Trend Micro™ XDR

Complimentary XDR Licenses for Apex One Onboarding Handbook


Trend Micro™ XDR

Trend Micro™ XDR collects and automatically correlates data across multiple security layers: email, endpoints, servers, cloud workloads, and networks. Using advanced security analytics, it detects and tracks attackers across one or more layers so security teams can quickly visualize the story of an attack and respond faster and more confidently. The efficiency of XDR allows resource-constrained security teams to do more with less, and the Trend Micro™ Managed XDR service can augment teams with expert threat hunting and investigation.

With the availability of Trend Micro™ XDR, we are offering Complimentary Licenses to all Apex One customers, of both the On-Premise and SaaS versions, who do not have a Trend Micro EDR (Endpoint Sensor) license. This offer gives eligible customers our advanced XDR capabilities for 10% of their total number of licensed Apex One endpoints so they can experience first-hand the value of XDR in improving threat detection and investigation for their organizations.

The purpose of this handbook is to help our Partners and Customers onboard XDR. This document covers XDR software and system requirements, XDR Portal registration, XDR deployment within a Windows endpoint environment, and step-by-step XDR testing procedures.

To learn more about Trend Micro™ XDR, please visit the Trend Micro XDR Online Help.


Features and Benefits


Table of Contents

Trend Micro™ XDR

Features and Benefits

Table of Contents

I. Who is Eligible for this offer?

II. Apex One XDR Onboarding Process

A. System Requirements

B. Apex One Software as a Service (SaaS) XDR Registration

C. Apex One On-premise Server XDR Registration

Phase 1: Upgrade Apex One On-premise Server to Patch 3

Phase 2: Register to XDR

D. XDR Deployment to Security Agent

III. XDR Testing Procedures

A. Credential Dumping

B. Lateral Movement after Credential Dumping

IV. Troubleshooting

V. Frequently Asked Questions

VI. Contacting Trend Micro Technical Support


I. Who is Eligible for this offer?

Trend Micro™ XDR Complimentary Licenses are available to all Apex One customers, of both the On-Premise and SaaS versions, who have more than 100 users and do not currently have an Endpoint Sensor (EDR) license (customers with a previously expired license are eligible).

NOTE: Existing Apex One SaaS with Endpoint Sensor (now called XDR Add-on: Apex One SaaS) and XDR for Users Suite customers automatically have access to the full XDR platform at no added charge.

For more information about our Complimentary XDR Licenses, please visit the following link:

https://resources.trendmicro.com/Your-XDR-Access.html#who

II. Apex One XDR Onboarding Process

Review the System Requirements to successfully register your Trend Micro Apex One™ to Trend Micro™ XDR. This chapter contains the following topics:

• System Requirements

• Apex One™ Software as a Service (SaaS) XDR Registration

• Apex One™ On-premise XDR Registration

• XDR Deployment to Security Agent

A. System Requirements

Trend Micro™ XDR for endpoints is only available to Apex One customers. Customers who are still running OfficeScan (OSCE) XG can upgrade to Apex One Patch 3, available on the Trend Micro Download Center website.

IMPORTANT: Trend Micro will end support for OfficeScan XG in March 2021. For more information about the EOS/EOL policy, refer to the following articles:

Supported Trend Micro Products/Versions

End-of-Life Trend Micro Products/Versions

You may also call the Trend Micro Technical Support Hotline for assistance in upgrading your OfficeScan server and agents.

For steps on how to upgrade to the Trend Micro Apex One™ On-premise version, we highly recommend that you review and follow the knowledge base article below:

https://success.trendmicro.com/solution/1122308-quick-migration-guide-for-trend-micro-apex-one

B. Apex One Software as a Service (SaaS) XDR Registration

Apex One SaaS customers who are eligible for the Trend Micro™ XDR Complimentary Licenses will see the Trend Micro XDR blue banner notification when they log in to the Apex Central SaaS web console.

IMPORTANT: For Apex One SaaS, make sure that the July 15th, 2020 Apex One SaaS Maintenance Hotfix is deployed to your endpoints. Refer to the Maintenance schedule for Trend Micro Apex One™ as a Service in 2020 for more information about this patch. To learn how to deploy product patches and hotfixes to agents, refer to the following article:

Controlling which agents will upgrade in OfficeScan/Apex One

To register Apex One SaaS to Trend Micro™ XDR, follow the steps below:

1. Log in to your Customer Licensing Portal (https://clp.trendmicro.com/).

2. Under Software as a Service Offerings, open the console of Trend Micro Apex One™ as a Service.


3. Click the "More Details" button to open the Complimentary XDR Licenses page.

4. On the Complimentary XDR Licenses page, click Get Trend Micro XDR Now to open the XDR onboarding portal (https://flywheel-us1.xdr.trendmicro.com/#/) and register your account.


NOTE: The Username is auto-populated with the CLP account login that was used to open the Apex One SaaS web console and cannot be changed. However, you may change the registered email address that will be used for sending XDR-related emails and alerts.

5. Enter your CLP account password and click Confirm to complete the XDR registration.

6. Once your XDR account is created, you will see Start the Sample Data Tutorial, which guides you through the most essential features of XDR.

7. After the tutorial, you are taken to the Endpoint Inventory page. Click Next.


8. Read and select I Agree to the Terms of Service, then click Next.

9. Click Get Started and wait around 10 to 15 minutes for endpoints to be displayed in the UI.

10. After the Endpoint Inventory has received the first report containing Personally Identifiable Information (PII) data, an email notification is sent to the user and a notification is displayed in the notification center in the upper right corner.


After successfully registering to Trend Micro™ XDR, refer to D. XDR Deployment to Security Agent in this document to enable the XDR feature on endpoints.

C. Apex One On-premise Server XDR Registration

There are two phases to onboarding the XDR licenses: first, install Apex One Patch 3; second, register to XDR. These phases are outlined in more detail in this section.

Phase 1: Upgrade Apex One On-premise Server to Patch 3

1. Download the Apex One Patch 3 installer from the link below and copy it to the Apex One server:

Trend Micro Apex One™ Patch 3 Build 8378 is now available

https://success.trendmicro.com/solution/000260746

2. On the Apex One server, execute the Patch 3 installer.

3. Select "Yes" on the pop-up notification to proceed with applying the patch.

4. Wait until the patch has finished loading.


5. Select “Accept” on the terms of license agreement then click “Next”.

6. A Pop-up regarding the collection of basic endpoint information will appear. Select “Yes”

to allow the XDR setup to proceed.

7. Select “Install”.


8. Wait for the patch installer to finish loading.

9. Select ‘Yes’ on the Pop-up regarding the ‘certificate backup’.

10. Wait for the patch to finish loading.

11. Once the patch installer is successful, click “OK”.


12. Log in to the Apex One web console; you should now see the Trend Micro XDR blue banner.

13. Click the "More Details" button to open the Complimentary XDR Licenses offer.


14. Deploy Apex One Patch 3 to the agents. To learn how to deploy product patches and hotfixes to agents, refer to the following article:

Controlling which agents will upgrade in OfficeScan/Apex One

If you encounter any issue when installing Apex One Patch 3, refer to the IV. Troubleshooting section of this handbook.

Phase 2: Register to XDR

After the management server has been successfully upgraded to Apex One Patch 3, a blue banner for Trend Micro XDR appears just below the tab menu.

Follow the steps below to register your Apex One server to Trend Micro™ XDR:

1. Click the "More Details" button to open the Complimentary XDR Licenses page.

2. Click Get Trend Micro XDR Now. You are redirected to the onboarding portal (https://flywheel-us1.xdr.trendmicro.com/#/) to set up your account.


3. Provide the following information to create a Trend Micro™ XDR account:

• Username

• Password

• Contact email

Note: Use a contact email that has not been registered to Trend Micro™ XDR before. Click the "Confirm" button for the system to create your XDR account.

INFORMATION: "Already have a Trend Micro Account" refers to your company's Trend Micro Customer Licensing Portal (CLP) account, which is used to manage your Trend Micro licenses and SaaS solutions.

4. Once your XDR account is created, you will see Start the Sample Data Tutorial, which guides you through the most essential features of XDR.


5. After the tutorial, you are taken to the Endpoint Inventory page. Click Next.

6. Read and select I Agree to the Terms of Service, then click Next.


7. Click Get Started and wait around 10 to 15 minutes for endpoints to be displayed in the UI.

8. After the Endpoint Inventory has received the first report containing Personally Identifiable Information (PII) data, an email notification is sent to the user and a notification is displayed in the notification center in the upper right corner.

After successfully registering to Trend Micro™ XDR, refer to D. XDR Deployment to Security Agent in this document to enable the XDR feature on endpoints.

D. XDR Deployment to Security Agent

After registering your Apex One server to Trend Micro™ XDR, you can deploy and enable the XDR feature on your chosen endpoints.

IMPORTANT: For Apex One On-premise, only endpoints with Apex One Patch 3 deployed can report to Trend Micro™ XDR. For Apex One SaaS, make sure that the July 15th, 2020 Apex One SaaS Maintenance Hotfix is deployed to your endpoints. Refer to the Maintenance schedule for Trend Micro Apex One™ as a Service in 2020 for more information about this patch.


Follow the steps below to enable the XDR feature on Security Agents.

1. In the Trend Micro XDR console, go to Endpoint Inventory > Available endpoints. The existing Apex One server environment(s) are shown together with the number of free licenses remaining.

2. Click View Recommended Endpoints to Enable XDR Now, or select the agent in the Available endpoints list.

3. The selected agent moves to the Installing to endpoint tab for about 10 to 15 minutes.


4. If installation is successful, the agent moves automatically to the Reporting to XDR tab.

5. XDR is successfully enabled on the agent if Endpoint Sensor shows as enabled in the Security Agent console, opened via the system tray icon:

a. Log on to the agent where you enabled XDR.

b. In the system tray, look for the blue Trend Micro Security Agent icon.

c. Right-click the Security Agent icon and select Open Security Agent Console.

d. Make sure that Endpoint Sensor shows as green.


If you encounter issues when enabling Trend Micro™ XDR on agents, refer to the IV. Troubleshooting section of this handbook.

III. XDR Testing Procedures

After successfully registering to Trend Micro™ XDR and deploying XDR to Apex One Security Agents, test the deployment to make sure that your XDR-enabled agent is able to send activity data to the XDR data lake.

In this section, you will learn how to trigger a Security Analytic Engine (SAE) detection model to receive alerts in the XDR portal, and how to use the investigation Workbench to perform root cause analysis, when the following events happen:

• Credential Dumping

• Lateral Movement after Credential Dumping

A. Credential Dumping

a. Check that Endpoint Sensor is enabled.

1. Find one agent/client with Endpoint Sensor enabled.

b. Type a suspicious command to trigger the Credential Dumping rule.

1. Run the Command Prompt as an administrator.

2. Run the command "C:\Windows\System32\reg.exe save hklm\sam c:\temp\sam.save".

NOTE: Ignore any error that may appear. c:\temp\sam.save is a copy of the local SAM registry hive; the test only needs the command to have run, so delete the file once the test is complete.

c. Check that telemetry was received.

NOTE: In the SaaS environment, telemetry is sent to the server every 5 minutes.

1. Log on to the XDR web console and go to the Search tab.

2. Change the search criteria to "File name" and type "reg.exe". Then click Search.

3. The search results for reg.exe are displayed.

d. Open the alert to check its details (Credential Dumping alert details).

e. Check the Execution Profile (Root Cause Analysis chain).

1. Right-click the execution icon.

2. Select "Check Execution Profile".

NOTE: If RCA is not available when the alert is triggered, the Workbench hides the Execution Profile menu item.

3. If the analysis chain can be generated successfully, the detailed chain is shown on the console.

NOTE: The triggered alerts and their Workbench links can be found on the Workbench page.

B. Lateral Movement after Credential Dumping

a. Check that Endpoint Sensor is enabled.

1. Find one agent/client with Endpoint Sensor enabled.

b. Type a suspicious command to trigger the Credential Dumping rule.

1. Run the Command Prompt as an administrator.

2. Run the command "C:\Windows\System32\reg.exe save hklm\sam c:\temp\sam.save".

NOTE: Ignore any error that may appear, and delete c:\temp\sam.save once the test is complete.

c. Run mstsc to trigger RDP.

1. Run the command "C:\Windows\system32\mstsc.exe" to launch the Remote Desktop Connection program.

2. Enter the IP address of any endpoint, with a username and password you know. Use a test account and a test endpoint for this step.

3. Make sure your RDP connection is established successfully.

d. Check that telemetry was received.

NOTE: In the SaaS environment, telemetry is sent to the server every 5 minutes.

1. Log on to the XDR web console and go to the Search tab.

2. Change the search criteria to "File name" and type "reg.exe". Then click Search.

3. The search results for reg.exe are displayed.

e. Check the alerts in the Workbench.

1. Log on to the XDR web console and open the Workbench for XDR alerts.

2. Check whether a Credential Dumping alert and a Lateral Movement after Credential Dumping alert are present.

NOTE: The alerts arrive at different times; the Lateral Movement after Credential Dumping alert comes later.

f. Open the alerts to check their details (Credential Dumping alert details, Lateral Movement after Credential Dumping alert details).

g. Check the Execution Profile (Root Cause Analysis chain).

1. Right-click the execution icon.

2. Select "Check Execution Profile".

NOTE: If RCA is not available when the alert is triggered, the Workbench hides the Execution Profile menu item.

3. If the analysis chain can be generated successfully, the detailed chain is shown on the console.

NOTE: The triggered alerts and their Workbench links can be found on the Workbench page.
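The two tests above, scripted as an added example (this is not code from the Trend Micro handbook): one elevated PowerShell run on a lab agent performs step a, runs the handbook's reg.exe command, removes the saved hive, and, with -LateralMovement, opens mstsc for step c of test B and records the start times you will look for in XDR Search. The RDP target 192.0.2.10 is a placeholder, the test account you type into mstsc is assumed to be yours to use, and treating a running EndpointBasecamp.exe process as the XBC agent being up is an assumption the handbook does not state.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not Trend Micro tooling: runs the handbook's XDR detection tests
  (A, and optionally B) from one elevated PowerShell session on a lab workstation that
  already reports to XDR. Assumptions beyond the handbook: $TargetHost is a lab endpoint
  (192.0.2.10 is a TEST-NET-1 placeholder) you are allowed to log on to with a test
  account, and a running EndpointBasecamp.exe process means the XBC agent is up.
#>
param(
    [switch]$LateralMovement,                  # also run test B (RDP after the dump)
    [string]$TargetHost = '192.0.2.10',        # assumption: your lab RDP target
    [string]$DumpPath   = 'C:\temp\sam.save'   # path the handbook uses
)

# Step a of both tests, using the indicators the troubleshooting section names.
function Test-XdrAgentReady {
    $xbc = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } |
           ForEach-Object { Join-Path $_ 'Trend Micro\Security Agent\EndpointBasecamp.exe' } |
           Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    $standalone = @(Get-Service -Name TMESC, TMESE -ErrorAction SilentlyContinue)   # standalone Endpoint Sensor leftovers
    [pscustomobject]@{
        BasecampPath     = $xbc
        BasecampRunning  = [bool](Get-Process -Name EndpointBasecamp -ErrorAction SilentlyContinue)
        StandaloneSensor = ($standalone | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
    }
}

# Step b: the handbook's trigger, a SAM hive save (the T1003.002 flavour of credential dumping).
# The handbook's check looks for the reg.exe execution in telemetry, not for the file; the saved
# hive holds local password hashes, so it is deleted right away instead of being left in C:\temp.
function Invoke-CredentialDumpingTest {
    param([string]$Path)
    New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
    $started = Get-Date
    $output  = & "$env:SystemRoot\System32\reg.exe" save 'hklm\sam' $Path /y 2>&1
    $exit    = $LASTEXITCODE
    if (Test-Path -LiteralPath $Path) { Remove-Item -LiteralPath $Path -Force }
    [pscustomobject]@{
        Test      = 'Credential Dumping'
        StartedAt = $started
        ExitCode  = $exit                          # non-zero is acceptable; the handbook says to ignore errors here
        Output    = ($output | Out-String).Trim()
    }
}

# Step c of test B: open mstsc against the lab host and wait until the interactive session
# ends, so the RDP logon is recorded after the dump, in the order the handbook prescribes.
function Invoke-LateralMovementTest {
    param([string]$Target)
    $started = Get-Date
    Start-Process -FilePath "$env:SystemRoot\System32\mstsc.exe" -ArgumentList "/v:$Target" -Wait
    [pscustomobject]@{ Test = 'Lateral Movement after Credential Dumping'; StartedAt = $started; Target = $Target }
}

$ready = Test-XdrAgentReady
if (-not $ready.BasecampPath) { throw 'EndpointBasecamp.exe not found; enable XDR on this agent first (section II.D).' }
if ($ready.StandaloneSensor)  { throw "Standalone Endpoint Sensor services present ($($ready.StandaloneSensor)); see IV. Troubleshooting." }

$results = @(Invoke-CredentialDumpingTest -Path $DumpPath)
if ($LateralMovement) { $results += Invoke-LateralMovementTest -Target $TargetHost }

# Keep the timestamps: SaaS agents upload every 5 minutes, and the lateral-movement alert
# arrives later than the credential-dumping one, so search XDR for reg.exe from StartedAt on.
$results | Format-List
```

Run it as `.\Invoke-XdrTests.ps1` for test A alone, or `.\Invoke-XdrTests.ps1 -LateralMovement -TargetHost <lab-ip>` for test B; the script refuses to run when the standalone TMESC/TMESE services are still present, because the handbook says XDR cannot be enabled on such an agent until support has removed them.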

IV. Troubleshooting

Each entry below lists the category, the issue and its possible causes, the recommendation, and the logs to collect.

Category: Patch Server Installation

Issue: Unable to install Apex One Patch 3.

Recommendation:

1. Make sure the installer is not corrupted. Check the file size and compare it to the one uploaded to the Download Center.

2. Run the installer as administrator.

3. If the installation failed, check c:\tmpatch.log and search for the keyword "Failed". The common error is a file that the patch cannot replace; in the handbook's sample log this was CGIOCommon.dll.

4. In that case, rename C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web_OSCE\Web_Console\CGI\CGIOCommon.dll to CGIOCommon.dll.bak.

5. Delete c:\tmpatch.log.

6. Run the installer again. If the same issue occurs, check c:\tmpatch.log again.

Logs to collect:

• C:\tmpatch.log

• C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Log\OfcHotfixToolDebug.log

Category: XDR Onboarding

Issue: The Trend Micro XDR blue banner does not appear in the console.

Possible causes:

• EndpointBaseCamp.exe may not have been downloaded by the Apex One server.

• On Apex One On-premise, this can happen because of a DNS resolution issue for flywheel.xdr.trendmicro.com.

Recommendation:

1. On the Apex One server, verify that the Endpoint Basecamp executable exists at %PROGRAMFILES%\Trend Micro\Apex One\PCCSRV\Pccnt\Common\EndpointBaseCamp.exe.

2. From the Apex One server, verify that you can access https://flywheel.xdr.trendmicro.com.

3. Run nslookup for flywheel.xdr.trendmicro.com and verify that hostname resolution works.

4. If hostname resolution works and you are able to access https://flywheel.xdr.trendmicro.com from the Apex One server, perform the following:

a. Open a command prompt as administrator and change directory to %PROGRAMFILES%\Trend Micro\Apex One\PCCSRV.

b. Run the following command:

SVRSVCSETUP.exe -PrepareXBCpatch -AcceptXBCPII no

Verify that you can now see the Trend Micro XDR blue banner.

Logs to collect (from the Apex One server):

• C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Private\ofcserver.ini

• C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Log\ofcdebug.log

Category: XDR Agent Deployment

Issue: Problems enabling the XDR agent.

a. An error occurred when trying to enable XDR on an agent.

• Possible cause: the target agent still has the standalone Endpoint Sensor installed.

b. The endpoint is not shown in the Recommended Endpoints list.

• Possible cause: the XDR Basecamp (XBC) agent service did not launch.

Recommendation:

a. An error occurred when trying to enable XDR on an agent.

1. Open a command prompt and use the following commands to verify whether the standalone sensor services still exist:

sc query TMESC

sc query TMESE

2. If these services still exist, even in the "STOPPED" state, contact Trend Micro Technical Support for assistance in manually removing the standalone Endpoint Sensor.

b. The endpoint is not shown in the Recommended Endpoints list.

INFORMATION: The Recommended Endpoints dialog box only displays the top 25 entries from the "Available endpoints" list at the time of the click.

1. On the problem agent, go to %PROGRAMFILES%\Trend Micro\Security Agent.

2. Double-click EndpointBasecamp.exe.

3. Verify whether the agent now appears in the Recommended Endpoints list.

Logs to collect (from the affected agent):

• A registry export of HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc

• Ofcdebug.log (https://success.trendmicro.com/solution/1055118-manually-enabling-debug-mode-on-the-server-and-clients-in-officescan-apex-one)

Category: XDR Activity Data

Issue: Unable to see activity data in XDR Search.

Possible causes:

• XDR-related traffic is blocked by a network firewall or web proxy.

• The XDR Basecamp (XBC) agent service did not launch.

Recommendation:

1. Allow XDR-related traffic. Refer to the Trend Micro Knowledge Base article "URLs to be allowed through the firewall of Trend Micro XDR".

2. Launch the XDR Basecamp (XBC) agent service: go to %PROGRAMFILES%\Trend Micro\Security Agent and double-click EndpointBasecamp.exe.

Logs to collect (from the affected agent):

• A registry export of HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc

• Diagnostic Log (https://success.trendmicro.com/solution/1055229)
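The checks in this section, collected into one script as an added example (not Trend Micro tooling): it verifies the basecamp binary, DNS resolution and HTTPS reachability for flywheel.xdr.trendmicro.com on the server, the TMESC/TMESE leftovers and the XBC process on an agent, and copies the listed logs plus a registry export of the Misc key into one folder for a support case. Assumptions the handbook does not state: the Apex One files may live under either Program Files or Program Files (x86), and a running EndpointBasecamp.exe process is taken to mean the XBC agent launched. The -PrepareXbcPatch switch runs the handbook's SVRSVCSETUP.exe command only after the name-resolution and HTTPS checks have passed, as step 4 requires.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not Trend Micro tooling: runs the troubleshooting section's checks in one
  pass and bundles the logs it asks for. Assumptions beyond the handbook: a running
  EndpointBasecamp.exe process means the XBC agent launched, and the Apex One files may sit
  under either Program Files or Program Files (x86).
#>
param(
    [switch]$PrepareXbcPatch,  # run the handbook's SVRSVCSETUP.exe step once DNS and HTTPS checks pass
    [switch]$StartBasecamp     # on an agent: launch EndpointBasecamp.exe if it is not running
)

$Fqdn = 'flywheel.xdr.trendmicro.com'

# The handbook writes %PROGRAMFILES% in one place and Program Files (x86) in another; try both.
function Find-TrendPath([string]$Relative) {
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($root) {
            $p = Join-Path $root $Relative
            if (Test-Path -LiteralPath $p) { return $p }
        }
    }
    return (Join-Path $env:ProgramFiles $Relative)   # not found; report the default location
}

# "Blue banner not appearing": basecamp binary on the server, DNS resolution, HTTPS reachability.
function Test-XdrServerOnboarding {
    $pccsrv = Find-TrendPath 'Trend Micro\Apex One\PCCSRV'
    $dns = @()
    try { $dns = @([System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }) } catch { }
    try {
        $https = (Invoke-WebRequest -Uri "https://$Fqdn/" -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop).StatusCode
    } catch {
        # Any HTTP status proves the TLS path is open; no response at all points at DNS, proxy or firewall.
        $https = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { "unreachable: $($_.Exception.Message)" }
    }
    $report = [pscustomobject]@{
        BasecampPresent = Test-Path -LiteralPath (Join-Path $pccsrv 'Pccnt\Common\EndpointBaseCamp.exe')
        DnsAnswers      = $dns -join ', '
        HttpsStatus     = $https
        PrepareXbcRan   = $false
    }
    $setup = Join-Path $pccsrv 'SVRSVCSETUP.exe'
    if ($PrepareXbcPatch -and $dns.Count -gt 0 -and ($https -is [int]) -and (Test-Path -LiteralPath $setup)) {
        Push-Location $pccsrv
        & $setup -PrepareXBCpatch -AcceptXBCPII no   # handbook step 4b, gated on the checks of steps 2 and 3
        Pop-Location
        $report.PrepareXbcRan = $true
    }
    $report
}

# "Issues enabling XDR agent" and "no activity data": standalone sensor leftovers and the XBC process.
function Test-XdrAgentDeployment {
    $xbc = Join-Path (Find-TrendPath 'Trend Micro\Security Agent') 'EndpointBasecamp.exe'
    $standalone = @(Get-Service -Name TMESC, TMESE -ErrorAction SilentlyContinue)   # same as sc query TMESC / TMESE
    $running = [bool](Get-Process -Name EndpointBasecamp -ErrorAction SilentlyContinue)
    if ($StartBasecamp -and -not $running -and (Test-Path -LiteralPath $xbc)) {
        Start-Process -FilePath $xbc    # same as double-clicking EndpointBasecamp.exe
        Start-Sleep -Seconds 5
        $running = [bool](Get-Process -Name EndpointBasecamp -ErrorAction SilentlyContinue)
    }
    [pscustomobject]@{
        BasecampPresent  = Test-Path -LiteralPath $xbc
        BasecampRunning  = $running
        StandaloneSensor = ($standalone | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '  # non-empty: ask support to remove it
    }
}

# "Logs to collect": copy whatever exists and export the Misc registry key. ofcserver.ini is server
# configuration, so hand the bundle to the support case only.
function Export-XdrTroubleshootingLogs {
    $dest = Join-Path $env:TEMP ('xdr-logs-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $candidates = @('C:\tmpatch.log') + @(@(
        'Trend Micro\OfficeScan\PCCSRV\Log\OfcHotfixToolDebug.log',
        'Trend Micro\Apex One\PCCSRV\Private\ofcserver.ini',
        'Trend Micro\Apex One\PCCSRV\Log\ofcdebug.log'
    ) | ForEach-Object { Find-TrendPath $_ })
    $copied = @(foreach ($f in $candidates) {
        if (Test-Path -LiteralPath $f) { Copy-Item -LiteralPath $f -Destination $dest -Force; $f }
    })
    $key = 'HKLM\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc'
    & reg.exe export $key (Join-Path $dest 'Misc.reg') /y 2>&1 | Out-Null
    [pscustomobject]@{ Destination = $dest; Copied = $copied; RegistryExported = ($LASTEXITCODE -eq 0) }
}

Test-XdrServerOnboarding
Test-XdrAgentDeployment
Export-XdrTroubleshootingLogs
```

On the Apex One server the first object tells you which of steps 1 to 3 of the XDR Onboarding entry failed; on an agent the second object is the answer to "did the XBC agent launch" and whether the standalone sensor is still installed; the third object names the folder to attach to the support case.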

V. Frequently Asked Questions

1. What is XDR?

• For Trend Micro, XDR refers to the ability to do detection and response across email, endpoint, server, cloud workloads and network via our single XDR platform or our Managed XDR service. Trend Micro is the first to deliver XDR across all these vectors.

• The X refers to the multiple layers. XDR extends beyond the endpoint, so we use the XDR term to differentiate it from EDR.


• XDR sits on top of the relevant Trend Micro products in a customer's environment and offers expert security analytics for alert correlation, and consolidated visibility and investigation of events across security layers, leading to earlier detection and faster response.

• XDR enables better context and deeper analysis, so customers can respond more effectively and efficiently to threats, minimizing the severity and scope of a breach on the organization.

2. Is XDR another product?

• Yes, "Trend Micro XDR" is the solution name for the new XDR platform available to customers that enhances and consolidates detection, investigation and response capabilities across email, endpoints, servers, cloud workloads and networks.

• Depending on the Trend Micro products a customer has or buys, they can leverage the XDR platform across one or more of the available layers. They do not have to buy every associated product to gain value; they get richer detection and investigation with just a single layer (for example endpoint, via this offer). Of course, the more layers they employ, the more sources there are to correlate and analyze, and the better the insight the customer obtains.

3. Does XDR work with Trend Micro products only, or can it be integrated with other products?

• Right now, we are focusing on integrating Trend Micro products into XDR. In the future, we will start integrating with third-party solutions.

• The priority is on Trend Micro products because our portfolio breadth enables us to offer a comprehensive solution with our own native products.

• We have SIEM integration. XDR provides the advantage of sending fewer, prioritized alerts to the SIEM based on the correlation and analysis of the data from the Trend Micro products in the environment. This reduces the noise for security analysts and helps them narrow in on what is critical.

4. What is the difference/relationship between XDR and SIEM?

• Organizations use SIEMs to collect logs and alerts from multiple solutions and store them for compliance. While a SIEM allows companies to bring together a lot of information from multiple places for centralized visibility, the reality is that it results in an overwhelming number of individual alerts that are difficult to sort through to understand what is critical and needs attention. Correlating and connecting all the logs to gain a view of the bigger picture is challenging, if not impossible.

• Conversely, XDR collects activity and detection data from multiple Trend Micro products and correlates the data, applying AI and expert analytics to provide context-rich alerts, which can be further investigated in the XDR platform and/or sent to the company's SIEM solution depending on the customer's processes and preferences. XDR also enables response actions across multiple products, which is not a function of a SIEM.

• XDR does not replace the SIEM; instead, it can augment the SIEM, reducing the amount of effort required by security analysts to analyze alerts and logs from the Trend Micro products.


5. What size of company is the target for XDR?

• XDR is available down to 250-user organizations, but the solution is ideally targeted at mid-size to large enterprises (500+ users).

• The Managed XDR service is a great option for organizations that want the benefits of XDR but may not have the internal resources to fully capitalize on it in-house, or that need to augment their resources for 24x7 alert monitoring, threat hunting and investigation.

6. Where is my customers' data stored? Will it be compliant with GDPR?

• Yes, Trend Micro complies with GDPR requirements.

• XDR leverages data stored in secure Trend Micro data lakes.

• Data from individual organizations is carefully protected from any cross-contamination with other organizations' data.

• Data lakes are located in both the US and Europe for data residency compliance.

7. How does XDR relate to Worry-Free?

• Trend Micro XDR is an enterprise solution ideally targeted at enterprises with 500+ users.

• Worry-Free services have added XDR-related capabilities for SMB organizations (namely the ability to connect endpoint and email), but this is separate from the broader XDR enterprise offering. The XDR platform will not integrate with Worry-Free.

• Likewise, Worry-Free services have introduced a Managed XDR service sold to MSPs, but again, this is separate from our enterprise Managed XDR service, and our enterprise Managed XDR service is not available to Worry-Free customers.

8. XDR is going to be another console; how will that work with Apex Central and other product consoles?

• XDR is the single console for integrated detection and response across multiple layers.

• There are SAML capabilities for direct login between the XDR console and the other product consoles, including Apex Central.

• As a rule, the different consoles serve different users. The XDR console will be used primarily by SOC analysts, whereas the individual product consoles are used by analysts in specific areas, whether that is cloud and data center, network, or IT security. The XDR console is intended to provide centralized visibility and investigation across security layers and individual products.

9. What is the difference between XDR and Managed XDR capabilities?

• Managed XDR is the renamed Trend Micro MDR service.

• Analogy: XDR is like providing tools for you to monitor and fix your car. Managed XDR is like providing a trained automotive service technician to monitor and fix your car if you do not have the expertise or time to do it yourself.

• It provides:

i. Managed XDR delivered by Trend Micro Incident Response experts

ii. 24x7 critical alerting and monitoring

iii. Root cause and impact analysis

iv. Incident prioritization and investigation

v. Response and recommendations on remediation and preventive measures

vi. Incident reporting and executive reporting on security posture

• Managed XDR can be sold on top of email, endpoint, server, cloud workload, and network protection products.

• Even with in-house XDR capabilities, the Managed XDR service offers customers tremendous additional value. There are many use cases for employing an MDR service: a customer may rely on the service because they lack the resources or tools to do it themselves, or they may want to supplement in-house activities with augmented detections, added threat expertise and intelligence, proactive threat hunting and regular IOC sweeping.

10. How does XDR differ from Endpoint Sensor alone?

• Overall, XDR offers additional detection and investigative functions.

• XDR offers brand new detection rules.

o XDR takes endpoint detections and other activity data, cross-correlates them and applies additional cloud analytics to perform more sophisticated detection.

o XDR detection capabilities focus on things the individual products will not or cannot see.

o One of the values of XDR is correlated detections, based on rules that look for different behaviors across security layers.

o Detection rules and models are pushed out regularly for ongoing improvement and value.

• Additional response options.

o XDR can offer more advanced response options. For example, using XDR with Apex One SaaS and Cloud App Security, you can quarantine a malicious email directly from the console. This is a key differentiating feature over competitors, even those that claim integrated endpoint-email detection and response.

• Single detection and response for endpoints and servers/cloud workloads.

o There is now an option for optimized server and cloud workload EDR via the Cloud One-Workload Security XDR Add-on.

o This provides a consolidated detection and investigation option for servers and endpoints in a single place.

o This offers the best of both worlds: a customer can keep separate protection, which is recommended for servers/cloud workloads versus endpoints, but then bring them together for detection, investigation and response, which is where the value lies in combining these vectors and addressing them in a single solution.

11. Does an existing Endpoint Sensor SaaS customer get XDR capabilities?

• Existing Apex One SaaS with Endpoint Sensor (now called XDR Add-on: Apex One SaaS) and XDR for Users Suite customers automatically have access to the full XDR platform at no added charge.

12. Is XDR available for on-prem endpoint customers?

• XDR is only available as a cloud-only offering, because the volume of storage and processing capacity required for the XDR data lake and AI/data analytics can only be accomplished in the cloud.

• Through the offer above, Apex One on-prem customers can experience XDR. On-prem customers can choose to enable their endpoint agent to send endpoint activity data to the XDR data lake and gain access to the XDR SaaS platform. In this scenario, their EPP capability remains on-prem, but their EDR/XDR function is cloud-based.

• This initiative allows Apex One on-prem customers to trial XDR for 10% of their user base for the length of their contract.

13. Do the free XDR licenses offer the same thing as a full XDR license?

• Free licenses provide access to XDR detection features (automated correlation and automated sweeping) and XDR investigation features (Workbench and Search), but NO access to XDR response features (endpoint isolation, quarantine/delete email, file collection).

• Also, the free licenses are for endpoints only. Any customer interested in leveraging the XDR platform for servers and cloud workloads, email, or networks will require an XDR add-on license for the respective product.

14. How do I find the company ID if troubleshooting or escalation is needed?

• Trend Micro XDR → Login Account (top right corner) → Account Setting → Company name and Company ID.

• Trend Micro XDR → Help → Send Feedback

• Trend Micro XDR Support Portal

• Browser debug tool: check the context

VI. Contacting Trend Micro Technical Support

To learn more about Trend Micro™ XDR or to get technical assistance, call the Trend Micro Technical Support Hotlines or submit a support request via the Business Support Portal.