Create or edit endpoint security policies to manage agent and sensor settings.
Important
|
Configure endpoint security policies to manage settings for endpoints with the Trend
Vision One Endpoint Security agent installed which report to Trend Vision One Endpoint Inventory.
Procedure
- In the Trend Vision One console, go to .
- Create or edit a policy.
-
To create a new policy, click Add Policy.
-
To edit a policy, find the policy you want to edit and click the policy name.
The policy configuration screen appears -
- Specify a unique Policy Name.
Note
You cannot edit the policy name for the Default Endpoint Policy. - Select one or more endpoint groups to assign to the policy.
- In the Endpoint group field, click the edit icon ().The Select Endpoint Group window appears.
- Locate and select the endpoint group you want to add.
Important
-
Endpoint groups can only be assigned to one policy at a time. Selecting a group that is already assigned to a policy moves that endpoint group to the new policy.
-
Selecting an endpoint group automatically selects any child groups including those already assigned to a policy. You can clear the selection for any child group you do not want to include in the new policy.Child groups can be assigned to a different policy than the parent group.
-
- After selecting one or more endpoint groups, click Select.
- In the Endpoint group field, click the edit icon ().
- Configure your priority rules.
- To add a new priority rule, click Add Priority and specify a name for the rule.New rules are automatically added to the top of the priority list as Priority 1.
- To change the order of your priority rules, click and drag the priority rule you want
to change.The priority rule number changes automatically.For example, moving Priority 1 under Priority 3 automatically changes the original Priority 1 to Priority 3, and the old Priority 2 and Priority 3 become Priority 1 and Priority 2, respectively.
- To change the name of a priority rule, click the options icon next to the name () and select Rename.
- To delete a priority rule, click the options icon next to the name () and select Delete.
Important
You cannot delete the Default priority rule.
- To add a new priority rule, click Add Priority and specify a name for the rule.
- Click the priority rule you want to configure.
- Configure the General Information settings for the selected priority rule.
Important
If an endpoint matches multiple priority rule criteria, the endpoint uses the highest priority rule matched.If an endpoint does not match any priority rule criteria, the endpoint uses the Default priority rule.The Default priority rule criteria is All endpoints and cannot be changed.- Select the Criteria type.
- Specify the criteria values.The criteria is used to determine which endpoints within the assigned endpoint groups the priority rule applies to. The criteria value input method changes depending on which criteria type you select.Criteria typeDescriptionInput methodEndpoint nameThe priority rule applies to any endpoint containing at least one specified value in the endpoint nameFor example, if you specify Test, the priority rule applies to the endpoint
Test01
.Specify a value and either type a comma (,) or press ENTER to separate values.Operating systemThe priority rule applies to any endpoint with the specified operating systemClick the edit icon () to select the OS family or a specific OS version.IP rangeThe priority rule applies to any endpoint with an IP address within one of the specified rangesSpecify an IP range in either IPv4 or IPv6 format. Click the add icon () to add up to 3 IP ranges. - To add more criteria to the selected priority rule, click Add Criteria and select the criteria type.Priority rules use AND logic when matching multiple criteria. Endpoints must match all defined criteria to apply the priority rule.For example, if Criteria 1 is Windows, and Criteria 2 is a defined IP range, then Linux endpoints within the defined IP range do not apply the priority rule.
Important
Make sure that you do not create a priority rule that is impossible for endpoints to match. Trend Micro suggests not using the same criteria type more than once in a priority rule.
- Configure the Sensor Settings for the selected priority rule.Enable the following settings to turn on the features for your endpoint agents.
Important
Certain settings require credits to enable.The first time you enable endpoint sensor detection and response, your currently deployed Trend Endpoint Agents install the new Network Content Inspection Engine. For more information, see Network Content Inspection Engine.SettingDescriptionEndpoint sensor detection and responseSends activity data for state-of-the-art threat detection and alerts (required for advanced XDR detections and Workbench alerts)The detection and response feature collects endpoint activity data that helps provide alerts and enhanced investigation data whenever a suspected attack occurs. The collected data is also used by Attack Surface Risk Management applications to help identify risky endpoint and user behavior, and to identify endpoint vulnerabilities.Monitoring levelControls the sensitivity of endpoint sensor detectionsRequires enabling Endpoint sensor detection and response.Raising the monitoring level increases the sensitivity of the endpoint sensor, which increases the number of detections and alerts. Higher levels allow for more strict monitoring, but might generate a large number of nonessential logs and impact endpoint performance.The default setting is 2 - Moderate. Trend Micro recommends using the default setting to balance more relevant data with minimal impact on your endpoints. For more information, see About Monitoring Level.Important
Monitoring level only supports Windows endpoints.Deepfake detectorAnalyzes ongoing video calls to determine if they contain synthesized imagesRequires enabling Endpoint sensor detection and response.Important
Deepfake detector only supports Windows endpoints.Advanced risk telemetryAnalyzes endpoints for potential security posture weaknesses and performs vulnerability assessments for zero-day threatsNote
Not supported on macOS or non-persistent virtual desktops.The advanced risk telemetry feature collects data that specifically helps detect zero-day threats and identify weaknesses in your endpoint, user, and security configuration settings. - After you have configured all your priority rules, click Save.
Tip
If you are creating a new policy, make sure you configure the Default priority rule.