Trend Vision One Plugin for Threat Exchange
This document explains how to configure the Trend Vision One plugin with the Cloud Threat Exchange module of the Netskope Cloud Exchange platform. This plugin supports pulling and sharing of URLs, domains, SHA256 file hashes, and IP addresses to Netskope that have been identified by Trend Micro Vision One.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A Netskope Secure Web Gateway subscription for URL sharing.
- A Threat Protection subscription for malicious file hash sharing.
- A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
- A Trend Vision One Authentication token.
- Access to a Trend Vision One portal:
- Australia (https://portal.au.xdr.trendmicro.com/)
- European Union (https://portal.eu.xdr.trendmicro.com/)
- India (https://portal.in.xdr.trendmicro.com/)
- Japan (https://portal.xdr.trendmicro.co.jp/)
- Singapore (https://portal.sg.xdr.trendmicro.com/)
- United States (https://portal.xdr.trendmicro.com/)
- Connectivity to the following host: https://api.xdr.trendmicro.com.
CE Version Compatibility
Netskope CE versions 4.2.0 and 5.0.0
Trend Micro Vision One Plugin Support
This plugin supports pulling data from the Suspicious Object List under Suspicious Object Management from the Trend Vision One platform. This plugin also supports sharing of IoCs to the Suspicious Object List and Exception List.
| Direction | Indicator types |
|---|---|
| Fetched indicator types | URL, IPv4, IPv6, SHA256, Domain |
| Shared indicator types | URL, IPv4, IPv6, SHA256, Domain |
Mappings
Type Mapping
| CE IoC Types | Trend Vision One IoC Types |
|---|---|
| URL | Domain, URLs, IPv4, IPv6 |
| SHA256 | File SHA-256 |
Severity Mapping
| CE Severity Fields | Trend Vision One Severity Fields |
|---|---|
| unknown | high |
| low | low |
| medium | medium |
| high | high |
| critical | high |
Pull Mapping
| Netskope CE Fields | Trend Vision One Fields |
|---|---|
| value | indicator_value |
| type | type |
| comments | description |
| LastSeen | lastModifiedDateTime |
| severity | risklevel |
Push Mapping
| Netskope CE Fields | Trend Vision One Fields |
|---|---|
| value | indicator_value |
| description | description |
| severity | risklevel |
Permissions
Below are the permissions needed for the plugin.
Threat Intelligence > Suspicious Object Management.
| Permission | Required |
|---|---|
| View, filter, search | Yes |
| Manage lists and configure settings | Yes |
API Details
List of APIs used
| API Endpoint | Method | Use Case |
|---|---|---|
| /v3.0/threatintel/suspiciousObjects | GET | To pull indicators. |
| /v3.0/threatintel/suspiciousObjects | POST | To push indicators to the Suspicious Object List. |
| /v3.0/threatintel/suspiciousObjectExceptions | POST | To push indicators to the Exception List. |
Pull Indicators
API Endpoint:
/v3.0/threatintel/suspiciousObjects
Method: GET
Parameters:
| Key | Value |
|---|---|
| orderBy | string |
| startDateTime | string <date-time> |
| endDateTime | string <date-time> |
| top | integer |
Headers:
| Key | Value |
|---|---|
| Authorization | Bearer <Authentication Token> |
| User-Agent | <USER AGENT> |
| Content-Type | application/json |
| Accept | application/json |
API Request Endpoint:
https://api.in.xdr.trendmicro.com/v3.0/threatintel/suspiciousObjects
Sample Response:
```json
{
  "items": [
    {
      "url": "https://*.example.com/path1/*",
      "type": "url",
      "description": "object description",
      "lastModifiedDateTime": "2019-03-15T07:44:27Z"
    }
  ],
  "nextLink": "https://api.xdr.trendmicro.com/v3.0/xdr/threatintel/suspiciousObjects?top=50&skipToken=eyJpZCI6IjI1MGQxMmE3ZDQyMmVhM"
}
```
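The pull described above is a paged GET: the client sends the documented headers and query parameters, reads `items`, and keeps following `nextLink` until a page has none. The following Python is an added example written for this page, not the plugin's own code. It applies the Pull Mapping and the reverse of the Severity Mapping, drops objects whose description shows they were pushed from CE (the page notes these are never pulled back), and guards against a server that keeps returning the same `nextLink`. The `domain`, `ip` and `fileSha256` type names are assumptions (only `url` appears in the page's sample), and the sample pages and token are constructed; `offline_fetch` stands in for the network call so the block runs offline.

```python
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode

# Pull direction of the page's severity table (Trend Vision One risklevel -> CE severity).
RISKLEVEL_TO_CE_SEVERITY = {"low": "low", "medium": "medium", "high": "high"}

# Type mapping from the page: Domain, URLs, IPv4 and IPv6 land in CE as "url", File SHA-256
# as "sha256". Only "url" appears in the page's sample response; "domain", "ip" and
# "fileSha256" are ASSUMED type names and may differ from the real API.
TV1_TYPE_TO_CE_TYPE = {"url": "url", "domain": "url", "ip": "url", "fileSha256": "sha256"}

# Objects that CE itself pushed carry this default description and are not pulled back.
CE_PUSHED_DESCRIPTION_PREFIX = "Created from Netskope CTE"


def build_headers(token: str, user_agent: str) -> Dict[str, str]:
    """Headers listed in the page's Pull Indicators table."""
    return {"Authorization": f"Bearer {token}", "User-Agent": user_agent,
            "Content-Type": "application/json", "Accept": "application/json"}


def http_get_json(url: str, headers: Dict[str, str]) -> dict:
    """Network fetcher; offline_fetch below replaces it when testing."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode("utf-8"))


def to_ce_indicator(item: dict) -> Optional[dict]:
    """Apply the page's pull mapping to one suspicious object; None means skip it."""
    tv1_type = item.get("type", "")
    ce_type = TV1_TYPE_TO_CE_TYPE.get(tv1_type)
    if ce_type is None:
        return None
    # The mapping table names indicator_value, but the sample response keys the value by
    # its type ("url": ...); accept either (assumption).
    value = item.get("indicator_value") or item.get(tv1_type)
    if not value:
        return None
    description = item.get("description", "")
    if description.startswith(CE_PUSHED_DESCRIPTION_PREFIX):
        return None  # loop prevention: do not re-import what CE shared out
    return {"value": value, "type": ce_type, "comments": description,
            "lastSeen": item.get("lastModifiedDateTime"),
            "severity": RISKLEVEL_TO_CE_SEVERITY.get(str(item.get("risklevel", "")).lower(), "unknown")}


def pull_suspicious_objects(base_url: str, token: str, user_agent: str, start_dt: str, end_dt: str,
                            top: int = 50,
                            fetch: Callable[[str, Dict[str, str]], dict] = http_get_json) -> Tuple[List[dict], int]:
    """GET /v3.0/threatintel/suspiciousObjects and follow nextLink until it is absent.
    Returns (CE indicators, number of pages fetched)."""
    query = urlencode({"startDateTime": start_dt, "endDateTime": end_dt, "top": top})
    url = f"{base_url}/v3.0/threatintel/suspiciousObjects?{query}"
    headers = build_headers(token, user_agent)
    indicators, pages, seen = [], 0, set()
    while url:
        if url in seen:
            raise RuntimeError("nextLink loop: server returned a page already fetched")
        seen.add(url)
        page = fetch(url, headers)
        pages += 1
        for item in page.get("items", []):
            mapped = to_ce_indicator(item)
            if mapped is not None:
                indicators.append(mapped)
        url = page.get("nextLink")  # absent on the last page
    return indicators, pages


# Constructed sample pages shaped like the page's sample response (not real API output).
SAMPLE_PAGES = {
    "first": {"items": [
        {"url": "https://*.example.com/path1/*", "type": "url", "description": "object description",
         "lastModifiedDateTime": "2019-03-15T07:44:27Z", "risklevel": "high"},
        {"url": "https://cte.example.net/shared", "type": "url", "description": "Created from Netskope CTE",
         "lastModifiedDateTime": "2019-03-16T09:00:00Z", "risklevel": "low"}],
        "nextLink": "https://api.xdr.trendmicro.com/v3.0/threatintel/suspiciousObjects?top=2&skipToken=PLACEHOLDER"},
    "second": {"items": [
        {"fileSha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "type": "fileSha256",
         "description": "constructed hash", "lastModifiedDateTime": "2019-03-17T12:00:00Z", "risklevel": "medium"}]},
}


def offline_fetch(url: str, headers: Dict[str, str]) -> dict:
    """Stand-in for http_get_json that serves the constructed pages without network access."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    return SAMPLE_PAGES["second"] if "skipToken=" in url else SAMPLE_PAGES["first"]


if __name__ == "__main__":
    found, n_pages = pull_suspicious_objects("https://api.xdr.trendmicro.com", "TOKEN-PLACEHOLDER",
                                             "netskope-ce-5.0.0-cte-trend-vision-one-v1.0.2",
                                             "2019-03-01T00:00:00Z", "2019-03-31T00:00:00Z", top=2, fetch=offline_fetch)
    print(f"{len(found)} indicators over {n_pages} pages:", found)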
Push Indicators
API Endpoints:
- /v3.0/threatintel/suspiciousObjects
- /v3.0/threatintel/suspiciousObjectExceptions
Method: POST
Request Body:
```json
[
  {
    "url": "https://*.example.com/path1/*",
    "description": "object description"
  }
]
```
Headers:
| Key | Value |
|---|---|
| Authorization | Bearer <Authentication Token> |
| User-Agent | <USER AGENT> |
| Content-Type | application/json |
| Accept | application/json |
API Request Endpoints:
- https://api.in.xdr.trendmicro.com/v3.0/threatintel/suspiciousObjects
- https://api.in.xdr.trendmicro.com/v3.0/threatintel/suspiciousObjectExceptions
Sample Response:
HTTP 207 (Multi-Status), with one status object per submitted indicator:
```json
[
  {
    "status": 201
  }
]
```
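Because the push answers with a 207 body that carries one status per submitted object, a client has to keep its batch order and read the per-item results rather than trusting the top-level status. The following Python is an added example written for this page, not the plugin's own code. It applies the Push Mapping and Severity Mapping tables, supplies the default description the page says CE adds, refuses a domain containing multiple "/" before it reaches the API (the page's troubleshooting note) and a malformed SHA-256, batches the POST, and sorts each indicator into created, failed or skipped from the 207 body. The `ip`, `domain` and `fileSha256` body keys and the `risklevel` key spelling are assumptions (the page's sample body shows only `url` and `description`); the indicators and the rejecting stand-in `offline_post` are constructed so the block runs offline.

```python
import ipaddress
import json
import urllib.request
from typing import Callable, Dict, List, Tuple

# Severity Mapping table from the page (CE severity -> Trend Vision One risklevel).
CE_SEVERITY_TO_RISKLEVEL = {"unknown": "high", "low": "low", "medium": "medium",
                            "high": "high", "critical": "high"}
TARGET_PATHS = {"suspicious_object_list": "/v3.0/threatintel/suspiciousObjects",
                "exception_list": "/v3.0/threatintel/suspiciousObjectExceptions"}
DEFAULT_DESCRIPTION = "Created from Netskope CTE"  # default description the page says CE adds
HEX = set("0123456789abcdefABCDEF")


def to_tv1_object(ind: dict) -> Tuple[dict, str]:
    """Apply the page's push mapping to one CE indicator.
    Returns (request-body entry, "") or ({}, reason) when it cannot be shared."""
    value, ce_type = ind["value"].strip(), ind["type"]
    if ce_type == "sha256":
        if len(value) != 64 or any(c not in HEX for c in value):
            return {}, "not a SHA-256 hex digest"
        key = "fileSha256"  # ASSUMED key name for File SHA-256 objects
    elif ce_type == "url":
        if "://" in value:
            key = "url"  # the only key the page's sample body shows
        else:
            try:
                ipaddress.ip_address(value)
                key = "ip"  # ASSUMED key name for IPv4/IPv6 objects
            except ValueError:
                if value.count("/") > 1:
                    return {}, "domain with multiple '/' is not accepted by the platform"
                key = "domain"  # ASSUMED key name for domain objects
    else:
        return {}, f"unsupported CE type: {ce_type}"
    return {key: value,
            "description": ind.get("description") or DEFAULT_DESCRIPTION,
            "risklevel": CE_SEVERITY_TO_RISKLEVEL.get(ind.get("severity", "unknown"), "high")}, ""


def http_post_json(url: str, headers: Dict[str, str], body: list) -> Tuple[int, list]:
    """Network POST returning (HTTP status, decoded JSON list); offline_post replaces it in tests."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


def push_indicators(base_url: str, token: str, user_agent: str, indicators: List[dict],
                    target: str = "suspicious_object_list", batch_size: int = 50,
                    post: Callable = http_post_json) -> Dict[str, list]:
    """POST indicators in batches and read the per-item statuses from the 207 body,
    which is a list aligned index-by-index with the request list (as in the page's sample)."""
    headers = {"Authorization": f"Bearer {token}", "User-Agent": user_agent,
               "Content-Type": "application/json", "Accept": "application/json"}
    url = base_url + TARGET_PATHS[target]
    report: Dict[str, list] = {"created": [], "failed": [], "skipped": []}
    prepared = []
    for ind in indicators:
        entry, reason = to_tv1_object(ind)
        if reason:
            report["skipped"].append((ind["value"], reason))  # never sent to the API
        else:
            prepared.append((ind["value"], entry))
    for start in range(0, len(prepared), batch_size):
        batch = prepared[start:start + batch_size]
        status, results = post(url, headers, [entry for _, entry in batch])
        if status not in (200, 207) or len(results) != len(batch):
            raise RuntimeError(f"unexpected response: HTTP {status}, {len(results)} results for {len(batch)} items")
        for (value, _), result in zip(batch, results):
            bucket = "created" if result.get("status") in (200, 201) else "failed"
            report[bucket].append((value, result.get("status")))
    return report


# Offline stand-in for http_post_json: answers 207 with 201 per item, except for one constructed
# value it rejects with 400 so the failure path is exercised. POST_LOG records each request body.
POST_LOG: List[list] = []
CONSTRUCTED_REJECTED_VALUE = "198.51.100.7"


def offline_post(url: str, headers: Dict[str, str], body: list) -> Tuple[int, list]:
    POST_LOG.append(body)
    return 207, [{"status": 400 if e.get("ip") == CONSTRUCTED_REJECTED_VALUE else 201} for e in body]


# Constructed CE indicators (not real data); the fourth and sixth are deliberately unshareable.
SAMPLE_INDICATORS = [
    {"value": "https://*.example.com/path1/*", "type": "url", "description": "object description", "severity": "critical"},
    {"value": "malicious.example.net", "type": "url", "severity": "unknown"},
    {"value": "198.51.100.7", "type": "url", "severity": "low"},
    {"value": "bad.example.org/a/b", "type": "url", "severity": "high"},
    {"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "type": "sha256", "severity": "medium"},
    {"value": "not-a-hash", "type": "sha256", "severity": "medium"},
]

if __name__ == "__main__":
    report = push_indicators("https://api.xdr.trendmicro.com", "TOKEN-PLACEHOLDER",
                             "netskope-ce-5.0.0-cte-trend-vision-one-v1.0.2", SAMPLE_INDICATORS,
                             batch_size=2, post=offline_post)
    for bucket, rows in report.items():
        print(bucket, rows)
```

The skipped bucket is the one to watch in CE logging: those indicators were filtered client-side and never produced an API error, which is exactly the silent case the troubleshooting section below describes for domains with multiple "/".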
Performance Matrix
These readings were taken on a Large CE stack with the specs below, pulling and pushing 100K IoCs.
| Metric | Value |
|---|---|
| Stack details | Size: Large, RAM: 32 GB, CPU: 16 Cores |
| Indicators fetched from Trend Vision One | ~20K per minute |
| Indicators shared with Trend Vision One | ~12K per minute |
User Agent
netskope-ce-5.0.0-cte-trend-vision-one-v1.0.2
Workflow
- Create User Roles.
- Get your Authentication Token.
- Configure the Trend Vision One plugin.
- Configure a business rule for Trend Vision One.
- Configure sharing for Netskope and Trend Vision One.
- Validate the Trend Vision One plugin.
Get your Trend Vision One Authentication Token
Create User Roles
In order to generate the API Key, you need to create a user role. Follow these steps to configure the User Role on Trend Vision One.
- Login to your Trend Vision One platform and go to Administration > User Roles.
- Click Add Role and provide a Role name, and then go to the Permissions tab.
- Scroll down to Threat Intelligence > Suspicious Object Management and select these permissions.
  - View, filter and search
  - Manage lists and configure settings
- Click Submit and your Role will be saved and used for generating the API Key.
Generate an API Key
- In Trend Vision One, go to Administration > API Keys.
- Click Add API Keys.
- Add a Name, select the previously created role, and select an expiration time.
- Click Add. Copy and save the key now; it is shown only once, and you will need it to configure the plugin.
Configure the Trend Vision One Plugin
- In Cloud Exchange, go to Settings and click Plugins.
- Search for and select the Trend Micro Plugin box to open the plugin creation pages.
- Enter and select the Basic Information on the first page:
- Configuration Name: Enter a name appropriate for your integration.
- Sync Interval: Adjust to environment needs. We recommend not to go below 5 minutes for production environments.
- Aging Criteria: Expiration Date for indicators.
- Override Reputation: Set a value to override the reputation of indicators received from this configuration.
- Enable SSL verification: Enable if SSL verification is required for communication.
- Use System Proxy: Enable if a proxy is required for communication.
- Click Next.
- Enter and select these Configuration Parameters:
- Data Region: Select the Region for your Trend Vision One account.
- Authentication Token: Enter the Trend Vision One Authentication Token obtained previously.
- Enable Polling: Enable to start pulling data.
- Initial Range (in days): Enter the initial range (in days) for fetching indicators.
- Click Save.
Configure a Threat Exchange Business Rule for Trend Vision One
To share indicators fetched from Trend Vision One to Netskope, and vice versa, you need a business rule that filters the indicators you want to share. To configure a business rule, follow these steps:
- In Threat Exchange, go to Business Rules and click Create New Rule.
- Add the filter according to your requirement in the rule.
Configure Threat Exchange Sharing for Trend Vision One
To share IoCs from the Netskope CE to the Trend Vision One platform or vice versa, follow these steps:
- In Threat Exchange, go to Sharing. Click Add Sharing Configuration.
- Select your Source Configuration (Netskope CTE), the Business Rule, Destination Configuration (Trend Vision One), and Target (Suspicious Object List).
- Click Save.
- Add another Sharing configuration, but select Trend Vision One as the Source Configuration, and Netskope CTE as the Destination Configuration, plus the Business Rule and desired Target (like URL List or File Hash List). When finished, click Save.
Validate the Trend Vision One Plugin
Validate the Pull
To verify the data pulled from the Trend Vision One platform, follow these steps.
- Go to Logging and filter the pull logs from the Trend Vision One plugin.
- Data from Trend Vision One is pulled from the Threat Intelligence > Suspicious Object Management > Suspicious Object List.
Validate the Push
Indicators pushed from CE can be checked in Logging. Use the search filter to find the IoCs pushed to the Trend Vision One platform.
Pushed data on Trend Vision One will be listed on either the Suspicious Object list or Exception list page from Suspicious Object Management under Threat Intelligence, depending on the target page selected while configuring the sharing.
The pushed IoCs on Trend Vision One can be identified by the default description added from CE, like Created from Netskope CTE.
Troubleshooting
Indicators are not pulled from the Trend Vision One platform
After the plugin configuration, if the IoCs are not pulled from the platform, it might be due to one of the following.
- IoCs are not available on the platform to pull
- IoCs are not available for the given time range
- Available IoCs are pushed from CE
- Unable to push IoCs to Trend Vision One
What to do: Identify your root cause from the list above and follow these steps to resolve the issue.
No IoCs are available on the platform to pull
Check if the IoCs are available on the platform to pull. If available, check the resolution for the next point.
IoCs are not available for the given time range
If the IoCs are available on the platform to pull, but the plugin has not pulled the IoCs in CE, check the number of days mentioned in the initial range parameter of the plugin configuration. On the Trend Vision One platform, check if you have data for the given time range.
Available IoCs are pushed from CE
If the IoCs are available on the platform and yet are not pulled, check the description of the IoCs. IoCs that were shared from CE carry a default description, like Created from Netskope CTE, and those IoCs are not pulled back into CE.
Unable to push IoCs to Trend Vision One
If you are not able to push the IoCs to the platform and receive an error while pushing, it might be due to either:
- Insufficient permissions for the API Key (Authentication token)
- The platform has reached its limit for IoCs
What to do: Identify the reason the IoCs are not being pushed. Check that the user role has sufficient permissions. If the permissions are sufficient and the IoCs are still not pushed, check the count of each type of IoC that you are trying to push to Trend Vision One to see whether the limit for that IoC type has been exceeded.
If a domain that you are trying to share contains multiple "/" characters, it will not be shared to the Trend Vision One platform, because the platform does not consider a domain with multiple "/" characters a valid domain.
Limitation
In testing, only 10K IoCs of each type could be pushed to the Trend Vision One Suspicious Object List page, and only around 300 IoCs in total to the Exception List page.