
Netskope Help

Trend Micro Vision One Plugin for Threat Exchange

This document explains how to configure the Trend Micro Vision One integration with the Cloud Threat Exchange module of the Netskope Cloud Exchange platform. This plugin supports sharing to Netskope of URLs, domains, SHA256 file hashes, and IP addresses that have been identified by Trend Micro Vision One. This plugin also allows for sharing of URLs and SHA256 file hashes to Trend Micro Vision One.

Fetched indicator types

URL, IP, SHA256, Domain

Shared indicator types

URL, SHA256
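
Four indicator types are fetched but only two are shared, so a Business Rule that matches IP or domain indicators would contribute nothing to a Trend Micro sharing configuration. The following pre-check is an added example, not Netskope or Trend Micro code: `classify` and `plan_share` are hypothetical helper names, the sample values are constructed, and it assumes indicators outside the shared types are simply not sent.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Shared indicator types as listed on this page (Netskope -> Trend Micro).
SHARED_TYPES = {"url", "sha256"}

_SHA256 = re.compile(r"[0-9a-fA-F]{64}")
_DOMAIN = re.compile(
    r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)


def classify(value):
    """Return 'sha256', 'ip', 'url', 'domain', or None for anything else."""
    value = value.strip()
    if _SHA256.fullmatch(value):
        return "sha256"
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. an unbalanced IPv6 bracket in the host
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return "url"
    if _DOMAIN.fullmatch(value):
        return "domain"
    return None


def plan_share(indicators):
    """Split values into (shared, skipped) lists of (value, type) pairs.

    Assumption: a type outside SHARED_TYPES is not sent to Trend Micro.
    """
    shared, skipped = [], []
    for value in indicators:
        kind = classify(value)
        (shared if kind in SHARED_TYPES else skipped).append((value, kind))
    return shared, skipped


# Constructed sample values (documentation ranges and dummy hashes).
SAMPLE = [
    "https://malicious.example/login.php",
    "203.0.113.45",
    "bad-domain.example",
    "a" * 64,
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 length, not a listed type
]
```

Run `plan_share` over an export of the source plugin's indicators before you create the sharing configuration to see which entries fall outside the shared types.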

Prerequisites

To complete this configuration, you need:

Workflow
  1. Get your Trend Micro auth token.

  2. Configure the Trend Micro Plugin.

  3. Configure sharing for Netskope and Trend Micro.

  4. Validate the Trend Micro Plugin.


 
Get your Trend Micro auth token

  1. Go to https://tm.login.trendmicro.com/ and log in with your credentials. This site is for the America region; use the one for your region.

  2. Go to Administration > User Accounts.

  3. Click the account name that you use for API access. Note that a simple Analyst role has permission for these operations, so there's no need for a Master Admin Account. You can also create a custom role that has these permissions:

    Suspicious Object Management

    • View, filter, and search

    • Manage lists and configure settings

  4. Verify that the Access level is set to Trend Micro Vision One console and API.

  5. Click Generate new authentication token.

  6. Copy and save the generated Authentication Token because it will be displayed only once.

  7. Click Save.

Configure the Trend Micro Plugin

  1. In Cloud Exchange, go to Settings and click Plugins.

  2. Search for and select the Trend Micro Plugin box to open the plugin creation pages.

  3. Enter and select the Basic Information on the first page:

    • Configuration Name: Enter a name appropriate for your integration.

    • Sync Interval: Adjust to environment needs. We recommend not going below 5 minutes for production environments.

    • Aging Criteria: Expiration Date for indicators.

    • Override Reputation: Leave Default.

    • Enable SSL verification: Enable if SSL verification is required for communication.

    • Use System Proxy: Enable if a proxy is required for communication.

  4. Click Next.

  5. Enter and select these Configuration Parameters:

    • Data Region: Select a Region for your Trend Micro Account.

    • Authentication Token: Enter the Trend Micro Authentication Token you obtained previously.

    • Enable Polling: Enable to start pulling data.

    • Initial Range (in days): Enter an Initial range to fetch indicators.

  6. Click Save.

Configure sharing for Netskope and Trend Micro

Add to Suspicious Object List

Add to Suspicious Object List shares indicators to Trend Micro’s Suspicious Object List.

  1. Create a Business Rule.

  2. Go to Threat Exchange > Sharing.

  3. Click Add Sharing Configuration.

  4. From the Source Configuration dropdown, select a source plugin configuration.

  5. From the Business Rule dropdown, select a Business Rule.

  6. From the Destination Configuration dropdown, select Trend Micro.

  7. From the Target dropdown, select Add to Suspicious Object List.

  8. Add a Description.

  9. Click Save.

  10. Click Sync.

  11. Add a Time Period and click Fetch. The number of IoCs will be shared when you click Sync.

  12. Click Save.

Add to Suspicious Object Exception List

Add to Suspicious Object Exception List shares indicators to Trend Micro’s Suspicious Object Exception List.

  1. Create a Business Rule.

  2. Go to Threat Exchange > Sharing.

  3. Click Add Sharing Configuration.

  4. From the Source Configuration dropdown, select the source plugin configuration.

  5. From the Business Rule dropdown, select a Business Rule.

  6. From the Destination Configuration dropdown, select Trend Micro.

  7. From the Target dropdown, select Add to Suspicious Object Exception List.

  8. Add a Description.

  9. Click Save.

  10. Click Sync.

  11. Add a Time Period and click Fetch. The number of IoCs will be shared when you click Sync.

  12. Click Save.

Validate the Trend Micro Plugin

Pulling of Indicators

In Threat Exchange, select Threat IoCs.

Sharing of Indicators
  1. Log in to the Trend Micro Vision One console.

  2. Go to Threat Intelligence > Suspicious Object Management.

  3. Select the Suspicious Object List or Suspicious Object Exception List tab on top.

  4. If data is not being fetched from the platform, check the logs in Cloud Exchange: select Logging and look through the logs for errors.
