Trend Micro Vision One provides detection and response across email, endpoints, servers, cloud workloads and network through a single platform.
Trend Micro Vision One sits on top of the relevant Trend Micro products in a customer's environment. It offers expert security analytics for alert correlation, plus consolidated visibility and investigation of events across security layers, leading to earlier detection and faster response.
Recommendation
Trend Micro Vision One offers capabilities such as early detection and response and greater context for understanding events across multiple products. If you use Trend Micro Vision One, Trend Micro recommends connecting Deep Discovery Inspector (DDI) to it to fully utilize Trend Micro Vision One functionality.
Configuration
There are 2 ways to connect DDI to Trend Micro Vision One:
- Scenario 1: Trend Micro Vision One integration using Deep Discovery Director (DDD) On-Premises
  - Prepare DDI and DDD On-Premises to integrate with Trend Micro Vision One.
  - DDD On-Premises can connect to Deep Discovery Director-Network Analytics SaaS (DDDNASaaS), which is located on the Trend Micro Cloud side.
- Scenario 2: Trend Micro Vision One integration using Deep Discovery Director (DDD) Cloud
  - Prepare DDI and connect it to the DDD Cloud version, which is located on the Trend Micro Cloud side, to integrate with Trend Micro Vision One.
  - DDD Cloud can connect to Deep Discovery Director-Network Analytics SaaS (DDDNASaaS) in the backend.
DDDNASaaS is also referred to as “Trend Micro Vision One Addon”. It provides advanced threat analysis for data correlations made between detections selected in DDD and other related events as they occur over time.
This article will show you how to configure DDI for the 1st scenario, which is to integrate DDI with Trend Micro Vision One using DDD On-Premises.
For information about how to configure DDI for scenario 2, refer to the KB article: Configuring Deep Discovery Inspector (DDI) 5.7 to integrate with Trend Micro Vision One using Deep Discovery Director Cloud.
Configuration for Scenario 1: Integrating DDI with Trend Micro Vision One using DDD On-Premises
- Install Products (DDI and DDD).
  Install the product versions that support integration with the Trend Micro Vision One investigation platform.
  - DDI 5.6 SP1 or above
  - DDD 5.1 SP1 with the latest hot fix or above.
  If you use DDD 5.2, install it in consolidated mode with install base version.
- Make sure both DDI and DDD have a valid Activation Code.
  The DDI Activation Code can be used for DDD as well.
- Provision Deep Discovery Director-Network Analytics as a Service (DDDNASaaS) from DDD.
  On the DDD web console, go to Administration > Licenses, then enter the Trend Micro Vision One Addon (DDDNASaaS) Activation Code.
  DDDNASaaS provisioning starts automatically, and the following message is displayed on the DDD web console.
- Register DDI to DDD.
- Move DDI to the Managed folder.
  On the DDD web console, go to Appliances > Directory, then move DDI to the Managed folder or another customized folder.
- Bind DDI to send network flow (activity data) to DDDNASaaS via the DDD web console.
  - On the DDD web console, go to Administration > Network Analytics, then click the Connected Sources tab.
  - Select the DDI instance that you want to bind (the default is Disabled). Click Configure to enable the selected DDI instance and bind it to DDDNASaaS.
- Onboard DDD to the Trend Micro Vision One investigation platform.
  Log on to the Trend Micro Vision One console (https://portal.xdr.trendmicro.com/). Go to Product Connector and click Connect.
- Copy the enrollment token from the Trend Micro Vision One console.
  Select Deep Discovery Director from the list. Select Connect Deep Discovery Director on-premises version, then click the "Click to generate the enrollment token" link to get the token.
  The enrollment token is displayed.
- Paste the enrollment token to Deep Discovery Director.
- Once the above configuration and registration are completed, the status of DDD, DDI, and the Trend Micro Vision One add-on is shown in the list on the Trend Micro Vision One console.
- Allow the required URLs and ports through your firewall. Refer to the KB article: URLs to be allowed through the firewall of Deep Discovery Inspector (DDI) 5.7.