Enabling Correlation Events for Threat Investigations

Threat Investigations can correlate information from Endpoint Sensor, Cloud App Security, and Active Directory to display attack information about an endpoint, user account, and possible email attack vectors throughout your network.

Important:

  • You must properly configure Cloud App Security and Apex Central before being able to correlate email message information.

  • Apex Central only supports email correlation in Cloud App Security for Threat Investigations.

    For more information, see Cloud Service Integration.

  • Email correlation in Cloud App Security requires the following:

    • Additional licensing for Trend Micro Cloud App Security on your Customer Licensing Portal account.

    • Additional licensing for Apex One™ as a Service: Endpoint Sensor on your Customer Licensing Portal account.

  1. Ensure your Customer Licensing Portal account (https://clp.trendmicro.com/) includes Trend Micro Cloud App Security.

    • If your Customer Licensing Portal account already includes Cloud App Security, proceed to the following step.

    • If you do not have a valid Activation Code for Cloud App Security, contact your sales representative.

  2. Add Microsoft™ Exchange Online with Office 365 to Cloud App Security:
    1. On the Cloud App Security console, go to Administration > Service Account.
      Tip:

      You can open the Cloud App Security console from the Products/Services screen on the Customer Licensing Portal website (https://clp.trendmicro.com/).

    2. Click Add and select Exchange Online.
    3. Enable one of the following policies:

      • Default Exchange Policy ATP: Go to Advanced Threat Protection > Exchange Online Policies and set the policy status to ON.

      • Default Exchange Policy DLP: Go to Data Loss Prevention > Exchange Online Policies and set the policy status to ON.

      For more information about Cloud App Security, see the Cloud App Security Online Help at http://docs.trendmicro.com/en-us/enterprise/cloud-app-security.aspx.

  3. Generate an authentication token for the Cloud App Security Threat Investigation API:
    1. On the Cloud App Security console, go to Administration > Automation and Integration APIs.
    2. Click Add.

      The Add Authentication Token screen appears.

    3. Select the Email message check box for the Threat Investigation API type.
    4. Click Create Token.

      The generated authentication token appears on the Automation and Integration APIs screen.

  4. Configure cloud service settings on Apex Central:

    1. On the Apex Central console, go to Directories > Product Servers.

      The Product Servers screen appears.

    2. Click Cloud Service Settings.

      The Cloud Service Settings screen appears.

    3. Provide the following credentials:

      • Account: The user name used to activate the cloud service subscription on the Trend Micro Customer Licensing Portal (https://clp.trendmicro.com/)

      • Password: The password for the Customer Licensing Portal account

    4. Click OK.

      Apex Central registers your Customer Licensing Portal account and supported cloud services.

  5. Synchronize your Active Directory structure with Apex Central:
    1. On the Apex Central console, go to Administration > Settings > Active Directory and Compliance Settings.
    2. Click the Active Directory Settings tab.
    3. Select Enable Active Directory synchronization.
    4. Click Save.
    5. Download and run the Active Directory synchronization tool on the Active Directory server.
      Warning:

      Clicking Download the Active Directory synchronization tool will deactivate any previously downloaded Active Directory synchronization tools and stop synchronizing Active Directory servers configured using the deactivated tool.

      Important:

      Ensure that .NET Framework 4.6.1 is installed on the Windows endpoint before executing the tool.

      For more information, see Configuring Active Directory Synchronization.

  6. Enable Endpoint Sensor on Apex One Security Agents:
    1. On the Apex Central console, go to Policies > Policy Management.
    2. Select Apex One Security Agent from the Product drop-down list.
    3. Click Create.
    4. Type a policy name.
    5. Specify targets.
    6. Expand Additional Service Settings.
    7. Select the following check boxes:

      • Windows desktop

      • Windows Server platforms

    8. Expand Endpoint Sensor Settings.
    9. Select Enable Endpoint Sensor.
    10. Click Deploy.
  7. Configure Microsoft™ Outlook (outlook.exe) as the email client on each Security Agent endpoint.
Parent topic: Cloud Service Integration