
Gain more access to risk indicators across your corporate network by connecting multiple data sources to Attack Surface Risk Management.

Trend Vision One allows you to connect multiple Trend Micro or third-party data sources to Attack Surface Risk Management in order to gain extra visibility into your organization’s attack surface, risk indicators, and vulnerabilities. The more data sources you connect to Attack Surface Risk Management, the more complete a picture you can get of your organization's security posture.
Different data sources have different requirements when connecting to Attack Surface Risk Management. The following procedure outlines the basic steps required to connect a data source.

Procedure

  1. Go to Attack Surface Risk Management > Operations Dashboard.
  2. Click the Data sources button in the upper right.
    Tip
    You can also access Data sources by clicking the button in Executive Dashboard or Attack Surface Discovery, or by going to Workflow and Automation > Data Source and Log Management > Attack Surface Risk Management.
    A list of all Trend Micro and third-party data sources supported by Attack Surface Risk Management appears. Click a risk factor to highlight the data sources used to collect data for the specified risk factor.
  3. Find and click the data source you wish to connect. A screen appears to explain the data permissions needed and the connection requirements for the specified data source.
    Important
    You must have allocated credits, a valid license, or an established account for the Trend Micro or third-party data source you wish to connect. Most Trend Micro data sources must be configured, connected, and managed in the app corresponding to the source. Most third-party data sources must be configured, connected, and managed in Third-Party Integration unless otherwise specified. Once a data source is connected, it may take a few minutes for the data source status to change.
    The following tables detail the data sources supported by Attack Surface Risk Management, the type of data collected from the data source, and the connection method.

    Trend Vision One XDR Sensors

    | Source | Data collected | Connection method |
    |---|---|---|
    | Endpoint Sensor | User, app, and web activities, and vulnerability assessment on monitored endpoints | Configure in Endpoint Inventory. |
    | Email Sensor | Email activities in Office 365 Exchange Online | Configure in Email Asset Inventory. |
    | Network Sensor | Detected threats in monitored endpoint traffic | Configure in Network Inventory. |

    Trend Micro Security Services

    | Source | Data collected | Connection method |
    |---|---|---|
    | Standard Endpoint Protection | Users, applications, web activities, security settings, and detected threats on monitored endpoints | Configure in Endpoint Inventory. |
    | Server & Workload Protection | Users, applications, web activities, and detected threats on monitored endpoints | Configure in Endpoint Inventory. |
    | Trend Micro Apex One as a Service | Users, applications, web activities, and detected threats on monitored endpoints | Configure in Product Instance. |
    | Trend Micro Apex One On-premises | Security settings and detected threats on monitored endpoints | Configure in Product Instance. |
    | Cloud Email and Collaboration Protection | Detected threats and security settings from Google Gmail and Microsoft Office 365 apps. | Configure in Product Instance. |
    | Trend Cloud One - Conformity | Cloud configurations on AWS, Microsoft® Azure, and Google Cloud environments | 1. Ensure you have a license for Conformity. You may sign up for a free trial if necessary. 2. Connect and configure your cloud accounts in Conformity. 3. Create and copy a new read-only API key in the Trend Cloud One console. 4. In the Trend Vision One console, click on the Trend Cloud One - Conformity data source. 5. Paste the API key into the corresponding field and click Check. 6. After the API key has been successfully checked, turn on Data upload permission. 7. Click Save. |
    | Trend Cloud One - Endpoint & Workload Security | Users, applications, web activities, and detected threats on monitored endpoints | Configure in Product Instance. |
    | Trend Micro Deep Discovery Inspector | Targeted attacks and advanced threats in monitored network traffic | Configure in Network Inventory. |
    | Trend Micro Deep Security | Users, applications, web activities, and detected threats on monitored endpoints | Configure in Product Instance. |
    | Cloud Email Gateway Protection | Email activities, security settings, and detected threats on monitored email domains. | Configure in Product Instance. |
    | Trend Micro Web Security | Web activity and web application related data of monitored devices and users via Trend Micro Web Security | Connected when Zero Trust Secure Access - Internet Access is configured and deployed. |
    | Trend Micro Mobile Security | Cloud apps, mobile apps, threats, and user activities detected on monitored mobile devices | Configure in Mobile Inventory. |
    | Trend Vision One Phishing Simulations | Breach events from phishing simulations | Configure in Phishing Simulations. |
    | Trend Vision One Container Security | Vulnerabilities, detected threats, and system configuration risks on monitored containers and images | Configure in Container Inventory. |
    | TippingPoint Security Management System | Network detection logs and filter rule status | 1. Connect TippingPoint in Network Inventory. 2. Ensure you have installed and configured a Service Gateway virtual appliance. 3. Enable the following on your Service Gateway: Forward proxy; Log forwarding; Suspicious Object List synchronization; TippingPoint policy management. |
    | Zero Trust Secure Access - Private Access | Users, devices, threat detections, and internal app activities from your internal network | Configure in Zero Trust Secure Access. |
    | Zero Trust Secure Access - Internet Access | Users, devices, threat detections, and cloud app activities to external networks | Configure in Zero Trust Secure Access. |

