Integration with Trend Micro Cloud One Workload Security (Deep Security)

How to integrate with Trend Micro Cloud One Workload Security

By integrating with Trend Micro Cloud One Workload Security (hereafter referred to as CloudOne), FutureVuls can add the following two functions:

  1. Intrusion prevention rule optimization function
     Automatically generates intrusion prevention policies in CloudOne based on the list of CVE-IDs detected in FutureVuls. Because the rules are generated from the CVE-IDs actually detected, the resulting rules are optimized for your environment. Policies are created in CloudOne with the name [Vuls] {Server Role Name}, so divide your server roles into the units you want to manage as a single policy in CloudOne. (See how to create roles.)

  2. Intrusion prevention rule display and automatic triage function
     Displays the CVE-IDs that CloudOne is defending against on the list screen and sets the status of the corresponding task to WorkAround. After installing the CloudOne agent, you must rescan in FutureVuls.

Both functions are executed at the time of scanning by FutureVuls.

With the 2021/6/18 release, if a CloudOne intrusion prevention rule corresponding to a vulnerability detected by FutureVuls exists, an icon with the Available status is displayed. The Available status is shown by default even if “Group settings > Cloud One external cooperation” is not configured. Whether an intrusion prevention rule exists is synchronized every few hours on the FutureVuls service side. This is useful when you detect a high-risk vulnerability but cannot apply the update immediately, and want to check whether an intrusion prevention rule for that vulnerability exists in CloudOne as a temporary workaround.

Authentication settings

Operations in CloudOne

1. Checking region information

  1. Check the region information of your CloudOne account.


2. Create a “Role” for FutureVuls

  1. Create a role in “Role” under “Management” > “User Management”.


  • Editing rights for computers are required in order to obtain the intrusion prevention rules applied to computers. We are currently inquiring with Trend Micro about the need for editing rights.

3. Issue an API token for FutureVuls

  1. Select “New” in “API Key” under “User Management”.
  2. Issue a key based on the role created earlier.
  3. Enter the issued key and the region information confirmed earlier into the external cooperation screen in FutureVuls.


Operation in FutureVuls

You can configure the integration from “External integration” in the group settings.
Enter the API token created earlier and click the “Save” button.

At this time, you can also set whether to automatically generate policies and set triage.


Integration settings

0. Follow the above steps and set up integration on the group setting screen

1. Create “roles” on FutureVuls screen

Create roles in the units by which you want to divide your servers.
Creating roles in the same units as your CloudOne policies makes them easier to manage.

2. Create “policies” on CloudOne screen

When creating a policy, name it using the naming convention [Vuls] {role name}; its intrusion prevention rules will then be updated automatically.
For example, if the role name is default, create a policy named [Vuls] default on CloudOne.
※ If no policy with that name exists, a new policy will be created using the above naming convention.

(Figure: create_policy.png)

For a newly created policy, set “Perform continuous search for recommended settings” in “Settings > General > Recommended Settings” of the policy to either “Yes” or “No”. If neither is selected explicitly, the intrusion prevention rules will fail to be reflected (the process fails if “Inheritance (Yes/No)” or “Initial Settings (Yes/No)” is selected).

(Figure: recommend_policy.png)

Also, when intrusion prevention is turned on, the configured rules become enabled.

(Figure: prevention_policy.png)

3. Assign servers to roles on FutureVuls screen

On the server page, you can change the roles of multiple servers at once by selecting them.

4. Assign policies and computers on CloudOne screen

(Figure: computer.png)

5. Perform a scan

To integrate with CloudOne, you need to perform a scan again. It may take a few minutes until the integration with CloudOne is completed.

6. Verification of integration

In the server list screen, the mark indicating that intrusion prevention rules are enabled will be displayed in the “CloudOne status”.

In the task list screen, once the intrusion prevention rules set in CloudOne have been reflected, the result is shown in the “CloudOne status” column. Depending on that status, the task status may also change.
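Before running the scan in step 5, it is worth checking that every FutureVuls role from step 1 has a correctly configured [Vuls] policy from step 2. The following is an added example (not FutureVuls or Trend Micro code) that applies the naming convention and the “Yes/No only” recommendation-setting rule from the steps above to a policy list; the policy records and their keys “name” and “recommendation_scan” are constructed assumptions standing in for however you export the list from CloudOne.

```python
# Pre-flight check for the "[Vuls] {role name}" policy naming convention.
# Added example, not FutureVuls or Trend Micro code. The policy records below
# are constructed; the keys "name" and "recommendation_scan" are assumptions
# standing in for however you export the policy list from Cloud One.

POLICY_PREFIX = "[Vuls] "
# Only an explicit "Yes" or "No" for "Perform continuous search for
# recommended settings" works; inherited/default values make the update fail.
ACCEPTED_RECOMMENDATION_MODES = {"yes", "no"}


def policy_name_for_role(role: str) -> str:
    """Policy name FutureVuls updates (or creates) for a given role."""
    return f"{POLICY_PREFIX}{role}"


def check_policies(roles, policies):
    """Classify each FutureVuls role against the Cloud One policy list.
      ready         -- policy exists and recommendation setting is Yes/No
      missing       -- no policy yet; FutureVuls will create one at scan time
      misconfigured -- policy inherits the setting, so the update would fail
      orphaned      -- "[Vuls] ..." policies that match no current role
    """
    by_name = {p["name"]: p for p in policies}
    result = {"ready": [], "missing": [], "misconfigured": [], "orphaned": []}
    for role in roles:
        expected = policy_name_for_role(role)
        policy = by_name.get(expected)
        if policy is None:
            result["missing"].append(expected)
        elif str(policy.get("recommendation_scan", "")).strip().lower() \
                not in ACCEPTED_RECOMMENDATION_MODES:
            result["misconfigured"].append(expected)
        else:
            result["ready"].append(expected)
    role_set = set(roles)
    for name in sorted(by_name):
        if name.startswith(POLICY_PREFIX) and name[len(POLICY_PREFIX):] not in role_set:
            result["orphaned"].append(name)
    return result


# Constructed sample data, not from a real account.
SAMPLE_ROLES = ["default", "web", "db"]
SAMPLE_POLICIES = [
    {"name": "[Vuls] default", "recommendation_scan": "Yes"},
    {"name": "[Vuls] web", "recommendation_scan": "Inherited (Yes)"},
    {"name": "[Vuls] batch", "recommendation_scan": "No"},
    {"name": "Base Policy", "recommendation_scan": "No"},
]
```

Running check_policies(SAMPLE_ROLES, SAMPLE_POLICIES) reports "[Vuls] web" as misconfigured and "[Vuls] db" as missing, which is exactly what the scan in step 5 would otherwise reveal only after the fact.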

After integration

  • Defended by CloudOne: “✔” icon, task status is Workaround
  • Detected by CloudOne: “!” icon, task status is unchanged
  • Intrusion prevention rule exists: “Magnifying glass on file” icon, there is an intrusion prevention rule in CloudOne, but the rule is not applied, so the task status is unchanged.

When the status changes

  • Change from defense by CloudOne to detection: task status is changed to New
  • Disconnect CloudOne integration: CloudOne information is deleted

Notes

Policy settings are created for each role, so appropriate server role management is necessary to enhance the effectiveness of integration.