AWS CloudTrail integration

This feature is currently in private preview and is not available to all Trend Cloud One customers.

If you have both a Trend Vision One and a Trend Cloud One account, you can use the AWS CloudTrail integration to forward your AWS CloudTrail logs to Trend Vision One.

Connect AWS CloudTrail

  1. Obtain the enrollment token from your organization's administrator.

    Your organization's XDR administrator can follow the steps here to obtain the token.

    The token is only valid for 24 hours after it's generated. If it expires, generate a new one using the same steps.

  2. On the Trend Cloud One console home page, click the Integrations icon and select Vision One.

  3. Select Trend Vision One on the navigation bar and then click Register enrollment token.

  4. Paste the enrollment token you received from your organization's administrator and click Register.

    After successful registration, Trend Cloud One - Endpoint & Workload Security automatically forwards activity logs to Trend Micro XDR and changes the Enrollment Status to Registered.

  5. If you want to allow Single Sign-On (SSO) from Trend Vision One to Endpoint & Workload Security, enable SSO from the Trend Vision One toggle and click Save.

  6. In the Trend Vision One console, enable the connections to your Trend Cloud One services:

    1. Go to Point Product Connection > Product Connector.
    2. Select Trend Cloud One.
    3. Verify that the AWS CloudTrail service is enabled.
    4. Click Save.
  7. Connect an AWS account to Trend Cloud One to provide read-only access to your AWS CloudTrail data.

    1. Open your Trend Cloud One console and click Integrations at the bottom of the screen.
    2. Click Cloud Accounts on the navigation bar.
    3. Click New.
    4. Open a new browser window and sign in to your AWS account.
    5. Back in the Connect AWS Account screen, select your AWS region and click Launch Stack to open the AWS management console in a new browser tab to run the IAM role creation template.
    6. In the Quick create stack screen, scroll down to the Capabilities section.
    7. Select the I acknowledge that AWS CloudFormation might create IAM resources checkbox.
    8. Click Create stack.
  8. To connect CloudTrail to Trend Cloud One, launch the CloudFormation template for your AWS account:

    1. Open your Trend Cloud One console and click Integrations at the bottom of the screen.
    2. Select Trend Vision One™ on the navigation bar.
    3. Click User Accounts on the navigation bar and ensure that you are viewing the AWS tab.
    4. Select the AWS account that you want to use to manage the CloudTrail integration.
    5. Click Enable next to AWS CloudTrail integration to open the AWS CloudTrail Integration panel.
    6. Open a new browser window and sign in to the AWS account.
    7. In the AWS CloudTrail Integration panel, select the AWS region used in the CloudFormation template.
    8. Click Launch Stack to automatically launch the CloudFormation template into your AWS account.

      Your browser automatically opens a new tab and displays the Quick create stack screen for your AWS account.

    9. In the Parameters section, use the ExistingCloudtrailBucketName field to specify the name of an existing bucket to use for forwarding to Trend Cloud One.

      If you do not specify an existing CloudTrail bucket resource, a new bucket will be created for you and will incur additional AWS costs.

    10. Acknowledge all access rights in the Capabilities section.

    11. Click Create stack.

      After you create the stack, it takes at least 15 minutes before data collection begins.

  9. Verify that CloudTrail data collection is working by searching for data in the Search app:

    1. In the Trend Vision One console, go to XDR Threat Investigation > Search.
    2. Change the Search Method to Cloud Activity Data.
    3. Perform a quick search to locate CloudTrail data. For example, type the following search string and click Search: productCode:sct

After verifying that the CloudTrail data collection is working, you can start receiving alerts on any CloudTrail events that trigger a detection model in the Workbench app (XDR Threat Investigation > Workbench).