    Third-Party Data Sources

    Source
    Data collected or function performed
    Connection method
    Active Directory (on-premises)
    User information and activity data
    1. Go to Workflow and Automation > Third-Party Integration.
    2. Find and click Active Directory (on-premises).
    3. Enable Active Directory integration.
    4. Follow the onscreen instructions to add your Active Directory server.
    Important
    Operations Dashboard and Zero Trust Secure Access both require data upload permission to ensure certain features function properly. Revoking data upload permission may prevent secure access policy enforcement and risk analysis.
    Google Cloud Identity
    Directory data and activity data
    1. Grant access permissions in your Google Cloud Identity tenant.
    2. Go to Workflow and Automation > Third-Party Integration.
    3. Configure your Google Cloud Identity tenant. You must configure the same tenant in which you granted permissions.
    xDome
    Third-party vulnerability assessment tool (SaaS)
    Turn on Data upload permission and provide the country or region-specific xDome URL and API key created for an xDome user account with the appropriate role. For more information, see xDome integration.
    Microsoft Entra ID
    User information and activity data
    1. Go to Workflow and Automation > Third-Party Integration and click Microsoft Entra ID.
    2. Locate one or multiple Microsoft Entra ID tenants that you want to grant permissions for, and click Grant permissions in the Status column for Attack Surface Risk Management.
    3. Follow the onscreen instructions to enable the data connection. For more information, see Microsoft Entra ID integration.
    4. Go back to Data sources, turn on Data upload permission and click Save.
    Nessus Pro
    Nessus Pro user data on apps, devices, and behaviors
    1. Go to Workflow and Automation > Third-Party Integration.
    2. Find and click Nessus Pro and follow the onscreen instructions to connect your account. For more information, see Nessus Pro Integration.
    Office 365
    Usage and activities on Office 365 apps including OneDrive, SharePoint, and Teams
    Turn on Data upload permission after you have connected Microsoft Entra ID. If desired, you may also turn permission off.
    Important
    Connecting Office 365 as a data source requires that you configure and connect Microsoft Entra ID as a data source. To do so, enable the Data upload permission toggle for Microsoft Entra ID and configure in Third-Party Integration.
    Okta
    Allows access to user information and activity data
    1. Obtain the Okta URL domain and API token from your Okta environment. For more information, see Obtaining your Okta URL domain and API token.
      Note
      Your Okta user account must have one of the following administrator privileges in Okta:
      • API Access Management Admin
      • Mobile Admin
      • Read-Only Admin
      • App Admin
      • Org Admin
      • Super Admin
    2. Go to Workflow and Automation > Third-Party Integration.
    3. Find and click Okta and follow the onscreen instructions to connect your account. For more information, see Okta integration.
    Important
    Operations Dashboard and Zero Trust Secure Access both require data upload permission to ensure certain features function properly. Revoking data upload permission may prevent secure access policy enforcement and risk analysis.
    OpenLDAP
    Allows access to user information from your internal network
    1. Ensure you have installed a Service Gateway and enabled the On-premises directory connection service.
    2. Go to Workflow and Automation > Third-Party Integration.
    3. Find and click OpenLDAP and follow the onscreen instructions to connect your server. For more information, see OpenLDAP integration.
    Qualys
    Third-party vulnerability assessment tool (SaaS)
    1. In your Qualys console, create a new account with an active subscription and the following permissions:
      • Role: Reader
      • Asset Management Permissions: Read Asset
      • Allow access: API
      • Asset Groups (assigned to)
    2. Add your Trend Vision One regional IP addresses for Attack Surface Risk Management to the list of trusted IP addresses in the Qualys console.
    3. Go back to Data sources and provide the username and password for the newly created account.
