Supported Formats for User-defined Criteria | Trend Micro Service Central

Views:

Important:

If your environment manages both Apex One on-premises and Apex One as a Service Security Agents, some features may be different compared to Apex One as a Service. Apex One as a Service Security Agents continue to send data to Trend Micro servers but investigation capabilities may differ from the Apex Central as a Service console.

Type	Item
User name (exact match only)	Specify the name of the Active Directory account or local user Examples: jane_smith Note: Use the local user account name only (<user name>). Do not include the domain name.
File name (exact match only)	Specify the full file name including extension Example: filename.exe
File directory (exact match only; on-premises only)	Specify the full path excluding file name Example: c:\windows\system32\wbem\
File hash value (exact match only)	Specify the hash value of a file. Example: `SHA-1: a2da9cda33ce378a21f54e9f03f6c0c9efba61fa` Note: Endpoint Sensor records SHA-1 values only by default. To use SHA-256 or MD5 hash values, update the agent policy to include additional hash types.
FQDN / IP address / Hostname (exact match only)	Specify the remote endpoint FQDN, IP address, or hostname to identify network connections that the investigated endpoint made Note: The IPv6 format is not supported. Examples: cncserver.com malicioussite.com 192.168.0.1
Registry key (partial matching supported)	Specify the full or partial registry key, value name, or value data Note: Trend Micro only records the activity of important registry locations to reduce the resource impact on the endpoint. If your investigation is unsuccessful and you want to investigate further, perform a Live Investigation. Do not specify SID values as registry criteria. Investigations do not support SID values as custom registry criteria. Using registry data as investigation criteria has the following limitations: A criteria can contain up to 10 entries. Each entry must have at least 2 characters. Entries cannot contain spaces.
Registry value name (partial matching supported)
Registry value data (partial matching supported)
CLI command (partial matching supported)	Specify the full or partial command line string, and press ENTER to add an entry. Note: Using command line as investigation criteria has the following limitations: Criteria can contain up to 10 entries. Each entry must have at least 2 characters. Entries cannot contain spaces.

Type

Item

User name

(exact match only)

Specify the name of the Active Directory account or local user

Examples:

jane_smith

Note:

Use the local user account name only (<user name>). Do not include the domain name.

File name

(exact match only)

Specify the full file name including extension

Example:

filename.exe

File directory

(exact match only; on-premises only)

Specify the full path excluding file name

Example:

```
c:\windows\system32\wbem\
```

File hash value

(exact match only)

Specify the hash value of a file.

Example:

SHA-1: a2da9cda33ce378a21f54e9f03f6c0c9efba61fa

Note:

Endpoint Sensor records SHA-1 values only by default. To use SHA-256 or MD5 hash values, update the agent policy to include additional hash types.

FQDN / IP address / Hostname

(exact match only)

Specify the remote endpoint FQDN, IP address, or hostname to identify network connections that the investigated endpoint made

Note:

The IPv6 format is not supported.

Examples:

cncserver.com
malicioussite.com
192.168.0.1

Registry key

(partial matching supported)

Specify the full or partial registry key, value name, or value data

Note:

Trend Micro only records the activity of important registry locations to reduce the resource impact on the endpoint.

If your investigation is unsuccessful and you want to investigate further, perform a Live Investigation.
Do not specify SID values as registry criteria. Investigations do not support SID values as custom registry criteria.
Using registry data as investigation criteria has the following limitations:
- A criteria can contain up to 10 entries.
- Each entry must have at least 2 characters.
- Entries cannot contain spaces.

Registry value name

(partial matching supported)

Registry value data

(partial matching supported)

CLI command

(partial matching supported)

Specify the full or partial command line string, and press ENTER to add an entry.

Note:

Using command line as investigation criteria has the following limitations:

Criteria can contain up to 10 entries.
Each entry must have at least 2 characters.
Entries cannot contain spaces.