To activate your service, do the following:
- Log in to your Trend Vision One console using an Administrator account.
- In the navigation pane on the left, navigate to XDR Threat Investigation > Managed Services.
- On the pop-up window, click Get Started.
- Click Set up Now on the window that appears.
- Set up your contact information:
- Click Add Contact, fill in the necessary information, and then click Submit.
Multiple contacts can be added, depending on your organization's needs and requirements.
- Click Save to apply the changes. For additional information, refer to Setting up your Contact Information for Trend Micro™ Managed Detection and Response (MDR).
- Configure the “Response Approval” section to define the actions that the MDR Team can take:
- Tick the Enable auto approval checkbox.
We recommend that all customers tick the “Enable auto approval” checkbox; this allows your MDR team to take the necessary steps to investigate and mitigate threats.
- Under Available Actions, expand either Critical or Recommended and select the response actions:
- For response actions that you want to be automatically approved, tick the box beside the response action.
- For response actions that you want to be manually approved, untick the box beside the response action. To facilitate thorough and timely analysis and response by your MDR team, it is highly recommended to check all boxes in this section.
- Under Scope of Actions, select either:
- “All endpoints in your environment”, with the ability to upload a list of endpoints which are excluded from MDR’s ability to automatically take actions, by checking the “Allow exceptions” box and importing a CSV file (template available within this UI). Please refer to Creating Exceptions list in Trend Vision One™ for more information on how to upload a list of exceptions to this section.
- “Selected endpoints”, again allowing you to import a CSV file with a list of endpoints for which actions can be carried out. The response actions you specified will be taken automatically on those selected endpoints. For other endpoints, your manual approval is required before the MDR operations team can take any response actions.
- You can switch between automatic and manual approval whenever needed by ticking or unticking the response action(s).
- To check the description of each response action, refer to Trend Micro™ Managed Detection and Response (MDR) Remote Response Actions.
- To learn the difference between manual and automatic approval, refer to Compare Automatic Approval and Manual Approval for Trend Micro™ Managed Detection and Response Actions.
- Next, in the “Notification Recipients” fields, enter the contacts you wish to be notified when the MDR team performs, or requests approval to perform, these response actions.
Note: in the “Email Recipients” field, two types of recipients are accepted: Trend Vision One user accounts and custom email addresses.
- If a contact entered does not have a valid user account, or contains invalid characters, it will be greyed out.
- If a previously added contact becomes invalid (no longer has a Trend Vision One user account), it will be highlighted in red, and you will not be able to move to the next step until this is fixed.
- If an email address is manually typed into this field, MDR considers it an external email address and does not perform validation on it.
- If you see these errors, hover over the highlighted or greyed out email address for information about what is wrong with the contact.
Mobile recipients should have the Trend Vision One Mobile app installed on their mobile phones to be able to receive notifications from the MDR team.
- Click Save to apply the changes.
- Some informational prompts may appear to show you other features of Trend Vision One. Click Manage Contacts and OK to close the prompts. Closing the prompts will not affect any of the MDR settings and configuration.
- Next, click on Cross-App Management.
- The first option allows you to automatically close any workbenches related to resolved MDR cases. This means that your risk score will change to reflect MDR's response actions.
The second option allows you to synchronize MDR case information with ServiceNow ITSM. To integrate your Trend MDR cases with ServiceNow, refer to the article ServiceNow Integration with Trend Vision One™ MDR Case Management.
After completing these steps, your MDR Service is now activated.
For additional configuration for your MDR service, you may refer to the following KB Articles: