XDR Sensor is the successor to Apex One Endpoint Sensor and is tightly integrated with Trend Micro Vision One. Customers are encouraged to upgrade their existing Apex One Endpoint Sensor to XDR Sensor to take advantage of its advanced features.
This article provides a comparison between Apex One Endpoint Sensor and XDR Sensor.
For the platforms that XDR Sensor supports, refer to XDR Sensor System Requirements.
Which sensor Apex One SaaS uses depends on how users deploy the sensor:
- The Apex One Security Agent will use the Apex One Endpoint Sensor (SaaS) when enabling Endpoint Sensor via Apex Central Policy.
- The Apex One Security Agent will use the XDR Sensor when enabling Sensor through Vision One Endpoint Inventory.
|Resource Usage||Frequency of sending data||Average every 5 minutes||Average every 5 minutes||Every 5 minutes||Every 5 minutes|
|Average Generated Data||20 MB/agent/day||7 MB/agent/day||8.7 MB/agent/day||6 MB/agent/day|
|Average Network Bandwidth Usage||20 MB/agent/day||7 MB/agent/day||8.7 MB/agent/day||6 MB/agent/day|
|Local telemetry cache size when sensor cannot send data to server||500 MB||In memory (200 MB)||200 MB||In memory (200 MB)|
|Agent behavior after the license expires||Does not record or send any telemetry data||Currently, when the license expires, the sensor still sends telemetry data to the server but stops renewing the required tokens, so the server no longer receives the telemetry data.|
|Investigation||Investigate based on criteria||✔️||✔️||✔️||✔️|
|Do a live investigation to check the present status||✔️*1||✔️*2||✔️*2||✔️*2|
|Detection||Threat Detection w/ Attack Discovery||✔️*3||✔️*4||✔️*4||✔️*4|
|Mitigation/Response||Add to User-defined suspicious object||✔️||✔️||❌||❌|
|Network isolation of endpoint||✔️*6||✔️*7||❌||❌|
|Coordination with EPP products||✔️*8||✔️*9||✔️*9||✔️*9|
*1 The Apex One Endpoint Sensor (SaaS) supports live investigation via disk IOC scan, YARA scan, and registry scan.
*2 The XDR Sensor supports checking present status via the remote shell feature.
*3 The Apex One Endpoint Sensor (SaaS) has its own attack discovery detection engine. After Apex One is registered to Vision One, the Vision One backend server provides detection capability based on recorded activity data.
*4 The XDR Sensor doesn't have a detection engine. However, the Vision One backend service provides detection capability based on recorded activity data.
*5 The XDR Sensor supports killing running processes via the remote shell feature.
*6 This is for Windows only, and it relies on Apex One EPP.
*7 Users have to register their Apex One to Vision One.
*8 Apex One Endpoint Sensor (SaaS) is an integrated module of Apex One. If users would like to install the Apex One Security Agent alongside other EPP products, they have to install the Apex One Coexist agent, not the Full agent.
*9 The XDR Sensor is a standalone sensor, and it can coexist with Trend Micro EPP products and 3rd-party EPP products.
Supported coexistence products:
- Apex One On-Premise
- Apex One as a Service
- Deep Security On-Premise
- Microsoft Defender
- Symantec Endpoint Protection (SEP)
- McAfee Endpoint Security (MES)