    4. Turn on Data upload permission and click Save and Verify. If desired, you may also turn permissions off.
    Note
    Qualys integration only provides CVE detection data and limited device information. For complete activity monitoring of exploit attempts and comprehensive device insights, install and enable Endpoint Sensor.
    Rapid7 - InsightVM
    Third-party vulnerability assessment tools (SaaS)
    1. From your Rapid7 console, obtain the Insight Platform URL and API key for a Rapid7 Insight user account with the Platform Admin role. For more information, see Rapid7 - InsightVM integration.
    2. Go back to Data sources and provide the newly obtained Platform URL and API key.
    3. Turn on Data upload permission and click Save. If desired, you may also turn permissions off.
    Rapid7 - Nexpose
    Third-party vulnerability assessment tools (on-premises)
    1. Ensure you have installed a Service Gateway with the Rapid7 - Nexpose connector service enabled.
    2. Go to Workflow and Automation > Third-Party Integration.
    3. Find and click Rapid7 - Nexpose and follow the onscreen instructions to connect your server. For more information, see Rapid7 - Nexpose integration.
    Rescana
    Third-party tool for External Attack Surface Management
    Important
    Enabling the Rescana integration switches the Attack Surface Risk Management data source for collecting internet-facing asset data to Rescana. After switching the data source, internet-facing asset data previously collected by Trend Micro solutions will no longer be available.
    1. Obtain the URL and API token for your Rescana account in your Rescana console.
    2. Go back to Data sources and provide the newly obtained URL and API token.
    3. Click Test connection to verify connectivity.
    4. Provide the URL and API token for your Rescana account.
    5. Click Connect.
    Important
    This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature.
    Salesforce
    Salesforce metadata and information on system misconfigurations
    Turn on Data upload permission after you have connected Salesforce in Third-Party Integration.
    For more information, see Salesforce integration.
    Important
    This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature.
    Splunk - Network Firewall / Web Gateway Logs
    User activities on detected cloud apps
    1. Go to Workflow and Automation > Third-Party Integration.
    2. Find and click Attack Surface Risk Management for Splunk.
    3. Copy the displayed authentication token.
    4. Download and install the Attack Surface Risk Management for Splunk app.
    5. Use the authentication token to configure the app. For more information, see Attack Surface Risk Management for Splunk integration.
    Tanium Comply
    Third-party vulnerability assessment tool (SaaS)
    1. Obtain the Tanium Comply URL and API token from the Tanium console using an account with the appropriate role. For more information, see Tanium Comply integration.
    2. Add your Trend Vision One regional IP addresses for Attack Surface Risk Management to the list of trusted IP addresses in the Tanium console.
    3. Go back to Data sources and provide the newly obtained URL and API token.
    4. Turn on Data upload permission and click Save. If desired, you may also turn permissions off.
    Tenable Security Center
    Third-party vulnerability assessment tool (on-prem)
    1. Ensure you have a Service Gateway installed with the Tenable Security Center connector service enabled.
    2. Go to Workflow and Automation > Third-Party Integration.
    3. Find and click Tenable Security Center and follow the onscreen instructions to connect your server. For more information, see Tenable Security Center data source setup.
    Tenable Vulnerability Management
    Third-party vulnerability assessment tool (SaaS)
    1. Obtain the Tenable Vulnerability Management secret key and access key from the Tenable Vulnerability Management console using an account with the appropriate permissions. For more information, see Tenable Vulnerability Management integration.
    2. Go back to Data sources and provide the newly obtained secret key and access key.
    3. Turn on Data upload permission and click Save. If desired, you may also turn permissions off.