Integrate Trend Micro Vision One with Red Canary

1. Your Trend Vision One user must have admin level access to complete the following steps successfully.

2. Your Trend Vision One tenant must have one of the following licenses:

   1. Trend Vision One Endpoint Security - Essentials

   2. Trend Vision One Endpoint Security - Pro

3. Sufficient Trend Micro Vision One credits to enable the AWS S3 bucket connector. Please contact your Trend Micro account team if you do not have access to the AWS S3 bucket connector detailed in Step 2.

1. Record your Trend Micro Vision One Business ID.

   1. Navigate to the License Information section within your Trend Micro Vision One console.

   2. Copy the Business ID.
      

   3. Enter your Trend Micro Vision One Business ID into Red Canary.  

2. Create a user role to be used with your new API key.  Note: Red Canary is committed to accessing your environment using the fewest permissions required.

   1. Navigate to the User Roles page in the Trend Micro Portal and click Add Role.

   2. Enter the name red-canary-api for the role and click Permissions.

   3. Configure the following permissions:

      1. Platform Capabilities

         1. XDR Threat Investigation

            1. Workbench check the View, filter, and search and Modify alert details boxes.

            2. Search check the View, filter, and search box.

         2. Workflow and Automation

            1. Response Management check the View, filter, and search (Task list tab), Isolate endpoint, and Terminate process boxes.

            2. Third-party integrations check the View box.

      2. Security Functions

         1. Endpoint Security

            1. Endpoint Inventory check the View box.

      3. Settings

         1. Administration

            1. User Roles check the View box.

            2. API Keys check the View box.

   4. Role permissions should look like this when completed successfully.
      

3. Create a new API key for Red Canary to ingest telemetry and alerts.

   1. Navigate to the API Keys section within your Trend Micro Vision One console and click Add API Key.

   2. Name the API key red-canary and assign the user role created in step 1.2.

   3. Expiration Time should be set to “No expiration date.”

   4. Copy the newly created API key.

   5. Enter the API key into Red Canary.

1. Navigate to the AWS S3 Bucket Connector within your Trend Micro Vision One console.

   1. Click Workflow and Automation in the main menu on the left.

   2. Select Third-Party Integration.

   3. Click AWS S3 Bucket Connector.
      

2. In the Bucket name field, copy the bucket name listed from the in-line instructions in Red Canary.

3. In the Role ARN field, copy the Role ARN listed in the in-line instructions in Red Canary.

4. In the Data Transfer section, check the following boxes:

   1. Workbench alerts

   2. Activity data -> Scope: Endpoint

1. Click on the Business Name menu at the top right.

2. Select User Accounts.
   

3. Click Add User Account.

4. Select Local Account.
   

5. Enter the email listed in the in-line instructions in Red Canary into the Account field.

6. Select Auditor for the Role field.
   

7. Click Add.

8. Red Canary will accept the invite to finalize access.

Red Canary collects telemetry and alert data from Trend Micro Vision One. Vision One “Activity” data is what Red Canary considers to be telemetry, and “Workbench Alerts” are what Red Canary ingests as alerts. Both types of telemetry are required for a effective detection and investigations. In order to enable the AWS S3 bucket connector, Trend Micro Vision One customers must have sufficient credits. It takes credits to export data to an S3 bucket, so please contact your Trend Micro account team if you don’t have access to the AWS S3 bucket connector listed in Step 2.