Call a Specialist Today! 800-886-5369

Trend Micro Endpoint Sensor (EDR)
Get more out of endpoint detection and response (EDR)

Endpoint Sensor (EDR)
Trend Micro Products
Endpoint Sensor (EDR)
Get a Quote!

Trend Micro™ Endpoint Sensor As A Service: XDR EDition
Integrated investigation, detection and response capabilities across email, endpoint, and servers

Effective protection against new and emerging threats is a vital part of any organization’s security strategy. Unfortunately, there is no silver bullet when it comes to protecting against threats, and even the most advanced endpoint security solutions can’t prevent 100 percent of new threats 100 percent of the time. That’s why having tightly-integrated protection and detection capabilities that can help quickly detect, track, and investigate threats—that make it past defenses—is so important to eliminate or minimize the impact.

Stealthy advanced threats can manifest themselves in your enterprise networks by bypassing traditional endpoint, email, and server security technologies. Threats can change and spread through an organization before executing and exploiting your intellectual property. Or it can sit dormant until an opportunity presents itself to steal or ransom data. Fortunately, Trend Micro Apex One™ security uses XGen™ threat and malware protection, a blend of cross generational techniques such as machine learning, behavioral analysis and vulnerability protection. Once a detection has been made though, questions remain: What was the root cause? How far did it spread? Was it related to other detections picked up by the endpoint or email protection?

Trend Micro™ Endpoint Sensor as a Service: XDR Edition gives insight to detections by allowing threat investigators to use investigation functionality to explore detections and hunt for new threats across endpoints, emails, and servers.

Advanced detection

As part of a single agent, Endpoint Sensor leverages the full portfolio of advanced detection techniques our Apex One endpoint protection offers. This integration provides a complete detection and response solution with automation and remediation capabilities.

Extended investigation capabilities

Detection and response across endpoints, servers, and email produce connected, more insightful investigations. With email – the #1 attack source – covered, analysts can trace a root cause analysis back to email to identify all impacted parties, contain the threat, and stop the spread.

Single view. Single console.

Receive alerts, view detections, and perform investigations on email, endpoints, and servers – all within our Apex Central console. No more moving from one console to another.

Key Features

Integrated workflow

Threat hunting and detection investigation is performed within the workflow and console of Apex One and shows investigations across connected emails and servers. No more moving from one console to another.

Efficient endpoint recording

Endpoint Sensor records and stores information on system behaviors, communications and user behaviors. Metadata on this information is sent to the Apex One server to allow investigators to “sweep” for indicators of compromise (IoCs)

Server side IoC sweeping

The Apex One server only stores essential metadata of end user recorded data (or telemetry). This allows investigators to perform multiple searches or sweeps of this data without having to query each endpoint individually. In addition, detailed root cause investigations can be made on each endpoint directly.

Flexible searching

Investigators can search (or sweep) with multiple parameters. Searches can be made on parameters such as, specific communications, specific malware, registry activity, account activity, and running processes. Or investigators can search using industry standard OpenIOC or YARA rules.

Root cause analysis

Investigators can drill down on an interactive process tree that illustrates the full chain of attack to analyze how the detection arrived, changed, and spread by viewing activities, objects, and processes. Immediate response can be taken to terminate processes, isolate users, update security, and to sweep further.

Vendor intelligence and assistance

Layering in proactive global threat intelligence, the Trend Micro™ Smart Protection Network™ provides clarity and assistance to threat investigators. Endpoint Sensor recognizes known good objects and processes as well as known bad. Investigators can view a colour-coded root cause analysis to identify risky or unknown processes and guide in the remediation. Investigators can also access Trend Micro™ Threat Connect™ service to research our database of threat information.

Immediate response options

Apex One already provides advanced automation to remediate detections. It can automatically isolate, quarantine, block executions, roll back settings (and files, in the case of ransomware), with the option to manually respond while performing an investigation. Endpoints can be isolated, processes can be terminated, and security intelligence can be automatically updated on a per-user or enterprise-wide basis.

Advanced threat hunting

Threat hunting, based on indicators of attack (IoAs), allows investigators to develop attack discovery rules or work with the IoAs provided by Trend Micro to hunt for threats.

Open APIs

Many customers want to be able to leverage their security operations tools. Apex One has multiple built-in documented application programming interfaces (APIs) that allow the product to work with these tools.

Sandbox integration

Security investigators can select objects and manually submit them to Trend Micro sandboxes. Suspicious objects can be sent to our Trend Micro™ Deep Discovery™ network security sandboxes on-premises, or to Trend Micro Apex One™ Sandbox as a Service subscription option.

How It Works

  1. Endpoints with Trend Micro™ Apex One Endpoint Sensor enabled, and emails with Trend Micro™ Cloud App Security, will record system behaviors, user behaviors, and communications.

  2. Activity and detection data from these servers, endpoints, and emails is sent to the Trend Micro™ XDR data lake.

  3. When a detection is made, investigators can search through the data to understand the impact analysis of the detection to understand how far has it spread and who else has been compromised.

  4. Detection

  5. A full root cause analysis allows investigators to understand the cause of the detection and immediately implement a response that includes remediating affected systems and updating Apex One and Cloud App Security to block similar attacks in the future.

  6. Investigation

  7. Alternately, before a detection, investigators can search for IoAs by using various search parameters or with IoCs and YARA rules.

  8. Searching

Minimum Agent Requirements

Apex One Endpoint Sensor is available as an optional add-on to Apex One endpoint protection. It is available on-premises along with Apex One or in SaaS along with Trend Micro Apex One™ as a Service.

Apex One Endpoint Sensor is supported on the following endpoints with Apex One:


  • Windows 7 SP1 (6.1)
  • Windows 8.1 (6.3)
  • Windows 10 (10.0)

Hardware: 2 GB minimum RAM, 2 GB available disk space (3 GB recommended)


  • macOS™ Mojave 10.14
  • macOS™ High Sierra 10.13
  • macOS™ Sierra 10.12
  • OS X™ El Capitan 10.11
  • OS X™ Yosemite 10.10 or later
  • OS X™ Mavericks 10.9.5 or later

Hardware: Intel Core™ processor, 512 MB RAM minimum, 300 MB minimum disk space