If your environment manages both Apex One on-premises and Apex One as a Service Security Agents, some features may be different compared to Apex One as a Service. Apex One as a Service Security Agents continue to send data to Trend Micro servers but investigation capabilities may differ from the Apex Central as a Service console.
| Type | Item | 
|---|---|
| User name (exact match only) | Specify the name of the Active Directory account or local user Examples: 
 Note:
 Use the local user account name only (<user name>). Do not include the domain name. | 
| File name (exact match only) | Specify the full file name including extension Example: 
 | 
| File directory (exact match only; on-premises only) | Specify the full path excluding file name Example: 
 | 
| File hash value (exact match only) | Specify the hash value of a file. Example: 
 Note:
 Endpoint Sensor records SHA-1 values only by default. To use SHA-256 or MD5 hash values, update the agent policy to include additional hash types. | 
| FQDN / IP address / Hostname (exact match only) | Specify the remote endpoint FQDN, IP address, or hostname to identify network connections that the investigated endpoint made Note:
 The IPv6 format is not supported. Examples: 
 | 
| Registry key (partial matching supported) | Specify the full or partial registry key, value name, or value data Note:
 
 | 
| Registry value name (partial matching supported) | |
| Registry value data (partial matching supported) | |
| CLI command (partial matching supported) | Specify the full or partial command line string, and press ENTER to add an entry. Note:
 Using command line as investigation criteria has the following limitations: 
 | 
 
		