Workspace ONE Trust Network

Workspace ONE Trust Network integrates threat data from security solutions including endpoint detection and response (EDR) solutions, mobile threat defense (MTD) solutions, and cloud access security brokers (CASB). This integration provides Workspace ONE Intelligence users with insights into the risks to devices and users in their environment. See how to register your specific Trust Network system with Intelligence.

Workspace ONE Intelligence displays event data for analysis in the Threats Summary module on the Security Risk dashboard.

FedRAMP consideration

NIST Special Publication 800-47 Rev. 1, Managing the Security of Information Exchanges, defines a system interconnection as the direct connection of two or more IT systems for the purpose of sharing data and other information resources.

Connecting IT systems is a customer-configured capability. Before you connect IT systems in Workspace ONE Intelligence, discuss the risks of connecting non-FedRAMP accredited information systems with your Authorizing Official. Workspace ONE on AWS GovCloud and, by extension, Workspace ONE Intelligence is a FedRAMP Moderate accredited information system. When you connect information systems to other systems with different security requirements and controls, carefully consider the risks.

Contact the Federal Support line (877-869-2730, OPTION 2) or submit a support request using My Workspace ONE for more details and to enable customer-controlled third-party connections to other systems.

How do you integrate a system?

To integrate your Trust Network system, perform these general tasks.

Note: If the Threats Summary shows no data after you have configured the service in Integrations, the configuration is not necessarily broken. It can mean that the Trust Network service has reported no events.

  1. In Workspace ONE Intelligence, register the Trust Network supported service in Integrations.
  2. View, analyze, and work with data in the Threats Summary module on the Security Risk dashboard.
  3. In Workflows, create a workflow using Trust Network triggers to act on threat intelligence data with available actions.

Threats Summary categories for Trust Network

The Threats Summary module aggregates and displays events collected from your Trust Network services. You can find specific data by dates, event counts, and threat categories. Workspace ONE Intelligence categorizes threats into several groups to help simplify analysis and remediation.

Threat Category Descriptions

| Threat Categories | Descriptions |
| --- | --- |
| Anomaly | Threats that involve an application, a device, or a network behavior that is unusual, suspicious, or abnormal. Examples include applications dropping an executable file or a privilege escalation. |
| Credential | Threats that involve the attempt to use compromised credentials in a malicious way. Examples include the reading of credentials from a security process and a running application using system credentials. |
| Device | Threats that involve using a device or other endpoint component with malicious intent. An example is an unauthorized application accessing a microphone or a camera. |
| Exfiltration | Threats that involve an attempt to carry out an unauthorized data transfer. Such a transfer can be manual and carried out by someone with physical access to a computer. It can also be automated and carried out through malicious programming over a network. |
| Exploit | Threats that involve taking advantage of a bug or vulnerability in an application or system, causing unintended behavior of that application or system. Examples include code injections and root enablers. |
| Malicious Web Host | Threats that involve an attempt to access a known malicious site or domain. Examples include spam, phishing, malware, and cryptojacking. |
| Malware | Threats that involve malicious software, intentionally designed to damage an endpoint, device, or network. Examples include ransomware, keyloggers, and spyware. |
| Network | Threats that involve a method or process used to attempt to compromise network security. Examples include man-in-the-middle attacks, port scanning, and unusual network protocols. |
| Other | Threats that do not fit into a category. |
| Policy | Threats that involve a device or endpoint breaking a company policy. Examples include installing an untrusted application and using a jailbroken or rooted device. |

Workspace ONE Mobile Threat Defense

Integrate your Workspace ONE Mobile Threat Defense service with Workspace ONE Intelligence so that Workspace ONE Intelligence can access threat intelligence data and display it for analysis.

To register Workspace ONE Mobile Threat Defense with Workspace ONE Intelligence, enter the application key generated from your Workspace ONE Mobile Threat Defense console.

Prerequisites

  • Use the Workspace ONE UEM console version required for Workspace ONE Intelligence. See Required Workspace ONE UEM console version for details.
  • Use Workspace ONE Mobile Threat Defense with the supported Workspace ONE Intelligent Hub or Lookout for Work client applications for iOS or Android.
  • Integrate your Workspace ONE Mobile Threat Defense console with Workspace ONE UEM. For information about this integration, see Integrate Workspace ONE Mobile Threat Defense with Workspace ONE UEM. You must integrate these systems before you can use threat intelligence data from the Workspace ONE Mobile Threat Defense console in Workspace ONE Intelligence.

Procedure

  1. Log in to the Workspace ONE Mobile Threat Defense console to generate a key for use in Workspace ONE Intelligence.
    1. Go to System > Application Keys.
    2. Select Generate Key to generate an application key.
    3. Give this key a label and then copy it to your dashboard.
    4. Save the key somewhere safe because you need to enter this key in Workspace ONE Intelligence.
  2. Log in to Workspace ONE Intelligence to authorize it to communicate with Workspace ONE Mobile Threat Defense.
    1. Go to Integrations > Data Sources > Workspace One Mobile Threat Defense > Set Up > Get Started.
      To access previously entered credentials, select the three dots (…) at the bottom right of the card and select Edit.
    2. In the Authorization Details area, enter the listed information for a successful connection.
      • Base URL - Enter the API endpoint URL for Workspace ONE Mobile Threat Defense, which is https://api.lookout.com.
      • Application Key - Enter the Application Key that you generated in the Workspace ONE Mobile Threat Defense console. This value sets the communication between Workspace ONE Intelligence and the Workspace ONE Mobile Threat Defense service.
    3. To finish the configuration, select Authorize.

BETTER Mobile

Integration between Workspace ONE Intelligence and BETTER Mobile involves copying generated data from the Workspace ONE Intelligence console and adding it to your BETTER Mobile administrator portal. This action authorizes Workspace ONE Intelligence to ingest threat intelligence data from BETTER Mobile and to display it for analysis.

This integration works for Android and iOS platforms.

Prerequisites

Before you can register BETTER Mobile, integrate your BETTER Mobile and your Workspace ONE UEM environments. For details, access the Setup integration content on the Better Mobile Security documentation site.

Use the Better MTD console 3.x or later for this integration.

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > Data Sources > BETTER Mobile > Set Up > Get Started.
  2. Enter an email on the Network Partner Setup Details tab. If there are any connection issues between BETTER Mobile and Workspace ONE Intelligence, the system notifies this email address.
  3. In the Network Partner Credentials tab, copy the generated information and add it to your BETTER Mobile administrator portal.
    • Hostname
    • Port
    • Integration Token
  4. To finish the configuration, select Done.

Carbon Black

Enter data that pertains to your Carbon Black connector for the CB Defense agent so that Workspace ONE Intelligence can access threat intelligence data and display it for analysis.

To register Carbon Black with Workspace ONE Intelligence, enter the keys and IDs for your Carbon Black API connector and your Carbon Black SIEM connector.

For information on how to generate API keys, how to subscribe to Carbon Black event notifications, and how to find the API endpoint URL of your Carbon Black instance, access the topic API Access on the Carbon Black /Developers site.

Privacy controls and geographic regions

Carbon Black has privacy controls in place that limit data from being forwarded outside of the region where the Carbon Black tenant is based. For a successful integration with Workspace ONE Intelligence, ensure that the Carbon Black tenant and the Workspace ONE Intelligence instance are both located within the same geographic region.

Find the Workspace ONE Intelligence regions listed at Allowlisting URLs by region. The table depicts the Carbon Black regions mapped to Workspace ONE Intelligence regions.

| Carbon Black Cloud Product URL | Carbon Black AWS Region Name | Carbon Black AWS Region | Workspace ONE Intelligence AWS Region |
| --- | --- | --- | --- |
| https://dashboard.confer.net, https://defense.conferdeploy.net, https://defense-prod05.conferdeploy.net | US East (Northern Virginia) | us-east-1 | Carbon Black us-east-1 customers can map to the Workspace ONE Intelligence North America regions (examples are NA1, Sandbox, and CA1). |
| https://defense-eu.conferdeploy.net | Europe (Frankfurt) | eu-central-1 | Carbon Black eu-central-1 customers can be mapped to the European Workspace ONE Intelligence regions (examples are EU1 and EU2). |
| https://ew2.carbonblackcloud.vmware.com | Europe (London) | eu-west-2 | Carbon Black eu-west-2 customers can be mapped to the London Workspace ONE Intelligence regions (an example is UK1). |
| https://defense-prodnrt.conferdeploy.net | Asia-Pacific (Tokyo) | ap-northwest-1 | Carbon Black ap-northwest-1 customers can be mapped to the Asia-Pacific Tokyo Workspace ONE Intelligence region (an example is AP1). |
| https://defense-prodsyd.conferdeploy.net | Asia-Pacific (Sydney) | ap-southeast-2 | Carbon Black ap-southeast-2 customers can be mapped to the Asia-Pacific Sydney Workspace ONE Intelligence region (an example is AU1). |

Examples of privacy controls

  • A customer accessing the US East Carbon Black console can integrate with Workspace ONE Intelligence instances located within the North American regions NA1, CA1, and Sandbox.
  • Customers that use the Frankfurt Carbon Black console can integrate with the Workspace ONE Intelligence instances located in the Central European regions EU1 and EU2.
  • Customers that use the London Carbon Black console can integrate with the Workspace ONE Intelligence instance located in the Western European region UK1.
  • Customers that use the Tokyo Carbon Black console can integrate with the Workspace ONE Intelligence instance located within the Northwest Asia Pacific region AP1.
  • Customers that use the Sydney Carbon Black console can integrate with the Workspace ONE Intelligence instance located within the Southeast Asia Pacific region AU1.
  • As cross-regional integrations are blocked due to privacy controls, a Carbon Black tenant located in eu-central-1 is blocked from passing data to a Workspace ONE Intelligence instance located in NA1.
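
A preflight check for the region pairing described above, as an added example (not VMware or Carbon Black code): it maps a Carbon Black console URL to its AWS region using only the values in the table on this page and reports whether a Workspace ONE Intelligence region name is a listed match. The function names and the ok/blocked/unknown statuses are assumptions made for illustration; because the page gives the Intelligence regions only as examples, a name it does not list returns unknown instead of blocked.

```python
from urllib.parse import urlsplit

# Carbon Black console host -> Carbon Black AWS region, transcribed from the
# table on this page (region identifiers are kept exactly as the page writes them).
CB_HOST_REGIONS = {
    "dashboard.confer.net": "us-east-1",
    "defense.conferdeploy.net": "us-east-1",
    "defense-prod05.conferdeploy.net": "us-east-1",
    "defense-eu.conferdeploy.net": "eu-central-1",
    "ew2.carbonblackcloud.vmware.com": "eu-west-2",
    "defense-prodnrt.conferdeploy.net": "ap-northwest-1",
    "defense-prodsyd.conferdeploy.net": "ap-southeast-2",
}

# Carbon Black AWS region -> example Workspace ONE Intelligence regions from the page.
INTEL_REGIONS = {
    "us-east-1": {"NA1", "SANDBOX", "CA1"},
    "eu-central-1": {"EU1", "EU2"},
    "eu-west-2": {"UK1"},
    "ap-northwest-1": {"AP1"},
    "ap-southeast-2": {"AU1"},
}


def carbon_black_region(console_url):
    """Return the Carbon Black AWS region for a console URL, or None if unlisted."""
    parts = urlsplit(console_url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError("expected an https:// Carbon Black console URL")
    # urlsplit lowercases the hostname; drop a trailing dot from a rooted name.
    return CB_HOST_REGIONS.get(parts.hostname.rstrip("."))


def check_pairing(console_url, intel_region):
    """Classify a tenant/instance pair as ('ok' | 'blocked' | 'unknown', detail)."""
    cb_region = carbon_black_region(console_url)
    intel = intel_region.strip().upper()
    if cb_region is None:
        return ("unknown", "console host is not in the page's table")
    if intel in INTEL_REGIONS[cb_region]:
        return ("ok", f"{cb_region} pairs with {intel}")
    # A region listed under a different Carbon Black region is a cross-regional
    # pairing, which the privacy controls block.
    for other, names in INTEL_REGIONS.items():
        if intel in names:
            return ("blocked", f"{intel} belongs to {other}, tenant is in {cb_region}")
    return ("unknown", f"{intel} is not among the example regions on the page")


if __name__ == "__main__":
    # The blocked case from the last bullet above: eu-central-1 tenant, NA1 instance.
    print(check_pairing("https://defense-eu.conferdeploy.net", "NA1"))
```

The input is the console URL the administrator signs in to, which is what the table lists; it is not necessarily the API endpoint entered as Base URL in the procedure.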

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > Data Sources > Carbon Black > Set Up > Get Started. To access previously entered credentials, select to Edit Carbon Black.
  2. In the Provide Credentials area, enter the information for a successful connection.
    • Base URL - Enter the API endpoint URL for your Carbon Black instance so that Workspace ONE Intelligence can access it. This string begins with https://.
    • API Key - Enter the value that gives Workspace ONE Intelligence permission to authenticate with your Carbon Black instance. This key with the ID provides access to Carbon Black APIs except notification APIs.
    • SIEM Key - Enter the value that gives Workspace ONE Intelligence permission to send notifications and alerts to devices that are part of SIEM systems. This key provides access to all Carbon Black notification APIs.
    • API Connector ID - Enter the value that works with the API Key to authenticate with your Carbon Black instance. This ID with the key provides access to Carbon Black APIs except notification APIs.
    • SIEM Connector ID - Enter the value that works with the SIEM Key to give Workspace ONE Intelligence access to Carbon Black APIs for notifications.
  3. To finish the configuration, select Authorize.

Check Point

Integration between Workspace ONE Intelligence and Harmony Mobile, Check Point’s Mobile Threat Defense solution, involves copying generated data from Workspace ONE Intelligence and adding it to your Check Point administrator portal. This action authorizes Workspace ONE Intelligence to ingest threat intelligence data from Check Point and to display it for analysis.

This integration works for Android and iOS platforms.

Prerequisites

Before you can use this Trust Network integration, integrate your Check Point Harmony Mobile and your Workspace ONE UEM environments. For details, access Integration with Workspace ONE UEM.

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > Data Sources > Check Point > Set Up > Get Started.
  2. Enter an email on the Network Partner Setup Details tab. If there are any connection issues between Check Point and Workspace ONE Intelligence, the system notifies this email address.
  3. In the Network Partner Credentials tab, copy the generated information and add it to your Harmony Mobile administrator portal in Settings > Syslog > Workspace ONE Intelligence.
    • Hostname
    • Port
    • Integration Token
  4. To finish the configuration, select Done.

Lookout for Work

Enter data that pertains to your Lookout for Work service so that Workspace ONE Intelligence can access threat intelligence data and display it for analysis.

To register Lookout for Work with Workspace ONE Intelligence, enter the application key configured in your Lookout for Work console.

Prerequisites

  • Use the Workspace ONE UEM console version required for Workspace ONE Intelligence.
  • Use the Lookout for Work client version 5.10.0 or newer for iOS or Android.

Integrate Lookout for Work and Workspace ONE UEM so that Workspace ONE UEM manages the Lookout for Work app. For information about this integration, go to the Lookout Enterprise Support site and see the Deploying Lookout with VMware AirWatch guide.

You must integrate these systems before you can use threat intelligence data from Lookout for Work in Workspace ONE Intelligence.

As part of the integration, you add application configuration parameters to the Lookout for Work app’s record in the Workspace ONE UEM console.

  • Configuration Key: Get this value from the app’s metadata.
  • Value Type: Select String.
  • Configuration Value: Enter both parameters exactly. If you misspell a parameter or add a bracket where one is not needed, the parameter does not work.
    • DeviceUniqueIdentifier
    • DeviceUUID}

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > Data Sources > Lookout > Set Up > Get Started. To access previously entered credentials, select to Edit Lookout for Work.
  2. In the Provide Credentials area, enter the information for a successful connection.
    • Base URL - Enter the API endpoint URL for Lookout for Work, which is https://api.lookout.com.
    • Application Key - Enter the value that sets the communication between Workspace ONE Intelligence and Lookout for Work.
  3. To finish the configuration, select Authorize.

Netskope

Enter data that pertains to your Netskope instance so that Workspace ONE Intelligence can access cloud security threat data and display it for analysis.

To register Netskope with Workspace ONE Intelligence, enter the Netskope application key set in the Netskope console.

Prerequisites

Integrate Netskope and Workspace ONE UEM so that Workspace ONE UEM manages the Netskope app.

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > Data Sources > Netskope > Set Up > Get Started. To access previously entered credentials, select to Edit Netskope.
  2. In the Connection Permissions area, view the data to which Workspace ONE Intelligence wants access.
  3. In the Provide Credentials area, enter the information for a successful connection.
    • Base URL - Enter the URL for Netskope so that Workspace ONE Intelligence can access it. This string begins with https://.
    • Application Key - Enter the value that sets the communication between Workspace ONE Intelligence and Netskope.
  4. To finish the configuration, select Authorize.

Pradeo

Integration between Workspace ONE Intelligence and Pradeo Security involves copying generated data from Workspace ONE Intelligence and adding it to your Pradeo administrator portal. This action authorizes Workspace ONE Intelligence to ingest threat intelligence data from Pradeo Security and to display it for analysis.

This integration works for Android and iOS platforms.

Prerequisites

Before you can use this Trust Network integration, integrate your Pradeo and your Workspace ONE UEM environments. For details, access the article Pradeo enriches VMware Workspace ONE with Mobile Threat Intelligence.

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > Data Sources > Pradeo > Set Up > Get Started. To access previously entered credentials, select to Edit Pradeo.
  2. Enter an email on the Network Partner Setup Details tab.
  3. In the Network Partner Credentials tab, copy the generated information and add it to your Pradeo Security administrator portal.
    • Integration Token
    • Hostname
    • Port
  4. To finish the configuration, select Done.

Wandera

Integration between Workspace ONE Intelligence and Wandera’s Mobile Threat Defense system involves copying generated data from Workspace ONE Intelligence and adding it to your Wandera administrator portal.

This action authorizes Workspace ONE Intelligence to ingest threat intelligence data from Wandera and to display it for analysis.

This integration works for Android and iOS platforms.

Prerequisites

Before you can use this Trust Network integration, integrate your Wandera and your Workspace ONE UEM environments. For details, use your Wandera account to access the listed articles.

  • Integrating Threat Events Stream with Workspace ONE Intelligence
  • EMM Connect Workspace ONE Configuration Guide

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > Data Sources > Wandera > Set Up > Get Started. To access previously entered credentials, select to Edit Wandera.
  2. Enter an email on the Network Partner Setup Details tab.
  3. In the Network Partner Credentials tab, copy the generated information and add it to your Wandera administrator portal.
    • Integration Token
    • Hostname
    • Port
  4. To finish the configuration, select Done.

Zimperium

Integration between Workspace ONE Intelligence and Zimperium involves copying generated data from Workspace ONE Intelligence and adding it to your Zimperium zConsole. This action authorizes Workspace ONE Intelligence to ingest threat intelligence data from Zimperium and to display it for analysis.

This integration works for Android and iOS platforms.

Prerequisites

  • This integration requires zConsole 4.28 or later.
  • Integrate Zimperium and Workspace ONE UEM using the documentation on the Zimperium support portal. Use your Zimperium support portal credentials to access the documentation.

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > Data Sources > Zimperium > Set Up > Get Started. To access previously entered credentials, select to Edit Zimperium.
  2. Enter an email on the Network Partner Setup Details tab.
  3. In the Network Partner Credentials tab, copy the generated information and add it to your Zimperium zConsole.
    • Integration Token
    • Hostname
    • Port
  4. To finish the configuration, select Done.