Frequently Asked Questions (FAQs) about Co-Managed XDR

    • Updated: 23 Jul 2021
    • Product/Version: Remote Manager, Worry-Free Business Security Advanced 10.0
    • Platform:

This article answers common questions about Co-Managed XDR.


Worry-Free with Co-Managed XDR is a cross-product, cross-customer, and cross-partner detection and response service. This is co-managed by Trend Micro and MSPs. Worry-Free with Co-Managed XDR helps mitigate threats for customers while alleviating overburdened MSPs and elevating security offerings without a significant time and cost investment.

Benefits include the following:

  • Provides holistic threat visibility and correlation across endpoint and email, enabling proactive containment and intelligent response by Trend Micro’s threat experts.
  • In addition to what Worry-Free XDR provides, it adds co-managed detection and response services for MSPs, along with:
    • 24/7 threat experts: Cuts through the fog of constant alerts to isolate genuine threats in their earliest stages, providing MSPs with personalized remediation steps for their customers.
    • Cross-customer analysis: The service automatically checks the MSP's customer base for the same threat and takes action to protect multiple customers at once.
    • Cross-partner analysis: Threat analysts review similar threats across partners, especially those in the same industry, to provide proactive response.
    • Incident response: Provides customized recommendations, or Trend Micro threat experts can conduct actions if authorized by MSPs.
    • Monthly case activity summary report: Provides an executive view of incidents and threats detected and mitigated for the month.

The sensors being used for WFXDR are:

  • CAS for email sensor
  • EDR for endpoint sensor

It is usually blocked after reclassification, but the pattern update may take up to 12 hours. However, blocking Noteworthy Objects found on the ETA chain of the customer who triggered the alert can be real-time because they can be added to UDSO.

No. At the moment, the products associated with the service are mainly for endpoint and email only. However, the corresponding URL can be blocked by the service team or the product itself because of the behavior of the file trying to connect to it. If it is a zero-day URL, the service team could have it reclassified as Dangerous - C&C server so it will be blocked globally by WFBS alone. The IP address that you need to block on your firewall will be included in the report.

A Cloud App Security (CAS) license and a Worry-Free Business Security Services (WFBS-SVC) + EDR license (Co-Managed XDR license) need to be successfully provisioned.

  • With WFBSS ETA on 4 categories: Virus, WTP, Machine Learning, Behavior Monitoring
  • Worry-Free Business Security Services can do correlation to get a noteworthy event in 3 ways: EDR, CAS, and EDR+CAS. If a detection consists of a suspicious object or an unknown malicious object, the detection will become a noteworthy event.

Investigation will kick off once we receive an email notification of a Noteworthy Event. An initial email will be sent to the partner within an hour after we receive the Noteworthy Event alert, indicating that an investigation has started.

Proactive actions that can be performed are:

  • Quarantine an email
  • Block a user
  • Block a file or object
  • Kill a running process
  • Isolate endpoint
  • Run Aggressive Scan
  • Collect ATTK and create a Damage Cleanup Tool

Yes, Trend Micro partners who avail of the Co-Managed XDR Service can specify which email addresses will receive the Alerts and Reports.

Yes, partners and customers can provide an IOC file to the Co-Managed XDR Service Team. The Security Analyst Team can do the cross-customer sweeping for the partner, and the results will be provided to them.

The Incident Report will be uploaded to their Remote Manager under Detection and Response > Reports.

  • DETECTION - 24x7 alert monitoring, Early detection & containment of potential threats or Early Warning Event Service.
  • INVESTIGATION - Threat source identification, Infection Chain/RCA, cross-product correlation analysis, cross-customer correlation analysis, cross-partner correlation analysis
  • REMEDIATION - Access to Security Experts 24/7, remediation assistance
  • RESPONSE - Incident Report, Monthly Report, Policy Assessment Report, Incident Advisory with proactive IOC Assessment
  • Manual upload / confirmation of the existence of suspicious file
  • Manual upload of suspicious emails and manual release of emails
  • Worry Free Security Agent Manual/Aggressive Scan
  • Run clean up tool on the machine/s
  • Updating Worry Free Security Agent
  • System Modification/ Third Party Software Patching
  • Product best practice configuration
  • Verification of integrity of the software involved
  • Customer password reset
  • Customer advisory