Views:

Create or edit endpoint security policies to manage agent and sensor settings.

Important
Important
  • Endpoint security policies only support endpoints with the Trend Vision One Endpoint Security agent version October 2024 release or later installed.
  • Certain settings require credits to enable.
  • Sensor-only deployments use the Sensor Only General Policy.
  • Endpoint groups not assigned to a policy automatically adopt the Default Endpoint Policy.
  • Endpoint groups can only be assigned to one policy at a time.
Configure endpoint security policies to manage settings for endpoints with the Trend Vision One Endpoint Security agent installed which report to Trend Vision One Endpoint Inventory.

Procedure

  1. In the Trend Vision One console, go to Endpoint SecurityEndpoint Security ConfigurationEndpoint Security Policies.
  2. Create or edit a policy.
    • To create a new policy, click Add Policy.
    • To edit a policy, find the policy you want to edit and click the policy name.
    The policy configuration screen appears
  3. Specify a unique Policy Name.
    Note
    Note
    You cannot edit the policy name for the Default Endpoint Policy.
  4. Select one or more endpoint groups to assign to the policy.
    1. In the Endpoint group field, click the edit icon (proxyConfigIcon=20230614160101.jpg).
      The Select Endpoint Group window appears.
    2. Locate and select the endpoint group you want to add.
      Important
      Important
      • Endpoint groups can only be assigned to one policy at a time. Selecting a group that is already assigned to a policy moves that endpoint group to the new policy.
      • Selecting an endpoint group automatically selects any child groups including those already assigned to a policy. You can clear the selection for any child group you do not want to include in the new policy.
        Child groups can be assigned to a different policy than the parent group.
    3. After selecting one or more endpoint groups, click Select.
  5. Configure your priority rules.
    1. To add a new priority rule, click Add Priority and specify a name for the rule.
      New rules are automatically added to the top of the priority list as Priority 1.
    2. To change the order of your priority rules, click and drag the priority rule you want to change.
      The priority rule number changes automatically.
      For example, moving Priority 1 under Priority 3 automatically changes the original Priority 1 to Priority 3, and the old Priority 2 and Priority 3 become Priority 1 and Priority 2, respectively.
    3. To change the name of a priority rule, click the options icon next to the name (options=ddb0b67f-0654-4aa5-8bc7-48ec554c5448.png) and select Rename.
    4. To delete a priority rule, click the options icon next to the name (options=ddb0b67f-0654-4aa5-8bc7-48ec554c5448.png) and select Delete.
      Important
      Important
      You cannot delete the Default priority rule.
  6. Click the priority rule you want to configure.
  7. Configure the General Information settings for the selected priority rule.
    Important
    Important
    If an endpoint matches multiple priority rule criteria, the endpoint uses the highest priority rule matched.
    If an endpoint does not match any priority rule criteria, the endpoint uses the Default priority rule.
    The Default priority rule criteria is All endpoints and cannot be changed.
    1. Select the Criteria type.
    2. Specify the criteria values.
      The criteria is used to determine which endpoints within the assigned endpoint groups the priority rule applies to. The criteria value input method changes depending on which criteria type you select.

      Criteria type
      Description
      Input method
      Endpoint name
      The priority rule applies to any endpoint containing at least one specified value in the endpoint name
      For example, if you specify Test, the priority rule applies to the endpoint Test01.
      Specify a value and either type a comma (,) or press ENTER to separate values.
      Operating system
      The priority rule applies to any endpoint with the specified operating system
      Click the edit icon (proxyConfigIcon=20230614160101.jpg) to select the OS family or a specific OS version.
      IP range
      The priority rule applies to any endpoint with an IP address within one of the specified ranges
      Specify an IP range in either IPv4 or IPv6 format. Click the add icon (add_icon=cf892c2f-1a1f-4d22-848f-023067e4a507.png) to add up to 3 IP ranges.
    3. To add more criteria to the selected priority rule, click Add Criteria and select the criteria type.
      Priority rules use AND logic when matching multiple criteria. Endpoints must match all defined criteria to apply the priority rule.
      For example, if Criteria 1 is Windows, and Criteria 2 is a defined IP range, then Linux endpoints within the defined IP range do not apply the priority rule.
      Important
      Important
      Make sure that you do not create a priority rule that is impossible for endpoints to match. Trend Micro suggests not using the same criteria type more than once in a priority rule.
  8. Configure the Sensor Settings for the selected priority rule.
    Enable the following settings to turn on the features for your endpoint agents.
    Important
    Important
    Certain settings require credits to enable.
    The first time you enable endpoint sensor detection and response, your currently deployed Trend Vision One Endpoint Security Agents install the new Network Content Inspection Engine. For more information, see Network Content Inspection Engine.

    Setting
    Description
    Endpoint sensor detection and response
    Sends activity data for state-of-the-art threat detection and alerts (required for advanced XDR detections and Workbench alerts)
    The detection and response feature collects endpoint activity data that helps provide alerts and enhanced investigation data whenever a suspected attack occurs. The collected data is also used by Attack Surface Risk Management applications to help identify risky endpoint and user behavior, and to identify endpoint vulnerabilities.
    Monitoring level
    Controls the sensitivity of endpoint sensor detections
    Requires enabling Endpoint sensor detection and response.
    Raising the monitoring level increases the sensitivity of the endpoint sensor, which increases the number of detections and alerts. Higher levels allow for more strict monitoring, but might generate a large number of nonessential logs and impact endpoint performance.
    The default setting is 2 - Moderate. Trend Micro recommends using the default setting to balance more relevant data with minimal impact on your endpoints. For more information, see About Monitoring Level.
    Important
    Important
    Monitoring level only supports Windows endpoints.
    Deepfake detector
    Analyzes ongoing video calls to determine if they contain synthesized images
    Requires enabling Endpoint sensor detection and response.
    Important
    Important
    Deepfake detector only supports Windows endpoints.
    Advanced risk telemetry
    Analyzes endpoints for potential security posture weaknesses and performs vulnerability assessments for zero-day threats
    Note
    Note
    Not supported on macOS or non-persistent virtual desktops.
    The advanced risk telemetry feature collects data that specifically helps detect zero-day threats and identify weaknesses in your endpoint, user, and security configuration settings.
  9. After you have configured all your priority rules, click Save.
    Tip
    Tip
    If you are creating a new policy, make sure you configure the Default priority rule.