Overview
To view Trend Micro Vision One logs in the Logsign Unified SecOps Platform, you need to complete the configuration steps below.
First, open the Trend Micro Vision One console using the link for your environment. You must be an authorized user who can access the management panel and take actions there.
Prerequisites
- Logsign Unified SecOps Platform version 6.3.34 and later supports this integration.
Configure On Trend Micro Vision One
Log in to the Trend Micro Vision One console with an administrator account, click your account name in the upper right corner, and open the API Keys page.
Then click Add API Key to create a new key.
Enter a name for the key in the Name field. Select SIEM as the Role. In the Expiration Time field you can choose an indefinite lifetime.
Copy and store the API key you created; it is shown only once.
Log in to Logsign Unified SecOps Platform and click Settings in the top menu. In the window that opens, click Data Collection on the left to view the sources already added to Logsign Unified SecOps Platform. Click + Device on the right to begin adding a source.
Enter the API key you received in the Token field.
In the Url field, enter the API address shown for the environment you log in to.
As an example, the URL of the environment we use for testing is shown below; entering the value that appears in your own environment is enough.
https://api.{region}.xdr.trendmicro.com
The most important part to check for your environment is the region.
The Api Type field selects the log type you want to pull.
The difference between the two options is explained below.
- Audit: Audit logs record transactions and user activities in the system.
- Workbench: Workbench logs contain security events and analysis related to threat and incident management.
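The following script is an added example, not Logsign's or Trend Micro's own code. It shows how the three values the device form asks for (Url, Token, Api Type) fit together and how to sanity-check a freshly created key before saving the source. Only the base URL pattern comes from this page; the list of regions and the endpoint path behind each Api Type are assumptions taken from Trend Micro's public Vision One v3 API documentation and should be confirmed against your own tenant. The `simulated_opener` helper and the sample URL are constructed so the check can be run offline.

```python
"""Build and sanity-check the Trend Micro Vision One connection settings that
the Logsign device form asks for (Url, Token, Api Type).

Added example, not Logsign's or Trend Micro's own code.  The base URL pattern
comes from the integration page; KNOWN_REGIONS and API_TYPE_PATHS are
assumptions taken from Trend Micro's public Vision One v3 API documentation."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict

BASE_URL_TEMPLATE = "https://api.{region}.xdr.trendmicro.com"

# Assumption: regions listed in Trend Micro's public documentation.
KNOWN_REGIONS = ("us", "eu", "jp", "sg", "au", "in")

# Assumption: the v3 endpoint behind each Logsign "Api Type" choice.
API_TYPE_PATHS = {
    "Audit": "/v3.0/audit/logs",
    "Workbench": "/v3.0/workbench/alerts",
}


def base_url(region: str) -> str:
    """Return the regional API base URL, rejecting unknown regions early."""
    region = region.strip().lower()
    if region not in KNOWN_REGIONS:
        raise ValueError(f"unknown region {region!r}; expected one of {KNOWN_REGIONS}")
    return BASE_URL_TEMPLATE.format(region=region)


def region_from_url(url: str) -> str:
    """Pull the region out of a base URL copied from the console, so the
    operator can paste the address instead of retyping it."""
    match = re.fullmatch(r"https://api\.([a-z]+)\.xdr\.trendmicro\.com/?", url.strip())
    if not match:
        raise ValueError("URL does not match https://api.{region}.xdr.trendmicro.com")
    return match.group(1)


def build_request(region: str, token: str, api_type: str) -> urllib.request.Request:
    """Assemble the GET request for the chosen Api Type.  The API key is sent
    as a Bearer token; stray whitespace around a pasted key is a common reason
    a new key is rejected, so such a token is refused up front."""
    if not token or token != token.strip():
        raise ValueError("token is empty or has leading/trailing whitespace")
    if api_type not in API_TYPE_PATHS:
        raise ValueError(f"Api Type must be one of {sorted(API_TYPE_PATHS)}")
    return urllib.request.Request(
        base_url(region) + API_TYPE_PATHS[api_type],
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )


def check_connection(region: str, token: str, api_type: str,
                     opener: Callable = urllib.request.urlopen) -> Dict[str, str]:
    """Issue one request and translate the outcome into an operator-readable
    verdict.  `opener` is injectable so the logic can be exercised offline."""
    request = build_request(region, token, api_type)
    try:
        with opener(request, timeout=15) as response:
            return {"status": "ok", "http": str(response.status), "reason": ""}
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            reason = ("token rejected: check that it was copied in full, "
                      "has the SIEM role and has not expired")
        elif err.code == 404:
            reason = "endpoint not found: check the region and Api Type"
        else:
            reason = f"unexpected HTTP {err.code}"
        return {"status": "error", "http": str(err.code), "reason": reason}
    except urllib.error.URLError as err:
        return {"status": "error", "http": "", "reason": f"network error: {err.reason}"}


def simulated_opener(http_code: int) -> Callable:
    """Constructed stand-in for urllib.request.urlopen so the check can be
    demonstrated without network access: 200 succeeds, anything else raises."""
    class _Response:
        status = http_code

        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def opener(request, timeout=None):
        if http_code != 200:
            raise urllib.error.HTTPError(request.full_url, http_code, "simulated", {}, None)
        return _Response()
    return opener


if __name__ == "__main__":
    region = region_from_url("https://api.eu.xdr.trendmicro.com")  # constructed sample URL
    print(build_request(region, "PLACEHOLDER_API_KEY", "Audit").full_url)
    print(check_connection(region, "PLACEHOLDER_API_KEY", "Workbench",
                           opener=simulated_opener(401)))
```

To test a real key, call `check_connection(region, token, api_type)` without the `opener` argument; a 401 or 403 verdict points at the key itself (incomplete copy, wrong role, or an expiry reached if you did not choose an indefinite lifetime), while a 404 points at the region or Api Type.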