You can specify actions for connected products to take after detecting specific suspicious objects.

TrendAI Vision One™ connects to different products and sends the Suspicious Object List to the connected products for detection. The connected products then apply the specified action based on their capability.
Adding IP addresses to the Suspicious Object List does not disrupt existing connections to the specified endpoints. TrendAI Vision One™ blocks only new attempts to connect to the specified endpoints.
The following entries list the object types and actions each product supports.

Product/Service: TrendAI Vision One™ Endpoint Security agent - XDR for Endpoint (EDR) (Windows)
  Object Type: File SHA-1, File SHA-256, IP address, URL, Domain | Action: Log, Block
  • The Log and Block actions for File SHA-1 and File SHA-256 support both PE and non-PE file types. The list of supported non-PE file extensions is configured through endpoint security policies.
  • When non-PE file suspicious object support is enabled, XES handles file suspicious object priority instead of the endpoint protection agent.
  • Quarantine actions may fail because file events are handled asynchronously to improve performance.
  • The Block action for URL and Domain requires enabling the browser extension in endpoint security policies. For more information, see Browser Extension.

Product/Service: TrendAI Vision One™ Endpoint Security agent - XDR for Endpoint (EDR) (Mac)
  Object Type: File SHA-1, File SHA-256, IP address, URL, Domain | Action: Log, Block
  • The Log and Block actions for File SHA-1 and File SHA-256 support both MACH-O and non-PE file types. The list of supported non-PE file extensions is configured through endpoint security policies.
  • Quarantine actions may fail because file events are handled asynchronously to improve performance.

Product/Service: TrendAI Vision One™ Endpoint Security agent - XDR for Endpoint (EDR) (Linux)
  Object Type: File SHA-1, File SHA-256 | Action: Log, Block
  • The Log and Block actions for File SHA-1 and File SHA-256 support both ELF and non-PE file types. The list of supported non-PE file extensions is configured through endpoint security policies.
  • Quarantine actions may fail because file events are handled asynchronously to improve performance.

Product/Service: TrendAI Vision One™ Endpoint Security agent with Standard Endpoint Protection (Windows)
  Object Type: IP address, URL, Domain, File SHA-1, File SHA-256 | Action: Log, Block
  • To take action on File SHA-1 and SHA-256 objects, you must first activate Application Control for Standard Endpoint Protection.
  • The Log and Block actions for File SHA-1 and File SHA-256 support both PE and non-PE file types. The list of supported non-PE file extensions is configured through endpoint security policies.
  • When non-PE file suspicious object support is enabled, XES handles file suspicious object priority instead of the endpoint protection agent.
  • Quarantine actions may fail because file events are handled asynchronously to improve performance.

Product/Service: Service Gateway
  Object Type: IP address, URL, Domain, File SHA-1, File SHA-256 | Action: Log, Block
  When suspicious objects synchronize through Service Gateway, it acts as a distribution mechanism only. Service Gateway does not directly enforce actions. Each connected product enforces actions based on its own supported object types and capabilities, so Service Gateway does not enforce any action that a connected product does not support.

Product/Service: TrendAI Vision One™ Internet Access
  Object Type: IP address, URL, Domain, File SHA-1 | Action: Log, Block

Product/Service: Cloud One - Endpoint & Workload Security (Windows); TrendAI Vision One™ Endpoint Security agent Server & Workload Protection (Windows)
  Object Type: IP address, Domain | Action: Log
  Object Type: File SHA-1, File SHA-256 | Action: Log, Block
  • Endpoint & Workload Security supports the Log action for Deep Security Agent version 20.0.0-4185 or later for Windows.
  • The Log and Block actions for File SHA-1 and File SHA-256 are only supported for PE and EXE file formats.
  • You must enable Activity Monitoring and have an XDR add-on license for Cloud One - Endpoint & Workload Security in order to block and log suspicious objects.

Product/Service: Cloud One - Endpoint & Workload Security (Linux); TrendAI Vision One™ Endpoint Security agent Server & Workload Protection (Linux)
  Object Type: IP address, Domain | Action: Log
  Object Type: File SHA-1, File SHA-256 | Action: Log, Block
  • Endpoint & Workload Security supports the Log action for Deep Security Agent version 20.0.0-4185 or later for Linux.
  • The Log and Block actions for File SHA-1 and File SHA-256 are only supported for the ELF file format.
  • You must enable Activity Monitoring and have an XDR add-on license for Cloud One - Endpoint & Workload Security in order to block and log suspicious objects.

Product/Service: Cloud One - Endpoint & Workload Security (macOS); TrendAI Vision One™ Endpoint Security agent Server & Workload Protection (macOS)
  Object Type: IP address, Domain, File SHA-1, File SHA-256, URL | Action: Log, Block
  • Endpoint & Workload Security supports the Log and Block actions for Deep Security Agent version 20.0.0-198 or later for macOS.
  • The Log and Block actions for File SHA-1 and File SHA-256 are only supported for the MACH-O file format.
  • You must enable Activity Monitoring and have an XDR add-on license for Cloud One - Endpoint & Workload Security in order to block and log suspicious objects.

Product/Service: TrendAI™ Apex One as a Service
  Object Type: IP address, URL, Domain, File SHA-1, File SHA-256 | Action: Log, Block
  • To take action on File SHA-1 and SHA-256 objects, you must first activate Application Control for TrendAI™ Apex One as a Service.
  • The Log and Block actions for File SHA-1 and SHA-256 objects are only supported for PE and ELF file formats.

Product/Service: TrendAI™ Apex One (on-premises)
  Object Type: IP address, URL, Domain, File SHA-1, File SHA-256 | Action: Log, Block
  • To take action on File SHA-1 and SHA-256 objects, you must first activate Application Control for TrendAI™ Apex One (on-premises).
  • The Log and Block actions for File SHA-1 and SHA-256 objects are only supported for PE and ELF file formats.

Product/Service: TrendAI™ Cloud App Security; Cloud Email and Collaboration Protection
  Object Type: URL, File SHA-1, File SHA-256, Sender address | Action: Log, Quarantine

Product/Service: TrendAI™ Deep Discovery Email Inspector 5.1 or later
  Object Type: IP address, Domain | Action: Log
  Object Type: URL, File SHA-1, File SHA-256 | Action: Log, Quarantine
  Deep Discovery Email Inspector detects suspicious email messages based on File SHA-1, File SHA-256, and URL object types.

Product/Service: TrendAI™ Deep Discovery Inspector version 6.7 SP1 or later
  Object Type: IP address, URL, Domain, File SHA-1 | Action: Log

Product/Service: TrendAI™ Deep Security
  Object Type: File SHA-1 from Sandbox Analysis | Action: Log, Block
  File SHA-1 objects added through third-party intelligence and manual operations are not supported.

Product/Service: TrendAI™ Email Security; Cloud Email Gateway Protection
  Object Type: URL, File SHA-1, File SHA-256 | Action: Log, Quarantine
  Object Type: Sender address | Action: Block

Product/Service: TrendAI™ TippingPoint™ Security Management System (SMS)
  Object Type: IP address, URL, Domain, File SHA-1, File SHA-256 | Action: Log, Block
Important
TrendAI™ TippingPoint™ SMS does not automatically apply actions provided by TrendAI Vision One™. You must set up a profile in TrendAI™ TippingPoint™ SMS with a reputation filter that selects entries from the reputation database and specifies the action.