Configuring data sources

Procedure

1. Go to Attack Surface Risk Management → Operations Dashboard.
2. Click the Data sources button in the upper right.

   Tip You can also access Data sources by clicking the button in Executive Dashboard or Attack Surface Discovery.

   A list of all Trend Micro and third-party data sources supported by Attack Surface Risk Management appears. Click a risk factor to highlight the data sources used to collect data for the specified risk factor.
3. Find and click the data source you wish to connect. A screen appears to explain the data permissions needed and the connection requirements for the specified data source.

   Important You must have allocated credits, a valid license, or an established account for the data source you wish to connect. Most Trend Micro data sources must be configured, connected, and managed in the app corresponding to the source. Most third-party data sources must be configured, connected, and managed in Third-Party Integration unless otherwise specified. Once a data source is connected, it may take a few minutes for the data source status to change.

   The following tables detail the data sources supported by Attack Surface Risk Management, the type of data collected from the data source, and the connection method.

   Trend Vision One XDR Sensors

   Source	Data collected	Connection method
   Endpoint Sensor	User, app, and web activities, and vulnerability assessment on monitored endpoints	Configure in Endpoint Inventory.
   Email Sensor	Email activities in Office 365 Exchange Online	Configure in Email Asset Inventory.
   Network Sensor	Detected threats in monitored endpoint traffic	Configure in Network Inventory.

   Trend Micro Security Services

   Source	Data collected	Connection method
   Standard Endpoint Protection	Users, applications, web activities, security settings, and detected threats on monitored endpoints	Configure in Endpoint Inventory.
   Server & Workload Protection	Users, applications, web activities, and detected threats on monitored endpoints	Configure in Endpoint Inventory.
   Trend Micro Apex One as a Service	Users, applications, web activities, and detected threats on monitored endpoints	Configure in Product Instance.
   Trend Micro Apex One On-premises	Security settings and detected threats on monitored endpoints	Configure in Product Instance.
   Cloud Email and Collaboration Protection	Detected threats and security settings from Google Gmail and Microsoft Office 365 apps.	Configure in Product Instance.
   Trend Cloud One - Conformity	Cloud configurations on AWS™, Microsoft® Azure, and Google Cloud™ environments	Ensure you have a license for Conformity. You may sign up for a free trial if necessary. Connect and configure your cloud accounts in Conformity. Conformity AWS data source setup Conformity Azure data source setup Conformity Google Cloud Platform data source setup Create and copy a new read-only API key in the Trend Cloud One console. In the Trend Vision One console, click on the Trend Cloud One - Conformity data source. Paste the API key into the corresponding field and click Check After the API key has been successfully checked, turn on Data upload permission. Click Save.
   Trend Cloud One - Endpoint & Workload Security	Users, applications, web activities, and detected threats on monitored endpoints	Configure in Product Instance.
   Trend Micro Deep Discovery Inspector	Targeted attacks and advanced threats in monitored network traffic	Configure in Network Inventory.
   Trend Micro Deep Security	Users, applications, web activities, and detected threats on monitored endpoints	Configure in Product Instance.
   Cloud Email Gateway Protection	Email activities, security settings, and detected threats on monitored email domains.	Configure in Product Instance.
   Trend Micro Web Security	Web activity and web application related data of monitored devices and users via Trend Micro Web Security	Connected when Zero Trust Secure Access - Internet Access is configured and deployed.
   Trend Micro Mobile Security	Cloud apps, mobile apps, threats, and user activities detected on monitored mobile devices	Configure in Mobile Inventory.
   Trend Vision One Phishing Simulations	Breach events from phishing simulations	Configure in Phishing Simulations.
   Trend Vision One Container Security	Vulnerabilities, detected threats, and system configuration risks on monitored containers and images	Configure in Container Inventory.
   TippingPoint Security Management System	Network detection logs and filter rule status	Connect TippingPoint in Network Inventory. Ensure you have installed and configured a Service Gateway virtual appliance. Enable the following on your Service Gateway: Forward proxy Log forwarding Suspicious Object List synchronization TippingPoint policy management
   Zero Trust Secure Access - Private Access	Users, device,s threat detections, and internal app activities from your internal network	Configure in Zero Trust Secure Access.
   Zero Trust Secure Access - Internet Access	Users, devices, threat detections, and cloud app activities to external networks	Configure in Zero Trust Secure Access.

