Trend Micro Vision One (XDR) Network Isolation

Network Isolation lets you isolate potentially compromised endpoints from the rest of your network using the Trend Micro Vision One (XDR) interface.

Requirements

Isolate endpoints using Network Isolation

To isolate endpoints using Network Isolation:

  1. Trigger Network Isolation
  2. Create an Isolate Endpoint Task
  3. Monitor task status

Trigger Network Isolation

After identifying the endpoint to isolate, you can trigger Network Isolation from one of the following:

From the Trend Micro Vision One Search App:

Right-click on the endpointHostName for the endpoint you want to isolate and select Isolate Endpoint.

The Isolate Endpoint Task window appears.

From the Trend Micro Vision One Workbench (under XDR):

Right-click on the server icon for the endpoint you want to isolate and select Isolate Endpoint.

The Isolate Endpoint Task window appears.

From the Trend Micro Vision One Observed Attack Techniques tab (under XDR):

Right-click on the "Associated endpoint" that you want to isolate and select Isolate Endpoint.

The Isolate Endpoint Task window appears.

Create an Isolate Endpoint Task

From the Isolate Endpoint Task window:

  1. Optional: Enter a description for the task.
  2. Select Create to start the task.

Monitor task status

You can monitor tasks from Response Management.

Task status indicates whether or not the managing server was able to successfully receive and execute a command. If the command target is a Security Agent, the Task status does not necessarily indicate that the target Security Agent or object successfully executed the command.

Task statuses include:

  • In progress: Trend Micro Vision One sent the command to the managing server and is waiting for a response.
  • Queued: The server queued the command due to a high volume of requests or because the Security Agent was offline.
  • Successful: The managing server successfully received the command.
  • Unsuccessful: An error or time-out occurred when attempting to send the command to the managing server.

You can locate tasks by using the Search field or selecting "Isolate Endpoint" from the Action drop-down list.

Restore connection to an endpoint

After resolving the security issue(s) on an isolated endpoint, you can restore its network connectivity from Response Management:

Select the options button beside the endpoint and select Restore Connection.

Troubleshoot common issues

To troubleshoot common issues with triggering Network Isolation or Restore Connection, check the following settings in your Workload Security console:

Trend Micro Vision One settings

In the Trend Micro Vision One (XDR) tab (Administration > System Settings > Trend Micro Vision One (XDR)), make sure that:

  • Enrollment status is "Registered"
  • Forward security events to Trend Micro Vision One has its checkbox selected

Security module settings for your computer(s)

In the Activity Monitoring tab for your computer(s) (Computers > (right-click or double-click) Details > Activity Monitoring > General), make sure Configuration is set to "On" or "Inherited (On)."

You can also enable Activity Monitoring for computers by enabling it in the policy assigned to them. From the Policies tab, double-click the policy you want to enable Activity Monitoring for. Go to Activity Monitoring > General and make sure that "Activity Monitoring State" is set to "On."

If you've checked the Requirements and Troubleshoot common issues sections but are still experiencing problems, please contact support.