Sweeping Types

Trend Micro Vision One provides two types of sweeping that allows you to search your environment for indicators of compromise.


Only Endpoint Activity Data is supported for both types of sweeping.



Auto Sweeping

Auto Sweeping runs based on the following intelligence data:

  • Curated intelligence reports

    After you turn on Auto Sweeping for a source type, Trend Micro Vision One generates a scheduled sweep and runs the sweep once every day for 7 consecutive days to search your environment for threat indicators based on incoming new reports from the selected source.

  • Third-party intelligence

    If you enable the Run an auto sweep option for a specific TAXII feed collection or a MISP event tag, a scheduled sweep will be generated and triggered within 24 hours to search your environment for indicators extracted from the intelligence data.

    Third-party intelligence is processed to produce custom intelligence reports after successful data retrieval.

Trend Micro Vision One triggers Auto Sweeping tasks at the same scheduled time every day and calculates the total number of indicators applied for Auto Sweeping over the past 24 hours to track quota usage.


A maximum of 50,000 indicators is allowed per day for Auto Sweeping. The quota limit is shared by Auto Sweeping tasks triggered for:

  • Curated reports from external sources

  • Custom reports produced by third-party intelligence

If the total number of indicators reaches the daily quota limit for Auto Sweeping, you can trigger Manual Sweeping when necessary.

Manual Sweeping

You can select a custom intelligence report to initiate a manual sweep based on identified indicators.


A maximum of 10,000 indicators is allowed per day for Manual Sweeping.