XDR provides detection and response across email, endpoints, servers, cloud workloads and the network from a single XDR platform.
XDR sits on top of the relevant Trend Micro products in a customer's environment and offers expert security analytics for alert correlation, plus consolidated visibility and investigation of events across security layers, leading to earlier detection and faster response.
XDR offers many capabilities across multiple products, such as early detection and response and richer context for better understanding. If you use XDR, Trend Micro recommends connecting DDI to XDR to fully utilize XDR functionality.
There are two ways to connect DDI to XDR:
Scenario 1: XDR integration using Deep Discovery Director (DDD) On-Premises
- Prepare DDI and DDD On-Premises to integrate with XDR.
- DDD On-Premises can connect to Deep Discovery Director - Network Analytics SaaS (DDDNASaaS), which is located on the Trend Micro cloud side.
Scenario 2: XDR integration using Deep Discovery Director (DDD) Cloud
- Prepare DDI and connect it to the DDD Cloud version, which is located on the Trend Micro cloud side, to integrate with XDR.
- DDD Cloud can connect to Deep Discovery Director - Network Analytics SaaS (DDDNASaaS) in the backend.
DDDNASaaS is also referred to as the "XDR Addon". It provides advanced threat analysis by correlating detections selected in DDD with other related events as they occur over time.
This article shows how to configure DDI for the second scenario: integrating DDI with XDR using DDD Cloud.
For information about how to configure DDI for scenario 1, refer to the KB article: Configuring Deep Discovery Inspector (DDI) 5.7 to integrate with XDR using Deep Discovery Director On-Premises.
Configuration for Scenario 2: Integrating DDI with XDR using DDD Cloud
Install the products. DDI 5.6 SP1 or later supports integration with the XDR investigation platform.
Make sure DDI has a valid Activation Code (AC).
Provision DDD Cloud and DDDNASaaS (XDR Addon) from the XDR console.
Log on to the Trend Micro XDR console (https://portal.xdr.trendmicro.com/), go to Product Connector and click Connect.
- Select Deep Discovery from the Product name field and choose Request a Deep Discovery Director cloud version.
Enter the XDR Addon Activation Code and wait for provisioning to complete.
The XDR console shows a Provisioning status while provisioning is in progress.
After provisioning completes, Connection Status shows Connected. Provisioning can take about 10 minutes.
Get the DDD cloud logon info.
Click the bell icon to get the DDD cloud URL and logon information. The same information is also sent to the local accounts' mailboxes.
Get the DDD cloud token.
On the DDD cloud web console, go to Help and copy the DDD cloud token.
Register DDI to DDD.
- On the DDI web console, go to Administration > Integrated Products/Services > Deep Discovery Director.
For Server type, select the Cloud version, then click Register.
Paste the DDD cloud token you just copied and click Register.
Once registration is complete, log on to the DDD cloud web console, go to Appliances > Directory and click Move to move DDI to the managed folder or another customized folder.
Bind DDI to DDDNASaaS.
Bind DDI so that it sends network flow (activity data) to DDDNASaaS.
- On the DDD Cloud web console, go to Administration > Network Analytics and open the Connected Sources tab.
- Select the DDI instance you want to bind (the default status is Disabled).
Click Configure to enable and bind the selected DDI instance to DDDNASaaS.
Under the Status column, click the toggle button to Enable, then click Save. While there is no limit on the number of Deep Discovery Inspector appliances you can enable, their total combined bandwidth cannot exceed the available bandwidth capacity.
Check the Deep Discovery onboarding status from XDR.
On the Trend Micro XDR console, go to Product Connector and check the Deep Discovery onboarding status.
Once configuration and registration are complete, the DDD cloud, DDI, and DDDNASaaS (XDR Addon) entries should appear in the list.
- Allow the required URLs and ports through your firewall. Refer to the knowledge base article: URLs to be allowed through the firewall of Deep Discovery Inspector (DDI) 5.7.