Trend Micro Vision One (XDR) Network Isolation

Network Isolation lets you isolate potentially compromised endpoints from the rest of your network using the Trend Micro Vision One (XDR) interface.

If you connect your agents and relays to the 'primary security update source' via a proxy, Network Isolation automatically uses the same proxy settings.

Requirements

Workload Security uses an IoT mechanism to transmit messages and events to Trend Micro Vision One (XDR). If you need to restrict the URLs allowed in your environment, configure your firewall to include the "Event Channel - XDR Activity Monitoring" FQDNs from the Workload Security URLs table.

Isolate endpoints using Network Isolation

To isolate endpoints using Network Isolation:

  1. Trigger Network Isolation
  2. Create an Isolate Endpoint Task
  3. Monitor task status

Trigger Network Isolation

After identifying the endpoint to isolate, you can trigger Network Isolation from one of the following:

From the Trend Micro Vision One Search App Search App icon:

Right-click on the endpointHostName for the endpoint you want to isolate and select Isolate Endpoint.

Trend Micro Vision One Search window with Isolate Endpoint highlighted

The Isolate Endpoint Task window appears.

From the Trend Micro Vision One Workbench (under XDR XDR icon):

Right-click on the server icon Server icon for the endpoint you want to isolate and select Isolate Endpoint.

Trend Micro Vision One Workbench window with Isolate Endpoint highlighted

The Isolate Endpoint Task window appears.

From the Trend Micro Vision One Observed Attack Techniques tab (under XDR XDR icon):

Right-click on the "Associated endpoint" that you want to isolate and select Isolate Endpoint.

Trend Micro Vision One Observed Attack Techniques window

The Isolate Endpoint Task window appears.

Create an Isolate Endpoint Task

From the Isolate Endpoint Task window:

  1. Optional: Enter a description for the task.
  2. Select Create to start the task.

Isolate Endpoint Task dialog box

Monitor task status

You can monitor tasks from Response Management Response Management icon.

Task status indicates whether or not the managing server was able to successfully receive and execute a command. If the command target is a Security Agent, the Task status does not necessarily indicate that the target Security Agent or object successfully executed the command.

Task statuses include:

  • In Progress icon In progress: Trend Micro Vision One sent the command to the managing server and is waiting for a response.
  • Queued icon Queued: The server queued the command due to a high volume of requests or because the Security Agent was offline.
  • Successful icon Successful: The managing server successfully received the command.
  • Unsuccessful icon Unsuccessful: An error or time-out occurred when attempting to send the command to the managing server.

You can locate tasks by using the Search field or selecting "Isolate Endpoint" from the Action drop-down list.

Restore connection to an endpoint

After resolving the security issue(s) on an isolated endpoint, you can restore its network connectivity from Response Management Response Management icon:

Select the options button Options icon beside the endpoint and select Restore Connection.

Response Management window

Troubleshoot common issues

To troubleshoot common issues triggering Network Isolation or Restore Connection, check the following settings in your Workload Security console:

Trend Micro Vision One settings

In the Trend Micro Vision One (XDR) tab (Administration > System Settings > Trend Micro Vision One (XDR)), make sure that:

  • Enrollment status is "Registered"
  • Forward security events to Trend Micro Vision One has its checkbox selected

Workload Security System Settings with Trend Micro Vision One (XDR) tab displayed

Security module settings for your computer(s)

In the Activity Monitoring tab for your computer(s) (Computers > (Right- or- double-click) Details > Activity Monitoring > General), make sure Configuration is set to "On" or "Inherited (On)."

Activity Monitoring properties

You can also enable Activity Monitoring for computers by enabling it in the policy assigned to them. From the Policies tab, double-click the policy you want to enable Activity Monitoring for. Go to the Activity Monitoring > General and make sure that "Activity Monitoring State" is set to "On."

If you've checked the requirements and troubleshoot common issues sections but are still experiencing problems, please contact support.