External Agents/Internal Agents > All users (default) > Allowed Programs
Console Settings

Manual Scan: Scan Exclusion List (Directories)
Description	The Scan Exclusion List contains directories that Security Agents do not scan during a Manual Scan.
Data Collected	Directory path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > Manual Scan Setting > Scan Exclusion > Scan Exclusion List (Directories)
Console Settings

Manual Scan: Scan Exclusion List (Files)
Description	The Scan Exclusion List contains file names that Security Agent do not scan during a Manual Scan.
Data Collected	File name Directory path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > Manual Scan Setting > Scan Exclusion > Scan Exclusion List (Files)
Console Settings

Predictive Machine Learning
Description	Predictive Machine Learning performs in-depth file analysis to detect emerging unknown security risks.
Data Collected	For cloud query: URL File name File path Digital signer Attachment file name IP address Process name Full process path For detection log: Host name IP address File name File path User name Suspicious process data Domain Full process path For Smart Feedback: Host name IP address File name File path Suspicious file content Industry Country For uploaded files: Quarantined files
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Predictive Machine Learning Settings
Console Settings

Predictive Machine Learning: Exception List
Description	The Predictive Machine Learning Exception List contains the hash values of files that Security Agents do not scan during Predictive Machine Learning scanning.
Data Collected	Notes
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Predictive Machine Learning Setting > Exceptions > Add file
Console Settings

Real-time Scan: Malware detection
Description	Virus/Malware scanning checks files for known security risks.
Data Collected	For detection log: Host name IP address File name File path User name Domain Full process path For Smart Feedback: Host name IP address File name File path Suspicious file content Industry Country For uploaded files: Quarantined files
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Real-time Scan Settings
Console Settings	Enable virus/malware scan

Real-time Scan: Scan Exclusion List (Directories)
Description	The Scan Exclusion List contains directories that Security Agents do not scan during a Real-time Scan.
Data Collected	Directory path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Agent > Real-time Scan Setting > Scan Exclusion > Scan Exclusion List (Directories)
Console Settings

Real-time Scan: Scan Exclusion List (Files)
Description	The Scan Exclusion List contains file names that Security Agents do not scan during a Real-time Scan.
Data Collected	File directory Full file path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > Real-time Scan Setting > Scan Exclusion > Scan Exclusion List (Files)
Console Settings

Sample Submission
Description	Sample Submission enables Security Agents to send suspicious files that may contain previously unknown threats directly to Virtual Analyzer for further analysis.
Data Collected	Suspicious executable file Files detected heuristically (downloaded through supported web browsers or email channels)
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Sample Submission Settings
Console Settings	Enable suspicious file submission to Virtual Analyzer

Scan Now: Malware detection
Description	Virus/Malware scanning checks files for known security risks.
Data Collected	File name File path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Scan Now Settings
Console Settings	Enable virus/malware scan

Scan Now: Scan Exclusion List (Directories)
Description	The Scan Exclusion List contains directories that Security Agents do not scan during Scan Now.
Data Collected	Directory path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Scan Now Settings > Scan Exclusion > Scan Exclusion List (Directories)
Console Settings

Scan Now: Scan Exclusion List (Files)
Description	The Scan Exclusion List contains file names that Security Agents do not scan during Scan Now.
Data Collected	Directory path File name
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Scan Now Settings > Scan Exclusion > Scan Exclusion List (Files)
Console Settings

Scheduled Scan: Malware detection
Description	Virus/Malware scanning checks files for known security risks.
Data Collected	File name File path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Scheduled Scan Settings
Console Settings	Enable virus/malware scan

Scheduled Scan: Scan Exclusion List (Directories)
Description	The Scan Exclusion List contains directories that Security Agents do not scan during a Scheduled Scan.
Data Collected	Directory path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > Scheduled Scan Setting > Scan Exclusion > Scan Exclusion List (Directories)
Console Settings

Scheduled Scan: Scan Exclusion List (Files)
Description	The Scan Exclusion List contains file names that Security Agents do not scan during a Scheduled Scan.
Data Collected	Directory path File name
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > Scheduled Scan Setting > Scan Exclusion > Scan Exclusion List (Files)
Console Settings

Suspicious Connection Detection

Description

Suspicious Connection manages the User-defined and Global IP C&C lists, and monitors the behavior of connections that endpoints make to potential C&C servers.

Data Collected

For detection log:
- Host name
- IP address
- URL
- User name
- Full file path
For Smart Feedback:
- Host name
- IP address
- File name
- File path
- Suspicious file content
- Industry
- Country
  
  Web Reputation Service

Console Location

Endpoint Security Operations > Standard Endpoint Protection
Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Suspicious Connection Settings

Console Settings

Detect network connections made to addresses in the Global C&C IP list

Trusted Program List
Description	Add programs (with a valid digital signature) to the Trusted Programs List to exclude processes from suspicious activity monitoring.
Data Collected	Program full path
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Trusted Program List
Console Settings

