XDR provides detection and response across email, endpoints, servers, cloud workloads and the network from a single XDR platform.
XDR sits on top of the relevant Trend Micro products in a customer's environment and offers expert security analytics for alert correlation, together with consolidated visibility and investigation of events across security layers, leading to earlier detection and faster response.
XDR offers capabilities such as early detection and response and richer context for investigation across multiple products. If you use XDR, Trend Micro recommends connecting DDI to XDR to make full use of XDR functionality.
There are two ways to connect DDI to XDR:
Scenario 1: XDR integration using Deep Discovery Director (DDD) On-Premises
- Prepare DDI and DDD On-Premises to integrate with XDR.
- DDD On-Premises connects to Deep Discovery Director - Network Analytics as a Service (DDDNASaaS), which is hosted on the Trend Micro cloud side.
DDDNASaaS is also referred to as the "XDR Add-on". It provides advanced threat analysis by correlating detections selected in DDD with other related events as they occur over time.
Scenario 2: XDR integration using Deep Discovery Director (DDD) Cloud
- Prepare DDI and connect it to the DDD Cloud version, which is hosted on the Trend Micro cloud side, to integrate with XDR.
- DDD Cloud connects to Deep Discovery Director - Network Analytics as a Service (DDDNASaaS) in the backend.
This article shows how to configure DDI for Scenario 1, which integrates DDI with XDR using DDD On-Premises.
For information about how to configure DDI for Scenario 2, refer to the KB article: Configuring Deep Discovery Inspector (DDI) 5.7 to integrate with XDR using Deep Discovery Director Cloud.
Configuration for Scenario 1: Integrating DDI with XDR using DDD On-Premises
Install Products (DDI and DDD).
Install product versions that support integration with the XDR investigation platform:
- DDI 5.6 SP1 or above
- DDD 5.1 SP1 with the latest hot fix, or above.
If you use DDD 5.2, install it in consolidated mode with the base install version. For hot fix information, contact Trend Micro Technical Support.
Make sure both DDI and DDD have a valid Activation Code. The DDI Activation Code can also be used for DDD.
Provision Deep Discovery Director - Network Analytics as a Service (DDDNASaaS) from DDD.
On the DDD web console, go to Administration > Licenses, then enter the XDR Add-on (DDDNASaaS) Activation Code.
DDDNASaaS provisioning starts automatically, and a status message confirming this appears on the DDD web console.
Register DDI to DDD.
Move DDI to the Managed folder.
On the DDD web console, go to Appliances > Directory and move DDI to the Managed folder or another custom folder.
Bind DDI to send network flow (activity data) to DDDNASaaS via DDD web console.
- On the DDD web console, go to Administration > Network Analytics then click on the Connected Sources tab.
- Select the DDI instance you want to bind (the default state is Disabled). Click Configure to enable it and bind the selected DDI instance to DDDNASaaS.
Onboard DDD to XDR investigation platform.
Log on to the Trend Micro XDR console (https://portal.xdr.trendmicro.com/). Go to Product Connector and click Connect.
Copy the enrollment token from the Trend Micro XDR console.
Select Deep Discovery Director from the list. Select Connect Deep Discovery Director on-premises version, then click the Click to generate the enrollment token link to obtain the token.
The enrollment token appears.
Paste the enrollment token to Deep Discovery Director.
Once the configuration and registration above are complete, the status of DDD, DDI and the XDR Add-on is shown in the list on the XDR console.
- Allow the required URLs and ports through your firewall. Refer to the KB article: URLs to be allowed through the firewall of Deep Discovery Inspector (DDI) 5.7.
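Before onboarding, it is worth confirming from the appliance network segment that the firewall actually permits outbound connections to the required endpoints, so that a blocked URL is found before the enrollment step fails. The following is an added example, not code from the KB article or from Trend Micro: a small pre-flight checker that attempts a TCP connection to each endpoint and reports the ones that are blocked. Only the XDR console URL is taken from the article; the other entries in REQUIRED_ENDPOINTS are placeholders that must be replaced with the URLs from the firewall KB article referenced above. The probe function is injectable so the logic can be exercised without network access.

```python
"""Pre-flight outbound reachability check for DDI/DDD to XDR onboarding.

Hypothetical helper (not part of the KB article): resolves each required
URL to a host/port pair, attempts a TCP connect, and lists the blocked ones.
"""
import socket
from urllib.parse import urlparse

# Endpoints the appliances must reach. Only the XDR console URL comes from
# the article; the remaining entries are labelled placeholders to be replaced
# with the URLs given in the firewall KB article.
REQUIRED_ENDPOINTS = [
    "https://portal.xdr.trendmicro.com/",      # XDR console (from the article)
    "https://PLACEHOLDER-ddd-endpoint.example",  # placeholder, replace per firewall KB
    "https://PLACEHOLDER-nasaas-endpoint.example",  # placeholder, replace per firewall KB
]


def endpoint_to_host_port(url):
    """Return (host, port) for an http(s) URL; default 443 for https, 80 for http."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported endpoint: {url}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def tcp_reachable(host, port, timeout=5.0):
    """Attempt a TCP connect; True on success, False on any socket error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoints(urls, probe=tcp_reachable):
    """Probe each URL and return {url: reachable}. `probe` is injectable for tests."""
    results = {}
    for url in urls:
        try:
            host, port = endpoint_to_host_port(url)
        except ValueError:
            results[url] = False  # malformed entry counts as a failure
            continue
        results[url] = probe(host, port)
    return results


def blocked(results):
    """Return the URLs that failed; this is the list to hand to the firewall team."""
    return [url for url, ok in results.items() if not ok]


if __name__ == "__main__":
    outcome = check_endpoints(REQUIRED_ENDPOINTS)
    for url, ok in outcome.items():
        print(("OK      " if ok else "BLOCKED ") + url)
    if blocked(outcome):
        raise SystemExit(1)  # non-zero exit so the check can gate an onboarding runbook
```

Run it from a host in the same network segment as the DDD and DDI appliances, after replacing the placeholder entries; a non-zero exit means at least one required endpoint is still blocked.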