Trend Vision One Plugin for Threat Exchange

This document explains how to configure the Trend Vision One plugin with the Cloud Threat Exchange module of the Netskope Cloud Exchange platform. This plugin supports pulling URLs, domains, SHA256 file hashes, and IP addresses identified by Trend Micro Vision One into Netskope, and sharing such indicators from Netskope to Trend Vision One.

Prerequisites

To complete this configuration, you need:

CE Version Compatibility

Netskope CE version 4.2.0, 5.0.0

Trend Micro Vision One Plugin Support

This plugin supports pulling data from the Suspicious Object List under Suspicious Object Management from the Trend Vision One platform. This plugin also supports sharing of IoCs to the Suspicious Object List and Exception List.

Fetched indicator types    URL, IPv4, IPv6, SHA256, Domain
Shared indicator types     URL, IPv4, IPv6, SHA256, Domain

Mappings

Type Mapping

CE IoC Types    Trend Vision One IoC Types
URL             Domain, URLs, IPv4, IPv6
SHA256          File SHA-256

Severity Mapping

CE Severity Fields    Trend Vision One Severity Fields
unknown               high
low                   low
medium                medium
high                  high
critical              high

Pull Mapping

Netskope CE Fields    Trend Vision One Fields
value                 indicator_value
type                  type
comments              description
LastSeen              lastModifiedDateTime
severity              risklevel

Push Mapping

Netskope CE Fields    Trend Vision One Fields
value                 indicator_value
description           description
severity              risklevel
Permissions

Below are the permissions needed for the plugin.

Threat Intelligence > Suspicious Object Management.

View, filter, search                   Yes
Manage lists and configure settings    Yes

API Details

List of APIs used

API Endpoint                                    Method    Use Case
/v3.0/threatintel/suspiciousObjects             GET       To pull indicators.
/v3.0/threatintel/suspiciousObjects             POST      To push indicators to Suspicious Object List
/v3.0/threatintel/suspiciousObjectExceptions    POST      To push indicators to Exception List
Pull Indicators

API Endpoint:

/v3.0/threatintel/suspiciousObjects

Method: GET

Parameters:

Key              Value
orderBy          string
startDateTime    string <date-time>
endDateTime      string <date-time>
top              integer

Headers:

Key              Value
Authorization    Bearer <Authentication Token>
User-Agent       <USER AGENT>
Content-Type     application/json
Accept           application/json

API Request Endpoint:

https://api.in.xdr.trendmicro.com/v3.0/threatintel/suspiciousObjects

Sample Response:

{
  "items": [
    {
      "url": "https://*.example.com/path1/*",
      "type": "url",
      "description": "object description",
      "lastModifiedDateTime": "2019-03-15T07:44:27Z"
    }
  ],
  "nextLink": "https://api.xdr.trendmicro.com/v3.0/xdr/threatintel/suspiciousObjects?top=50&skipToken=eyJpZCI6IjI1MGQxMmE3ZDQyMmVhM"
}
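The pull described above, written out as an added example (it is not code from the Netskope plugin or from Trend Micro): it builds the first page URL from the Initial Range setting, follows nextLink until it is absent, applies the Pull Mapping and Severity Mapping tables to each item, and skips objects that CE itself pushed (those carry the "Created from Netskope CTE" description and, as the Troubleshooting section notes, are not pulled back). Only the "url" type and the fields shown in the sample response appear on this page; the "domain", "ip" and "fileSha256" type names, the riskLevel key, and the orderBy value are assumptions, and the sample pages are constructed.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional
from urllib.parse import urlencode

BASE_URL = "https://api.in.xdr.trendmicro.com"  # Data Region endpoint used on this page
PULL_PATH = "/v3.0/threatintel/suspiciousObjects"
USER_AGENT = "netskope-ce-5.0.0-cte-trend-vision-one-v1.0.2"
CE_DESCRIPTION_PREFIX = "Created from Netskope CTE"  # objects CE pushed; never pulled back

# Trend Vision One object type -> CE IoC type (Type Mapping table).
# Only "url" is on the page; "domain", "ip", "fileSha256" are assumed names.
TYPE_MAP = {"url": "URL", "domain": "URL", "ip": "URL", "fileSha256": "SHA256"}
# Trend Vision One riskLevel -> CE severity; anything else becomes "unknown".
SEVERITY_MAP = {"high": "high", "medium": "medium", "low": "low"}


def build_headers(token: str) -> Dict[str, str]:
    """Headers from the Pull Indicators table."""
    return {"Authorization": f"Bearer {token}", "User-Agent": USER_AGENT,
            "Content-Type": "application/json", "Accept": "application/json"}


def build_first_url(initial_range_days: int, top: int = 200,
                    now: Optional[datetime] = None) -> str:
    """First-page URL: Initial Range (in days) becomes startDateTime.
    The orderBy value is an assumed example, not taken from the page."""
    now = now or datetime.now(timezone.utc)
    start = now - timedelta(days=initial_range_days)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    params = {"orderBy": "lastModifiedDateTime desc", "startDateTime": start.strftime(fmt),
              "endDateTime": now.strftime(fmt), "top": top}
    return f"{BASE_URL}{PULL_PATH}?{urlencode(params)}"


def to_ce_indicator(item: dict) -> Optional[dict]:
    """Apply the Pull Mapping table to one response item.
    Assumption: the object value sits under a key named after its type."""
    tv1_type = item.get("type", "")
    ce_type = TYPE_MAP.get(tv1_type)
    value = item.get(tv1_type)
    if ce_type is None or not value:
        return None  # unsupported type or malformed item: skip it
    return {"value": value, "type": ce_type,
            "comments": item.get("description", ""),
            "LastSeen": item.get("lastModifiedDateTime"),
            "severity": SEVERITY_MAP.get(str(item.get("riskLevel", "")).lower(), "unknown")}


def pull_indicators(fetch_json: Callable[[str], dict], first_url: str,
                    max_pages: int = 1000) -> List[dict]:
    """Follow nextLink until it is absent; max_pages bounds a looping nextLink."""
    indicators: List[dict] = []
    url: Optional[str] = first_url
    pages = 0
    while url and pages < max_pages:
        page = fetch_json(url)
        for item in page.get("items", []):
            if item.get("description", "").startswith(CE_DESCRIPTION_PREFIX):
                continue  # CE's own pushed objects are not pulled back
            ind = to_ce_indicator(item)
            if ind:
                indicators.append(ind)
        url = page.get("nextLink")
        pages += 1
    return indicators


def http_fetch(token: str) -> Callable[[str], dict]:
    """Real fetcher for pull_indicators (not exercised offline)."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers=build_headers(token))
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return fetch


# Constructed sample pages standing in for two API responses: the first item is
# the page's own sample, the rest are made up (RFC 5737 address, dummy hash).
SAMPLE_PAGES = {
    "page1": {"items": [
        {"url": "https://*.example.com/path1/*", "type": "url", "description": "object description",
         "lastModifiedDateTime": "2019-03-15T07:44:27Z", "riskLevel": "high"},
        {"domain": "bad.example.net", "type": "domain", "description": "Created from Netskope CTE",
         "lastModifiedDateTime": "2019-03-15T08:00:00Z", "riskLevel": "medium"},
        {"fileSha256": "a" * 64, "type": "fileSha256", "description": "sample hash",
         "lastModifiedDateTime": "2019-03-15T08:10:00Z", "riskLevel": "low"}],
        "nextLink": "page2"},
    "page2": {"items": [
        {"ip": "203.0.113.7", "type": "ip", "description": "no risk level set",
         "lastModifiedDateTime": "2019-03-15T08:20:00Z"}]},  # no nextLink: last page
}


def demo() -> List[dict]:
    """Run the pull loop against the constructed pages (three indicators survive)."""
    return pull_indicators(SAMPLE_PAGES.__getitem__, "page1")


if __name__ == "__main__":
    for ind in demo():
        print(ind)
```

Against a live tenant, replace the fetcher with `http_fetch(token)` and the first argument with `build_first_url(initial_range_days)`; the `max_pages` bound is there so a misbehaving nextLink cannot keep the sync running indefinitely.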
Push Indicators

API Endpoints:

  • /v3.0/threatintel/suspiciousObjects
  • /v3.0/threatintel/suspiciousObjectExceptions

Method: POST

Request Body:

[
  {
    "url": "https://*.example.com/path1/*",
    "description": "object description"
  }
]

Headers:

Key              Value
Authorization    Bearer <Authentication Token>
User-Agent       <USER AGENT>
Content-Type     application/json
Accept           application/json

API Request Endpoints:

https://api.in.xdr.trendmicro.com/v3.0/threatintel/suspiciousObjects
https://api.in.xdr.trendmicro.com/v3.0/threatintel/suspiciousObjectExceptions

Sample Response:

207 Multiple status code
[
  {
    "status": 201
  }
]
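The push side as an added example (not code from the Netskope plugin or from Trend Micro): it applies the Push Mapping and Severity Mapping tables to CE indicators, drops bare domains containing "/" before sending (the Troubleshooting section notes the platform rejects those), batches the request body for either target endpoint, and reads the 207 Multiple Status response one entry per object, so a single failed object (for example when the platform's IoC limit is hit) is reported rather than lost. Only "url" and "description" appear in the page's request body; the "domain", "ip", "fileSha256" and "riskLevel" keys, the shape of a per-object error entry, and the value-classification rule are assumptions, and the sample indicators and 207 body are constructed.

```python
import ipaddress
import json
import re
import urllib.request
from typing import List, Tuple

BASE_URL = "https://api.in.xdr.trendmicro.com"  # Data Region endpoint used on this page
TARGET_PATHS = {
    "Suspicious Object List": "/v3.0/threatintel/suspiciousObjects",
    "Exception List": "/v3.0/threatintel/suspiciousObjectExceptions",
}
USER_AGENT = "netskope-ce-5.0.0-cte-trend-vision-one-v1.0.2"
DEFAULT_DESCRIPTION = "Created from Netskope CTE"
# CE severity -> Trend Vision One risk level (Severity Mapping table)
SEVERITY_TO_RISK = {"unknown": "high", "low": "low", "medium": "medium",
                    "high": "high", "critical": "high"}
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def tv1_field(value: str) -> str:
    """Pick the request-body key for a CE value (assumed rule; only "url" is on the page)."""
    if SHA256_RE.match(value):
        return "fileSha256"
    try:
        ipaddress.ip_address(value)  # IPv4 or IPv6
        return "ip"
    except ValueError:
        pass
    return "url" if "://" in value else "domain"


def to_tv1_object(ind: dict) -> Tuple[dict, str]:
    """Apply the Push Mapping table; returns (object, "") or ({}, reason for skipping).
    A domain containing "/" is not a valid domain on the platform, so it is never sent."""
    value = ind["value"].strip()
    field = tv1_field(value)
    if field == "domain" and "/" in value:
        return {}, f"{value}: a domain containing '/' is not valid on Trend Vision One"
    risk = SEVERITY_TO_RISK.get(str(ind.get("severity", "unknown")).lower(), "high")
    return {field: value,
            "description": ind.get("description") or DEFAULT_DESCRIPTION,
            "riskLevel": risk}, ""  # riskLevel key is an assumption


def build_batches(indicators: List[dict], batch_size: int = 100) -> Tuple[List[List[dict]], List[str]]:
    """Convert CE indicators into request bodies of at most batch_size objects."""
    objects, skipped = [], []
    for ind in indicators:
        obj, reason = to_tv1_object(ind)
        if obj:
            objects.append(obj)
        else:
            skipped.append(reason)
    batches = [objects[i:i + batch_size] for i in range(0, len(objects), batch_size)]
    return batches, skipped


def summarize_multistatus(status_code: int, body: List[dict], batch: List[dict]) -> dict:
    """Read a 207 body: one entry per request object, in order. Any non-2xx entry is a
    per-object failure; the error-message shape is an assumption."""
    if status_code != 207:
        return {"ok": 0, "failed": len(batch), "errors": [f"HTTP {status_code}"]}
    ok, errors = 0, []
    for obj, result in zip(batch, body):
        status = result.get("status", 0)
        if 200 <= status < 300:
            ok += 1
        else:
            message = result.get("error", {}).get("message", "no message")
            errors.append(f"{json.dumps(obj)} -> {status}: {message}")
    return {"ok": ok, "failed": len(batch) - ok, "errors": errors}


def post_batch(token: str, target: str, batch: List[dict]) -> Tuple[int, list]:
    """Real POST to the chosen target (not exercised offline)."""
    req = urllib.request.Request(
        BASE_URL + TARGET_PATHS[target], data=json.dumps(batch).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "User-Agent": USER_AGENT,
                 "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.status, json.load(resp)


# Constructed CE indicators: the page's sample URL, a dummy hash, an RFC 3849
# address, a domain, and a "domain" with slashes that the platform would reject.
SAMPLE_INDICATORS = [
    {"value": "https://*.example.com/path1/*", "description": "object description", "severity": "critical"},
    {"value": "b" * 64, "severity": "low"},
    {"value": "2001:db8::1", "severity": "medium"},
    {"value": "evil.example.org", "severity": "unknown"},
    {"value": "evil.example.org/a/b", "severity": "high"},
]
# Constructed 207 body for the batch above: the last accepted object fails.
SAMPLE_207 = [{"status": 201}, {"status": 201}, {"status": 201},
              {"status": 400, "error": {"message": "limit reached"}}]


def demo():
    """Build the batches and summarise the constructed 207 response."""
    batches, skipped = build_batches(SAMPLE_INDICATORS)
    return batches, skipped, summarize_multistatus(207, SAMPLE_207, batches[0])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping the skipped reasons and the per-object errors lets the sync log explain exactly which IoC was not accepted, which is what the Validate the Push and Troubleshooting steps ask you to look for.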

Performance Matrix

These readings were taken on a Large CE stack with the specs below by pulling and pushing 100K IoCs.

Stack details                               Size: Large
                                            RAM: 32 GB
                                            CPU: 16 Cores
Indicators fetched from Trend Vision One    ~20K per minute
Indicators shared with Trend Vision One     ~12K per minute
User Agent

netskope-ce-5.0.0-cte-trend-vision-one-v1.0.2

Workflow

  1. Create User Roles.
  2. Get your Authentication Token.
  3. Configure the Trend Vision One plugin.
  4. Configure a business rule for Trend Vision One.
  5. Configure sharing for Netskope and Trend Vision One.
  6. Validate the Trend Vision One plugin.

Get your Trend Vision One Authentication Token

Create User Roles

In order to generate the API Key, you need to create a user role. Follow these steps to configure the User Role on Trend Vision One.

  1. Login to your Trend Vision One platform and go to Administration > User Roles.
  2. Click Add Role and provide a Role name, and then go to the Permissions tab.
  3. Scroll down to Threat Intelligence > Suspicious Object Management and select these permissions.
    • View, filter and search
    • Manage lists and configure settings

  4. Click Submit. The role is saved and is used when generating the API Key.

Generate an API Key

  1. In Trend Vision One, go to Administration > API Keys.
  2. Click Add API Keys.
  3. Add a Name, select the previously created role, and select an expiration time.
  4. Click Add. Save the key for configuring the plugin; it is visible only once.

Configure the Trend Vision One Plugin

  1. In Cloud Exchange, go to Settings and click Plugins.
  2. Search for and select the Trend Vision One plugin box to open the plugin creation pages.
  3. Enter and select the Basic Information on the first page:
    • Configuration Name: Enter a name appropriate for your integration.
    • Sync Interval: Adjust to environment needs. We recommend not going below 5 minutes for production environments.
    • Aging Criteria: Expiration Date for indicators.
    • Override Reputation: Set a value to override the reputation of indicators received from this configuration.
    • Enable SSL verification: Enable if SSL verification is required for communication.
    • Use System Proxy: Enable if a proxy is required for communication.
  4. Click Next.
  5. Enter and select these Configuration Parameters:
    • Data Region: Select a Region for your Trend Vision One account.
    • Authentication Token: Enter your Trend Vision One Authentication Token obtained previously.
    • Enable Polling: Enable to start pulling data.
    • Initial Range (in days): Enter an initial range to fetch indicators.
  6. Click Save.

Configure a Threat Exchange Business Rule for Trend Vision One

To share indicators fetched from Trend Vision One to Netskope, and vice versa, you need a business rule that filters the indicators you want to share. To configure a business rule, follow these steps:

  1. In Threat Exchange,  go to Business Rules and click Create New Rule.
  2. Add the filter according to your requirement in the rule.

Configure Threat Exchange Sharing for Trend Vision One

To share IoCs from the Netskope CE to the Trend Vision One platform or vice versa, follow these steps:

  1. In Threat Exchange, go to Sharing. Click Add Sharing Configuration.
  2. Select your Source Configuration (Netskope CTE), the Business Rule, Destination Configuration (Trend Vision One), and Target (Suspicious Object List).
  3. Click Save.
  4. Add another Sharing configuration, but select Trend Vision One as the Source Configuration, and Netskope CTE as the Destination Configuration, plus the Business Rule and desired Target (like URL List or File Hash List). When finished, click Save.

Validate the Trend Vision One Plugin

Validate the Pull

To verify the data pulled from the Trend Vision One platform, follow these steps.

  1. Go to Logging and filter the pull logs from the Trend Vision One plugin.
  2. Data from Trend Vision One is pulled from the Threat Intelligence > Suspicious Object Management > Suspicious Object List.

Validate the Push

Indicators pushed from CE can be checked from Logging. Use the search filter to check the IoCs pushed to the Trend Vision One platform.

Pushed data on Trend Vision One is listed on either the Suspicious Object List or the Exception List page under Threat Intelligence > Suspicious Object Management, depending on the target selected while configuring the sharing.
The pushed IoCs on Trend Vision One can be identified by the default description added from CE, like Created from Netskope CTE.

Troubleshooting

Indicators are not pulled from the Trend Vision One platform

After the plugin configuration, if the IoCs are not pulled from the platform, it might be due to one of the following.

  • IoCs are not available on the platform to pull
  • IoCs are not available for the given time range
  • Available IoCs are pushed from CE
  • Unable to push IoCs to Trend Vision One

What to do: Identify your root cause from the list above and follow these steps to resolve the issue.

No IoCs are available on the platform to pull

Check if the IoCs are available on the platform to pull. If available, check the resolution for the next point.

IoCs are not available for the given time range

If the IoCs are available on the platform to pull, but the plugin has not pulled the IoCs in CE, check the number of days mentioned in the initial range parameter of the plugin configuration. On the Trend Vision One platform, check if you have data for the given time range.

Available IoCs are pushed from CE

If the IoCs are available on the platform and yet not pulled, check the description of the IoCs. IoCs that were shared from CE have a default description, like Created from Netskope CTE, and those IoCs are not pulled back into CE.

Unable to push IoCs to Trend Vision One

If you are not able to push the IoCs to the platform and receive an error while pushing, it might be due to either:

  • Insufficient permission for the API Key (Authentication token)
  • The platform has reached its limit for IoCs

What to do: Identify the reason for the IoCs not being pushed. Check if the user has sufficient permissions. If sufficient permissions are in place and the IoCs are still not pushed, count the IoCs of each type that you are trying to push to Trend Vision One and check whether the limit for that type has been exceeded.

If the domain that you are trying to share contains multiple slashes (/), it won't be shared to the Trend Vision One platform, as the platform itself does not consider a domain with multiple slashes a valid domain.

Limitation

We observed that only 10K IoCs of each type can be pushed to the Trend Vision One Suspicious Object List page, and only around 300 IoCs in total to the Exception List page.
