Trend Micro Vision One (XDR) File Collection

File Collection lets you collect objects directly from the Trend Micro Vision One (XDR) interface.

If you connect your agents and relays to the 'primary security update source' via a proxy, File Collection automatically uses the same proxy settings.


Workload Security uses an IoT mechanism to transmit messages and events to Trend Micro Vision One (XDR). If you need to restrict the URLs allowed in your environment, configure your firewall to include the "Event Channel - XDR Activity Monitoring" FQDNs from the Workload Security URLs table.

Collect objects using File Collection

To collect objects using File Collection:

  1. Trigger File Collection
  2. Create a File Collection task
  3. Monitor task status
  4. Download sample file

Trigger File Collection

After identifying the object that you want to collect, you can trigger File Collection from either of the following:

From the Trend Micro Vision One Search App :
  1. Right-click on one of the following from "Search App events":
    • processFilePath
    • objectFilePath
    • parentFilePath
  2. Select Collect File.

The Collect File Task window appears.

From the Trend Micro Vision One Workbench (under XDR ):

Right-click on the file icon for the object you want to collect and select Collect File.

The Collect File Task window appears.

Create a File Collection Task

  1. From the Collect File Task window, select the checkbox for the task.
  2. (Optional) Enter a description for the response or event.
  3. Select Create.

A Security Agent will begin creating the task.

A Security Agent normally creates a collect file task within 20 minutes. If the Security Agent is offline, the task is queued until the Security Agent comes online.

Monitor task status

You can monitor tasks from the Response Management tab.

Task statuses include:

  • In progress: Trend Micro Vision One sent the command to the managing server and is waiting for a response.
  • Queued: The server queued the command due to a high volume of requests or because the Security Agent was offline.
  • Successful: The managing server successfully received the command.
  • Unsuccessful: An error or time-out occurred when attempting to send the command to the managing server.

Download sample file

Downloading samples could harm your endpoint. Trend Micro Vision One automatically stores sample files in a password-protected ZIP archive. Please ensure that you take the necessary precautions before continuing.

  1. In the Response Management tab, select "Collect File" from the pulldown menu and select download .
  2. In the popup window, select Download.
  3. In the Download File window, record the password for the archived sample.
  4. Select Download to download the file.

Troubleshoot common issues

To troubleshoot common issues with File Collection, check the following settings in your Workload Security console:

Trend Micro Vision One settings

In the Trend Micro Vision One (XDR) tab (Administration > System Settings > Trend Micro Vision One (XDR)), make sure that:

  • Enrollment status is "Registered"
  • Forward security events to Trend Micro Vision One has its checkbox selected

Security module settings for your computer(s)

In the Activity Monitoring tab for your computer(s) (Computers > (Right- or- double-click) Details > Activity Monitoring > General), make sure Configuration is set to "On" or "Inherited (On)."

You can also enable Activity Monitoring for computers by enabling it in the policy assigned to them. From the Policies tab, double-click the policy you want to enable Activity Monitoring for. Go to the Activity Monitoring > General and make sure that "Activity Monitoring State" is set to "On."

If you've checked the requirements and troubleshoot common issues sections but are still experiencing problems, please contact support.