Integrate Workload Security with XDR

Trend Micro XDR applies effective expert analytics and global threat intelligence using data collected across multiple vectors - email, endpoints, servers, cloud workloads, and networks.

To integrate Workload Security with XDR, you'll need to register to Trend Micro XDR.

Register to Trend Micro XDR

  1. Obtain the XDR enrollment token from your organization's XDR administrator.

    Your organization's XDR administrator can follow the steps here to obtain the token.

    Note: The token is only valid for 24 hours after it's generated. If it expires, generate a new one using the same steps.

  2. In Workload Security, go to Administration > System Settings > Trend Micro XDR.
  3. Click Register enrollment token.
  4. In the pop-up window, paste the enrollment token you received from your organization's XDR administrator and click Register.

After registration has completed successfully, Workload Security automatically forwards data to the Trend Micro XDR platform, where it is analyzed.

Forwarding logs to XDR

After successfully registering to Trend Micro XDR, the Forward activity logs to Trend Micro XDR setting is enabled by default. When this configuration is enabled, events from the following protection modules are forwarded to Trend Micro XDR:

  • Anti-Malware
  • Web Reputation
  • Integrity Monitoring
  • Log Inspection
  • Intrusion Prevention

If you'd like to stop forwarding logs to Trend Micro XDR, go to Administration > System Settings > Trend Micro XDR and deselect the Forward activity logs to Trend Micro XDR option.

Enable Activity Monitoring

This feature is part of a controlled release and is in preview.

If you are currently participating in the Activity Monitoring preview, you must upgrade to Deep Security Agent 20.0.0-1304 (or a newer version) by November 16, 2020. If you do not upgrade your agents, Activity Monitoring data will stop being collected on November 16, 2020.

Activity Monitoring is a security policy that takes your detection and response support to the next level, providing complete visibility of your workloads. When Activity Monitoring is enabled, the following activity information is forwarded to Trend Micro XDR:

  • Process activity
  • File activity
  • Network activity
  • Connection activity
  • Domain query activity
  • Registry activity (Windows only)
  • User account activity (Windows only)

To configure Activity Monitoring:

  1. Before enabling Activity Monitoring, ensure agents have outbound connectivity to:
    • Source: Deep Security Agent
    • Destination: ak5ih4ev105f2-ats.iot.us-east-1.amazonaws.com
    • Port: 443

    This is the network connection that the agents will use to send data to the XDR data lake.


  2. Follow the steps above to register to Trend Micro XDR and forward logs to XDR.
  3. Navigate to the Workload Security console and go to the Policies tab.
  4. Double-click the policy where you want to enable Activity Monitoring.
  5. Click Activity Monitoring > General.
  6. For Activity Monitoring State, select On.
  7. Click Save.
Screenshot of Activity Monitoring

Activity Monitoring is now enabled and your activity logs will be sent to Trend Micro XDR, providing better visibility and protection to your workloads.