File collection lets you collect objects directly from the Trend Vision One extended detection and response (XDR) interface.
If you connect your agents and relays to the primary security update source via a proxy, file collection automatically uses the same proxy settings.

Requirements

Workload Security uses an IoT mechanism to transmit messages and events to Trend Vision One. If you need to restrict the URLs allowed in your environment, configure your firewall to include the Event Channel - XDR Activity Monitoring FQDNs from the Workload Security URLs table.

Collect objects using file collection

Trigger file collection

After identifying the object that you want to collect, you can trigger file collection from either of the following:

Procedure

  1. From the Trend Vision One Search App:
    1. Right-click on one of the following from Search App events:
      • processFilePath
      • objectFilePath
      • parentFilePath
    2. Select Collect File.
      The Collect File Task window appears.
  2. From the Trend Vision One Workbench (under XDR):
    1. Right-click the file icon for the object you want to collect and select Collect File.
      The Collect File Task window appears.

Create a File Collection Task

Procedure

  1. From the Collect File Task window, select the checkbox for the task.
  2. Optionally, enter a description for the response or event.
  3. Select Create.
    A Security Agent begins creating the task.
    A Security Agent typically creates a collect file task within 20 minutes. If the Security Agent is offline, the task is queued until the Security Agent comes online.

Monitor task status

You can monitor tasks from the Response Management tab.
Task statuses include:
  • In progress: Trend Vision One sent the command to the managing server and is waiting for a response.
  • Queued: The server queued the command due to a high volume of requests or because the Security Agent was offline.
  • Successful: The managing server successfully received the command.
  • Unsuccessful: An error or time-out occurred when attempting to send the command to the managing server.

Download sample file

WARNING
Downloading samples could harm your endpoint. Trend Vision One automatically stores sample files in a password-protected ZIP archive. Please ensure that you take the necessary precautions before continuing.

Procedure

  1. In the Response Management tab, select Collect File from the menu and select the download icon.
  2. In the dialog, select Download.
  3. In the Download File window, record the password for the archived sample.
  4. Select Download to download the file.

Troubleshoot common issues

To troubleshoot common issues with file collection, check the following settings in your Workload Security console:

Trend Vision One settings

In the Trend Vision One (XDR) tab (Administration > System Settings > Trend Vision One (XDR)), make sure that:
  • Enrollment status is Registered.
  • Forward security events to Trend Vision One is selected.

Security module settings for your computers

In the Activity Monitoring tab for your computers (Computers > (right-click or double-click) > Details > Activity Monitoring > General), make sure Configuration is set to On or Inherited (On).
Tip
You can also enable Activity Monitoring for computers by enabling it in the policy assigned to them. From the Policies tab, double-click the policy you want to enable Activity Monitoring for. Go to Activity Monitoring > General and make sure that Activity Monitoring State is set to On.

If you have checked the Requirements and Troubleshoot common issues sections but are still experiencing problems, contact support.