Sweeping Types

Trend Micro Vision One provides two types of sweeping that allows you to search your environment for indicators of compromise.


Only Endpoint Activity Data is supported for both types of sweeping.



Auto Sweeping

Auto Sweeping runs based on the following intelligence data:

  • Curated intelligence reports

    After you turn on Auto Sweeping for a source type, Trend Micro Vision One generates a scheduled sweep and runs the sweep once every day for 7 consecutive days to search your environment for threat indicators based on incoming new reports from the selected source.

  • Third-party intelligence

    If you enable the Run an auto sweep option for a specific TAXII feed collection or a MISP event tag, a one-time sweeping task is generated after successful data retrieval to search your environment for indicators extracted from the intelligence data.


    Third-party intelligence is processed to produce custom intelligence reports after successful data retrieval. Therefore, if the number of indicators allowed for Auto Sweeping reaches the daily maximum limit, you can trigger Manual Sweeping for the generated reports under Intelligence Reports > Custom.

Manual Sweeping

You can select a custom intelligence report to initiate a manual sweep based on identified indicators.


A maximum of 10,000 indicators is allowed per day for Manual Sweeping.