Endpoint Detection and Response (EDR) enhanced features in Trend Micro Vision One

    • Updated: 5 Apr 2021
    • Product/Version: Trend Micro Vision One All
    • Platform: N/A
Summary

Starting with the 2021 March maintenance, Apex One as a Service will migrate its Endpoint Detection and Response (EDR) related features to Trend Micro Vision One for a better user experience.

This article describes the full scope of the migration in detail.

Details

Schedule

| Date | Changes |
|---|---|
| 24 Feb 2021 | Apex One as a Service will show a bell icon as a heads-up for this migration |
| 2021 March maintenance | Apex One as a Service EDR related menu items will be redirected to Trend Micro Vision One |

Change Scope

The following menu items will be redirected to Trend Micro Vision One:

| Menu items in Apex One as a Service | Corresponding App in Trend Micro Vision One |
|---|---|
| Response > Historical Investigation | Search app |
| Dashboard > Threat Investigation > Quick Investigation widget | Contents in this widget will be refreshed with a redirection message and a redirection link to the Trend Micro Vision One Search app. |
| Dashboard > Threat Investigation > Attack Discovery Detections widget | Contents in this widget will be refreshed with a redirection message and a redirection link to the Trend Micro Vision One Observed Attack Techniques app. |
| Directories > Users/Endpoints (click detection name under Threats column) > Analyze Impact | This menu button will be removed from the UI. Customers are advised to use the Trend Micro Vision One Search app. |
| Threat Intel > Virtual Analyzer Suspicious Objects > Analyze Impact | This menu button will be removed from the UI. Customers are advised to use the Trend Micro Vision One Search app. |
| Threat Intel > Custom Intelligence > User-Defined Suspicious Objects > Analyze Impact | This menu button will be removed from the UI. Customers are advised to use the Trend Micro Vision One Search app. |
| Live Investigation > Investigation Results (click objects in Root Cause Chain) > Add to Historical Investigation List | This menu button will be removed from the UI. Customers are advised to use the Trend Micro Vision One Search app. |
| Live Investigation > Investigation Results (click objects in Root Cause Chain) > Start a Historical Investigation | This menu button will be removed from the UI. Customers are advised to use the Trend Micro Vision One Search app. |
| Live Investigation > Investigation Results > Root Cause Analysis > Affected Endpoints | Affected Endpoints |

Note: When performing a search, Apex One as a Service looks through all stored data by default; in the Trend Micro Vision One Search app, the default search period is 7 days. Adjust the search period manually to get the best search results.

One API will be revoked after this change takes place.

| API | Note |
|---|---|
| Assessment | Returns the following error after the March maintenance: "error code -103002. Unable to get the accessible servers" |

Customers who rely on this API will need to rewrite those tasks against the Trend Micro Vision One API (Search).

  • What will be the management impact or change?

    • Only EDR-related menu items will be redirected to Trend Micro Vision One for a better user experience.
    • The remaining features (e.g. Virus Scan, Behavior Monitoring, etc.) will continue to be managed from the existing menu.
  • Will my data be moved to other countries? For example, if the data center previously used was in Australia, will it stay in Australia after the migration?

    This migration covers only the UI/menu items (Phase I) and agent binaries (Phase II); the data center will not change.

    However, in the following situations the customer's data was provisioned in the US site, because the regional data lake was not ready at the time:

    • Customers who provisioned Apex One as a Service in the Singapore data center before August 2020.
    • Customers who provisioned Apex One as a Service in the Australia data center before October 2020.
    • Customers who provisioned Apex One as a Service in the India data center before December 2020.

    Customers who meet these criteria may contact Trend Micro Technical Support to migrate their data.

  • I cannot single sign-on (SSO) to Vision One. What could be the root cause?

    In Apex Central, only a Customer Licensing Portal (CLP) account can be used for SSO to the Vision One service. Customers who need to access Vision One with other accounts should refer to the KB article "Create local account that can SSO to Trend Micro Vision One" for detailed instructions.

  • I'm using a hybrid management structure (i.e. an on-premises Apex Central managing Apex One SaaS agents). Will this change impact my operation?

    Yes. Customers using the hybrid management model will only get investigation/sweeping results for on-premises agents after this change has been made. Investigation and sweeping of Apex One SaaS agents should be done in Trend Micro Vision One instead.

  • Which account can I use to log in to Trend Micro Vision One? When I try to access a Trend Micro Vision One app, the login page asks me for an ID/password. How do I create that account?

