Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect,
and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated.
All other product or company names may be trademarks or registered trademarks of
their owners.
Portions of this manual have been reprinted with permission from other Trend Micro
documents. The names of companies, products, people, characters, and/or data
mentioned herein are fictitious and are in no way intended to represent any real
individual, company, product, or event, unless otherwise noted. Information in this
document is subject to change without notice.
Trend Vision One XDR Training for Certified Professionals ‐ Student Guide
Course Objectives
After completing this course, participants will be able to:
• Describe the benefits of an XDR solution
• Connect Trend Micro products to Trend Vision One
• Collect telemetry from endpoints, email, the Web, and the network
• Integrate third‐party products with Trend Vision One
• Interpret and navigate through Workbenches
• Use the Search tools to locate information in the data lakes
• Create Playbooks to streamline incident response activities
Target Audience
The four columns in this graphic represent four stages of maturity for threat intelligence
programs within an organization.
The columns to the left highlight the groups with no, or little, threat intelligence
resources. The columns to the right are those who have developed strong threat
intelligence programs.
This course is geared to members of organizations in the first two columns who are new
to, or have limited knowledge of, Trend Vision One.
This course is also beneficial to administrators responsible for performing initial setup
operations such as connecting products to Trend Vision One and enabling endpoint
sensors on devices.
This material is most useful for those who fall within group 1 and 2 in the displayed
chart, for example, those with no dedicated threat intelligence analysts.
XDR Focus
• Trend Vision One includes a wide variety of powerful capabilities for security operations teams to detect, investigate, prioritize and respond to threats more quickly
• This course focuses on the product’s Extended Detection and Response (XDR) capabilities
Trend Vision One includes a wide variety of powerful capabilities for security operations
teams to detect, investigate, prioritize and respond to threats more quickly.
This course focuses on the product’s Extended Detection and Response (XDR)
capabilities.
Other topics, such as risk, zero trust threat access and threat hunting will be addressed
in future course offerings.
Prerequisites
• We recommend you complete the following e‐learning course on the Trend Micro Education portal before attending this course:
The Vision One Fundamentals e‐learning course on the Trend Micro Education portal is
recommended before taking this course.
If you complete this 45‐minute self‐paced session online, you will have foundation
knowledge to gain the most from this course.
Hands‐on Labs
Many of the lessons in this course are accompanied by hands‐on labs, delivered
through a cloud environment. Participants must register for a free 90‐day Trend Vision
One trial account as part of the hands‐on labs. It is not recommended that participants
use their own corporate Trend Vision One accounts.
The Trend Micro Education Portal is the centralized repository for all Trend Micro training resources. Each class participant requires an Education Portal account to access class‐related resources, including self‐paced learning options, eBooks and the Certification Exam.
The Trend Micro Education Portal is the centralized repository for all Trend Micro
training resources. Each class participant requires an Education Portal account to access
class‐related resources, including the Certification Exam.
The portal is customized for your relationship with Trend Micro, for example, Customer,
Partner or Employee.
The portal gives you access to class‐related resources, including self‐paced learning
options, eBooks and the Certification Exam.
You must create an account on the Education Portal before the last day of class. Access
the portal using the listed URLs based on your relationship with Trend Micro.
Then, you can log in at any time using the Portal with User ID and Password.
Make sure you can access the portal before the last day of class
Housekeeping
Introductions
Name?
Organization?
Role?
Experience with Trend Micro products?
Expectations for this class?
Lesson 1:
XDR Concepts
This first module introduces some of the concepts related to Extended Detection and
Response (XDR).
Lesson Objectives
After completing this lesson, participants will be able to:
• Describe Extended Detection and Response (XDR)
• List the types of telemetry collected from devices in the infrastructure
• Describe how correlation is important to XDR
• Describe MITRE ATT&CK and how it is helpful
Slide graphic: silos of visibility (Servers, Email, Network, Endpoints)
In many organizations, the broadened attack surface along with the volume and
complexity of threats have complicated the job of the security analyst. Investigating and
dealing with malware, threats and attacks is complicated even further by silos of
visibility. While Endpoint Detection and Response (EDR) functionality in desktop
security applications, like Trend Micro Apex One, can provide detailed visibility into
suspicious activities on endpoint computers, attacks rarely stay siloed within the
endpoint environment. Malware can move throughout the environment, possibly
affecting servers, cloud workloads, email systems and more. If separate, siloed views of
security alerts for network traffic analysis, server and cloud workloads, email and
endpoints are in place, it can be difficult for the security team to piece together the
viewpoints of these silos to figure out what has happened and what areas were
affected by the attacks.
Slide graphic: Servers, Email, Network, Endpoints, each sending alerts to the Security Analyst
Each of these silos of security details may be sending an overwhelming volume of alerts
without any context or correlation with other events. This makes it difficult to decide
what is important from the large number of log entries and see how alerts are related.
Slide graphic: an attacker moving across Servers, Email, Network, Endpoints
Attackers don’t stay in these silos. They move throughout the environment and then it’s
up to the security team to piece together viewpoints of the different silos to figure out
what happened.
Slide graphic: XDR spanning Servers, Email, Network, Endpoints
An Extended Detection and Response (XDR) approach delivers faster detection and
response across the entire environment since it breaks down these different silos of
visibility and it tells a story of the attack without making the Security Operations team
dig through a huge collection of noisy alerts. XDR collects telemetry from endpoints,
servers in the data center or the cloud, email, and the network. Using artificial
intelligence, automation and big data analysis techniques, XDR builds a story view,
saving time for investigators tasked with protecting the organization from digital attack.
XDR finds attacks within the noise of alerts and telemetry with powerful detection
models. Security teams can detect threats faster, understand more easily what
happened and shut down an attack sooner. With correlated detection, better alerting,
and an ability to investigate leads, organizations are less likely to suffer bottom‐line
consequences from business risks.
Slide graphic: data on mobile, data on network and data on clients flowing into the data lake
How are we going to break down these silos of visibility through XDR?
Data collected from different sources in the environment is stored in a centralized data
lake. From that collection of data, XDR analysis can be performed.
A data lake is a centralized repository that allows you to store all your structured and
unstructured data at any scale. You can store your data as‐is, without having to first
structure the data, and run different types of analytics—from dashboards and
visualizations to big data processing, real‐time analytics, and machine learning to guide
better decisions.
Telemetry
Telemetry from all the different sources in the environment is collected in the data lake.
This telemetry includes:
Security Events are generated by protection modules hosted on the devices, such as
anti‐malware, virtual patching/IPS, Web reputation, etc. A Trend Micro‐managed
security agent is required on the devices to generate this information, which is then
forwarded for storage.
Activity monitoring includes internal system activities such as registry changes, user
creation/deletion, cronjobs and scheduled tasks, processes starting/stopping, software
installed/removed, network connections to IPs or domains, etc. An endpoint sensor is
required to collect this data and forward it for storage.
Simply dealing with security events generated by endpoint protection is just not
enough to get a full idea of what is happening in the environment.
A local cache will be used in cases where devices cannot communicate with the data
lake. The sensor continues to collect data when disconnected from the network, but
will forward this cached data once the connection is re‐established.
Source: https://success.trendmicro.com/solution/000286401
Email
Since the majority of malware enters through email, collecting email telemetry is very
important. It can answer questions such as:
• Who else received this email or a similar threat?
• Are there compromised accounts sending internal phishing emails?
Endpoint
Since most attacks involve users’ computers, collecting telemetry from endpoint
computers is also important.
• It can help locate threats hidden amongst large amounts of endpoint telemetry
• It can also help identify what happened within the endpoint and how the threat
propagated
Network
Network telemetry can help cover blind spots, for example, with unmanaged devices,
internet of things or operational technologies.
• Examining the network telemetry can help identify how an attacker is moving across
the organization
• How are they communicating outside the network
Workloads
Applications running on servers within the data center are critical to business
operations. Any compromise to these servers can severely hamper the business.
• Examining the detections from the Agents installed on the servers as well as other
activity data being collected from the servers can help paint a complete picture of
what is happening within the workloads.
Correlation
How is Trend Vision One going to filter through the large amount of data within the
data lake?
Trend Vision One uses filters contained in the detection models to correlate events
within the activity data in the data lake using a variety of techniques including data
stacking, machine learning, expert rules, and more.
Low‐level activities that may seem benign, harmless or insignificant on their own may
reveal an attack when tied together to create a full story.
Correlation
• Detection models written by Trend Micro threat experts correlate events
• Uses a variety of powerful analytic techniques including data stacking, machine learning and expert rules
• Regular scanning of event and activity data in the data lake
Trend Vision One uses detection models written by Trend Micro threat experts
to correlate events within the security event and activity data in the data lake using a
variety of techniques including data stacking, machine learning and expert rules. These
automated and cross‐layer detection models tie together low‐level events that seem
benign or insignificant on their own to help uncover stealthy attackers.
This type of data analysis would be impossible to do manually due to the sheer volume
of data collected.
Slide graphic: security alerts (but not all events) flowing to the SIEM
To illustrate the value of Trend Vision One compared to Security Information and Event
Management (SIEM) or Endpoint Detection and Response (EDR) solutions, let's look at
an example of the types of data going to SIEM, EDR, and XDR.
In this example, a user opened a Word attachment through a phishing email.
This attachment:
• Launched PowerShell
• Connected to a Command & Control server
• Stole AWS credentials to open a new container to migrate to an existing container
In this case the Command & Control communication generated an alert which was sent
to the SIEM. This one alert may be lost in the sea of alerts going to the SIEM, while at
the same time it doesn't have enough data to provide full details of what is happening.
With Endpoint Detection and Response, the security analyst has information on endpoint
activity related to this attack, but this data is still missing the beginning and ending of this
story, which occur before and after the endpoint.
XDR through Trend Vision One goes further as it collects activity information from not
only the endpoints but also from email, containers, and network. To the SIEM, Trend
Vision One sends a single, high‐fidelity alert (referred to as a Workbench in Trend
Vision One) that tells the story of this attack from beginning to end.
The Splunk Add‐on for Vision One is like the Workbench list: it shows you the list of
Workbench alerts that were triggered by XDR Security Analytics Engine (SAE) Detection
Models. Unlike regular syslog forwarding, the Splunk Add‐on calls the Vision One API to
get the list of workbenches.
This allows Vision One to:
• Fit within existing SIEM workflow
• Receive correlated, high‐fidelity alerts
• Help with triaging and narrowing down to the events that need attention and
escalating
• Enable analysts to be more efficient
Correlation is critical
Correlated detections
Legend: Raw Activity, Known Bad, Suspicious Activity, High Quality Alert
XDR finds attacks within the noise of alerts and telemetry with powerful detection
models.
1) Raw activity telemetry is ingested from endpoint, server, cloud, email, network
2) Filters use a variety of techniques including data stacking, machine learning, expert
rules, etc., to find tactics, techniques, and correlated events
3) Detection models combine filters to surface attacks. Detection models are written
by Trend Micro threat experts and are frequently updated and added to
4) Detection model alerts are investigated and responded to by either your security
team or by Trend Micro‐Managed XDR personnel (MDR service).
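The pipeline described in the last few passages (raw telemetry ingested from several layers, filters tagging single events as observed attack techniques, and a detection model combining filter hits into one correlated, Workbench‐style alert that tells the phishing‐to‐cloud story the SIEM and EDR views each miss) as an added Python example. This is illustrative code written for this guide, not Trend Vision One's detection engine or any Trend Micro code: the event schema, the filter rules, the chain order, the 24‐hour window and the minimum‐stage threshold are assumptions, and the telemetry is constructed. The ATT&CK IDs used (T1566.001, T1059.001, T1071.001, T1078.004) are real technique identifiers; which constructed event gets which tag is this example's own choice.

```python
# Added example: a toy cross-layer correlation pass. Not Trend Vision One code;
# event schema, filter rules, chain order, window and threshold are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    layer: str    # "email" | "endpoint" | "network" | "cloud"
    host: str     # device the event was seen on ("-" for cloud API calls)
    user: str     # account involved
    detail: dict  # layer-specific fields


# Stage 2: filters. Each looks at ONE raw event and names the ATT&CK technique it
# resembles, or None. A hit is an observed attack technique, not yet an alert.
def office_macro_attachment(e: Event) -> Optional[str]:
    if e.layer == "email" and e.detail.get("attachment", "").lower().endswith(".docm"):
        return "T1566.001"  # Phishing: Spearphishing Attachment
    return None


def office_spawns_powershell(e: Event) -> Optional[str]:
    if (e.layer == "endpoint"
            and e.detail.get("parent", "").lower() == "winword.exe"
            and e.detail.get("process", "").lower() == "powershell.exe"):
        return "T1059.001"  # Command and Scripting Interpreter: PowerShell
    return None


def https_to_unrated_host(e: Event) -> Optional[str]:
    if (e.layer == "network" and e.detail.get("proto") == "https"
            and e.detail.get("dst_reputation") == "unrated"):
        return "T1071.001"  # Application Layer Protocol: Web Protocols
    return None


def cloud_call_from_new_source(e: Event) -> Optional[str]:
    if e.layer == "cloud" and e.detail.get("new_source_ip") is True:
        return "T1078.004"  # Valid Accounts: Cloud Accounts
    return None


FILTERS: list[Callable[[Event], Optional[str]]] = [
    office_macro_attachment, office_spawns_powershell,
    https_to_unrated_host, cloud_call_from_new_source,
]


@dataclass(frozen=True)
class Hit:
    technique: str
    event: Event


def run_filters(events: list[Event]) -> list[Hit]:
    """Turn raw telemetry into technique hits. Still noisy: one hit is not an alert."""
    hits = []
    for e in events:
        for f in FILTERS:
            technique = f(e)
            if technique:
                hits.append(Hit(technique, e))
    return hits


# Stage 3: the detection model. Hits for the same account that follow CHAIN order
# (later stages may be missing) within WINDOW of each other form one alert once
# MIN_STAGES stages are present. Single hits, like the lone C2 alert a SIEM sees,
# never reach the threshold on their own.
CHAIN = ["T1566.001", "T1059.001", "T1071.001", "T1078.004"]
WINDOW = timedelta(hours=24)
MIN_STAGES = 3


def detect(hits: list[Hit]) -> list[dict]:
    """Return one Workbench-style alert per account whose hits tell the chain's story."""
    alerts = []
    for user in sorted({h.event.user for h in hits}):
        mine = sorted((h for h in hits if h.event.user == user), key=lambda h: h.event.ts)
        chain, stage, last_ts = [], 0, None
        for h in mine:
            if h.technique not in CHAIN:
                continue
            idx = CHAIN.index(h.technique)
            if idx >= stage and (last_ts is None or h.event.ts - last_ts <= WINDOW):
                chain.append(h)
                stage, last_ts = idx + 1, h.event.ts
        if len(chain) >= MIN_STAGES:
            alerts.append({
                "user": user,
                "severity": "high",
                "techniques": [h.technique for h in chain],
                "layers": [h.event.layer for h in chain],
                "hosts": sorted({h.event.host for h in chain if h.event.host != "-"}),
                "first_seen": chain[0].event.ts.isoformat(),
                "last_seen": chain[-1].event.ts.isoformat(),
            })
    return alerts


T0 = datetime(2023, 3, 1, 9, 0)
SAMPLE_TELEMETRY = [  # constructed for this example, not captured data
    # the attack from the guide as seen by four layers
    Event(T0, "email", "ws-101", "alice", {"subject": "Invoice", "attachment": "invoice.docm"}),
    Event(T0 + timedelta(minutes=3), "endpoint", "ws-101", "alice",
          {"parent": "WINWORD.EXE", "process": "powershell.exe"}),
    Event(T0 + timedelta(minutes=4), "network", "ws-101", "alice",
          {"proto": "https", "dst_reputation": "unrated", "dst": "203.0.113.10"}),
    Event(T0 + timedelta(hours=2), "cloud", "-", "alice", {"api": "RunInstances", "new_source_ip": True}),
    # benign noise: trips at most one filter, never forms a chain
    Event(T0, "endpoint", "ws-202", "bob", {"parent": "explorer.exe", "process": "powershell.exe"}),
    Event(T0 + timedelta(minutes=10), "network", "ws-303", "carol",
          {"proto": "https", "dst_reputation": "unrated", "dst": "198.51.100.5"}),
    Event(T0 + timedelta(minutes=20), "email", "ws-404", "dave", {"subject": "Report", "attachment": "q1.pdf"}),
]


def demo() -> tuple[list[Hit], list[dict]]:
    hits = run_filters(SAMPLE_TELEMETRY)
    return hits, detect(hits)


if __name__ == "__main__":
    hits, alerts = demo()
    print(f"{len(hits)} filter hits, {len(alerts)} correlated alert(s)")
    for a in alerts:
        print(a)
```

Five filter hits come out of the constructed telemetry, but only alice's four, spread across email, endpoint, network and cloud, chain into an alert; carol's single unrated‐host connection stays a filter hit, which is the "one alert lost in the sea of alerts" situation the SIEM comparison describes.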
Slide graphic: for a company with 1000 devices in a 7‐day period, 22 M filter hits (Observed Attack Techniques) are distilled to 7 incidents (correlated Workbench alerts)
Trend Micro investigated data across our customer base over a period of time and
distilled it down to highlight the effect correlation can have. Sifting through this large
volume of log data yourself would be difficult.
Intelligence Sharing
An important facet of XDR is the ability to share threat information with others. Sharing
mechanisms available include:
• STIX
• TAXII
• Suspicious Objects
Trend Vision One will fortify its collection of data collected from within the
environment with data collected through intelligence sharing.
STIX/TAXII was developed from a need for a threat intelligence sharing standard. STIX
and TAXII are standards developed to improve the prevention and mitigation of cyber‐
attacks. STIX states the “what” of threat intelligence, while TAXII defines “how” that
information is relayed. Unlike previous methods of sharing, STIX and TAXII are machine‐
readable and therefore easily automated.
STIX/TAXII aims to improve security measures in a few ways:
• Extend the capabilities of current threat intelligence sharing
• Balance response with proactive detection
• Encourage a holistic approach to threat intelligence
• The establishment of STIX/TAXII is an open, community‐driven effort that provides
free specifications to aid in the automated expression of cyber threat information.
Both possess an active community of developers and analysts.
Intelligence Sharing
Structured Threat Information Expression (STIX)
• Open‐source format used to exchange cyber threat intelligence
• Designed to improve collaborative threat analysis, automated threat exchange, automated detection and response, and more
• STIX states the what of threat intelligence
Intelligence Sharing
Trusted Automated Exchange of Intelligence Information (TAXII)
• Application protocol for exchanging cyber threat intelligence over HTTPS
• Designed to support the exchange of cyber threat intelligence represented in STIX
• TAXII defines how cyber threat intelligence is relayed
• Trend Vision One can subscribe to TAXII feeds from various organizations
Intelligence Sharing
Suspicious Objects
• Objects with the potential to expose systems to danger or loss
− IP address
− Domain
− URL
− Hash
• Defined manually, through sandbox analysis, or synchronized from an external source
• Trend Vision One compiles its own suspicious objects list and can synchronize with other sources
Suspicious Objects are objects with the potential to expose systems to danger or loss,
including
• IP address
• Domain
• URL
• Hash
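The STIX/TAXII and Suspicious Objects material above, as an added Python example that is not Trend Micro's code: it takes a STIX 2.1 bundle of the kind a TAXII collection returns (STIX being the "what", TAXII the "how") and extracts the four suspicious‐object kinds the guide lists, IP address, domain, URL and hash. The bundle, its placeholder identifiers and the validation rules are constructed assumptions for this example. Only the simple single‐comparison pattern form is handled; compound patterns, non‐indicator objects, revoked indicators, unsupported object types and malformed values are skipped, which is the filtering a practitioner wants before a feed is synchronized into a block list.

```python
# Added example: STIX 2.1 indicators -> suspicious objects (IP, domain, URL, hash).
# Not Trend Micro code; the sample bundle and validation rules are assumptions.
import ipaddress
import json
import re
from typing import Optional

# One STIX comparison expression: [object-type:property = 'value']
COMPARISON = re.compile(r"^\[\s*([a-z0-9-]+):([^\s=]+)\s*=\s*'([^']*)'\s*\]$")

# STIX object path -> suspicious object kind used in the guide
KIND_BY_PATH = {
    ("ipv4-addr", "value"): "ip",
    ("ipv6-addr", "value"): "ip",
    ("domain-name", "value"): "domain",
    ("url", "value"): "url",
    ("file", "hashes.MD5"): "hash",
    ("file", "hashes.'SHA-1'"): "hash",
    ("file", "hashes.'SHA-256'"): "hash",
}

DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")  # MD5 / SHA-1 / SHA-256


def is_well_formed(kind: str, value: str) -> bool:
    """Reject feed values that could never match telemetry (bad IP, odd hash length...)."""
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if kind == "domain":
        return DOMAIN_RE.fullmatch(value.lower()) is not None
    if kind == "url":
        return value.lower().startswith(("http://", "https://"))
    if kind == "hash":
        return HASH_RE.fullmatch(value.lower()) is not None
    return False


def indicator_to_suspicious_object(obj: dict) -> Optional[dict]:
    """Translate one STIX object into a suspicious object, or None when it is not a
    usable single-value indicator (other object type, revoked, non-STIX pattern,
    compound pattern, unsupported property, or malformed value)."""
    if obj.get("type") != "indicator" or obj.get("revoked", False):
        return None
    if obj.get("pattern_type", "stix") != "stix":
        return None
    m = COMPARISON.match(obj.get("pattern", ""))
    if m is None:
        return None
    obj_type, path, value = m.groups()
    kind = KIND_BY_PATH.get((obj_type, path))
    if kind is None or not is_well_formed(kind, value):
        return None
    return {
        "kind": kind,
        "value": value if kind == "url" else value.lower(),  # URL paths are case-sensitive
        "source": obj.get("id", ""),
        "valid_from": obj.get("valid_from"),
    }


def bundle_to_suspicious_objects(bundle_json: str) -> list[dict]:
    """Walk a bundle as delivered by a TAXII collection; de-duplicate by (kind, value)."""
    seen, out = set(), []
    for obj in json.loads(bundle_json).get("objects", []):
        so = indicator_to_suspicious_object(obj)
        if so is not None and (so["kind"], so["value"]) not in seen:
            seen.add((so["kind"], so["value"]))
            out.append(so)
    return out


def _ind(n: int, pattern: str, **extra) -> dict:
    """Constructed STIX 2.1 indicator with placeholder (not real) identifiers."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
            "created": "2023-03-01T00:00:00.000Z", "modified": "2023-03-01T00:00:00.000Z",
            "valid_from": "2023-03-01T00:00:00Z", "pattern_type": "stix",
            "pattern": pattern, **extra}


SAMPLE_BUNDLE = json.dumps({  # constructed sample; documentation address ranges only
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _ind(1, "[ipv4-addr:value = '203.0.113.10']"),
        _ind(2, "[domain-name:value = 'Malware.Example']"),
        _ind(3, "[url:value = 'http://malware.example/Stage2']"),
        _ind(4, "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"),
        _ind(5, "[file:hashes.MD5 = 'deadbeef']"),                       # malformed hash
        _ind(6, "[windows-registry-key:key = 'HKLM\\\\Software\\\\Run']"),  # unsupported kind
        _ind(7, "[ipv4-addr:value = '198.51.100.9']", revoked=True),     # revoked
        _ind(8, "[ipv4-addr:value = '192.0.2.1' AND url:value = 'http://a.example']"),  # compound
        _ind(9, "[ipv4-addr:value = '203.0.113.10']"),                   # duplicate of 1
        {"type": "malware", "spec_version": "2.1", "is_family": False, "name": "constructed sample",
         "id": "malware--00000000-0000-4000-8000-000000000010"},
    ],
})

if __name__ == "__main__":
    for so in bundle_to_suspicious_objects(SAMPLE_BUNDLE):
        print(so["kind"], so["value"], "from", so["source"])
```

Of the ten objects in the constructed bundle only four become suspicious objects, one of each kind; the revoked, compound, duplicate, unsupported and malformed entries are dropped rather than pushed into a block list, and the domain and hash values are normalized to lower case while the URL keeps its case.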
Research has shown that organizations using an XDR approach are better protected
and suffered half as many successful attacks over a one‐year period. Detection of
attacks is accelerated, and the organization is 2.2X more likely to detect a data breach
or successful attack in a few days or less. In addition, they are 60% less likely to report
that attack re‐propagation has been an issue.
Source: The XDR Payoff: Better Security Posture, ESG Research, Sep 2020
When you have the bigger picture, you can understand the full impact and not only
respond faster but more completely. There are fewer blind spots that allow for a
resurgence of attacks.
Trend Vision One can detect earlier with higher confidence detections.
We have all heard about situations where a company gets breached by an attack that
seemingly came out of nowhere. The company claimed to have had their defenses
set up and were prepared for any attack. We also know that once a company becomes
breached, it is possible that an adversary or attacker is still lurking inside the network,
escalating privileges, and hiding within the network (for months even) before they
strike again to launch more attacks.
• How did they get in?
• How are they moving around?
• What are they doing?
• How do we look for the attacker inside our network?
It would be great if there was a database of attack behaviors that we could use to help
figure out how the attackers got into the network and what they might have done.
Community‐driven
The ATT&CK framework is used as a foundation for the development of specific threat
models and methodologies in the private sector, government, and the broader
cybersecurity community. It is widely used by both cyber security vendors and
customers in building out security programs and is used for Cyber Threat Intelligence
mapping.
You can think of ATT&CK as an Encyclopedia of things that ATT&CK has seen an
adversary do!
Information that ATT&CK provides is based on real world observations – every single
one is linked back to a report that you can find out in the community.
ATT&CK relies on public reporting and does not claim to have all the answers. You too
can reach out to contribute (see the MITRE web site for details on how to contribute).
MITRE ATT&CK helps connect the dots of an attack. It is not focused on the tools and
malware itself, but instead, it focuses on interactions and techniques used by APTs and
notable threats.
MITRE ATT&CK provides a comprehensive list of known adversary tactics and
techniques used during a cyberattack.
MITRE ATT&CK focuses on the adversary, not the actual malware. It helps identify HOW
an adversary might be running attacks on your environment. Think of it as a playbook of
what an adversary will try to do. Once you understand what the adversary is trying to
do and what might happen next, it can help in the development of defensive strategies
for your organization.
Framework
Tactics
• Tactics are the adversary’s technical goals.
• Represents WHY, or the adversary’s objective when performing an action.
• There are 13 tactics in Enterprise (March 2023): Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Impact
Techniques
• Represents HOW the adversary will perform an action
• As of March 2023 there are 250+ techniques
• Examples: Spearphishing Attachment, Data Destruction, Process Injection, Brute Force …
• A technique can be part of multiple Tactics
Procedures
• Procedures are specific implementations of techniques.
• Describe the way adversaries or software implement a technique
• Represents WHAT they are doing
• Examples
• APT12 has sent emails with malicious Microsoft Office documents and PDFs attached
• APT32 has used macros, PowerShell scripts, COM scriptlets, and VBS scripts.
Knowing what enterprises are up against is a vital first step in preparing for and
responding to incidents and potential cyberattacks. In the past, threats were much
simpler, largely defined by the technologies they exploited. Now that enterprises lean
on more advanced network and data infrastructures, the attack surface and impact of
threats have grown.
To act, you need to understand the complexity and persistence of current threats. You
need to know what strategies cybercriminals are employing that take advantage of
industry trends and popular platforms. This is where MITRE comes in.
For your Incident Response teams, MITRE is what allows them to connect all the dots of
an attack rather than having to look at numerous, possibly disparate
"detections" and "events" in the hopes of uncovering what an adversary's actions may
be against your organization. MITRE can tell you things about adversary behaviors.
These behaviors are broken down by MITRE into Tactics, Techniques and Procedures
(TTPs) that were used in an attack against you. Tools in MITRE make it easier for you to
find out how an attack is being carried out, who the players are, and how they are getting
in. MITRE simplifies investigation and insight into an attack while providing the end goal
of preventing future attacks.
Much information has been created by the MITRE community, from the ATT&CK
framework to STIX and TAXII, to presentations on how vendors, blue teams, red teams,
and even customers are giving back to the Cyber Threat Intelligence Community. MITRE
is a great way to learn and understand threats better. You can follow Twitter, Blogs, and
MITRE Power Hour monthly conference to get started. The only problem is that once
you start learning and using MITRE for cybersecurity threat intelligence, the journey just
brings you deeper and deeper into the rabbit hole.
The MITRE ATT&CK matrix displays the Tactics and Techniques: https://attack.mitre.org
The tactics are listed in blue letters across the top, with the associated techniques in the
column below them. Click any technique to get a full description.
Your goal is to stay as close to the left‐hand side of the matrix as possible, as these are the
easiest to resolve.
Attackers: use ATT&CK to develop a plan using multiple techniques to test the strength of their target.
Defenders: use ATT&CK to try and understand the Red Team's tactics and counter their attack strategy.
Some organizations use the Red team/Blue team model to test their defenses. The Red
Team develops a strategy to link together several techniques from different columns to
test the defenses of their target. The Blue Team (the penetration testing term for
defenders) needs to understand the tactics and techniques in order to counter the Red
Team’s strategy.
• Create detection rules
• Train Blue/Red teams and run Red team exercises
• Assess your security posture
• Build threat models
MITRE Groups
• Sets of related intrusion activity that are tracked by a common name
− Represents a cluster of adversary activity
• Tracks what techniques and tools they are using (or have used in the
past)
• View the list at:
attack.mitre.org/groups/
Groups are sets of related intrusion activity that are tracked by a common name in the
security community. Analysts track clusters of activities using various analytic
methodologies and terms such as threat groups, activity groups, threat actors, intrusion
sets, and campaigns. Some groups have multiple names associated with similar
activities due to various organizations tracking similar activities by different names.
Organizations' group definitions may partially overlap with groups designated by other
organizations and may disagree on specific activity.
For the purposes of the Group pages, the MITRE ATT&CK team uses the term Group to
refer to any of the above designations for a cluster of adversary activity. The team
makes a best effort to track overlaps between names based on publicly reported
associations, which are designated as “Associated Groups” on each page (formerly
labeled “Aliases”), because we believe these overlaps are useful for analyst awareness.
We do not represent these names as exact overlaps and encourage analysts to do
additional research.
Groups are mapped to publicly reported technique use and original references are
included. The information provided does not represent all possible technique use by
Groups, but rather a subset that is available solely through open‐source reporting.
Groups are also mapped to reported software used, and technique use for that software
is tracked separately on each software page.
Here are some points to consider as you use MITRE ATT&CK as part of your overall data
security plans:
• Use the real‐world software and scenarios from the Groups list. If you can’t protect
against the known threats, there is no way you can stop the unknown threats.
• Socialize and share ATT&CK techniques as a common language for your security
teams.
• Identify gaps in your defenses with the ATT&CK matrices and implement solutions
for those gaps.
• Never assume that since you can defend against a technique in one way, you won’t
get dinged by a different implementation of that technique. Just because your anti‐
malware solution catches Mimikatz don’t assume it will also catch tnykttns – or
whatever variant of Mimikatz comes out next.
You will see reference to MITRE ATT&CK tactics and techniques in many different places
in Trend Vision One.
You can add the MITRE ATT&CK MATRIX MAPPING widget to the Security Dashboard
app to display the observed attack techniques.
You can also view them in the observed ATT&CK techniques listed in the Workbench app.
Click a technique number in the Highlights pane to link to the description on the
attack.mitre.org web site.
Workbenches are the alerts created from the automatic correlation of telemetry in the
data lake.
Tactics and Techniques that have been seen in your environment are listed in the Observed
Attack Techniques app. This app displays the raw event data collected in the data lake
that corresponds to MITRE ATT&CK techniques.
Analysts can locate specific tactics or techniques through the Search app.
Tactic details and description are also displayed in the Workbench Incident View.
Finally, observed tactics and techniques are also listed in Execution Profiles.
Slide graphic: early detection, low impact; a timeline showing the industry average detection time for a breach, the industry average time to contain a breach, and the average cost of a data breach
The goal is to reduce the time it takes to detect a system breach. The longer it takes to
detect the attack, the higher the impact on the organization.
Lesson Review
1) Trend Vision One can collect telemetry from which components of your infrastructure?
2) What information is included in the telemetry collected from components of your infrastructure?
3) How can the MITRE ATT&CK framework help when dealing with security incidents?
Lesson 2:
Trend Vision One
Now that we understand the basics of XDR, let’s examine how Trend Micro implements
XDR through Trend Vision One.
Lesson Objectives
After completing this lesson, participants will be able to:
• Describe the core capabilities of Trend Vision One
• Describe the Trend Vision One features used for XDR
Trend One is a unified cybersecurity platform that encompasses the solutions, services, and technology
capabilities that serve security and operations groups across multiple functions. It represents everything
Trend can do in support of an enterprise’s cyber security efforts by bringing everything together under a
common framework, delivering core competencies for security teams to bridge threat protection and
cyber risk management to drive greater security outcomes.
A reflection of Trend Micro's strategic shift to SaaS and a unified platform approach to solving customer
security challenges, Trend One enables business agility through the delivery of market‐leading security
capabilities for protecting cloud, endpoint, email, network, mobile and IoT environments. Trend One
consolidates multiple market‐leading security capabilities and deep integration with your IT
infrastructure. Trend One is packed with advanced native security capabilities for protecting cloud,
endpoint, email, IoT, OT and network.
Security professionals are empowered to continuously discover their ever‐changing attack surface,
understand and prioritize vulnerabilities, rapidly detect and respond to threats, and apply the right
security at the right time to mitigate risk. Built‐in security capabilities like industry‐leading XDR, risk
insights, and threat assessment combined with deep integration across the broader IT infrastructure
helps security operations teams manage the attack surface risk lifecycle more effectively with fewer
resources. With broad protection capabilities across the entire enterprise, Trend One empowers
organizations to be more agile and adapt quickly to new business and compliance needs, including
supporting security strategies like Zero Trust and helping to address cyber insurance requirements. With
unparalleled threat intelligence and vulnerability insights from our global threat research team and
expert services like managed XDR and incident response, Trend One is designed to help organizations
improve cyber security outcomes.
The Trend One unified cybersecurity platform delivers advanced capabilities for protecting the enterprise,
including:
• Central visibility, continuous risk and threat assessment, and executive‐level dashboard reporting.
• In‐depth threat and vulnerability intelligence with XDR and risk insights combined with market‐leading
protection capabilities for securing cloud, endpoints, email, network, mobile and IoT environments.
• Native sensors for cloud, endpoint, email, network, and IoT environments combined with data from a
growing list of third‐party security products for maximum insights.
• Data and insights from Trend Micro's global threat research team, including in‐depth knowledge of
the latest threats, vulnerabilities, and cybercriminal activities.
• Common platform services like security engines and data analytics, combined with global SaaS
infrastructure for maximum protection and flexibility.
• Security services like Managed XDR, threat assessment, and incident response.
Ultimately, Trend One provides the foundation of technology and services necessary to function as an
integrated system that enables organizations to better understand, communicate, and mitigate cyber risk
across the enterprise.
Trend Vision One is a cloud‐native security operations platform, serving cloud, hybrid,
and on‐premises environments, combining Attack Surface Risk Management (ASRM),
Zero Trust Secure Access (ZTSA) and Extended Detection and Response (XDR)
capabilities in a single console to effectively manage cyber risk across an organization.
Trend Vision One integrates with Trend Micro's expansive protection solution portfolio
and industry‐leading global threat intelligence, in addition to a broad ecosystem of
purpose‐built and API‐driven third‐party integrations. This allows the security team to
ingest and analyze activity and detection telemetry across the user environment.
The platform’s native‐first, hybrid approach to XDR and ASRM benefits security teams
by delivering richer telemetry across security layers with full context and
understanding. This results in more proactive risk identification, more precise threat
detection and more efficient response.
Trend Vision One serves multiple security teams, from SOC analysts and threat hunters,
to IT operations, all the way to senior security leaders. It acts as the operations hub for
managing across the attack protection cycle, from assessing, anticipating and mitigating
cyber risks to preventing, detecting and responding to threats.
[Figure: data on mobile, data on network and data on clients flowing into the data lake]
Data collected from all the different points is stored in a data lake, from which analysis
operations can be performed.
For example, how does an event in an email account relate to an event detected on
the network?
Trend Vision One Core Capabilities
• Industry‐leading XDR and EDR: broadest native XDR sensor coverage; purpose‐built to ingest, analyze and act across multiple vectors
• Attack Surface Risk Management: rapid attack surface discovery; continuous risk assessment and prioritization; proactive risk and threat remediation
• Zero Trust Secure Access: secure access for internet and private access; continuous user and identity assessment; Security Service Edge/Secure Access Service Edge with Zero Trust Network Access, Secure Web Gateway, and Cloud Access Service Broker
• Central Visibility across Trend and third‐party products: Risk, Attack, Exposure Indices; API‐friendly platform with broad and growing integration ecosystem
Attack Surface Risk Management
Rapid Discovery, Dynamic Assessment, Proactive Remediation, and Central Visibility across Trend and third‐party products
Without the ability to identify unknown assets, security teams may prioritize
unmanaged, internal assets (inside the network, with no visibility) and unmanaged,
internet‐facing assets due to the high risk associated with them.
With Attack Surface Discovery, security teams can begin to see more of their
environment by identifying unknown assets in the wild.
Rapid Discovery
• Internal and external attack surface discovery
• Go beyond devices with users, domains/IP, cloud apps, storage, containers,
workloads, and Cloud Security Posture Management
Dynamic Assessment
• Continuous individual asset risk assessment, scoring and prioritization
• Company‐wide Risk Index and benchmarking against peers
Proactive Remediation
• Intelligent, custom guidance and instruction
• Improve mean time to discover and mean time to recovery
• Orchestrate and automate risk and threat response with Security Playbooks
Risk Factors
[Figure: risk factors grouped under Vulnerability, Exposure and Business Value]
• Vulnerabilities detected
• Misconfigurations
• Asset importance
• Suspicious activity
• Impact of outage
• Suspicious data access
• Type of content
• Threat detections
• Detection from investigations
• Attack pressure
Inputs: User/Device Activity and Behavior; Cloud Infrastructure and App Configurations; Internet‐Facing Assets; Security Product Configurations; Network Security Inspection; Security Product Detection Logs; Operating System/Application Activity; Vulnerabilities
63 | ©2023 Trend Micro Inc.
Zero Trust Secure Access
[Figure: comparison of the previous state with Zero Trust]
Zero Trust Secure Access
• Do you have credentials? Simple check of a matching username / password. Hopefully with MFA enabled!
• Do you have permission to access this resource? Do their responsibilities require access to this resource? Are they logging in from an approved location, at an allowed time? Can you granularly control their usage? (for example, this user can’t post on Twitter)
• Should your identity/device have access to this resource? Could the identity and/or device be compromised? Has the identity or device recently been involved in risky behavior? Does the device have good security controls in place? Is the device littered with high‐risk vulnerabilities?
• Should you continue to have access? Is there new malicious activity on the endpoint? Has the user started sending phishing emails out of their mailbox? Are there new signs of identity compromise?
Trend Vision One XDR provides an extensive collection of features for detection and
response across security layers including the following:
Correlated Detection
Advanced detection models written by Trend Micro threat researchers correlate low‐
level activities within or across security layers to find undiscovered attacks. The
detection models, which generate the alert triggers, combine multiple rules and filters
using a variety of analysis techniques including data stacking and machine learning. You
can turn on and off individual models as appropriate for the organization's risk
tolerance and preferences.
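The cross‐layer correlation described above, and the earlier point that the data lake lets an email event be related to a network event, as an added illustration that is not Trend Micro code and not how Vision One detection models are implemented: a toy correlator over a constructed telemetry sample joins email, endpoint and network events by host and time window, raises one alert tagged with ATT&CK technique IDs when the full chain appears, and separately counts raw observed techniques the way the Observed Attack Techniques view does. Event kinds, host names and the window size are assumptions.

```python
"""Toy cross-layer correlation over constructed telemetry.
Added example, not Trend Micro code and not how Vision One detection
models work internally: events from different security layers stored in
one place are joined into a single alert tagged with ATT&CK technique IDs.
Event kinds, host names and the window are assumptions for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    layer: str   # "email", "endpoint" or "network"
    host: str    # asset the event was observed on
    kind: str    # low-level event type emitted by that layer's sensor
    detail: str


# Constructed sample telemetry (not real data). Each event alone is low
# severity; only the ordered chain on one host is worth an alert.
SAMPLE_EVENTS = [
    Event(datetime(2023, 5, 1, 9, 0, 0), "email", "ws-042",
          "attachment_delivered", "invoice.docm"),
    Event(datetime(2023, 5, 1, 9, 3, 10), "endpoint", "ws-042",
          "office_child_process", "WINWORD.EXE -> powershell.exe"),
    Event(datetime(2023, 5, 1, 9, 3, 40), "network", "ws-042",
          "new_outbound_dest", "198.51.100.7:443"),
    # ws-017: the same two later stages, but hours apart and with no
    # email delivery stage, so it shows up in observed techniques only.
    Event(datetime(2023, 5, 1, 11, 0, 0), "endpoint", "ws-017",
          "office_child_process", "EXCEL.EXE -> cmd.exe"),
    Event(datetime(2023, 5, 1, 14, 0, 0), "network", "ws-017",
          "new_outbound_dest", "203.0.113.9:8080"),
]

# Detection model: stages in order, each with the ATT&CK technique the
# event kind is evidence of (IDs as published at attack.mitre.org).
CHAIN = [
    ("email", "attachment_delivered", "T1566.001"),     # Spearphishing Attachment
    ("endpoint", "office_child_process", "T1204.002"),  # User Execution: Malicious File
    ("network", "new_outbound_dest", "T1071"),          # Application Layer Protocol
]
TECHNIQUE_BY_EVENT = {(layer, kind): tid for layer, kind, tid in CHAIN}
WINDOW = timedelta(minutes=10)   # assumed maximum span of the whole chain


def observed_techniques(events):
    """Count raw events that map to a technique, chained or not.
    This mirrors the Observed Attack Techniques view: every matching event
    is listed, so hosts that never trigger an alert still appear here.
    """
    counts = {}
    for ev in events:
        tid = TECHNIQUE_BY_EVENT.get((ev.layer, ev.kind))
        if tid is not None:
            counts[tid] = counts.get(tid, 0) + 1
    return counts


def correlate(events, chain=CHAIN, window=WINDOW):
    """Return one alert per host on which the full chain occurs in order within window."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        for start, first in enumerate(evs):
            if (first.layer, first.kind) != chain[0][:2]:
                continue
            matched, stage = [first], 1
            for ev in evs[start + 1:]:
                if ev.ts - first.ts > window:
                    break
                if (ev.layer, ev.kind) == chain[stage][:2]:
                    matched.append(ev)
                    stage += 1
                    if stage == len(chain):
                        break
            if stage == len(chain):
                alerts.append({
                    "host": host,
                    "techniques": [tid for _, _, tid in chain],
                    "layers": sorted({e.layer for e in matched}),
                    "evidence": matched,
                })
                break   # one alert per host for this model
    return alerts


if __name__ == "__main__":
    print("observed techniques:", observed_techniques(SAMPLE_EVENTS))
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT {alert['host']} {alert['techniques']} via {alert['layers']}")
        for ev in alert["evidence"]:
            print(f"  {ev.ts:%H:%M:%S} [{ev.layer}] {ev.kind}: {ev.detail}")
```

Tightening the window or disabling a stage in CHAIN is the toy equivalent of tuning a model to the organization's risk tolerance: ws-017 never produces an alert, but its events still appear in the observed technique counts.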
In‐depth investigation
Analysts can view a list of alerts (referred to in Vision One as Workbenches) and drill
down for further visibility. Workbenches are the investigation results for a detection;
from here you can view the execution profile, identify the scope of impact and take
response actions. It is from here that analysts would prioritize and process the alerts,
and track what has been done (new, in progress, closed).
Analysts can understand the story of an attack with an interactive visual representation
of events. The Execution Profile Analysis displays the threat actions within an endpoint,
server, or cloud workload. The Network Analysis can replay network communications to
highlight details of an attacker's command and control communications or lateral
movement.
Advanced search
Analysts can proactively search through endpoint, email, network, and cloud workload
activity data using a simple query builder. Perform indicator of compromise (IoC)
sweeping or create custom searches using multiple parameters or filter down into
things by adding additional search criteria. From a search result, the analyst can initiate
a response or generate an Execution Profile. The queries used for basic threat hunting
can be saved and reused.
take advantage of cloud computing technologies and eliminate much of the overhead
associated with managing local hardware.
Trend Vision One is under constant development. New XDR features will be added over
time to complement the features that already exist in the product.
Trend Vision One is a Software as a Service product and is available only online. Users
with appropriate permissions can log in at:
https://portal.xdr.trendmicro.com
[Figure: console with callouts: App categories; Toggle between icons and app names]
Trend Vision One’s functionality comes from a collection of integrated apps. The app
categories are displayed in the left‐hand pane of the console.
A toggle at the bottom of the left‐hand frame can switch between app icons and names
to assist in the learning process.
[Figure callout: Expand category to view apps within]
Expand any app category to view the apps within. New apps are being added over time
as new functionality is added.
App in Preview
Some apps will display in Preview. These are new apps that are in development. The
Trend Vision One development team is looking for feedback on implementation. Any
user can provide feedback from the Resource Center at the bottom of the left‐hand
frame.
Help and support resources can be accessed from the Help icon in the upper right‐hand
corner of the console.
[Figure: Help menu; callout: Run common diagnostic tests]
Trend Vision One is constantly being updated with new apps and capabilities. The
descriptions of the apps described in this lesson were up to date at the time of
publishing of this material. There may have been changes to the user interface since
then.
Click Customize your navigation to choose which app categories are displayed in the
menu. Click the Pin icon to add an app category. This allows the menu to be customized
so that it shows only the apps used by your organization.
Risk Insights
• Discover organizational assets that might be
exposed to attack by revealing overall risk index,
asset risks, ongoing attacks, and contributing risk
factors
Risk Insights can help discover organizational assets that might be exposed to attack by
revealing the overall risk index, asset risks, ongoing attacks, and contributing risk factors.
How can the Dashboards and Reports apps help with XDR?
• Helps identify risk areas that should be addressed to reduce the number of
workbenches to investigate
XDR Threat Investigation
• Uncover events and the attack path across security
layers
• Enable analysis and visibility of telemetry from
endpoints, servers, email, network and the web
XDR Threat Investigation apps provide a consolidated view to uncover events and the
attack path across security layers and includes the tools to enable analysis and visibility
of telemetry from endpoints, servers, email, network and the web.
How can the XDR Threat Investigation apps help with XDR?
• Detect and provide actions against threats across all security layers
• Workbenches created based on analysis using big data techniques
Threat Intelligence
• Integrate up‐to‐the‐minute intelligence reports
from Trend Micro and reliable third parties to help
identify threats
− Includes Suspicious Objects Management and Sandbox
Analysis reports
The Workflow and Automation apps automate operations, integrate with third‐party
applications, view response actions and configure Service Gateways.
How can the Workflow and Automation apps help with XDR?
• Collect and analyze data from multiple sources to increase visibility into your
security
Zero Trust Secure Access apps implement contextual access control lists for internal
and SaaS applications.
How can the Zero Trust Secure Access apps help with XDR?
• Helps prevent unauthorized access to resources, reducing the number of alerts and
Workbenches created
Assessment
• Scans cloud mailboxes and endpoints to find any
threats that may have evaded your existing security
solutions
− For example, Log4J assessment to discover the libraries and
determine if they can be exploited
Assessment apps scan cloud mailboxes and endpoints to find any threats that may
have evaded your existing security solutions.
How can the Endpoint Security Operations apps help with XDR?
• Verifies the coverage of endpoint sensors across Windows and Mac clients, and
Windows, Linux, AIX and Solaris servers
Cloud Security Operations apps provide instant visibility into vulnerable containers in
cloud environments.
How can the Cloud Security Operations apps help with XDR?
• Address runtime threats and suspicious activity, strengthening your cloud detection
and response approach
How can the Network Security Operations apps help with XDR?
• Verifies the coverage of sensors on network devices such as Deep Discovery
Inspector and TippingPoint
How can the Email Security Operations apps help with XDR?
• Verifies the coverage of endpoint sensors on Exchange and Gmail accounts
How can the Mobile Security Operations apps help with XDR?
• Extends protection to user mobile devices, including smartphones and tablets
Service Management
• Connect Trend Micro products and Cloud accounts
to Trend Vision One
Service Management apps connect Trend Micro products and cloud accounts to Trend
Vision One.
Administration
• Configure user accounts, roles, console settings,
license and credit details, and audit logs
Administration apps configure user accounts, roles, console settings, license and credit
details, and audit logs.
Lesson Review
1. What are the core capabilities of Trend Vision One?
2. What are some of the Trend Vision One features that are useful for XDR?
3. Describe some of the benefits of Trend Vision One XDR.
Lesson 3:
Connecting Trend Micro Products
Lesson Objectives
After completing this lesson, participants will be able to:
• Connect Trend Micro products to collect security event data
We mentioned earlier that both security events and activity can be sent to the Trend
Micro data lake.
Connecting Trend Micro products enables security events collected by agents on the
endpoints managed by these products to be sent to the data lake.
In addition, Trend Vision One Endpoint Security can be enabled by connecting SaaS
endpoint products such as Endpoint & Workload Security and Apex One as a Service
and moving their inventories to Trend Vision One. This allows devices and policies to be
managed directly from the Trend Vision One console.
Important: You can install a sensor on an endpoint without connecting the product to
Trend Vision One. In this case, you will only collect activity data.
Product Instance App
• Connect existing Trend products to Trend Vision One
• Create new instances of standard endpoint or server and workload
protection
− Separates inventories of endpoints by instance
− Single Trend Vision One console to manage multiple instances of endpoint
security products
• Connecting products transfers all license information and relevant
product data to Trend Vision One
The Product Instance app connects existing Trend products to Vision One.
It also allows the creation of instances of standard endpoint protection (Apex One as a
Service) and server and workload protection (Endpoint & Workload Security).
This allows the separation of endpoint inventories by instance. One single Trend Vision
One console can be used to manage multiple instances of endpoint security products.
Connecting products transfers all license information and relevant product data to
Trend Vision One.
[Figure: Product Instance app; callout: Select product to connect]
Connect Apex One as a Service to collect security events from endpoints hosting an
Apex One as a Service Security Agent.
Important: policies must be enabled on the Security Agents to enable the different
security features (anti‐malware, web reputation, etc.).
Optionally, move the management of standard endpoint security from the Apex Central
as a Service console to the Standard Endpoint Protection app.
An enrollment token is required to connect Apex One as a Service to Trend Vision One.
Click the icon to copy the enrollment token and click Save.
Status displays as Pending until the enrollment token is registered.
Provide the Trend Vision One‐generated enrollment token.
Log into Apex Central as a Service and click Trend Vision One > Integration Settings.
Paste the enrollment token from Trend Vision One and click Register.
Status displays as Connected
The registration process will take a couple of minutes. The status will display as
Connected when complete.
Endpoint inventory as displayed in Apex Central.
Before connecting Apex One as a Service to Trend Vision One, the endpoint inventory
can be viewed in the Apex Central as a Service or Apex One as a Service consoles.
Endpoint inventory as displayed in Trend Vision One.
The Trend Micro Apex One SaaS server is listed in the Connected Endpoint Protection
Management section of the middle pane. The directory structure from Apex One as a
Service is duplicated in the protection manager.
Optionally, update to Trend Vision One Endpoint Security to move management of endpoints from the Apex Central as a Service console to Trend Vision One.
The entire inventory can be moved, or a selection of endpoints can be moved for POC
or trials before moving the rest of the inventory.
Click Trend Micro Apex One Saas in the product instance list. In the Update Solution
window, you have the option to update to Trend Vision One Endpoint Security by
moving your inventory.
Accept the license agreement and click I Agree to Update.
If interested in moving a subset of the inventory, click the Try the new Endpoint
Security before updating link to be redirected to Online Help articles on the process.
Some important system considerations are displayed. Review the details and if you are
ready to proceed with moving the inventory of endpoints, click I understand how the
update will affect my system and agree to start the process, then Connect and
Transfer.
The status of Trend Micro Apex One SaaS will display as Updating. It will take a few
minutes to complete the operation.
Click Protection Manager in the list to edit and add a descriptive name.
When complete, the name of the product will change to Standard Endpoint
Protection Manager. A protection manager reflects a collection of endpoints managed
by a single instance of a protection product.
Click the name in the list and you can change the display name.
Inventory of endpoints displayed for the selected Protection Manager.
The newly renamed protection manager is displayed in the Endpoint Inventory app.
The Standard Endpoint Protection app is used to create policies for endpoints using the same method as in Apex Central as a Service.
Once the product is connected and the inventory moved to Trend Vision One, all
management tasks previously done in Apex Central as a Service are now done in Trend
Vision One.
Once Apex One as a Service is connected to Trend Vision One, endpoint policy
management operations previously performed in Apex Central can now be performed
in Trend Vision One.
The menu structure of Apex Central is replicated in the Standard Endpoint Protection
Manager section of the Vision One console.
Note that some Apex One operations like Global Settings and Firewall remain in the
Apex One console which can still be accessed.
While feature parity is maintained in the move to Trend Vision One, to conform to GUI
standards, some items may move to other menus, or are available in different apps.
Connect Apex One (on‐premises) to collect security events from endpoints hosting an
Apex One Security Agent.
Important: policies must be enabled on the Security Agents to enable the different
security features (anti‐malware, web reputation etc…)
Apex One must be connected to Apex Central as Apex Central is the connection point
into Trend Vision One.
The inventory of endpoints managed by Apex One is displayed in the Endpoint
Inventory app, but management remains in the on‐premises Apex One/Apex Central
consoles.
Response actions can be applied to devices from the Endpoint Inventory app.
Click the icon to copy the enrollment token and click Save.
Status displays as Pending until the enrollment token is registered.
Provide the Trend Vision One‐generated enrollment token.
Log into Apex Central and click Trend Vision One > Integration Settings. Paste the
enrollment token from Trend Vision One and click Register.
Status displays as Connected
The registration process will take a couple of minutes. The status will display as
Connected when complete.
Optionally, click the name of the Apex Central instance in the Product Instance app and
type a display name to better identify this installation.
Open the Endpoint Inventory app. The Apex Central instance will be displayed in the
middle frame as a Connected Endpoint Protection Manager. Expand the folder
structure to view the endpoints in the specific groups.
Apex One‐managed endpoints are displayed in the Trend Vision One inventory, but
management of the endpoints remains in the on‐premises Apex One/Apex Central
consoles. However, some response actions, such as isolating the endpoint, running a
remote script and starting a remote shell session to the endpoint are available from the
Endpoint Inventory app.
Connecting Cloud One
• Connect multiple Cloud One services to Trend Vision One with one
enrollment token
In the Trend Vision One console, expand Service Management in the left‐hand pane
and click the Product Instance app.
Click Add Existing Product.
Click the icon to copy the enrollment token and click Save.
Trend Cloud One displays as Pending.
Multiple Trend Cloud One services display as Connecting.
Services Connected.
Click to select which Cloud One service to enable.
Connect existing Endpoint & Workload Security instances to Trend Vision One to collect
security events from clients and servers hosting an Agent.
Policies must be enabled on the Agent to enable security features.
Optionally, move the management of server and workload security from the Cloud One
console to the Endpoint Security Operations apps.
Multiple instances of Endpoint & Workload Security are supported.
Each Endpoint & Workload Security instance is separate from the others.
Server and workload inventory as displayed in Endpoint & Workload Security.
The inventory of endpoint servers and workloads is now displayed under the newly
created Server and Workload Protection Manager.
Remediation actions can be applied to the endpoints, but at this point the management
of the devices and policy assignment is still done in the Cloud One console.
The Trend Cloud One – Endpoint & Workload Security server is listed in the Connected
Endpoint Protection Management section of the middle pane. The group structure
from Endpoint & Workload Security is duplicated in the protection manager.
Optionally, update to Trend Vision One Endpoint Security to move management of endpoints from the Endpoint & Workload Security console to Trend Vision One.
Click the name of the Endpoint & Workload Security instance. Click the Update
Solution tab, click to accept the license agreement and click I Agree to Update.
Some important system considerations are displayed. Review the details and if you are
ready to proceed with moving the inventory of endpoints, click I understand how the
update will affect my system and agree to start the process, then Connect and
Transfer.
Once connected, the instance name is listed. The name is now Server and Workload
Protection Manager ‐ <instance ID>.
Click Create Product Instance to create a new instance of a Server and Workload
Protection Manager.
When managing server and workloads in the Server & Workload Protection app, select
the instance you would like to make changes to from the list at the top of the page.
Once Endpoint & Workload Security is connected to Trend Vision One, endpoint policy
management operations previously performed in Cloud One can now be performed in
Trend Vision One.
The menu structure of Endpoint & Workload Security is replicated in the Server &
Workload Protection Manager section of the Vision One console.
Create policies for servers and workloads managed by this Protection Manager using the same method as in Endpoint & Workload Security.
Collect security events from servers protected by Deep Security hosting an Agent.
Policies must be enabled on the Agent to enable security features, for example,
anti‐malware, web reputation, etc.
Response actions, including isolate endpoint, run custom script and start remote shell,
can be applied to devices from the Endpoint Inventory app.
In the right‐hand frame, select Deep Security Software from the Product name list.
An enrollment token prompt is displayed. Click the link to generate the enrollment
token.
The enrollment token is displayed. Click the icon to copy the enrollment token to the
clipboard. Click Save.
Click Connect and Transfer. Licensing details for Deep Security are transferred to Trend
Vision One.
Deep Security Software is listed as Pending in the console. The enrollment token must
be registered in Deep Security Manager before the listed expiry date and time.
Log into Deep Security Manager as an administrator with appropriate privileges. Click
Administration > System Settings. On the Trend Vision One tab, click Register
enrollment token.
The Deep Security instance is now listed as Connected in the Trend Vision One console.
You will also see the URL used by Deep Security.
Deep Security software is now configured to submit security event telemetry to the
Trend Vision One Data Lake.
Note that security events will be saved in the Deep Security database and will also be
forwarded to the data lake for analysis.
159
Server and workload inventory as displayed in the Endpoint Inventory app.
In the Endpoint Inventory app, you will see your Deep Security instance listed under
Server & Workload Protection Management. Click the instance to view the inventory
of servers and workloads managed by Deep Security.
160
Deep Security‐managed servers and workloads are displayed in the Trend Vision One
inventory, but management of the endpoints remains in the Deep Security Manager
console. However, some response actions, such as isolating the endpoint, running a
remote script and starting a remote shell session to the endpoint, are available from the
Endpoint Inventory app.
161
162
Trend Micro Cloud App Security provides email protection for Exchange Online and
Gmail and collects security events from them. Policies must be enabled in Cloud App
Security to enable security features.
You must provision service accounts before connecting to Trend Vision One.
163
Make sure that Trend Vision One and Cloud App Security are in the same licensing
account.
164
You must provision either the Microsoft Exchange Online or Google Gmail service
accounts before connecting to Trend Vision One.
165
166
167
168
Install the Cloud App Security app for Gmail. Click the link to be forwarded to the Google
store to install the app.
169
Click to install the Cloud App security app on the Google account.
170
Click the link to grant the required permissions on the API to access the Gmail services.
171
172
173
Once the services are connected, you can connect Cloud App Security.
In the Trend Vision One console, expand Point Product Connection in the left‐hand
pane and click the Product Instance app. You will see a list of the products currently
registered with Trend Vision One. Click Connect.
In the right‐hand frame, select Cloud App Security from the Product name list. Select
the service to be monitored by Trend Vision One (Microsoft Exchange or Google Gmail).
Cloud App Security will now be listed as Connected in the Trend Vision One console.
174
175
176
The Trend Vision One Service Gateway is provided as a virtual appliance for VMware or
Microsoft Hyper‐V and can be downloaded from the Trend Vision One console.
Administrators install the virtual appliance, add the device to the Service Gateway
Inventory, then configure the service settings in the Trend Vision One console.
177
A Service Gateway can help reduce network bandwidth in a hybrid network by serving
as a proxy between connected applications and Trend Vision One.
The Trend Vision One Service Gateway enables a variety of capabilities within the
infrastructure. Its components and services are installed on an as‐needed basis.
ActiveUpdate: Service Gateways can serve on‐premises Trend Micro products with
pattern updates to reduce outgoing internet traffic. On‐premises products making use
of this capability include Apex One, Deep Security software and Deep Discovery
Inspector. This can eliminate the need for Apex One Update Agents or Deep Security
Relay Agents.
Smart Protection Services: Service Gateways allow on‐premises Trend Micro products
and services to integrate with Smart Protection Services, including:
• File Reputation
• Web Reputation
• Certified Safe Software
• Predictive Machine Learning
• Mobile App Reputation
Suspicious Object Exchange: When enabled, Trend Vision One can integrate with third‐
party applications, such as Blue Coat, Checkpoint, and Palo Alto Networks, through the
Service Gateway.
On‐premises Directory Connection: Once enabled, the Service Gateway can help send
objects and activity data from an on‐premises Active Directory server or OpenLDAP to
Trend Vision One. This service is required to set up Active Directory (on‐premises) and
OpenLDAP in the Third‐Party Integration app.
Syslog Connector: Enables sharing data from Trend Vision One with your local syslog
server.
Zero Trust Secure Access On‐Premises Gateway: Zero Trust Secure Access Internet
Access is a forward proxy service that protects end users from malicious activity on the
internet. In addition to the Cloud Gateway, the on‐premises gateway also provides a
flexible option to deploy one or more local on‐premises gateways in your organization's
network as a hybrid protection solution.
MISP Threat Intelligence Connector: Service Gateways retrieve data from MISP to
generate custom MISP intelligence reports.
Rapid 7 – Nexpose: When enabled, this service allows the Service gateway to send
device and vulnerability data from the Rapid7 server to Trend Vision One.
Connect Nessus Pro: A Service Gateway service has been added to allow the connection
to Tenable Nessus Pro for incorporating vulnerability scan results.
Forward Proxy: Allows agents on endpoints with no direct access to the internet to use
the Service Gateway as a proxy to reach Trend Vision One.
TippingPoint Policy Management: When enabled, this service allows the Network
Intrusion Prevention app to modify TippingPoint policy configurations to mitigate CVEs.
Suspicious Object List Synchronization: Once enabled, the Service Gateway can send
the Suspicious Object List in the Threat Intelligence app to connected Trend Micro
products, which can also upload the Virtual Analyzer Suspicious Object List and reports
to the Service Gateway.
No additional license is required for the Service Gateway.
178
To begin the process of connecting the Service Gateway, you must first download the
Virtual Appliance.
Expand Workflow and Automation and click the Service Gateway Inventory app. Click
Download Virtual Appliance.
179
Download the appropriate version of the appliance and copy the registration token. The
token will be required later to enable the gateway.
180
Create a new virtual machine in VMware or Hyper‐V using the downloaded image.
The virtual appliance will be detected as CentOS 4/5 (64‐bit) or later.
181
Start the virtual machine. When prompted, log in with the default username of admin
and default password of V1SG@2021. You will be prompted to change the default
admin password; do so before registering the gateway, since the default is published in
this guide.
182
Hint: use PuTTY (or any SSH client) to connect to the Service Gateway over SSH so that
the registration token can be pasted into the register command.
Note that the IP address must include the CIDR prefix length (for example,
192.168.4.8/24).
183
The new Service Gateway will be listed in the inventory. Click the gear icon under
Action to configure the Service Gateway.
184
The Service Gateway will be automatically updated the next time you log in after the
indicated update time.
The details of the digital certificate used to secure the connection between Trend
Vision One and the Service Gateway are displayed.
The Cloud Service extension acts as an HTTPS proxy to direct certain traffic from your
on-premises products to Trend Vision One hosted services.
185
Click the Service Gateway in the list to enable or disable the services it provides.
186
Click Manage Services to enable services as needed.
187
Any services already installed on the Service Gateway are listed. Click to download, then
enable, any additional services provided by this Service Gateway.
188
Suspicious Object List Synchronization, Log Forwarding, and Forward Proxy services
require the API key to authenticate connections between Trend Micro products and the
Service Gateway. You can view the API key by clicking View API Key from the Service
Gateway Inventory list.
Click the Copy API key icon.
189
For Trend Micro products to make Smart Protection queries against the Smart
Protection Server in the Service Gateway, configure the Smart Protection Server in your
product's console using the Service Gateway's setting.
The Trend Micro products that can make use of the Service Gateway for Smart
Protection Service are listed in the documentation at:
https://docs.trendmicro.com/en‐us/enterprise/trend‐micro‐vision‐one/common‐
apps/service‐gateway‐inve_001/service‐gateway‐sps‐.aspx
190
The Service Gateway can also serve as a local ActiveUpdate server to reduce outgoing
internet traffic.
An updated URL must be provided to Apex One, Deep Security or Deep Discovery
Inspector to redirect to the Service Gateway for ActiveUpdate.
191
192
193
Trend Micro can analyze web activities and determine the web applications and
websites being accessed by managed users and devices in and outside your corporate
network.
Web Security serves as a data source for the Executive Dashboard app.
Trend Vision One has an auto‐onboarding function that automatically connects Web
Security to Trend Vision One if both products are in the same licensing account.
194
Select Trend Micro Web Security from the Product name list.
195
196
Network Sensor
• Collect security events from the network
An on‐premises Deep Discovery Inspector can act as the network sensor, or a virtual
network sensor can be used.
197
The Network Inventory Service is the connector and entry point for Deep Discovery
Inspector and Network Inspector devices to integrate with Trend Vision One.
It allows administrators to manage network sensors from the Trend Vision One console.
The Network Inventory Service includes the Inventory and Network Analytics services.
198
Expand Network Security Operations and click the Network Inventory app.
Click the Deep Discovery Inspector Appliances tab.
If a credit consumption message is displayed, click Close.
199
Select whether you are going to deploy a new Deep Discovery Inspector (by deploying
the virtual appliance) or connect to an existing on‐premises Deep Discovery
Inspector device.
A new Deep Discovery Inspector can be deployed as a virtual appliance on VMware or
Hyper‐V, or as a virtual appliance on AWS.
In this example, we are connecting an existing Deep Discovery Inspector device. Select
the appropriate version number of the device and provide the device's IP address or
FQDN.
200
You are redirected to the Deep Discovery Inspector login page. Provide the credentials
for an administrator with the appropriate permissions.
201
202
203
Return to the Network Inventory app; the Deep Discovery Inspector device should now be
displayed.
You can optionally connect Deep Discovery Inspector to a Service Gateway to enable
ActiveUpdate, Smart Protection Services and the Suspicious Object List synchronization
service on the device.
Each Deep Discovery Inspector device requires a unique GUID to connect with Trend
Vision One.
Each Deep Discovery Inspector device also requires a unique license code to connect with
Trend Vision One.
204
Finally, select the Deep Discovery Inspector device in the list and click Connect Service
Gateway.
205
206
207
Connecting the TippingPoint IPS device with Trend Vision One enables detection and
log sharing as well as suspicious object propagation to the network device. Network
Device sharing allows Trend Vision One to display the TippingPoint device inventory.
This connection leverages the Service Gateway which acts as a proxy between Trend
Vision One and the TippingPoint device. The Service Gateway will poll Trend Vision One
on a regular basis to retrieve suspicious objects, and likewise, the TippingPoint
management console polls the Service Gateway for the same list. All supported objects,
including IPv4, IPv6, DNS and URL get stored in the SMS Reputation database, which
would then be synchronized with the device for potential enforcement through
blocking rules.
208
Install the following Service Gateway services:
• TippingPoint log forwarding
• Forward proxy
• TippingPoint policy management
• Suspicious Object List synchronization
Note: ensure the device hosting the Service Gateway has sufficient resources to handle
the system requirements for the selected services.
209
210
211
In the Trend Vision One console, expand Service Management in the left‐hand pane
and click the Product Instance app. You will see a list of the products currently
registered with Trend Vision One. Click Add Existing Product. Select TippingPoint
Security Management System.
The Connect Product pane describes the process for connecting TippingPoint to the
Service Gateway. Each Service Gateway can connect to only one TippingPoint SMS
console; customers with multiple TippingPoint SMS consoles must deploy additional
Service Gateways.
If Device Inventory Sharing is required, click Generate an enrollment token. This token
is pasted into the TippingPoint console to allow the TippingPoint device details to
be displayed in the Trend Vision One console.
212
Copy the enrollment token to provide within TippingPoint SMS.
213
TippingPoint SMS shows as Pending in the Product Instance list.
214
Log into the TippingPoint SMS console and click Administration > Trend Micro
Connections.
215
Click Configure.
• If Device Inventory Sharing is required, enter the Enrollment Token.
• Provide the Service Gateway IP Address and API Key.
• Enable Suspicious Object synchronization, Event and File Status Sharing and Device
Inventory Sharing as required.
Click Test Connection.
216
217
218
Click the Network Intrusion Prevention app. On the Inventory tab, the TippingPoint
devices are displayed.
219
Products are secure on install but can always be tuned to be more secure based on
customer needs. View the best practices document at:
https://success.trendmicro.com/solution/1118282‐compilation‐of‐best‐practices‐while‐
using‐trend‐micro‐products‐for‐business
220
Demo:
Connecting Trend Micro Products
221
Lesson Review
1. What is the benefit of connecting your Trend Micro products to Trend Vision One?
2. What is the benefit of updating endpoint SaaS products to Trend Vision One Endpoint
Security?
3. Why would you install a Trend Vision One Service Gateway in your environment?
222
Hands‐on Labs
Lab 1: Preparing the Trend Vision One Lab Environment
(page 1)
Your Tasks
• Register for a Trend Vision One trial and access the lab
virtual application
223
Hands‐on Labs
Lab 2: Connecting Deep Security Software (page 17)
Your Tasks
• Register and connect Deep Security Software with your
instance of Trend Vision One
224
Hands‐on Labs
Lab 3: Deploying a Service Gateway (page 31)
Your Task
• Configure and activate the Service Gateway in the lab
environment
225
Lesson 4:
Installing Sensors
226
Lesson Objectives
After completing this lesson, participants will be able to:
• Describe the use of the Trend Vision One sensors
• Connect endpoint sensors
• Connect email sensors
• Connect network sensors
• Connect Web sensors
227
We mentioned earlier that both security events and activity were sent to the Trend
Micro data lake.
Connecting the product to Trend Vision One enables security events collected by agents
managed by that product to be sent to the data lake.
228
Important note:
The sensors do not provide any protection. They are designed to forward activity data
to the data lake.
229
230
The Endpoint Inventory app displays a list of client endpoint and servers and the
features enabled, for example, the Endpoint Sensor and/or Advanced Risk Telemetry.
231
Endpoint Basecamp
• Endpoint Basecamp acts as a plug‐in manager
− Mechanism to deploy endpoint applications
• Two applications deployed through Endpoint Basecamp
− Endpoint Sensor
− Advanced Risk Telemetry
Trend Micro Endpoint Basecamp also provides the essential but lightweight common
functions to endpoint applications, which includes the following:
• Authentication: Trend Micro service and endpoint application can authenticate with
each other through Endpoint Basecamp's authentication mechanism.
• Application performance data: Endpoint Basecamp collects agent process
performance data and crash counts for further development enhancement.
232
233
Trend Micro analyzes your environment to identify any high priority at‐risk
vulnerabilities in your corporation using global activity data, CVE information, and local
detection activity to produce customized vulnerability detection scores for each
endpoint.
The Operations Dashboard assesses endpoint data to determine which endpoints have
exploitable vulnerabilities and whether threat actors have already attempted to exploit
the at‐risk endpoints. After comparing the endpoint activity data and the global exploit
activity statistics, Operations Dashboard prioritizes your endpoints that require the
most urgent attention.
234
The services included in the Endpoint Basecamp package are displayed under Windows
Services:
• Trend Micro Cloud Endpoint Telemetry Service
• Trend Micro Endpoint Basecamp
• Trend Micro Web Service Communicator
In this example, the endpoint is unmanaged: the only Trend Micro services present are
those of Endpoint Basecamp, and no security agent service is installed.
235
Cloud One – Endpoint & Workload Security Activity Monitoring
236
Endpoint Inventory: how to connect a sensor for each endpoint type
• Windows and Mac client computers hosting an Apex One as a Service Security Agent:
Connect sensor.
• Windows and Mac client computers without an Apex One as a Service Security Agent:
Install Endpoint Basecamp, then connect sensor.
• Windows and Linux servers hosting an Agent managed by Deep Security Software:
Install Endpoint Basecamp, then connect sensor.
• Windows and Linux servers hosting an Agent managed by Cloud One – Endpoint &
Workload Security (or Apex One on‐premises): Enable Activity Monitoring or install
Endpoint Basecamp, then connect sensor.
• Windows and Linux servers without an Agent: Install Endpoint Basecamp, then
connect sensor.
237
238
239
An Endpoint Basecamp installation script for endpoints already hosting an agent can be
created in Deep Security. Select the operating system from the Platform list.
Note that Forward security events to Trend Vision One is enabled. Events collected
from protection modules will be sent to the data lake when this is enabled.
240
Any servers hosting Agents with the Activity Monitoring protection module enabled in a
policy will forward activity telemetry to the data lake, however, the standalone
endpoint sensor provides enhanced telemetry.
241
Action is required on this endpoint.
In the Endpoint Inventory, an information icon is displayed for any endpoint requiring
attention.
242
Endpoint sensor is recommended. Click to download the Endpoint Basecamp installer.
The Recommended Action pane provides suggestions on things that can be done to
improve your security posture. In this case, no sensor was detected; the suggested
action is to install Endpoint Basecamp, and the pane offers the option to download the
package for the selected endpoint.
243
Click to download specific installer packages.
244
Create an installer containing both the security agent and Endpoint Basecamp. Select
the type of endpoint, OS details, and the Protection Manager to report to.
The Agent Installer window enables the download of a package that installs both the
security agent for the endpoint type and OS and Endpoint Basecamp.
You must select the type of endpoint (standard end-user endpoints, or servers and
workloads). You must also select the operating system and the Protection Manager
the security agent will report to.
Download the package and run it on the endpoints; both the correct security agent and
the Endpoint Basecamp service will be installed on that device.
245
If the endpoint already has a security agent or is not managed by a Trend Micro
product, you can still collect activity data by installing the Endpoint Basecamp services
on the device and enabling the sensor.
Select the Endpoint Basecamp package for the operating system of the client or server
from the Agent Installer tab in the Endpoint Inventory app and download to a location
accessible by the endpoints.
246
Run the Endpoint Basecamp installer on the unmanaged computer requiring a sensor.
247
248
Apply security settings to your endpoints automatically (standard endpoint, server &
workload or sensor only).
Enable Endpoint Sensor to send activity data for state‐of‐the‐art threat detection and
alerting.
Enable Advanced Risk Telemetry to analyze endpoints for potential security posture
weaknesses and perform vulnerability assessments.
249
Configure sensor settings for standard endpoints, for servers and workloads, and for
unmanaged devices.
In the Endpoint Inventory, click Settings and select Default Sensor Settings.
Configure for standard endpoints, servers and workloads, and systems with a sensor
only (unmanaged).
250
Also configure global sensor settings.
251
To enable Endpoint Sensor on the Mac, specific permissions must be configured. Once
the Mac endpoint is detected by Trend Vision One and the endpoint sensor application
is installed through Endpoint Basecamp, a Permissions window will be displayed on the
Mac and users can follow the directions to allow the required system extensions and
permissions.
252
253
Each endpoint sensor requires 20 credits per device for the default 30 days of data
retention. Data can be saved for longer period, but credit usage will be higher.
254
255
Demo:
Installing Endpoint Sensors
256
257
Once Cloud App Security has been connected to Trend Vision One, you can access the
Email Account Inventory app. There is a tab for each email account type (Exchange
Online and Gmail).
258
259
Email sensors require three credits per email account for 180 days of data retention.
260
261
The network sensor is enabled when Deep Discovery Inspector is connected. No
additional steps are required.
262
263
Network sensors require 25,000 credits per Gbps of data transfer for 180 days of data
retention.
264
265
Serves as a data source for Activities and behaviors, Cloud App Activity and Threat
detection in the Executive dashboard.
Requires Trend Micro Web Security to be added through the Product Instance app.
266
In the Executive Dashboard app, click Data Source. In the Trend Micro Security Services
category, click Trend Micro Web Security. In the right‐hand pane, click to enable the
Web sensor. (Trend Micro Web Security must be added through the Product Instance
app first)
267
These are the data fields collected by the Web Sensor. We will see more about the
General fields in a later lesson.
268
Lesson Review
1. What is the purpose of Trend Micro Endpoint Basecamp?
2. What is the purpose of the Advanced Risk Telemetry components?
3. How is Endpoint Basecamp installed on endpoints managed by Deep Security? Apex One
as a Service? Apex One (on‐premises)? Cloud One ‐ Endpoint & Workload Security?
269
Hands‐on Labs
Lab 4: Deploying Endpoint Sensors (page 37)
Your Task
• Configure the Windows computers in the lab environment to
report their security events and/or activity data to Trend
Vision One
270
Lesson 5:
Integrating with
Third‐Party Applications
271
Lesson Objectives
After completing this lesson, participants will be able to:
• List and describe the different third‐party integrations available with
Trend Vision One related to XDR
• Connect third‐party applications to Trend Vision One
272
Some integrations require a Service Gateway to act as a proxy between Trend Vision
One and the third‐party application. Some integrations may also require that you
download an add‐on from the third‐party vendor's web site.
273
Trend Vision One provides integrations for various categories of functionality. These are
the integrations that provide data beneficial to XDR functionality in Trend Vision One.
Integrations are continually being added to Trend Vision One.
274
Expand Workflow and Automation and click the Third‐Party Integration app to view
the available integrations and to perform the required connection steps.
Click a listed integration to configure it. You can also filter the display by category,
vendor or associated app.
275
Simulate attacks on endpoints and verify attack information by pulling events from
Trend Vision One
276
Cloud Services
• Compiles usage and activities on Office 365 apps
including OneDrive, SharePoint, Outlook and Teams
• Requires Azure AD integration
• Provides data for Risk Insights
Office 365
Grant Trend Micro permission to access Office 365 usage reports and data about people
and the documents they interact with, in order to gain deeper insight into the
Microsoft 365 resources your users access and the behaviors that contribute to users'
risk analyses.
Through Azure AD integration, you gain access to the following insightful reports:
‐ OneDrive activity and usage
‐ SharePoint activity and usage
‐ Outlook activity and usage
‐ Teams activity and usage
Configuring Office 365 as a data source also requires that you configure Azure AD as a
data source.
Integrating with third parties such as Palo Alto, Broadcom, Check Point, MISP and
Fortinet enables the distribution of suspicious object data between Trend Vision
One and those products. Synchronizing this suspicious object information between Trend
Vision One and various third‐party products strengthens the security measures within
the environment.
Third‐party firewalls may be limited to blocking based on their supported object types.
For example, the FortiGate device supports the blocking of IP addresses, domains, URLs
and hashes. Other devices may support a different set of objects.
IT Service Management
• Allows Trend Vision One to send
Workbench alerts as service tickets to be
managed in the ServiceNow portal
ServiceNow ITSM
This integration allows Trend Vision One to send Workbench alerts as service tickets to
be managed in the ServiceNow portal.
Integrating with third‐party Identity and Access Management solutions such as Azure
Active Directory, on‐premises Active Directory, OpenLDAP and Okta enables the
following capabilities in Trend Vision One:
• Monitor sign‐in attempts, enable/disable user account, force sign out, force
password reset
• Discover devices, user accounts, and/or cloud apps
• Feed user and device activity logs (for account compromise), cloud app activity,
and/or anomaly detections
Integrating with third‐party SIEM products such as Splunk, Azure Sentinel and IBM
QRadar enables Workbench alert sharing for unified management of the event
information. View Trend Vision One Observed Attack Techniques and Workbenches
directly from the SIEM.
To integrate with the SIEM, download the Trend Vision One add‐on from the vendor's
web site (in the example, from the Splunkbase web store). Provide the Trend Vision
One Endpoint URL and Authentication token to the add‐on.
SOAR technologies enable organizations to collect data that is being monitored by the
security operations team, for example, alerts from the SIEM system. These
technologies help define, prioritize and drive standardized incident response activities.
SOAR tools allow an organization to define incident analysis and response procedures
in a digital workflow.
SIEM aggregates and correlates data from multiple security systems to generate alerts
while SOAR acts as the remediation and response engine to those alerts.
SIEM collects and aggregates security data sourced from integrated platforms logging
data ‐ firewalls, network appliances, intrusion detection and prevention systems, etc. ‐
then correlates data across devices, categorizes, and analyzes incidents before issuing
alerts. The alerts are identified by using sophisticated analytical techniques and
machine learning, which require fine tuning. This leaves a lot of alerts for a security
team or SOC to prioritize and remediate; a difficult, time‐consuming process.
SOAR, on the other hand, is designed to help security teams automate the response
process by gathering alerts, managing cases, and responding to the endless alerts
generated by SIEM. With SOAR, security teams can integrate security alerts and
create adaptive, automated incident response workflows.
Threat Intelligence
• Integrate indicator of compromise (IoC) and suspicious
object data from trusted third‐party intelligence
sources
• Subscribe to TAXII feeds from third‐parties
Trend Vision One can also integrate indicator of compromise (IoC) and suspicious object
data from trusted third‐party intelligence sources. Trend Vision One can subscribe to
TAXII feeds from third‐party sources such as Anomali, AlienVault, Pickupstix.io and
mitre.org for threat information sharing. In addition, Trend Vision One can integrate
with QRadar on Cloud through STIX‐Shifter for collaborative threat sharing and analysis.
By keeping up to date on indicators of compromise, Trend Vision One can detect attacks
and act quickly to prevent breaches from occurring and limit damage by stopping
attacks in earlier stages.
Trend Vision One also enables transfer of suspicious object data to and retrieval of
threat intelligence data from the MISP threat sharing platform through a Service
Gateway. MISP is a Linux solution that allows an organization to share IoCs and
suspicious objects. This category also includes suspicious object sharing from Cyborg
Security and Netskope.
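The two sides of the suspicious object exchange described here and in the firewall passage above (feed in, block list out), as an added Python example that is not part of this guide and not Trend Micro code. It parses a constructed STIX 2.1 indicator bundle (the format carried by TAXII feeds) into the suspicious object types the guide names (File SHA‐1, URL, IP address, Domain), drops revoked, malformed or duplicate entries, and then keeps only the types a given firewall can block. The feed contents and the device table are constructed: the FortiGate set follows the text, while "example-gateway" is a hypothetical device added to show the filtering.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Suspicious object types the guide lists for block-list exchange.
SUPPORTED_TYPES = {"sha1", "url", "ip", "domain"}

# Object types each third-party firewall can block. The FortiGate entry follows
# the guide (IP address, domain, URL, hash); "example-gateway" is a hypothetical
# device added only to show that unsupported types are dropped before sending.
DEVICE_OBJECT_TYPES: Dict[str, Set[str]] = {
    "fortigate": {"ip", "domain", "url", "sha1"},
    "example-gateway": {"ip", "domain"},
}

# STIX 2.1 cyber-observable paths mapped to suspicious object types. Paths not
# listed here (for example SHA-256 hashes) are ignored by the parser.
_STIX_PATH_TO_TYPE = {
    "file:hashes.'SHA-1'": "sha1",
    "url:value": "url",
    "ipv4-addr:value": "ip",
    "domain-name:value": "domain",
}

# One "path = 'literal'" comparison inside a STIX pattern; a pattern may hold
# several comparisons joined with AND/OR, so the regex is applied with findall.
_COMPARISON = re.compile(r"([\w\-]+:[\w\.'\-]+)\s*=\s*'([^']*)'")
_SHA1 = re.compile(r"^[0-9a-f]{40}$")
_DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def _is_valid(so_type: str, value: str) -> bool:
    """Reject feed entries whose value does not fit the declared object type."""
    if so_type == "sha1":
        return bool(_SHA1.match(value))
    if so_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if so_type == "domain":
        return bool(_DOMAIN.match(value))
    if so_type == "url":
        return value.startswith(("http://", "https://"))
    return False


def indicators_to_suspicious_objects(bundle: dict) -> List[Dict[str, str]]:
    """Turn the indicator objects of a STIX bundle into deduplicated
    {"type", "value", "source"} suspicious objects; revoked indicators are skipped."""
    seen = set()
    objects: List[Dict[str, str]] = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        for path, raw in _COMPARISON.findall(obj.get("pattern", "")):
            so_type = _STIX_PATH_TO_TYPE.get(path)
            if so_type is None:
                continue
            # Hashes and domains are case-insensitive; URL paths are not.
            value = raw.strip() if so_type == "url" else raw.strip().lower()
            if not _is_valid(so_type, value) or (so_type, value) in seen:
                continue
            seen.add((so_type, value))
            objects.append({"type": so_type, "value": value, "source": obj.get("id", "")})
    return objects


def objects_for_device(objects: List[Dict[str, str]], device: str) -> List[Dict[str, str]]:
    """Keep only the object types the named firewall is able to block."""
    supported = DEVICE_OBJECT_TYPES[device] & SUPPORTED_TYPES
    return [o for o in objects if o["type"] in supported]


# Constructed feed content: documentation address ranges and .example domains only.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "indicator", "id": "indicator--1",
         "pattern": "[file:hashes.'SHA-1' = 'DA39A3EE5E6B4B0D3255BFEF95601890AFD80709']"},
        {"type": "indicator", "id": "indicator--2",
         "pattern": "[domain-name:value = 'bad.example' OR url:value = 'http://bad.example/a']"},
        {"type": "indicator", "id": "indicator--3",
         "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "id": "indicator--4",   # hash type the guide does not list
         "pattern": "[file:hashes.'SHA-256' = '0000000000000000000000000000000000000000000000000000000000000000']"},
        {"type": "indicator", "id": "indicator--5", "revoked": True,
         "pattern": "[ipv4-addr:value = '203.0.113.9']"},
        {"type": "indicator", "id": "indicator--6",   # malformed value
         "pattern": "[ipv4-addr:value = 'not-an-ip']"},
        {"type": "indicator", "id": "indicator--7",   # duplicate of indicator--3
         "pattern": "[ipv4-addr:value = '198.51.100.23']"},
    ],
}

if __name__ == "__main__":
    all_objects = indicators_to_suspicious_objects(SAMPLE_BUNDLE)
    for device in DEVICE_OBJECT_TYPES:
        print(device, [(o["type"], o["value"]) for o in objects_for_device(all_objects, device)])
```

The validation step matters in practice: a feed entry with an unparseable value would otherwise be pushed to every connected firewall and rejected (or silently ignored) there, so it is cheaper to drop it once at ingest and log the source indicator id.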
Vulnerability Management
• Enables Trend Vision One to discover devices
and feed device vulnerability scan results
• Serves as a data source for Risk Insights
Integrating with third‐party products such as Qualys, Nessus Pro and Tenable.io enables
Trend Vision One to discover devices and feed device vulnerability scan results.
Web Access
• Extends the scope of visualization in the organization
and improves detail when measuring risk
• Use Trend Micro Risk Insights for Splunk to extract
Web log data from third‐party firewall and Web
gateway products through Splunk
The Trend Micro Risk Insights for Splunk app connects your Splunk data with Trend
Micro data lakes revealing web access footprints based on Firewall and Web Gateway
activity.
If an integration is required and is not available within the native features of Trend
Vision One, the API can be used.
Best Practice
• Connect as many data sources as possible to improve the quality and
breadth of collected data
Demo:
Connecting Third‐Party Products
Lesson Review
1. What are some of the reasons for integrating third‐party products with Trend Vision One?
2. What is the benefit of synchronizing suspicious object information between Trend Vision One and third‐party firewall products?
3. What is the benefit of integrating third‐party threat intelligence with Trend Vision One?
4. What is the purpose of the Trend Micro Risk Insights for Splunk app?
Hands‐on Lab
Lab 5: Connecting Third‐Party Products (page 47)
Your Task
• Connect the on‐premises Active Directory in the lab
environment to Trend Vision One to collect information for
risk assessments and remediation actions
Lesson 6:
Using the XDR
Threat Investigation Apps
At this point, we’ve connected some Trend Micro products, connected some third‐party
applications and have enabled sensors on some devices in our environment.
It’s time to see what Vision One is telling us.
Lesson Objectives
After completing this lesson, participants will be able to:
• View raw event and activity data
• Describe the use of Workbenches
• Navigate within Workbenches
• Perform actions on objects from within Workbenches
Figure: data sources (Data on mobile, Data on network, Data from Cloud Sandbox, Data on clients, Data from Web sensor, Data from third parties) feeding the Data lake, with the question “Have we collected any events or activities of interest?”
Data from all the different collection points is gathered in a data lake. From that
collection of data, analysis can be performed.
For example, how does an event in an email account relate to an event detected
on the network?
Trend Vision One collects and correlates data across email, endpoint, servers, cloud
workloads, and networks, enabling visibility and analysis that is difficult or impossible
to achieve otherwise.
Global threat intelligence combined with expert detection rules continually updated
from our threat experts maximize the power of AI and analytical models.
Detection models create prioritized alerts based on an expert alert schema to interpret
data in a standard and meaningful way.
A consolidated view uncovers events and the attack path across security layers, and
guided investigations help you understand the impact and identify the path to resolution.
XDR apps provide a consolidated view to uncover events and the attack path across
security layers, and include the tools to enable analysis and visibility of telemetry from
endpoints, servers, email, network and the web.
Detection Models: the Detection Models screen lists all the detection models
that Trend Vision One provides. The detection models, which generate the alert
triggers, combine multiple rules and filters using a variety of analysis techniques
including data stacking and machine learning. Moreover, Trend Micro regularly refines
and adds detection models and filters to improve threat detection capabilities and
reduce false positive alerts.
Workbench: Displays alerts triggered by detection models and incidents that group
related alerts, and enables you to further investigate and respond to each alert and
incident.
Search: Construct query strings to pinpoint data or objects in the data lake. It provides
different search methods, filters and a query language to identify, categorize and
retrieve data.
Observed Attack Techniques : The Observed Attack Techniques app displays the
individual events detected in your environment that may trigger an alert and any
related MITRE information.
Trend Vision One detects events through use of granular detection filters that make up
the detection models that trigger alerts. Events that Trend Vision One lists on the
Observed Attack Techniques screen do not necessarily result in a Workbench alert. You
can use the data in the Observed Attack Techniques app to further investigate Workbench
alerts and evaluate individual detections.
Targeted Attack Detection: Targeted Attack Detection analyzes your Smart Protection
Network data to determine if certain indicators signal an ongoing attack, enabling you
to take timely prevention, investigation, and mitigation actions against targeted attack
campaigns. The analysis helps detect targeted attacks, identify the attack campaign, and
provide steps to mitigate the attack. If an attack is not occurring, Targeted Attack
Detection provides recommended actions to harden your environment against future
potential attacks. The app displays information about your organization's attack
exposure for a specific period.
Forensics and Analysis: Allows analysts and responders to react more quickly to potential
incidents, and to conduct compromise assessments, threat hunting, and monitoring.
Managed XDR: Augment your team with the expertly managed detection and response
service. Backed by a team of highly qualified security analysts, Trend Micro Managed
XDR is a flexible 24/7 service that provides advanced threat detection, investigation, and
response.
The Observed Attack Techniques app displays the individual events or activities
detected in your environment that may trigger an alert and any related MITRE
information.
Data Retention
• Retention policies purge data once it is no longer needed
− Retains collected raw information for 30 days by default
− Customer can purchase extended storage option (max of 365 days offered)
• Retains alert workbenches for 180 days
• All data is deleted upon license expiration + 30‐day grace period
Trend Vision One applies retention policies that purge data once it is no longer needed
for the purpose for which it was collected.
• Trend Vision One retains the collected raw information for 30 days by default, unless
the customer purchases extended storage at extra cost (max of 365 days offered).
• It also generates and retains alert workbenches for 180 days to give customers the
information for investigation/reporting.
• All data is deleted upon license expiration + 30‐day grace period
Expand XDR Threat Investigation and click the Observed Attack Techniques app.
You can filter the display of Observed Attack Techniques with the filters along the top of
the display.
Click any entry in the Tactic or Technique columns to open the attack.mitre.org page
with a description of the item.
Filters correlate events within the event and activity data in the data lake using a variety
of techniques including data stacking, machine learning, expert rules, and more.
Detection models written by Trend Micro threat experts combine these filters to
identify attack behaviors. These automated and cross‐layer detection models tie
together low‐level events to find stealthy attackers. Detection models are frequently
updated/added by Trend Micro.
The Detection Model Management app lists all the models created by Trend Micro
threat experts. The list is updated regularly as new models are developed.
The Detection Models tab lists all the current models. Columns listed include:
Severity
The severity level Trend Vision One assigns to the model depends on the type of event
and MITRE information. The available severity levels include:
• Critical: This event exhibits strong evidence of compromise for targeted attacks,
Advanced Persistent Threats (APTs), or cybercrime operations
• High: This event exhibits highly suspicious indicators associated with targeted
attacks, APTs, or cybercrime operations
• Medium: This event exhibits suspicious indicators possibly associated with malware
infections, policy violations, or cybercrime operations
• Low: This event exhibits mildly suspicious indicators useful for security monitoring or
threat hunting
Model
Each model is identified by a unique name, assigned by the Trend Micro threat experts.
Description
A short description of the detection model is displayed for information purposes.
Applicable products
The products to which this detection model applies
Last Updated
The date and time which Trend Micro last updated the model
Status
Trend Vision One automatically enables the alert triggers for supported products in your
environment. Any model can be disabled by clicking the status icon.
Each detection model uses one or more filters to detect suspicious behaviors or events
based on associated MITRE techniques and reported threat indicators. You can further
check specific detection filters that triggered an alert in the alert details of the
Workbench app.
Add an object to exceptions if you want to exclude the object value from being
detected by the current detection filter. Trend Vision One then matches the exception
on all three together: the object value, the data field associated with the value, and the
related detection filter.
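How that three‐part match behaves, as an added Python example that is not from this guide and not Trend Micro code. An exception entry carries a filter name, a data field and an object value, and it suppresses a detection only when all three agree: the same value seen in another field, or under another filter, is still reported. The filter names, field names and detections below are constructed for the example and are not Trend Micro filter names.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FilterException:
    """One exception entry: the detection filter it applies to, the data field
    that carries the object, and the object value to exclude. All three must match."""
    filter_name: str
    data_field: str
    object_value: str


@dataclass
class Detection:
    """One detection-filter hit and the data fields of the event that matched."""
    event_id: str
    filter_name: str
    fields: Dict[str, str]


def _norm(value: str) -> str:
    # Compare trimmed, case-folded values so hash case or stray spaces do not defeat the exception.
    return value.strip().casefold()


def exception_matches(exc: FilterException, det: Detection) -> bool:
    """True only when filter, field and value all agree."""
    if exc.filter_name != det.filter_name:
        return False
    actual = det.fields.get(exc.data_field)
    return actual is not None and _norm(actual) == _norm(exc.object_value)


def apply_exceptions(detections: List[Detection], exceptions: List[FilterException]) -> List[Detection]:
    """Return the detections that no exception suppresses."""
    return [d for d in detections if not any(exception_matches(e, d) for e in exceptions)]


# Constructed data; the filter names are hypothetical, not Trend Micro filter names.
EXCEPTIONS = [
    FilterException("Hypothetical: script launched by scheduled task", "processCmd",
                    "powershell.exe -File C:\\Scripts\\inventory.ps1"),
    FilterException("Hypothetical: known tool hash", "objectFileHashSha1",
                    "da39a3ee5e6b4b0d3255bfef95601890afd80709"),
]

DETECTIONS = [
    Detection("E1", "Hypothetical: script launched by scheduled task",
              {"processCmd": "powershell.exe -File C:\\Scripts\\inventory.ps1"}),
    Detection("E2", "Hypothetical: script launched by scheduled task",      # different value
              {"processCmd": "powershell.exe -File C:\\Users\\Public\\x.ps1"}),
    Detection("E3", "Hypothetical: script from temp folder",                # same value, other filter
              {"processCmd": "powershell.exe -File C:\\Scripts\\inventory.ps1"}),
    Detection("E4", "Hypothetical: known tool hash",                        # same value, upper case
              {"objectFileHashSha1": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"}),
    Detection("E5", "Hypothetical: known tool hash",                        # same value, other field
              {"parentFileHashSha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}),
]


def remaining_event_ids() -> List[str]:
    """Ids of the constructed detections that survive the exception list."""
    return [d.event_id for d in apply_exceptions(DETECTIONS, EXCEPTIONS)]


if __name__ == "__main__":
    print("still reported:", remaining_event_ids())
```

Keeping the filter in the key is what limits the blast radius of an exception: excluding an administrative script from one filter does not silence every other filter that might legitimately fire on the same command line.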
Workbenches
• Displays alerts triggered by detection models
− Correlated events and activities
• Requires your attention for further
evaluation
− Does not necessarily mean that your systems have
been compromised
• Analysts can investigate through an in‐depth
root cause and impact analysis
− Help understand the alert extent and severity and
determine further actions to respond to the alerts
Workbenches are alerts triggered by detection models. These are the correlated events
and activities.
The creation of a workbench does not necessarily mean that your systems have been
compromised, but they do require your attention for further evaluation.
Analysts can investigate through an in‐depth root cause and impact analysis which will
help understand the alert extent and severity and determine further actions to respond
to the alerts.
The Workbench Alert View tab displays alerts that you can investigate through an in‐
depth root cause and impact analysis to understand the alert extent and severity and
further determine actions to respond to the alerts.
The Workbench Incident View tab displays incidents that group related alerts to help
you quickly identify and mitigate potential system breaches in your network
environment.
Trend Vision One creates incidents to group related alerts using advanced alert
correlation and machine learning techniques.
You can view detailed incident data on each tab to further investigate and mitigate a
potential security breach in your network environment.
Workbench Alerting
Trend Vision One will send out an alert email to the specified administrators or analysts
when a workbench is automatically created. Click the link to be brought directly to the
workbench in the console, or log into the console and go to the Workbench app.
Impact Score
Displays the number of entities that the alert affects within the company network.
Data Source
Displays the product that is providing the data to the Workbench app
Created
Displays the date and time Trend Vision One generated the alert.
Associated incident
Any incident associated with the alert is displayed in this column. Click the incident ID to
be brought to the Incident View. From there, you can see how the alerts within this
incident are related.
Summary: General details about the Workbench.
Timeline: Timeline of the alert details.
Observable Graph: Graphical representation of the alert details.
Highlights: Lists MITRE ATT&CK tactics and techniques used along with affected objects.
Trend Vision One provides a context menu that provides actions that can be applied to
objects in the Workbench directly related to the console location and object type.
To access the context menu, right‐click anywhere on the Trend Vision One console.
Workbench Actions
• Context menu provides actions related to the console location and
object type
− Response actions
− Advanced analysis actions
− Search actions
− General actions
Right‐clicking objects displays a context‐sensitive menu providing actions related
to the console location and object type. These include:
• Response actions
• Advanced analysis actions
• Search actions
• General actions
Actions on files and processes
Object‐specific actions allow you to directly respond to threats without leaving the
Trend Vision One console.
You can take specific actions on events or objects found on the Trend Vision One
console. After triggering a response, the Response Management app creates a task and
sends the command to the target.
Actions on suspicious objects
You can take preventive blocking measures on suspicious objects that may pose a
security risk to your network using context menus on the Trend Vision One console.
Add to Block List: Adds File SHA‐1, URL, IP address, or Domain objects to the User‐
Defined Suspicious Objects List, which blocks the objects on subsequent detections.
Remove from Block List: Removes the File SHA‐1, URL, IP address, or Domain object
added to the User‐Defined Suspicious Objects List through the Add to Block List
response.
Actions on email messages
Quarantine Message: Moves the selected email message to the quarantine folder and
allows you to quarantine the message from all affected mailboxes.
Delete Message: Deletes the selected email message from the selected mailboxes.
Restore Message: After determining that a quarantined message is not malicious, you
can restore the message by clicking Restore message on the task context menu.
Actions on endpoints
Isolate Endpoint: Disconnects the target endpoint from the network, except for
communication with the managing Trend Micro server product.
Restore Connection: Restores network connectivity to an endpoint that already
applied the Isolate Endpoint action.
Start Remote Shell Session: Connects to a monitored endpoint and allows you to
execute remote commands or a custom script file for investigation.
Run Remote Custom Script: Connects to a monitored endpoint and executes a
previously uploaded PowerShell or Bash script file.
Actions for account enforcement
Disable User Account: Signs the user out of all active application and browser sessions
of the user account. It may take a few minutes for the process to complete. Users are
prevented from signing in to any new session.
Enable User Account: Allows the user to sign into new application and browser
sessions. It may take a few minutes for the process to complete.
Force Sign Out: Signs the user out of all active application and browser sessions of the
user account. It may take a few minutes for the process to complete. Users are not
prevented from immediately signing back in to the closed sessions or signing in to new
sessions.
Force Password Reset: Signs the user out of all active application and browser sessions
and forces the user to create a new password during the next sign‐in attempt. It may
take a few minutes for the process to complete.
Actions for advanced analysis
You can further investigate workbench data using context menus to access execution
profiles and network analytics reports.
Check Execution Profile: Visualizes objects and events using a dynamic and interactive
chain view.
Check Network Analytics Report: Shows network correlations of the selected node and
other related objects.
Context menus provide additional search options that you can access during an
investigation, after encountering objects or data that you want to further explore.
General actions
Trend Vision One creates incidents to group related alerts using advanced alert
correlation and machine learning techniques. Incidents associate multiple related
(correlated) Workbenches to build a more complex picture of a sequence of events.
The Incident Timeline tab displays the date and time of each detection from associated
alerts.
You can click Incident‐based Execution Profile in the upper right corner to check the
root cause, lifecycle, and impact scope of an incident.
The Impact Scope tab displays the list of entities affected by the incident
The Highlighted Objects tab displays the list of highlighted objects from the associated
alerts. Trend Vision One analyzes highlighted objects to correlate alerts.
You can select one or more highlighted objects and choose a response action to take on
the objects.
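The grouping idea behind incidents (related alerts tied together through the objects they highlight, with an incident timeline and impact scope derived from the members), as an added Python example that is not from this guide and not Trend Micro's correlation logic, which the text describes only as alert correlation plus machine learning. This example uses one simple, deterministic rule: alerts that highlight at least one common object are placed in the same incident, transitively. Alert ids, times and objects are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set


@dataclass
class Alert:
    """A Workbench alert reduced to what the grouping needs (constructed data)."""
    alert_id: str
    created: datetime
    highlighted: Set[str]   # highlighted objects written as "kind:value"


def group_into_incidents(alerts: List[Alert]) -> List[Dict]:
    """Union alerts that share at least one highlighted object, transitively,
    and return one incident record per connected group, oldest incident first."""
    parent = list(range(len(alerts)))   # union-find over alert indexes

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    def union(a: int, b: int) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # The first alert that highlighted an object "owns" it; later alerts with the
    # same object are unioned with that owner.
    first_owner: Dict[str, int] = {}
    for idx, alert in enumerate(alerts):
        for obj in alert.highlighted:
            if obj in first_owner:
                union(first_owner[obj], idx)
            else:
                first_owner[obj] = idx

    groups: Dict[int, List[int]] = defaultdict(list)
    for idx in range(len(alerts)):
        groups[find(idx)].append(idx)

    incidents = []
    for members in groups.values():
        ordered = sorted((alerts[i] for i in members), key=lambda a: a.created)
        seen = Counter(obj for a in ordered for obj in a.highlighted)
        incidents.append({
            "alerts": [a.alert_id for a in ordered],
            # objects that appear in more than one member alert are what tie the incident together
            "shared_objects": sorted(o for o, n in seen.items() if n > 1),
            # every highlighted object of every member: the incident's impact scope
            "impact_scope": sorted(seen),
            # incident timeline: detection time of each member alert, in order
            "timeline": [(a.created.isoformat(), a.alert_id) for a in ordered],
        })
    incidents.sort(key=lambda inc: inc["timeline"][0][0])
    return incidents


# Constructed alerts: three are chained through a host and an external IP, one stands alone.
SAMPLE_ALERTS = [
    Alert("alert-1", datetime(2024, 5, 2, 9, 0),
          {"host:ws-01", "sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709"}),
    Alert("alert-2", datetime(2024, 5, 2, 9, 10), {"host:ws-01", "ip:198.51.100.23"}),
    Alert("alert-3", datetime(2024, 5, 2, 9, 30), {"ip:198.51.100.23", "user:j.doe"}),
    Alert("alert-4", datetime(2024, 5, 2, 11, 0), {"host:srv-07"}),
]

if __name__ == "__main__":
    for inc in group_into_incidents(SAMPLE_ALERTS):
        print(inc["alerts"], "shared:", inc["shared_objects"])
```

Note that alert-1 and alert-3 never share an object directly; they land in the same incident only because alert-2 bridges them. That transitive chaining is what lets an incident tell a longer story than any single alert, and also why a very common object (a shared proxy address, for instance) can over-merge unrelated alerts if it is allowed to act as a link.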
Execution Profile
• Investigation tool that displays the
sequence of events leading to the
execution of the matched object
− Also known as Root Cause Analysis
• Visualizes objects and events using a
dynamic and interactive chain view, instead
of static analysis results
• Switch between Chain and Timeline views
The Execution Profile visualizes objects and events using a dynamic and interactive
chain view, instead of static analysis results.
Execution Profile can be viewed from 4 locations in the Trend Vision One console:
The Observed Attack Techniques tab in the Execution Profile lists the individual events
detected in your environment and related MITRE information. You can click View event
to further check the event details in the Observed Attack Techniques app.
Note: Under Observed Attack Techniques, only detection filters at Critical, High, and
Medium risk levels are listed, based on the objects available in the current analysis
chain.
The Execution Profile aggregates multiple analysis chains that visualize objects and
events for interactive investigations.
You can click any node to view the detailed profile and check related events of the
object. The initial analysis chain shows the most critical events as a baseline and allows
you to add more events to the chain if necessary.
The Endpoints tab lists the affected endpoints and highlighted objects of the alert.
The Timeline view displays the events associated with an incident in chronological
order.
By default, only the first observed events of an incident are highlighted. You can use the
left and right arrows (< or >) to progress through the attack step‐by‐step.
Network Analytics
• Shows network correlations
between the trigger object selected
in Observable Graph and other
related objects
• Only available after connecting and
properly configuring Deep
Discovery Inspector
The Network Analytics Report shows network correlations between the trigger object
selected in Observable Graph and other related objects.
The Network Analytics Report is only available after connecting and properly
configuring Deep Discovery Inspector.
The icon indicates a Network Analytics Report is available for this object.
Each correlation graph contains one or more lines that correlate malicious or suspicious
activity between a source and destination.
• Each correlation line represents one or more transactions between two hosts
• The thickness of the line is proportional to the number of transactions occurring
between the hosts
• Correlation lines can be between an internal host and external server or between
two internal hosts (lateral movement)
• Each correlation line is labeled with the protocols used in transactions between the
hosts. An arrow within the correlation line indicates the direction of the
transactions, from source to destination
• Correlation lines involving email senders are labeled as Suspicious Email Activity
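The rules in this list, carried out over sample traffic, as an added Python example that is not from this guide and not the Network Analytics implementation: transactions are folded into one directed line per source/destination pair, each line gets a transaction count, a width proportional to that count, a protocol label, a lateral‐movement flag when both ends are internal, and the Suspicious Email Activity label when an email sender is involved. The transaction records are constructed; "internal" is assumed to mean RFC 1918 address space, which is a simplification of this example and not a statement about the product.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Transaction:
    """One observed transaction between two hosts (constructed record)."""
    src: str
    dst: str
    protocol: str
    email_sender: str = ""   # non-empty when the transaction is a suspicious email


@dataclass
class CorrelationLine:
    src: str
    dst: str
    transactions: int      # number of transactions the line represents
    protocols: List[str]   # protocols seen between the two hosts
    lateral: bool          # both ends internal: candidate lateral movement
    label: str             # text printed on the line in the graph
    width: float           # line thickness, proportional to transactions


# Assumption for this example: private (RFC 1918) address space is "internal".
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_internal(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False   # hostnames and garbage are treated as external
    return any(addr in net for net in _INTERNAL_NETS)


def build_correlation_lines(transactions: List[Transaction], max_width: float = 6.0) -> List[CorrelationLine]:
    """Fold transactions into one directed line per (source, destination) pair;
    the busiest pair gets max_width and the others scale down from it."""
    pairs = defaultdict(list)
    for t in transactions:
        pairs[(t.src, t.dst)].append(t)
    if not pairs:
        return []
    busiest = max(len(txs) for txs in pairs.values())
    lines = []
    for (src, dst), txs in pairs.items():
        protocols = sorted({t.protocol for t in txs})
        has_email = any(t.email_sender for t in txs)
        lines.append(CorrelationLine(
            src=src, dst=dst,
            transactions=len(txs),
            protocols=protocols,
            lateral=_is_internal(src) and _is_internal(dst),
            label="Suspicious Email Activity" if has_email else ", ".join(protocols),
            width=round(max_width * len(txs) / busiest, 2),
        ))
    # Busiest pairs first; the arrow direction is always src -> dst.
    lines.sort(key=lambda ln: (-ln.transactions, ln.src, ln.dst))
    return lines


# Constructed traffic: one internal host talking to an external server, the same
# host reaching a second internal host over SMB, and one inbound suspicious email.
SAMPLE_TRANSACTIONS = [
    Transaction("10.0.0.5", "198.51.100.23", "HTTP"),
    Transaction("10.0.0.5", "198.51.100.23", "HTTP"),
    Transaction("10.0.0.5", "198.51.100.23", "HTTPS"),
    Transaction("10.0.0.5", "198.51.100.23", "HTTP"),
    Transaction("10.0.0.5", "10.0.0.9", "SMB"),
    Transaction("10.0.0.5", "10.0.0.9", "SMB"),
    Transaction("203.0.113.7", "10.0.0.5", "SMTP", email_sender="sender@bad.example"),
]

if __name__ == "__main__":
    for ln in build_correlation_lines(SAMPLE_TRANSACTIONS):
        arrow = "=>" if ln.lateral else "->"
        print(f"{ln.src} {arrow} {ln.dst}  x{ln.transactions}  width={ln.width}  [{ln.label}]")
```

The lateral flag is the part an analyst reads first: a thick internal-to-external line says how much data went where, but a thin internal-to-internal line over SMB may be the more urgent finding, because it is the only evidence that a second host is involved.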
Figure: Smart Protection Network services (Certified Safe Software, Web Reputation, Smart Feedback)
The Targeted Attack Detection capabilities in Trend Vision One require that Predictive
Machine Learning, Behavior Monitoring and Smart Feedback be enabled.
• Predictive Machine Learning: Protects your network from new, previously
unidentified, or unknown threats through advanced file feature analysis and
heuristic process monitoring.
• Behavior Monitoring: Continuously monitors endpoints for unusual modifications to
the operating system or on installed software.
• Smart Feedback: Shares threat information with the Smart Protection Network,
allowing Trend Micro to rapidly identify and address new threats.
Targeted Attack Detection analyzes your Smart Protection Network data to determine if
certain indicators signal an ongoing attack, enabling you to take timely prevention,
investigation, and mitigation actions against targeted attack campaigns. The analysis
helps detect targeted attacks, identify the attack campaign, and provide steps to
mitigate the attack. If an attack is not occurring, Targeted Attack Detection provides
recommended actions to harden your environment against future potential attacks.
The app displays information about your organization's attack exposure for a specific
period. This information is influenced by the following factors:
• Security features enabled on Trend Micro management servers that you have
connected to Trend Vision One
• Endpoint sensors installed and enabled in your environment
• Attack campaigns monitored and analyzed by Trend Micro threat experts
The Attack Exposure frame reviews the overall risk level of your environment and any
ongoing attacks.
• High Risk and Medium Risk: Agents in your environment found attack indicators for
one or more ongoing attack campaigns.
• Low Risk: Agents in your environment did not find any attack indicators.
Ratings are based on Smart Protection Network data analyzed within a specific period.
Your organization's rating may change when:
• Connecting management servers and enabling security features.
• Enabling Smart Feedback.
• Installing and enabling endpoint sensors.
• The app is updated with information on new attack campaigns or attack
indicators.
Review the Security Features and endpoint sensors sections to confirm that you have
the coverage and visibility needed to discover attack indicators. These sections
provide an overview of feature coverage within your environment.
Enabling Smart Feedback and endpoint sensors improves attack visibility. Enabling
Predictive Machine Learning and Behavior Monitoring enhances security capability.
Targeted Attack Detection displays coverage as a percentage. For security features, this
is the percentage of management servers in your environment with the feature
enabled. For endpoint sensors, the app calculates the percentage according to the
number of sensors enabled versus how many sensors you can enable according to your
product license or available credits. Increasing coverage provides more data from
across your network, allowing for more accurate analysis and monitoring of your
environment.
The Attack Phases frame displays a quick overview of the progress of ongoing targeted
attacks and affected endpoints.
This section displays information about attacker activity for four phases that precede
command‐and‐control communication. Find out if attackers are attempting to gain or
maintain their foothold on your network, or if data exfiltration or some form of system
impact may soon occur.
Click on the desktop or server icons on each phase to view endpoints affected during
the attack phase.
• Initial Access: An attacker has gained access or is attempting to gain access to your
environment. If successful, attackers may attempt to move to the next attack phase.
• Persistence: An attacker is attempting to maintain or increase access to your
environment. If successful, attackers may attempt to load malicious payloads onto
your environment, such as bots and malware, which may remain dormant in your
environment even if the attacker stops.
• Credential Access: An attacker has obtained or is attempting to obtain account
credentials within your environment. Data exfiltration or some form of system
impact may occur soon. Attackers may attempt to interrupt, manipulate, steal, or
destroy critical assets.
• Lateral Movement: An attacker is expanding or attempting to expand the attack
scope within your environment. Data exfiltration or some form of system impact may
soon occur. Attackers may interrupt, manipulate, steal, or destroy your critical assets.
• Impact: A targeted attack of high severity which reaches the final attack phase may
cause significant damage within your environment. This section estimates the overall
impact of the ongoing campaign according to attack indicators and affected
endpoints.
The Risk Management Guidance frame displays the top recommended actions to
harden your defenses, investigate attack scope, and monitor your environment. The
recommended actions vary depending on factors including which security features are
enabled, security feature configurations, and the type of threat present in your
environment.
Prevention and Containment tab: Prevent the spread of new and ongoing attacks by
hardening your defenses, and mitigate ongoing or potential attacks. Suggestions are
provided for each.
Monitoring and Investigation
Monitoring and Investigation tab: Increase visibility and monitor new or ongoing
attacks.
This section provides steps to further investigate the scope of ongoing attacks, monitor,
and search for attack indicators in your environment.
The Attack Scope frame allows you to view affected endpoints in your environment and
information about monitored attack campaigns.
Endpoints
Displays an overview of endpoints affected by ongoing attack campaigns.
Click the total number to view details about each affected endpoint.
Sort the list by changing View to Management server, Severity, or Recommended
actions.
Campaigns
Trend Micro threat researchers monitor and analyze attack campaigns affecting
organizations around the world. Their research provides context to detected attack
indicators and allows Trend Vision One to predict possible next steps by attackers. You
can use the information to identify other potentially compromised assets and to
mitigate the risk posed by each campaign.
Tags indicate regions, platforms, and industries the campaign affects the most.
A red icon next to the campaign name indicates the app found attack indicators for that
campaign in your environment.
The Forensics and Analysis app allows analysts and responders to react more quickly
to potential incidents, and to conduct compromise assessments, threat hunting, and
monitoring.
After an incident, collect evidence for further analysis with specialized tools using
the Incident Response Evidence Collection playbook. Evidence collected this way
supports the incident response process.
Create a case, import evidence, and analyze it with a highly customizable investigation
tool. Collect evidence from potentially compromised endpoints online with the Incident
Response Evidence Collection playbook, or offline with the Trend Micro Forensic Tool.
Live Query can quickly run triage commands, or trigger supported investigation tools,
to help triage and isolate potentially compromised endpoints.
Forensics evidence can be collected by clicking Collect Evidence from the Packages tab,
or it will be added automatically to this tab when the Collect Evidence Playbook is run.
Response Management
• Take actions and track the actions taken on the environment using
the Trend Vision One console
• View the response task status and command details
The Response Management app allows the analyst to take actions, and track the actions
that have been taken, on your environment using the Trend Vision One console.
After triggering a response to an event or object, you can view the response task status
and command details in the Response Management app.
Trend Vision One tracks and provides feedback on the actions taken on endpoints,
email messages, and network events. After triggering a response to an event or object,
you can view the response task status and command details in the Response
Management table.
The Task status indicates whether the managing server was able to successfully receive
and execute the command. If the command target is a Security Agent, the Task status
does not necessarily indicate whether the target Security Agent or object successfully
executed the command; confirm the result on the agent itself before treating a
containment action such as isolation as complete.
If the task status is Queued or Unsuccessful, you can click the Resend command icon to
immediately send the exact same command to the managing server.
Depending on the action taken, additional actions may be available by clicking the
options button at the end of the row.
The Custom Scripts tab displays a list of scripts that have been run on devices in the
environment and the user that ran them.
Demo:
Navigating within Workbenches
Managed Services
While Trend Vision One provides a wide range of tools for detecting and responding to
attacks and threats, some organizations do not have the resources to handle these
activities themselves.
techniques. They also use additional threat data which cannot be shared publicly.
• 24x7 Monitoring and Detection: 24x7 staffing is difficult for many organizations.
With Managed Services, security analysts provide 24x7 monitoring and detection. If
an incident is found and is of serious concern, investigators around the world can
work on the investigation around the clock while keeping your data in the MDR node
of your locality. Analysts will develop a detailed response plan and, with your
permission, can take responsive actions through the Trend Micro products.
• Rapid Investigation and Mitigation: Detailed response plans are generated to deal
with the threats in your organization and remote actions can be performed through
Trend Micro products.
Managed Services: Proactive and Reactive
Managed Services includes 24x7 monitoring to review all the alerts and prioritize which
threats need to be handled first, and possibly some initial impact analysis (for example,
whether a file is malicious on other protected systems). These activities combine
automated analysis and intelligence gathering with early involvement of threat experts,
so that detection and response actions are taken as early as possible. Sometimes the
experts dive into the investigation and analysis themselves.
Gathering additional information can determine vulnerabilities, understand what else
may have been downloaded, or if the original threat has mutated and spread. The
analyst investigates to determine the full root cause analysis and potential impact to
the affected customer.
They also work with the customer on the response:
• Initiate the response or provide tools to help quarantine, isolate endpoints, kill
processes, and so on
• Provide a report to the customer about the event
• Provide recommendations
• Automatically generate a pattern and share it
Once the incident has been cleared, Trend Micro will continually sweep the enterprise
to ensure it is clean. In some cases, the IoCs may be used to sweep other MDR
customers to ensure they are not experiencing the same attack.
Customers can go one step further and subscribe to Trend Service One.
Service One consolidates Trend Micro services to support customers throughout their
experience. Whether a customer is looking to augment their team, add 24/7 support,
or take a more proactive approach to detection, investigation and response with a
dedicated team of experts on their side, Trend Micro can help.
Benefits include:
• Priority support case handling, FAST Track – dedicated Service Manager / CSM / TAM
• Targeted Attack Detection; proactive, predictive, qualified ATTACK alerts ‐ guided
actions
• Full Managed XDR support
• On-demand education via the education portal, best practices, admin and operational
guides
• Health Checks on Trend Micro products
• Guaranteed access to Incident Response team, with included engagement
The Request List tab displays a list of requests submitted by the Managed Services
operations team for taking response actions.
Managed Services sends response action requests for your manual approval if you
disable auto approval. You can choose either of the following ways to deal with the
response action requests:
• Approve or reject a request directly in the email notification without accessing the
Trend Vision One console
• Get an overview of all requests and manage one or more requests on the Request
List tab of the Managed Services app
View your MDR incident and monthly reports from this tab.
Configure MDR settings from this tab. Settings allow you to specify general information
and settings for your organization.
Contact Information: Make sure you add at least one contact during the initial setup.
The Managed Services operations team may contact the phone number you specified
in an emergency. By default, the first contact you add serves as the primary contact. If
there is only one contact, the only contact must allow both alert and report
notifications.
Be aware of the following when specifying an email address:
• The email address is mandatory for the primary contact.
• The email address is mandatory if you set a contact to receive report notifications
only.
• Each contact must have a unique email address.
required for every response action. Trend Vision One sends email notifications for each
response action to request your manual approval before execution.
Asset Management: Maintain an asset list to provide a centralized view of your critical
assets to the Managed Services operations team. Create a CSV file that contains your
asset information and click Import Assets. A sample CSV file is provided to illustrate the
required format.
Lesson Review
1. What are some of the actions that can be applied to objects within a Workbench?
2. What is a Trend Vision One Workbench? How are they created?
3. Describe Targeted Attack Detection.
Hands‐on Labs
Lab 6: Creating a Workbench Example 1 (page 55)
Your Task
• Copy a malware file to the SERVER‐03 computer in the lab
environment and examine the resulting Workbench
Hands‐on Labs
Lab 7: Creating a Workbench Example 2 (page 59)
Your Task
• Run a script file on SERVER‐03 computer in the lab
environment and examine the resulting Workbench
Lesson 7:
Sharing Threat Intelligence
Lesson Objectives
After completing this lesson, participants will be able to:
• Describe how Threat Intelligence is used in Trend Vision One
What is going on in the world in terms of cyber security? What vulnerabilities are
showing up around the world? There are many sources of information available, such
as web sites, blogs and podcasts, but it can be very time consuming to keep up to the
minute on threats appearing all over the globe.
Threat Intelligence helps by letting you integrate information from sources around the
globe into the Trend Vision One console, then sweep the data lake for those indicators
of compromise.
Trend Vision One can take advantage of what other companies, organizations and
governments have discovered in their systems, and you can share with others as well.
Threat Intelligence
• Trend Vision One integrates up‐to‐the‐minute intelligence
from Trend Micro and reliable third parties to help you
identify threats
• Sweeps the environment for indicators of compromise and
suspicious objects
− Verify sweeping results for further investigation and analysis
Threat Intelligence provides Trend Vision One with access to various sources of threat
information, including Trend Micro and other reliable third-party sources.
Trend Vision One sweeps the information in the data lake against these indicators of
compromise, looking for matches.
If you are worried about false positives when incorporating third-party threat
intelligence, set the action to Log initially, until you have validated the information
provided by the source. A Block action on an unvalidated feed is applied by every
connected product, so one bad indicator can disrupt legitimate traffic across the
whole environment.
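The sweep described above, as an added example in Python that is not code from the guide or from Trend Micro: a small indicator set is normalized and matched against constructed telemetry records, with each indicator carrying its own Log or Block action. The object types and the Log/Block actions are the ones the guide lists; the record layout (host, domain, sha1, sha256, dst_ip, sender and url fields), the constructed values and the function names are assumptions made for this example.

```python
"""Added example, not code from the guide or from Trend Micro: a minimal
indicator sweep over constructed telemetry records, with a per-indicator
action (log or block) that mirrors the advice to keep untrusted feeds at
Log until validated. The record layout, the field names and the helper
names are assumptions made for this example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List
from urllib.parse import urlsplit, urlunsplit

_HASH_LEN = {"sha1": 40, "sha256": 64}
# Assumed telemetry field -> suspicious object type.
_FIELD_TYPE = {"domain": "domain", "sha1": "sha1", "sha256": "sha256",
               "dst_ip": "ip", "sender": "sender", "url": "url"}


@dataclass(frozen=True)
class Indicator:
    obj_type: str   # domain | sha1 | sha256 | ip | sender | url
    value: str
    action: str     # "log" or "block"
    source: str     # feed the indicator came from


def normalize(obj_type: str, value: str) -> str:
    """Canonicalise a value so feed and telemetry spellings compare equal,
    and reject values that cannot be of the claimed type."""
    v = value.strip()
    if obj_type in _HASH_LEN:
        v = v.lower()
        if not re.fullmatch(r"[0-9a-f]{%d}" % _HASH_LEN[obj_type], v):
            raise ValueError(f"malformed {obj_type}: {value!r}")
    elif obj_type == "ip":
        v = str(ipaddress.ip_address(v))        # rejects garbage, folds IPv6 forms
    elif obj_type in ("domain", "sender"):
        v = v.lower().rstrip(".")
    elif obj_type == "url":
        p = urlsplit(v)
        if p.scheme not in ("http", "https") or not p.netloc:
            raise ValueError(f"malformed url: {value!r}")
        # scheme and host are case-insensitive, the path is not: fold only those
        v = urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))
    else:
        raise ValueError(f"unknown object type {obj_type!r}")
    return v


def build_index(indicators: Iterable[Indicator]) -> Dict[str, Dict[str, Indicator]]:
    """{obj_type: {normalised value: indicator}}. When two feeds carry the same
    value, Block wins over Log so the stricter action is never lost."""
    index: Dict[str, Dict[str, Indicator]] = {}
    for ind in indicators:
        key = normalize(ind.obj_type, ind.value)
        bucket = index.setdefault(ind.obj_type, {})
        cur = bucket.get(key)
        if cur is None or (cur.action == "log" and ind.action == "block"):
            bucket[key] = Indicator(ind.obj_type, key, ind.action, ind.source)
    return index


def sweep(indicators: Iterable[Indicator], records: Iterable[dict]) -> List[dict]:
    """One hit per (record, matching field), carrying the configured action."""
    index = build_index(indicators)
    hits: List[dict] = []
    for rec in records:
        for field, obj_type in _FIELD_TYPE.items():
            if field not in rec:
                continue
            try:
                key = normalize(obj_type, rec[field])
            except ValueError:
                continue        # a malformed telemetry value can never match
            ind = index.get(obj_type, {}).get(key)
            if ind is not None:
                hits.append({"host": rec["host"], "type": obj_type, "value": key,
                             "action": ind.action, "source": ind.source})
    return hits


# Constructed indicators and telemetry; none of these are real IoCs.
INDICATORS = [
    Indicator("domain", "Shopping.BadSite.com.", "block", "curated"),
    Indicator("sha256", "A" * 64, "log", "partner-taxii"),     # new feed: Log until validated
    Indicator("ip", "192.168.45.68", "log", "partner-taxii"),
    Indicator("url", "https://shopping.badsite.com/Login", "block", "curated"),
]
TELEMETRY = [
    {"host": "SERVER-03", "domain": "shopping.badsite.com"},
    {"host": "SERVER-03", "sha256": "a" * 64},
    {"host": "WS-11", "dst_ip": "192.168.45.68"},
    {"host": "WS-11", "url": "https://shopping.badsite.com/login"},   # path case differs: no hit
    {"host": "WS-12", "sha256": "not-a-hash"},                        # malformed: skipped
]

if __name__ == "__main__":
    for hit in sweep(INDICATORS, TELEMETRY):
        print(hit)
```

The Block from the curated feed and the Log from the unvalidated partner feed stay distinct in the hits, so the two can be actioned differently. Note also that hosts and hashes are case-folded before comparison while the URL path is not: a feed and a data lake that spell the same indicator differently is the usual reason a sweep silently misses.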
Threat Intelligence
Threat Intelligence leverages valuable indicators of potential threats from both curated
intelligence reports and your custom reports. Trend Vision One supports automatic
sweeping (once per day for 7 days) tasks based on curated intelligence and manual
sweeping tasks against custom intelligence to search your environment for IoCs. If there
are indicator matches, you can check the sweeping results for further investigation and
analysis.
Curated intelligence reports: Gather and integrate curated threat intelligence from
internal and external sources.
Custom intelligence reports: Build custom intelligence by importing your own reports
and retrieving data from third‐party intelligence sources. This includes
• STIX and CSV files: Subscribe to TAXII feeds to receive STIX files containing IoC
information, or download and import STIX or CSV files from a trusted source.
• MISP: MISP Threat Sharing is an open‐source threat intelligence platform. The
project develops utilities and documentation for more effective threat intelligence,
by sharing indicators of compromise. There are several organizations who run MISP
instances.
Suspicious objects: Consolidates suspicious object information based on input from
different sources.
Note: For suspicious objects added through third‐party intelligence and manual
operations, the maximum limit is 10,000 for each object type. For suspicious objects
from Sandbox, the maximum limit is 25,000 for each object type.
Trend Micro gathers and integrates curated threat intelligence from internal and
external sources.
If you turn on Auto Sweeping for a source type, Trend Vision One generates a
scheduled sweep and runs once every day for 7 consecutive days based on each new
report from the source.
Auto Sweeping supports a limited number of indicators per day.
A maximum of 50,000 indicators is allowed per day for Auto Sweeping. The quota limit
is shared by Auto Sweeping tasks triggered for:
• Curated reports from external sources
• Custom reports produced by third‐party intelligence
If the total number of indicators reaches the daily quota limit for Auto Sweeping, you
can trigger Manual Sweeping when necessary.
In the Intelligence Reports app, click the Curated tab to view the reports provided by
Trend Micro. Click the Source list to see the external sources from which Trend Vision
One retrieves curated intelligence reports.
On the Curated tab, click Auto Sweeping and select the report sources to sweep
against.
Build custom intelligence reports by retrieving data from trusted third-party intelligence
sources. Make sure the source is trustworthy before sweeping against it.
You can select a custom intelligence report to initiate a manual sweep based on
identified indicators.
Note:
A maximum of 10,000 indicators is allowed per day for Manual Sweeping.
Click the icon at the end of an entry line to initiate a manual sweep for any custom
report.
Click Add and select the method for adding the custom intelligence source.
STIX files
Manually import the STIX file and specify the actions for any suspicious objects in the
file. Only v 2.0 and 2.1 are supported.
CSV files
Manually import a properly formatted CSV file and specify the actions for any
suspicious objects in the file.
Provide the details of the TAXII server, including version, URL, authentication and
polling criteria.
Expand any collections within the feed. You can extract and block suspicious objects
from any collection on that TAXII server, or you can enable auto sweeps.
Selecting MISP as the source redirects you to the Third-Party Integration app to
configure the integration. Integrating with MISP requires a connection to a Service
Gateway.
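The three custom intelligence inputs above (STIX files, CSV files and MISP) handled by one added Python example, which is not code from the guide or from Trend Micro: indicators are pulled out of a STIX 2.1 bundle, a CSV file and a MISP event, validated against the object types the guide lists, de-duplicated and reported. The CSV column layout, the MISP tag name used to mark attributes for sharing, the placeholder ids and the output field names are assumptions made for this example; STIX 2.1 pattern syntax and the MISP attribute types and to_ids flag are the real formats.

```python
"""Added example, not code from the guide or from Trend Micro: turn the three
custom-intelligence inputs the guide lists (a STIX 2.1 bundle, a CSV file and a
MISP event) into one de-duplicated list of suspicious-object entries. The CSV
column layout, the MISP tag that marks attributes for sharing and the output
field names are assumptions made for this example."""
import csv
import io
import json
import re
from typing import Dict, List, Tuple

OBJECT_TYPES = ("domain", "sha1", "sha256", "ip", "sender", "url")
_HASH_LEN = {"sha1": 40, "sha256": 64}
# One STIX 2.1 comparison expression: object-type:property = 'value'
_STIX_CMP = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")
_STIX_TYPES = {("domain-name", "value"): "domain", ("ipv4-addr", "value"): "ip",
               ("ipv6-addr", "value"): "ip", ("url", "value"): "url",
               ("email-addr", "value"): "sender", ("file", "hashes.'SHA-1'"): "sha1",
               ("file", "hashes.'SHA-256'"): "sha256"}
# MISP attribute type -> suspicious object type
_MISP_TYPES = {"domain": "domain", "hostname": "domain", "ip-dst": "ip", "ip-src": "ip",
               "url": "url", "email-src": "sender", "sha1": "sha1", "sha256": "sha256"}
SHARE_TAG = "tm:share"   # assumed tag; create whatever tag you choose on the MISP server
Raw = Tuple[str, str, str, str]   # (object type, value, action, source)


def _entry(obj_type: str, value: str, action: str, source: str) -> dict:
    """Build one entry; reject unsupported types and hashes of the wrong length."""
    if obj_type not in OBJECT_TYPES:
        raise ValueError(f"unsupported object type {obj_type!r}")
    value = value.strip()
    if obj_type in _HASH_LEN:
        value = value.lower()
        if not re.fullmatch(r"[0-9a-f]{%d}" % _HASH_LEN[obj_type], value):
            raise ValueError(f"malformed {obj_type} {value!r}")
    elif obj_type in ("domain", "sender"):
        value = value.lower()
    return {"type": obj_type, "value": value, "action": action, "source": source}


def from_stix(bundle: dict, action: str) -> List[Raw]:
    """Every comparison in an indicator pattern that maps to a supported type;
    revoked indicators and unsupported properties (file:name, ...) are skipped."""
    out: List[Raw] = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        for stix_type, prop, value in _STIX_CMP.findall(obj.get("pattern", "")):
            obj_type = _STIX_TYPES.get((stix_type, prop))
            if obj_type:
                out.append((obj_type, value, action, "stix:" + obj["id"]))
    return out


def from_csv(text: str, action: str) -> List[Raw]:
    """Assumed layout: header 'type,value,action'; an empty action takes the default."""
    return [(row["type"].strip(), row["value"], row.get("action") or action, "csv")
            for row in csv.DictReader(io.StringIO(text))]


def from_misp(event: dict, action: str) -> List[Raw]:
    """Only attributes flagged to_ids and carrying the share tag are taken."""
    ev = event["Event"]
    out: List[Raw] = []
    for attr in ev.get("Attribute", []):
        tags = {t["name"] for t in attr.get("Tag", [])}
        obj_type = _MISP_TYPES.get(attr.get("type"))
        if obj_type and attr.get("to_ids") and SHARE_TAG in tags:
            out.append((obj_type, attr["value"], action, "misp:" + str(ev["id"])))
    return out


def load_all(stix_json: str, csv_text: str, misp_json: str, action: str = "log"):
    """Merge the sources; the first occurrence of a (type, value) wins. Returns
    (entries, rejected) so bad rows are reported instead of silently dropped."""
    raw = (from_stix(json.loads(stix_json), action) + from_csv(csv_text, action)
           + from_misp(json.loads(misp_json), action))
    entries: Dict[Tuple[str, str], dict] = {}
    rejected: List[str] = []
    for obj_type, value, act, source in raw:
        try:
            e = _entry(obj_type, value, act, source)
        except ValueError as err:
            rejected.append(f"{source}: {err}")
            continue
        entries.setdefault((e["type"], e["value"]), e)
    return list(entries.values()), rejected


# Constructed inputs (not real intelligence); the ids are placeholders.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--example", "objects": [
    {"type": "indicator", "id": "indicator--0001", "spec_version": "2.1", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'shopping.badsite.com' OR url:value = 'https://shopping.badsite.com/x']"},
    {"type": "indicator", "id": "indicator--0002", "spec_version": "2.1", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "' AND file:name = 'drop.exe']"},
    {"type": "indicator", "id": "indicator--0003", "spec_version": "2.1", "pattern_type": "stix",
     "revoked": True, "pattern": "[ipv4-addr:value = '10.0.0.9']"}]})
CSV_TEXT = ("type,value,action\n"
            "ip,192.168.45.68,\n"
            "sender,Sender@acme.com,block\n"
            "md5,d41d8cd98f00b204e9800998ecf8427e,\n")   # MD5 is not a supported type
MISP_EVENT = json.dumps({"Event": {"id": "42", "Attribute": [
    {"type": "domain", "value": "C2.BadSite.com", "to_ids": True, "Tag": [{"name": SHARE_TAG}]},
    {"type": "sha1", "value": "f" * 40, "to_ids": True, "Tag": []},            # untagged: not shared
    {"type": "url", "value": "https://shopping.badsite.com/x", "to_ids": True,
     "Tag": [{"name": SHARE_TAG}]}]}})                                           # same url as STIX

if __name__ == "__main__":
    accepted, bad = load_all(STIX_BUNDLE, CSV_TEXT, MISP_EVENT)
    for e in accepted:
        print(e)
    print("rejected:", bad)
```

Two behaviours are worth keeping when you build this for real: only MISP attributes marked to_ids and carrying your chosen tag are exported (a MISP event usually also holds context attributes that should never become blocking objects), and rows that fail validation are returned rather than dropped, so a malformed hash in a partner feed is visible instead of quietly reducing your coverage.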
Suspicious Objects
• Domain
• SHA-1 hash (160 bits)
• SHA-256 hash (256 bits)
• IP address (for example, 192.168.45.68)
• Sender address (for example, sender@acme.com)
• URL (for example, https://shopping.badsite.com)
Trend Vision One XDR Training for Certified Professionals ‐ Student Guide
Moves blocking to the perimeter
Trend Vision One consolidates suspicious object information based on input from
different sources. Trend Vision One currently supports sending the consolidated
Suspicious Object List to Apex One as a Service, Cloud App Security, Cloud One –
Endpoint & Workload Security and Deep Security software if they are connected
properly or to a Service Gateway that enables connections to on‐premises Trend Micro
products like Deep Discovery Inspector, Deep Discovery Analyzer and TippingPoint, or
some third‐party applications within the network.
Trend Vision One consolidates suspicious object information based on input from
different sources:
• Manual submission: Objects can be submitted manually by an administrator within
a managed product, from the Trend Vision One console or through the API.
• Third‐party intelligence: Suspicious object information can be extracted from CSV or
STIX files imported from external sources.
• Sandbox analysis: Objects displaying suspicious characteristics are submitted to a
sandbox environment for evaluation and, if the object is confirmed to be risky, it is
added to the Suspicious Objects List. A license for Cloud Sandbox is required to
enable this method of submission.
• Service Gateway integration: Trend Vision One allows the coordination of suspicious
object data between it and on‐premises Trend Micro products such as Deep
Discovery Inspector, Deep Discovery Analyzer and TippingPoint through a Service
Gateway. Trend Vision One can also send suspicious object data to on‐premises
firewall products such as Palo Alto, Broadcom, Check Point, and Fortinet through a
Service Gateway.
Synchronizing suspicious objects with firewall devices allows blocking to be moved to
the perimeter. Actions can be set in the firewall devices upon detection of the
suspicious object details retrieved from Trend Vision One.
Objects can be added to the Suspicious Objects List through a few different methods:
Manual Submission
• Add objects from Trend Vision One console
• Select the type of object
− Malicious domain
− File hash using SHA‐1
− File hash using SHA‐256
− IP address
− Sender address
− URL
• Identify attributes
− Risk level
− Action (log, block/quarantine)
− Expiry
Manual Submission
Add suspicious object details,
along with the Risk level, Action
and Expiration
Suspicious objects can also be extracted from manually imported STIX files. You can
specify the actions for any suspicious objects in the file.
Suspicious Objects can be extracted from any collections on a TAXII server. Auto Sweeps
can also be run on those objects.
Sandbox Analysis
• Manual or automatic submission of
suspicious items for analysis in a
secure sandbox environment
− Apply credits for sample submission
• Connected products receive details of
suspicious objects and will perform
defined action
− Log, Block/Quarantine
Objects can be submitted for analysis manually or automatically from managed products
(Deep Security Software, Apex One (on-premises), Apex One as a Service, Cloud App
Security).
Objects can also be submitted manually from Trend Vision One, for example, by
right-clicking an object in a Workbench.
Submitted samples are kept for four days.
Suspicious Activities
Activity is monitored within the sandbox environment for activities such as those listed
here.
Report includes:
• Risk rating
• Suspicious Object (SO)
• SHA1
• Notable characteristics
• Detection name
• True file type
• FilterCRC
Deep Security + Deep Discovery Analyzer + Apex Central, or Deep Security + Cloud Sandbox
Deep Security can participate in Trend Micro Threat Intelligence through two different
sources:
• Using heuristic detection, Deep Security can identify document files that are
deemed suspicious and submit them automatically to Deep Discovery Analyzer for
analysis. If the analysis indicates that a particular file does contain malware, Deep
Discovery will provide the information to Trend Micro Apex Central. Through Apex
Central, an action for this malware can be specified and any Trend Micro product can
subscribe to the suspicious object list from Apex Central to remediate threats.
• If Deep Security has been integrated with Trend Vision One and a license for the
Cloud Sandbox is available, Deep Security can submit files to the Cloud Sandbox for
analysis. If the analysis indicates that a particular file does contain malware, Cloud
Sandbox will provide the information to Trend Vision One Suspicious Object
Management app where an action for this malware can be specified. Any Trend
Micro product registered with Trend Vision One can subscribe to the suspicious
object list to remediate threats.
Threat Intelligence allows multiple Trend Micro products to share threat information
and analysis across multiple layers of protection critical to defending against advanced
threats.
A license for Cloud Sandbox (Sandbox as a Service) is required for Deep Security
Software to use Trend Vision One Threat Intelligence instead of a physical Deep
Discovery Analyzer device and Apex Central.
After connecting Deep Security Software with Trend Vision One, click Administration >
System Settings. On the Threat Intelligence tab, select Trend Vision One in both the
Submit suspicious file to list and the Compare objects against list.
Update Deep Security policies to enable automatic submission and retrieval of the
Suspicious Objects List.
Files can be submitted manually for sandbox analysis from the Identified Files tab for
any device.
Create a policy with sample submission enabled. Any endpoints using this policy will
submit any suspicious file to the Cloud Sandbox for analysis.
• Cloud One – Endpoint & Workload Security can use the Trend Vision
One‐managed Suspicious Objects List, but does not contribute to it
− No manual or automatic submissions
Cloud One – Endpoint & Workload Security can use the Trend Vision One-managed
Suspicious Objects List, but does not contribute to it: there are no manual or
automatic submissions from this product.
Submit for Sandbox Analysis is available on the right‐mouse button menu in the Trend
Vision One console for any appropriate objects.
Expand Threat Intelligence and click the Suspicious Object Management app. The
detected items are listed on the Suspicious Object List tab. Click any object to view its
details.
From the Suspicious Object Details frame, update the risk level, action and expiry as
well as any description.
Alternately, you can delete, change Action, update Expiry or add to Exceptions by
selecting an item in the list.
Sandbox analysis requires 50 credits per daily submission for 180 days of data
retention.
For example, if you want to submit 5 files each day for analysis, your credit usage is
250 credits.
You can submit objects up to the daily reserve until the allocated credits expire. For
example, if you allocate 50 credits for a daily reserve of one, you can perform one
submission per day until the credits expire.
The daily reserve sets the maximum number of objects you can analyze each day.
Objects with a "Not analyzed" risk level do not count toward the daily reserve.
The number of submissions available resets each day at 00:00 (UTC).
The Service Gateway is used as a connector to third parties for suspicious object sharing:
• FortiGate Next‐Generation Firewall
• Palo Alto Panorama
• Broadcom ProxySG and Advanced Secure Gateway
• Check Point Open Platform for Security (OPSEC)
• MISP
For each third-party firewall integration, enable the integration, define the data
transfer parameters and connect to a Service Gateway.
For MISP integration, define the transfer and retrieval parameters. Select the options to
extract and block suspicious object details from third-party intelligence.
Objects are transferred to, and retrieved from, MISP using tagging data, so only
attributes carrying the agreed tags are exchanged.
Create the appropriate tags in your MISP server.
Exception List
• Objects that are considered safe can be added to the Exception List
− Connected products do not act on the object
• Objects are excluded from the Suspicious Object List during the next
synchronization and will not be added as a suspicious object in the
future
You can select objects that are considered safe and add them to the Exception List.
When a connected product detects a suspicious object in the Exception List, the
connected product considers the object as safe and does not act on the object.
Trend Vision One excludes the object from the Suspicious Object List during the next
synchronization and will not add it as a suspicious object in the future.
If you know the details of the item to add to the Exception List, you can add it
manually. Click Add.
Select the method and provide the details of the item to add to the Exception List.
Alternatively, select an item from the Suspicious Objects List and click Add to Exception
List.
Campaign List: Lists currently active campaigns
Campaign Overview: Provides a summary of the regions and industries currently
experiencing active threats
Impact Scope: Displays devices and accounts currently affected by this threat campaign
and when it was last seen
The Campaign Intelligence app collects and organizes information about active threat
campaigns.
The Campaign List frame displays the names of currently active threats, along with the
threat type and date of the most recent data update.
The Campaign Overview frame contains a summary of the industries and regions affected
by the different campaigns.
The Impact Scope frame displays any devices or accounts containing matched
indicators of the selected threat.
Demo:
Integrating Threat Intelligence
Lesson Review
1. What are the different methods for adding objects to the Trend Vision One
Suspicious Objects List?
2. What are the different kinds of suspicious objects?
3. What are the actions that can be taken on suspicious objects?
Hands‐on Labs
Lab 8: Adding a Third‐Party Intelligence Source (page 63)
Your Task
• Connect a third‐party source for collecting threat
intelligence
Hands‐on Labs
Lab 9: Creating a Custom Intelligence Report (page 67)
Your Task
• Create a Custom Intelligence Report using a CSV file
Lesson 8:
Searching the Data Lake
Lesson Objectives
After completing this lesson, participants will be able to:
• Search the data lake using simple and complex searches
Search App
• Construct query strings to pinpoint the data
or objects in the data lake
• Provides different search methods, filters,
and a query language to identify, categorize,
and retrieve results
• Enables historical investigation of the data
(not a live query)
• Save and reuse queries
• Create Watchlists for saved queries
The Search app allows the analyst to construct query strings to pinpoint the data or
objects in the data lake. It provides different search methods, filters, and a query
language to identify, categorize, and retrieve results.
The app enables historical investigation of the data, as this is not a live query of the
endpoints, email accounts, network, etc.
You can save and reuse queries that you build, and you can also create Watchlists for
saved queries.
Search App
• Not all products share the same database fields
− Activity Data – Search endpoint, email, network, web, mobile and secure
access telemetry data
− Detection Data – Search product detection logs
− General Search – Search common fields from telemetry and detection data
• Supports full/partial match, wildcards and logical operators
Not all products share the same database fields, so you may have to try several
different criteria options to locate the exact data you want:
• Activity Data – Search endpoint, email and network telemetry data
• Detection Data – Search product detection logs
• General Search – Search common fields from telemetry and detection data
For details on General search mapping, view the following support document:
https://docs.trendmicro.com/en-us/enterprise/trend-micro-vision-one/xdr-part/search-app/data-mapping-intro/data-mapping-sdl.aspx
Searches support full and partial matches, wildcards, and logical operators.
When a search string includes a double quote (") or backslash (\), you must escape it
with a backslash (\) to indicate that the character is part of the search criteria and
not query mark‐up.
Data related to the different sensors is collected into selectable Search Methods. Make
your selection from the list.
Use the General search method to search all data from your connected products using
normalized search criteria. Fields in General searches map to fields by other names in
other search methods.
[Table of General search field mappings; columns: General, Endpoint Activity Data, Message Activity Data, Network Activity Data, Web Activity Data, Detection Data]
Data fields available for General searches correspond to fields in other types of
searches. A few examples are shown in this table.
For full details, visit:
https://docs.trendmicro.com/en-us/enterprise/trend-micro-vision-one/common-apps/search-app/data-mapping-intro/data-mapping-sdl.aspx
or click the button on the slide.
For example, if you search using Domain Name in General searches, it will look at
hostName in Endpoint Activity Data, source_domain in Message Activity Data, domain
in Network Activity Data, requestBase in Web Activity Data and a selection of fields in
Detection Data.
The data fields available for Detection searches are shown here.
The data fields available for Email Activity searches are shown here.
The data fields available for Endpoint Activity searches are shown here.
The data fields available for Network Activity searches are shown here.
The data fields available for Secure Access Activity searches are shown here.
The data fields available for Web Activity searches are shown here.
Simple search does not support Message Activity Data or Network Activity Data.
To search both the Endpoint Activity Data and Detections, select the General search
method. Select either Endpoint Activity Data or Detections to search a specific set of
data.
When using the Simple Search method, take note of the following limitations:
Ensure that the use of the space character exactly matches the results that you want. A
double space within the search string omits any results that only include one space
character in the same location.
The performance of the search decreases when using multiple logical operators.
Enclose the search string in double quotation marks (" ") for an exact match.
Partial match: Provides all results that contain the search string in any data field
endpointName:win
Full match: Provides all results for the specified field that contain the exact search
string specified
endpointName:"win-0QPRAOEPK5A"
Logical operator, multiple fields: Provides all results that match the requirements
specified for multiple fields using the AND, OR, NOT operators
"sshd" AND dst:8.8.8.8 AND dpt:53
Logical operator, multiple values: Provides all results that match the requirements
specified for multiple values in the same field using the AND, OR, NOT operators
For example: eventName:DEEP_PACKET_INSPECTION AND (ruleID:1008610 OR
ruleID:1011242 OR ruleID:1005177)
Wildcard usage: Provides results that match the field values substituting a * wildcard
character
For example: endpointName:john*
Returns all results that contain john as the first four characters in the endpoint name,
for example john, john_doe, johndoe, johnd
Search Tips
• Use "" to search for empty fields
− objectCmd:""
• Search for two or more values
− endpointHostName:("devwks1001" OR "agent1010")
− endpointIp:(192.168.10.41 OR 192.168.1.54 OR 192.168.1.42)
• Search for URLs
− url:"https://ca75-1.winshipway.com"
− url:https://*.winshipway.com
− url:winshipway.com
Search Tips
• Exact match only for hashes
− file_sha1:"5e7677272b112b90777900f5dd8bad5bd8152002"
− Cloud App Security only supports SHA1
− Network Security does not support MD5
• Search for malware types or family
− malName:Trojan
− malName:Trojan.MSIL.SHELLMA.AA
− malName:(Trojan.MSIL* OR Backdoor.MSIL*)
Search Tips
• Take advantage of MITRE ATT&CK tactics and techniques
− tags:(T1059 OR T1064)
• Take advantage of CVE numbers
− ruleName:CVE-2019-0708
− ruleName:CVE-2
• Search for tools or software
− FileFullPath:rclone.exe OR URL:(downloads.rclone.org OR
"https://github.com/rclone/*")
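The query rules in the notes above (partial versus full match, `*` wildcards, AND/OR/NOT over fields and over value groups, `""` for empty fields, and the backslash escaping described earlier), together with the General‐search field mapping, modelled as a small evaluator. This is an added example written for this guide, not Trend Micro code, and it does not reproduce the Search app's actual grammar: the `domainName` General field, the `_source` tag on each record, case‐insensitive matching and the sample records are all constructed assumptions.

```python
"""Constructed evaluator for the Search-app query syntax summarised on this page (field:value,
quoted exact match, partial match, * wildcards, AND/OR/NOT, parentheses, field:(a OR b) groups,
"" for empty fields, backslash escapes). Illustration for this guide, not Trend Micro code."""
import fnmatch, re

# Assumed General-search mapping mirroring the "Domain Name" example; domainName is hypothetical.
GENERAL_FIELDS = {"domainName": {"endpoint": "hostName", "message": "source_domain",
                                 "network": "domain", "web": "requestBase"}}

RECORDS = [  # constructed sample records; _source drives the General-field mapping
    {"id": 1, "_source": "endpoint", "endpointName": "win-0QPRAOEPK5A", "objectCmd": ""},
    {"id": 2, "_source": "endpoint", "endpointName": "john_doe", "objectCmd": "rclone.exe copy"},
    {"id": 3, "_source": "web", "requestBase": "ca75-1.winshipway.com", "url": "https://ca75-1.winshipway.com"},
]

QUOTED_RE = re.compile(r'"((?:\\.|[^"\\])*)"')   # quoted value with \" and \\ escapes
FIELD_RE = re.compile(r'[^\s():"]+:')            # fieldName:
WORD_RE = re.compile(r'[^\s()"]+')               # bare value; may contain ':' and '*'

def tokenize(query):
    """(kind, text) tokens; \" and \\ inside quotes become literal characters."""
    tokens, pos, expect_value = [], 0, False
    while pos < len(query):
        ch = query[pos]
        if ch.isspace() or ch in "()":
            if ch in "()":
                tokens.append((ch, ch))
            pos, expect_value = pos + 1, expect_value and ch.isspace()  # '(' ends field:
            continue
        if ch == '"':
            m = QUOTED_RE.match(query, pos)
            if not m:
                raise ValueError("unterminated quoted string in %r" % query)
            tokens.append(("quoted", re.sub(r"\\(.)", r"\1", m.group(1))))
            pos, expect_value = m.end(), False
            continue
        m = None if expect_value else FIELD_RE.match(query, pos)
        if m:                                        # fieldName: -> a value must follow
            tokens.append(("field", m.group()[:-1]))
            expect_value = True
        else:
            m = WORD_RE.match(query, pos)
            word = m.group()
            is_op = not expect_value and word.upper() in ("AND", "OR", "NOT")
            tokens.append(("op", word.upper()) if is_op else ("word", word))
            expect_value = False
        pos = m.end()
    return tokens

def parse(toks, field=None, level=0):
    """Precedence NOT > AND > OR; a field name applies to every value in field:( ... )."""
    if level == 2:
        return parse_not(toks, field)
    op = ("OR", "AND")[level]
    node = parse(toks, field, level + 1)
    while toks and toks[0] == ("op", op):
        toks.pop(0)
        node = (op.lower(), node, parse(toks, field, level + 1))
    return node

def parse_not(toks, field):
    if toks and toks[0] == ("op", "NOT"):
        toks.pop(0)
        return ("not", parse_not(toks, field))
    kind, text = toks.pop(0) if toks else (None, None)
    if kind == "(":
        node = parse(toks, field)
        if not toks or toks.pop(0)[0] != ")":
            raise ValueError("missing closing parenthesis")
        return node
    if kind == "field":
        return parse_not(toks, text)                 # value or (group) scoped to the field
    if kind in ("word", "quoted"):
        return ("match", field, text, kind == "quoted")
    raise ValueError("unexpected token %r" % (text,))

def value_matches(pattern, quoted, value):
    value, pattern = str(value).lower(), pattern.lower()   # case-insensitive (assumption)
    if pattern == "":                                # "" finds records whose field is empty
        return value == ""
    if "*" in pattern:                               # wildcard: anchored, john* misses xjohn
        return fnmatch.fnmatchcase(value, pattern)
    return value == pattern if quoted else pattern in value  # quoted = exact, bare = partial

def evaluate(node, record):
    op = node[0]
    if op in ("and", "or", "not"):
        sub = [evaluate(child, record) for child in node[1:]]
        return all(sub) if op == "and" else any(sub) if op == "or" else not sub[0]
    _, field, pattern, quoted = node
    if field is None:                                # no field: look in every data field
        return any(value_matches(pattern, quoted, v) for k, v in record.items() if k[0] != "_")
    name = GENERAL_FIELDS.get(field, {}).get(record.get("_source"), field)
    return name in record and value_matches(pattern, quoted, record[name])

def search(query, records):
    """Ids of the records a query string matches."""
    tree = parse(toks := tokenize(query))
    if toks:                                         # e.g. an unbalanced ')'
        raise ValueError("unexpected trailing token %r" % (toks[0][1],))
    return [r["id"] for r in records if evaluate(tree, r)]
```

Quoted values require a full match, bare values a partial one, and a `*` turns either into an anchored pattern, which is why `endpointName:john*` finds `john_doe` but not a host whose name merely contains `john`. A field name followed by a parenthesised group applies to every value inside it, so `ruleID:(1008610 OR 1011242)` and `ruleID:1008610 OR ruleID:1011242` parse to the same tree, and `domainName:winshipway.com` is checked against `requestBase` on a web record but against `domain` on a network record.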
Save the query to use another time or to create a Watchlist.
Watchlists
• Automatically executes the saved query's criteria every 15 minutes
on the latest data available
• After finding new data matches, the Search app sends an email
notification to the configured recipients in the Notifications app
A Watchlist automatically executes the saved query's criteria every 15 minutes on the
latest data available. After finding new data matches, the Search app sends an email
notification to the configured recipients in the Notifications app.
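A constructed model of that behaviour, added for this guide and not Trend Micro code: the saved query runs only once 15 minutes have elapsed, looks only at records ingested since the previous run, and records a notification when, and only when, there are new matches. The records, the recipient address and the stand‐in query are assumptions.

```python
"""Constructed model of a Watchlist: a saved query re-run every 15 minutes over only the
data ingested since the previous run, with a notification whenever new matches appear.
Illustration for this guide, not Trend Micro code; records and recipients are made up."""
from datetime import datetime, timedelta, timezone

INTERVAL = timedelta(minutes=15)                # cadence stated in the guide

class Watchlist:
    def __init__(self, name, query, recipients, created):
        self.name, self.query, self.recipients = name, query, recipients
        self.last_run = created                 # high-water mark on ingestion time
        self.notifications = []                 # what the Notifications app would send

    def run(self, now, data_lake):
        """Evaluate the saved query against records ingested since last_run.
        Returns the new matches; a record is never reported twice."""
        if now - self.last_run < INTERVAL:
            return []                           # scheduler: not due yet
        new = [r for r in data_lake
               if self.last_run < r["ingested"] <= now and self.query(r)]
        self.last_run = now
        if new:                                 # only new data triggers an email
            self.notifications.append({"to": self.recipients, "watchlist": self.name,
                                       "matches": [r["id"] for r in new]})
        return new

def rclone_query(record):
    """Stand-in for the saved query FileFullPath:rclone.exe from the search tips."""
    return "rclone.exe" in record.get("FileFullPath", "").lower()

T0 = datetime(2023, 1, 1, tzinfo=timezone.utc)
DATA_LAKE = [  # constructed records with their ingestion times
    {"id": 1, "ingested": T0 + timedelta(minutes=5), "FileFullPath": "C:\\tools\\rclone.exe"},
    {"id": 2, "ingested": T0 + timedelta(minutes=20), "FileFullPath": "C:\\Windows\\notepad.exe"},
    {"id": 3, "ingested": T0 + timedelta(minutes=25), "FileFullPath": "D:\\tmp\\RCLONE.EXE"},
]

def simulate(hours=1):
    """Drive the watchlist through 15-minute ticks and return the notifications sent."""
    wl = Watchlist("rclone on endpoints", rclone_query, ["soc@example.test"], T0)
    for tick in range(1, hours * 4 + 1):
        wl.run(T0 + tick * INTERVAL, DATA_LAKE)
    return wl.notifications
```

Running `simulate()` produces two notifications, one for record 1 at the first tick and one for record 3 at the second; the third and fourth ticks find nothing new and send nothing, which is the property that keeps a Watchlist from re‐alerting on data it has already reported.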
Demo:
Locating Data Using Searches
Lesson Review
1. How will the results differ when running a search using the string "server" and
server?
2. How do General searches differ from other search methods?
3. What is the purpose of a Watchlist?
Hands‐on Labs
Lab 10: Running Searches (page 73)
Your Task
• Create search queries to locate the specified details in the
Trend Vision One Data Lake
Lesson 9:
Responding to Incidents
Using Security Playbooks
Lesson Objectives
After completing this lesson, participants will be able to:
• Create playbooks
• Run playbooks manually
• Download the results from playbooks
Security Playbooks
• Streamline incident response activities
through automation
• Playbooks based on pre‐built templates
− Easier to adopt
− Modify to set parameters and actions
Playbooks are based on pre‐built templates, but you can customize a template to suit
your environment, for example to set parameters and actions.
Security Playbooks
Playbooks use a flowchart‐style formatting. The system will move through each step of
the playbook, verify the conditions and perform the actions.
Approvals can be included as well as notifications.
Trigger
Condition
Define conditions to indicate what the playbook is looking for, for example:
• Locate endpoints with a certain operating system
• Locate CVEs with a certain risk level
• Exploit attempt detected
And many more.
Decision
The playbook can send a notification to an analyst or administrator if certain items are
located. The playbook can also specify the method for the notification, for example, by
sending an email notification or by creating a ticket in your ticketing system (for
example, ServiceNow). In this scenario, you must have created the integration with
ServiceNow in the Third‐party Integration app.
The playbook can branch based on the results of an approval request. If the request is
approved, one path can be taken, if rejected a different path can be taken.
Action
In the Playbook, you must define what actions will be taken when certain conditions
are met. These actions can include:
• Sending a notification
• Running a script
• Notifying an administrator or analyst of results
• Collecting files
• Quarantining messages
• Adding objects to the block list
And many more.
End
The analyst can then view the result of the execution or download the execution
results. The results file is encrypted; the password for the file is displayed in the results.
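The Trigger, Condition, Decision, Action and End steps above as a constructed playbook walker, added for this guide and not Trend Micro code. The endpoint inventory, the approver callback, the recipient address and the collect script are assumptions; the node layout follows the Run Custom Script flow discussed on the following pages, with an approval that branches to either the script or a rejected end.

```python
"""Constructed model of the flowchart-style playbook the guide walks through:
Trigger -> Condition -> Decision (approval) -> Action -> End. Illustration for this
guide, not Trend Micro code; inventory, script stub and approver are assumptions."""
import ipaddress

ENDPOINTS = [  # constructed inventory the condition node filters
    {"name": "win-0QPRAOEPK5A", "os": "Windows", "ip": "192.168.10.41"},
    {"name": "devwks1001", "os": "Windows", "ip": "10.0.5.7"},
    {"name": "agent1010", "os": "Linux", "ip": "192.168.10.42"},
]

def windows_in_range(ctx):
    """Condition: Windows endpoints inside the configured IP range."""
    net = ipaddress.ip_network(ctx["ip_range"])
    return [e for e in ctx["endpoints"]
            if e["os"] == "Windows" and ipaddress.ip_address(e["ip"]) in net]

def collect_script(endpoint):
    """Action: stand-in for the custom script; a real one would run on the host."""
    return {"endpoint": endpoint["name"], "output": "collected from %s" % endpoint["ip"]}

def run_custom_script_playbook(approver):
    """Nodes keyed by id; each names the node that follows, decisions branch."""
    return {"start": "trigger", "nodes": {
        "trigger": {"type": "trigger", "mode": "manual", "next": "find"},
        "find": {"type": "condition", "select": windows_in_range,
                 "next": "approve", "next_if_none": "nothing"},
        "approve": {"type": "decision", "approver": approver,
                    "notify": ["soc@example.test"],
                    "message": "Approval required to run a custom script",
                    "on_approve": "script", "on_reject": "declined"},
        "script": {"type": "action", "run": collect_script, "next": "done"},
        "done": {"type": "end", "status": "completed"},
        "declined": {"type": "end", "status": "rejected"},
        "nothing": {"type": "end", "status": "no targets"},
    }}

def execute(playbook, ctx):
    """Walk the flowchart from the trigger until an end node; return the step log."""
    ctx.update(targets=[], results=[], notifications=[])
    node_id, log = playbook["start"], []
    while node_id is not None:
        node = playbook["nodes"][node_id]
        kind = node["type"]
        if kind == "trigger":
            log.append(("trigger", node["mode"]))
            node_id = node["next"]
        elif kind == "condition":
            ctx["targets"] = node["select"](ctx)
            log.append(("condition", len(ctx["targets"])))
            node_id = node["next"] if ctx["targets"] else node["next_if_none"]
        elif kind == "decision":                      # notify, then wait for the verdict
            ctx["notifications"].append({"to": node["notify"], "text": node["message"]})
            verdict = node["approver"](ctx["targets"])   # "approve" or "reject"
            log.append(("decision", verdict))
            node_id = node["on_approve"] if verdict == "approve" else node["on_reject"]
        elif kind == "action":
            ctx["results"] = [node["run"](t) for t in ctx["targets"]]
            log.append(("action", len(ctx["results"])))
            node_id = node["next"]
        else:                                         # end: results are left in ctx
            log.append(("end", node["status"]))
            node_id = None
    return log
```

With `ip_range` set to `192.168.10.0/24` the condition selects only `win-0QPRAOEPK5A` (the other Windows host is outside the range and `agent1010` is Linux), the decision node records the approval notification, and the action runs once per selected endpoint only if the approver answers `approve`; a rejection or an empty selection walks straight to the corresponding end node with no script executed.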
Security Playbook templates are provided by Trend Micro and Playbooks are added to
the list on a regular basis.
The templates themselves cannot be modified, but you can create a Playbook from the
template and modify the parameters of that version.
Here is an example of the Run Custom Script template. (It has been modified to show
the entire string of events on one screen.)
Click Create Playbook from Template to create an editable version in which you can
modify its parameters.
You can also click the file icon in the Templates list to create an editable version.
The template has been converted into an editable playbook. The exclamation mark icon
indicates that the node must be edited to specify parameters.
Click the gear icon to configure the nodes, for example, to set the trigger.
Edit the node to set the conditions. In this example, the playbook will locate Windows
endpoints in the IP address range.
Edit this node to specify the notification parameters. In the example, the recipients will
receive an email notification that an approval is required to run a custom script.
Edit this node to specify the action settings; in this example, which script will be run
once approval has been provided.
Edit this node to provide details of the results of the script. The script has run, and
information has been collected. The administrator or analyst can log into the playbook
and view the results of the script.
Click Enable to make the playbook active and save the parameters.
Since the trigger was set to manual, an administrator or analyst can log into the console
and run the playbook at any time. In the execution counts column, we can see that the
playbook has not been run yet.
If approval was required, click Approve or Reject.
The Execution Results tab shows that the script was run. From here,
analysts/administrators can Approve or Reject the execution of an operation and
download the results of a Playbook script.
If the script generated a result, download the file with the details.
The results file is encrypted. The password is displayed in the Download Result frame.
Paste the password into the unarchiving application.
Demo:
Creating and
Running Security Playbooks
Lesson Review
1. What is the purpose of a Security Playbook?
2. What methods are available to trigger the execution of a Security Playbook?
Hands‐on Labs
Lab 11: Creating Security Playbooks (page 75)
Your Task
• Create security playbooks to automate certain operations in
Trend Vision One
Resources
Education Resources
There are several learning resources on the Trend Micro Education portal. Log into your
account to view the options.
Certification Exam
Log into the portal and locate the Vision One XDR Certified Professionals course.
Certification Exam
Click the exam in the course content list. Start Learning Now to start the timer.
Certification Exam
Once successful, you can download your completion certificate and digital badge.
Additional Resources
Online Help Center
https://docs.trendmicro.com/en-us/enterprise/trend-vision-one.aspx
Automation Center for samples of scripts, code snippets and more resources for
developers (https://automation.trendmicro.com/xdr/home)
Course Survey
Trend Micro Education Classroom Survey
www.surveymonkey.com/r/TrendMicroTraining
VERY IMPORTANT