Configuring endpoint security policies

Procedure

1. In the Trend Vision One console, go to Endpoint Security → Endpoint Security Configuration → Endpoint Security Policies.
2. Create or edit a policy.
   • To create a new policy, click Add Policy.
   • To edit a policy, find the policy you want to edit and click the policy name.
   The policy configuration screen appears
3. Specify a unique Policy Name.

   Note You cannot edit the policy name for the Default Endpoint Policy.

4. Select one or more endpoint groups to assign to the policy.
   1. In the Endpoint group field, click the edit icon ().
      The Select Endpoint Group window appears.
   2. Locate and select the endpoint group you want to add.

      Important Endpoint groups can only be assigned to one policy at a time. Selecting a group that is already assigned to a policy moves that endpoint group to the new policy. Selecting an endpoint group automatically selects any child groups including those already assigned to a policy. You can clear the selection for any child group you do not want to include in the new policy. Child groups can be assigned to a different policy than the parent group.

   3. After selecting one or more endpoint groups, click Select.
5. Configure your priority rules.
   1. To add a new priority rule, click Add Priority and specify a name for the rule.
      New rules are automatically added to the top of the priority list as Priority 1.
   2. To change the order of your priority rules, click and drag the priority rule you want to change.
      The priority rule number changes automatically.

      For example, moving Priority 1 under Priority 3 automatically changes the original Priority 1 to Priority 3, and the old Priority 2 and Priority 3 become Priority 1 and Priority 2, respectively.
   3. To change the name of a priority rule, click the options icon next to the name () and select Rename.
   4. To delete a priority rule, click the options icon next to the name () and select Delete.

      Important You cannot delete the Default priority rule.

6. Click the priority rule you want to configure.
7. Configure the General Information settings for the selected priority rule.

   Important If an endpoint matches multiple priority rule criteria, the endpoint uses the highest priority rule matched. If an endpoint does not match any priority rule criteria, the endpoint uses the Default priority rule. The Default priority rule criteria is All endpoints and cannot be changed.

   1. Select the Criteria type.
   2. Specify the criteria values.
      The criteria is used to determine which endpoints within the assigned endpoint groups the priority rule applies to. The criteria value input method changes depending on which criteria type you select.

      Criteria type	Description	Input method
      Endpoint name	The priority rule applies to any endpoint containing at least one specified value in the endpoint name For example, if you specify Test, the priority rule applies to the endpoint Test01.	Specify a value and either type a comma (,) or press ENTER to separate values.
      Operating system	The priority rule applies to any endpoint with the specified operating system	Click the edit icon () to select the OS family or a specific OS version.
      IP range	The priority rule applies to any endpoint with an IP address within one of the specified ranges	Specify an IP range in either IPv4 or IPv6 format. Click the add icon () to add up to 3 IP ranges.

   3. To add more criteria to the selected priority rule, click Add Criteria and select the criteria type.
      Priority rules use AND logic when matching multiple criteria. Endpoints must match all defined criteria to apply the priority rule.

      For example, if Criteria 1 is Windows, and Criteria 2 is a defined IP range, then Linux endpoints within the defined IP range do not apply the priority rule.

      Important Make sure that you do not create a priority rule that is impossible for endpoints to match. Trend Micro suggests not using the same criteria type more than once in a priority rule.

8. Configure the Sensor Settings for the selected priority rule.
   Enable the following settings to turn on the features for your endpoint agents.

   Important Certain settings require credits to enable. The first time you enable endpoint sensor detection and response, your currently deployed Trend Endpoint Agents install the new Network Content Inspection Engine. For more information, see Network Content Inspection Engine.

   Setting	Description
   Endpoint sensor detection and response	Sends activity data for state-of-the-art threat detection and alerts (required for advanced XDR detections and Workbench alerts) The detection and response feature collects endpoint activity data that helps provide alerts and enhanced investigation data whenever a suspected attack occurs. The collected data is also used by Attack Surface Risk Management applications to help identify risky endpoint and user behavior, and to identify endpoint vulnerabilities.
   Monitoring level	Controls the sensitivity of endpoint sensor detections Requires enabling Endpoint sensor detection and response. Raising the monitoring level increases the sensitivity of the endpoint sensor, which increases the number of detections and alerts. Higher levels allow for more strict monitoring, but might generate a large number of nonessential logs and impact endpoint performance. The default setting is 2 - Moderate. Trend Micro recommends using the default setting to balance more relevant data with minimal impact on your endpoints. For more information, see About Monitoring Level. Important Monitoring level only supports Windows endpoints.
   Deepfake detector	Analyzes ongoing video calls to determine if they contain synthesized images Requires enabling Endpoint sensor detection and response. Important Deepfake detector only supports Windows endpoints.
   Advanced risk telemetry	Analyzes endpoints for potential security posture weaknesses and performs vulnerability assessments for zero-day threats Note Not supported on macOS or non-persistent virtual desktops. The advanced risk telemetry feature collects data that specifically helps detect zero-day threats and identify weaknesses in your endpoint, user, and security configuration settings.

9. After you have configured all your priority rules, click Save.

   Tip If you are creating a new policy, make sure you configure the Default priority rule.