    Only a Customer Licensing Portal (CLP) account can single sign-on to the Vision One console; native Apex One SaaS local accounts cannot. If you need to use a local account to sign in to the Vision One console, refer to the KB article "Creating a Trend Micro Vision One account that can be used to Single Sign-On (SSO) to and from Apex One as a Service" for details.

  • I've purchased a 60-day EDR data retention plan in Apex One as a Service. Will this migration have any impact when I use Trend Micro Vision One?

    No. Your existing data retention plan is kept the same in Trend Micro Vision One. However, if you have not yet started using Trend Micro Vision One, by default only data from March 1st onward will be available for search in Trend Micro Vision One. Contact Trend Micro Technical Support if you need to search data prior to March 1st.

  • Can I still use the previous Apex One as a Service EDR features after this migration?

    Apex One EDR related features are redirected to, and enhanced in, Trend Micro Vision One apps. For detailed use cases, refer to the following table:

    | # | Function in Apex One as a Service | How to do that in Trend Micro Vision One | Relevant UI on Apex One as a Service | Relevant UI on Trend Micro Vision One |
    |---|---|---|---|---|
    | 1 | Users can do a sweep by user-defined criteria to find related endpoints through Historical Investigation. | Users can do a sweep by user-defined criteria to find related events through the Search App. Users can also check the mapped events in detail. | Historical Investigation | Search App |
    | 2 | Users can do a sweep by uploaded IOC file to find related endpoints through Historical Investigation. | Users can do a sweep by user-defined criteria to find related events through the Search App. Users would need to parse the IOC files to see what criteria shall be used for sweeping. | Historical Investigation | Search App |
    | 3 | Based on the sweeping result from Historical Investigation, users can select the endpoint to be investigated, and then click Generate Root Cause Results to generate a report for further investigation. | According to the results of the Search App, users can right-click the field to be investigated, and then click Check Execution Profile for further investigation. | Historical Investigation > Generate Root Cause Results | Search App > Check Execution Profile |
    | 4 | Based on the sweeping result from Historical Investigation, users can select endpoints and isolate them to mitigate impact. | According to the results of the Search App, users can right-click the corresponding field to isolate the endpoint and mitigate impact. | Historical Investigation > Isolate Endpoint | Search App > Isolate Endpoint |
    | 5 | Users can check the generated Root Cause Results through Root Cause Analysis Results. | Users can use Saved Queries to keep search criteria and use them to generate execution profiles afterwards. | Historical Investigation > Root Cause Analysis Results | Search App > Saved Queries |
    | 6 | Users can perform response actions from the Root Cause Analysis report, such as isolating endpoints, terminating objects, and adding suspicious objects. | Users can perform response actions from the search result in the Search App right-click menu. | Root Cause Analysis report | Execution Profile report |
    | 7 | Check Attack Discovery detection logs from Log Query. | Check Attack Discovery detection logs from Observed Attack Techniques. Users can also search Attack Discovery detection logs through the Search App. | Log Query > Attack Discovery | Observed Attack Techniques; Search App |
    | 8 | Users can do an impact assessment by user-defined criteria to find related endpoints through the Quick Investigation widget of the Threat Investigation tab on the Dashboard. | Users can do a sweep by user-defined criteria to find related events through the Search App. | Dashboard > Threat Investigation > Quick Investigation | Search App |
    | 9 | Check Attack Discovery detections from the Attack Discovery Detection widget of the Threat Investigation tab of the Dashboard. | Check Attack Discovery detection logs from Observed Attack Techniques. Users can also search Attack Discovery detection logs through the Search App. | Dashboard > Threat Investigation > Attack Discovery Detection | Observed Attack Techniques; Search App |
    | 10 | Users can assess impact by the file hash of the detection log to find related endpoints through the Attack Discovery Detection widget of the Threat Investigation tab of the Dashboard. | Users can do a sweep by user-defined criteria to find related events through the Search App. | Dashboard > Threat Investigation > Attack Discovery Detection | Search App |
    | 11 | Users can do an impact assessment through User-Defined Suspicious Objects of Custom Intelligence. | Users can do a sweep by user-defined criteria to find related events through the Search App. Users would need to use the User-Defined Suspicious Object as a search criterion for sweeping. | Custom Intelligence > User-Defined Suspicious Objects | Search App |
Solution Id: 000285577