   Third-Party Data Sources

   Source	Data collected or function performed	Connection method
   Active Directory (on-premises)	User information and activity data	Go to Workflow and Automation → Third-Party Integration. Find and click Active Directory (on-premises). Enable Active Directory integration. Follow the onscreen instructions to add your Active Directory server. Important Operations Dashboard and Zero Trust Secure Access both require data upload permission to ensure certain features function properly. Revoking data upload permission may prevent secure access policy enforcement and risk analysis.
   Google Cloud Identity	Directory data and activity data	Grant access permissions in your Google Cloud Identity tenant. Go to Workflow and Automation → Third-Party Integration. Configure your Google Cloud Identity tenant. You must configure the same tenant in which you granted permissions.
   Medigate	Third-party vulnerability assessment tool (SaaS)	Turn on Data upload permission and provide the country or region-specific Medigate URL and API key created for a Medigate user account with the appropriate role. For more information, see Medigate integration.
   Microsoft Entra ID	User information and activity data	Go to Workflow and Automation → Third-Party Integration and click Microsoft Entra ID. Locate one or multiple Microsoft Entra ID tenants that you want to grant permissions for, and click Grant permissions in the Status column for Attack Surface Risk Management. Follow the onscreen instructions to enable the data connection. For more information, see Microsoft Entra ID integration. Go back to Data sources, turn on Data upload permission and click Save.
   Nessus Pro	Nessus Pro user data on apps, devices, and behaviors	Go to Workflow and Automation → Third-Party Integration. Find and click Nessus Pro and follow the onscreen instructions to connect your account. For more information, see Nessus Pro Integration.
   Office 365	Usage and activities on Office 365 apps including OneDrive, SharePoint, and Teams	Turn on Data upload permission after you have connected Microsoft Entra ID. If desired, you may also turn permission off. Important Connecting Office 365 as a data source requires that you configure and connect Microsoft Entra ID as a data source. To do so, enable the Data upload permission toggle for Microsoft Entra ID and configure in Third-Party Integration.
   Okta	Allows access to user information and activity data	Obtain the Okta URL domain and API token from your Okta environment. For more information, see Obtaining your Okta URL domain and API token. Note Your Okta user account must have one of the following administrator privileges in Okta: API Access Management Admin Mobile Admin Read-Only Admin App Admin Org Admin Super Admin Go to Workflow and Automation → Third-Party Integration. Find and click Okta and follow the onscreen instructions to connect your account. For more information, see Okta integration. Important Operations Dashboard and Zero Trust Secure Access both require data upload permission to ensure certain features function properly. Revoking data upload permission may prevent secure access policy enforcement and risk analysis.
   OpenLDAP	Allows access to user information from your internal network	Ensure you have installed a Service Gateway and enabled the On-premises directory connection service. Go to Workflow and Automation → Third-Party Integration. Find and click OpenLDAP and follow the onscreen instructions to connect your server. For more information, see OpenLDAP integration.
   Qualys	Third-party vulnerability assessment tool (SaaS)	In your Qualys console, create a new account with an active subscription and the following permissions: Role: Reader Asset Management Permissions: Read Asset Allow access: API Asset Groups (assigned to) Add your Trend Vision One regional IP addresses for Attack Surface Risk Management to the list of trusted IP addresses in the Qualys console. Go back to Data sources and provide the username and password for the newly created account. Turn on Data upload permission and click Save and Verify. If desired, you may also turn permissions off. Note Qualys integration only provides CVE detection data and limited device information. For complete activity monitoring of exploit attempts and comprehensive device insights, install and enable Endpoint Sensor.
   Rapid7 - InsightVM	Third-party vulnerability assessment tools (SaaS)	From your Rapid7 console, obtain the Insight Platform URL and API key for a Rapid7 Insight user account with the Platform Admin role. For more information, see Rapid7 - InsightVM integration. Go back to Data sources and provide the newly obtained Platform URL and API key. Turn on Data upload permission and click Save. If desired, you may also turn permissions off.
   Rapid7 - Nexpose	Third-party vulnerability assessment tools (on-premises)	Ensure you have installed a Service Gateway with the Rapid7 - Nexpose connector service enabled. Go to Workflow and Automation → Third-Party Integration. Find and click Rapid7 - Nexpose and follow the onscreen instructions to connect your server. For more information, see Rapid7 - Nexpose integration.
   Rescana	Third-party tool for External Attack Surface Management	Important Enabling the Rescana integration switches the Attack Surface Risk Management data source for collecting internet-facing asset data to Rescana. After switching the data source, internet-facing asset data previously collected by Trend Micro solutions will no longer be available. Obtain the URL and API token for your Rescana account in your Rescana console. Go back to Data sources and provide the newly obtained URL and API token. Click Test connection to verify connectivity. Provide the URL and API token for your Rescana account. Click Connect. Important This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature.
   Salesforce	Salesforce metadata and information on system misconfigurations	Turn on Data upload permission after you have connected Salesforce in Third-Party Integration. For more information, see Salesforce integration. Important This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature.
   Splunk - Network Firewall / Web Gateway Logs	User activities on detected cloud apps	Go to Workflow and Automation → Third-Party Integration. Find and click Attack Surface risk Management for Splunk. Copy the displayed authentication token. Download and install the Attack Surface Risk Management for Splunk app. Use the authentication token to configure the app. For more information, see Attack Surface Risk Management for Splunk integration.
   Tanium Comply	Third-party vulnerability assessment tool (Saas)	Obtain the Tanium Comply URL and API token from the Tanium console using an account with the appropriate role. For more information, see Tanium Comply integration. Add your Trend Vision One regional IP addresses for Attack Surface Risk Management to the list of trusted IP addresses in the Tanium console. Go back to Data sources and provide the newly obtained URL and API token. Turn on Data upload permission and click Save. If desired, you may also turn permissions off.
   Tenable Security Center	Third-party vulnerability assessment tool (on-prem)	Ensure you have a Service Gateway installed with the Tenable Security Center connector service enabled. Go to Workflow and Automation → Third-Party Integration. Find and click Tenable Security Center and follow the onscreen instructions to connect your server. For more information, see Tenable Security Center data source setup.
   Tenable Vulnerability Management	Third-party vulnerability assessment tool (SaaS)	Obtain the Tenable Vulnerability Management secret key and access key from the Tenable Vulnerability Management console using an account with the appropriate permissions. For more information, see Tenable Vulnerability Management integration. Go back to Data sources and provide the newly obtained secret key and access key. Turn on Data upload permission and click Save. If desired, you may also turn permissions off.