Threat Investigations can correlate information from Endpoint Sensor, Cloud App Security, and Active Directory to display attack information about an endpoint, user account, and possible email attack vectors throughout your network.
Important
  • You must properly configure Cloud App Security and Apex Central before you can correlate email message information.
  • Apex Central only supports email correlation in Cloud App Security for Threat Investigations.
    For more information, see Cloud Service Integration.
  • Email correlation in Cloud App Security requires the following:
    • Additional licensing for Trend Micro Cloud App Security on your Customer Licensing Portal account.
    • Additional licensing for Apex One™ as a Service: Endpoint Sensor on your Customer Licensing Portal account.

Procedure

  1. Ensure your Customer Licensing Portal account (https://clp.trendmicro.com/) includes Trend Micro Cloud App Security.
    • If your Customer Licensing Portal account already includes Cloud App Security, proceed to the following step.
    • If you do not have a valid Activation Code for Cloud App Security, contact your sales representative.
  2. Add Microsoft™ Exchange Online with Office 365 to Cloud App Security:
    1. On the Cloud App Security console, go to Administration > Service Account.
      Tip
      You can open the Cloud App Security console from the Products/Services screen on the Customer Licensing Portal website (https://clp.trendmicro.com/).
    2. Click Add and select Exchange Online.
    3. Enable one of the following policies:
      • Default Exchange Policy ATP: Go to Advanced Threat Protection > Exchange Online Policies and set the policy status to ON.
      • Default Exchange Policy DLP: Go to Data Loss Prevention > Exchange Online Policies and set the policy status to ON.
      For more information about Cloud App Security, see the Cloud App Security Online Help at http://docs.trendmicro.com/en-us/enterprise/cloud-app-security.aspx.
  3. Generate an authentication token for the Cloud App Security Threat Investigation API:
    1. On the Cloud App Security console, go to Administration > Automation and Integration APIs.
    2. Click Add.
      The Add Authentication Token screen appears.
    3. Select the Email message check box for the Threat Investigation API type.
    4. Click Create Token.
      The generated authentication token appears on the Automation and Integration APIs screen.
  4. Configure cloud service settings on Apex Central:
    1. On the Apex Central console, go to Directories > Product Servers.
      The Product Servers screen appears.
    2. Click Cloud Service Settings.
      The Cloud Service Settings screen appears.
    3. Provide the following credentials:
      • Account: The user name used to activate the cloud service subscription on the Trend Micro Customer Licensing Portal (https://clp.trendmicro.com/)
      • Password: The password for the Customer Licensing Portal account
    4. Click OK.
      Apex Central registers your Customer Licensing Portal account and supported cloud services.
  5. Synchronize your Active Directory structure with Apex Central:
    1. On the Apex Central console, go to Administration > Settings > Active Directory and Compliance Settings.
    2. Click the Active Directory Settings tab.
    3. Select Enable Active Directory synchronization.
    4. Click Save.
    5. Download and run the Active Directory synchronization tool on the Active Directory server.
      WARNING
      Clicking Download the Active Directory synchronization tool will deactivate any previously downloaded Active Directory synchronization tools and stop synchronizing Active Directory servers configured using the deactivated tool.
      Important
      Ensure that .NET Framework 4.6.1 is installed on the Windows endpoint before executing the tool.
  6. Enable Endpoint Sensor on Apex One Security Agents:
    1. On the Apex Central console, go to Policies > Policy Management.
    2. Select Apex One Security Agent from the Product drop-down list.
    3. Click Create.
    4. Type a policy name.
    5. Specify targets.
    6. Expand Additional Service Settings.
    7. Select the following check boxes:
      • Windows desktop
      • Windows Server platforms
    8. Expand Endpoint Sensor Settings.
    9. Select Enable Endpoint Sensor.
    10. Click Deploy.
  7. Configure Microsoft™ Outlook (outlook.exe) as the email client on each Security Agent endpoint.