Trend Vision One Integration

Note: This integration requires Cisco XDR Advantage or Cisco XDR Premier licensing tier.

Trend Vision One is an Extended Detection and Response (XDR) and Endpoint Detection and Response (EDR) offering. In Cisco XDR, we enable Trend Vision One users to leverage it for threat hunting and investigation features, as well as rapid response actions to understand and defend against threats on the endpoint. It also provides important device inventory context to help triage detected threats.

Use the Trend Vision One integration to search for security detections involving specific hostnames, host GUIDs, domains, IP addresses, file hashes, email senders and subjects, usernames, process names, and process arguments. Trend Vision One can also be used through Cisco XDR to isolate hosts from the network and block many kinds of observables, including file hashes, email senders, and network resources such as IP addresses, domains, and URLs.

  1. In the Cisco XDR navigation menu, choose Administration > Integrations.

  2. On the Integrations page, click the Third-Party tab and navigate to the Trend Vision One integration.

  3. Click the plus sign (+) in the lower-right corner of the card. The Trend Vision One integration page is displayed.

  4. Expand the Integration Guide area and follow the instructions on how to add the Trend Vision One integration in Cisco XDR.

You can perform the following tasks after you integrate Trend Vision One with Cisco XDR:

  • Investigations - Start a new investigation into any combination of hostnames, host GUIDs, domains, IP addresses, file hashes, email senders and subjects, usernames, process names, and process arguments, and the results will include any records of them found in your Trend Vision One. To verify that this integration is working, and to see what kind of data is returned, investigate one of more observables about which you know Trend Vision One has recent information. For details, see Investigate.

  • Pivot Menu - Use the Pivot menu to access actions in Trend Vision One. Available actions include isolating hosts from the network and blocking file hashes, email senders, and network resources such as IP addresses, domains, and URLs.

  • Assets - View devices as reported by Trend Vision One. For more information, including how to filter the view to only the reports from Trend Vision One, see Devices.

  • Automation:

    • Atomic Actions - The atomic actions for Trend Vision One can be used as building blocks in custom workflows. These can be found as available Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.

    • Workflows - The workflows for Trend Vision One can be installed from the Automation Exchange. See Workflows and Exchange.

    • Target - TheTrend Vision One target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.

    • Playbooks - An Automation system workflow that uses Trend Vision One and is included in the Cisco Managed Incident Playbook can be used to contain incident: assets (devices), contain incident: file hashes, and validate eradicated hosts and unquarantine assets. See Containment and Recovery on the Response page.