Suspicious Object Actions

You can specify actions for connected products to take after detecting specific suspicious objects.

Trend Vision One connects to different products and sends the Suspicious Object List to the connected products for detection. The connected products then apply the specified action based on their capability.

Trend Vision One currently supports sending the Suspicious Object List to the following products if they are connected properly:

  • Trend Micro Apex One as a Service

  • Trend Micro Cloud App Security

    By default, Suspicious Object List synchronization is disabled in the Cloud App Security console. Therefore, make sure you have enabled Suspicious Object List synchronization for Cloud App Security to receive suspicious object information.

  • Trend Cloud One - Endpoint & Workload Security

    By default, Trend Vision One Suspicious Object Management is disabled in Threat Intelligence of Endpoint & Workload Security. Therefore, make sure you have enabled the option in the Endpoint & Workload Security console to receive suspicious object information.

  • Service Gateway Management

    For more information about Service Gateway, see Service Gateway Overview.

In addition, Deep Security Software retrieves the Suspicious Object List from Trend Vision One and currently consumes the File SHA-1 objects added from Sandbox.

The following table outlines the object types and actions supported by different products. Product-specific notes follow the table.

| Product | Object Type | Action |
|---|---|---|
| Apex One as a Service | IP address | Log, Block |
| Apex One as a Service | URL | Log, Block |
| Apex One as a Service | Domain | Log, Block |
| Apex One as a Service | File SHA-1 | Log, Block |
| Cloud App Security | URL | Log, Quarantine |
| Cloud App Security | File SHA-1 | Log, Quarantine |
| Cloud App Security | File SHA-256 | Log, Quarantine |
| Cloud App Security | Sender address | Log, Quarantine |
| Endpoint & Workload Security (Windows) | IP address | Log |
| Endpoint & Workload Security (Windows) | Domain | Log |
| Endpoint & Workload Security (Windows) | File SHA-1 | Log, Block |
| Endpoint & Workload Security (Windows) | File SHA-256 | Log, Block |
| Endpoint & Workload Security (Linux) | IP address | Log |
| Endpoint & Workload Security (Linux) | Domain | Log |
| Endpoint & Workload Security (Linux) | File SHA-1 | Log, Block |
| Endpoint & Workload Security (Linux) | File SHA-256 | Log, Block |
| Endpoint & Workload Security (macOS) | IP address | Log, Block |
| Endpoint & Workload Security (macOS) | Domain | Log, Block |
| Endpoint & Workload Security (macOS) | File SHA-1 | Log, Block |
| Endpoint & Workload Security (macOS) | File SHA-256 | Log, Block |
| Deep Security Software | File SHA-1 from Sandbox | Log, Block |
| Service Gateway | IP address | Applied by the connected products (see note) |
| Service Gateway | URL | Applied by the connected products (see note) |
| Service Gateway | Domain | Applied by the connected products (see note) |
| Service Gateway | File SHA-1 | Applied by the connected products (see note) |
| Service Gateway | File SHA-256 | Applied by the connected products (see note) |

Note (Apex One as a Service):
  • To take action on File SHA-1 objects, you must first activate Application Control for Apex One as a Service.

  • The Log and Block actions for File SHA-1 are only supported for PE and ELF file formats.

Note (Cloud App Security):
  • After identifying a suspicious URL, file, or sender address in an email message, Cloud App Security quarantines the message from all supported mailboxes protected by Cloud App Security.

Note (Endpoint & Workload Security, Windows):
  • Endpoint & Workload Security supports the Log action for Deep Security Agent version 20.0.0-4185 or later for Windows.

  • The Log and Block actions for File SHA-1 and File SHA-256 are only supported for PE and ELF file formats.

Note (Endpoint & Workload Security, Linux):
  • Endpoint & Workload Security supports the Log action for Deep Security Agent version 20.0.0-4185 or later for Linux.

  • The Log and Block actions for File SHA-1 and File SHA-256 are only supported for PE and ELF file formats.

Note (Endpoint & Workload Security, macOS):
  • Endpoint & Workload Security supports the Log and Block actions for Deep Security Agent version 20.0.0-198 or later for macOS.

  • The Log and Block actions for File SHA-1 and File SHA-256 are only supported for PE and ELF file formats.

Note (Deep Security Software):
  • File SHA-1 objects added through third-party intelligence and manual operations are not supported.

Note (Service Gateway):
  • The connected products of Service Gateway apply the specified action based on their capability. For the list of connected products, see Configuring Service Gateway Settings.
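The capability table above is the kind of thing an analyst wants to check before pushing an action: a "Block" on an IP address reaches an Endpoint & Workload Security agent on Windows that can only log, and a "Block" on a file hash is moot when the file is not PE or ELF. The following script is an added example, not Trend Micro code, that transcribes the table into a lookup, validates list entries by format, and resolves the outcome each product would produce for a requested action. It assumes that a product which cannot perform the requested action but can log falls back to Log (the page only says products act "based on their capability"), and it approximates the PE/ELF restriction with a magic-byte check on a sample of the file; the entries in the sample list are constructed and are not real indicators.

```python
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Object types and actions per product, transcribed from the table above.
# Service Gateway is omitted because its connected products decide the action.
SUPPORT: Dict[str, Dict[str, Tuple[str, ...]]] = {
    "Apex One as a Service": {
        "ip": ("Log", "Block"), "url": ("Log", "Block"),
        "domain": ("Log", "Block"), "sha1": ("Log", "Block"),
    },
    "Cloud App Security": {
        "url": ("Log", "Quarantine"), "sha1": ("Log", "Quarantine"),
        "sha256": ("Log", "Quarantine"), "sender": ("Log", "Quarantine"),
    },
    "Endpoint & Workload Security (Windows)": {
        "ip": ("Log",), "domain": ("Log",),
        "sha1": ("Log", "Block"), "sha256": ("Log", "Block"),
    },
    "Endpoint & Workload Security (Linux)": {
        "ip": ("Log",), "domain": ("Log",),
        "sha1": ("Log", "Block"), "sha256": ("Log", "Block"),
    },
    "Endpoint & Workload Security (macOS)": {
        "ip": ("Log", "Block"), "domain": ("Log", "Block"),
        "sha1": ("Log", "Block"), "sha256": ("Log", "Block"),
    },
    "Deep Security Software": {"sha1": ("Log", "Block")},
}

# Products whose notes restrict file-hash actions to PE and ELF formats.
PE_ELF_ONLY = {
    "Apex One as a Service",
    "Endpoint & Workload Security (Windows)",
    "Endpoint & Workload Security (Linux)",
    "Endpoint & Workload Security (macOS)",
}

_HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")
_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def classify(value: str) -> Optional[str]:
    """Return the object type of a list entry, or None if it is malformed.

    Hashes are tested first so a 40- or 64-character hex string is never
    mistaken for a host name (a heuristic chosen for this example).
    """
    v = value.strip()
    if _HEX40.match(v):
        return "sha1"
    if _HEX64.match(v):
        return "sha256"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if v.lower().startswith(("http://", "https://")):
        return "url"
    if "@" in v and _DOMAIN.match(v.rsplit("@", 1)[1]):
        return "sender"
    if _DOMAIN.match(v):
        return "domain"
    return None


def is_pe_or_elf(data: bytes) -> bool:
    """True if the bytes begin with the PE ("MZ") or ELF (0x7f 'E' 'L' 'F') magic."""
    return data[:2] == b"MZ" or data[:4] == b"\x7fELF"


def effective_action(product: str, value: str, requested: str,
                     sample: Optional[bytes] = None) -> str:
    """Resolve what `product` does with `value` when `requested` is configured.

    Returns the requested action when supported; "Log" as an assumed fallback
    when the product cannot perform it but can log; "Not applicable" when the
    object type (or, for hashes, the file format) is outside the product's
    support; "Invalid" for malformed entries.
    """
    obj_type = classify(value)
    if obj_type is None:
        return "Invalid"
    supported = SUPPORT.get(product, {}).get(obj_type)
    if not supported:
        return "Not applicable"
    if (obj_type in ("sha1", "sha256") and product in PE_ELF_ONLY
            and sample is not None and not is_pe_or_elf(sample)):
        return "Not applicable"
    if requested in supported:
        return requested
    return "Log" if "Log" in supported else "Not applicable"


# Constructed sample list (requested action, object); not real indicators.
SAMPLE_LIST = [
    ("Block", "192.0.2.10"),
    ("Block", "example.invalid"),
    ("Block", "da39a3ee5e6b4b0d3255bfef95601890afd80709"),
    ("Quarantine", "sender@example.invalid"),
    ("Block", "not a valid object"),
]


def report(product: str) -> Dict[str, str]:
    """Map each sample entry to the outcome `product` would produce."""
    return {value: effective_action(product, value, action)
            for action, value in SAMPLE_LIST}


if __name__ == "__main__":
    for product in SUPPORT:
        print(product)
        for value, outcome in report(product).items():
            print(f"  {value:45} -> {outcome}")
```

Running it prints, per product, which sample entries would be blocked, merely logged, or ignored; the Windows and Linux rows are where a configured Block on an IP address or domain silently becomes Log, which is the gap worth knowing about before relying on the list for containment.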