Trend Vision One Out-of-the-Box Response Integration

To learn more about Out-of-the-box Integrations and their benefits, please refer to this article.

Requirements

  • Trend Vision One 
    • Make sure you read the Suspicious Object Management article on the Trend Micro documentation thoroughly to ensure a smooth process.
    • Endpoint Sensor agent
    • Server & Workload Protection agent
    • Standard Endpoint Protection agent
    • Service Gateway
    • Zero Trust Secure Access Internet Access
    • Trend Cloud One - Endpoint & Workload Security
    • Trend Micro Apex One as a Service
    • Trend Micro Cloud App Security
    • Trend Micro Deep Security
    • Trend Micro Email Security
  • Lumu License
    • An active Lumu Defender subscription  

Configure Trend Vision One

1. Log in to the Trend Vision One portal.

2. Create a User Role with the minimum required permissions. To do so, navigate to the Administration section and click on User Roles.

Next, click on Add Role.

Set a meaningful name and description.

Now, enable the following permissions and save the configuration:

  • Threat Intelligence: Suspicious Object Management
  • XDR Threat Investigation: Search - View, filter, and search
  • Workflow And Automation: Response Management - View, filter, and search - Add to block List

3. Navigate to the Administration section and click on the API Keys option to create the credentials for API use.

4. Click on Add API Key.

5. Create a personal API Key with a meaningful Name, and the Role that we just created. Set the expiration date that best suits your needs. Keep in mind that you will need to update your integration credentials accordingly.

6. This window will open. Save your API Key in a secure place.

Lumu encrypts this information both in transit and at rest to keep the token confidential, so token handling does not add to the maintenance burden of the integration.

Add Integration

1. Log in to your Lumu account through the Lumu Portal and navigate to the available apps screen. 

2. Locate the Trend Vision One integration in the available apps area and click to add, then click to view details.

3. Familiarize yourself with the integration details available in the app description and click the button below to activate the integration.

4. To activate the integration, click on the Activate button. After reading the instructions, provide a meaningful Name. Under Threat Mappings, select the specific threat mappings you want to push to Trend Vision One. Each threat indicator is ranked according to its associated risk level: High, Medium, or Low. Select the option Include IP indicators to include IP addresses in your feed list.

If you leave Include IP indicators unselected, you won't be able to change it later, even in the editing process.

By completing these steps, you have configured the integration and enhanced your threat management capabilities. Go ahead and click the “Next” button to finalize the process.

5. Fill in the required information: the Regional Domain and the API Key for that account. Finally, click on the Activate button. Lumu will validate that the credentials provided are correct.

Please note the base URL you use to log in to the XDR portal, because the regional domain is selected based on it. Your base URL looks like https://portal.[region.]xdr.trendmicro.com. Select the regional domain that matches the region in your base URL.
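As an added illustration (not part of the original article or of Lumu's or Trend Micro's code), the small parser below derives the region to select from the portal login URL described above. It assumes the portal host follows the shape https://portal.[region.]xdr.trendmicro.com, that a missing region segment means the default (US) portal, and that a region label of two or three lowercase letters is enough to distinguish the portals; it rejects non-HTTPS URLs and look-alike hosts that merely contain the portal name.

```python
import re
from urllib.parse import urlparse

# Assumed host shape from the article: portal.[region.]xdr.trendmicro.com
# The regex is anchored so that a host such as
# portal.xdr.trendmicro.com.example.test does not match.
PORTAL_HOST_RE = re.compile(
    r"^portal(?:\.(?P<region>[a-z]{2,3}))?\.xdr\.trendmicro\.com$"
)

# Assumption: the portal without a region segment is the default US region.
DEFAULT_REGION = "us"


def regional_domain_from_portal_url(url: str) -> str:
    """Return the region label to pick in the Lumu 'Regional Domain' field.

    Raises ValueError when the URL is not an https Trend Vision One portal URL.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme != "https":
        raise ValueError(f"expected an https portal URL, got {url!r}")
    host = parsed.hostname or ""  # urlparse already lower-cases the host
    match = PORTAL_HOST_RE.match(host)
    if match is None:
        raise ValueError(f"{host!r} is not a Trend Vision One portal host")
    return match.group("region") or DEFAULT_REGION


def is_portal_url(url: str) -> bool:
    """Convenience check: True only for URLs the parser accepts."""
    try:
        regional_domain_from_portal_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real tenant.
    for sample in (
        "https://portal.xdr.trendmicro.com/",
        "https://portal.eu.xdr.trendmicro.com/#/app/dashboard",
        "https://portal.xdr.trendmicro.com.example.test/",
    ):
        print(sample, "->", regional_domain_from_portal_url(sample)
              if is_portal_url(sample) else "rejected")
```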

6. The integration is now created and active, and the Lumu Portal will display the details of the created integration.

Note that the actions taken may vary depending on the locally configured product. For further details, please refer to the Suspicious Object Actions article in the Trend Micro documentation.

Keep in mind the info panel when editing the configuration: changes to threat mappings only apply to new incidents; past incidents will not be updated to the new settings.

Once the integration is activated, the Suspicious Object Management section will be updated with confirmed compromises found by Lumu within the preceding 3 days.
