Trend Micro Vision One integration

You can integrate Trend Micro Vision One with Sophos Central so that it sends data to Sophos for analysis.

This page gives you an overview of the integration.

Trend Micro Vision One product overview

Trend Micro Vision One is a cloud-based security operations platform that combines attack surface management (ASM) and extended detection and response (XDR) in a single console to manage cyber risk across cloud, hybrid, and on-premises environments. It offers risk insights and earlier threat detection, and integrates with an extensive protection platform and global threat intelligence to provide a comprehensive asset inventory and risk assessment, resulting in precise and efficient threat management.

Sophos documents

Integrate Trend Micro Vision One

What we ingest

Sample alerts seen by Sophos:

  • A command using net.exe or sc.exe has been executed to stop a service.
  • Attempts to monitor or capture transmitted data were detected on the network.
  • A hacking tool, which is generally used for cracking computer and network security or by system administrators to test security, was detected and blocked on an endpoint.
  • A suspicious file with double extensions was created.
  • An account attempted to upload a file containing a malicious URL and triggered file quarantine, which may indicate lateral movement after account compromise.

Alerts ingested in full

We ingest alerts from two Vision One API endpoints:

  • Workbench: "api/v3.0/workbench/alerts"
  • Observed attack techniques: "api/v3.0/oat/detections"

Filtering

We filter the results to confirm the format only. We do not drop any alerts.

Sample threat mappings

{"alertType": "A Windows System Utility was executed to start a service.", "threatId": "TA0002", "threatName": "Execution"}
{"alertType": "A non browser application is connecting to a legitimate cloud provider, potentially using them as CnC.", "threatId": "TA0011", "threatName": "Command and Control"}
{"alertType": "A website that attempts to defraud a person or group after first gaining their confidence, used in the classical sense of trust was detected and blocked.", "threatId": "T1566", "threatName": "Phishing"}
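The ingestion, filtering, and threat-mapping steps described above, as an added example that is not Sophos's or Trend Micro's code: alerts from the two endpoints are tagged with their source and the mapping row for their alert type, and a record that fails the format check is flagged rather than dropped. The raw record key "alertType" is an assumption; the endpoint paths and mapping rows are the ones given on this page, and the sample input is constructed.

```python
# Endpoint paths and mapping rows are the ones given on this page; the raw
# record key 'alertType' is an assumption of this example.
ENDPOINTS = {"api/v3.0/workbench/alerts": "workbench",
             "api/v3.0/oat/detections": "oat"}

THREAT_MAP = {
    "A Windows System Utility was executed to start a service.":
        ("TA0002", "Execution"),
    "A non browser application is connecting to a legitimate cloud provider, "
    "potentially using them as CnC.": ("TA0011", "Command and Control"),
    "A website that attempts to defraud a person or group after first gaining "
    "their confidence, used in the classical sense of trust was detected and blocked.":
        ("T1566", "Phishing"),
}

def attack_level(threat_id):
    """MITRE ATT&CK IDs: 'TA0002' is a tactic, 'T1566' a technique."""
    return "tactic" if threat_id.startswith("TA") else "technique"

def check_format(record):
    """Format check only: a dict carrying a string 'alertType' (assumed key)."""
    return isinstance(record, dict) and isinstance(record.get("alertType"), str)

def normalise(endpoint, record):
    """Tag one raw record with its source endpoint and threat mapping.
    Malformed records are flagged, never dropped, as the page's filtering rule says."""
    out = {"source": ENDPOINTS[endpoint], "format_ok": check_format(record), "raw": record}
    if out["format_ok"]:
        threat_id, threat_name = THREAT_MAP.get(record["alertType"], (None, None))
        out.update(alertType=record["alertType"], threatId=threat_id, threatName=threat_name,
                   level=attack_level(threat_id) if threat_id else None)
    return out

def ingest(batches):
    """batches: {endpoint path: [raw records]} -> normalised list, every record kept."""
    return [normalise(ep, rec) for ep, recs in batches.items() for rec in recs]

# Constructed sample input, not real Vision One output.
SAMPLE = {
    "api/v3.0/workbench/alerts": [
        {"alertType": "A Windows System Utility was executed to start a service."},
        {"alertType": "An alert type with no mapping row yet."}],
    "api/v3.0/oat/detections": [
        {"alertType": "A non browser application is connecting to a legitimate cloud "
                      "provider, potentially using them as CnC."},
        {"detail": "no alertType field"}],  # malformed: kept and flagged
}
```

An alert type with no mapping row keeps `threatId` and `threatName` as `None`, so unmapped and malformed records can be told apart downstream.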

Vendor documentation

Get workbench alerts list