Trend Micro Vision One Plugin for Threat Exchange

This document explains how to configure the Trend Micro Vision One integration with the Cloud Threat Exchange module of the Netskope Cloud Exchange platform. This plugin supports sharing URLs, domains, SHA256 file hashes, and IP addresses identified by Trend Micro Vision One with Netskope. It also supports sharing URLs and SHA256 file hashes with Trend Micro Vision One.

Prerequisites

To complete this configuration, you need:

Trend Micro Vision One Plugin Support
Fetched indicator types: URL, IP, SHA256, Domain
Shared indicator types: URL, SHA256
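
The support table above lists only URL and SHA256 as shared types, so indicators of other types in a source configuration fall outside what this plugin shares to Trend Micro. The following Python sketch is an added example, not code from Netskope or Trend Micro; `classify`, `plan_share` and the type-detection heuristics are assumptions, and it only previews which indicators in a candidate list fall within the shared types.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# From the support table on this page: fetched = URL, IP, SHA256, Domain.
SHARED_TYPES = {"url", "sha256"}  # types shared to Trend Micro Vision One

SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")
DOMAIN_RE = re.compile(r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)

def classify(value):
    """Heuristic type detection (an assumption, not the plugin's own logic)."""
    v = value.strip()
    if SHA256_RE.fullmatch(v):
        return "sha256"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    try:
        parts = urlsplit(v)
    except ValueError:  # e.g. malformed IPv6 literal in the host part
        return "unknown"
    if parts.scheme in ("http", "https") and parts.netloc:
        return "url"
    return "domain" if DOMAIN_RE.fullmatch(v) else "unknown"

def plan_share(indicators):
    """Split indicators into those inside the shared types and the rest."""
    plan = {"share": [], "skip": []}
    for raw in indicators:
        kind = classify(raw)
        plan["share" if kind in SHARED_TYPES else "skip"].append((kind, raw.strip()))
    return plan

# Constructed sample values (reserved documentation names and ranges), not real IoCs.
SAMPLE = [
    "https://example.com/login.php",
    "example.org",
    "203.0.113.10",
    "a" * 64,
    "b" * 32,  # 32 hex chars: not a SHA256 hash
]

if __name__ == "__main__":
    for bucket, items in plan_share(SAMPLE).items():
        for kind, value in items:
            print(f"{bucket:5} {kind:7} {value}")
```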

Workflow

  1. Get your Trend Micro auth token.
  2. Configure the Trend Micro Plugin.
  3. Configure sharing for Netskope and Trend Micro.
  4. Validate the Trend Micro Plugin.

Get your Trend Micro Authentication Token

  1. Go to https://tm.login.trendmicro.com/ and log in with your credentials. This site is for the America region; use the one for your region.
  2. Go to Administration > User Accounts.
  3. Click the account name that you use for API access. Note that a simple Analyst role has permission for these operations, so there’s no need for a Master Admin Account. You can also create a custom role that has these permissions:

    Suspicious Object Management

    • View, filter, and search
    • Manage lists and configure settings
  4. Verify that the Access level is set to Trend Micro Vision One console and API.
  5. Click Generate new authentication token.
  6. Copy and save the generated Authentication Token because it will be displayed only once.
  7. Click Save.

Configure the Trend Micro Plugin

  1. In Cloud Exchange, go to Settings and click Plugins.
  2. Search for and select the Trend Micro Plugin box to open the plugin creation pages.
  3. Enter and select the Basic Information on the first page:
    • Configuration Name: Enter a name appropriate for your integration.
    • Sync Interval: Adjust to environment needs. We recommend not to go below 5 minutes for production environments.
    • Aging Criteria: Expiration Date for indicators.
    • Override Reputation: Leave Default.
    • Enable SSL verification: Enable if SSL verification is required for communication.
    • Use System Proxy: Enable if proxy is required for communication.
  4. Click Next.
  5. Enter and select these Configuration Parameters:
    • Data Region: Select a Region for your Trend Micro Account.
    • Authentication Token: Enter your Trend Micro Authentication Token obtained previously.
    • Enable Polling: Enable to start pulling data.
    • Initial Range (in days): Enter an Initial range to fetch indicators.
  6. Click Save.

Configuring Threat Exchange Sharing for Trend Micro

Add to Suspicious Object List

Add to Suspicious Object List will share indicators to Trend Micro’s Suspicious Object List.

  1. Create a Business Rule.
  2. Go to Threat Exchange > Sharing.
  3. Click Add Sharing Configuration.
  4. From the Source Configuration dropdown, select a source plugin configuration.
  5. From the Business Rule dropdown, select a Business Rule.
  6. From the Destination Configuration dropdown, select Trend Micro.
  7. From the Target dropdown, select Add to Suspicious Object List.
  8. Add a Description.
  9. Click Save.
  10. Click Sync.
  11. Add a Time Period and click Fetch. The number of IoCs will be shared when you click Sync.
  12. Click Save.

Add to Suspicious Object Exception List

Add to Suspicious Object Exception List will share indicators to Trend Micro’s Suspicious Object Exception List.

  1. Create a Business Rule.
  2. Go to Threat Exchange > Sharing.
  3. Click Add Sharing Configuration.
  4. From the Source Configuration dropdown, select the source plugin configuration.
  5. From the Business Rule dropdown, select a Business Rule.
  6. From the Destination Configuration dropdown, select Trend Micro.
  7. From the Target dropdown, select Add to Suspicious Object Exception List.
  8. Add a Description.
  9. Click Save.
  10. Click Sync.
  11. Add a Time Period and click Fetch. The number of IoCs will be shared when you click Sync.
  12. Click Save.

Validate the Trend Micro Plugin

Pulling of Indicators

In Threat Exchange, select Threat IoCs.

Sharing of Indicators

  1. Log in to the Trend Micro Vision One console.
  2. Go to Threat Intelligence > Suspicious Object Management.
  3. Select the Suspicious Object List or Suspicious Object Exception List tab on top.
  4. If data is not being fetched from the platform, you can look at the logs in Cloud Exchange. In Cloud Exchange select Logging. Look through the logs for errors.