Table of contents

Integrate Workload Security with Trend Micro Vision One

The XDR capabilities of Trend Micro Vision One applies effective expert analytics and global threat intelligence using data collected across multiple vectors - email, endpoints, servers, cloud workloads, and networks.

To integrate XDR with Workload Security, you'll need to register with both Trend Micro Cloud One and Trend Micro Vision One (XDR).

If you are already registered to Trend Micro Vision One through Trend Micro Cloud One Workload Security, we recommend that you unregister from Workload Security and re-register in Trend Micro Cloud One.

Register with Trend Micro Vision One (XDR)

  1. Obtain the enrollment token from your organization's administrator.

    Your organization's XDR administrator can follow the steps here to obtain the token.

    The token is only valid for 24 hours after it's generated. If it expires, generate a new one using the same steps.

  2. On the Trend Micro Cloud One console home page, click the Integrations icon and select Vision One.

  3. Select Trend Micro Vision One on the navigation bar and then click Register enrollment token.

  4. In the pop-up window, paste the enrollment token you received from your organization's administrator and click Register.

  5. On the Vision One Product Connector page, enable Endpoint & Workload Security in "Trend Micro Cloud One".

After registration has completed successfully, the connection status of "Endpoint & Workload Security" will be "Connected" in the Trend Micro Cloud One portal.

Forward security events to Trend Micro Vision One (XDR)

After successfully registering with Trend Micro Vision One (XDR), the Forward security events to Trend Micro Vision One setting is enabled by default. When this configuration is enabled, events from the following protection modules are forwarded to the Trend Micro Vision One (XDR) platform:

  • Anti-Malware
  • Web Reputation
  • Device Control
  • Integrity Monitoring
  • Log Inspection
  • Intrusion Prevention
  • Activity Monitoring

If you'd like to stop forwarding events, go to the Vision One Administrator > Product Connector page and disable the "Endpoint & Workload Security" in "Trend Micro Cloud One". If you have connected your agents and relays to the 'primary security update source' via a proxy, XDR will automatically use the same proxy settings.

Enable Activity Monitoring

Activity Monitoring is supported on agent version 20.0.0-1681 (20 LTS Update 2021-01-04) and newer on Linux, Windows, and Unix. Activity Monitoring is supported on agent version 20.0.0-158+ (20 LTS Update 2022-07-11) on macOS.

Activity Monitoring is a security policy that takes your detection and response support to the next level, providing complete visibility of your workloads. When Activity Monitoring is enabled, the following activity information is forwarded to the Trend Micro Vision One (XDR) platform:

  • Process activity
  • File activity
  • Network activity
  • Connection activity
  • Domain query activity
  • Registry activity (Windows only)
  • User account activity (Windows and macOS only)

To configure Activity Monitoring:

  1. Before enabling Activity Monitoring, ensure agents have outbound connectivity to the FQDNs that are related to XDR listed in the Workload Security URLs table. This is the network connection that the agents will use to send data to the XDR data lake.
  2. Follow the steps above to register with Trend Micro Vision One (XDR) and forward events to XDR.
  3. Navigate to the Workload Security console and go to the Policies tab.
  4. Double-click the policy where you want to enable Activity Monitoring.
  5. Click Activity Monitoring > General.
  6. For Activity Monitoring State, select On.
  7. Click Save.

Screenshot of Activity Monitoring

Activity Monitoring is now enabled and your activity logs will be sent to the Trend Micro Vision One (XDR) platform, providing better visibility and protection to your workloads.