Frequently Asked Questions (FAQs) about Co-Managed XDR

Product / Version includes:

Worry-Free Business Security Advanced10.0 , Worry-Free Business Security Services6.7 , Remote ManagerAll

Last updated: 2021/08/28

Solution ID: KA-0012116

Category: Configure

Summary

This article answers the common questions about the Co-Managed XDR.

EXPAND ALL

What is Worry-Free with Co-Managed XDR?

Worry-Free with Co-Managed XDR is a cross-product, cross-customer, and cross-partner detection and response service. This is co-managed by Trend Micro and MSPs. Worry-Free with Co-Managed XDR helps mitigate threats for customers while alleviating overburdened MSPs and elevating security offerings without a significant time and cost investment.

Benefits include the following:

Provides holistic threat visibility and correlation across endpoint and email, enabling proactive
containment and intelligent response by Trend Micro’s threat experts.
In addition to what Worry-Free XDR provides, it adds co-managed detection and response services for MSPs, along with:
- 24/7 threat experts: Cuts through the fog of constant alerts to isolate genuine threats in their earliest stages, providing MSPs with personalized remediation steps for their customers.
- Cross-customer analysis: The service automatically checks the MSPs customer base for the same threat and takes action to protect multiple customers at once.
- Cross-partner analysis: Threat analysts review similar threats across partners, especially those in the same industry, to provide proactive response.
- Incident response: Provides customized recommendations, or Trend Micro threat experts can conduct actions if authorized by MSPs.
- Monthly case activity summary report: Provides an executive view of incidents and threats detected and mitigated for the month.

What is the sensor being used?

The sensors being used for WFXDR are:

CAS for email sensor
EDR for endpoint sensor.

Is the global blocking of Noteworthy Object (URL/File) in real-time?

It is usually blocked after reclassification but the pattern update may take up to 12 hours. However, blocking Noteworthy Objects found on the ETA chain of the customer who triggered the alert can be real-time as it can be added to UDSO.

Can a newly spawn C&C Servers IP be blocked?

No because as of the moment the products associated with the service are mainly for endpoint and email only, however, the corresponding URL can be blocked by the service team or the product itself because of the behavior of the file trying to connect to it. If it is a zero-day URL, the service team could have it reclassified as Dangerous - C&C server so it will be blocked globally by WFBS alone. The IP address that you need to block on your firewall will be included in the report.

What are the requirements for investigation?

Cloud App Security (CAS) license, and Worry-Free Business Security Services (WFBS-SVC) + EDR license (Co-Managed XDR license) needs to be successfully provisioned.

What are the criteria's on how to trigger Noteworthy events on our customer/partner's end?

With WFBSS ETA on 4 categories: Virus, WTP, Machine Learning, Behavior Monitoring
Worry-Free Business Security Services can do correlation to get noteworthy event in 3 ways: EDR, CAS, and EDR+CAS. If a detection consists of suspicious object or unknown malicious object, detection will become a noteworthy event.

How does an investigation kick-off?

Investigation will kick off once we receive an email notification of a Noteworthy Event. An initial email will be sent to partner within an hour after we received the Noteworthy Event alert indicating that an investigation has started.

What are proactive actions that can be done by the Co-Managed XDR Service Team to mitigate the incident?

Proactive actions that can be performed are:

Quarantine an email
Block a user
Block a file or object
Kill a running process
Isolate endpoint
Run Agressive Scan
Collect ATTK and create a Damage Cleanup Tool

Can we use multiple emails on receiving the alert?

Yes, Trend Micro partners who avail Co-Managed XDR Service can specify which email addresses will receive the Alerts and Reports.

Can customers provide their own IOC file? Will the Security Analyst Team be able to sweep using those criteria? Can we provide this also as an additional service?

Yes, partners and customers can provide IOC file to Co-Managed XDR Service Team. Security Analyst Team can do the cross-customer sweeping for the partner and results will be provided to them.

How does the partner receive the Incident Report?

The Incident Report will be uploaded to their Remote Manager under Detection and Response > Reports

What are the other services offered by Co-Managed XDR Service Team?

DETECTION - 24x7 alert monitoring, Early detection & containment of potential threats or Early Warning Event Service.
INVESTIGATION - Threat source identification, Infection Chain/RCA, cross-product correlation analysis, cross-customer correlation analysis, cross-partner correlation analysis
REMEDIATION - Access to SEcurity Experts 24/7, remediation assistance
RESPONSE - Incident Report, Monthly Report, Policy Assessment Report, Incident Advisory with proactive IOC Assessment

What are the actions required from partners/customers during and after the incident?

Manual upload / confirmation of the existence of suspicious file
Manual upload of suspicious emails and manual release of emails
Worry Free Security Agent Manual/Aggressive Scan
Run clean up tool on the machine/s
Updating Worry Free Security Agent
System Modification/ Third Party Software Patching
Product best practice configuration
Verification of integrity of the software involved
Customer password reset
Customer advisory

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Frequently Asked Questions (FAQs) about Co-Managed XDR

What is Worry-Free with Co-Managed XDR?

What is the sensor being used?

Is the global blocking of Noteworthy Object (URL/File) in real-time?

Can a newly spawn C&C Servers IP be blocked?

What are the requirements for investigation?

What are the criteria's on how to trigger Noteworthy events on our customer/partner's end?

How does an investigation kick-off?

What are proactive actions that can be done by the Co-Managed XDR Service Team to mitigate the incident?

Can we use multiple emails on receiving the alert?

Can customers provide their own IOC file? Will the Security Analyst Team be able to sweep using those criteria? Can we provide this also as an additional service?

How does the partner receive the Incident Report?

What are the other services offered by Co-Managed XDR Service Team?

What are the actions required from partners/customers during and after the incident?

Frequently Asked Questions (FAQs) about Co-Managed XDR

Product / Version includes:

Summary

What is Worry-Free with Co-Managed XDR?

What is the sensor being used?

Is the global blocking of Noteworthy Object (URL/File) in real-time?

Can a newly spawn C&C Servers IP be blocked?

What are the requirements for investigation?

What are the criteria's on how to trigger Noteworthy events on our customer/partner's end?

How does an investigation kick-off?

What are proactive actions that can be done by the Co-Managed XDR Service Team to mitigate the incident?

Can we use multiple emails on receiving the alert?

Can customers provide their own IOC file? Will the Security Analyst Team be able to sweep using those criteria? Can we provide this also as an additional service?

How does the partner receive the Incident Report?

What are the other services offered by Co-Managed XDR Service Team?

What are the actions required from partners/customers during and after the incident?