Trend Vision One Out-of-the-Box Response Integration

Requirements

  • Trend Vision One:
  • Lumu License
    • An active Lumu Defender subscription

Configure Trend Vision One

Trend Vision One currently supports sending the Suspicious Object List to the following Trend Micro products and services:

  • Endpoint Sensor agent
  • Server & Workload Protection agent
  • Standard Endpoint Protection agent
  • Service Gateway
  • Zero Trust Secure Access Internet Access
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Cloud App Security
  • Trend Micro Deep Security
  • Trend Micro Email Security

You can find the full reference of supported actions for each IOC type in the Trend Micro Suspicious object action document. Actions vary between different IOC types.

Create the integration user role

First, create a dedicated integration user role for the integration.

1. Log in to the Trend Vision One console.

2. Create a User Role with the minimum required permissions. To do so, navigate to the Administration section (the gear icon at the bottom of the left panel) and select User Roles.

3. Next, click on Add Role.

4. Fill in the Create custom role form, starting with the General information tab:

    • Set a meaningful Role name.
    • Set the Control flags as follows:
      • Set the Can be assigned to API keys attribute to Yes.
      • Set the Can be assigned to user accounts attribute to No.
    • Set a Role description.
    • When finished, head to the Permissions tab.

5. In the Permissions tab, select the View, filter, and search and the Manage lists and configure settings permissions, both located under the Threat Intelligence section. When finished, click Save.

Once you have created the integration user role, you can continue with the following steps of the configuration.

Create an API key

With the user role created, continue with the creation of an API key.

1. Navigate to the Administration section (the gear icon in the left navigation pane) and select API Keys.

2. Click on Add API Key.

Fill in the Add API key form as follows:

    • Give it a distinctive Name.
    • Assign it the role created in step 2.
    • Set the Expiration Time. Ensure you follow your organization’s guidelines regarding secure key management and rotation. You can leave the default value if you're not sure.
    • Set the Status to active by enabling the toggle.
    • When finished, click the Add button.

3. Copy and save the API key shown by Vision One. You will not be able to retrieve it later. This value will be needed for setting up the integration.

Lumu encrypts this information both in transit and at rest to ensure token confidentiality is maintained. This will remove token updating concerns from the integration maintenance process.

Add Integration

1. Log in to your Lumu account through the Lumu Portal and navigate to the available apps screen.

2. Locate the Trend Vision One integration in the available apps area and click to add, then click to view details.

3. Familiarize yourself with the integration details available in the app description and click the button below to activate the integration.
4. Provide a meaningful Name. Under Threat Mappings, choose which threat mappings you want to push to Trend Vision One. Each threat indicator is ranked by its associated risk level: High, Medium, or Low. Select the Include IP indicators option to include IP addresses in your feed list.

Notes
If you leave Include IP indicators unselected, you won't be able to change it later, even in the editing process.


5. Fill in the required information for the account. Finally, click the Activate button. Lumu validates that the provided credentials are correct.

Notes
Note the base URL you use to log in to the XDR portal; it looks like https://portal.[region.]xdr.trendmicro.com. Select the regional domain that matches the region in your base URL.
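A small pre-flight check for the API key and regional domain before activating the integration, added here as an example (not Lumu's or Trend Micro's code). It assumes the regional API host follows the portal host pattern from the note above (api.[region.]xdr.trendmicro.com) and uses the Trend Vision One v3.0 suspicious object list endpoint, which the read-only Threat Intelligence permission of the role created earlier should allow; confirm both assumptions against your own tenant.

```python
"""Pre-flight check of a Trend Vision One API key with the least-privilege integration role."""
import os
import urllib.error
import urllib.request
from urllib.parse import urlparse

PORTAL_PREFIX = "portal."
PORTAL_SUFFIX = ".xdr.trendmicro.com"


def api_host_from_portal_url(portal_url: str) -> str:
    """Map https://portal.[region.]xdr.trendmicro.com to api.[region.]xdr.trendmicro.com.

    Assumption: the API host uses the same optional region label as the portal host.
    """
    host = (urlparse(portal_url).hostname or "").lower()
    if not (host.startswith(PORTAL_PREFIX) and host.endswith(PORTAL_SUFFIX)):
        raise ValueError(f"not a Trend Vision One portal URL: {portal_url!r}")
    region = host[len(PORTAL_PREFIX):-len(PORTAL_SUFFIX)]  # "" for the default region
    if region and not region.isalnum():
        raise ValueError(f"unexpected region label: {region!r}")
    return f"api.{region}.xdr.trendmicro.com" if region else "api.xdr.trendmicro.com"


def build_check_request(api_host: str, api_key: str) -> urllib.request.Request:
    """Smallest read-only call the integration role permits: list one suspicious object.

    Assumption: the v3.0 endpoint path and the 'top' paging parameter.
    """
    url = f"https://{api_host}/v3.0/threatintel/suspiciousObjects?top=1"
    headers = {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers)


def check_api_key(portal_url: str, api_key: str, timeout: int = 15) -> str:
    """Return 'ok', 'unauthorized' (bad key/region), 'forbidden' (role lacks the
    Threat Intelligence permission) or 'error:<status>'. The key is never printed."""
    req = build_check_request(api_host_from_portal_url(portal_url), api_key)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "ok" if resp.status == 200 else f"error:{resp.status}"
    except urllib.error.HTTPError as e:
        return {401: "unauthorized", 403: "forbidden"}.get(e.code, f"error:{e.code}")


if __name__ == "__main__":
    # Read the key from the environment so it never lands in shell history or logs.
    print(check_api_key(os.environ["V1_PORTAL_URL"], os.environ["V1_API_KEY"]))
```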

6. With the integration active, the Lumu Portal will display its details.


Notes
Note that the available actions may vary depending on the locally configured product. For further details, refer to the Suspicious Object Actions article in the Trend Micro documentation.

Notes
Keep in mind the info panel when editing the configuration. Changes to threat mappings apply only to new incidents; past incidents are not updated to the new settings.

Notes
Once the integration is activated, the Suspicious Object Management section will be updated with confirmed compromises found by Lumu within the preceding 3 days.