Web Reputation Service
Description	Web Reputation tracks the credibility of web domains accessed by endpoints.
Data Collected	For cloud query: URL IP address Endpoint name User name For detection log: Host name IP address Full file path URL User name For Smart Feedback: Host name IP address Industry Country URL
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Web Reputation Settings > External/Internal Agents > Enable Web Reputation on the following operation systems
Console Settings	Windows desktop platforms Windows Server platforms

Web Reputation Service: Browser Exploit Prevention
Description	Browser Exploit Prevention identifies web browser exploits and malicious scripts, and prevents the use of these threats from compromising web browsers.
Data Collected	Suspicious or malicious URLs HTTP header/HTML files from Suspicious or malicious URLs Browser information
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Web Reputation Settings > External/Internal Agents > Browser Exploit Prevention
Console Settings	Block pages containing malicious script

Web Reputation Service: Approved/Blocked URL List
Description	The Approved/Blocked URL List contains URLs that Security Agents do not monitor using Web Reputation. Web Reputation automatically takes the specified action according to the list type.
Data Collected	URL
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Web Reputation Settings > External Agents/Internal Agents > Approved/Blocked URL List
Console Settings

Vulnerability Protection
Description	Vulnerability Protection automates the application of virtual patches before official patches become available.
Data Collected	For custom rules: Rule name Rule description Rule configuration For detection log: Host name IP address Rule Application type Attack source Interface Source IP address Source MAC address Source port Destination IP address Destination MAC address Destination port Suspicious process data
Console Location	Endpoint Security Operations > Standard Endpoint Protection Policies > Policy Management > Apex One Security Agent > [new or existing policy] > Vulnerability Protection Settings
Console Settings	Enable Vulnerability Protection

Apex One Cloud Console

Smart Feedback
Description	Smart Feedback shares protected threat information with the Smart Protection Network, allowing Trend Micro to rapidly identify and address new threats.
Data Collected	Email address File name File path Host name Suspicious executable files URL
Console Location	Directories > Product Servers > SSO to Apex One Server Administration > Smart Protection > Smart Feedback
Console Settings	Enable Trend Micro Smart Feedback (recommended)

Certified Safe Software Service
Description	The Certified Safe Software Service queries Trend Micro data centers to verify the safety of a program detected by Malware Behavior Blocking, Event Monitoring, Firewall, or antivirus scans.
Data Collected	File name Company
Console Location	Directories > Product Servers > SSO to Apex One Server Agents > Global Agent Settings > System > Certified Safe Software Service Settings
Console Settings	Enable the Certified Safe Software Service for Behavior Monitoring, Firewall, and antivirus scans

User-defined IP List
Description	Administrators can configure Apex One to allow, block, or log all connections between Security Agents and user-defined C&C IP addresses.
Data Collected	IP address
Console Location	Directories > Product Servers > SSO to Apex One Server Agents > Global Agent Settings > Security Settings > Suspicious Connection Settings > Edit User-defined IP list
Console Settings

Firewall: Policy Exception
Description	Security Agents can perform specific actions (block or allow) on network traffic that meets the exception criteria for the traffic direction (inbound or outbound).
Data Collected	Full file path Host name Registry key IP address
Console Location	Directories > Product Servers > SSO to Apex One Server Agents > Firewall > Policies > Add/Edit Policy > Add Exception
Console Settings	Add

Firewall: Profile
Description	Firewall profiles provide flexibility by allowing you to choose the attributes that a Security Agent or group of Security Agents must have before applying a policy.
Data Collected	For custom rules: IP address Description Domain User name For detection log: Host name Source IP address Source port Destination IP address Destination port
Console Location	Directories > Product Servers > SSO to Apex One Server Agents > Firewall > Profiles
Console Settings	Add

Endpoint Location
Description	Apex One classifies Security Agents that cannot connect to a configured reference server or gateway IP address as being in an external network. Security Agents in an external network apply different policy settings.
Data Collected	Gateway IP address MAC address
Console Location	Directories > Product Servers > SSO to Apex One Server Agents > Endpoint Location
Console Settings

Outbreak Prevention: Deny Write Access to Files and Folders
Description	Configure this setting to prevent viruses/malware from modifying or deleting files and folders on Security Agent endpoints.
Data Collected	File name File path
Console Location	Directories > Product Servers > SSO to Apex One Server Agents > Outbreak Prevention > Start Outbreak Prevention > Deny Write Access to Files and Folders
Console Settings

Update Source
Description	Security Agents can obtain component updates from custom update sources.
Data Collected	URL IP Address
Console Location	Directories > Product Servers > SSO to Apex One Server Updates > Agents > Update Source > Customized Update Source List > Add
Console Settings

Apex One Agent Management
Description	Security Agents send the endpoint status and information to the Apex One server.
Data Collected	Computer Name Logon User Name IP Address MAC Address
Console Location	Directories > Product Servers > SSO to Apex One Server Agents > Agent Management
Console Settings

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Trend Vision One Endpoint Security - Standard Endpoint Protection Data Collection Notice

General Product Operation

Apex One Security Agent Policy Settings

Apex One Cloud Console

Trend Vision One Endpoint Security - Standard Endpoint Protection Data Collection Notice

Product / Version includes:

Summary

General Product Operation

Apex One Security Agent Policy Settings

Apex One Cloud Console