Forward AWS CloudTrail logs to Trend Micro Vision One
This feature is part of a controlled release and is in Preview. Content on this page is subject to change.
Limitations of the private preview
- Upgrade of the CloudTrail client is not supported. To re-deploy, delete the existing CloudTrail Client and then pull the new one.
- After generating the create stack link, it is valid for 30 days. After 30 days, the CloudTrail logs are no longer forwarded to Trend Micro Vision One and you will need to re-generate the create stack link, delete previous stacks, and then deploy new stacks with the updated link.
The XDR capability of Trend Micro Vision One applies effective expert analytics and global threat intelligence using data collected across multiple vectors - email, endpoints, servers, cloud workloads, and networks. Trend Micro Vision One can also analyze the AWS CloudTrail logs from your AWS Accounts, identify threats and attacks, alert you to problems, and create a visualization of the log.
There are 3 steps required to start forwarding your CloudTrail logs to Trend Micro Vision One:
- Step 1: Enroll for the preview and enable Trend Micro Vision One
- Step 2: Deploy the CloudTrail Client in your AWS account
- Step 3: Access the CloudTrail data in Trend Micro Vision One
Step 1: Enroll for the preview and enable Trend Micro Vision One
If you are selected to participate in this private preview, a representative from the Trend Micro Cloud One team will contact you. If you want to participate, the representative enables the XDR feature for your account and provides you with a link.
1. In Trend Micro Vision One, obtain an enrollment token that you'll use to register Trend Micro Cloud One to Trend Micro Vision One. For details on how to do this, refer to the Trend Micro Vision One documentation.
2. Use the link provided by the Trend Micro Cloud One representative to log in to Trend Micro Cloud One with an email and password.
   Legacy sign-ins are not supported with this feature.
3. Go to https://cloudone.trendmicro.com/management/vision-one, select Register enrollment token, and register using the enrollment token you obtained in step 1.
4. If the Trend Micro Vision One connection status is "Connecting", click Refresh. It displays as "Connected" when the feature is enabled.
   In the Trend Micro Vision One portal, the Product Connector page indicates that the CloudTrail service is enabled.
Step 2: Deploy the CloudTrail Client in your AWS account
1. Generate an API Key for use with the CloudTrail Client.
2. Make a POST request to the CloudTrail service API:
   https://cloudtrail.us-1.cloudone.trendmicro.com/api/stacks
   For example, send the request from Postman, or get the link using a curl command:
   curl --location --request POST 'https://{{SERVICE-CLOUD-TRAIL}}/api/stacks' \
   --header 'Authorization: ApiKey {{C1_API_KEY}}' \
   --header 'Api-Version: v1' \
   --data-raw ''
3. Use AWS CloudFormation to create a stack. Click the createStackURL link generated by the previous step, which redirects you to https://console.aws.amazon.com/cloudformation/. Check the access capabilities and select Create Stack. Wait until the status changes to "CREATE_COMPLETE".
   For details, see Creating a stack on the AWS CloudFormation console in the AWS documentation.
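The request above, scripted end to end, as an added example that is not Trend Micro's own code: it builds the POST /api/stacks call with the same Authorization and Api-Version headers as the curl command, extracts the createStackURL from the response, checks that the link really points at the AWS CloudFormation console before anyone opens it, and tracks the 30-day validity window described in the preview limitations so the stack can be re-deployed before forwarding stops. The JSON shape of the response (an object with a createStackURL key) is an assumption taken from the page's wording, and the service host and API key in the main block are placeholders to be filled in.

```python
"""Added example (not Trend Micro's own code): request a CloudTrail Client
create-stack link from the Cloud One CloudTrail service and sanity-check it.

Assumptions not confirmed by the page: the POST /api/stacks response is a JSON
object carrying the link under the key "createStackURL"; the service host and
API key used in the main block are placeholders the operator replaces.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# From the page: the generated create-stack link is valid for 30 days.
LINK_VALIDITY = timedelta(days=30)
# From the page: the link redirects to https://console.aws.amazon.com/cloudformation/
CLOUDFORMATION_HOST = "console.aws.amazon.com"


def build_request(service_host: str, api_key: str) -> urllib.request.Request:
    """Build the POST /api/stacks request with the headers the curl example uses."""
    return urllib.request.Request(
        url=f"https://{service_host}/api/stacks",
        data=b"",  # empty body, matching --data-raw ''
        method="POST",
        headers={
            "Authorization": f"ApiKey {api_key}",
            "Api-Version": "v1",
        },
    )


def _send(req: urllib.request.Request) -> bytes:
    """Default transport: perform the HTTPS call and return the raw body."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def request_create_stack_url(service_host: str, api_key: str, send=_send) -> str:
    """POST to /api/stacks and return the createStackURL from the JSON response."""
    body = json.loads(send(build_request(service_host, api_key)).decode("utf-8"))
    try:
        # Field name taken from the page; the JSON layout itself is assumed.
        return body["createStackURL"]
    except (KeyError, TypeError):
        raise ValueError("response did not contain createStackURL") from None


def is_cloudformation_console_link(url: str) -> bool:
    """Check that the link targets the AWS CloudFormation console over HTTPS.

    Accepts console.aws.amazon.com and its regional subdomains; rejects plain
    http, other hosts, and console paths outside /cloudformation/.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    return (
        parsed.scheme == "https"
        and (host == CLOUDFORMATION_HOST or host.endswith("." + CLOUDFORMATION_HOST))
        and parsed.path.startswith("/cloudformation/")
    )


def link_expiry(generated_at: datetime) -> datetime:
    """Instant at which a link generated at `generated_at` stops working."""
    return generated_at + LINK_VALIDITY


def link_is_expired(generated_at: datetime, now: datetime) -> bool:
    """True once the 30-day window has passed: re-generate the link and redeploy."""
    return now >= link_expiry(generated_at)


if __name__ == "__main__":
    # Placeholders: the endpoint from the page and an API key from the Cloud One console.
    link = request_create_stack_url(
        "cloudtrail.us-1.cloudone.trendmicro.com", "REPLACE_WITH_C1_API_KEY"
    )
    if not is_cloudformation_console_link(link):
        raise SystemExit(f"unexpected createStackURL target: {link}")
    print("open this link to create the stack:", link)
    print("link expires at:", link_expiry(datetime.now(timezone.utc)).isoformat())
```

The `send` parameter exists so the HTTP call can be swapped out (for testing, or for a proxy-aware client) without changing the request construction; record the time you generated the link alongside the stack name, because the page's 30-day limit means the existing stack must be deleted and re-created with a fresh link once `link_is_expired` turns true.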
Step 3: Access the CloudTrail data in Trend Micro Vision One
After it's been deployed, the CloudTrail Client automatically starts to collect data. See Getting and viewing your CloudTrail log files in the AWS documentation.
Trend Micro Cloud One uses the token to authenticate the request from the CloudTrail Client and then forwards the data.
You can search for CloudTrail events in the Trend Micro Vision One console using the Cloud Activity Data search method.
If a CloudTrail event matches a Security Analytics Engine filter in Trend Micro Vision One, a detection is shown in the Workbench app, which displays a root cause analysis graph of the malicious CloudTrail event.