
Trend Micro Vision One XDR

Training for Certified Professionals


Student Guide
Copyright © 2023 Trend Micro Incorporated. All rights reserved.

Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect,
and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated.
All other product or company names may be trademarks or registered trademarks of
their owners.

Portions of this manual have been reprinted with permission from other Trend Micro
documents. The names of companies, products, people, characters, and/or data
mentioned herein are fictitious and are in no way intended to represent any real
individual, company, product, or event, unless otherwise noted. Information in this
document is subject to change without notice.

No part of this publication may be reproduced, photocopied, stored in a retrieval system,
or transmitted without the express prior written consent of Trend Micro Incorporated.

Released: September 21, 2023


Courseware v2
Trend Vision One XDR Training for Certified Professionals ‐ Student Guide

Trend Vision One XDR


Training for Certified Professionals
Presented by: <trainer name>

Version 2, released September 21, 2023.


Lab exercises use the vapp VO – EN – CP – V2


Course Objectives
After completing this course, participants will be able to:
• Describe the benefits of an XDR solution
• Connect Trend Micro products to Trend Vision One
• Collect telemetry from endpoints, email, the Web, and the network
• Integrate third‐party products with Trend Vision One
• Interpret and navigate through Workbenches
• Use the Search tools to locate information in the data lakes
• Create Playbooks to streamline incident response activities

2 | ©2023 Trend Micro Inc.


Target Audience


The four columns in this graphic represent four stages of maturity for threat intelligence
programs within an organization.
The columns to the left highlight the groups with no, or little, threat intelligence
resources. The columns to the right are those who have developed strong threat
intelligence programs.

This course is geared to members of organizations in the first two columns who are new
to, or have limited knowledge of, Trend Vision One.
This course is also beneficial to administrators responsible for performing initial setup
operations such as connecting products to Trend Vision One and enabling endpoint
sensors on devices.

This material is most useful for those who fall within group 1 and 2 in the displayed
chart, for example, those with no dedicated threat intelligence analysts.


XDR Focus

Trend Vision One includes a wide variety of powerful capabilities for security operations
teams to detect, investigate, prioritize and respond to threats more quickly.
This course focuses on the product’s Extended Detection and Response (XDR)
capabilities.

Other topics, such as risk, zero trust threat access and threat hunting will be addressed
in future course offerings.


Prerequisites

The Vision One Fundamentals e‐learning course on the Trend Micro Education portal is
recommended before taking this course.
If you complete this 45‐minute self‐paced session online, you will have foundation
knowledge to gain the most from this course.


Hands‐on Labs


Many of the lessons in this course are accompanied by hands‐on labs, delivered
through a cloud environment. Participants must register for a free 90‐day Trend Vision
One trial account as part of the hands‐on labs. It is not recommended that participants
use their own corporate Trend Vision One accounts.


The Trend Micro Education Portal is the centralized repository for all Trend Micro
training resources. Each class participant requires an Education Portal account to access
class‐related resources, including self‐paced learning options, eBooks and the
Certification Exam.

The portal is customized for your relationship with Trend Micro, for example, Customer,
Partner or Employee.


Trend Micro Education Portal


• Confirm your portal access before the last day of class
• Create an account and login based on your relationship with Trend Micro
− Customer Login
• https://success.trendmicro.com/sign-in
− Partner Login
• https://community-trendmicro.force.com/Gpartner/s
− Employee Login
• https://education.trendmicro.com/employee/learn/signin


You must create an account on the Education Portal before the last day of class. Access
the portal using the listed URL for your relationship with Trend Micro.
Then, you can log in to the portal at any time with your User ID and Password.
Make sure you can access the portal before the last day of class.


Housekeeping


Review basic housekeeping for in‐classroom courses:


• Courseware yours to keep
• Silence cell phones
• Class schedule
• Emergency exits
• Washrooms
• Coffee room
• Lunch
• Class survey to complete online after course completion. Please complete it and
provide comments; this is very important to guide the development of future training.


Introductions

Please tell the class:


• Name
• Company
• The role you have with your organization
• Experience with Trend Micro products
• Expectations for this training class


Lesson 1:
XDR Concepts

This first module introduces some of the concepts related to Extended Detection and
Response (XDR).


Lesson Objectives
After completing this lesson, participants will be able to:
• Describe Extended Detection and Response (XDR)
• List the types of telemetry collected from devices in the infrastructure
• Describe how correlation is important to XDR
• Describe MITRE ATT&CK and how it is helpful


[Figure: four separate silos of visibility (Servers, Email, Network, Endpoints)]

In many organizations, the broadened attack surface along with the volume and
complexity of threats have complicated the job of the security analyst. Investigating and
dealing with malware, threats and attacks is complicated even further by silos of
visibility. While Endpoint Detection and Response (EDR) functionality in desktop
security applications, like Trend Micro Apex One, can provide detailed visibility into
suspicious activities on endpoint computers, attacks rarely stay siloed within the
endpoint environment. Malware can move throughout the environment, possibly
affecting servers, cloud workloads, email systems and more. If separate siloed views of
security alerts for network traffic analysis, server and cloud workloads, email and
endpoints are in place, it can be difficult for the security team to piece together the
viewpoints of these silos to figure out what has happened and what areas were
affected by the attacks.


[Figure: alerts from each silo (Servers, Email, Network, Endpoints) flowing to the Security Analyst]

Each of these silos of security details may be sending an overwhelming volume of alerts
without any context or correlation with other events. This makes it difficult to decide
what is important from the large number of log entries and see how alerts are related.


[Figure: an attacker moving across the Servers, Email, Network and Endpoints silos]

Attackers don’t stay in these silos. They move throughout the environment and then it’s
up to the security team to piece together viewpoints of the different silos to figure out
what happened.


[Figure: XDR spanning the Servers, Email, Network and Endpoints silos]

An Extended Detection and Response (XDR) approach delivers faster detection and
response across the entire environment since it breaks down these different silos of
visibility and tells a story of the attack without making the Security Operations team
dig through a huge collection of noisy alerts. XDR collects telemetry from endpoints,
servers in the data center or the cloud, email, and the network. Using artificial
intelligence, automation and big data analysis techniques, XDR builds a story view,
saving time for investigators tasked with protecting the organization from digital attack.
XDR finds attacks within the noise of alerts and telemetry with powerful detection
models. Security teams can detect threats faster, understand more easily what
happened and shut down an attack sooner. With correlated detection, better alerting,
and an ability to investigate leads, organizations are less likely to suffer business risks
that hit the bottom line.


[Figure: a central data lake fed by data from email, servers, mobile devices, the network, Cloud Sandbox, clients, the Web sensor, third parties, containers and OT]

How are we going to break down these silos of visibility through XDR?

Data collected from the different sources in the environment is stored in a centralized
data lake. From that collection of data, XDR analysis can be performed.

A data lake is a centralized repository that allows you to store all your structured and
unstructured data at any scale. You can store your data as‐is, without having to first
structure the data, and run different types of analytics, from dashboards and
visualizations to big data processing, real‐time analytics, and machine learning, to guide
better decisions.


Telemetry

Security Events: generated by protection modules such as anti‐malware, virtual
patching/IPS, Web reputation…

Activity: internal system activities such as registry changes, user creation/deletion,
cronjobs and scheduled tasks, processes starting/stopping, software installed/removed…

Both security events and activity are required to build a full story of an incident

Telemetry from all the different sources in the environment is collected in the data lake.
This telemetry includes:

Security Events are generated by protection modules hosted on the devices, such as
anti‐malware, virtual patching/IPS, Web reputation, etc. A Trend Micro‐managed
security agent is required on the devices to generate this information, which is then
forwarded for storage.

Activity monitoring includes internal system activities such as registry changes, user
creation/deletion, cronjobs and scheduled tasks, processes starting/stopping, software
installed/removed, network connections to IPs or domains, etc. An endpoint sensor is
required to collect this data and forward it for storage.

Simply dealing with security events generated by endpoint protection is not enough to
get a full idea of what is happening in the environment.


Endpoint Sensor Telemetry Figures


• Frequency: every 5 minutes
• Data volume: 6 – 9 MB/day per agent
• Protocol: TCP
• Port: 443
• Local cache:
− Windows: 50 MB (in memory)
− Linux: 200 MB (in disk)
− MacOS: 200 MB (in memory)


Endpoint sensor telemetry from endpoints is continually collected as shown in this slide.

A local cache will be used in cases where devices cannot communicate with the data
lake. The sensor continues to collect data when disconnected from the network, but
will forward this cached data once the connection is re‐established.

Source: https://success.trendmicro.com/solution/000286401


Each Piece Adds Value

Email ‐ 94% of malware
• Who else received this email or a similar threat?
• Are there compromised accounts sending internal phishing emails?

Endpoint ‐ Most attacks involve users’ devices
• Find threats hidden amongst endpoint telemetry
• What happened within the endpoint? How did it propagate?

Network ‐ Sees EDR blind spots (unmanaged; legacy, IoT, IIoT)
• How is the attacker moving across the organization?
• How is a threat communicating?

Workloads/Containers ‐ Critical to business operations
• High‐fidelity detections correlated from different security controls and activities to
tell a whole story
• What happened within the workload?

Why collect telemetry from various sources?

Email
Since the majority of malware enters through email, collecting email telemetry is very
important. It can answer questions such as:
• Who else received this email or a similar threat?
• Are there compromised accounts sending internal phishing emails?

Endpoint
Since most attacks involve users’ computers, collecting telemetry from endpoint
computers is also important.
• It can help locate threats hidden amongst large amounts of endpoint telemetry
• It can also help identify what happened within the endpoint and how the threat
propagated

Network
Network telemetry can help cover blind spots, for example, with unmanaged devices,
internet of things or operational technologies.
• Examining the network telemetry can help identify how an attacker is moving across
the organization
• It can also show how they are communicating outside the network

Workloads
Applications running on servers within the data center are critical to business
operations. Any compromise to these servers can severely hamper the business.
• Examining the detections from the Agents installed on the servers as well as other
activity data being collected from the servers can help paint a complete picture of
what is happening within the workloads.


Correlation

Tie together low‐level events that seem benign or insignificant on their own to help
uncover stealthy attackers

How is Trend Vision One going to filter through the large amount of data within the
data lake?

Trend Vision One uses filters contained in the detection models to correlate events
within the activity data in the data lake, using a variety of techniques including data
stacking, machine learning, expert rules, and more.
Low‐level activities that may seem benign, harmless or insignificant on their own may
reveal an attack when tied together to create a full story.


Correlation
• Detection models written by Trend Micro threat experts correlate events
• Uses a variety of powerful analytic techniques including data stacking, machine
learning and expert rules
• Regular scanning of event and activity data in the data lake

Trend Vision One uses detection models written by Trend Micro threat experts
to correlate events within the security event and activity data in the data lake using a
variety of techniques including data stacking, machine learning and expert rules. These
automated and cross‐layer detection models tie together low‐level events that seem
benign or insignificant on their own to help uncover stealthy attackers.
This type of data analysis would be impossible to do manually due to the sheer volume
of data collected.


SIEM (Security Information and Event Management)

Security alerts (but not all events)

Attack chain: Phishing Email opened → Word doc opened → PowerShell launched →
Command & Control check‐in → AWS Credentials Accessed → New container created →
Lateral movement to container

To illustrate the value of Trend Vision One compared to Security Information and Event
Management (SIEM) or Endpoint Detection and Response (EDR) solutions, let's look at
an example of the types of data going to SIEM, EDR, and XDR.
In this example, a user opened a Word attachment through a phishing email.

This attachment:
• Launched PowerShell
• Connected to a Command & Control server
• Stole AWS credentials to open a new container to migrate to an existing container
In this case the Command & Control communication generated an alert which was sent
to the SIEM. This one alert may be lost in the sea of alerts going to the SIEM while at
the same time doesn't have enough data to provide full details of what is happening.


SIEM (Security Information and Event Management)

EDR (Endpoint Detection & Response): collecting all endpoint activity, not just alerts

Attack chain: Phishing Email opened → Word doc opened → PowerShell launched →
Command & Control check‐in → AWS Credentials Accessed → New container created →
Lateral movement to container

With Endpoint Detection and Response, the security analyst has information on endpoint
activity related to this attack, but this data is still missing the beginning and the end of
the story, which occur before and after the endpoint.


SIEM (Security Information and Event Management)

Fewer, higher‐fidelity alerts that tell a story

XDR (scanning all activity in the data lake)

Attack chain: Phishing Email opened → Word doc opened → PowerShell launched →
Command & Control check‐in → AWS Credentials Compromised → New container created →
Lateral movement to container

XDR through Trend Vision One goes further, as it collects activity information not only
from the endpoints but also from email, containers, and the network. To the SIEM, Trend
Vision One sends a single, high‐fidelity alert (referred to as a Workbench in Trend
Vision One) that tells the story of this attack from beginning to end.

The Splunk Add‐on for Vision One is like the Workbench List: it shows you the list of
Workbench alerts that were triggered by XDR Security Analytics Engine (SAE) Detection
Models. Unlike regular syslog forwarding, the Splunk Add‐on calls the Vision One API to
get the list of workbenches.
This allows Vision One to:
• Fit within the existing SIEM workflow
• Receive correlated, high‐fidelity alerts
• Help with triaging and narrowing down to the events that need attention and
escalation
• Enable analysts to be more efficient


Correlation is critical

Automation of manual processes → Faster Investigations → Faster Response

There is no human alternative to the correlation capabilities of XDR. Collecting and
analyzing this data manually would require significant resources.
Having the process automated through the detection models ties activities and
detections together without any intervention by an analyst or administrator.
This enables faster investigations and detection of potential attacks, which in turn
enables a faster response.


[Figure: detection funnel. Legend: Raw Activity, Known Bad, Suspicious Activity, High Quality Alert. Stages: raw activity telemetry and detection alerts → filtered activity through machine learning, data stacking, and expert rules → correlated detections → alerts to XDR console and/or SIEM → manual review/response or automated response]

XDR finds attacks within the noise of alerts and telemetry with powerful detection
models.

1) Raw activity telemetry is ingested from endpoints, servers, cloud, email and network
2) Filters use a variety of techniques including data stacking, machine learning, expert
rules, etc., to find tactics, techniques, and correlated events
3) Detection models combine filters to surface attacks. Detection models are written
by Trend Micro threat experts and are frequently updated and added to
4) Detection model alerts are investigated and responded to by either your security
team or by Trend Micro‐Managed XDR personnel (MDR service).
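As an added example (not Trend Micro code, and not the real Security Analytics Engine filters or detection models), the Python below walks these four stages over a few constructed telemetry records that mirror the phishing-to-container chain from the SIEM/EDR/XDR slides: filters turn single events into observed attack techniques, and a detection model correlates them per host and user into one workbench alert, while a lone filter hit on a second host produces none. Event field names, the filter rules and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage 1: constructed raw telemetry from the lesson's silos (email, endpoint,
# network, cloud workload). Field names are assumptions, not the data lake schema.
# WS-17/alice mirrors the slide's attack chain; WS-04/bob is normal activity
# plus one lone filter hit.
RAW_EVENTS = [
    {"ts": "2023-09-21T09:00:00", "source": "email", "host": "WS-17", "user": "alice",
     "type": "mail_delivered", "attachment": "invoice.docm", "sender": "billing@example.invalid"},
    {"ts": "2023-09-21T09:02:10", "source": "endpoint", "host": "WS-17", "user": "alice",
     "type": "process_start", "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"ts": "2023-09-21T09:02:15", "source": "endpoint", "host": "WS-17", "user": "alice",
     "type": "process_start", "parent": "explorer.exe", "image": "notepad.exe"},
    {"ts": "2023-09-21T09:03:00", "source": "network", "host": "WS-17", "user": "alice",
     "type": "connection", "dst": "203.0.113.9", "dport": 8443, "bytes_out": 120000},
    {"ts": "2023-09-21T09:05:30", "source": "endpoint", "host": "WS-17", "user": "alice",
     "type": "file_read", "path": "C:/Users/alice/.aws/credentials", "image": "powershell.exe"},
    {"ts": "2023-09-21T09:08:00", "source": "cloud", "host": "WS-17", "user": "alice",
     "type": "api_call", "api": "ecs:RunTask", "src_ip": "198.51.100.7"},
    {"ts": "2023-09-21T11:00:00", "source": "endpoint", "host": "WS-04", "user": "bob",
     "type": "process_start", "parent": "explorer.exe", "image": "powershell.exe"},
    {"ts": "2023-09-21T11:05:00", "source": "network", "host": "WS-04", "user": "bob",
     "type": "connection", "dst": "203.0.113.9", "dport": 8443, "bytes_out": 90000},
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
INTERNAL_MAIL_DOMAIN = "@corp.example"   # assumed internal sender domain
KNOWN_EGRESS_IPS = {"192.0.2.10"}        # assumed NAT address of the office

# Stage 2: filters. Each inspects one event and returns (tactic, technique label)
# or None. A hit on its own is an "observed attack technique", not an alert.
def phishing_attachment(e):
    if e["type"] == "mail_delivered" and e["attachment"].lower().endswith((".docm", ".xlsm")) \
            and not e["sender"].endswith(INTERNAL_MAIL_DOMAIN):
        return "Initial Access", "Spearphishing Attachment"

def office_spawns_powershell(e):
    if e["type"] == "process_start" and e["parent"].upper() in OFFICE_APPS \
            and e["image"].lower() == "powershell.exe":
        return "Execution", "PowerShell launched by Office application"

def c2_nonstandard_port(e):
    if e["type"] == "connection" and e["dport"] not in (80, 443) and e["bytes_out"] > 50_000:
        return "Command & Control", "Non-Standard Port"

def cloud_credential_read(e):
    if e["type"] == "file_read" and e["path"].endswith(".aws/credentials") \
            and e["image"].lower() != "aws.exe":
        return "Credential Access", "Cloud credential file read by non-CLI process"

def container_from_unknown_ip(e):
    if e["type"] == "api_call" and e["api"] == "ecs:RunTask" and e["src_ip"] not in KNOWN_EGRESS_IPS:
        return "Lateral Movement", "New container created from unknown source IP"

FILTERS = [phishing_attachment, office_spawns_powershell, c2_nonstandard_port,
           cloud_credential_read, container_from_unknown_ip]

def run_filters(events):
    """Apply every filter to every event; return the filter hits in event order."""
    hits = []
    for e in events:
        for flt in FILTERS:
            tag = flt(e)
            if tag:
                hits.append({"ts": datetime.fromisoformat(e["ts"]), "host": e["host"],
                             "user": e["user"], "source": e["source"],
                             "tactic": tag[0], "technique": tag[1]})
    return hits

# Stage 3: a detection model. Hits on the same host/user are correlated inside a
# time window; only a chain spanning several tactics becomes a workbench alert.
def detection_model(hits, window=timedelta(minutes=30), min_tactics=3):
    by_key = defaultdict(list)
    for h in hits:
        by_key[(h["host"], h["user"])].append(h)
    workbenches = []
    for (host, user), group in by_key.items():
        group.sort(key=lambda h: h["ts"])
        for i, first in enumerate(group):
            chain = [h for h in group[i:] if h["ts"] - first["ts"] <= window]
            tactics = list(dict.fromkeys(h["tactic"] for h in chain))   # ordered, unique
            if len(tactics) >= min_tactics:
                workbenches.append({
                    "host": host, "user": user, "tactics": tactics,
                    "sources": sorted({h["source"] for h in chain}),
                    "start": chain[0]["ts"].isoformat(), "end": chain[-1]["ts"].isoformat(),
                    "story": [f'{h["ts"]:%H:%M} {h["source"]}: {h["technique"]}' for h in chain],
                })
                break   # later hits of this host/user are already part of the chain
    return workbenches

def run_pipeline(events):
    """Stage 4 hands the result to an analyst; here we return the funnel counts."""
    hits = run_filters(events)
    return {"raw_events": len(events), "filter_hits": len(hits),
            "workbenches": detection_model(hits)}

# run_pipeline(RAW_EVENTS) -> 8 raw events, 6 filter hits, 1 workbench (WS-17/alice)
```

The `story` list of the workbench is the cross-silo narrative the slides describe: one alert that names email, endpoint, network and cloud evidence in time order, instead of six unrelated hits.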


Higher Confidence Detections without Alert Overload

• 5B raw logs processed
• 22 M filter hits (Observed Attack Techniques)
• 116 Workbench alerts (alerts triggered by Detection Models)
• 7 Incidents (correlated Workbench alerts)

Company with 1000 devices in a 7‐day period

Trend Micro investigated data across our customer base over a period of time and
distilled it down to highlight the effect correlation can have. Sifting through this
volume of log data yourself would be difficult.


Intelligence Sharing

• STIX: Structured Threat Information Expression
• TAXII: Trusted Automated Exchange of Intelligence Information
• Suspicious Objects

An important facet of XDR is the ability to share threat information with others. Sharing
mechanisms available include:
• STIX
• TAXII
• Suspicious Objects

Trend Vision One fortifies the data it collects from within the environment with data
collected through intelligence sharing.

STIX/TAXII was developed from a need for a threat intelligence sharing standard. STIX
and TAXII are standards developed to improve the prevention and mitigation of cyber‐
attacks. STIX states the “what” of threat intelligence, while TAXII defines “how” that
information is relayed. Unlike previous methods of sharing, STIX and TAXII are machine‐
readable and therefore easily automated.
STIX/TAXII aims to improve security measures in a few ways:
• Extend the capabilities of current threat intelligence sharing
• Balance response with proactive detection
• Encourage a holistic approach to threat intelligence

The establishment of STIX/TAXII is an open, community‐driven effort that provides
free specifications to aid in the automated expression of cyber threat information.
Both possess an active community of developers and analysts.


Intelligence Sharing: STIX (Structured Threat Information Expression)
• Open‐source format used to exchange cyber threat intelligence
• Designed to improve collaborative threat analysis, automated threat exchange,
automated detection and response, and more
• STIX states the what of threat intelligence

STIX (Structured Threat Information eXpression) is a language and serialization format
used to exchange cyber threat intelligence (CTI). STIX enables organizations to share
cyber threat intelligence with one another in a consistent and machine‐readable
manner. Security communities can then better understand what computer‐based
attacks they are likely to see and better prepare for and/or respond to those attacks
with more speed and efficiency. STIX is designed to improve many different capabilities,
such as collaborative threat analysis, automated threat exchange, automated detection
and response, and more.


Intelligence Sharing: TAXII (Trusted Automated Exchange of Intelligence Information)
• Application protocol for exchanging cyber threat intelligence over HTTPS
• Designed to support the exchange of cyber threat intelligence represented in STIX
• TAXII defines how cyber threat intelligence is relayed
• Trend Vision One can subscribe to TAXII feeds from various organizations

TAXII (Trusted Automated Exchange of Intelligence Information) is an application layer
protocol for the communication of cyber‐threat intelligence in a simple and scalable
manner over HTTPS. TAXII enables organizations to share cyber threat intelligence by
defining a standard API that aligns with common sharing models.

TAXII is specifically designed to support the exchange of cyber threat intelligence
represented in STIX.


Intelligence Sharing: Suspicious Objects
• Objects with the potential to expose systems to danger or loss
− IP address
− Domain
− URL
− Hash
• Defined manually, through sandbox analysis, or synchronized from an external source
• Trend Vision One compiles its own suspicious objects list and can synchronize with
other sources

Suspicious Objects are objects with the potential to expose systems to danger or loss,
including
• IP address
• Domain
• URL
• Hash

Suspicious Objects can be defined manually, through sandbox analysis, or synchronized
from external sources.
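To connect the three sharing mechanisms above, here is an added example (not Trend Micro code, and not how Vision One implements its synchronization) that takes a STIX 2.1 bundle of the kind a TAXII 2.1 collection returns and reduces its indicators to the four suspicious‐object types listed: IP address, domain, URL and hash. The bundle, its identifiers, the addresses and the "current" time are all constructed; indicators that are expired, revoked, not indicators at all, or whose pattern contains no supported comparison are reported as skipped rather than silently dropped.

```python
import ipaddress
import re
from datetime import datetime, timezone

def indicator(n, name, pattern, valid_from="2023-09-01T00:00:00Z", **extra):
    """Constructed STIX 2.1 Indicator SDO with the required common properties.
    The UUID parts are synthetic placeholders, not real identifiers."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--5e1b7a0c-0000-4000-8000-00000000000{n}",
            "created": valid_from, "modified": valid_from, "name": name,
            "indicator_types": ["malicious-activity"], "pattern_type": "stix",
            "pattern": pattern, "valid_from": valid_from, **extra}

# Constructed bundle shaped like the JSON a TAXII 2.1 collection returns.
# Addresses use documentation ranges; the SHA-256 value is a dummy.
STIX_BUNDLE = {"type": "bundle", "id": "bundle--5e1b7a0c-0000-4000-8000-000000000000", "objects": [
    indicator(1, "C2 address", "[ipv4-addr:value = '203.0.113.9']"),
    indicator(2, "Stager host", "[domain-name:value = 'cdn.bad.example' OR "
                                "url:value = 'http://cdn.bad.example/stage.ps1']"),
    indicator(3, "Dropper hash", "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']"),
    indicator(4, "Old address", "[ipv4-addr:value = '203.0.113.77']",
              "2023-01-01T00:00:00Z", valid_until="2023-03-01T00:00:00Z"),
    indicator(5, "File name only", "[file:name = 'invoice.docm']"),
    {"type": "malware", "spec_version": "2.1", "id": "malware--5e1b7a0c-0000-4000-8000-000000000006",
     "created": "2023-09-01T00:00:00Z", "modified": "2023-09-01T00:00:00Z",
     "name": "Dropper", "is_family": False},
]}

# Only simple equality comparisons are mapped; anything else in a pattern is ignored.
VALUE_RE = re.compile(r"(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'([^']+)'")
HASH_RE = re.compile(r"file:hashes\.'?([A-Za-z0-9-]+)'?\s*=\s*'([0-9A-Fa-f]+)'")
KIND = {"ipv4-addr": "ip", "ipv6-addr": "ip", "domain-name": "domain", "url": "url"}

def parse_ts(s):
    """STIX timestamps are RFC 3339 in UTC with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def usable(kind, value):
    """Reject values that would be malformed as a suspicious object of that kind."""
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if kind == "domain":
        return re.fullmatch(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", value) is not None
    if kind == "url":
        return value.startswith(("http://", "https://"))
    return kind == "hash" and len(value) in (32, 40, 64)   # MD5, SHA-1, SHA-256

def suspicious_objects(bundle, now):
    """Turn the live indicators of a bundle into suspicious objects.
    Returns (objects, skipped) so dropped input stays visible to the analyst.
    Compound patterns are flattened: every comparison becomes its own object, so an
    AND pattern also yields separate objects; review those before block-listing."""
    objects, skipped = [], []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            skipped.append((obj["id"], "not an indicator"))
            continue
        if obj.get("revoked"):
            skipped.append((obj["id"], "revoked"))
            continue
        until = obj.get("valid_until")
        if until and parse_ts(until) <= now:
            skipped.append((obj["id"], "expired"))
            continue
        if obj.get("pattern_type", "stix") != "stix":
            skipped.append((obj["id"], "unsupported pattern_type"))
            continue
        found = [(KIND[t], v) for t, v in VALUE_RE.findall(obj["pattern"])]
        found += [("hash", h.lower()) for _algo, h in HASH_RE.findall(obj["pattern"])]
        found = [(k, v) for k, v in found if usable(k, v)]
        if not found:
            skipped.append((obj["id"], "no supported comparison"))
            continue
        for kind, value in found:
            objects.append({"type": kind, "value": value, "name": obj.get("name", ""),
                            "indicator": obj["id"], "valid_from": obj["valid_from"],
                            "valid_until": until})
    return objects, skipped

NOW = datetime(2023, 9, 21, tzinfo=timezone.utc)   # constructed "current" time
# suspicious_objects(STIX_BUNDLE, NOW) -> 4 objects (ip, domain, url, hash), 3 skipped
```

Keeping the source indicator id and validity window on each object is what lets the list be expired or withdrawn later when the feed revokes an indicator, which a flat list of values cannot do.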


Organizations Using an XDR Approach

• Are better protected: suffered half as many successful attacks over the last 12 months
• Detect quicker: 2.2X more likely to detect a data breach/successful attack in a few days
or less
• Respond completely: 60% less likely to report that attack re‐propagation has been an
issue.

The payoff provided by using an XDR solution is proven.

Research has shown that organizations using an XDR approach are better protected
and suffered half as many successful attacks over a one‐year period. Detection of
attacks is accelerated, and the organization is 2.2X more likely to detect a data breach
or successful attack in a few days or less. In addition, they are 60% less likely to report
that attack re‐propagation has been an issue.

Source: The XDR Payoff: Better Security Posture, ESG Research, Sep 2020

When you have the bigger picture, you can understand the full impact and not only
respond faster but more completely. There are fewer blind spots that allow for a
resurgence of attacks.


Faster, Better Detection and Protection


Trend Vision One can detect earlier with higher confidence detections.


You’ve been breached



We have all heard about situations where a company gets breached by an attack that
seemingly came out of nowhere. The company claimed to have had their defenses set up
and to be prepared for any attack. We also know that once a company has been
breached, it is possible that an adversary or attacker is still lurking inside the network,
escalating privileges, and hiding within the network (for months even) before they
strike again to launch more attacks.
• How did they get in?
• How are they moving around?
• What are they doing?
• How do we look for the attacker inside our network?

Where do we even start?

It would be great if there was a database of attack behaviors that we could use to help
figure out how the attackers got into the network and what they might have done.


Adversarial Tactics, Techniques, and Common Knowledge
• Knowledge base of adversary behavior
• Based on real‐world observations
• Free, open, and globally accessible (attack.mitre.org)
• Community‐driven

MITRE ATT&CK is such a database.

ATT&CK is an acronym for Adversarial Tactics, Techniques, and Common Knowledge.
This is a knowledge base of adversary behavior and attack techniques collected to help
organizations understand how attackers work.
This information is based on real‐world observations. Researchers have examined
attacks and distilled their behavior down to identified tactics, techniques and
procedures.
This knowledge base is free and open to anyone. It can be accessed globally at
attack.mitre.org.
Since this information is community driven, anyone can contribute to it. If you detect an
attack tactic, technique or procedure you feel has not been seen before, you can
contribute and have it added to the list.

The ATT&CK framework is used as a foundation for the development of specific threat
models and methodologies in the private sector, government, and the broader
cybersecurity community. It is widely used by both cyber security vendors and
customers in building out security programs and is used for Cyber Threat Intelligence
mapping.

You can think of ATT&CK as an encyclopedia of things that ATT&CK has seen an
adversary do! Information that ATT&CK provides is based on real‐world observations;
every single one is linked back to a report that you can find out in the community.

ATT&CK relies on public reporting and does not claim to have all the answers. You too
can reach out to contribute (see the MITRE web site for details on how to contribute).


• Helps connect the dots of an attack
• Not focused on the tools and malware itself
− Focus on interactions and techniques used by APTs and notable threats
• Comprehensive list of known adversary tactics and techniques used during a
cyberattack


How does change things?

Malware‐centric versus Adversary‐centric

• Shows how an adversary might be running advanced
persistent threats (APT)
• Provides an indication of what might happen next
• Allows forward thinking for defensive strategies

38 | ©2023 Trend Micro Inc.

MITRE ATT&CK focuses on the adversary, not the actual malware. It helps identify HOW
an adversary might be running attacks on your environment. Think of it as a playbook of
what an adversary will try to do. Once you understand what the adversary is trying to
do and what might happen next, it can help in the development of defensive strategies
for your organization.


Framework

Tactics (WHY?): Initial Access, Execution, Credential Access, Command & Control
Techniques (HOW?): Spear phishing Attachment, Non‐Standard Port, Keylogger, Network Sniffing
Procedures (WHAT?): Sandworm was used, PowerShell, Mimikatz, and PsExec, Conti, Emotet

Threat actions/operations are classified as
Tactics, Techniques and Procedures (TTP)
39 | ©2023 Trend Micro Inc.

Threat actions/operations are classified as TTPs: Tactics, Techniques and Procedures.

Tactics
• Tactics are the adversary’s technical goals.
• Represents WHY, or the adversary’s objective when performing an action.
• There are 13 tactics in Enterprise (March 2023): Reconnaissance, Resource
Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense
Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration,
Impact

Techniques
• Procedures are specific implementations of techniques.
• Represents HOW the adversary will perform an action
• As of March 2023 there are 250+ techniques
Example: Spearphishing Attachment, Data Destruction, Process Injection, Brute Force

A technique can be part of multiple Tactics.

Procedures
• Describe the way adversaries or software implement a technique
• Represents WHAT they are doing
• Examples
• APT12 has sent emails with malicious Microsoft Office documents and PDFs
attached
• APT32 has used macros, PowerShell scripts, COM scriptlets, and VBS
scripts.


Threat Informed Defense

• Know what you are up against
• Understand advanced persistent threats
and tools used
• Map out a possible attack by looking at
the Tactics and Techniques that have
been used

40 | ©2023 Trend Micro Inc.

MITRE ATT&CK is founded on the concept of threat informed defense.

Knowing what enterprises are up against is a vital first step in preparing for and
responding to incidents and potential cyberattacks. In the past, threats were much
simpler, largely defined by the technologies they exploited. Now that enterprises lean
on more advanced network and data infrastructures, the attack surface and impact of
threats have grown.
To act, you need to understand the complexity and persistence of current threats. You
need to know what strategies cybercriminals are employing that take advantage of
industry trends and popular platforms. This is where MITRE comes in.

For your Incident Response teams, MITRE is what allows them to connect all the dots of
an attack rather than having to look at numerous, possibly disparate
"detections" and "events" in the hope of uncovering what an adversary's actions may
be against your organization. MITRE can tell you things about adversary behaviors.

These behaviors are broken down by MITRE into Tactics, Techniques and Procedures
(TTPs) that were used in an attack against you. Tools in MITRE make it easier for you to
find out how attacks are being carried out, who the players are, and how they are getting
in. MITRE simplifies investigation and insight into an attack while providing the end goal
of preventing future attacks.
Much information has been created by the MITRE community, from the ATT&CK
framework to STIX and TAXII, to presentations on how vendors, blue teams, red teams,
and even customers are giving back to the Cyber Threat Intelligence Community. MITRE
is a great way to learn and understand threats better. You can follow Twitter, Blogs, and
MITRE Power Hour monthly conference to get started. The only problem is that once
you start learning and using MITRE for cybersecurity threat intelligence, the journey just
brings you deeper and deeper into the rabbit hole.


41 | ©2023 Trend Micro Inc.

The MITRE ATT&CK matrix displays the Tactics and Techniques. https://attack.mitre.org

The tactics are listed in blue letters across the top, with the associated techniques in the
column below them. Click any technique to get a full description.

Your goal is to stay as close to the left‐hand side of the matrix as possible, as these are the
easiest to resolve.
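The TTP classification from the Framework slide (tactics = WHY, techniques = HOW, procedures = WHAT, with one technique able to sit under several tactics) and the left-to-right reading of the matrix described here, as an added Python example that is not part of this guide or of Trend Vision One. The technique IDs, names and tactic names are taken from the public ATT&CK Enterprise knowledge base; the small catalogue, the Observation record and the sample observations are constructed for the example.

```python
from dataclasses import dataclass

# Enterprise matrix column order, left (Reconnaissance) to right (Impact).
TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]


@dataclass(frozen=True)
class Technique:
    technique_id: str
    name: str
    tactics: tuple  # HOW; a technique can sit under more than one tactic (WHY)


# Constructed subset of the ATT&CK Enterprise catalogue; IDs and names are real ATT&CK entries.
CATALOG = {t.technique_id: t for t in (
    Technique("T1566.001", "Spearphishing Attachment", ("Initial Access",)),
    Technique("T1059.001", "PowerShell", ("Execution",)),
    Technique("T1055", "Process Injection", ("Defense Evasion", "Privilege Escalation")),
    Technique("T1110", "Brute Force", ("Credential Access",)),
    Technique("T1040", "Network Sniffing", ("Credential Access", "Discovery")),
    Technique("T1056.001", "Keylogging", ("Collection", "Credential Access")),
    Technique("T1571", "Non-Standard Port", ("Command and Control",)),
    Technique("T1485", "Data Destruction", ("Impact",)),
)}


@dataclass(frozen=True)
class Observation:
    technique_id: str  # HOW: the technique a sensor matched
    procedure: str     # WHAT: the concrete implementation seen (constructed sample text)


def tactics_for(technique_id):
    """WHY: the tactic(s) a technique serves; an unknown ID is an error, not a guess."""
    try:
        return CATALOG[technique_id].tactics
    except KeyError:
        raise KeyError(f"{technique_id} is not in the catalogue") from None


def matrix_position(technique_id):
    """Right-most matrix column the technique can occupy (worst case for multi-tactic techniques)."""
    return max(TACTIC_ORDER.index(t) for t in tactics_for(technique_id))


def ttp_report(observations):
    """One WHY / HOW / WHAT line per observation, the way the slide lays out a TTP."""
    lines = []
    for obs in observations:
        tech = CATALOG[obs.technique_id]
        why = " or ".join(tech.tactics)
        lines.append(f"WHY: {why} | HOW: {tech.technique_id} {tech.name} | WHAT: {obs.procedure}")
    return lines


def summarize(observations):
    """Group observations by tactic in matrix order and report the furthest column reached,
    i.e. how far to the right an intrusion has progressed."""
    by_tactic = {}
    for obs in observations:
        for tac in tactics_for(obs.technique_id):
            by_tactic.setdefault(tac, []).append(obs.technique_id)
    ordered = sorted(by_tactic, key=TACTIC_ORDER.index)
    return {"tactics": ordered, "furthest": ordered[-1] if ordered else None, "by_tactic": by_tactic}


# Constructed sample of what an investigation might surface; not real telemetry.
SAMPLE = [
    Observation("T1566.001", "invoice.docm attached to inbound mail"),
    Observation("T1059.001", "powershell.exe spawned by WINWORD.EXE"),
    Observation("T1055", "code injected into explorer.exe"),
    Observation("T1571", "outbound TCP 8443 to an uncommon host"),
]

if __name__ == "__main__":
    for line in ttp_report(SAMPLE):
        print(line)
    print("furthest tactic reached:", summarize(SAMPLE)["furthest"])
```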


Common Language Between Vendors

42 | ©2023 Trend Micro Inc.

An important consideration is that MITRE ATT&CK creates a common language
between vendors. Since the tactics and techniques are standardized, all vendors using
MITRE ATT&CK will refer to an attack in a similar way.


Red Team versus Blue Team

ATTACKERS: Uses ATT&CK to develop a plan using multiple techniques to test the strength of their target
DEFENDERS: Uses ATT&CK to try and understand the Red Team's tactics and counter their attack strategy

43 | ©2023 Trend Micro Inc.

Some organizations use the Red team/Blue team model to test their defenses. The Red
Team develops a strategy to link together several techniques from different columns to
test the defenses of their target. The Blue Team (the penetration testing term for
defenders) needs to understand the tactics and techniques in order to counter the Red
Team’s strategy.


How ATT&CK Can Help

• Evaluate defensive tools
• Ingest threat intelligence
• Guide threat hunting functions
• Automate response
• Classify malware behaviors
• Create detection rules
• Train Blue/Red teams and run Red team exercises
• Assess your security posture
• Build threat models
44 | ©2023 Trend Micro Inc.

ATT&CK helps you to:

• Better identify and evaluate defensive tools: Will the security tools you are considering
implementing help prevent attacks described in the MITRE ATT&CK framework?
• Ingest threat intelligence: While your systems may not have been compromised, it is
helpful to understand what is affecting others.
• Guide threat hunting functions: The framework can provide direction on where to
look for evidence of an attack.
• Automate response: Once you understand what indicators you should be looking
for, you can use automation tools to simplify their discovery.
• Classify malware behaviors
• Create detection rules: Once you have information on how an attacker could get
access to your systems, you can create or better tune the detection rules applied to
your security products.
• Train blue/red teams and run red team exercises
• Assess your security posture: Once you understand the techniques used by
attackers, you can better determine if you are susceptible to this type of attack.
• Build threat models: Organizations can better evaluate how quickly they could
respond in the case of an attack.


MITRE Groups
• Sets of related intrusion activity that are tracked by a common name
− Represents a cluster of adversary activity
• Tracks what techniques and tools they are using (or have used in the
past)
• View the list at:
attack.mitre.org/groups/

45 | ©2023 Trend Micro Inc.

Groups are sets of related intrusion activity that are tracked by a common name in the
security community. Analysts track clusters of activities using various analytic
methodologies and terms such as threat groups, activity groups, threat actors, intrusion
sets, and campaigns. Some groups have multiple names associated with similar
activities due to various organizations tracking similar activities by different names.
Organizations' group definitions may partially overlap with groups designated by other
organizations and may disagree on specific activity.

For the purposes of the Group pages, the MITRE ATT&CK team uses the term Group to
refer to any of the above designations for a cluster of adversary activity. The team
makes a best effort to track overlaps between names based on publicly reported
associations, which are designated as “Associated Groups” on each page (formerly
labeled “Aliases”), because we believe these overlaps are useful for analyst awareness.
We do not represent these names as exact overlaps and encourage analysts to do
additional research.

Groups are mapped to publicly reported technique use and original references are
included. The information provided does not represent all possible technique use by
Groups, but rather a subset that is available solely through open‐source reporting.

Groups are also mapped to reported software used, and technique use for that software
is tracked separately on each software page.


MITRE ATT&CK Best Practices


• When penetration testing, use real‐world
tactics from the Groups list
• Keep your team updated and fluent in
the ATT&CK techniques
• Use the ATT&CK matrices to find and fill
gaps in your defenses
• Be aware of the different
implementations of a certain technique

46 | ©2023 Trend Micro Inc.

Here are some points to consider as you use MITRE ATT&CK as part of your overall data
security plans:
• Use the real‐world software and scenarios from the Groups list. If you can’t protect
against the known threats, there is no way you can stop the unknown threats.
• Socialize and share ATT&CK techniques as a common language for your security
teams.
• Identify gaps in your defenses with the ATT&CK matrices and implement solutions
for those gaps.
• Never assume that since you can defend against a technique in one way, you won’t
get dinged by a different implementation of that technique. Just because your anti‐
malware solution catches Mimikatz don’t assume it will also catch tnykttns – or
whatever variant of Mimikatz comes out next.

A good resource is available at https://www.varonis.com/blog/mitre-attck-framework-complete-guide/

MITRE ATT&CK and Trend Vision One

Add the MITRE ATT&CK MATRIX MAPPING widget to
the Security Dashboard app

47 | ©2023 Trend Micro Inc.

You will see reference to MITRE ATT&CK tactics and techniques in many different places
in Trend Vision One.

You can add the MITRE ATT&CK MATRIX MAPPING widget to the Security Dashboard
app to display the observed attack techniques.


ATT&CK techniques listed in
Workbench app
Click technique number to link to
description on
attack.mitre.org web site

48 Copyright 2023 Trend Micro Inc.

You can also view the observed ATT&CK techniques listed in the Workbench app.
Click a technique number in the Highlights pane to link to its description on the
attack.mitre.org web site.

Workbenches are the alerts created from the automatic correlation of telemetry in the
data lake.


Tactics and Techniques
listed in Observed Attack
Techniques app

49 Copyright 2023 Trend Micro Inc.

Tactics and Techniques that have been seen in your environment are listed in the Observed
Attack Techniques app. This app displays the raw event data collected in the data lake
that corresponds to MITRE ATT&CK techniques.


Locate specific Tactics
or Techniques through
the Search app

50 Copyright 2023 Trend Micro Inc.

Analysts can locate specific tactics or techniques through the Search app.


Tactic details and
description in Incident
View

51 Copyright 2023 Trend Micro Inc.

Tactic details and description are also displayed in the Workbench Incident View.


Tactics and Techniques listed
in Execution Profile

52 Copyright 2023 Trend Micro Inc.

Finally, observed tactics and techniques are also listed in Execution Profiles.


Detection Time is Critical!


Chart: detection time versus impact. Late detection means high impact; early detection means low impact. 1 in 4: risk of a major breach in the next 24 months. Time axis markers: industry average detection time for a breach, industry average time to contain a breach, and average cost of a data breach.

53 | ©2023 Trend Micro Inc.

The goal is to reduce the time it takes to detect a system breach. The longer it takes to
detect the attack, the higher the impact on the organization.

Lesson Review

1. Trend Vision One can collect telemetry from which components of your infrastructure?
2. What information is included in the telemetry collected from components of your infrastructure?
3. How can the MITRE ATT&CK framework help when dealing with security incidents?

54 | ©2023 Trend Micro Inc.


Lesson 2:
Trend Vision One

Now that we understand the basics of XDR, let’s examine how Trend Micro implements
XDR through Trend Vision One.


Lesson Objectives
After completing this lesson, participants will be able to:
• Describe the core capabilities of Trend Vision One
• Describe the Trend Vision One features used for XDR

56 | ©2023 Trend Micro Inc.

After completing this lesson, participants will be able to:
• Describe the core capabilities of Trend Vision One
• Describe the Trend Vision One features used for XDR


57 | ©2023 Trend Micro Inc.

Trend One is a unified cybersecurity platform that encompasses the solutions, services, and technology
capabilities that serve security and operations groups across multiple functions. It represents all that
Trend can do in support of an enterprise’s cyber security efforts by bringing everything together under a
common framework, delivering core competencies for security teams to bridge threat protection and
cyber risk management to drive greater security outcomes.

A reflection of Trend Micro's strategic shift to SaaS and a unified platform approach to solving customer
security challenges, Trend One enables business agility through the delivery of market‐leading security
capabilities for protecting cloud, endpoint, email, network, mobile and IoT environments. Trend One
consolidates multiple market‐leading security capabilities and deep integration with your IT
infrastructure. Trend One is packed with advanced native security capabilities for protecting cloud,
endpoint, email, IoT, OT and network.

Security professionals are empowered to continuously discover their ever‐changing attack surface,
understand and prioritize vulnerabilities, rapidly detect and respond to threats, and apply the right
security at the right time to mitigate risk. Built‐in security capabilities like industry‐leading XDR, risk
insights, and threat assessment combined with deep integration across the broader IT infrastructure
helps security operations teams manage the attack surface risk lifecycle more effectively with fewer
resources. With broad protection capabilities across the entire enterprise, Trend One empowers
organizations to be more agile and adapt quickly to new business and compliance needs, including
supporting security strategies like Zero Trust and helping to address cyber insurance requirements. With
unparalleled threat intelligence and vulnerability insights from our global threat research team and
expert services like managed XDR and incident response, Trend One is designed to help organizations
improve cyber security outcomes.

The Trend One unified cybersecurity platform delivers advanced capabilities for protecting the enterprise,
including:
• Central visibility, continuous risk and threat assessment, and executive‐level dashboard reporting.
• In‐depth threat and vulnerability intelligence with XDR and risk insights combined with market‐leading
protection capabilities for securing cloud, endpoints, email, network, mobile and IOT environments.
• Native sensors for cloud, endpoint, email, network, and IoT environments combined with data from a
growing list of third‐party security products for maximum insights.
• Data and insights from Trend Micro's global threat research team, including in‐depth knowledge of
the latest threats, vulnerabilities, and cybercriminal activities.
• Common platform services like security engines and data analytics, combined with global SaaS
infrastructure for maximum protection and flexibility.
• Security services like Managed XDR, threat assessment, and incident response.
Ultimately, Trend One provides the foundation of technology and services necessary to function as an
integrated system that enables organizations to better understand, communicate, and mitigate cyber risk
across the enterprise.


58 | ©2023 Trend Micro Inc.

Trend Vision One is a cloud‐native security operations platform, serving cloud, hybrid,
and on‐premises environments, combining Attack Surface Risk Management (ASRM),
Zero Trust Secure Access (ZTSA) and Extended Detection and Response (XDR)
capabilities in a single console to effectively manage cyber risk across an organization.

Trend Vision One integrates with Trend Micro's expansive protection solution portfolio
and industry‐leading global threat intelligence, in addition to a broad ecosystem of
purpose‐built and API‐driven third‐party integrations. This allows the security team to
ingest and analyze activity and detection telemetry across the user environment.

The platform’s native‐first, hybrid approach to XDR and ASRM benefits security teams
by delivering richer telemetry across security layers with full context and
understanding. This results in more proactive risk identification, more precise threat
detection and more efficient response.

Trend Vision One serves multiple security teams, from SOC analysts and threat hunters,
to IT operations, all the way to senior security leaders. It acts as the operations hub for
managing across the attack protection cycle, from assessing, anticipating and mitigating
cyber risks to preventing, detecting and responding to threats.


Diagram: the Data lake collects data from email, servers, mobile, network, Cloud Sandbox, clients, the Web sensor, third parties, Containers, and OT.

59 | ©2023 Trend Micro Inc.

Data collected from all the different points is stored in a data lake, from which analysis
operations can be performed.
For example, how does an event in an email account relate to an event detected on
the network?

Trend Vision One Core Capabilities

Industry‐leading XDR and EDR
• Broadest native XDR sensor coverage
• Purpose‐built to ingest, analyze and act across multiple vectors

Attack Surface Risk Management
• Rapid attack surface discovery
• Continuous risk assessment and prioritization
• Proactive risk and threat remediation

Zero Trust Secure Access
• Secure access for internet and private access
• Continuous user and identity assessment
• Security Service Edge/Secure Access Service Edge with Zero Trust Network Access, Secure Web Gateway, and Cloud Access Service Broker

Central Visibility across Trend and third‐party products
• Risk, Attack, Exposure Indices
• API‐friendly platform with broad and growing integration ecosystem

60 | ©2023 Trend Micro Inc.

Attack Surface Risk Management

Rapid Discovery
• Internal and external attack surface discovery
• Go beyond devices with users, domains/IP, cloud apps, storage, containers, workloads, and Cloud Security Posture Management

Dynamic Assessment
• Continuous individual asset risk assessment, scoring and prioritization
• Company‐wide Risk Index and benchmarking against peers

Proactive Remediation
• Intelligent, custom guidance and instruction
• Improve mean time to discover and mean time to recovery
• Orchestrate and automate risk and threat response with Security Playbooks

Central Visibility Across Trend and Third‐party Products
• Assess cyber risk, correlate threat activity, and automatically respond across multiple vectors from a single console

61 | ©2023 Trend Micro Inc.

Without the ability to identify unknown assets, security teams may prioritize
unmanaged, internal assets (inside the network, with no visibility) and unmanaged,
internet‐facing assets due to the high risk associated with them.

With Attack Surface Discovery, security teams can begin to see more of their
environment by identifying unknown assets in the wild.

Attack Surface Risk Management capabilities include:

Rapid Discovery
• Internal and external attack surface discovery
• Go beyond devices with users, domains/IP, cloud apps, storage, containers,
workloads, and Cloud Security Posture Management

Dynamic Assessment
• Continuous individual asset risk assessment, scoring and prioritization
• Company‐wide Risk Index and benchmarking against peers

Proactive Remediation
• Intelligent, custom guidance and instruction
• Improve mean time to discover and mean time to recovery
• Orchestrate and automate risk and threat response with Security Playbooks

Central Visibility across Trend and third‐party products
• Assess cyber risk, correlate threat activity, and automatically respond across multiple
vectors from a single console

Attack Surface Risk Index

Vulnerability Exposure
• Vulnerabilities detected
• Misconfigurations
• Suspicious activity
• Suspicious data access

Business Value
• Asset importance
• Impact of outage
• Type of content

Security Controls
• Security policies implemented
• Regulatory compliance

Asset Visibility
• Asset discovery
• Asset influence

Threats
• Threat detections
• Detection from investigations
• Attack pressure

Risk Factors (data sources): User/Device Activity and Behavior, Cloud Infrastructure and App Configurations, Internet‐Facing Assets, Security Product Configurations, Network Inspection, Security Product Detection Logs, Operating System/Application Vulnerabilities

62 | ©2023 Trend Micro Inc.

Attack surface discovery provides continuous risk assessment, analysis, and
prioritization.

63 | ©2023 Trend Micro Inc.
Zero Trust Secure Access

Previous state:
Users and endpoints are automatically allowed network and Internet access

Zero Trust:
Access is restricted until the identity and device are verified.
Then, use continued assessment during the session to determine if access should still be granted

64 | ©2023 Trend Micro Inc.

Zero Trust Secure Access

Do you have credentials?
• Simple check of a matching username / password.
• Hopefully with MFA enabled!

Do you have permission to access this resource?
• Do their responsibilities require access to this resource?
• Are they logging in from an approved location, at an allowed time?
• Can you granularly control their usage? (for example, this user can’t post on Twitter)

Should your identity/device have access to this resource?
• Could the identity and/or device be compromised?
• Has the identity or device recently been involved in risky behavior?
• Does the device have good security controls in place?
• Is the device littered with high‐risk vulnerabilities?

Should you continue to have access?
• Is there new malicious activity on the endpoint?
• Has the user started sending phishing emails out of their mailbox?
• Are there new signs of identity compromise?
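The four Zero Trust Secure Access questions on this slide, and the contrast with the previous state where network access simply implied resource access, as an added Python example that is not part of this guide or of Trend Vision One. The gates are evaluated in order before a session is granted and re-evaluated while it is active; the identity fields, signal names, risk threshold and allowed hours are constructed policy values for the example, not product settings.

```python
from dataclasses import dataclass

RISK_THRESHOLD = 70            # constructed: above this the identity/device is treated as possibly compromised
ALLOWED_HOURS = range(6, 22)   # constructed: logins allowed 06:00-21:59 local time
REVOKING_SIGNALS = {           # constructed names for the three "continue to have access?" questions
    "malicious_activity_on_endpoint",
    "outbound_phishing",
    "identity_compromise",
}


@dataclass
class Identity:
    user: str
    authenticated: bool = False            # do you have credentials?
    mfa: bool = False
    permitted_resources: frozenset = frozenset()   # what the role's responsibilities require
    approved_locations: frozenset = frozenset()
    risk_score: int = 0                    # continuous identity/device assessment, 0 (clean) to 100
    device_controls_ok: bool = True        # security controls present, no high-risk vulnerabilities


@dataclass
class AccessRequest:
    identity: Identity
    resource: str
    location: str
    hour: int  # 0-23, local time


def legacy_access(req):
    """Previous state from the slide: once on the network, access is simply allowed."""
    return True, "allowed: network access implies resource access"


def evaluate_access(req):
    """Zero Trust: walk the gates in order and stop at the first one that fails.
    Returns (granted, reason) so the reason can be logged for the analyst."""
    i = req.identity
    if not (i.authenticated and i.mfa):
        return False, "credentials: authentication or MFA missing"
    if req.resource not in i.permitted_resources:
        return False, "permission: role does not require this resource"
    if req.location not in i.approved_locations or req.hour not in ALLOWED_HOURS:
        return False, "permission: unapproved location or time"
    if i.risk_score > RISK_THRESHOLD or not i.device_controls_ok:
        return False, "risk: identity or device may be compromised"
    return True, "granted"


def reassess_session(identity, new_signals):
    """Continued assessment during the session: new compromise signals, or a risk score
    that has crossed the threshold since the grant, revoke access that was already given."""
    hits = sorted(s for s in new_signals if s in REVOKING_SIGNALS)
    if hits:
        return False, "revoked: " + ", ".join(hits)
    if identity.risk_score > RISK_THRESHOLD or not identity.device_controls_ok:
        return False, "revoked: risk score or device controls changed"
    return True, "session continues"


# Constructed sample identity; not real account data.
ALICE = Identity("alice", authenticated=True, mfa=True,
                 permitted_resources=frozenset({"hr-portal"}),
                 approved_locations=frozenset({"HQ"}), risk_score=20)


def demo():
    """Grant a session, then revoke it when the mailbox starts sending phishing."""
    first = evaluate_access(AccessRequest(ALICE, "hr-portal", "HQ", 10))
    later = reassess_session(ALICE, {"outbound_phishing"})
    return first, later


if __name__ == "__main__":
    print(demo())
```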

65 | ©2023 Trend Micro Inc.

66 | ©2023 Trend Micro Inc.

Trend Vision One XDR

• Correlated detection
• In‐depth investigation
• Built‐in response actions
• Advanced search
• Search using MITRE tactics and techniques
• Sweeping for Indicators of Compromise
• Integration with other applications
• Visibility across security layers and attack surface

67 | ©2023 Trend Micro Inc.

Trend Vision One XDR provides an extensive collection of features for detection and
response across security layers including the following:

Correlated Detection
Advanced detection models written by Trend Micro threat researchers correlate low‐
level activities within or across security layers to find undiscovered attacks. The
detection models, which generate the alert triggers, combine multiple rules and filters
using a variety of analysis techniques including data stacking and machine learning. You
can turn on and off individual models as appropriate for the organization's risk
tolerance and preferences.

In‐depth investigation
Analysts can view a list of alerts (referred to in Vision One as Workbenches) and drill
down for further visibility. Workbenches are the investigation results for a detection;
from here you can view the execution profile, identify the scope of impact and take
response actions. It is from here that analysts would prioritize and process the alerts,
and track what has been done (new, in progress, closed).
Analysts can understand the story of an attack with an interactive visual representation
of events. The Execution Profile Analysis displays the threat actions within an endpoint,
server, or cloud workload. The Network Analysis can replay network communications to
highlight details of an attacker's command and control communications or lateral
movement.

Built‐in response actions
Contextually aware response choices provide quick actions from within the platform.
Analysts can respond quickly by right‐clicking objects in the workbench or within threat
hunting search results to initiate and track endpoint, email, server, and network
responses.

Advanced search
Analysts can proactively search through endpoint, email, network, and cloud workload
activity data using a simple query builder. Perform indicator of compromise (IoC)
sweeping or create custom searches using multiple parameters or filter down into
things by adding additional search criteria. From a search result, the analyst can initiate
a response or generate an Execution Profile. The queries used for basic threat hunting
can be saved and reused.

MITRE ATT&CK Mapping
The mapping of threat techniques to the MITRE ATT&CK framework helps organizations
to quickly understand and communicate what is happening in their environment. MITRE
ATT&CK is a globally‐accessible knowledge base of adversary tactics and techniques
based on real‐world observations and is used as a foundation for the development of
specific threat models and methodologies in cybersecurity products and services.
Hyperlinks from the workbench link to documentation for the MITRE ATT&CK
framework.
Visit mitre.org for more information on the MITRE ATT&CK framework matrix.

Sweeping for indicators of compromise
Analysts can detect threats sooner with automatic searching of the environment with
indicators of compromise published by Trend Research or trusted third‐party sources.
When there is a detection, built‐in threat intelligence can help identify the associated
campaign, target platform, associated MITRE ATT&CK TTPs, and can even provide links
to related intelligence blog posts if available.

Integrations with other applications
Broaden the range of data collected by integrating Trend Vision One with other third‐
party applications.

Visibility across security layers and attack surface
Sensors installed on different devices in the environment collect telemetry across all
security layers. Trend Vision One is hosted and managed in the cloud by Trend Micro to
take advantage of cloud computing technologies and eliminate much of the overhead
associated with managing local hardware.

Trend Vision One is under constant development. New XDR features will be added over
time to complement the features that already exist in the product.


Trend Vision One is a Software as a Service product and is
available only online
https://portal.xdr.trendmicro.com
Log in with the account of a user with administrative
privileges

68 Copyright 2023 Trend Micro Inc.

Trend Vision One is a Software as a Service product and is available only online. Users
with appropriate permissions can log in at:
https://portal.xdr.trendmicro.com

Log in with the account of a user with administrative privileges.


App categories

Toggle between
icons and app
names
69 Copyright 2023 Trend Micro Inc.

Trend Vision One’s functionality comes from a collection of integrated apps. The app
categories are displayed in the left‐hand pane of the console.

A toggle at the bottom of the left‐hand frame can switch between app icons and names
to assist in the learning process.


Expand category to
view apps within

70 Copyright 2023 Trend Micro Inc.

Expand any app category to view the apps within. New apps are being added over time
as new functionality is added.


App in Preview

71 Copyright 2023 Trend Micro Inc.

Some apps will display in Preview. These are new apps that are in development. The
Trend Vision One development team is looking for feedback on implementation. Any
user can provide feedback from the Resource Center at the bottom of the left‐hand
frame.


Quick access to Trend
Vision One Resource
Center

72 | ©2023 Trend Micro Inc.

Any user can provide feedback from the Resource Center.

Click Feature Request to contribute your feedback. Feature development is prioritized
by demand from customers and users.


Quick access to Online
Help and Support

73 | ©2023 Trend Micro Inc.

Help and support resources can be accessed from the Help icon in the upper right‐hand
corner of the console.

Run common diagnostic
tests

74 Copyright 2023 Trend Micro Inc.

A Self‐Diagnosis tool is available under Help and Support to troubleshoot using
common diagnostic tests.


Trend Vision One Apps


• Trend Vision One is under constant development
− Apps and interface can change
• Some items in Preview
− To solicit feedback
• Apps shown in this course were correct at the time of
publishing
− May be different than what you see today

75 | ©2023 Trend Micro Inc.

Trend Vision One is constantly being updated with new apps and capabilities. The
descriptions of the apps described in this lesson were up to date at the time of
publishing of this material. There may have been changes to the user interface since
then.


Choose which app categories to
display in the menu

Click to pin the
category to the
menu

76 Copyright 2023 Trend Micro Inc.

Click Customize your navigation to choose which app categories are displayed in the
menu. Click the Pin icon to add the app category. This allows customization of the
menu so that it shows only the apps that are used by your organization.

Risk Insights
• Discover organizational assets that might be exposed to attack by revealing overall
risk index, asset risks, ongoing attacks, and contributing risk factors
• Ensure coverage by identifying unknown or unprotected devices
• Highlights risky devices

Risk Insights can help discover organizational assets that might be exposed to attack by
revealing the overall risk index, asset risks, ongoing attacks, and contributing risk factors.

How can the Risk Insights apps help with XDR?
• Ensure coverage by identifying unknown or unprotected devices
• Highlight risky devices

Dashboards and Reports

• At‐a‐glance perspective into your organization's overall cybersecurity strength
• Helps identify risk areas that should be addressed to reduce the number of alerts
and Workbenches to investigate

Dashboards and Reports apps provide an at‐a‐glance perspective into your
organization's overall cybersecurity strength.

How can the Dashboards and Reports apps help with XDR?
• Helps identify risk areas that should be addressed to reduce the number of
Workbenches to investigate

XDR Threat Investigation
• Uncover events and the attack path across security layers
• Enable analysis and visibility of telemetry from endpoints, servers, email, network
and the web
• Detect and provide actions against threats across all security layers
• Workbenches created based on analysis using big data techniques

XDR Threat Investigation apps provide a consolidated view to uncover events and the
attack path across security layers and include the tools to enable analysis and visibility
of telemetry from endpoints, servers, email, the network and the web.

How can the XDR Threat Investigation apps help with XDR?
• Detect and provide actions against threats across all security layers
• Workbenches are created based on analysis using big data techniques

Threat Intelligence
• Integrate up‐to‐the‐minute intelligence reports from Trend Micro and reliable third
parties to help identify threats
− Includes Suspicious Objects Management and Sandbox Analysis reports
• Scans data lake regularly looking for potentially missed objects or newly discovered
threats
• Leverages experience of others

Threat Intelligence apps integrate up‐to‐the‐minute intelligence reports from Trend
Micro and reliable third parties to help you identify threats. This category includes
Suspicious Objects Management and Sandbox Analysis apps.

How can the Threat Intelligence apps help with XDR?
• Scans the data lake regularly looking for potentially missed objects or newly
discovered threats
• Leverages the experience of others

Workflow and Automation

• Includes apps to automate operations, integrate with third‐party applications, view
response actions and configure Service Gateways
• Collect and analyze data from multiple sources to increase visibility into your security

The Workflow and Automation apps automate operations, integrate with third‐party
applications, view response actions and configure Service Gateways.

How can the Workflow and Automation apps help with XDR?
• Collect and analyze data from multiple sources to increase visibility into your
security

Zero Trust Secure Access

• Implements contextual access control lists for internal and SaaS applications to
support Zero Trust
• Helps prevent unauthorized access to resources, reducing the number of alerts and
Workbenches created

Zero Trust Secure Access apps implement contextual access control lists for internal
and SaaS applications.

How can the Zero Trust Secure Access apps help with XDR?
• Help prevent unauthorized access to resources, reducing the number of alerts and
Workbenches created

Assessment
• Scans cloud mailboxes and endpoints to find any threats that may have evaded your
existing security solutions
− For example, Log4J assessment to discover the libraries and determine if they can
be exploited
• Ensures all devices are protected to reduce the number of alerts and Workbenches
created

Assessment apps scan cloud mailboxes and endpoints to find any threats that may
have evaded your existing security solutions.

How can the Assessment apps help with XDR?
• Ensure all devices are protected to reduce the number of alerts and Workbenches
created

Endpoint Security Operations

• Manage endpoint inventories and security policies
• Deploy endpoint sensors
• Verifies the coverage of endpoint sensors across Windows and Mac clients, and
Windows, Linux, AIX and Solaris servers

Endpoint Security Operations apps manage and deploy endpoint sensors.

How can the Endpoint Security Operations apps help with XDR?
• Verifies the coverage of endpoint sensors across Windows and Mac clients, and
Windows, Linux, AIX and Solaris servers
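Both the Risk Insights passage earlier (identifying unknown or unprotected devices) and this Endpoint Security Operations passage come down to the same reconciliation: compare the assets you believe you own with the hosts that are actually reporting a sensor. The Python script below is an added example, not Trend Micro code and not an export format of the Endpoint Inventory app; the hostnames, platforms and the 7‐day staleness threshold are constructed assumptions. It buckets every host as covered, unprotected, stale, unsupported or unknown (a sensor reporting from a host that is missing from the asset list), which is the checklist a practitioner would want before trusting XDR coverage figures.

```python
"""Reconcile an asset inventory against a sensor inventory to find coverage gaps.

Added example; it is not Trend Micro code. Both inventories below are
constructed sample data. In practice the asset list would come from a CMDB or
directory export and the sensor list from an endpoint-inventory export.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Platforms named on the slide as covered by the endpoint sensor.
SUPPORTED_PLATFORMS = {"windows", "macos", "linux", "aix", "solaris"}


@dataclass(frozen=True)
class Asset:
    hostname: str
    platform: str   # e.g. "windows", "linux", "other"


@dataclass(frozen=True)
class SensorRecord:
    hostname: str
    last_seen_days: int   # days since the sensor last reported in


def normalize(hostname: str) -> str:
    """Lower-case and drop the DNS suffix so 'WS-001.corp.example' matches 'ws-001'."""
    return hostname.strip().lower().split(".")[0]


def coverage_report(assets: Iterable[Asset], sensors: Iterable[SensorRecord],
                    stale_after_days: int = 7) -> Dict[str, List[str]]:
    """Classify every host into exactly one bucket.

    covered:     supported asset with a recently reporting sensor
    unprotected: supported asset with no sensor record at all
    stale:       supported asset whose sensor has not reported within stale_after_days
    unsupported: asset on a platform the sensor does not cover (needs another control)
    unknown:     sensor record for a host that is not in the asset inventory
    """
    asset_by_name = {normalize(a.hostname): a for a in assets}
    sensor_by_name = {normalize(s.hostname): s for s in sensors}

    report: Dict[str, List[str]] = {
        "covered": [], "unprotected": [], "stale": [], "unsupported": [], "unknown": []}
    for name in sorted(asset_by_name):
        asset = asset_by_name[name]
        if asset.platform not in SUPPORTED_PLATFORMS:
            report["unsupported"].append(name)
            continue
        sensor = sensor_by_name.get(name)
        if sensor is None:
            report["unprotected"].append(name)
        elif sensor.last_seen_days > stale_after_days:
            report["stale"].append(name)
        else:
            report["covered"].append(name)
    report["unknown"] = sorted(set(sensor_by_name) - set(asset_by_name))
    return report


def coverage_ratio(report: Dict[str, List[str]]) -> float:
    """Share of supported assets with a live sensor (0.0 when nothing is supported)."""
    supported = len(report["covered"]) + len(report["unprotected"]) + len(report["stale"])
    return len(report["covered"]) / supported if supported else 0.0


# Constructed sample inventories (hostnames and values are made up).
SAMPLE_ASSETS = [
    Asset("WS-001.corp.example", "windows"),
    Asset("ws-002.corp.example", "windows"),
    Asset("srv-db01.corp.example", "linux"),
    Asset("srv-aix01", "aix"),
    Asset("printer-01", "other"),
]
SAMPLE_SENSORS = [
    SensorRecord("ws-001", 1),
    SensorRecord("WS-002", 30),      # sensor installed but silent for a month
    SensorRecord("srv-db01.corp.example", 0),
    SensorRecord("lab-vm-99", 2),    # reporting host nobody put in the inventory
]

if __name__ == "__main__":
    rep = coverage_report(SAMPLE_ASSETS, SAMPLE_SENSORS)
    for bucket, hosts in rep.items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
    print(f"coverage: {coverage_ratio(rep):.0%}")
```

The stale bucket is the one most often missed: a host with a sensor that stopped reporting looks covered in a simple count but sends no telemetry to the data lake, and the unknown bucket is where rogue or forgotten systems first show up.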

Cloud Security Operations

• Provides instant visibility into vulnerable containers in cloud environments
• Address runtime threats and suspicious activity, strengthening your cloud detection
and response approach

Cloud Security Operations apps provide instant visibility into vulnerable containers in
cloud environments.

How can the Cloud Security Operations apps help with XDR?
• Address runtime threats and suspicious activity, strengthening your cloud detection
and response approach

Network Security Operations

• Manage and deploy network sensors
• Verifies the coverage of sensors on network devices such as Deep Discovery
Inspector and TippingPoint

Network Security Operations apps manage and deploy network sensors.

How can the Network Security Operations apps help with XDR?
• Verifies the coverage of sensors on network devices such as Deep Discovery
Inspector and TippingPoint

Email Security Operations

• Manage and deploy email sensors
• Verifies the coverage of sensors on Exchange and Gmail accounts

Email Security Operations apps manage and deploy email sensors.

How can the Email Security Operations apps help with XDR?
• Verifies the coverage of sensors on Exchange and Gmail accounts

Mobile Security Operations

• Manage mobile devices and policies, including iOS and Android
• Extends protection to user mobile devices, including smartphones and tablets

Mobile Security Operations apps manage mobile devices and policies.

How can the Mobile Security Operations apps help with XDR?
• Extends protection to user mobile devices, including smartphones and tablets

Service Management
• Connect Trend Micro products and Cloud accounts to Trend Vision One
• Connect products to receive security event details and integrate endpoint
inventories

Service Management apps connect Trend Micro products and cloud accounts to Trend
Vision One.

How can the Service Management apps help with XDR?
• Connect products to receive security event details

Administration
• Configure user accounts, roles, console settings, license and credit details, and
audit logs
• Configure Trend Vision One to best support XDR activities

Administration apps configure user accounts, roles, console settings, license and credit
details, and audit logs.

How can the Administration apps help with XDR?
• Configure Trend Vision One to best support XDR activities

Lesson Review

1. What are the core capabilities of Trend Vision One?
2. What are some of the Trend Vision One features that are useful for XDR?
3. Describe some of the benefits of Trend Vision One XDR.

Lesson 3:
Connecting Trend Micro Products

Lesson Objectives
After completing this lesson, participants will be able to:
• Connect Trend Micro products to collect security event data

Connecting Trend Micro Products

Security Events: Generated by protection modules such as anti‐malware, virtual
patching/IPS, Web reputation…

Activity: Internal system activities such as registry changes, user creation/deletion,
cronjobs and scheduled tasks, processes starting/stopping, software installed/removed…

Connect products to receive security events from managed products

We mentioned earlier that both security events and activity can be sent to the Trend
Micro data lake.
Connecting Trend Micro products enables security events collected by agents on the
endpoints managed by these products to be sent to the data lake.

In addition, Trend Vision One Endpoint Security can be enabled by connecting SaaS
endpoint products such as Endpoint & Workload Security and Apex One as a Service
and moving their inventories to Trend Vision One. This allows devices and policies to be
managed directly from the Trend Vision One console.

Important: You can install a sensor on an endpoint without connecting the product to
Trend Vision One. In this case, you will only collect activity data.

Product Instance App
• Connect existing Trend products to Trend Vision One
• Create new instances of standard endpoint or server and workload protection
− Separates inventories of endpoints by instance
− Single Trend Vision One console to manage multiple instances of endpoint
security products
• Connecting products transfers all license information and relevant product data to
Trend Vision One

The Product Instance app connects existing Trend products to Trend Vision One.

It also allows the creation of instances of standard endpoint protection (Apex One as a
Service) and server and workload protection (Endpoint & Workload Security).

This allows the separation of endpoint inventories by instance. A single Trend Vision
One console can be used to manage multiple instances of endpoint security products.

Connecting products transfers all license information and relevant product data to
Trend Vision One.

Select product to connect

Expand Service Management and click the Product Instance app.

Click Add Existing Product and select the product from the Product Connection list.

Connecting Apex One as a Service

• Connect existing Apex One as a Service instances to Trend Vision One
• Collect security events from endpoints hosting an Apex One Security Agent
− Policies must be enabled on Security Agent to enable security features
• Optionally move the management of standard endpoint protection from the Apex
Central as a Service console to the Standard Endpoint Protection app
− Create additional instances of endpoint protection

Connect Apex One as a Service to collect security events from endpoints hosting an
Apex One as a Service Security Agent.
Important: policies must be enabled on the Security Agents to enable the different
security features (anti‐malware, web reputation, etc.).

Optionally, move the management of standard endpoint security from the Apex Central
as a Service console to the Standard Endpoint Protection app.

In the Product Instance app, click Add Existing Product.

In the right‐hand frame, select Trend Micro Apex One as a Service from the Product
Connection list.


An enrollment token is required to connect Apex One as a Service to Trend Vision One.

Click Click to generate the enrollment token.

Click the icon to copy the enrollment token and click Save.

Status displays as Pending until enrollment token registered

The product status displays as Pending until the enrollment token is registered.

Provide the Trend Vision One‐generated enrollment token

Log into Apex Central as a Service and click Trend Vision One > Integration Settings.
Paste the enrollment token from Trend Vision One and click Register.

Status displays as Connected

The registration process will take a couple of minutes. The status will display as
Connected when complete.

Endpoint inventory as displayed in Apex Central

Before connecting Apex One as a Service to Trend Vision One, the endpoint inventory
can be viewed in the Apex Central as a Service or Apex One as a Service consoles.

Endpoint inventory as displayed in Trend Vision One

Apex One as a Service instance displayed

The inventory of endpoints managed by Apex Central as a Service is now displayed in
the Trend Vision One Endpoint Inventory app. Remediation actions can be applied to
the endpoints, but at this point the management of the devices and policy assignment
is still done in Apex Central as a Service.

The Trend Micro Apex One SaaS server is listed in the Connected Endpoint Protection
Management section of the middle pane. The directory structure from Apex One as a
Service is duplicated in the protection manager.

Optionally, update to Trend Vision One Endpoint Security to move management of
endpoints from the Apex Central as a Service console to Trend Vision One

Move the entire inventory or a selection of endpoints for POC or trials

Optionally, update to Trend Vision One Endpoint Security to move management of
endpoints from the Apex Central as a Service console to Trend Vision One.

The entire inventory can be moved, or a selection of endpoints can be moved for POC
or trials before moving the rest of the inventory.

Click Trend Micro Apex One SaaS in the product instance list. In the Update Solution
window, you have the option to update to Trend Vision One Endpoint Security by
moving your inventory.
Accept the license agreement and click I Agree to Update.

If interested in moving a subset of the inventory, click the Try the new Endpoint
Security before updating link to be redirected to Online Help articles on the process.

Some important system considerations are displayed. Review the details and if you are
ready to proceed with moving the inventory of endpoints, click I understand how the
update will affect my system and agree to start the process, then Connect and
Transfer.


The status of Trend Micro Apex One SaaS will display as Updating. It will take a few
minutes to complete the operation.

Click Protection Manager in the list to edit and add a descriptive name

When complete, the name of the product will change to Standard Endpoint
Protection Manager. A protection manager reflects a collection of endpoints managed
by a single instance of a protection product.
Click the name in the list to change the display name.

Inventory of endpoints displayed for the selected Protection Manager

The newly renamed protection manager is displayed in the Endpoint Inventory app.

The Standard Endpoint Protection app is used to create policies for endpoints using the
same method as in Apex Central as a Service

Once the product is connected and the inventory moved to Trend Vision One, all
management tasks previously done in Apex Central as a Service are now done in Trend
Vision One.

Once Apex One as a Service is connected to Trend Vision One, endpoint policy
management operations previously performed in Apex Central can now be performed
in Trend Vision One.
The menu structure of Apex Central is replicated in the Standard Endpoint Protection
Manager section of the Vision One console.

Note that some Apex One operations like Global Settings and Firewall remain in the
Apex One console which can still be accessed.

While feature parity is maintained in the move to Trend Vision One, to conform to GUI
standards, some items may move to other menus, or are available in different apps.

Connecting Apex One (on‐premises)

• Connect existing on‐premises installations of Apex One to Trend Vision One
− Collect security events from endpoints hosting an Apex One Security Agent
− Policies must be enabled on Security Agent to enable security features
• Apex One must be connected to Apex Central
− Apex Central is the connection point into Trend Vision One
• Inventory of endpoints managed by Apex One is displayed in the Endpoint Inventory
app, but management remains in on‐premises Apex One/Apex Central consoles
• Response actions can be applied to devices from the Endpoint Inventory app

Connect Apex One (on‐premises) to collect security events from endpoints hosting an
Apex One Security Agent.
Important: policies must be enabled on the Security Agents to enable the different
security features (anti‐malware, web reputation, etc.).
Apex One must be connected to Apex Central, as Apex Central is the connection point
into Trend Vision One.
The inventory of endpoints managed by Apex One is displayed in the Endpoint
Inventory app, but management remains in the on‐premises Apex One/Apex Central
consoles.
Response actions can be applied to devices from the Endpoint Inventory app.

In the Product Instance app, click Add Existing Product.

In the right‐hand frame, select Trend Micro Apex Central On‐Premises from the
Product Connection list.


An enrollment token is required to connect Apex Central to Trend Vision One.

Click Click to generate the enrollment token.

Click the icon to copy the enrollment token and click Save.

Status displays as Pending until enrollment token registered

The product status displays as Pending until the enrollment token is registered.

Provide the Trend Vision One‐generated enrollment token

Log into Apex Central and click Trend Vision One > Integration Settings. Paste the
enrollment token from Trend Vision One and click Register.

Status displays as Connected

The registration process will take a couple of minutes. The status will display as
Connected when complete.


Optionally, click the name of the Apex Central instance in the Product Instance app and
type a display name to better identify this installation.

Open the Endpoint Inventory app. The Apex Central instance is displayed in the
middle frame as a Connected Endpoint Protection Manager. Expand the folder
structure to view the endpoints in the specific groups.


Apex One‐managed endpoints are displayed in the Trend Vision One inventory, but
management of the endpoints remains in the on‐premises Apex One/Apex Central
consoles. However, some response actions, such as isolating the endpoint, running a
remote script and starting a remote shell session to the endpoint are available from the
Endpoint Inventory app.

Connecting Cloud One
• Connect multiple Cloud One services to Trend Vision One with one enrollment token

In the Trend Vision One console, expand Service Management in the left‐hand pane
and click the Product Instance app.
Click Add Existing Product.

Select Trend Cloud One from the list.

Click to accept the Trend Micro agreement.

Click Click to generate the enrollment token.

Click the icon to copy the enrollment token and click Save.

Trend Cloud One displays as Pending

Log into Cloud One as an administrator with the appropriate permissions.

Click Integrations > Trend Vision One.
Click Register enrollment token.

Paste the enrollment token and click Register.

Multiple Trend Cloud One services display as Connecting

Services Connected

Trend Cloud One displays as Connected

Click to select which Cloud One service to enable

Connecting Cloud One – Endpoint & Workload Security

• Connect existing Endpoint & Workload Security instances to Trend Vision One
• Collect security events from servers and workloads hosting an Agent
− Policies must be enabled on Agent to enable security features
• Optionally move the management of server and workload security from the Cloud
One console to the Endpoint Security Operations apps
− Multiple instances of Endpoint & Workload Security supported
− Each Endpoint & Workload Security instance separate from others

Connect existing Endpoint & Workload Security instances to Trend Vision One to collect
security events from clients and servers hosting an Agent.
Policies must be enabled on the Agent to enable security features.

Optionally, move the management of server and workload security from the Cloud One
console to the Endpoint Security Operations apps. Multiple instances of Endpoint &
Workload Security are supported, and each Endpoint & Workload Security instance is
kept separate from the others.

Server and workload inventory as displayed in Endpoint & Workload Security

Server and workload inventory as displayed in Endpoint Inventory app

The inventory of endpoint servers and workloads is now displayed under the newly
created Server and Workload Protection Manager.

Remediation actions can be applied to the endpoints, but at this point the management
of the devices and policy assignment is still done in the Cloud One console.

The Trend Cloud One – Endpoint & Workload Security server is listed in the Connected
Endpoint Protection Management section of the middle pane. The group structure
from Endpoint & Workload Security is duplicated in the protection manager.

Optionally, update to Trend Vision One Endpoint Security to move management of
endpoints from the Endpoint & Workload Security console to Trend Vision One

Move the entire inventory or a selection of endpoints for POC or trials

Click the name of the Endpoint & Workload Security instance. Click the Update
Solution tab, click to accept the license agreement and click I Agree to Update.


Some important system considerations are displayed. Review the details and if you are
ready to proceed with moving the inventory of endpoints, click I understand how the
update will affect my system and agree to start the process, then Connect and
Transfer.

Once connected, the instance is listed under the name Server and Workload
Protection Manager ‐ <instance ID>.
Click Create Product Instance to create a new instance of a Server and Workload
Protection Manager.


The new instance is now listed in the Product Instance app.

When managing servers and workloads in the Server & Workload Protection app, select
the instance you would like to make changes to from the list at the top of the page.


Once Endpoint & Workload Security is connected to Trend Vision One, endpoint policy
management operations previously performed in Cloud One can now be performed in
Trend Vision One.
The menu structure of Endpoint & Workload Security is replicated in the Server &
Workload Protection Manager section of the Vision One console.

Create policies for servers and workloads managed by this Protection Manager using
the same method as in Endpoint & Workload Security

Connecting Deep Security Software

• Collect security events from servers protected by Deep Security hosting an Agent
− Policies must be enabled on Agent to enable security features
• Inventory of servers and workloads managed by Deep Security are displayed in the
Endpoint Inventory app, but management remains in Deep Security console
• Response actions can be applied to devices from the Endpoint Inventory app

Collect security events from servers protected by Deep Security hosting an Agent.
Policies must be enabled on the Agent to enable security features, for example,
anti‐malware, web reputation, etc.

The inventory of servers and workloads managed by Deep Security is displayed in the
Endpoint Inventory app, but management remains in the Deep Security console.

Response actions, including isolate endpoint, run custom script and start remote shell,
can be applied to devices from the Endpoint Inventory app.

In the right‐hand frame, select Deep Security Software from the Product name list.


An enrollment token prompt is displayed. Click the link to generate the enrollment
token.


The enrollment token is displayed. Click the icon to copy the enrollment token to the
clipboard. Click Save.


Click Connect and Transfer. Licensing details for Deep Security are transferred to Trend
Vision One.


Deep Security Software is listed as Pending in the console. The enrollment token must
be registered in Deep Security Manager before the listed expiry date and time.


Log into Deep Security Manager as an administrator with appropriate privileges. Click
Administration > System Settings. On the Trend Vision One tab, click Register
enrollment token.


Paste in the token saved to the text document. Click Register.

A Registration Successful message is displayed. Note that Forward security events to
Trend Vision One is enabled.


The Deep Security instance is now listed as Connected in the Trend Vision One console.
You will also see the URL used by Deep Security.

Deep Security software is now configured to submit security event telemetry to the
Trend Vision One Data Lake.
Note that security events will be saved in the Deep Security database and will also be
forwarded to the data lake for analysis.
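The enrollment‐token handshake is the same for Apex One as a Service, Apex Central, Trend Cloud One and Deep Security: the Product Instance app generates a token and shows the instance as Pending, the token is pasted into the product's console before its expiry, and the status becomes Connected. The Python model below is an added example of that lifecycle, not Trend Micro's implementation; the token format, the 24‐hour lifetime and the single‐use rule are assumptions made for illustration. It shows the properties a defender should expect of any such enrollment secret: a constant‐time comparison, rejection after the expiry shown in the console, and rejection of a token that is pasted a second time.

```python
"""Toy model of the enrollment-token handshake used to connect a product.

Added example; it is not Trend Micro's implementation. Assumptions: the token
is an opaque random string, it has a fixed lifetime, and it can be registered
exactly once. Time is passed in as a number of seconds so the flow can be
exercised without waiting for a real expiry.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_LIFETIME_SECONDS = 24 * 3600   # assumed; the console shows the real expiry


@dataclass
class ProductInstance:
    name: str
    status: str = "Not connected"        # Pending -> Connected, or Expired
    token: Optional[str] = None
    token_expires_at: float = 0.0
    token_used: bool = False


class EnrollmentService:
    """Stands in for the Product Instance app side of the handshake."""

    def __init__(self) -> None:
        self.instances: Dict[str, ProductInstance] = {}

    def add_existing_product(self, name: str, now: float) -> str:
        """'Add Existing Product' followed by 'Click to generate the enrollment token'."""
        inst = ProductInstance(name=name, status="Pending",
                               token=secrets.token_urlsafe(32),
                               token_expires_at=now + TOKEN_LIFETIME_SECONDS)
        self.instances[name] = inst
        return inst.token

    def register(self, presented: str, now: float) -> str:
        """What happens when the token is pasted into the product and Register is clicked."""
        for inst in self.instances.values():
            # Constant-time comparison: do not leak which prefix of the token matched.
            if inst.token is None or not secrets.compare_digest(inst.token, presented):
                continue
            if inst.token_used:
                return "Rejected: token already used"
            if now > inst.token_expires_at:
                inst.status = "Expired"
                return "Rejected: token expired"
            inst.token_used = True
            inst.status = "Connected"
            return f"Registration Successful: {inst.name}"
        return "Rejected: unknown token"

    def status(self, name: str) -> str:
        return self.instances[name].status


def demo_flow() -> Dict[str, str]:
    """Run the happy path, a replay and an expired token; return the final statuses."""
    svc = EnrollmentService()
    t_ds = svc.add_existing_product("Deep Security Software", now=0)
    svc.register(t_ds, now=120)            # registered two minutes later: Connected
    svc.register(t_ds, now=300)            # pasted again: rejected, still Connected
    t_ac = svc.add_existing_product("Apex Central", now=0)
    svc.register(t_ac, now=TOKEN_LIFETIME_SECONDS + 1)   # too late: Expired
    return {name: svc.status(name) for name in svc.instances}


if __name__ == "__main__":
    for name, status in demo_flow().items():
        print(f"{name}: {status}")
```

An instance that ends up in the Expired state has to be removed and re‐added to get a fresh token, which is the same recovery the guide implies when it says the token must be registered before the listed expiry date and time.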

Server and workload inventory as displayed in Endpoint Inventory app

In the Endpoint Inventory app, you will see your Deep Security instance listed under
Server & Workload Protection Management. Click the instance to view the inventory
of servers and workloads managed by Deep Security.

Deep Security‐managed servers and workloads are displayed in the Trend Vision One
inventory, but management of the endpoints remains in the Deep Security Manager
console. However, some response actions, such as isolating the endpoint, running a
remote script and starting a remote shell session to the endpoint, are available from the
Endpoint Inventory app.

Connecting Cloud App Security

• Collect security events from Microsoft Exchange and Gmail email accounts
protected by Cloud App Security
− Policies must be enabled in Cloud App Security to enable security features
• Provision service accounts before connecting to Trend Vision One

Trend Micro Cloud App Security is responsible for email protection on Exchange and
Gmail and collects security events from these. Policies must be enabled in Cloud App
Security to enable security features.
You must provision service accounts before connecting to Trend Vision One.

Cloud App Security and Trend Vision One in the same licensing account

Make sure that Trend Vision One and Cloud App Security are in the same licensing
account.

Provision service accounts before connecting to Trend Vision One

You must provision either the Microsoft Exchange Online or Google Gmail service
accounts before connecting to Trend Vision One.

Provision service account for Exchange Online

Hover over the Exchange Online service and click Provision.

Follow the listed steps:
• Grant permission for the Exchange API
• Grant permission to use the API to access the mailboxes
• Define which user mailboxes to synchronize, for example, by selecting groups or
individual mailboxes.

Provision service account for Google Gmail

For Gmail, hover over the Gmail account and click Provision.

Install the Cloud App Security app for Gmail. Click the link to be forwarded to the Google
store to install the app.

Click to install the Cloud App Security app on the Google account.

Click the link to grant the required permissions on the API to access the Gmail services.

Select the administrator account.

Click Allow to enable access to the Gmail services.

Once the services are connected, you can connect Cloud App Security.

In the Trend Vision One console, expand Point Product Connection in the left‐hand
pane and click the Product Instance app. You will see a list of the products currently
registered with Trend Vision One. Click Connect.

In the right‐hand frame, select Cloud App Security from the Product name list. Select
the service to be monitored by Trend Vision One (Microsoft Exchange or Google Gmail).

Cloud App Security will now be listed as Connected in the Trend Vision One console.

Connecting a Service Gateway

Trend Vision One Service Gateway


• Optional component that enables connections to other
systems and devices through a collection of services
• Creates an infrastructure of sharing
• Serves as a proxy between on‐premises solutions (Trend
Micro or third party) and Trend Vision One
− Facilitates communication back to cloud services
• Creates a single update source for all products

Creates an infrastructure of sharing by allowing connections between Trend Vision One
and other Trend Micro or third‐party products.
Serves as a proxy between on‐premises solutions and facilitates communication back to
Smart Protection cloud services.
Creates a single local update source for all products.

Trend Vision One Service Gateway

The Service Gateway is made up of two components:

Service Gateway Inventory: This application sits in the cloud and provides a list of the
Service Gateways in the environment. You could have multiple gateways for multiple
locations or data centers.

Virtual Appliance: Provides the service to the applications.

The Trend Vision One Service Gateway is provided as a virtual appliance for VMware or
Microsoft Hyper‐V and can be downloaded from the Trend Vision One console.
Administrators install the virtual appliance, add the device to the Service Gateway
Inventory, then configure the service settings in the Trend Vision One console.

Service Gateway Services

• ActiveUpdate
• Smart Protection Services
• Suspicious Object Exchange
• On‐premises Directory Connection
• Syslog Connector
• Zero Trust Secure Access On‐Premises Gateway
• TippingPoint Log Forwarding
• MISP Threat Intelligence Connector
• Connect Rapid7 ‐ Nexpose
• Connect Tenable Nessus Pro
• Forward Proxy
• TippingPoint Policy Mgmt

A Service Gateway can help reduce network bandwidth in a hybrid network by serving
as a proxy between connected applications and Trend Vision One.
The Trend Vision One Service Gateway enables a variety of capabilities within the
infrastructure. Components and services are installed on an as‐needed basis.

ActiveUpdate: Service Gateways can serve on‐premises Trend Micro products with
pattern updates to reduce outgoing internet traffic. On‐premises products making use
of this capability include Apex One, Deep Security software and Deep Discovery
Inspector. This can eliminate the need for Apex One Update Agents or Deep Security
Relay Agents.

Smart Protection Services: Service Gateways allows on‐premises Trend Micro products
and services to integrate with Smart Protection Services, including:
• File Reputation
• Web Reputation
• Certified Safe Software
• Predictive Machine Learning
• Mobile App Reputation

Suspicious Object Exchange: When enabled, Trend Vision One can integrate with third‐
party applications, such as Blue Coat, Checkpoint, and Palo Alto Networks, through the
Service Gateway.

On‐premises Directory Connection: Once enabled, the Service Gateway can help send
objects and activity data from an on‐premises Active Directory server or OpenLDAP to
Trend Vision One. This service is required to set up Active Directory (on‐premises) and
OpenLDAP in the Third‐Party Integration app.

Syslog Connector: Enables sharing data from Trend Vision One with your local syslog
server.

Zero Trust Secure Access On‐Premises Gateway: Zero Trust Secure Access Internet
Access is a forward proxy service that protects end users from malicious activity on the
internet. In addition to the Cloud Gateway, the on‐premises gateway also provides a
flexible option to deploy one or more local on‐premises gateways in your organization's
network as a hybrid protection solution.

TippingPoint Log Forwarding: Service Gateways enable log forwarding from
TippingPoint Security Management System 5.5 Patch 1 and above to Trend Vision
One for correlation and analysis. Log forwarding from other products is coming.

MISP Threat Intelligence Connector: Service Gateways retrieve data from MISP to
generate custom MISP intelligence reports.

Rapid7 – Nexpose: When enabled, this service allows the Service Gateway to send
device and vulnerability data from the Rapid7 server to Trend Vision One.

Connect Nessus Pro: A Service Gateway service has been added to allow the connection
to Tenable Nessus Pro for incorporating vulnerability scan results.

Forward Proxy: Allows agents on endpoints with no direct access to the internet to use
the Service Gateway as a proxy to reach Trend Vision One.

TippingPoint Policy Management: When enabled, this service allows the network
Prevention app to modify TippingPoint policy configurations to mitigate CVEs.

Suspicious Object List Synchronization: Once enabled, the Service Gateway can send
the Suspicious Object List in the Threat Intelligence app to connected Trend Micro
products, which can also upload the Virtual Analyzer Suspicious Object List and reports
to the Service Gateway.

No additional license is required for the Service Gateway.

To begin the process of connecting the Service Gateway, you must first download the
Virtual Appliance.

Expand Workflow and Automation and click the Service Gateway Inventory app. Click
Download Virtual Appliance.

Download the image for the Service Gateway virtual appliance
Copy the Registration Token

Download the appropriate version of the appliance and copy the registration token. The
token will be required later to enable the gateway.

Create a new virtual machine in VMware or Hyper‐V using the downloaded image
Will be detected as CentOS 4/5 (64‐bit) or later

Create a new virtual machine in VMware or Hyper‐V using the downloaded image.
The virtual appliance will be detected as CentOS 4/5 (64‐bit) or later.

Connecting a Service Gateway

Log into the Service Gateway virtual appliance
You will be prompted to change the default password
Issue enable command to begin configuration

Start the virtual machine. When prompted, log in with the default username of admin
and default password of V1SG@2021. You will be prompted to change the default
admin password.

Type enable to enter configuration mode. The command prompt changes to #.

Connecting a Service Gateway


• Typical commands to configure and enable the Service Gateway
enable
configure network primary ipv4.static <interface> <ip> <gateway> <dns1>
register <registration_token>
connect
exit

Hint: use PuTTY to connect to the Service Gateway using SSH to paste the registration token in the
register command

Commands you will need include:
enable
configure network primary ipv4.static <interface> <ip> <gateway> <dns1>
register <registration_token>
connect
exit

Note that the IP address must include its CIDR prefix length (for example,
192.168.4.8/24).

View the full list of CLI commands at:
https://docs.trendmicro.com/en-us/enterprise/trend-micro-vision-one/inventory-management_001/service-gateway-inve_001/getting-started/deploying-a-service-/service-gateway-cli-_001.aspx
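The values typed into the configure network command are easy to get wrong in a console session (a forgotten prefix length, a gateway that is not in the appliance's subnet), and the appliance then cannot reach Trend Vision One to register. The following is an added example, not Trend Micro's code and not part of the Service Gateway CLI: it checks the four network arguments and assembles the command sequence listed above. It assumes interface names look like Linux interface names (eth0 style) and uses a placeholder registration token.

```python
"""Pre-flight check for the Service Gateway CLI network configuration.

Added example, not Trend Micro code. It validates the arguments of
  configure network primary ipv4.static <interface> <ip> <gateway> <dns1>
before they are typed into the appliance console and assembles the command
sequence shown in the guide. The interface-name format (eth0 style) and the
registration token value below are assumptions/placeholders.
"""
import ipaddress
import re
from typing import List

# Assumption: appliance interface names look like Linux interfaces (eth0, ens192).
_IFACE_RE = re.compile(r"^[a-z][a-z0-9]{1,14}$")


def validate_static_network(interface: str, ip_cidr: str, gateway: str, dns1: str) -> List[str]:
    """Return a list of problems; an empty list means the arguments are consistent."""
    problems: List[str] = []

    if not _IFACE_RE.match(interface):
        problems.append(f"interface '{interface}' does not look like a network interface name")

    # The guide requires the CIDR prefix length on the address, e.g. 192.168.4.8/24.
    if "/" not in ip_cidr:
        problems.append(f"ip '{ip_cidr}' is missing the CIDR prefix length (for example /24)")
        return problems
    try:
        iface = ipaddress.IPv4Interface(ip_cidr)
    except ValueError as exc:
        problems.append(f"ip '{ip_cidr}' is not a valid IPv4 address/prefix: {exc}")
        return problems

    net = iface.network
    # In a normal subnet the network and broadcast addresses are not usable host addresses.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"ip {iface.ip} is the network or broadcast address of {net}")

    for label, value in (("gateway", gateway), ("dns1", dns1)):
        try:
            addr = ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"{label} '{value}' is not a valid IPv4 address")
            continue
        if addr.is_unspecified or addr.is_multicast or addr.is_loopback:
            problems.append(f"{label} {addr} is not a usable unicast address")
        if label == "gateway":
            if addr not in net:
                problems.append(f"gateway {addr} is not inside {net}; the appliance could not reach it")
            elif addr == iface.ip:
                problems.append("gateway is the same as the appliance's own address")
    return problems


def build_command_sequence(interface: str, ip_cidr: str, gateway: str, dns1: str, token: str) -> List[str]:
    """Assemble the CLI session from the guide; raise ValueError if the arguments fail the check."""
    problems = validate_static_network(interface, ip_cidr, gateway, dns1)
    # A token pasted with a line break or trailing space will not register.
    if not token or any(ch.isspace() for ch in token):
        problems.append("registration token is empty or contains whitespace (paste error?)")
    if problems:
        raise ValueError("; ".join(problems))
    return [
        "enable",
        f"configure network primary ipv4.static {interface} {ip_cidr} {gateway} {dns1}",
        f"register {token}",
        "connect",
        "exit",
    ]


if __name__ == "__main__":
    # Constructed values; "<registration_token>" is the guide's placeholder, not a real token.
    for line in build_command_sequence("eth0", "192.168.4.8/24", "192.168.4.1", "192.168.4.53", "<registration_token>"):
        print(line)
```

Run the check before opening the SSH session; the printed lines are what you paste into the appliance console once the admin password has been changed.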

Click icon under Action to configure the Service Gateway
New Service Gateway listed in the inventory

The new Service Gateway will be listed in the inventory. Click the gear icon under
Action to configure the Service Gateway.

Will be automatically updated the next time you log in after the indicated update time
Lists Trend Vision One certificate details, used to secure the connection with the Service Gateway
Acts as an HTTPS proxy to direct certain traffic from on‐premises products to Trend Vision One hosted services

The Service Gateway will be automatically updated the next time you log in after the
indicated update time.
The details of the digital certificate used to secure the connection between Trend
Vision One and the Service Gateway are displayed.
The Cloud Service extension acts as an HTTPS proxy to direct certain traffic from your
on‐premises products to Trend Vision One hosted services.

Click the Service Gateway in the list to enable or disable the services it provides

Click the Service Gateway in the list to enable or disable the services it provides.

Click Manage Services to enable services as needed

Click Manage Services.

Click to download then enable any additional services provided by this Service Gateway

Any services installed for the Service Gateway are listed. Click to download then enable
any additional services provided by this Service Gateway.

Some services may require the API key to authenticate connections between Trend Micro products and the Service Gateway

Suspicious Object List Synchronization, Log Forwarding, and Forward Proxy services
require the API key to authenticate connections between Trend Micro products and the
Service Gateway. You can view the API key by clicking View API Key from the Service
Gateway Inventory list.
Click the Copy API key icon.

Smart Protection Service through the Service Gateway


• Download and install the Smart Protection Services service
on the Service Gateway
• Update your Trend Micro products to use the Service
Gateway for Smart Protection Services
− Provide the IP address of Service Gateway under Locally installed
Smart Protection Server

For Trend Micro products to make Smart Protection queries against the Smart
Protection Server in the Service Gateway, configure the Smart Protection Server in your
product's console using the Service Gateway's setting.
The Trend Micro products that can make use of the Service Gateway for Smart
Protection Service are listed in the documentation at:
https://docs.trendmicro.com/en-us/enterprise/trend-micro-vision-one/common-apps/service-gateway-inve_001/service-gateway-sps-.aspx

ActiveUpdate through the Service Gateway


• Download and install the ActiveUpdate service on the
Service Gateway
• A new URL must be provided to your on‐premises products
(Apex One, Deep Security, Deep Discovery Inspector) to use
the Service Gateway for ActiveUpdate
− URLs required by each product will be displayed in the Trend Vision
One console

The Service Gateway can also serve as a local ActiveUpdate server to reduce outgoing
internet traffic.
An updated URL must be provided to Apex One, Deep Security or Deep Discovery
Inspector to redirect to the Service Gateway for ActiveUpdate.

The Service Gateway is also used to enable the third‐party integrations listed here

Third‐party integrations also take advantage of the Service Gateway.
The Service Gateway is required to enable the third‐party integrations listed in this
image.

Connecting Web Security

Connecting Web Security


• Collect and analyze web activities
− Determine the web applications and websites being
accessed by managed users and devices in and outside the
corporate network
• Serves as a data source for the Executive Dashboard app

Trend Micro can analyze web activities and determine the web applications and
websites being accessed by managed users and devices in and outside your corporate
network.

Web Security serves as a data source for the Executive Dashboard app.

Trend Vision One has an auto‐onboarding function that automatically connects Web
Security to Trend Vision One if both products are in the same licensing account.

Select Trend Micro Web Security from the Product name list.

Connecting Deep Discovery Inspector

Network Sensor
• Collect security events from the network

On‐premises Virtual Network Sensor
Deep Discovery Inspector (VMware or RHEL KVM)

An on‐premises Deep Discovery Inspector can act as the network sensor, or a virtual
network sensor can be used.

Network Inventory Service


• Network Inventory Service is the connector and entry point for Deep
Discovery Inspector and Network Inspector Devices to integrate with
Trend Vision One
• Allows you to manage network sensors from Trend Vision One
console
• Network Inventory Service includes Inventory and Network Analytic
service

The Network Inventory Service is the connector and entry point for Deep Discovery
Inspector and Network Inspector Devices to integrate with Trend Vision One.
It allows administrators to manage network sensors from the Trend Vision One console.
Network Inventory Service includes the Inventory and Network Analytic service.

Expand Network Security Operations and click the Network Inventory app.
Click the Deep Discovery Inspector Appliances tab.
If a credit consumption message is displayed, click Close.

Select New Appliance and deploy the virtual appliance, or Deployed Deep Discovery Inspector and specify the details of the on‐premises device

Select whether you are going to deploy a new Deep Discovery Inspector (by deploying
the virtual appliance) or connect to an existing on‐premises Deep Discovery
Inspector device.
A new Deep Discovery Inspector can be deployed as a virtual appliance on VMware or
Hyper‐V or as a virtual appliance on AWS.

In this example, we are connecting an existing Deep Discovery Inspector device. Select
the appropriate version number of the device and provide the device's IP address or
FQDN.

Click Go to be redirected to the Deep Discovery Inspector device.

Log into the Deep Discovery Inspector console

You are redirected to the Deep Discovery Inspector login page. Provide the credentials
for an administrator with the appropriate permissions.

Continue with the registration

Click Continue to proceed with the registration.

Test the connection to Trend Vision One

Once registration is successful, click Test Connection. If successful, continue the
process.

Connect Deep Discovery Inspector to a Service Gateway to enable:
• ActiveUpdate
• Smart Protection Services
• Suspicious Object List synchronization

Return to Network Inventory app
Deep Discovery Inspector now online and connection is healthy

Return to the Network Inventory app; the Deep Discovery Inspector device should be
displayed.

You can optionally connect Deep Discovery Inspector to a Service Gateway to enable the
ActiveUpdate, Smart Protection Services and Suspicious Object List synchronization
services on the device.

Each Deep Discovery Inspector device requires a unique GUID to connect with Trend
Vision One.
Each Deep Discovery Inspector device requires a unique license code to connect with
Trend Vision One.

Finally, select the Deep Discovery Inspector device in the list and click Connect Service
Gateway.

Connecting TippingPoint SMS

Connecting TippingPoint SMS


• Enables detection and log sharing from TippingPoint SMS
• Provides suspicious object propagation to the network device
• Network Device Sharing allows Trend Vision One to display the
TippingPoint device inventory
• Requires Service Gateway and appropriate services enabled for
suspicious object sharing and network intrusion prevention data
sharing

Connecting the TippingPoint IPS device with Trend Vision One enables detection and
log sharing as well as suspicious object propagation to the network device. Network
Device sharing allows Trend Vision One to display the TippingPoint device inventory.

Note: Detection and log sharing requires SMS 5.5.0 Patch 1.

This connection leverages the Service Gateway, which acts as a proxy between Trend
Vision One and the TippingPoint device. The Service Gateway polls Trend Vision One
on a regular basis to retrieve suspicious objects, and likewise the TippingPoint
management console polls the Service Gateway for the same list. All supported objects,
including IPv4, IPv6, DNS and URL, are stored in the SMS Reputation database, which
is then synchronized with the device for potential enforcement through
blocking rules.

Network Device Sharing requires the Service Gateway API key.
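Because the objects that reach the SMS Reputation database are enforced through blocking rules, a defender wants to know that every entry in a synchronized list really is one of the four supported kinds (IPv4, IPv6, DNS, URL) and that nothing malformed slips in. The following is an added example, not Trend Micro's code: it classifies a list of candidate indicators into those four types and flags the rest as unsupported. The sample objects are constructed (documentation address ranges and .example names), and the actual export format of the Suspicious Object List is not described in this guide.

```python
"""Type check for suspicious objects before they reach an enforcement database.

Added example, not Trend Micro code. The guide states that the objects passed
through the Service Gateway to the SMS Reputation database are IPv4, IPv6, DNS
and URL entries; this helper classifies a list of candidate indicators into
those four types and flags anything else as unsupported. The sample list at
the bottom is constructed; the real export format of the Suspicious Object
List is not described in this guide.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

SUPPORTED_TYPES = ("IPv4", "IPv6", "DNS", "URL")

# One DNS label: 1-63 characters of letters, digits or hyphens, not starting
# or ending with a hyphen. A domain needs at least two labels.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(r"^(?:" + _LABEL + r"\.)+" + _LABEL + r"\.?$")


def classify_object(value: str) -> str:
    """Return 'IPv4', 'IPv6', 'DNS', 'URL' or 'unsupported' for one indicator."""
    value = value.strip()
    if not value:
        return "unsupported"
    # Bare addresses first, so that "203.0.113.7" is not mistaken for a domain.
    try:
        addr = ipaddress.ip_address(value)
        return "IPv4" if addr.version == 4 else "IPv6"
    except ValueError:
        pass
    # Anything with a scheme is a URL candidate; only web URLs are accepted.
    if "://" in value:
        parts = urlsplit(value)
        if parts.scheme.lower() in ("http", "https") and parts.hostname:
            return "URL"
        return "unsupported"
    # Remaining candidates must be syntactically valid domain names.
    if len(value) <= 253 and _DOMAIN_RE.match(value):
        return "DNS"
    return "unsupported"


def bucket_objects(objects: List[str]) -> Dict[str, List[str]]:
    """Group indicators by type; the 'unsupported' bucket is what needs review."""
    buckets: Dict[str, List[str]] = {t: [] for t in SUPPORTED_TYPES}
    buckets["unsupported"] = []
    for obj in objects:
        buckets[classify_object(obj)].append(obj.strip())
    return buckets


# Constructed sample list (documentation ranges and .example names, not real indicators).
SAMPLE_OBJECTS = [
    "203.0.113.7",
    "2001:db8::1",
    "malicious.example.com",
    "https://malicious.example.com/dl/payload.bin",
    "ftp://files.example.com/x",   # non-web scheme: not one of the four types
    "not a domain",                # free text: would be rejected by the database
]

if __name__ == "__main__":
    for kind, items in bucket_objects(SAMPLE_OBJECTS).items():
        print(f"{kind:<12} {len(items):>2}  {items}")
```

Anything that lands in the unsupported bucket should be reviewed before the list is handed to a device for blocking; a typo in a domain or a URL with a non-web scheme silently reduces coverage rather than failing loudly.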

Install the following Service Gateway services:
• TippingPoint log forwarding
• Forward proxy
• TippingPoint policy management
• Suspicious Object List synchronization

Install the following Service Gateway services:

• TippingPoint log forwarding
• Forward proxy
• TippingPoint policy management
• Suspicious Object List synchronization

Note: ensure the device hosting the Service Gateway has sufficient resources to handle
the system requirements for the selected services.

The TippingPoint integration requires a Service Gateway. Expand Workflow and
Automation and click the Service Gateway Inventory app. If a Service Gateway is
installed, copy the API key. You might want to paste it into a text document for use
later.

Must connect TippingPoint SMS to a Service Gateway for suspicious object sharing and network intrusion prevention data sharing
If Network Device Sharing is required, generate an enrollment token to provide within TippingPoint SMS

In the Trend Vision One console, expand Service Management in the left‐hand pane
and click the Product Instance app. You will see a list of the products currently
registered with Trend Vision One. Click Add Existing Product. Select TippingPoint
Security Management System.

The Connect Product pane describes the process for connecting TippingPoint to the
Service Gateway. Each Service Gateway can only connect to one TippingPoint SMS
console. For customers with multiple TippingPoint SMS consoles, you must deploy
additional Service Gateways.

If Device Inventory Sharing is required, click Generate an enrollment token. This token
will be pasted into the TippingPoint console to allow the TippingPoint device details to
be displayed in the Trend Vision One console.

The “Integrating TippingPoint SMS” paragraph on the Product Connection window is
outdated.

Copy the enrollment token to provide within TippingPoint SMS

Copy the enrollment token to provide within TippingPoint SMS.

TippingPoint SMS shows as Pending in the Product Instance list

TippingPoint SMS shows as Pending in the Product Instance list.

In TippingPoint SMS click Administration > Trend Micro Connections

Log into the TippingPoint SMS console and click Administration > Trend Micro
Connections.

If Device Inventory Sharing is required, enter the Enrollment Token
Enter the Service Gateway IP Address and API Key to connect the device to TippingPoint and test the connection
Enable the required services provided by TippingPoint

Click Configure.
• If Device Inventory Sharing is required, enter the Enrollment Token.
• Provide the Service Gateway IP Address and API Key.
• Enable Suspicious Object synchronization, Event and File Status Sharing and Device
Inventory Sharing as required.
Click Test Connection.

If the connection test is successful, click Save.

TippingPoint SMS now displays as connected.

The TippingPoint devices are now displayed on the Inventory tab of the Network Intrusion Prevention app

Click the Network Intrusion Prevention app. On the Inventory tab, the TippingPoint
devices are displayed.

Configurations are Important


• View best practices documentation online

Products are secure on install but can always be tuned to be more secure based on
customer needs. View the best practices document at:
https://success.trendmicro.com/solution/1118282-compilation-of-best-practices-while-using-trend-micro-products-for-business

Demo:
Connecting Trend Micro Products

Lesson Review

1. What is the benefit of connecting your Trend Micro products to Trend Vision One?
2. What is the benefit of updating endpoint SaaS products to Trend Vision One Endpoint Security?
3. Why would you install a Trend Vision One Service Gateway in your environment?

Hands‐on Labs
Lab 1: Preparing the Trend Vision One Lab Environment
(page 1)

Your Tasks
• Register for a Trend Vision One trial and access the lab
virtual application

Estimated time to complete these labs: 20 minutes

Hands‐on Labs
Lab 2: Connecting Deep Security Software (page 17)

Your Tasks
• Register and connect Deep Security Software with your
instance of Trend Vision One

Estimated time to complete these labs: 30 minutes

Hands‐on Labs
Lab 3: Deploying a Service Gateway (page 31)

Your Task
• Configure and activate the Service Gateway in the lab
environment

Estimated time to complete these labs: 30 minutes

Lesson 4:
Installing Sensors

Lesson Objectives
After completing this lesson, participants will be able to:
• Describe the use of the Trend Vision One sensors
• Connect endpoint sensors
• Connect email sensors
• Connect network sensors
• Connect Web sensors

After completing this lesson, participants will be able to:
• Describe the use of the Trend Vision One sensors
• Create endpoint groups and policies
• Connect endpoint sensors
• Connect email sensors
• Connect network sensors
• Connect Web sensors

Enabling endpoint sensors

Security Events: generated by protection modules such as anti‐malware, virtual patching/IPS, Web reputation…
Activity: internal system activities such as registry changes, user creation/deletion, cronjobs and scheduled tasks, processes starting/stopping, software installed/removed…

Enable sensors to receive activity data


We mentioned earlier that both security events and activity were sent to the Trend
Micro data lake.
Connecting the product to Trend Vision One enables security events collected by agents
managed by that product to be sent to the data lake.

Enable sensors to collect activity data.

Sensors do not provide any protection

Important note:
The sensors do not provide any protection. They are designed to forward activity data
to the data lake.

Connecting Endpoint Sensors

Displays a list of endpoint clients and servers and the features enabled, for example, the Endpoint Sensor and/or Advanced Risk Telemetry

The Endpoint Inventory app displays a list of client endpoints and servers and the
features enabled, for example, the Endpoint Sensor and/or Advanced Risk Telemetry.

Endpoint Basecamp
• Endpoint Basecamp acts as a plug‐in manager
− Mechanism to deploy endpoint applications
• Two applications deployed through Endpoint Basecamp
− Endpoint Sensor
− Advanced Risk Telemetry

How will the endpoint sensor get onto the endpoint?

Trend Micro Endpoint Basecamp is a program running on the endpoint to provide a
channel for Trend Micro to deploy endpoint applications. When a customer wants to
deploy more endpoint applications, Endpoint Basecamp downloads the endpoint
application package from the Trend Micro backend and installs it. The customer does not
need to do another agent deployment for the new endpoint application.
You can think of Endpoint Basecamp as a plug‐in manager. It is the mechanism to
deploy endpoint applications.
There are currently two applications that can be installed through Endpoint Basecamp:
• Endpoint sensor
• Advanced Risk Telemetry

Trend Micro Endpoint Basecamp also provides the essential but lightweight common
functions to endpoint applications, which includes the following:
• Authentication: Trend Micro service and endpoint application can authenticate with
each other through Endpoint Basecamp's authentication mechanism.
• Application performance data: Endpoint Basecamp collects agent process
performance data and crash counts for further development enhancement.

Installing Endpoint Basecamp


• Included with current Apex One as a Service Security Agent installation
package
• Can be added to Deep Security Agent Deployment script
• Can be added through a script for Deep Security Agents already
deployed
• Can be downloaded and installed as a separate services package from
the Trend Vision One console
• Can be downloaded and installed from a package containing both the
security agent and Endpoint Basecamp from the Trend Vision One
console

You can install Endpoint Basecamp in different ways:
• Endpoint Basecamp is included with current Apex One as a Service Security Agent
installation packages created in Apex Central.
• Endpoint Basecamp can be installed through the Deep Security Agent Deployment
script.
• If the Deep Security Agents are already deployed, you can create a script to just
install Endpoint Basecamp.
• Endpoint Basecamp can be downloaded and installed as a separate services package
from the Trend Vision One console. This is useful for machines already hosting a
security agent, or for unmanaged endpoints or servers.
• Endpoint Basecamp can be downloaded and installed from a package containing both
the security agent and Endpoint Basecamp from the Trend Vision One console.

233
Trend Vision One XDR Training for Certified Professionals ‐ Student Guide

Advanced Risk Telemetry

• Available on supported Windows operating systems
• Detects vulnerabilities on Windows, certain Microsoft Office products, Adobe Acrobat
and Google Chrome
• Identifies high-priority at-risk vulnerabilities
• Results are displayed in the Operations Dashboard app

Trend Micro analyzes your environment to identify high-priority at-risk vulnerabilities
in your organization, combining global activity data, CVE information and local
detection activity to produce a customized vulnerability detection score for each
endpoint.

The Operations Dashboard assesses endpoint data to determine which endpoints have
exploitable vulnerabilities and whether threat actors have already attempted to exploit
the at-risk endpoints. After comparing the endpoint activity data with global exploit
activity statistics, the Operations Dashboard prioritizes the endpoints that require the
most urgent attention.

Endpoint Basecamp Services

The services included in the Endpoint Basecamp package are displayed under Windows
Services:
• Trend Micro Cloud Endpoint Telemetry Service
• Trend Micro Endpoint Basecamp
• Trend Micro Web Service Communicator

In this example the endpoint is unmanaged: the only Trend Micro services running are
the Endpoint Basecamp services.
Cloud One – Endpoint & Workload Security Activity Monitoring

• The Activity Monitoring protection module can be enabled in a policy to act as an
endpoint sensor
• The standalone Endpoint Sensor provides enhanced telemetry
• Connecting a standalone sensor overrides the Activity Monitoring protection module

Endpoint Inventory

Endpoints managed in Endpoint Inventory can include the following variations:
• Windows and Mac client computers hosting an Apex One as a Service Security Agent
-> Connect sensor
• Windows and Mac client computers without an Apex One as a Service (or Apex One
on-premises) Security Agent -> Install Endpoint Basecamp -> Connect sensor
• Windows and Linux servers hosting an agent managed by Deep Security Software ->
Install Endpoint Basecamp -> Connect sensor
• Windows and Linux servers hosting an agent managed by Cloud One – Endpoint &
Workload Security -> Enable the Activity Monitoring protection module, OR install
Endpoint Basecamp and connect a standalone sensor
• Windows and Linux servers without an agent -> Install Endpoint Basecamp ->
Connect sensor

For Apex One as a Service:

Endpoint Basecamp is included in the Security Agent installation package downloaded
from Apex Central. There is no need to install the Endpoint Basecamp services
separately.

For Deep Security Software:

If no Deep Security Agent is currently installed, Endpoint Basecamp can be included in
the Agent deployment script once Trend Vision One is connected.

For Deep Security Software:

If a Deep Security Agent is already installed on an endpoint, an Endpoint Basecamp
installation script can be created in Deep Security once Trend Vision One is connected.
Select the operating system from the Platform list and save the script to a file or copy
it to the clipboard and paste it into your preferred deployment tool.

Note that Forward security events to Trend Vision One is enabled. Events collected
from protection modules are sent to the data lake when this is enabled.

For Cloud One – Endpoint & Workload Security:

Create policies with Activity Monitoring enabled. Any servers hosting agents with the
Activity Monitoring protection module enabled in a policy forward activity telemetry to
the data lake; however, the standalone endpoint sensor provides enhanced telemetry.
In the Endpoint Inventory, an information icon (Action is required on this endpoint) is
displayed for any endpoint requiring attention.
The Recommended Action pane provides suggestions on what can be done to improve
your security posture. In this case no sensor was detected, so the suggested action is
to install Endpoint Basecamp, and the pane offers the option to download the Endpoint
Basecamp installer for the selected endpoint.
Specific installer packages can also be downloaded directly.
Create an installer containing both the security agent and Endpoint Basecamp

The Agent Installer window enables the download of a package that installs both the
security agent for the endpoint type and OS and Endpoint Basecamp. Select the type
of endpoint (standard end-user endpoints, or servers and workloads), the operating
system, and the Protection Manager the security agent will report to.
Download the package and run it on the endpoints; both the correct security agent and
the Endpoint Basecamp service will be installed on that device.

Download the Endpoint Basecamp only package for the operating system

If the endpoint already has a security agent or is not managed by a Trend Micro
product, you can still collect activity data by installing the Endpoint Basecamp services
on the device and enabling the sensor.
Select the Endpoint Basecamp package for the operating system of the client or server
from the Agent Installer tab in the Endpoint Inventory app and download it to a
location accessible by the endpoints.

Install the Endpoint Basecamp services on the unmanaged clients or servers

Run the Endpoint Basecamp installer on the unmanaged computer requiring a sensor.

Uninstalling Endpoint Basecamp

If Endpoint Basecamp must be removed from an endpoint, an Uninstall tool is available
on request from Trend Micro Support.

Setting Default Sensor Settings

• Apply security settings to your endpoints automatically (standard endpoint, server &
workload, or sensor only)
• Enable Endpoint Sensor to send activity data for state-of-the-art threat detection
and alerting
• Enable Advanced Risk Telemetry to analyze endpoints for potential security posture
weaknesses and perform vulnerability assessments

In the Endpoint Inventory, click Settings and select Default Sensor Settings.

Configure sensor settings separately for standard endpoints, for servers and
workloads, and for systems with a sensor only (unmanaged devices). Global sensor
settings are also configured here.

Endpoint Basecamp on macOS

To enable Endpoint Sensor on the Mac, specific permissions must be configured. Once
the Mac endpoint is detected by Trend Vision One and the endpoint sensor application
is installed through Endpoint Basecamp, a Permissions window is displayed on the
Mac and users can follow the directions to allow the required system extensions and
permissions.

Endpoint Activity Data Points

These are the data fields collected by the Endpoint Sensor. Click the link on the slide to
open the Online Help topic with these details. We will see more about the General
fields in a later lesson.

Credit Usage - Endpoints

Each client/server endpoint sensor requires 20 credits per device for the default 30
days of data retention. Data can be retained for a longer period, but credit usage will
be higher.

Take advantage of the Risk Insights app and tools to identify endpoints that are not
currently reporting activity or are missing crucial protection modules

It is important to have sensors on all devices to ensure full coverage of activities; you
will improve your analysis with full coverage. In this example, of the 600 endpoints
discovered in the environment, 588 have no security agent protection and 589 have no
endpoint sensor deployed. You can improve protection of these endpoints by adding a
security agent with appropriate policies to protect them from various threats and
malware.

Demo: Installing Endpoint Sensors

Enabling Email Sensors

Cloud App Security has already been connected and the Exchange Online service deployed

Once Cloud App Security has been connected to Trend Vision One, you can access the
Email Account Inventory app. There is a tab for each email account type (Exchange
Online and Gmail).

Email Activity Data Points

These are the data fields collected by the Email Sensor. Click the link to view the
Online Help topic on this subject. We will see more about the General fields in a later
lesson.

Credit Usage - Email

Email sensors require three credits per email account for 180 days of data retention.

Enabling Network Sensors

• Provision a Deep Discovery Inspector device (if not already available)
• Connect Deep Discovery Inspector to Trend Vision One
• Install and configure a Service Gateway if ActiveUpdate, Smart Protection Services or
Suspicious Object List Synchronization are required
• Connect Deep Discovery Inspector to the Service Gateway

The network sensor is enabled as soon as Deep Discovery Inspector is connected; no
additional steps are required for the sensor itself. The Service Gateway steps are only
needed when the services listed above are required.

Network Activity Data Points

These are the data fields collected by the Network Sensor. Click the link to view the
Online Help topic on this subject. We will see more about the General fields in a later
lesson.

Credit Usage – Network Sensors

Network sensors require 25,000 credits per Gbps of data transfer for 180 days of data
retention.

Enabling Web Sensors

• The Web sensor serves as a data source for Activities and behaviors, Cloud App
Activity and Threat detection in the Executive Dashboard app
• Requires Trend Micro Web Security to be added through the Product Instance app

In the Executive Dashboard app, click Data Source. In the Trend Micro Security Services
category, click Trend Micro Web Security. In the right-hand pane, click to enable the
Web sensor. (Trend Micro Web Security must be added through the Product Instance
app first.)

Web Activity Data Points

These are the data fields collected by the Web Sensor. We will see more about the
General fields in a later lesson.

Lesson Review

1. What is the purpose of Trend Micro Endpoint Basecamp?
2. What is the purpose of the Advanced Risk Telemetry component?
3. How is Endpoint Basecamp installed on endpoints managed by Deep Security? Apex
One as a Service? Apex One (on-premises)? Cloud One - Endpoint & Workload
Security?

Hands-on Labs
Lab 4: Deploying Endpoint Sensors (page 37)

Your Task
• Configure the Windows computers in the lab environment to report their security
events and/or activity data to Trend Vision One

Estimated time to complete these labs: 20 minutes

Lesson 5: Integrating with Third-Party Applications

Lesson Objectives
After completing this lesson, participants will be able to:
• List and describe the different third-party integrations available with Trend Vision
One related to XDR
• Connect third-party applications to Trend Vision One

Integrating with Third-Party Applications

• Extend the scope of data collected beyond Trend Micro-monitored devices
• Collect and analyze data from multiple sources and increase visibility into your
security
• May require a Service Gateway as a proxy between Trend Vision One and the
third-party application, or an add-on from the vendor's web store

Why would we want to connect third-party applications to Trend Vision One?

Trend Vision One enables connections to key third-party applications, allowing you to
analyze data from multiple sources and increase visibility into your security. Data
collected from connected third-party data sources extends the scope of data beyond
what is collected on Trend Micro-monitored devices.

Some integrations require a Service Gateway to act as a proxy between Trend Vision
One and the third-party application. Some integrations may also require that you
download an add-on from the third-party vendor's web store.

Trend Vision One provides integrations for various categories of functionality. The
integrations covered in this lesson are those that provide data beneficial to XDR
functionality in Trend Vision One. Integrations are continually being added to Trend
Vision One.
Trend Vision One XDR Training for Certified Professionals ‐ Student Guide

Additional integrations will be added over time

275 Copyright 2023 Trend Micro Inc.

Expand Workflow and Automation and click the Third‐Party Integration app to view
the available integration and to perform the required connection steps.

Click the listed integrations to configure. You can also limit the display by clicking the
categories, vendors or associated apps.

275
Trend Vision One XDR Training for Certified Professionals ‐ Student Guide

Breach and Attack Simulation

• Simulate attacks on endpoints and verify attack information by pulling events from
Trend Vision One
• Available integrations: Cymulate, Picus Security, SafeBreach BAS, AttackIQ BAS

Cloud Services

• Compiles usage and activities on Office 365 apps including OneDrive, SharePoint,
Outlook and Teams
• Requires Azure AD integration
• Provides data for Risk Insights
• Available integration: Office 365

Grant Trend Micro permission to access Office 365 usage reports and useful data about
people and the documents they interact with, in order to gain deeper insight into the
Microsoft 365 resources your users access and the behaviors that contribute to users'
risk analyses.

Through Azure AD integration, you gain access to the following reports:
- OneDrive activity and usage
- SharePoint activity and usage
- Outlook activity and usage
- Teams activity and usage

Configuring Office 365 as a data source also requires that you configure Azure AD as a
data source.

Firewall and Network Protection

• Synchronize suspicious object information between Trend Vision One and various
third-party firewalls
• Strengthens security within the environment by moving the blocking of suspicious
objects to the network perimeter
• Requires a connection to a Service Gateway
• Available integrations: FortiGate Next-Generation Firewall, Palo Alto Panorama,
ProxySG and Advanced Secure Gateway, Check Point Open Platform for Security
(OPSEC)

Integrating with third parties such as Palo Alto, Broadcom, Check Point, MISP and
Fortinet enables the distribution of suspicious object data from Trend Vision One to
those products. Synchronizing this suspicious object information between Trend
Vision One and various third-party products strengthens the security measures within
the environment.

Third-party firewalls may be limited to blocking based on their supported object types

Third-party firewalls may be limited to blocking based on their supported object types.
For example, the FortiGate device supports the blocking of IP addresses, domains, URLs
and hashes. Other devices may support a different set of object types, so check which
of the synchronized objects a given device can actually enforce.

IT Service Management

• Allows Trend Vision One to send Workbench alerts as service tickets to be managed
in the ServiceNow portal
• Available integration: ServiceNow ITSM

Identity and Access Management

• Monitor sign-in attempts, enable/disable user accounts, force sign-out, force
password reset
• Discover devices, user accounts, and/or cloud apps
• Feed user and device activity logs (for account compromise), cloud app activity,
and/or anomaly detections
• Available integrations: Azure Active Directory, On-premises Active Directory, Okta,
OpenLDAP

Integrating with Identity and Access Management solutions such as Azure Active
Directory, on-premises Active Directory, OpenLDAP and Okta enables the capabilities
listed above in Trend Vision One.

Security Information and Event Management (SIEM)

• Enables Workbench alert sharing with SIEM products for unified management of the
event information
• May require a connector downloaded from the vendor store
• Available integrations: Azure Sentinel, QRadar, Splunk, LogRhythm, Elastic Security,
Securonix

Integrating with third-party SIEM products such as Splunk, Azure Sentinel and IBM
QRadar enables Workbench alert sharing for unified management of the event
information. Trend Vision One Observed Attack Techniques and Workbench alerts can
be viewed directly from the SIEM.

To integrate with the SIEM, download the Trend Vision One add-on from the vendor's
online store (in the example, from the Splunkbase web store). Provide the Trend Vision
One Endpoint URL and Authentication token to the add-on.

Security Orchestration, Automation and Response (SOAR)

• Automates the incident response process by gathering alerts, managing cases, and
responding to the alerts generated by the SIEM
• Helps create adaptive, automated incident response workflows
• May require a connector downloaded from the vendor store
• Available integrations: Chronicle SOAR, IBM Cloud Pak for Security, Cortex XSOAR,
Splunk SOAR

SOAR technologies enable organizations to collect the data that is being monitored by
the security operations team, for example alerts from the SIEM system. These
technologies help define, prioritize and drive standardized incident response activities.
SOAR tools allow an organization to define incident analysis and response procedures
in a digital workflow.

A SIEM aggregates and correlates data from multiple security systems to generate
alerts, while SOAR acts as the remediation and response engine for those alerts. The
SIEM collects and aggregates security data sourced from integrated platforms that log
data (firewalls, network appliances, intrusion detection and prevention systems, etc.),
then correlates data across devices, categorizes and analyzes incidents, and issues
alerts. The alerts are identified using sophisticated analytical techniques and machine
learning, which require fine tuning. This leaves a lot of alerts for a security team or SOC
to prioritize and remediate, a difficult, time-consuming process.

SOAR, on the other hand, is designed to help security teams automate the response
process by gathering alerts, managing cases, and responding to the endless alerts
generated by the SIEM. With SOAR, security teams can integrate with security alerts
and create adaptive, automated incident response workflows.

Threat Intelligence

• Integrate indicator of compromise (IoC) and suspicious object data from trusted
third-party intelligence sources
• Subscribe to TAXII feeds from third parties
• Available integrations: Cyborg Security – HUNTER Platform, Netskope Cloud Threat
Exchange, Anomali, AlienVault, Pickupstix.io, QRadar on Cloud, MITRE.org, MISP

Trend Vision One can also integrate indicator of compromise (IoC) and suspicious object
data from trusted third-party intelligence sources. Trend Vision One can subscribe to
TAXII feeds from third-party sources such as Anomali, AlienVault, Pickupstix.io and
mitre.org for threat information sharing. In addition, Trend Vision One can integrate
with QRadar on Cloud through STIX-Shifter for collaborative threat sharing and analysis.
By keeping up to date on indicators of compromise, Trend Vision One can detect attacks
and act quickly to prevent breaches from occurring and limit damage by stopping
attacks in earlier stages.

Trend Vision One also enables transfer of suspicious object data to, and retrieval of
threat intelligence data from, the MISP threat sharing platform through a Service
Gateway. MISP is a Linux-based solution that allows an organization to share IoCs and
suspicious objects. This category also includes suspicious object sharing from Cyborg
Security and Netskope.
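The two integration directions described above, a TAXII/STIX feed coming in as suspicious objects and firewalls that can only block the object types they support, meet in the middle. The following is an added example, not Trend Micro code and not part of this course: it parses indicators out of a STIX 2.1 bundle (the kind of document a TAXII collection returns), keeps only single-object equality patterns that a block list can represent, validates and de-duplicates the values, and then splits them per device. The bundle and the "example-proxy" device capabilities are constructed assumptions; only FortiGate's IP address, domain, URL and hash set comes from the course text, and which hash algorithms a given device accepts is assumed.

```python
"""Added example (not Trend Micro's code): STIX 2.1 indicators -> typed suspicious
objects -> per-device push/skip lists.  Sample bundle and device table are constructed."""
import ipaddress
import re

# One STIX equality comparison such as  ipv4-addr:value = '198.51.100.7'  (the enclosing
# brackets and OR keywords are simply skipped by the scan).  Constructed for this example.
_COMPARISON = re.compile(r"([a-z0-9\-]+:[a-z0-9_.'\-]+)\s*=\s*'([^']*)'", re.IGNORECASE)

# STIX object path (lower-cased) -> suspicious object type used in this example
_PATH_TO_TYPE = {
    "ipv4-addr:value": "ip", "ipv6-addr:value": "ip",
    "domain-name:value": "domain", "url:value": "url",
    "file:hashes.'sha-256'": "sha256", "file:hashes.sha256": "sha256",
    "file:hashes.'sha-1'": "sha1", "file:hashes.sha1": "sha1",
    "file:hashes.'md5'": "md5", "file:hashes.md5": "md5",
}
_HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

# Object types each device can block.  fortigate: IP/domain/URL/hash per the course text
# (hash algorithms assumed).  example-proxy: a constructed URL/domain-only device.
DEVICE_SUPPORT = {
    "fortigate": {"ip", "domain", "url", "md5", "sha1", "sha256"},
    "example-proxy": {"url", "domain"},
}


def _valid(obj_type: str, value: str) -> bool:
    """Reject values a device would refuse or silently ignore before they are pushed."""
    if obj_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if obj_type in _HASH_LEN:
        return len(value) == _HASH_LEN[obj_type] and all(c in "0123456789abcdef" for c in value)
    if obj_type == "domain":
        return "." in value and " " not in value and "/" not in value
    if obj_type == "url":
        return value.startswith(("http://", "https://"))
    return False


def indicators_from_bundle(bundle: dict) -> list[dict]:
    """Return de-duplicated {'type', 'value', 'source'} suspicious objects from a STIX bundle."""
    seen, out = set(), []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue            # snort / yara / sigma patterns are rules, not block-list objects
        pattern = obj.get("pattern", "")
        if " AND " in pattern.upper() or "FOLLOWEDBY" in pattern.upper():
            continue            # compound condition: no single component is an IoC on its own
        for path, raw in _COMPARISON.findall(pattern):
            obj_type = _PATH_TO_TYPE.get(path.lower())
            if obj_type is None:
                continue        # e.g. file:name or process:* - nothing a firewall can block
            value = raw if obj_type == "url" else raw.lower()
            if not _valid(obj_type, value) or (obj_type, value) in seen:
                continue
            seen.add((obj_type, value))
            out.append({"type": obj_type, "value": value, "source": obj.get("id")})
    return out


def partition_for_device(iocs: list[dict], supported: set[str]) -> tuple[list[dict], list[dict]]:
    """Split objects into those the device can enforce and those to block somewhere else."""
    pushable = [i for i in iocs if i["type"] in supported]
    skipped = [i for i in iocs if i["type"] not in supported]
    return pushable, skipped


# Constructed sample bundle (not real threat data); comments say why each entry is kept or not
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},                       # kept: ip
        {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'Bad.Example.NET' OR "
                    "url:value = 'http://bad.example.net/x.php']"},               # kept: two objects
        {"type": "indicator", "id": "indicator--3", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "AB" * 32 + "']"},            # kept: sha256
        {"type": "indicator", "id": "indicator--4", "pattern_type": "stix",
         "pattern": "[file:name = 'a.exe' AND file:hashes.'MD5' = '" + "cd" * 16 + "']"},  # compound
        {"type": "indicator", "id": "indicator--5", "pattern_type": "stix", "revoked": True,
         "pattern": "[ipv4-addr:value = '203.0.113.9']"},                        # revoked
        {"type": "indicator", "id": "indicator--6", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = 'not-a-hash']"},                   # malformed
        {"type": "indicator", "id": "indicator--7", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},                       # duplicate
        {"type": "indicator", "id": "indicator--8", "pattern_type": "snort",
         "pattern": "alert tcp any any -> any 80 (msg:\"x\"; sid:1;)"},          # not STIX
        {"type": "malware", "id": "malware--1", "name": "Example"},              # not an indicator
    ],
}

if __name__ == "__main__":
    iocs = indicators_from_bundle(SAMPLE_BUNDLE)
    for device, supported in DEVICE_SUPPORT.items():
        pushable, skipped = partition_for_device(iocs, supported)
        print(device, "push:", [(i["type"], i["value"]) for i in pushable],
              "skip:", [i["type"] for i in skipped])
```

The conservative choices are deliberate: a pattern joined with AND describes a combination, so pushing one half of it as a stand-alone block entry would over-block, and a malformed hash or a non-IP "ip" is dropped rather than handed to a device that may reject the whole batch. The skipped list is what you would route to a device that does support that type, or keep as detection-only intelligence.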

Vulnerability Management

• Enables Trend Vision One to discover devices and feed device vulnerability scan
results
• Serves as a data source for Risk Insights
• Available integrations: Qualys, Tenable Nessus Pro, Tenable.io, Rapid7 InsightVM /
Nexpose

Integrating with third-party products such as Qualys, Nessus Pro and Tenable.io enables
Trend Vision One to discover devices and feed device vulnerability scan results. The
integrations provide access to the following reports:
- Operating systems with highly exploitable CVEs
- Applications with highly exploitable CVEs

Web Access

• Extends the scope of visualization in the organization and improves detail when
measuring risk
• Use Trend Micro Risk Insights for Splunk to extract Web log data from third-party
firewall and Web gateway products through Splunk
• Sources supported through Risk Insights for Splunk: FortiGate, ProxySG, Zscaler,
Cisco Umbrella, Palo Alto Panorama, Forcepoint Web Security, Cisco Meraki

The Trend Micro Risk Insights for Splunk app connects your Splunk data with Trend
Micro data lakes, revealing web access footprints based on firewall and Web gateway
activity.

Data analysis capabilities currently support the following product sources:
Network Firewalls:
• Palo Alto
• Fortinet FortiGate
• Cisco Meraki
Web Gateways:
• Forcepoint Web Security
• Zscaler
• Cisco Umbrella SIG
• Symantec ProxySG

The Trend Vision One API can enable integrations beyond what is available natively in
the platform

If an integration is required that is not available within the native features of Trend
Vision One, the API can be used.
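An API-based integration uses the same two inputs the SIEM add-on asks for, the Endpoint URL and an Authentication token. The following is an added example, not Trend Micro's code and not part of this course: it pulls Workbench alerts for a time window, follows pagination, de-duplicates alerts that straddle a page boundary and flattens each one into a stable, SIEM-friendly record. The request path /v3.0/workbench/alerts, the Bearer token header, the startDateTime/endDateTime/orderBy parameters, the items/nextLink page shape and the alert field names read here (impactScope.entities with entityType/entityValue, investigationStatus, workbenchLink) are assumptions taken from the public API reference at the time of writing and should be checked against a real response from your region's Endpoint URL. SAMPLE_PAGES and fake_fetch() are constructed so the code runs offline.

```python
"""Added example (not Trend Micro's code): Workbench alerts -> flat SIEM events via the
public API.  API paths/field names are assumptions; SAMPLE_PAGES is constructed data."""
import json
import os
import urllib.request
from urllib.parse import urlencode

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def alerts_url(endpoint_url: str, start: str, end: str) -> str:
    """First-page URL.  endpoint_url is the regional Endpoint URL shown in the console."""
    query = urlencode({"startDateTime": start, "endDateTime": end,
                       "orderBy": "createdDateTime desc"})
    return f"{endpoint_url.rstrip('/')}/v3.0/workbench/alerts?{query}"


def http_get_json(url: str, headers: dict) -> dict:
    """Real transport; the offline run swaps in fake_fetch() instead."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_alerts(endpoint_url, token, start, end, fetch=http_get_json, max_pages=100):
    """Yield raw alerts, following nextLink until the API stops returning one."""
    headers = {"Authorization": f"Bearer {token}"}   # token travels in a header, never in the URL
    url, visited = alerts_url(endpoint_url, start, end), set()
    for _ in range(max_pages):
        if url in visited:
            raise RuntimeError("nextLink loop detected")
        visited.add(url)
        page = fetch(url, headers)
        yield from page.get("items", [])
        url = page.get("nextLink")
        if not url:
            return
    raise RuntimeError(f"more than {max_pages} pages; narrow the time window")


def _entity_names(alert: dict, entity_type: str) -> list[str]:
    names = []
    for ent in alert.get("impactScope", {}).get("entities", []):
        if ent.get("entityType") != entity_type:
            continue
        value = ent.get("entityValue")
        # assumed shape: host entities carry a dict (guid/name/ips), accounts a plain string
        names.append(value.get("name", "") if isinstance(value, dict) else str(value))
    return names


def to_siem_event(alert: dict) -> dict:
    """Flat, stable field names so the SIEM can parse every alert the same way."""
    severity = str(alert.get("severity", "")).lower()
    return {
        "alert_id": alert["id"], "created": alert.get("createdDateTime", ""),
        "severity": severity, "severity_rank": SEVERITY_RANK.get(severity, 0),
        "score": alert.get("score"), "model": alert.get("model"),
        "status": alert.get("investigationStatus"),
        "hosts": _entity_names(alert, "host"), "accounts": _entity_names(alert, "account"),
        "link": alert.get("workbenchLink"),
    }


def collect_events(endpoint_url, token, start, end, fetch=http_get_json) -> list[dict]:
    """Normalized, de-duplicated events, most severe first."""
    events = {}
    for alert in iter_alerts(endpoint_url, token, start, end, fetch):
        events[alert["id"]] = to_siem_event(alert)   # an alert updated mid-poll can show up twice
    return sorted(events.values(), key=lambda e: (-e["severity_rank"], e["created"]))


# ---- constructed sample pages and offline transport (assumed US-region Endpoint URL) ----
BASE = "https://api.xdr.trendmicro.com"
START, END = "2023-09-01T00:00:00Z", "2023-09-02T00:00:00Z"
PAGE2 = BASE + "/v3.0/workbench/alerts?skipToken=page2"      # constructed nextLink value
_WB2 = {"id": "WB-2", "model": "Rare Scheduled Task", "severity": "low", "score": 12,
        "createdDateTime": "2023-09-01T11:00:00Z", "investigationStatus": "New",
        "impactScope": {"entities": [{"entityType": "host",
                                      "entityValue": {"guid": "g2", "name": "srv02"}}]}}
SAMPLE_PAGES = {
    alerts_url(BASE, START, END): {
        "items": [
            {"id": "WB-1", "model": "Possible Credential Dumping", "severity": "high",
             "score": 67, "createdDateTime": "2023-09-01T10:00:00Z",
             "investigationStatus": "New", "workbenchLink": "https://portal.example/WB-1",
             "impactScope": {"entities": [
                 {"entityType": "host", "entityValue": {"guid": "g1", "name": "ws01"}},
                 {"entityType": "account", "entityValue": "CORP\\alice"}]}},
            _WB2],
        "nextLink": PAGE2},
    PAGE2: {"items": [
        {"id": "WB-3", "model": "Ransomware Behavior", "severity": "critical", "score": 90,
         "createdDateTime": "2023-09-01T09:00:00Z", "investigationStatus": "In Progress",
         "impactScope": {"entities": []}},
        _WB2]},                                              # repeated across the page boundary
}


def fake_fetch(url: str, headers: dict) -> dict:
    """Stands in for http_get_json(); also checks that the auth header is really sent."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    # Live run only when TMV1_TOKEN is set; the token never appears in source or output.
    token = os.environ.get("TMV1_TOKEN")
    fetch = http_get_json if token else fake_fetch
    for ev in collect_events(os.environ.get("TMV1_ENDPOINT", BASE), token or "offline",
                             START, END, fetch):
        print(json.dumps(ev))
```

Two details matter once this runs against a live tenant: the token is read from the environment and sent only as a header, so it does not end up in proxy logs or shell history, and the page loop is bounded and loop-detected so a misbehaving nextLink cannot spin the poller forever. Keying the output on the alert id means a poller that runs on overlapping windows can replay the same alert without producing duplicate SIEM events.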

Best Practice
• Connect as many data sources as possible to improve the quality and breadth of
collected data

Demo: Connecting Third-Party Products

Lesson Review

1. What are some of the reasons for integrating third-party products with Trend Vision
One?
2. What is the benefit of synchronizing suspicious object information between Trend
Vision One and third-party firewall products?
3. What is the benefit of integrating third-party threat intelligence with Trend Vision
One?
4. What is the purpose of the Trend Micro Risk Insights for Splunk app?

Hands-on Lab
Lab 5: Connecting Third-Party Products (page 47)

Your Task
• Connect the on-premises Active Directory in the lab environment to Trend Vision
One to collect information for risk assessments and remediation actions

Estimated time to complete these labs: 20 minutes

Lesson 6: Using the XDR Threat Investigation Apps

At this point, we've connected some Trend Micro products, connected some third-party
applications and enabled sensors on some devices in our environment. It's time to see
what Vision One is telling us.

Lesson Objectives
After completing this lesson, participants will be able to:
• View raw event and activity data
• Describe the use of Workbenches
• Navigate within Workbenches
• Perform actions on objects from within Workbenches

Data from email, servers, mobile devices, the network, Cloud Sandbox, clients, the Web sensor, third parties, Containers, and OT flows into the data lake. Have we collected any events or activities of interest?


Data collected from all the different points lands in a data lake. From that collection of
data, analysis can be performed.
For example, how does an event in an email account relate to an event detected on the
network?


XDR Threat Investigation Apps


• Enable visibility and analysis that is difficult or impossible to achieve otherwise
− Global threat intelligence combined with expert detection rules maximize the power of AI and analytical models
• Create prioritized alerts based on an expert alert schema to interpret data in a standard and meaningful way
• Display a consolidated view to uncover events and the attack path across security layers
• Guide investigations to understand the impact and identify the path to resolution


Trend Vision One collects and correlates data across email, endpoint, servers, cloud
workloads, and networks, enabling visibility and analysis that is difficult or impossible
to achieve otherwise.
Global threat intelligence combined with expert detection rules, continually updated by
our threat experts, maximizes the power of AI and analytical models.
Detection models create prioritized alerts based on an expert alert schema to interpret
data in a standard and meaningful way.
A consolidated view uncovers events and the attack path across security layers.
Guided investigations help you understand the impact and identify the path to resolution.


XDR Threat Investigation Apps

• Detection Model Management: view the list of detection models created by Trend Micro threat analysts
• Workbench: displays alerts triggered by detection models and enables analysts to investigate and respond to each alert or incident
• Search: construct query strings to pinpoint data or objects in the data lake
• Observed Attack Techniques: displays the individual events detected in your environment that may trigger an alert
• Targeted Attack Detection: analyzes your Smart Protection Network data to determine if certain indicators signal an ongoing attack, enabling timely prevention, investigation, and mitigation actions
• Forensics and Analysis: allows analysts and responders to react more quickly to potential incidents, conduct compromise assessments, threat hunting, and monitoring
• Managed Services: augment your team with a Trend Micro‐managed detection and response service


XDR apps provide a consolidated view to uncover events and the attack path across
security layers, and include the tools to enable analysis and visibility of telemetry from
endpoints, servers, email, network and the web.

Detection Models: the Detection Models screen lists all the detection models
that Trend Vision One provides. The detection models, which generate the alert
triggers, combine multiple rules and filters using a variety of analysis techniques
including data stacking and machine learning. Moreover, Trend Micro regularly refines
and adds detection models and filters to improve threat detection capabilities and
reduce false positive alerts.
Workbench: Displays alerts triggered by detection models, and incidents that group
related alerts, and enables you to further investigate and respond to each alert and
incident.
Search: Construct query strings to pinpoint data or objects in the data lake. It provides
different search methods, filters and a query language to identify, categorize and
retrieve data.
Observed Attack Techniques: The Observed Attack Techniques app displays the
individual events detected in your environment that may trigger an alert and any
related MITRE information.

Trend Vision One detects events through use of granular detection filters that make up
the detection models that trigger alerts. Events that Trend Vision One lists on the
Observed Attack Techniques screen do not necessarily result in a Workbench alert. You
can use the data in the Trend Vision One app to further investigate Workbench alerts
and evaluate individual detections.
Targeted Attack Detection: Targeted Attack Detection analyzes your Smart Protection
Network data to determine if certain indicators signal an ongoing attack, enabling you
to take timely prevention, investigation, and mitigation actions against targeted attack
campaigns. The analysis helps detect targeted attacks, identify the attack campaign, and
provide steps to mitigate the attack. If an attack is not occurring, Targeted Attack
Detection provides recommended actions to harden your environment against future
potential attacks. The app displays information about your organization's attack
exposure for a specific period.
Forensics and Analysis: Allows analysts and responders to react more quickly to potential
incidents, conduct compromise assessments, threat hunting, and monitoring.
Managed XDR: Augment your team with the expertly managed detection and response
service. Backed by a team of highly qualified security analysts, Trend Micro Managed
XDR is a flexible 24/7 service that provides advanced threat detection, investigation, and
response.


Viewing Raw Event and Activity Data


• Raw events and activity data from all endpoints and devices listed in the Observed Attack Techniques app
• Each entry displays corresponding MITRE ATT&CK tactics and techniques
• Raw events are not necessarily malicious but can help an investigation by providing a whole picture of system activity
• An entry here does not necessarily result in the creation of a Workbench


The Observed Attack Techniques app displays the individual events or activities
detected in your environment that may trigger an alert and any related MITRE
information.

Trend Vision One detects events through use of granular detection filters that make up
the detection models that trigger alerts. Events that Trend Vision One lists on the
Observed Attack Techniques screen do not necessarily result in a Workbench alert. You
can use the data in the Trend Vision One app to further investigate Workbench alerts
and evaluate individual detections.


Data Retention
• Retention policies purge data once it is no longer needed
− Retains collected raw information for 30 days by default
− Customer can purchase extended storage option (max of 365 days offered)
• Retains alert workbenches for 180 days
• All data is deleted upon license expiration + 30‐day grace period


Trend Vision One applies retention policies that purge data once it is no longer needed
for the purpose for which it was collected.
• Trend Vision One retains the collected raw information for 30 days by default, unless
the customer purchases extended storage at extra cost (max of 365 days offered).
• It also generates and retains alert workbenches for 180 days to give customers the
information for investigation and reporting.
• All data is deleted upon license expiration + 30‐day grace period


Expand XDR Threat Investigation and click the Observed Attack Techniques app.


Expand any listed entry to view its details.


Use filters to limit the display of raw entries


You can filter the display of Observed Attack Techniques with the filters along the top of
the display.


Click any entry in the Tactic or Technique columns to open the attack.mitre.org page
with a description of the item.


Filtering Raw Event and Activity Data


• Correlating and filtering events creates associations with other events
− Creates a story of what happened across security layers
• Detection models tie together low‐level events to find stealthy attackers
− Uses a variety of techniques including data stacking, machine learning, expert rules, and more


Filters correlate events within the event and activity data in the data lake using a variety
of techniques including data stacking, machine learning, expert rules, and more.

Detection models written by Trend Micro threat experts combine these filters to
identify attack behaviors. These automated and cross‐layer detection models tie
together low‐level events to find stealthy attackers. Detection models are frequently
updated/added by Trend Micro.


The Detection Model Management app lists all the models created by Trend Micro threat experts. The list is updated regularly as new models are developed. Custom models are also now supported in Preview.


The Detection Model Management app lists all the models created by Trend Micro
threat experts. The list is updated regularly as new models are developed.


Detection Models tab columns: Severity, Model, Description, Applicable products, Last Updated, and Status. The severity levels are:
• Critical: This event exhibits strong evidence of compromise for targeted attacks, Advanced Persistent Threats (APTs), or cybercrime operations
• High: This event exhibits highly suspicious indicators associated with targeted attacks, APTs, or cybercrime operations
• Medium: This event exhibits suspicious indicators possibly associated with malware infections, policy violations, or cybercrime operations
• Low: This event exhibits mildly suspicious indicators useful for security monitoring or threat hunting


The Detection Models tab lists all the current models. Columns listed include:
Severity
The severity level Trend Vision One assigns to the model depends on the type of event
and MITRE information. The available severity levels include:
• Critical: This event exhibits strong evidence of compromise for targeted attacks,
Advanced Persistent Threats (APTs), or cybercrime operations
• High: This event exhibits highly suspicious indicators associated with targeted
attacks, APTs, or cybercrime operations
• Medium: This event exhibits suspicious indicators possibly associated with malware
infections, policy violations, or cybercrime operations
• Low: This event exhibits mildly suspicious indicators useful for security monitoring or
threat hunting

Model
Each model is identified by a unique name, assigned by the Trend Micro threat experts.

Description
A short description of the detection model is displayed for information purposes.

Applicable products
The products to which this detection model applies

Last Updated
The date and time which Trend Micro last updated the model

Status
Trend Vision One automatically enables the alert triggers for supported products in your
environment. Any model can be disabled by clicking the status icon.


Exclude an object value from being detected by the current detection filter


An exception is a combination of an object value, a detection filter, and a data field.

Each detection model uses one or more filters to detect suspicious behaviors or events
based on associated MITRE techniques and reported threat indicators. You can further
check specific detection filters that triggered an alert in the alert details of the
Workbench app.

Add an object to exceptions if you want to exclude the object value from being
detected by the current detection filter. As a result, Trend Vision One matches the
exception based on the object value, the data field associated with the value, and the
related detection filter.
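The notes on detection filters being combined into detection models (Filtering Raw Event and Activity Data) and the description above of exceptions matched on object value, data field and detection filter can be pictured with a small Python model. This is an added example, not Trend Micro's implementation; the filter names, the model name, the event field names (endpointName, parentName, processName, processCmd) and the sample events are all constructed for illustration.

```python
"""Toy model of detection filters, exceptions and detection models.

Added example for this Student Guide, not Trend Micro code: filter names, the
model name, event field names and the sample events are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed sample events, shaped like endpoint activity data in the data lake.
SAMPLE_EVENTS: List[Event] = [
    {"endpointName": "ws-01", "parentName": "winword.exe",
     "processName": "powershell.exe", "processCmd": "powershell -enc SQBFAFgA"},
    {"endpointName": "ws-01", "parentName": "explorer.exe",
     "processName": "powershell.exe", "processCmd": "powershell -File backup.ps1"},
    {"endpointName": "srv-02", "parentName": "cmd.exe",
     "processName": "powershell.exe", "processCmd": "powershell -enc SQBFAFgA"},
]


@dataclass(frozen=True)
class DetectionFilter:
    """A granular filter: one named condition evaluated per raw event."""
    name: str
    predicate: Callable[[Event], bool]


@dataclass(frozen=True)
class FilterException:
    """An exception: object value + data field + detection filter.

    All three must match for the event to be excluded, so the same value in a
    different field, or under a different filter, is still detected.
    """
    filter_name: str
    data_field: str
    object_value: str

    def applies_to(self, flt: DetectionFilter, event: Event) -> bool:
        return (flt.name == self.filter_name
                and event.get(self.data_field) == self.object_value)


@dataclass(frozen=True)
class DetectionModel:
    """Combines several filters; it fires only when every one of them has matched."""
    name: str
    severity: str
    filter_names: frozenset


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

FILTERS = [
    # Hypothetical filter: PowerShell launched with an encoded command.
    DetectionFilter("encoded_powershell",
                    lambda e: " -enc " in f" {e.get('processCmd', '')} "),
    # Hypothetical filter: an Office application spawning PowerShell.
    DetectionFilter("office_spawns_shell",
                    lambda e: e.get("parentName") in OFFICE_APPS
                    and e.get("processName") == "powershell.exe"),
]

MODELS = [
    DetectionModel("Possible Encoded PowerShell Launched from Office Document", "High",
                   frozenset({"encoded_powershell", "office_spawns_shell"})),
]


def match_filters(events, filters, exceptions):
    """Map filter name -> matching events, after dropping excepted matches."""
    hits: Dict[str, List[Event]] = {}
    for event in events:
        for flt in filters:
            if not flt.predicate(event):
                continue
            if any(x.applies_to(flt, event) for x in exceptions):
                continue                      # excepted for this filter only
            hits.setdefault(flt.name, []).append(event)
    return hits


def evaluate_models(hits, models):
    """Return the models whose required filters all produced (non-excepted) hits."""
    return [m for m in models if m.filter_names <= set(hits)]


def run(exceptions=()):
    """Apply the filters and models to the sample events; returns (hits, alert names)."""
    hits = match_filters(SAMPLE_EVENTS, FILTERS, exceptions)
    return hits, [m.name for m in evaluate_models(hits, MODELS)]


if __name__ == "__main__":
    scenarios = [
        ("no exceptions", []),
        ("srv-02 excepted from encoded_powershell",
         [FilterException("encoded_powershell", "endpointName", "srv-02")]),
    ]
    for label, excs in scenarios:
        hits, alerts = run(excs)
        print(label, {k: len(v) for k, v in hits.items()}, alerts)
```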


Workbenches
• Displays alerts triggered by detection models
− Correlated events and activities
• Requires your attention for further evaluation
− Does not necessarily mean that your systems have been compromised
• Analysts can investigate through an in‐depth root cause and impact analysis
− Help understand the alert extent and severity and determine further actions to respond to the alerts


Workbenches are alerts triggered by detection models. These are the correlated events
and activities.
The creation of a workbench does not necessarily mean that your systems have been
compromised, but it does require your attention for further evaluation.
Analysts can investigate through an in‐depth root cause and impact analysis, which will
help them understand the alert extent and severity and determine further actions to
respond to the alerts.


Displays alerts that you can investigate to understand the alert extent and severity and determine response actions


The Workbench Alert View tab displays alerts that you can investigate through an in‐
depth root cause and impact analysis to understand the alert extent and severity and
further determine actions to respond to the alerts.


Groups related alerts using advanced alert correlation and machine learning techniques


The Workbench Incident View tab displays incidents that group related alerts to help
you quickly identify and mitigate potential system breaches in your network
environment.

Trend Vision One creates incidents to group related alerts using advanced alert
correlation and machine learning techniques.

You can view detailed incident data on each tab to further investigate and mitigate a
potential security breach in your network environment.


Workbench Alerting


Trend Vision One will send out an alert email to the specified administrators or analysts
when a workbench is automatically created. Click the link to be brought directly to the
workbench in the console, or log into the console and go to the Workbench app.


Alert view columns: Status (New, In Progress, Closed, Close – False Positive), Score, Workbench ID, Model, Model Severity, Impact Score, Data Source, Created, and Associated incident. Click the Workbench ID to view a summary of the event; click an incident ID to view the detailed incident information in the Workbench app.


Fields listed in Alert view include:


Status
Displays the current status of the alert or investigation triggered in the Workbench,
including:
• New
• In Progress
• Closed
• Close ‐ False Positive
Score
The overall severity assigned to the alert. Trend Vision One calculates the score based
on the severity of the matched detection model and the number of endpoints
concerned by the detection.
Workbench ID
A unique identifier for the alert. Click the Workbench ID to view the summary of the
event.
Model
Displays the detection model that triggered the alert.
Model Severity
The severity assigned to a model that triggered the alert is displayed.

Impact Score
Displays the number of entities that the alert affects within the company network.
Data Source
Displays the product that is providing the data to the Workbench app.
Created
Displays the date and time Trend Vision One generated the alert.
Associated incident
Any incident associated with the alert is displayed in this column. Click the incident ID to
be brought to the Incident View. From there, you can see how the alerts within this
incident are related.


Workbench panes: Summary (general details about the Workbench), Timeline (timeline of the alert details), Observable Graph (graphical representation of the alert details), and Highlights (lists the MITRE ATT&CK tactics and techniques used along with the affected objects).


The panes within the Workbench view are shown here.


Observable Graph Symbols

URL, Server, Endpoint, Multiple endpoints, User, File, CLI command, IP/Domain, Process


Icons are used to represent the elements in the Observable Graph.


Context‐sensitive menu with all actions available for that object


Trend Vision One provides a context menu that provides actions that can be applied to
objects in the Workbench directly related to the console location and object type.

To access the context menu, right‐click anywhere on the Trend Vision One console.


Workbench Actions
• Context menu provides actions related to the console location and
object type
− Response actions
− Advanced analysis actions
− Search actions
− General actions


Right‐clicking an object displays a context‐sensitive menu providing actions related
to the console location and object type. These include:
• Response actions
• Advanced analysis actions
• Search actions
• General actions


Workbench Response Actions

Actions on files and processes: Terminate Process, Collect File, Submit for Sandbox Analysis


Object‐specific actions allow you to directly respond to threats without leaving the
Trend Vision One console.
You can take specific actions on events or objects found on the Trend Vision One
console. After triggering a response, the Response Management app creates a task and
sends the command to the target.

Actions on Files and Processes


Terminate Process: Terminates the active process and allows you to terminate the
process on all affected endpoints.
Collect File: Compresses the selected file on the endpoint in a password‐protected
archive and then sends the archive to the Response Management app.
Submit for Sandbox Analysis: Submits the selected file objects for automated analysis
in a sandbox, a secure virtual environment.


Workbench Response Actions

Actions on suspicious objects: Add to Block List, Remove from Block List


You can take preventive blocking measures on suspicious objects that may pose a
security risk to your network using context menus on the Trend Vision One console.

Add to Block List: Adds File SHA‐1, URL, IP address, or Domain objects to the User‐
Defined Suspicious Objects List, which blocks the objects on subsequent detections.
Remove from Block List: Removes the File SHA‐1, URL, IP address, or Domain object
added to the User‐Defined Suspicious Objects List through the Add to Block List
response.


Workbench Response Actions

Actions on email messages: Quarantine Message, Restore Message, Delete Message


Quarantine Message: Moves the selected email message to the quarantine folder and
allows you to quarantine the message from all affected mailboxes.
Delete Message: Deletes the selected email message from the selected mailboxes.
Restore Message: After determining that a quarantined message is not malicious, you
can restore the message by clicking Restore message on the task context menu.


Workbench Response Actions

Actions on endpoints: Isolate Endpoint, Restore Endpoint, Start Remote Shell Session, Run Remote Custom Script


Isolate Endpoint: Disconnects the target endpoint from the network, except for
communication with the managing Trend Micro server product.
Restore Connection: Restores network connectivity to an endpoint that already
applied the Isolate Endpoint action.
Start Remote Shell Session: Connects to a monitored endpoint and allows you to
execute remote commands or a custom script file for investigation.
Run Remote Custom Script: Connects to a monitored endpoint and executes a
previously uploaded PowerShell or Bash script file.


Workbench Response Actions

Actions for account enforcement: Disable User Account, Enable User Account, Force Sign Out, Force Password Reset


Disable User Account: Signs the user out of all active application and browser sessions
of the user account. It may take a few minutes for the process to complete. Users are
prevented from signing in to any new session.
Enable User Account: Allows the user to sign in to new application and browser
sessions. It may take a few minutes for the process to complete.
Force Sign Out: Signs the user out of all active application and browser sessions of the
user account. It may take a few minutes for the process to complete. Users are not
prevented from immediately signing back in to the closed sessions or signing in to new
sessions.
Force Password Reset: Signs the user out of all active application and browser sessions
and forces the user to create a new password during the next sign‐in attempt. It may
take a few minutes for the process to complete.


Workbench Advanced Analysis Actions

Actions for advanced analysis: Check Execution Profile, Check Network Analytics Report


You can further investigate workbench data using context menus to access execution
profiles and network analytics reports.

Check Execution Profile: Visualizes objects and events using a dynamic and interactive
chain view.
Check Network Analytics Report: Shows network correlations of the selected node and
other related objects.


Workbench Search Actions


Actions for search:
• New Search: match field and value
• New Search: match CLICommand
• New Search: extend time
• New Search: Endpoint Activity Data +/‐ 10 min
• Add Filter: field IS value
• Add Filter: field IS NOT value
• Add Filter: field is EMPTY


Context menus provide additional search options that you can access during an
investigation, after encountering objects or data that you want to further explore.

New Search: match field and value


New Search: match CLICommand
New Search: extend time
New Search: Endpoint Activity Data +/‐ 10 min
Add Filter: field IS value
Add Filter: field IS NOT value
Add Filter: field is EMPTY


Workbench Search Actions


Actions for search (continued):
• Add Filter: field EXISTS
• Add Filter: field DOES NOT EXIST
• VirusTotal
• Google search
• Search <object>


Context menus provide additional search options that you can access during an
investigation, after encountering objects or data that you want to further explore.

Add Filter: field EXISTS


Add Filter: field DOES NOT EXIST
VirusTotal (searches the VirusTotal.com database for details on a piece of malware)
Google
Search <object>


Workbench General Actions

General actions: Copy to Clipboard, Check Risk Insights Assessment, Show Detailed Profile, Add to Exceptions, View Event


General actions include basic operations to perform on the selected object.

Copy to Clipboard: Copies selected item to the clipboard.


Check Risk Insights Assessment: Redirects to the Operations Dashboard with this item
displayed.
Show Detailed Profile: Displays the Detailed profile pane in the Workbench.
Add to Exceptions: Adds the selected item to the Exceptions tab in the Detection
Model Management app.
View Event: Click View event to further check the event details in the Observed Attack
Techniques app.


Click any Incident ID to view the alerts (Workbenches) that make up the incident


Trend Vision One creates incidents to group related alerts using advanced alert
correlation and machine learning techniques. Incidents associate multiple related
(correlated) Workbenches to build a more complex picture of a sequence of events.

Groups all objects involved in the story of this incident:


• Users
• Servers/Endpoints
• CLI commands
• Processes
• Files
• IP addresses
• Domains
• etc.


Click any Workbench ID to go directly to the alert details. How are these alerts related?


The Alerts tab displays detailed information of associated alerts.


The Score is calculated based on the highest severity of any of the detection models
matched, the overall impact scope of all related alerts, and the overall MITRE tactic and
technique coverage.
A description of the incident, as well as the MITRE tactics seen in the alerts, is provided
for further information.
You can use the Status, Created, and Model drop‐down lists and the search fields to
filter the entries.
The Relationship column displays the reason an alert is associated with an incident (for
example, it affects the same endpoint, a similar hash was found, and so on).


Incident Timeline tab shows the order (date and time) in which the alerts were created


The Incident Timeline tab displays the date and time of each detection from associated
alerts.
You can click Incident‐based Execution Profile in the upper right corner to check the
root cause, lifecycle, and impact scope of an incident.


Impact Scope shows the affected endpoints and accounts


The Impact Scope tab displays the list of entities affected by the incident.


Highlighted Objects lists objects from the associated alerts


The Highlighted Objects tab displays the list of highlighted objects from the associated
alerts. Trend Vision One analyzes highlighted objects to correlate alerts.
You can select one or more highlighted objects and choose a response action to take on
the objects.


Execution Profile
• Investigation tool that displays the sequence of events leading to the execution of the matched object
− Also known as Root Cause Analysis
• Visualizes objects and events using a dynamic and interactive chain view, instead of static analysis results
• Switch between Chain and Timeline views


An Execution Profile is an investigation tool that displays the sequence of events
leading to the execution of the matched object. This is sometimes called a Root Cause
Analysis.

The Execution Profile visualizes objects and events using a dynamic and interactive
chain view, instead of static analysis results.


Viewing an Execution Profile


Execution Profile can be viewed from 4 locations in the Trend Vision One console:

• From the Highlights pane in the Workbench

• From the Workbench context menu

• From the Search App context menu

• From Observed Attack Techniques


Lists the individual events detected in your environment and related MITRE information. Visualizes objects and events for interactive investigations.


The Observed Attack Techniques tab in the Execution Profile lists the individual events
detected in your environment and related MITRE information. You can click View event
to further check the event details in the Observed Attack Techniques app.

Note: Under Observed Attack Techniques, only detection filters at Critical, High, and
Medium risk levels are listed based on the objects available in the current analysis
chain.

The Execution Profile aggregates multiple analysis chains that visualize objects and
events for interactive investigations.


Click any node in the display to view the detailed profile and check related events of the object


You can click any node to view the detailed profile and check related events of the
object. The initial analysis chain shows the most critical events as a baseline and allows
you to add more events to the chain if necessary.


Lists the affected endpoints and highlighted objects of the alert


The Endpoints tab lists the affected endpoints and highlighted objects of the alert.


Switch to Timeline View to display the events associated with an incident in chronological order. Use the arrows to progress through the attack step‐by‐step.


The Timeline view displays the events associated with an incident in chronological
order.
By default, only the first observed events of an incident are highlighted. You can use the
left and right arrow ( < or >) to progress through the attack step‐by‐step.


Network Analytics
• Shows network correlations between the trigger object selected in Observable Graph and other related objects
• Only available after connecting and properly configuring Deep Discovery Inspector


The Network Analytics Report shows network correlations between the trigger object
selected in Observable Graph and other related objects.
The Network Analytics Report is only available after connecting and properly
configuring Deep Discovery Inspector.


Icon indicates a Network Analytics Report is available for this object

338 Copyright 2023 Trend Micro Inc.

The icon indicates a Network Analytics Report is available for this object.

Summary and high‐level overview of the correlated event
Visual representation of the correlations made between objects
View and play back the timeline for the correlated events
Details about each transaction represented in the correlation graph, and each detected Indicator of Compromise

The Network Analytics Report consists of three main sections.

Summary
The Summary section displays the severity, the number of detected internal hosts and
Indicators of Compromise (IOCs), and the attack patterns, and provides a high‐level
overview of the malicious activity of the correlated event.
Correlation Graph
The Correlation Graph section provides a visual representation of correlations made
between the suspicious object selected in Trend Vision One and other related objects.
Transaction and IOC Details
The Transaction and IOC Details section provides details about each transaction
represented in the correlation graph, and each detected Indicator of Compromise (IOC).
Transactions are listed from oldest transaction at the top to the most recent transaction
at the bottom. Listed transactions might have occurred in a single day or might span
several months, depending on the correlations found by Deep Discovery Director ‐
Network Analytics. IOCs are listed from oldest first seen at the top to the most recent
first seen at the bottom.

Hover the mouse over the image and click the play button.

Each correlation graph contains one or more lines that correlate malicious or suspicious
activity between a source and destination.
• Each correlation line represents one or more transactions between two hosts
• The thickness of the line is proportional to the number of transactions occurring
between the hosts
• Correlation lines can be between an internal host and external server or between
two internal hosts (lateral movement)
• Each correlation line is labeled with the protocols used in transactions between the
hosts. An arrow within the correlation line indicates the direction of the
transactions, from source to destination
• Correlation lines involving email senders are labeled as Suspicious Email Activity
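The correlation-line rules above, and the ordering rules given earlier for the Transaction and IOC Details section, can be illustrated with a small model. The Python below is an added example and is not Trend Micro's code or the Network Analytics Report's implementation: it aggregates constructed sample transactions into one line per host pair, classifies each line (internal to external server, lateral movement between two internal hosts, or suspicious email activity), labels it with the protocols and direction, scales the thickness to the transaction count, and orders transactions oldest first and IoCs by first-seen time. The RFC 1918 test for "internal", the class and function names, and the treatment of external destinations as IoCs are assumptions made for the example.

```python
"""Model correlation lines between hosts from a list of network transactions.

Added example (not Trend Micro code): the classification, labelling and ordering
rules follow the Network Analytics Report description; the data is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# Assumption for this example: RFC 1918 ranges are the organisation's internal hosts.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_internal(host: str) -> bool:
    """True for hosts inside the internal ranges; non-IP sources (email senders) are never internal."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Transaction:
    when: datetime
    src: str          # internal host, external server, or an email sender address
    dst: str
    protocol: str


@dataclass
class CorrelationLine:
    src: str
    dst: str
    count: int = 0                                   # number of transactions on this line
    protocols: List[str] = field(default_factory=list)

    @property
    def kind(self) -> str:
        """Classify the line as the report does: email sender, lateral movement, or internal-to-external."""
        if "@" in self.src:
            return "suspicious_email_activity"
        if is_internal(self.src) and is_internal(self.dst):
            return "lateral_movement"
        return "internal_to_external"

    def label(self) -> str:
        """Protocols used plus the direction of the transactions (source -> destination)."""
        if self.kind == "suspicious_email_activity":
            return "Suspicious Email Activity"
        return f"{', '.join(sorted(self.protocols))} ({self.src} -> {self.dst})"


def build_graph(transactions: Iterable[Transaction]) -> Dict[Tuple[str, str], CorrelationLine]:
    """Collapse transactions into one correlation line per (src, dst) pair."""
    lines: Dict[Tuple[str, str], CorrelationLine] = {}
    for t in transactions:
        line = lines.setdefault((t.src, t.dst), CorrelationLine(t.src, t.dst))
        line.count += 1
        if t.protocol not in line.protocols:
            line.protocols.append(t.protocol)
    return lines


def thickness(line: CorrelationLine, graph: Dict[Tuple[str, str], CorrelationLine]) -> float:
    """Thickness proportional to the transaction count, scaled so the busiest line is 1.0."""
    busiest = max(item.count for item in graph.values())
    return line.count / busiest


def ordered_transactions(transactions: Iterable[Transaction]) -> List[Transaction]:
    """Transaction details are listed oldest first."""
    return sorted(transactions, key=lambda t: t.when)


def ioc_first_seen(transactions: Iterable[Transaction]) -> List[Tuple[str, datetime]]:
    """External destinations treated as IoCs (assumption), ordered by oldest first-seen time."""
    first: Dict[str, datetime] = {}
    for t in ordered_transactions(transactions):
        if not is_internal(t.dst) and "@" not in t.dst:
            first.setdefault(t.dst, t.when)
    return sorted(first.items(), key=lambda kv: kv[1])


# Constructed sample transactions (documentation addresses, not real telemetry).
SAMPLE = [
    Transaction(datetime(2023, 9, 3, 10, 0), "10.0.0.5", "203.0.113.10", "HTTPS"),
    Transaction(datetime(2023, 9, 1, 9, 0), "10.0.0.5", "203.0.113.10", "HTTP"),
    Transaction(datetime(2023, 9, 2, 11, 30), "10.0.0.5", "203.0.113.10", "HTTP"),
    Transaction(datetime(2023, 9, 4, 8, 15), "10.0.0.5", "10.0.0.7", "SMB"),
    Transaction(datetime(2023, 9, 5, 7, 45), "sender@example.net", "10.0.0.9", "SMTP"),
    Transaction(datetime(2023, 9, 6, 12, 0), "10.0.0.7", "198.51.100.20", "DNS"),
]

if __name__ == "__main__":
    graph = build_graph(SAMPLE)
    for line in graph.values():
        print(f"{line.kind:26} thickness={thickness(line, graph):.2f}  {line.label()}")
    for ioc, seen in ioc_first_seen(SAMPLE):
        print(f"IOC {ioc} first seen {seen.isoformat()}")
```

Running the block prints three transactions collapsed into a single thick HTTP/HTTPS line to the external server, a thinner SMB line flagged as lateral movement, and an email line labelled Suspicious Email Activity, followed by the two external IoCs in first-seen order.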

Targeted Attack Detection

Smart Protection Network services: Predictive Machine Learning, Census, File Reputation (Smart Scan), Behavior Monitoring, Certified Safe Software, Web Reputation, Smart Feedback

The Smart Protection Network is a next‐generation cloud‐client content security
infrastructure designed to protect customers from security risks and web threats. These
services mine data around the clock and across the globe to ensure that you are
always protected. Trend Micro products use this advanced detection analytics
mechanism to immediately stamp out attacks before they can harm you.

The Targeted Attack Detection capabilities in Trend Vision One require that Predictive
Machine Learning, Behavior Monitoring and Smart Feedback be enabled.
• Predictive Machine Learning: Protects your network from new, previously
unidentified, or unknown threats through advanced file feature analysis and
heuristic process monitoring.
• Behavior Monitoring: Continuously monitors endpoints for unusual modifications to
the operating system or on installed software.
• Smart Feedback: Shares threat information with the Smart Protection Network,
allowing Trend Micro to rapidly identify and address new threats.

Targeted Attack Detection analyzes your Smart Protection Network data to determine if
certain indicators signal an ongoing attack, enabling you to take timely prevention,
investigation, and mitigation actions against targeted attack campaigns. The analysis
helps detect targeted attacks, identify the attack campaign, and provide steps to
mitigate the attack. If an attack is not occurring, Targeted Attack Detection provides
recommended actions to harden your environment against future potential attacks.

The app displays information about your organization's attack exposure for a specific
period. This information is influenced by the following factors:
• Security features enabled on Trend Micro management servers that you have
connected to Trend Vision One
• Endpoint sensors installed and enabled in your environment
• Attack campaigns monitored and analyzed by Trend Micro threat experts

By enabling Smart Feedback, Behavior Monitoring, and Predictive Machine Learning,
Trend Micro can use the data shared through these features to identify and address new
threats such as Log4J, Sunburst, RYUK, Lockbit and Nefilim.

Did Agents in your environment find attack indicators for one or more ongoing attack campaigns?

The Attack Exposure frame reviews the overall risk level of your environment and any
ongoing attacks.
• High Risk and Medium Risk: Agents in your environment found attack indicators for
one or more ongoing attack campaigns.
• Low Risk: Agents in your environment did not find any attack indicators.

* Targeted Attack Detection requires enabling Smart Feedback on your management
servers to begin analyzing your environment. Enable Smart Feedback on your
management servers.

Ratings are based on Smart Protection Network data analyzed within a specific period.
Your organization's rating may change when:
• Connecting management servers and enabling security features.
• Enabling Smart Feedback.
• Installing and enabling endpoint sensors.
• Updates to the app which include information on new attack campaigns or attack
indicators.

Enable Smart Feedback and endpoint sensors to improve attack visibility
Enable Predictive Machine Learning and Behavior Monitoring to enhance security capabilities

Review Security Features and endpoint sensors to provide coverage and visibility for
discovering attack indicators. The Security Features and endpoint sensors sections
provide an overview of feature coverage within your environment.

Important: Targeted Attack Detection requires enabling Smart Feedback on
management servers to begin analyzing your Smart Protection Network data.

Enabling Smart Feedback and endpoint sensors improves attack visibility. Enabling
Predictive Machine Learning and Behavior Monitoring enhances security capability.

Targeted Attack Detection displays coverage as a percentage. For security features, this
is the percentage of management servers in your environment with the feature
enabled. For endpoint sensors, the app calculates the percentage according to the
number of sensors enabled versus how many sensors you can enable according to your
product license or available credits. Increasing coverage provides more data from
across your network, allowing for more accurate analysis and monitoring of your
environment.

Gives an overview of the progress of ongoing targeted attacks and affected endpoints

The Attack Phases frame displays a quick overview of the progress of ongoing targeted
attacks and affected endpoints.

This section displays information about attacker activity for four phases that precede
command‐and‐control communication. Find out if attackers are attempting to gain or
maintain their foothold on your network, or if data exfiltration or some form of system
impact may soon occur.

Click on the desktop or server icons on each phase to view endpoints affected during
the attack phase.
• Initial Access: An attacker has gained access or is attempting to gain access to your
environment. If successful, attackers may attempt to move to the next attack phase.
• Persistence: An attacker is attempting to maintain or increase access to your
environment. If successful, attackers may attempt to load malicious payloads onto
your environment, such as bots and malware, which may remain dormant in your
environment even if the attacker stops.
• Credential Access: An attacker has obtained or is attempting to obtain account
credentials within your environment. Data exfiltration or some form of system
impact may occur soon. Attackers may attempt to interrupt, manipulate, steal, or
destroy critical assets.
• Lateral Movement: An attacker is expanding or attempting to expand the attack
scope within your environment. Data exfiltration or some form of system impact may
soon occur. Attackers may interrupt, manipulate, steal, or destroy your critical assets.
• Impact: A targeted attack of high severity which reaches the final attack phase may
cause significant damage within your environment. This section estimates the overall
impact of the ongoing campaign according to attack indicators and affected
endpoints.

Prevention and Containment

Provides steps to harden your defenses and mitigate ongoing or potential attacks

The Risk Management Guidance frame displays the top recommended actions to
harden your defenses, investigate attack scope, and monitor your environment. The
recommended actions vary depending on factors including which security features are
enabled, security feature configurations, and the type of threat present in your
environment.
Prevention and Containment tab: Prevent the spread of new and ongoing attacks by
hardening your defenses and mitigating ongoing or potential attacks. Suggestions are
provided.

Monitoring and Investigation

Provides steps to further investigate the scope of ongoing attacks, monitor, and search for attack indicators in your environment

Monitoring and Investigation tab: Increase visibility and monitor new or ongoing
attacks.
This section provides steps to further investigate the scope of ongoing attacks, monitor,
and search for attack indicators in your environment.

View affected endpoints in your environment and information about monitored attack campaigns

The Attack Scope frame allows you to view affected endpoints in your environment and
information about monitored attack campaigns.

Endpoints
Displays an overview of endpoints affected by ongoing attack campaigns.

Click the total number to view details about each affected endpoint.

• Endpoint: GUID of agent installed on the affected endpoint or IP address of the
affected endpoint
• Severity: highest severity security event the app observed on the endpoint
• Reasons: the type of malicious behavior the app observed on the endpoint
• Recommended actions: recommended steps to mitigate risk
• Management server: Host name and IP address of the server that manages the
affected endpoint
• First observed: timestamp of when the app first observed an attack indicator or
event on the endpoint
You can filter the list by endpoint and attack phase.
Sort the list by changing View to Management server, Severity, or Recommended
actions.

Campaigns
Trend Micro threat researchers monitor and analyze attack campaigns affecting
organizations around the world. Their research provides context to detected attack
indicators and allows Trend Vision One to predict possible next steps by attackers. You
can use the information to identify other potentially compromised assets and to
mitigate the risk posed by each campaign.
Tags indicate regions, platforms, and industries the campaign affects the most.
A red icon next to the campaign name indicates the app found attack indicators for that
campaign in your environment.

Forensics and Analysis

• Allows analysts and responders to react more quickly to potential incidents, conduct compromise assessments, threat hunting, and monitoring
• Currently in preview, soliciting feedback

The Forensics and Analysis app allows analysts and responders to react more quickly to
potential incidents, conduct compromise assessments, threat hunting, and monitoring.

Forensics and Analysis

Incident Response Evidence Collection playbook to collect evidence
Investigation Console (create case, import evidence, analyze)
Live Query to help triage compromised endpoints
Add key evidence to your investigation timeline

After an incident, collect evidence for further analysis with specialized tools with the
Incident Response Evidence Collection playbook. Incident Response evidence collection
can help support the incident response process.

Create a case, import evidence, and analyze with a highly customizable investigation
tool. Collect evidence from potentially compromised endpoints online with the Incident
Response Evidence Collection playbook or offline with the Trend Micro Forensic Tool.

Live Query can quickly run triage commands or trigger supported investigation tools to
isolate affected endpoints. It helps triage potentially compromised endpoints.

Highlight suspicious records collected by the Incident Response Evidence Collection
playbook. Add key evidence to your investigation timeline to help you gain insight into
the context of your case.


Forensics evidence can be collected by clicking Collect Evidence from the Packages tab,
or it will be added automatically to this tab when the Collect Evidence Playbook is run.

Response Management
• Take actions and track the actions taken on the environment using the Trend Vision One console
• View the response task status and command details

The Response Management app allows the analyst to take actions and track the actions
that have been taken on your environment using the Trend Vision One console.
After triggering a response to an event or object, you can view the response task status
and command details in the Response Management app.

Task status values:
• Unsuccessful: An error or time‐out occurred when attempting to send the command to the managing server, the Security Agent is offline for more than 24 hours, or the command execution timed out
• Successful: The managing server successfully received the command
• In progress: Trend Vision One sent the command to the managing server and is waiting for a response
• Queued: The managing server queued the command because the Security Agent was offline
• Pending approval: Command is paused awaiting approval
• Rejected: Command was rejected

Table columns:
• The Status and Operation ID of the command
• The Task being applied to the object
• The Target for the command
• The user that triggered the response command
• The last date and time that the Trend Vision One console received data regarding the task
• The location in the Trend Vision One console where the user triggered the response command

Trend Vision One tracks and provides feedback on the actions taken on endpoints,
email messages, and network events. After triggering a response to an event or object,
you can view the response task status and command details in the Response
Management table.
The Task status indicates whether the managing server was able to successfully receive
and execute the command. If the command target is a Security Agent, the Task status
does not necessarily indicate whether the target Security Agent or object successfully
executed the command.
If the task status is Queued or Unsuccessful you can click the Resend command icon to
immediately send the exact same command to the managing server.
Depending on the action taken, additional actions may be available by clicking the
options buttons at the end of the row.
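The task statuses and the resend rule described above can be checked against a small state model. The Python below is an added example, not Trend Micro code and not the Response Management app's implementation: it moves a constructed task through Pending approval, In progress, Queued, Unsuccessful and Successful according to the rules in the text (24-hour offline limit, send errors and execution time-outs, resend only from Queued or Unsuccessful) and records the caveat that Successful reflects receipt by the managing server rather than execution by the Security Agent. The class, function names and the outcome flags passed to deliver() are assumptions made for the example.

```python
"""Track a response task through the statuses reported in the Response Management table.

Added example (not Trend Micro code): the status rules come from the text; the
class, function names and the constructed task are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

OFFLINE_LIMIT_HOURS = 24.0               # agent offline longer than this -> Unsuccessful
RESENDABLE = {"Queued", "Unsuccessful"}  # Resend is offered only in these statuses


@dataclass
class ResponseTask:
    operation_id: str
    task: str                 # the action, e.g. "Isolate endpoint"
    target: str               # the object the action is applied to
    triggered_by: str         # user who triggered the response
    status: str
    last_update: Optional[datetime] = None   # last time data about the task was received
    history: List[str] = field(default_factory=list)

    def set_status(self, status: str) -> None:
        self.status = status
        self.last_update = datetime.now(timezone.utc)
        self.history.append(status)


def create_task(operation_id: str, task: str, target: str, user: str,
                needs_approval: bool = False) -> ResponseTask:
    """A new task waits for approval when required; otherwise it is sent at once."""
    t = ResponseTask(operation_id, task, target, user, status="")
    t.set_status("Pending approval" if needs_approval else "In progress")
    return t


def approve(t: ResponseTask) -> None:
    if t.status != "Pending approval":
        raise ValueError(f"cannot approve a task in status {t.status}")
    t.set_status("In progress")


def reject(t: ResponseTask) -> None:
    if t.status != "Pending approval":
        raise ValueError(f"cannot reject a task in status {t.status}")
    t.set_status("Rejected")


def deliver(t: ResponseTask, server_received: bool, agent_online: bool = True,
            offline_hours: float = 0.0, execution_timed_out: bool = False) -> None:
    """Apply the outcome of sending the command to the managing server.

    Caveat from the text: Successful means the managing server received the command;
    for a Security Agent target it does not prove the agent executed it.
    """
    if t.status not in ("In progress", "Queued"):
        raise ValueError(f"task is not in flight (status {t.status})")
    if not server_received or execution_timed_out:
        t.set_status("Unsuccessful")          # send error/time-out, or execution timed out
    elif not agent_online:
        if offline_hours > OFFLINE_LIMIT_HOURS:
            t.set_status("Unsuccessful")      # Security Agent offline for more than 24 hours
        else:
            t.set_status("Queued")            # server holds the command until the agent returns
    else:
        t.set_status("Successful")


def can_resend(t: ResponseTask) -> bool:
    return t.status in RESENDABLE


def resend(t: ResponseTask) -> None:
    """Resend sends the exact same command again; only offered when Queued or Unsuccessful."""
    if not can_resend(t):
        raise ValueError(f"resend not available in status {t.status}")
    t.set_status("In progress")


if __name__ == "__main__":
    # Constructed walk-through: an isolation command that is queued, times out, then succeeds.
    task = create_task("op-0001", "Isolate endpoint", "SERVER-03", "analyst", needs_approval=True)
    approve(task)
    deliver(task, server_received=True, agent_online=False, offline_hours=2)
    resend(task)
    deliver(task, server_received=True, agent_online=False, offline_hours=30)
    resend(task)
    deliver(task, server_received=True)
    print(" -> ".join(task.history))
```

The history line printed at the end shows the full path a single Operation ID can take before the table finally reports Successful, which is why the text recommends reading Task status as delivery to the managing server rather than as confirmation of the agent's action.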

Displays scripts that have been run on devices in the environment

The Custom Scripts tab displays a list of scripts that have been run on devices in the
environment and the user that ran them.

Demo:
Navigating within Workbenches

Managed Services
• Expert Threat Hunting
• 24x7 Monitoring and Detection
• Rapid Investigation

Pain points when dealing with cyberthreats:
• Lack of people, skills, team perhaps in transition
• Low bandwidth to deal with alerts and issues
• In great need of all services available or a complement of skills
• Just moved from other products, from other vendors
• Lack of skilled, qualified cybersecurity people
• Strong need of an extra pair of hands and eyes
• Bad experiences with threats and ransomware

While Trend Vision One provides a wide range of tools for detecting and responding to
attacks and threats, some organizations do not have the resources to handle these
activities.

Trend Micro's Managed Services can help by providing:
• Expert Threat Hunting: Trend Micro Managed Services takes advantage of the
cutting‐edge techniques provided by Vision One with verification and enrichment by
Trend Micro threat experts who understand our products inside and out. They can
verify false positives with enrichment and take advantage of experimental
techniques. They also use additional threat data which cannot be shared publicly.
• 24x7 Monitoring and Detection: 24x7 staffing is difficult for many organizations.
With Managed Services, security analysts provide 24x7 monitoring and detection. If
an incident is found and is of serious concern, investigators around the world can
work on the investigation around the clock while keeping your data in the MDR node
of your locality. Analysts will develop a detailed response plan and, with your
permission, can take responsive actions through the Trend Micro products.
• Rapid Investigation and Mitigation: Detailed response plans are generated to deal
with the threats in your organization and remote actions can be performed through
Trend Micro products.

Managed Services

Proactive
• Alert Monitoring: 24/7 alert monitoring and correlation; regular sweeping for new IOCs; hunting for new IOAs
• Initial Analysis: determine if an alert is noteworthy or not; if the alert is relevant, determine if the host has any history of abuse

Reactive
• Investigation: evaluate the impact of the incident within the organization; interpret the root cause chain, and determine threat profile; perform advanced investigation
• Response: initiate product response, deliver global protection updates; provide remediation recommendations, create clean-up toolkits (if required); monitor infection for reoccurrence

Managed Services includes 24x7 monitoring to look at all the alerts and prioritize which
threats need to be handled first, and possibly some initial impact analysis (for example,
is a file malicious on other protected systems). For these activities there is automated
analysis and intelligence gathering ‐ threat experts get involved early in the process, to
take actions as early as possible to detect and respond. Sometimes they dive into the
investigation and analysis.
Gathering additional information can determine vulnerabilities, understand what else
may have been downloaded, or if the original threat has mutated and spread. The
analyst investigates to determine the full root cause analysis and potential impact to
the affected customer.
They also work with the customer on the response:
• Initiate response or provide tools to help quarantine, isolate endpoints, kill processes,
etc.
• Provide a report to the customer about the event
• Provide recommendations
• Automatically generate a pattern and share it
Once the incident has been cleared, Trend Micro will continually sweep the enterprise
to ensure they are clean. In some cases, we may use that IoC to sweep other MDR
customers to ensure they do not have the same attack happening.

Trend Service One

Customers can go one step further and subscribe to Trend Service One.

Service One consolidates Trend Micro services, to help customers through their
experience. Whether a customer is looking to augment their team, add 24/7 support,
or interested in taking a more proactive approach to detection investigation and
response with a dedicated team of experts on their side, Trend Micro can help.

Benefits include:
• Priority support case handling, FAST Track – dedicated Service Manager / CSM / TAM
• Targeted Attack Detection; proactive, predictive, qualified ATTACK alerts ‐ guided
actions
• Full Managed XDR support
• On‐demand education via the education portal, best practices, admin and operational
guides
• Health Checks on Trend Micro products
• Guaranteed access to Incident Response team, with included engagement

Comparing Managed Services to Service One

Displays a list of requests submitted by the Managed Services operations team for taking response actions

The Request List tab displays a list of requests submitted by the Managed Services
operations team for taking response actions.

Managed Services sends response action requests for your manual approval if you
disable auto approval. You can choose either of the following ways to deal with the
response action requests:
• Approve or reject a request directly in the email notification without accessing the
Trend Vision One console
• Get an overview of all requests and manage one or more requests on the Request
List tab of the Managed Services app

View your Managed Services incident and monthly reports

View your MDR incident and monthly reports from this tab.

Configure contact details, approvals and view a list of assets

Configure MDR settings from this tab. Settings allow you to specify general information
and settings for your organization.

Contact Information: Make sure you add at least one contact during the initial setup.
The Managed Services operations team may contact the phone number you specified
in an emergency. By default, the first contact you add serves as the primary contact. If
there is only one contact, the only contact must allow both alert and report
notifications.
Be aware of the following when specifying an email address:
• The email address is mandatory for the primary contact.
• The email address is mandatory if you set a contact to receive report notifications
only.
• Each contact must have a unique email address.

Response approval: Configure response approval settings to specify how response
actions proceed before execution.
Click the Enable auto approval check box to automatically approve certain response
actions the Managed Services operations team takes based on investigations.
Clearing the check box disables auto approval, which means your manual approval is
required for every response action. Trend Vision One sends email notifications for each
response action to request your manual approval before execution.

Asset Management: Maintain an asset list to provide a centralized view of your critical
assets to the Managed Services operations team. Create a CSV file that contains your
asset information and click Import Assets. A sample CSV file is provided to illustrate the
required format.

Lesson Review

1. What is a Trend Vision One Workbench? How are they created?
2. What are some of the actions that can be applied to objects within a Workbench?
3. Describe Targeted Attack Detection

Hands‐on Labs
Lab 6: Creating a Workbench Example 1 (page 55)

Your Task
• Copy a malware file to the SERVER‐03 computer in the lab
environment and examine the resulting Workbench

Estimated time to complete these labs: 30 minutes


Hands‐on Labs
Lab 7: Creating a Workbench Example 2 (page 59)

Your Task
• Run a script file on the SERVER‐03 computer in the lab
environment and examine the resulting Workbench

Estimated time to complete these labs: 30 minutes


Lesson 7:
Sharing Threat Intelligence


Lesson Objectives
After completing this lesson, participants will be able to:
• Describe how Threat Intelligence is used in Trend Vision One


What vulnerabilities/threats/attacks are showing up around the world?


What is going on in the world in terms of cyber security? What vulnerabilities are
showing up around the world? There are many sources of information available, such
as web sites, blogs and podcasts, but it can be very time consuming to keep up to the
minute on threats showing up all over the globe.
Threat Intelligence helps because information from sources around the globe can be
integrated into the Trend Vision One console, which then scans the data lake for these
indicators of compromise.
Trend Vision One can take advantage of what other companies, organizations and
governments have discovered in their systems, and we can share with others as well.


Threat Intelligence
• Trend Vision One integrates up‐to‐the‐minute intelligence
from Trend Micro and reliable third parties to help you
identify threats
• Sweeps the environment for indicators of compromise and
suspicious objects
− Verify sweeping results for further investigation and analysis


Threat Intelligence provides Trend Vision One with access to various sources of threat
information, including Trend Micro and other reliable third‐party sources.
Trend Vision One sweeps the information in the data lake against these indicators of
compromise, looking for matches.

If you are worried about false positives when incorporating third party threat
intelligence, set the action to Log initially until you validate the information provided by
the source.

Threat Intelligence

Curated intelligence reports, Custom intelligence reports, Suspicious objects, Sandbox analysis
Custom report sources: STIX files, CSV files, MISP

Threat Intelligence leverages valuable indicators of potential threats from both curated
intelligence reports and your custom reports. Trend Vision One supports automatic
sweeping (once per day for 7 days) tasks based on curated intelligence and manual
sweeping tasks against custom intelligence to search your environment for IoCs. If there
are indicator matches, you can check the sweeping results for further investigation and
analysis.

Curated intelligence reports: Gather and integrate curated threat intelligence from
internal and external sources.

Custom intelligence reports: Build custom intelligence by importing your own reports
and retrieving data from third‐party intelligence sources. This includes
• STIX and CSV files: Subscribe to TAXII feeds to receive STIX files containing IoC
information, or download and import STIX or CSV files from trusted sources.
• MISP: MISP Threat Sharing is an open‐source threat intelligence platform. The
project develops utilities and documentation for more effective threat intelligence,
by sharing indicators of compromise. There are several organizations who run MISP
instances.

Suspicious objects: Consolidates suspicious object information based on input from
different sources.

Sandbox analysis: Sandbox analysis adds suspicious objects when it determines
possible threats for consolidation and synchronization. Sandbox assigns risk level based
on analysis results.

Note: For suspicious objects added through third‐party intelligence and manual
operations, the maximum limit is 10,000 for each object type. For suspicious objects
from Sandbox, the maximum limit is 25,000 for each object type.

Curated Intelligence Reports
• Trend Micro gathers and integrates curated threat intelligence from internal and external sources
• Enable Auto Sweeping for a source type
− Sweeps Endpoint Activity Data once every day for seven consecutive days based on each new report from the source
− Auto Sweeping supports a limited number of indicators per day

Trend Micro gathers and integrates curated threat intelligence from internal and
external sources.

If you turn on Auto Sweeping for a source type, Trend Vision One generates a
scheduled sweep and runs once every day for 7 consecutive days based on each new
report from the source.
Auto Sweeping supports a limited number of indicators per day.

A maximum of 50,000 indicators is allowed per day for Auto Sweeping. The quota limit
is shared by Auto Sweeping tasks triggered for:
• Curated reports from external sources
• Custom reports produced by third‐party intelligence
If the total number of indicators reaches the daily quota limit for Auto Sweeping, you
can trigger Manual Sweeping when necessary.

Enable the external sources from which to retrieve curated reports

In the Intelligence Reports app, click the Curated tab to view the reports provided by
Trend Micro. Click the Source list to select the external sources from which Trend
Vision One retrieves the curated intelligence reports.


On the Curated tab, click Auto Sweeping and select the report sources to sweep
against.

Custom Intelligence Reports
• Build custom intelligence reports by retrieving threat data from trusted third‐party intelligence sources
• Select a custom intelligence report to initiate a manual sweep based on identified indicators

Build custom intelligence reports by retrieving data from trusted third‐party intelligence
sources. Make sure the source is trustworthy.

You can select a custom intelligence report to initiate a manual sweep based on
identified indicators.

Note:
A maximum of 10,000 indicators is allowed per day for Manual Sweeping.


374 Copyright 2023 Trend Micro Inc.

In the Intelligence Reports app, click the Custom tab.


Initiate a manual sweep for any custom report

375 Copyright 2023 Trend Micro Inc.

Click the icon at the end of an entry line to initiate a manual sweep for any custom
report.


Click Add and select the method for adding the custom intelligence source

376 Copyright 2023 Trend Micro Inc.

Click Add and select the method for adding the custom intelligence source.


STIX files

Manually import the STIX file (v2.0 and v2.1) and specify the actions for any suspicious objects in the file

377 Copyright 2023 Trend Micro Inc.

Manually import the STIX file and specify the actions for any suspicious objects in the
file. Only STIX v2.0 and v2.1 are supported.


CSV files

Manually import a properly formatted CSV file and specify the actions for any suspicious objects in the file

378 Copyright 2023 Trend Micro Inc.

Manually import a properly formatted CSV file and specify the actions for any
suspicious objects in the file.


Selecting TAXII Feed redirects to the Third‐Party Integration app

379 Copyright 2023 Trend Micro Inc.

Selecting TAXII Feed redirects to the Third‐Party Integration app.


Provide the details of the TAXII server, including version, URL, authentication and polling criteria

Some common TAXII feeds include:
• mitre.org
• pickupstix.io
• anomali.com
• alienvault.com
380 Copyright 2023 Trend Micro Inc.

Provide the details of the TAXII server, including version, URL, authentication and
polling criteria.


Extract and block suspicious objects from any collections on that TAXII server and click to run auto sweeps

381 Copyright 2023 Trend Micro Inc.

Expand any collections within the feed. You can extract and block suspicious objects
from any collections on that TAXII server, or you can enable auto sweeps.


Selecting MISP redirects to the Third‐Party Integration app to configure the integration

Requires a connection to a Service Gateway

382 Copyright 2023 Trend Micro Inc.

Selecting MISP as the source redirects you to the Third‐Party Integration app to
configure the integration. Integrating with MISP requires a connection to a Service
Gateway.


Suspicious Objects

• Domain
• SHA‐1 hash (160 bits): 110110011…
• SHA‐256 hash (256 bits): 011000001…
• IP address: 192.168.45.68
• Sender address: sender@acme.com
• URL: https://shopping.badsite.com
383 | ©2023 Trend Micro Inc.

A suspicious object is a known malicious or potentially malicious domain, file hash
using SHA‐1, file hash using SHA‐256, IP address, sender address, or URL.
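As an added example that is not Trend Micro's code, the following Python shows how indicators of the six object types above can be pulled out of the two import formats covered earlier in this lesson, a STIX 2.x bundle and a CSV file, and validated before they are treated as suspicious objects. The STIX indicator pattern syntax is the real STIX 2.0/2.1 patterning grammar; the two-column CSV layout and all sample indicators are constructed for this example and are not Trend Micro's documented import format.

```python
import csv
import io
import ipaddress
import json
import re
from urllib.parse import urlparse

# The six object types the slide lists; every indicator is checked against its type.
SO_TYPES = ("domain", "sha1", "sha256",
            "ip", "sender", "url")

# STIX 2.x observable properties (real STIX patterning grammar) -> suspicious object type.
STIX_PROPERTY_TO_TYPE = {
    "domain-name:value": "domain", "file:hashes.'SHA-1'": "sha1",
    "file:hashes.'SHA-256'": "sha256", "ipv4-addr:value": "ip",
    "email-addr:value": "sender", "url:value": "url",
}
# One comparison inside a pattern, [object:property = 'value']; patterns may chain several.
_COMPARISON = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_EMAIL = re.compile(r"^[^@\s]+@([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify(value):
    """Return the suspicious object type a bare value has the shape of, or None.
    Used to cross-check the type a STIX property or CSV column claims, so that a
    40-hex digest labelled SHA-256 or a malformed IP is rejected, not imported."""
    v = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]{40}", v):
        return "sha1"
    if re.fullmatch(r"[0-9a-fA-F]{64}", v):
        return "sha256"
    try:
        ipaddress.IPv4Address(v)
        return "ip"
    except ValueError:
        pass
    if "://" in v:
        parts = urlparse(v)
        return "url" if parts.scheme in ("http", "https") and parts.netloc else None
    if _EMAIL.match(v):
        return "sender"
    return "domain" if _DOMAIN.match(v) else None


def _accept(found, declared, value):
    """Append (type, value) only if the value really has the declared type. Hashes and
    domains are stored lower-case so duplicates that differ only in case collapse."""
    if declared in SO_TYPES and classify(value) == declared:
        v = value.strip()
        pair = (declared, v.lower() if declared in ("sha1", "sha256", "domain") else v)
        if pair not in found:
            found.append(pair)


def extract_from_stix(bundle_json):
    """Suspicious objects from the indicator patterns of a STIX 2.0/2.1 bundle."""
    found = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue  # only (non-revoked) indicators carry IoC patterns
        for prop, raw in _COMPARISON.findall(obj.get("pattern", "")):
            value = raw.replace("\\'", "'").replace("\\\\", "\\")  # undo STIX quoting
            _accept(found, STIX_PROPERTY_TO_TYPE.get(prop), value)
    return found


def extract_from_csv(csv_text):
    """Suspicious objects from a CSV with 'type' and 'value' columns. This layout is a
    constructed assumption for the example, not Trend Micro's documented CSV format."""
    found = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        _accept(found, (row.get("type") or "").strip().lower(), row.get("value") or "")
    return found


# Constructed sample inputs (not real threat intelligence). The SHA-1 and SHA-256 values
# are the well-known digests of empty input; indicator--3 is deliberately mislabelled.
SAMPLE_STIX = json.dumps({"type": "bundle", "id": "bundle--example", "objects": [
    {"type": "indicator", "id": "indicator--1", "pattern_type": "stix", "pattern":
     "[domain-name:value = 'Shopping.BadSite.com'] OR [url:value = 'https://shopping.badsite.com/login']"},
    {"type": "indicator", "id": "indicator--2", "pattern_type": "stix", "pattern":
     "[file:hashes.'SHA-1' = 'DA39A3EE5E6B4B0D3255BFEF95601890AFD80709']"},
    {"type": "indicator", "id": "indicator--3", "pattern_type": "stix", "pattern":
     "[file:hashes.'SHA-256' = 'da39a3ee5e6b4b0d3255bfef95601890afd80709']"},
    {"type": "indicator", "id": "indicator--4", "pattern_type": "stix", "pattern":
     "[ipv4-addr:value = '192.168.45.68'] AND [email-addr:value = 'sender@acme.com']"},
    {"type": "malware", "id": "malware--1", "name": "not an indicator"},
]})
SAMPLE_CSV = """type,value
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
ip,192.168.45.68
ip,not-an-ip
url,https://shopping.badsite.com
domain,shopping.badsite.com
domain,SHOPPING.badsite.com
"""
```

Rejected rows (the mislabelled SHA-256 and the malformed IP) are silently skipped here; in a real import pipeline they should be logged for review rather than dropped.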


Suspicious Objects Management

Moves blocking to the perimeter

384 | ©2023 Trend Micro Inc.

Trend Vision One consolidates suspicious object information based on input from
different sources. Trend Vision One currently supports sending the consolidated
Suspicious Object List to Apex One as a Service, Cloud App Security, Cloud One –
Endpoint & Workload Security and Deep Security software if they are connected
properly or to a Service Gateway that enables connections to on‐premises Trend Micro
products like Deep Discovery Inspector, Deep Discovery Analyzer and TippingPoint, or
some third‐party applications within the network.

Trend Vision One consolidates suspicious object information based on input from
different sources:
• Manual submission: Objects can be submitted manually by an administrator within
a managed product, from the Trend Vision One console or through the API.
• Third‐party intelligence: Suspicious object information can be extracted from CSV or
STIX files imported from external sources.
• Sandbox analysis: Objects displaying suspicious characteristics are submitted to a
sandbox environment for evaluation and, if the object is confirmed to be risky, it is
added to the Suspicious Objects List. A license for Cloud Sandbox is required to
enable this method of submission.
• Service Gateway integration: Trend Vision One allows the coordination of suspicious
object data between it and on‐premises Trend Micro products such as Deep
Discovery Inspector, Deep Discovery Analyzer and TippingPoint through a Service
Gateway. Trend Vision One can also send suspicious object data to on‐premises
firewall products such as Palo Alto, Broadcom, Check Point, and Fortinet through a
Service Gateway.

Synchronizing suspicious objects with firewall devices allows the blocking operations to
be moved to the perimeter. Actions can be set in the firewall devices upon detection of
suspicious object details retrieved from Trend Vision One.


Adding to Suspicious Objects List

• Manual
• Extracted from Threat Intelligence
• Sandbox Analysis

385 | ©2023 Trend Micro Inc.

Objects can be added to the Suspicious Objects List through a few different methods:

• Manually through the Trend Vision One console
• Extracted from threat intelligence, including custom intelligence reports, TAXII feeds
or MISP
• Sandbox analysis: manual or automatic submission in managed products, manual
submission from Trend Vision One, or synchronized from Deep Discovery Analyzer


Manual Submission
• Add objects from Trend Vision One console
• Select the type of object
− Malicious domain
− File hash using SHA‐1
− File hash using SHA‐256
− IP address
− Sender address
− URL
• Identify attributes
− Risk level
− Action (log, block/quarantine)
− Expiry

386 | ©2023 Trend Micro Inc.

When suspicious objects are submitted manually:

Select the type of object
• Malicious domain
• File hash using SHA‐1
• File hash using SHA‐256
• IP address
• Sender address
• URL

Identify attributes
• Risk level
• Action (log, block/quarantine)
• Expiry


Manual Submission
Add suspicious object details,
along with the Risk level, Action
and Expiration

387 Copyright 2023 Trend Micro Inc.


Extracted from Third‐Party Intelligence


• Extract suspicious objects from custom
intelligence reports

388 | ©2023 Trend Micro Inc.

Use Third‐Party Intelligence to extract suspicious objects from custom intelligence
reports.


Extract suspicious objects from custom intelligence reports

389 Copyright 2023 Trend Micro Inc.


Extract suspicious objects in STIX files

390 Copyright 2023 Trend Micro Inc.

Suspicious objects can also be extracted from manually imported STIX files. You can
specify the actions for any suspicious objects in the file.


Extract and block suspicious objects from any collections on that TAXII server and click to run auto sweeps

391 Copyright 2023 Trend Micro Inc.

Suspicious Objects can be extracted from any collections on a TAXII server. Auto Sweeps
can also be run on those objects.


Extract and block suspicious objects from the MISP feed and select to run auto sweeps

392 Copyright 2023 Trend Micro Inc.



Sandbox Analysis
• Manual or automatic submission of
suspicious items for analysis in a
secure sandbox environment
− Apply credits for sample submission
• Connected products receive details of
suspicious objects and will perform
defined action
− Log, Block/Quarantine

393 | ©2023 Trend Micro Inc.

Objects can be submitted for analysis manually or automatically from managed products
(Deep Security Software, Apex One (on‐premises), Apex One as a Service, Cloud App
Security).
Objects can also be submitted manually from Trend Vision One, for example, by right‐
clicking an object in a Workbench.
Submitted samples are kept for four days.


Suspicious Activities

394 | ©2023 Trend Micro Inc.

Activity is monitored within the sandbox environment for activities such as those listed
here.


View details of the analysis by downloading the Sandbox Analysis Report (PDF format)

395 Copyright 2023 Trend Micro Inc.

Reports are kept in Trend Vision One for 180 days.

Report includes:
• Risk rating
• Suspicious Object (SO)
• SHA1
• Notable characteristics
• Detection name
• True file type
• FilterCRC


Products Supporting Sandbox Analysis


• Deep Security Software
• Apex One as a Service
• Cloud App Security
• Trend Vision One
• Cloud One – Endpoint & Workload Security (does not contribute,
uses results only)

396 | ©2023 Trend Micro Inc.

Trend Micro products supporting Sandbox Analysis include:

• Deep Security Software
• Apex One as a Service
• Cloud App Security
• Trend Vision One
• Cloud One – Endpoint & Workload Security (does not contribute, uses results only)


Sandbox Analysis from Deep Security Software

Option 1: Deep Security + Deep Discovery Analyzer, with Apex Central
Option 2: Deep Security + Cloud Sandbox

397 | ©2023 Trend Micro Inc.

Deep Security can participate in Trend Micro Threat Intelligence through two different
sources:
• Using heuristic detection, Deep Security can identify document files that are
deemed suspicious and submit them automatically to Deep Discovery Analyzer for
analysis. If the analysis indicates that a particular file does contain malware, Deep
Discovery will provide the information to Trend Micro Apex Central. Through Apex
Central, an action for this malware can be specified and any Trend Micro product can
subscribe to the suspicious object list from Apex Central to remediate threats.
• If Deep Security has been integrated with Trend Vision One and a license for the
Cloud Sandbox is available, Deep Security can submit files to the Cloud Sandbox for
analysis. If the analysis indicates that a particular file does contain malware, Cloud
Sandbox will provide the information to Trend Vision One Suspicious Object
Management app where an action for this malware can be specified. Any Trend
Micro product registered with Trend Vision One can subscribe to the suspicious
object list to remediate threats.
Threat Intelligence allows multiple Trend Micro products to share threat information
and analysis across multiple layers of protection critical to defending against advanced
threats.


A license for Cloud Sandbox (Sandbox as a Service) is required for Deep Security Software to use Trend Vision One Threat Intelligence instead of a physical Deep Discovery Analyzer device and Apex Central

398 Copyright 2023 Trend Micro Inc.

A license for Cloud Sandbox (Sandbox as a Service) is required for Deep Security
Software to use Trend Vision One Threat Intelligence instead of a physical Deep
Discovery Analyzer device and Apex Central.


Select Trend Vision One for Sandbox Analysis and for subscribing to the Suspicious Objects List

399 Copyright 2023 Trend Micro Inc.

After connecting Deep Security Software with Trend Vision One, click Administration >
System Settings. On the Threat Intelligence tab, select Trend Vision One from the
Submit suspicious file to list, and select it again for Compare objects against Suspicious
Objects List.


Sandbox Analysis from Deep Security Software

Update Deep Security policies to enable automatic submission to and retrieval of the Suspicious Objects List

400 | ©2023 Trend Micro Inc.

Update Deep Security policies to enable automatic submission and retrieval of the
Suspicious Objects List.


Sandbox Analysis from Deep Security Software

Files can be submitted manually for sandbox analysis from the Identified Files tab for any device

401 | ©2023 Trend Micro Inc.

Files can be submitted manually for sandbox analysis from the Identified Files tab for
any device.


Sandbox Analysis from Apex One as a Service


• Requires license for Cloud Sandbox
• Policy must be distributed to endpoint computers to submit samples
for analysis

402 | ©2023 Trend Micro Inc.


403 Copyright 2023 Trend Micro Inc.

Create a policy with sample submission enabled. Any endpoints using this policy will
submit any suspicious file to the Cloud Sandbox for analysis.


Sandbox Analysis from Cloud One ‐ Endpoint & Workload Security

• Cloud One – Endpoint & Workload Security can use the Trend Vision
One‐managed Suspicious Objects List, but does not contribute to it
− No manual or automatic submissions

404 | ©2023 Trend Micro Inc.

Cloud One – Endpoint & Workload Security can use the Trend Vision One‐managed
Suspicious Objects List but does not contribute to it, as there are no manual or
automatic submissions from this product.


405 Copyright 2023 Trend Micro Inc.


Sandbox Analysis from Cloud App Security

406 | ©2023 Trend Micro Inc.


Submit object for Sandbox Analysis from within the Trend Vision One console

407 Copyright 2023 Trend Micro Inc.

Submit for Sandbox Analysis is available on the right‐click menu in the Trend Vision
One console for any appropriate objects.


Click any object in the list to view its details

408 Copyright 2023 Trend Micro Inc.

Expand Threat Intelligence and click the Suspicious Object Management app. The
detected items are listed on the Suspicious Object List tab. Click any object to view its
details.


Update the Risk level, Action and Expiry

409 Copyright 2023 Trend Micro Inc.

From the Suspicious Object Details frame, update the risk level, action and expiry as
well as any description.


Alternately, delete, change Action, update Expiry or add to Exceptions by selecting an item in the list

410 Copyright 2023 Trend Micro Inc.

Alternately, you can delete, change Action, update Expiry or add to Exceptions by
selecting an item in the list.


Credit Usage – Sandbox Analysis

Sandbox Analysis requires 50 credits per daily submission for 180 days of data retention
(for example, a submission limit of five files per day uses 250 credits)

411 | ©2023 Trend Micro Inc.

Sandbox analysis requires 50 credits per daily submission for 180 days of data
retention.
For example, if you want to submit 5 files each day for analysis, your credit usage is 250
credits.

You can submit objects up to the daily reserve until allocated credits expire. For
example, if you allocate 50 credits for a daily reserve of one, you can perform one
submission per day until the credits expire.
The daily reserve sets the maximum number of objects you can analyze each day.
Objects with a "Not analyzed" risk level do not count toward the daily reserve.
Submissions available resets each day at 00:00 (UTC).


Suspicious Objects Sharing with Third‐Party Products


• Service Gateway used as a connector to third‐parties for suspicious
object sharing

• FortiGate Next‐Generation Firewall
• Palo Alto Panorama
• ProxySG and Advanced Secure Gateway
• Check Point Open Platform for Security (OPSEC)
• MISP
412 | ©2023 Trend Micro Inc.

The Service Gateway is used as a connector to third‐parties for suspicious object sharing:
• FortiGate Next‐Generation Firewall
• Palo Alto Panorama
• Broadcom ProxySG and Advanced Secure Gateway
• Check Point Open Platform for Security (OPSEC)
• MISP


For each third‐party integration, enable integration, define data transfer parameters and connect to a Service Gateway

413 Copyright 2023 Trend Micro Inc.

For each third‐party firewall integration, enable integration, define data transfer
parameters and connect to a Service Gateway.


Extract Suspicious Objects details from third‐party intelligence
414 Copyright 2023 Trend Micro Inc.

For MISP integration, define the transfer and retrieval parameters. Select the options to
extract and block suspicious object details from third‐party intelligence.
Objects are transferred to, and retrieved from, MISP using tagging data.
Create the appropriate tags in your MISP server.


Exception List
• Objects that are considered safe can be added to the Exception List
− Connected products do not act on the object
• Objects are excluded from the Suspicious Object List during the next
synchronization and will not be added as a suspicious object in the
future

415 | ©2023 Trend Micro Inc.

You can select objects that are considered safe and add them to the Exception List.
When a connected product detects a suspicious object in the Exception List, the
connected product considers the object as safe and does not act on the object.

Trend Vision One excludes the object from the Suspicious Object List during the next
synchronization and will not add it as a suspicious object in the future.


416 Copyright 2023 Trend Micro Inc.

If you know the details of the item to add to the Exception List, you can add it
manually. Click Add.


Select the Method and provide its details

417 Copyright 2023 Trend Micro Inc.

Select the method and provide the details of the item to add to the Exception List.


418 Copyright 2023 Trend Micro Inc.

Alternately, select an item from the Suspicious Objects List and click Add to Exception
List.


Campaign List
Lists currently active campaigns

Campaign Overview
Provides a summary of the regions and industries currently experiencing active threats

Impact Scope
Displays devices and accounts affected by this threat campaign and when it was last seen
419 Copyright 2023 Trend Micro Inc.

The Campaign Intelligence app collects and organizes information about active threat
campaigns.

Campaign Intelligence is an always up‐to‐date information resource for active
campaigns, security threats, and software vulnerabilities, curated by Trend Micro threat
experts. A campaign is a set of malicious activities carried out by a threat actor to
target an organization, region, or industry. Campaigns typically use specific techniques
(TTPs) and can be identified by threat types such as intrusion sets, ransomware, APT
attacks, or software vulnerabilities.

The Campaign List frame displays the names of currently active threats, along with the
threat type and date of the most recent data update.

Campaign Overview frame contains a summary of the industries and regions affected
by the different campaigns.

The Impact Scope frame displays any devices or accounts containing matched
indicators of the selected threat.


Demo:
Integrating Threat Intelligence


Lesson Review

1. What are the different methods for adding objects to the Trend Vision One
Suspicious Objects List?

2. What are the different kinds of suspicious objects?

3. What are the actions that can be taken on suspicious objects?

421 | ©2023 Trend Micro Inc.


Hands‐on Labs
Lab 8: Adding a Third‐Party Intelligence Source (page 63)

Your Task
• Connect a third‐party source for collecting threat
intelligence

Estimated time to complete these labs: 15 minutes

422 | ©2023 Trend Micro Inc.


Hands‐on Labs
Lab 9: Creating a Custom Intelligence Report (page 67)

Your Task
• Create a Custom Intelligence Report using a CSV file

Estimated time to complete these labs: 20 minutes

423 | ©2023 Trend Micro Inc.


Lesson 8:
Searching the Data Lake


Lesson Objectives
After completing this lesson, participants will be able to:
• Search the data lake using simple and complex searches

425 | ©2023 Trend Micro Inc.

After completing this lesson, participants will be able to:
• Search the data lake using simple and complex searches


Search App
• Construct query strings to pinpoint the data
or objects in the data lake
• Provides different search methods, filters,
and a query language to identify, categorize,
and retrieve results
• Enables historical investigation of the data
(not a live query)
• Save and reuse queries
• Create Watchlists for saved queries

426 | ©2023 Trend Micro Inc.

The Search app allows the analyst to construct query strings to pinpoint the data or
objects in the data lake. It provides different search methods, filters, and a query
language to identify, categorize, and retrieve results.
The app enables historical investigation of the data as this is not a live query of the
endpoints, email accounts, network etc.
You can save and reuse queries that you build, and you can also create Watchlists for
saved queries.


Search App
• Not all products share the same database fields
− Activity Data – Search endpoint, email, network, web, mobile and secure
access telemetry data
− Detection Data – Search product detections logs
− General Search – Search common fields from telemetry and detection data
• Supports full/partial match, wildcards and logical operators

427 | ©2023 Trend Micro Inc.

Not all products share the same database fields, so you may have to try several
different criteria options to locate the exact data you want:
• Activity Data – Search endpoint, email and network telemetry data
• Detection Data – Search product detection logs
• General Search – Search common fields from telemetry and detection data

For details on General search mapping, view the following support document:
https://docs.trendmicro.com/en-us/enterprise/trend-micro-vision-one/xdr-part/search-app/data-mapping-intro/data-mapping-sdl.aspx
Search supports full/partial match, wildcards and logical operators.

When a search string includes a double quote (") or backslash (\), you must use the
backslash escape character (\) to indicate that the special character is part of the
search criteria and not special mark‐up.


1. Select Search Method (which data collection)
2. Type query details
3. Set time range
4. Click Search (or <enter>)

Results are displayed
428 Copyright 2023 Trend Micro Inc.

A typical search flow:

1. Select the Search Method (which collection of data Search will look through)
2. Type your query, using simple or complex syntax
3. Set your time period
4. Click Search or press the <enter> key
The entries in the data lake that matched the query are displayed.


Use the General search method to search all data from your connected products using normalized search criteria

Fields in General searches map to fields by other names in other search methods
429 Copyright 2023 Trend Micro Inc.

Data related to the different sensors is collected into selectable Search Methods. Make
your selection from the list.

Use the General search method to search all data from your connected products using
normalized search criteria. Fields in General searches map to fields by other names in
other search methods.


General Search Docs

Examples of how General search fields map to fields in the other search methods:

DomainName
• Endpoint Activity Data: hostName
• Message Activity Data: source_domain
• Network Activity Data: domain
• Web Activity Data: requestBase
• Detection Data: hostName, interestedHost, objectDomain, shost, dhost, denyListHost

IPv4
• Endpoint Activity Data: endpointIp, objectIp, dst, src
• Message Activity Data: source_ip
• Network Activity Data: ip
• Web Activity Data: dst
• Detection Data: src, dst, interestedIp, endpointIp, peerIp, denyListIp

FileSHA1
• Endpoint Activity Data: objectFileHashSha1, parentFileHashSha1, processFileHashSha1, srcFileHashSha1
• Message Activity Data: mail_attachments.file_sha1
• Network Activity Data: fileHash
• Web Activity Data: fileHash
• Detection Data: attachmentFileHash, attachmentFileHashSha1, compressedFileHash, denyListFileHash, objectFileHashSha1, oldFileHash
430 | ©2023 Trend Micro Inc.

Data fields available for General searches correspond to fields in other types of
searches. A few examples are shown in this table.
For full details, visit https://docs.trendmicro.com/en-us/enterprise/trend-micro-vision-one/common-apps/search-app/data-mapping-intro/data-mapping-sdl.aspx
or click the button on the slide.

For example, if you search using Domain Name in General searches, it will look at
hostName in Endpoint Activity Data, source_domain in Message Activity Data, domain
in Network Activity Data, requestBase in Web Activity Data and a selection of fields in
Detection Data.

431 | ©2023 Trend Micro Inc.

Use the Observed Attack Techniques search method

432 Copyright 2023 Trend Micro Inc.


433 Copyright 2023 Trend Micro Inc.

The data fields available for Detection searches are shown here.


434 Copyright 2023 Trend Micro Inc.

The data fields available for Email Activity searches are shown here.


435 Copyright 2023 Trend Micro Inc.

The data fields available for Endpoint Activity searches are shown here.


436 Copyright 2023 Trend Micro Inc.

The data fields available for Network Activity searches are shown here.


437 Copyright 2023 Trend Micro Inc.

The data fields available for Secure Access Activity searches are shown here.


438 Copyright 2023 Trend Micro Inc.

The data fields available for Web Activity searches are shown here.


Simple Search Syntax


• Partial match: Provides all results that contain the search string in
any data field
− john: Returns all results that contain john as part of the data string in any
data field
• Exact match: Provides all results that contain the exact search
string in any data field
− "john": Returns all results that contain the exact string "john" in any data
field

439 | ©2023 Trend Micro Inc.

Simple search does not support Message Activity Data or Network Activity Data.
To search both the Endpoint Activity Data and Detections, select the General search
method. Select either Endpoint Activity Data or Detections to search a specific set of
data.

When using the Simple Search method, take note of the following limitations:
• Ensure that the use of the space character exactly matches the results that you want. A
double space within the search string omits any results that only include one space
character in the same location.
• The performance of the search decreases when using multiple logical operators.
• Enclose the search string in double quotation marks (" ") for an exact match.


Simple Search Syntax


• Operators: AND, OR, NOT
− john_d AND credit: Only returns results in which the data
contains both john_d and credit in any field
(example: objectUser=john_doe;
fileName=creditcard.txt)

440 | ©2023 Trend Micro Inc.



441 Copyright 2023 Trend Micro Inc.


442 Copyright 2023 Trend Micro Inc.


Complex Search Syntax


• Partial match: Provides all results for the specified field that contain the
partial search string
− endpointName:win
• Full match: Provides all results for the specified field that contain the
exact search string specified
− endpointName:"win-0QPRAOEPK5A"
• Logical operator‐Multiple fields: Provides all results that match the
requirements specified for multiple fields using the AND, OR, NOT
operators
− "sshd" AND dst:8.8.8.8 AND dpt:53

443 | ©2023 Trend Micro Inc.

Partial match: Provides all results for the specified field that contain the partial search
string
endpointName:win

Full match: Provides all results for the specified field that contain the exact search
string specified
endpointName:"win-0QPRAOEPK5A"

Logical operator‐Multiple fields: Provides all results that match the requirements
specified for multiple fields using the AND, OR, NOT operators
"sshd" AND dst:8.8.8.8 AND dpt:53
This query searches all occurrences where sshd connected to IP address 8.8.8.8 on the
DNS port (53) for a DNS query.


Complex Search Syntax


• Logical operators, multiple values: provides all results that match the requirements specified for multiple values in the same field, combined with the AND, OR and NOT operators
− eventName:DEEP_PACKET_INSPECTION AND (ruleID:1008610 OR ruleID:1011242 OR ruleID:1005177)
• Wildcard usage: provides results in which the field value matches a pattern containing the * wildcard character
− endpointName:john*
− Returns all results whose endpoint name starts with john, for example john, john_doe, johndoe, johnd


Logical operators, multiple values: provides all results that match the requirements specified for multiple values in the same field, combined with the AND, OR and NOT operators. For example: eventName:DEEP_PACKET_INSPECTION AND (ruleID:1008610 OR ruleID:1011242 OR ruleID:1005177)

Wildcard usage: provides results in which the field value matches a pattern containing the * wildcard character. For example, endpointName:john* returns all results whose endpoint name begins with john, such as john, john_doe, johndoe and johnd.


Complex Search Syntax


• Search terms are not case-sensitive, but operators (AND, OR, NOT) and field names are


Search Tips
• Use "" to search for empty fields
− objectCmd:""
• Search for two or more values in the same field
− endpointHostName:("devwks1001" OR "agent1010")
− endpointIp:(192.168.10.41 OR 192.168.1.54 OR 192.168.1.42)
• Search for URLs (exact, wildcard or partial match)
− url:"https://ca75-1.winshipway.com"
− url:https://*.winshipway.com
− url:winshipway.com


Search Tips
• Hashes are matched exactly only
− file_sha1:"5e7677272b112b90777900f5dd8bad5bd8152002"
− Cloud App Security only supports SHA1
− Network Security does not support MD5
• Search for a malware type or family
− malName:Trojan
− malName:Trojan.MSIL.SHELLMA.AA
− malName:(Trojan.MSIL* OR Backdoor.MSIL*)


Search Tips
• Take advantage of MITRE ATT&CK tactic and technique IDs
− tags:(T1059 OR T1064)
• Take advantage of CVE numbers
− ruleName:CVE-2019-0708
− ruleName:CVE-2 (partial match: every rule whose name contains CVE-2)
• Search for tools or software
− FileFullPath:rclone.exe OR URL:(downloads.rclone.org OR "https://github.com/rclone/*")
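The rules on the Simple Search, Complex Search and Search Tips slides can be tried out offline with the following Python evaluator. It is an added illustration, not Trend Micro's search implementation: it models only the documented behaviour (AND, OR, NOT; field:value partial match; quoted exact match; the * wildcard; field:(a OR b) groups; field:"" for empty values; case-insensitive terms with case-sensitive operators and field names; the double-space caveat) over four constructed sample records, and it rejects anything the slides do not define, such as two words with no operator between them, rather than guessing. The grammar it implements is expr := term (OR term)*, term := factor (AND factor)*, factor := NOT factor | (expr) | field:value | field:"value" | field:(expr) | word | "string".

```python
# Added example, not Trend Micro's search engine: a toy evaluator of the rules the slides document.
import re
from fnmatch import fnmatchcase

RECORDS = [  # constructed sample data, not real telemetry; field names follow the slides
    {"endpointName": "win-0QPRAOEPK5A", "objectUser": "john_doe", "fileName": "creditcard.txt", "objectCmd": ""},
    {"endpointName": "win-0QPRAOEPK5A-2", "objectUser": "alice", "url": "https://ca75-1.winshipway.com", "objectCmd": "notepad.exe"},
    {"endpointName": "johnd", "processName": "sshd", "dst": "8.8.8.8", "dpt": "53", "objectCmd": "sshd -D"},
    {"endpointName": "srv01", "eventName": "DEEP_PACKET_INSPECTION", "ruleID": "1008610", "objectCmd": ""},
]
TOKEN_RE = re.compile(r'\s*(\(|\)|"[^"]*"|[^\s()"]+)')  # ( ) "quoted string" or bare word (maybe field:value)

def tokenize(query):
    tokens, pos = [], 0
    while m := TOKEN_RE.match(query, pos):
        tokens.append(m.group(1))
        pos = m.end()
    if query[pos:].strip():                      # leftover text no token matched
        raise ValueError("unterminated quotation mark")
    return tokens

def parse(query):
    # expr := term (OR term)*; term := factor (AND factor)*; factor := NOT factor | (expr) | field:value | field:"v" | field:(expr) | word | "string"
    toks, pos = tokenize(query), [0]
    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None
    def take():
        tok = peek()
        pos[0] += 1
        return tok
    def chain(field, op, below):                 # left-associative run of one operator
        left = below(field)
        while peek() == op:
            take()
            left = (op.lower(), left, below(field))
        return left
    def expr(field):
        return chain(field, "OR", lambda f: chain(f, "AND", factor))
    def group(field):                            # '(' already consumed
        node = expr(field)
        if take() != ")":
            raise ValueError("missing closing parenthesis")
        return node
    def factor(field):                           # leaves are ('match', field_or_None, text, exact)
        tok = take()
        if tok is None or tok == ")":
            raise ValueError("incomplete query")
        if tok == "NOT":
            return ("not", factor(field))
        if tok == "(":
            return group(field)
        if tok.startswith('"'):                  # quoted: exact match, spaces included
            return ("match", field, tok[1:-1], True)
        if field is None and ":" in tok:         # field:value, field:"v" or field:(...)
            name, value = tok.split(":", 1)
            if value:
                return ("match", name, value, False)
            nxt = take()
            if nxt == "(":
                return group(name)               # every atom in the group is scoped to the field
            if nxt and nxt.startswith('"'):
                return ("match", name, nxt[1:-1], True)
            raise ValueError(f"no value given for field {name}")
        return ("match", field, tok, False)      # bare term: partial match
    node = expr(None)
    if peek() is not None:                       # leftover token, e.g. a lowercase 'and'
        raise ValueError(f"unexpected {peek()!r}: operators are AND, OR, NOT (case-sensitive)")
    return node

def value_matches(actual, text, exact):
    a, t = actual.lower(), text.lower()          # searched terms are not case-sensitive
    if exact:
        return a == t                            # "sshd  -D" (two spaces) never equals "sshd -D"
    if "*" in t:
        return fnmatchcase(a, t)                 # john* matches john, john_doe, johnd
    return t in a                                # unquoted value: substring match

def matches(node, record):
    kind, *args = node
    if kind == "not":
        return not matches(args[0], record)
    if kind in ("and", "or"):
        left, right = (matches(a, record) for a in args)
        return (left and right) if kind == "and" else (left or right)
    field, text, exact = args
    if field is None:                            # no field given: any field may match
        return any(value_matches(v, text, exact) for v in record.values())
    return field in record and value_matches(record[field], text, exact)  # field names are case-sensitive

def search(query, records=RECORDS):
    tree = parse(query)
    return [r["endpointName"] for r in records if matches(tree, r)]  # endpointName of each hit, in data order

def is_valid(query):
    try:
        parse(query)
        return True
    except ValueError:
        return False
```

Call search() with any of the slide queries against RECORDS to see which records they select; is_valid() shows why a lowercase and or or is rejected. Treat the evaluator as a mental model of the documented rules, not as an oracle for the data lake, which may apply tokenization details the slides do not describe.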


Save a query to use it another time or to create a Watchlist


Search queries can be saved and retrieved at a later date.


Run the saved query, add this query to the Watchlist, or open it in another window to modify its details.


Watchlists
• Automatically executes the saved query's criteria every 15 minutes on the latest data available
• After finding new data matches, the Search app sends an email notification to the recipients configured in the Notifications app


A Watchlist automatically executes the saved query's criteria every 15 minutes on the latest data available. After finding new data matches, the Search app sends an email notification to the recipients configured in the Notifications app.
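As an added example (not Trend Micro's code), the Python below reproduces what a Watchlist does outside the console: it re-runs a saved search query over the latest 15-minute window and hands only never-before-seen matches to a notifier of your choice, for cases where an email from the Notifications app is not the integration you want. The API details are assumptions to verify against the Automation Center reference linked at the end of this guide: the regional base URL, the /v3.0/search/endpointActivities endpoint, the TMV1-Query request header that carries the search string, the startDateTime/endDateTime/top parameters, and the uuid key on returned items. demo() runs offline on constructed results; make_api_fetch() is the network path.

```python
# Added example (not Trend Micro's code): a poller that does what a Watchlist does, re-run a saved
# search over the latest 15-minute window and notify only on matches not seen before.
# Assumptions to verify against the Automation Center API reference: regional base URL,
# /v3.0/search/endpointActivities, the TMV1-Query header, startDateTime/endDateTime/top, "uuid".
import json
import time
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

INTERVAL = timedelta(minutes=15)                       # a Watchlist re-runs its query every 15 minutes
T0 = datetime(2023, 9, 21, 0, 0, tzinfo=timezone.utc)  # fixed clock for the offline demo below


def search_url(base_url, start, end, top=500):
    """URL for one page of endpoint-activity search results between start and end (UTC)."""
    params = urllib.parse.urlencode({
        "startDateTime": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "endDateTime": end.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "top": top,
    })
    return f"{base_url}/v3.0/search/endpointActivities?{params}"


def make_api_fetch(base_url, token):
    """Return fetch(query, start, end) that runs the query via the API (network; not used by demo)."""
    def fetch(query, start, end):
        req = urllib.request.Request(search_url(base_url, start, end), headers={
            "Authorization": f"Bearer {token}",
            "TMV1-Query": query,                       # the search string travels in a header, not the URL
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp).get("items", [])
    return fetch


class Watchlist:
    """Re-run `query` over the last INTERVAL and hand only never-before-seen items to `notify`."""

    def __init__(self, query, fetch, notify, key="uuid"):
        self.query, self.fetch, self.notify, self.key = query, fetch, notify, key
        self.seen = set()                              # item keys already reported

    def run_once(self, now):
        items = self.fetch(self.query, now - INTERVAL, now)
        fresh = [i for i in items if i.get(self.key) not in self.seen]
        self.seen.update(i.get(self.key) for i in fresh)
        if fresh:
            self.notify(self.query, fresh)
        return fresh

    def run_forever(self, clock=lambda: datetime.now(timezone.utc)):
        while True:
            self.run_once(clock())
            time.sleep(INTERVAL.total_seconds())


def demo():
    """Offline run on constructed results: the second poll overlaps the first, so 'b' is not re-sent."""
    polls = [[{"uuid": "a"}, {"uuid": "b"}], [{"uuid": "b"}, {"uuid": "c"}]]
    sent = []
    wl = Watchlist("endpointName:win", lambda q, s, e: polls.pop(0),
                   lambda q, items: sent.append([i["uuid"] for i in items]))
    wl.run_once(T0)
    wl.run_once(T0 + INTERVAL)
    return sent                                        # [['a', 'b'], ['c']]


if __name__ == "__main__":
    print(demo())
```

The real endpoint pages its results (a nextLink field in the response), while this fetch reads a single page of up to top items, so add paging before relying on it for high-volume queries. The seen set also grows without bound; in long-running use, prune keys older than the lookback window.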


Demo:
Locating Data Using Searches


Lesson Review

1. How do General searches differ from other search methods?
2. How will the results differ when running a search using the string "server" and server?
3. What is the purpose of a Watchlist?


Hands‐on Labs
Lab 10: Running Searches (page 73)

Your Task
• Create search queries to locate the specified details in the
Trend Vision One Data Lake

Estimated time to complete these labs: 30 minutes


Lesson 9:
Responding to Incidents
Using Security Playbooks


Lesson Objectives
After completing this lesson, participants will be able to:
• Create playbooks
• Run playbooks manually
• Download the results from playbooks


Security Playbooks
• Streamline incident response activities through automation
• Playbooks are based on pre-built templates
− Easier to adopt
− Modify to set parameters and actions


Security playbooks can streamline incident response activities through automation, allowing the organization to respond more efficiently.
This feature is particularly handy in organizations with small teams, as some of the tasks related to dealing with incidents can be run automatically.

Playbooks are based on pre-built templates, but you can customize a template, for example to set parameters and actions.


Security Playbooks

Flowchart: Trigger, Condition, Decision, Action (one per branch), End


Playbooks use a flowchart-style layout. The system moves through each step of the playbook, verifies the conditions and performs the actions.
Approval and notification steps can be included as well.


Trigger

• What causes the Playbook to execute?
− Manual triggering by an analyst or administrator
− Scheduled execution
− A specified condition has been met


Triggers define the mechanism that causes the Playbook to execute.

A playbook can be triggered manually by an analyst or administrator, run on a schedule, or run automatically when a specified condition has been met.


Condition

• What are we looking for?
− Endpoints with a certain operating system
− CVEs with a certain risk level
− Exploit attempt detected
− …


Define conditions to indicate what the playbook is looking for, for example:
• Endpoints with a certain operating system
• CVEs with a certain risk level
• An exploit attempt detected
and many more.


Decision

• Triggers branching of actions
− Require notification (YES or NO)
− How to notify (EMAIL or CREATE TICKET)
− Request approval
  • Approve: take one path
  • Reject: take a different path


The playbook can branch down different paths.

The playbook can send a notification to an analyst or administrator if certain items are located. The playbook can also specify the method for the notification, for example by sending an email or by creating a ticket in your ticketing system (for example, ServiceNow). In that case, you must first have created the integration with ServiceNow in the Third-party Integration app.

The playbook can also branch based on the result of an approval request: if the request is approved, one path is taken; if it is rejected, a different path is taken.


Action

• What action should be taken?
− Send notification
− Run script
− Notify of results
− Collect file
− Quarantine message
− Add object to block list
− …


In the Playbook, you must define what actions will be taken when certain conditions
are met. These actions can include:
• Sending a notification
• Running a script
• Notifying an administrator or analyst of results
• Collecting files
• Quarantining messages
• Adding objects to the block list
And many more


End

• Terminate execution of the Playbook
− View the execution results
− Download the execution results


The End step terminates the execution of the playbook.

The analyst can then view or download the execution results. The results file is encrypted; the password for the file is displayed with the results.


Security Playbook templates are provided by Trend Micro. New templates are added to the list regularly.


Security Playbook templates are provided by Trend Micro, and new templates are added to the list on a regular basis.

The templates themselves cannot be modified, but you can create a Playbook from a template and modify the parameters of that copy.


Security Playbook templates are not editable
Click Create Playbook from Template to create an editable version

Here is an example of the Run Custom Script template. (It has been modified to show the entire chain of steps on one screen.)

Click Create Playbook from Template to create an editable version in which you can modify its parameters.


Alternately, click the icon on the Templates list to create an editable version

You can also click the file icon in the Templates list to create an editable version


Playbook in editing mode
Indicates this node must be edited to specify parameters

The template has been converted into an editable playbook. The exclamation mark icon indicates that the node must be edited to specify parameters.
Click the gear icon to configure a node, for example to set the trigger.


Edit the node to set the conditions. In this example, the playbook will locate Windows endpoints in the specified IP address range.


Edit this node to specify the notification parameters. In the example, the recipients will
receive an email notification that an approval is required to run a custom script.


In this node, you can specify if manual approval is required.


Supported scripts include PowerShell and bash

Edit this node to specify the action settings, in this example which script will be run once approval has been provided.


Edit this node to provide details of the results of the script. The script has run, and
information has been collected. The administrator or analyst can log into the playbook
and view the results of the script.


Click Enable to make the playbook active and save the parameters.


Since the trigger was set to manual, an administrator or analyst can log into the console
and run the playbook at any time. In the execution counts column, we can see that the
playbook has not been run yet.


If approval was required, click Approve or Reject

The Execution Results tab shows that the script was run. From here, analysts and administrators can approve or reject the execution of an operation and download the results of a Playbook script.


If the script generated a result, download the file with the details

If the script generated a result, download the file with the details.
The results file is encrypted. The password is displayed in the Download Result frame.
Paste the password into the unarchiving application.


Demo:
Creating and
Running Security Playbooks


Lesson Review

1. What is the purpose of a Security Playbook?
2. What methods are available to trigger the execution of a Security Playbook?


Hands‐on Labs
Lab 11: Creating Security Playbooks (page 75)

Your Task
• Create security playbooks to automate certain operations in
Trend Vision One

Estimated time to complete these labs: 20 minutes


Resources


Education Resources

…and more to come



There are several learning resources on the Trend Micro Education portal. Log into your
account to view the options.


Certification Exam


Log into the portal and locate the Vision One XDR Certified Professionals course


Certification Exam


Click the exam in the course content list. Start Learning Now to start the timer.

Certification Exam


Once successful, you can download your completion certificate and digital badge


Additional Resources
Online Help Center
https://docs.trendmicro.com/en-us/enterprise/trend-vision-one.aspx

Trend Vision One Automation Center
https://automation.trendmicro.com/xdr/home

In-product Resource Center

Link to the documentation from within the portal (Online Help Center) or visit
https://docs.trendmicro.com/en-us/enterprise/trend-micro-vision-one.aspx

Automation Center for sample scripts, code snippets and more resources for developers (https://automation.trendmicro.com/xdr/home)


Course Survey
Trend Micro Education Classroom Survey
www.surveymonkey.com/r/TrendMicroTraining

Comments and suggestions are welcome and appreciated; they help guide the development of future training offerings.

VERY IMPORTANT

Complete online survey. This helps guide development of training.


Thank you for attending
