Suspicious Object Actions

You can specify actions for connected products to take after detecting specific suspicious objects.

Trend Micro Vision One connects to different products and sends the Suspicious Object List to the connected products for detection. The connected products then apply the specified action based on their capability.

Trend Micro Vision One currently supports sending the Suspicious Object List to the following products if they are connected properly:

  • Apex One as a Service

  • Cloud App Security

    By default, Suspicious Object List synchronization is disabled in the Cloud App Security console. Therefore, make sure you have enabled Suspicious Object List synchronization for Cloud App Security to receive suspicious object information.

  • Cloud One - Workload Security

    By default, Trend Micro Vision One Suspicious Object Management is disabled in Threat Intelligence of Cloud One - Workload Security. Therefore, make sure you have enabled the option in the Cloud One - Workload Security console to receive suspicious object information.

  • Service Gateway

    For more information about Service Gateway, see Service Gateway Overview.

In addition, Deep Security Software retrieves the Suspicious Object List from Trend Micro Vision One and currently consumes the file SHA-1 objects added from Sandbox.

The following table outlines the object types and actions supported by different products.

| Product | Object Type | Action |
|---|---|---|
| Apex One as a Service | IP address, URL, Domain, File SHA-1 | Log, Block |
| Cloud App Security | URL, File SHA-1, File SHA-256, Sender address | Log, Quarantine |
| Cloud One - Workload Security | IP address | Log |
| Cloud One - Workload Security | Domain | Log |
| Cloud One - Workload Security | File SHA-1 | Log, Block |
| Cloud One - Workload Security | File SHA-256 | Log, Block |
| Deep Security Software | File SHA-1 from Sandbox (Note: File SHA-1 objects added through third-party intelligence and manual operations are not supported.) | Log, Block |
| Service Gateway | IP address, URL, Domain, File SHA-1, File SHA-256 | Note: The connected products of Service Gateway apply the specified action based on their capability. For the list of connected products, see Configuring Service Gateway Settings. |

Note: Application Control must be activated for Apex One as a Service to take the Block action.

Note: After identifying a suspicious URL, file, or sender address in an email message, Cloud App Security quarantines the message from all supported mailboxes protected by Cloud App Security.

Note: Cloud One - Workload Security supports the Log action for Deep Security Agent version 20.0.0.4185 or later.