Configuration for Trend Micro Vision One integration using DDD On-Premises

Summary

Trend Micro Vision One has an ability to do detection and response across email, endpoints, servers, cloud workloads and network via a single Trend Micro Vision One platform.

Trend Micro Vision One sits on top of relevant Trend Micro products in a customers’ environment, and offers expert security analytics for alert correlation, and consolidated visibility and investigation of events across security layers, leading to earlier detection and faster response.

Recommendation

Trend Micro Vision One offers a lot of capabilities such as early detection and response, getting greater context for greater understanding, etc. across multiple products. So if you use Trend Micro Vision One, Trend Micro recommends to connect DDI to Trend Micro Vision One to fully utilize Trend Micro Vision One functionality.

Configuration

There are 2 ways to connect DDI to Trend Micro Vision One:

Scenario 1: Trend Micro Vision One integration using Deep Discovery Director (DDD) On-Premises
- Prepare DDI and DDD On-Premises to integrate with Trend Micro Vision One.
- DDD On-Premises can connect to Deep Discovery Director-Network Analytics SaaS (DDDNASaaS) which is located in Trend Micro Cloud side.
Scenario 2: Trend Micro Vision One integration using Network Inventory Service
- Prepare DDI and connect it to Network Inventory Service which is provided on Trend Micro Vision One to integrate with Trend Micro Vision One.
- Network Inventory Service can connect to Deep Discovery Director-Network Analytics SaaS (DDDNASaaS) in the backend.
DDDNASaaS is also referred as “XDR Addon”, it provides advanced threat analysis for data correlations made between detections selected in DDD and other related events as they occur over time.

This article will show you how to configure DDI for the 1st scenario, which is to integrate DDI with Trend Micro Vision One using DDD On-Premises.

For information about how to configure DDI for scenario 2, refer to the KB article: Configuring Deep Discovery Inspector (DDI) 5.7 to integrate with Trend Micro Vision One using Network Inventory Service.

Details

Configuration for Scenario 1: Integrating DDI with Trend Micro Vision One using DDD On-Premises

Prepare DDI and DDD On-Premises to integrate with Trend Micro Vision One .

Use supported products version to integrate with Trend Micro Vision One investigation platform:
- DDI 5.7 SP3 or above
- DDD 5.2 Patch 1 or above
For DDD 5.2, Install it in consolidated mode with Install base version.
Make sure both DDI and DDD has valid Activation Code.

DDI Activation Code could be used for DDD as well.
Provision Deep Discover Director-Network Analytics as a Service (DDDNASaaS) from DDD.
1. On the DDD web console, go to Administration > Licenses, then enter XDR Addon Activation Code.
  
  DDNASaaS provision will be auto started and the following message will appear on the DDD web console.
  
  Provisioning for Deep Discovery Director - Network Analytics as a Service is in progress...
2. After the provision is completed, following message will be observed.
  
  Deep Discovery Director - Network Analytics as a Service is ready. Go to Administration > Network Analytics > Connected Sources to configure connected data sources.
Register DDI to DDD.
1. On the DDD web console, go to Help, copy the API key.
2. On the DDI web console, go to Administration > Integrated Products/Services > Deep Discovery Director, select On-premises version for Server type, enter the DDD server address, DDD API key, and click Register.
Move DDI to the Managed folder.

On DDD web console, go to Appliances > Directory, move DDI to managed or other customized folder.
Bind DDI to send network flow (activity data) to DDDNASaaS via DDD web console.
1. On the DDD web console, go to Administration > Network Analytics then click on the Connected Sources tab.
2. Select the DDI instance which you want to bind (default is Disabled). Click Configure to enable and bind selected DDI instance with DDDNASaaS.
3. You will see the status is enabled.
Onboard DDD to Trend Micro Vision One investigation platform.
1. Log on to the Trend Micro Vision One console. Go to INVENTORY MANAGEMENT > Network Inventory.
2. The Connect Network Sensors window appears. Select Deep Discovery Director on-premises version then click Next.
3. The Confirmation message window appears. Click Finish.
4. On the Connect Network Sensor window, select 5.2 Patch 1 and above on Deep Discovery Director versions field drop down list, and specify DDD IP address, Click Go.
5. You will be redirected to DDD Web console, and confirmation message appear, click Continue.
6. In Administration > Trend Micro Vision One page, and you can see the registration has been completed successfully.
Go back to the Trend Micro Vision One Console, you may see Connect Network Sensor window is kept open, click Cancel once then reload the page. You will see that DDI is registered as a Network Sensor.