Security event forwarding via TrendAI Vision One Endpoint Security agent

Views:

Enable sharing security event information from an on-premises Active Directory server with TrendAI Vision One™.

Configuring security event forwarding enhances visibility into identity-related risks by allowing Active Directory to share the following security event information with TrendAI Vision One™:

Object access events
Logon/logoff events
System events
Account management events

This function is now achieved using the TrendAI Vision One™ Endpoint Security agent with the Identity Security Sensor - Active Directory enabled, replacing the previous requirements to install a separate Active Directory Connector.

The TrendAI Vision One™ Endpoint Security agent replaces the standalone Active Directory Connector for forwarding security events only. It does not replace the Active Directory (on-premises) integration or the Service Gateway connection used for data synchronization and user access control. Enabling the integration and configuring data synchronization remain required, because these handle separate functions, such as object synchronization and response actions (for example, disabling user accounts and forcing password resets).

Important

The Active Directory Connector is no longer supported as of May 1, 2026. To prevent duplicate security events and future interruptions, TrendAI™ recommends uninstalling the Active Directory Connector (if installed), and installing the TrendAI Vision One™ Endpoint Security agent with the Identity Security Sensor - Active Directory enabled instead.

Procedure

Go to Workflow and Automation → Third-Party Integrations.
Locate and click the Active Directory (on-premises) card.
Ensure that the toggle at the top is set to Enable Active Directory integration.

This toggle enables the overall Active Directory (on-premises) integration and is required for all integration functions, including security event forwarding. It is separate from the Identity Security Sensor - Active Directory setting that you enable later in the endpoint security policy.
Perform steps described in Configure data synchronization and user access control.

Data synchronization and user access control connects your Active Directory servers through a Service Gateway. This is a separate function from security event forwarding: the Service Gateway handles object synchronization and response actions, while the TrendAI Vision One™ Endpoint Security agent forwards security events. Configuring it is required to complete the integration.

Go to Endpoint Security → Endpoint Inventory, and click Agent Installer to deploy the TrendAI Vision One™ Endpoint Security agent.

Ensure that you install the correct agent package on all Active Directory servers in your network.

The following agent types support the Identity Security Sensor - Active Directory at the specified minimum versions:

Agent type	Minimum version (Windows)
Standard Endpoint Protection	14.0.0.20372 or later
Server & Workload Protection	20.0.2-26670 or later
Endpoint Sensor	1.2.0.6967 or later

For detailed deployment instructions, see Manage your agent deployments.

Configure an endpoint security policy and enable Identity Security Sensor - Active Directory in the policy settings:
1. Go to Endpoint Security → Endpoint Security Configuration → Endpoint Security Policies → Policies.
2. Click Create policy.
  
  The Create policy window appears.
3. Specify the Policy name.
  
  TrendAI™ recommends using a name that is easy to search and identify the purpose of the policy.
4. From the Identity Security Sensor list, select Enable.
5. Click Save or Save and exit.
Follow steps described in Assign the policy.

Monitor the agent deployment status and verify that agents are functioning correctly.

If you have previously deployed the Active Directory Connector, you can still view the Active Directory Connector deployments in Third-Party Integrations → Active Directory (on-premises).

Action	Steps
View agents with the Identity Security Sensor - Active Directory enabled	Go to Endpoint Security → Endpoint Inventory. Click Add filters (). Select the filter Endpoint security policy setting. From the security module list, search and set Identity Security Sensor - Active Directory to Enabled.
View agents properly forwarding security events to TrendAI Vision One™	Go to Endpoint Security → Endpoint Inventory. Click Add filters (). Select the filter Identity Security Sensor - Active Directory.