Integrate Trend Vision One with Red Canary

1. Your Trend Vision One user must have admin level access to complete the following steps successfully.

2. Your Trend Vision One tenant must have one of the following licenses:

   1. Trend Vision One Endpoint Security - Essentials

   2. Trend Vision One Endpoint Security - Pro

3. Sufficient Trend Vision One credits to enable the AWS S3 bucket connector. Please contact your Trend Micro account team if you do not have access to the AWS S3 bucket connector detailed in Step 2.

   Note

   The 30 day trial version of TrendMicro is NOT sufficient for testing because of the Trend Vision One credits requirement.

1. Record your Trend Vision One Business ID.

   1. Navigate to the License Information section within your Trend Vision One console.

   2. Copy the Business ID.
      

   3. Enter your Trend Vision One Business ID into Red Canary.  

2. Create a user role to be used with your new API key.  Note: Red Canary is committed to accessing your environment using the fewest permissions required.

   1. Navigate to the User Roles page in the Trend Vision One console and click Add Role.

   2. Enter the name red-canary-api for the role and click Permissions.

   3. Configure the following permissions:

      1. Platform Capabilities

         1. XDR Threat Investigation

            1. Workbench check the View, filter, and search and Modify alert details boxes.

            2. Search check the View, filter, and search box.

         2. Workflow and Automation

            1. Response Management check the View, filter, and search (Task list tab), Isolate endpoint, and Terminate process boxes.

            2. Third-party integrations check the View box.

      2. Security Functions

         1. Endpoint Security

            1. Endpoint Inventory check the View box.

      3. Settings

         1. Administration

            1. User Roles check the View box.

            2. API Keys check the View box.

   4. Role permissions should look like this when completed successfully.
      

3. Create a new API key for Red Canary to ingest telemetry and alerts.

   1. Navigate to the API Keys section within your Trend Vision One console and click Add API Key.

   2. Name the API key red-canary and assign the user role created in step 1.2.

   3. Expiration Time should be set to “No expiration date.”

   4. Copy the newly created API key.

   5. Enter the API key into Red Canary.

1. Navigate to the AWS S3 Bucket Connector within your Trend Vision One console.

   1. Click Workflow and Automation in the main menu on the left.

   2. Select Third-Party Integration.

   3. Click AWS S3 Bucket Connector.
      

2. In the Bucket name field, copy the bucket name listed from the in-line instructions in Red Canary.

3. In the Role ARN field, copy the Role ARN listed in the in-line instructions in Red Canary.

4. In the Data Transfer section, check the following boxes:

   1. Workbench alerts

   2. Activity data -> Scope: Endpoint

1. Click on the Business Name menu at the top right.

2. Select User Accounts.
   

3. Click Add User Account.

4. Select Local Account.
   

5. Enter the email listed in the in-line instructions in Red Canary into the Account field.

6. Select Auditor for the Role field.
   

7. Click Add.

8. Red Canary will accept the invite to finalize access.

Red Canary collects telemetry and alert data from Trend Vision One. Vision One “Activity” data is what Red Canary considers to be telemetry, and “Workbench Alerts” are what Red Canary ingests as alerts. Both types of telemetry are required for a effective detection and investigations. In order to enable the AWS S3 bucket connector, Trend Vision One customers must have sufficient credits. It takes credits to export data to an S3 bucket, so please contact your Trend Micro account team if you don’t have access to the AWS S3 bucket connector listed in Step 2.

Error: Missing Required Permissions

Error Message: Trend Micro API Key : User role associated with the API key is missing one or more required permissions - please ensure that the provided key is correctly configured

If you receive this error message in Red Canary, it means the API key's associated user role in Trend Vision One does not have sufficient access. To resolve this, sign in to your Trend Vision One console and ensure the custom user role created for Red Canary has the following permissions enabled:

• Platform Capabilities > XDR Threat Investigation

  • Under Workbench, check the boxes for View, filter, and search and Modify alert details.

  • Under Search, check the box for View, filter, and search.

• Platform Capabilities > Workflow and Automation

  • Under Response Management, check the boxes for View, filter, and search (Task list tab), Isolate endpoint, and Terminate process.

  • Under Third-party integration, check the View box.

• Security Functions > Endpoint Security

  • Under Endpoint Inventory, check the View box.

• Settings > Administration

  • Under User Roles, check the View box.

  • Under API Keys, check the View box.

Error: Missing Pipeline Configurations

Error Message: Trend Micro API Key: Missing valid export pipeline configurations for telemetry configurations - please ensure that the required pipelines are configured correctly in your Trend Micro account

If you receive this error message in Red Canary, it means that the integration is not configured to send the correct telemetry and alert data to Red Canary. To fix this, you must configure the data export settings in Trend Vision One:

1. In your Trend Vision One console, go to the Data Transfer section.

2. Ensure the following boxes are checked:

   • Workbench alerts

   • Activity data (with the Scope set to Endpoint)