Integrate Workload Security with Trend Micro Vision One

The XDR capabilities of Trend Micro Vision One apply effective expert analytics and global threat intelligence using data collected across multiple vectors: email, endpoints, servers, cloud workloads, and networks.

To integrate XDR with Workload Security, you'll need to register with Trend Micro Vision One (XDR).

Register with Trend Micro Vision One (XDR)

  1. Obtain the enrollment token from your organization's administrator.

Your organization's XDR administrator can follow the steps here to obtain the token.

The token is only valid for 24 hours after it's generated. If it expires, generate a new one using the same steps.

  2. In Workload Security, go to Administration > System Settings > Trend Micro Vision One (XDR).
  3. Click Register enrollment token.
  4. In the pop-up window, paste the enrollment token you received from your organization's administrator and click Register.

After registration has completed successfully, Workload Security automatically forwards data to the Trend Micro Vision One (XDR) platform, where it is analyzed.

Forward security events to Trend Micro Vision One (XDR)

After successfully registering with Trend Micro Vision One (XDR), the Forward security events to Trend Micro Vision One setting is enabled by default. When this configuration is enabled, events from the following protection modules are forwarded to the Trend Micro Vision One (XDR) platform:

  • Anti-Malware
  • Web Reputation
  • Integrity Monitoring
  • Log Inspection
  • Intrusion Prevention
  • Activity Monitoring

If you'd like to stop forwarding events, go to Administration > System Settings > Trend Micro Vision One (XDR) and deselect the Forward security events to Trend Micro Vision One option. If you have connected your agents and relays to the 'primary security update source' via a proxy, XDR will automatically use the same proxy settings.

Enable Activity Monitoring

Activity Monitoring is supported on Deep Security Agent 20.0.0-1681 (20 LTS Update 2021-01-04) and newer agents.

Activity Monitoring is a security policy that takes your detection and response support to the next level, providing complete visibility of your workloads. When Activity Monitoring is enabled, the following activity information is forwarded to the Trend Micro Vision One (XDR) platform:

  • Process activity
  • File activity
  • Network activity
  • Connection activity
  • Domain query activity
  • Registry activity (Windows only)
  • User account activity (Windows only)

To configure Activity Monitoring:

  1. Before enabling Activity Monitoring, ensure agents have outbound connectivity to the XDR-related FQDNs listed in the Deep Security URLs table. This is the network connection that the agents will use to send data to the XDR data lake.
  2. Follow the steps above to register with Trend Micro Vision One (XDR) and forward events to XDR.
  3. Navigate to the Workload Security console and go to the Policies tab.
  4. Double-click the policy where you want to enable Activity Monitoring.
  5. Click Activity Monitoring > General.
  6. For Activity Monitoring State, select On.
  7. Click Save.

Activity Monitoring is now enabled and your activity logs will be sent to the Trend Micro Vision One (XDR) platform, providing better visibility and protection to your workloads.