Apex Central as a Service Online Help
Command Tracking and Product Communication
This section discusses how to track commands issued from the Apex Central server.
Topics include:
Command Tracking
Querying and Viewing Commands
Configuring Communication Time-out Settings