Workspace ONE Trust Network integrates threat data from security solutions including endpoint detection and response (EDR) solutions, mobile threat defense (MTD) solutions, and cloud access security brokers (CASB). This integration provides Workspace ONE Intelligence users with insights into the risks to devices and users in their environment. See how to register your specific Trust Network system with Intelligence.

Workspace ONE Intelligence displays event data for analysis in the Threats Summary module on the Security Risk dashboard.

FedRAMP Consideration

The NIST Special Publication 800-47 Rev.1: Managing the Security of Information Exchanges defines a system interconnection as the direct connection of two or more IT systems for the purpose of sharing data and other information resources.

Connecting IT systems is a customer configured capability. Before you connect IT systems in Workspace ONE Intelligence, discuss the risks of connecting non-FedRAMP accredited information systems with your Authorizing Official. Workspace ONE on AWS GovCloud, and by extension, Workspace ONE Intelligence is a FedRAMP Moderate, accredited information system. When you connect information systems to other systems with different security requirements and controls, carefully consider the risks.

Contact the Federal Support line (877-869-2730, OPTION 2) or submit a support request using My Workspace ONE for more details and to enable customer-controlled third party connections to other systems.

How Do You Integrate a System?

To integrate your Trust Network system, perform these general tasks.

  1. In Workspace ONE Intelligence, register the Trust Network supported service in Integrations.
  2. View, analyze, and work with data in the Threats Summary module on the Security Risk dashboard. Note: If you see no data identified in the Threats Summary after you have configured the service in Integrations, it does not mean that the configuration is broken. It can suggest that there have been no events reported from the Trust Network service.
  3. In Automations, create a workflow using Trust Network triggers to act on threat intelligence data with available actions.

Threats Summary Categories for Trust Network

The Threats Summary module aggregates and displays events collected from your Trust Network services. You can find specific data by dates, event counts, and threat categories. Workspace ONE Intelligence categorizes threats into several groups to help simplify analysis and remediation.

Threat Category Descriptions

Threat Categories Descriptions
Anomaly Threats that involve an application, a device, or a network behavior that is unusual, suspicious, or abnormal. Examples include applications dropping an executable file or a privilege escalation.
Credential Threats that involve the attempt to use compromised credentials in a malicious way. Examples include the reading of credentials from a security process and a running application using system credentials.
Device Threats that involve using a device or other endpoint component with malicious intent. An example is an unauthorized application accesses a microphone or a camera.
Exfiltration Threats that involve an attempt to carry out an unauthorized data transfer. Such a transfer can be manual and carried out by someone with physical access to a computer. It can also be automated and carried out through malicious programming over a network.
Exploit Threats that involve taking advantage of a bug or vulnerability in an application or system, causing unintended behavior of that application or system. Examples include code injections and root enablers.
Malicious Web Host Threats that involve an attempt to access known malicious site or domain. Examples include spam, phishing, malware, and cryptojacking.
Malware Threats that involve malicious software, intentionally designed to damage an endpoint, device, or network. Examples include ransom ware, key logger, and spyware.
Network Threats that involve a method or process used to attempt to compromise network security. Examples include man-in-the-middle attacks, port scanning, and unusual network protocols.
Other Threats that do not fit into a category.
Policy Threats that involve a device or endpoint breaking a company policy. Examples include installing a untrusted application and using a jailbroken or rooted device.

BETTER Mobile

Integration between Workspace ONE Intelligence and BETTER Mobile involves copying generated data from the Workspace ONE Intelligence console and adding it to your BETTER Mobile administrator portal. This action authorizes Workspace ONE Intelligence to ingest threat intelligence data from BETTER Mobile and to display it for analysis.

This integration works for Android and iOS platforms.

Prerequisites

Before you can register BETTER Mobile, integrate your BETTER Mobile and your Workspace ONE UEM environments. For details, access the Setup integration content on the Better Mobile Security documentation site.

Use the Better MTD console 3.x or later for this integration.

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > BETTER Mobile > Set Up > Get Started.
  2. Enter an email on the Network Partner Setup Details tab. If there are any connection issues between Check Point and Workspace ONE Intelligence, the system notifies this email address.
  3. In the Network Partner Credentials tab, copy the generated information and add them to your BETTER Mobile administrator portal.

    • Hostname
    • Port
    • Integration Token
  4. To finish the configuration, select Done.

Carbon Black

Enter data that pertains to your Carbon Black connector for the CB Defense agent so that Workspace ONE Intelligence can access threat intelligence data and display it for analysis.

To register Carbon Black with Workspace ONE Intelligence, enter the keys and IDs for your Carbon Black API connector and your Carbon Black SIEM connector.

For information on how to generate API keys, subscribe to Carbon Black event notifications, and the API endpoint URL of your Carbon Black instance, access the topic API Access on the Carbon Black /Developers site.

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > Carbon Black > Set Up > Get Started. To access previously entered credentials, select to Edit Carbon Black.
  2. In the Provide Credentials area, enter the information for a successful connection.
    • Base URL: Enter the API endpoint URL for your Carbon Black instance so that Workspace ONE Intelligence can access it. This string begins with https://.
    • API Key - Enter the value that gives Workspace ONE Intelligence permission to authenticate with your Carbon Black instance. This key with the ID provides access to Carbon Black APIs except notification APIs.
    • SIEM Key - Enter the value that gives Workspace ONE Intelligence permission to send notifications and alerts to devices that are part of SIEM systems. This key provides access to all Carbon Black notification APIs.
    • API Connector ID - Enter the value that works with the API Key to authenticate with your Carbon Black instance. This ID with the key provides access to Carbon Black APIs except notification APIs.
    • SIEM Connector ID - Enter the value that works with the SIEM Key to give Workspace ONE Intelligence access to Carbon Black APIs for notifications.
  3. To finish the configuration, select Authorize.

Check Point

Integration between Workspace ONE Intelligence and SandBlast Mobile, Check Point's Mobile Threat Defense solution, involves copying generated data from Workspace ONE Intelligence and adding it to your Check Point administrator portal. This action authorizes Workspace ONE Intelligence to ingest threat intelligence data from Check Point and to display it for analysis.

This integration works for Android and iOS platforms.

Prerequisites

Before you can use this Trust Network integration, integrate your Check Point SandBlast Mobile and your Workspace ONE UEM environments. For details, access SandBlast Mobile for Workspace ONE UEM.

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > Check Point > Set Up > Get Started. To access and edit previously entered credentials, go to Integrations > Check Point > ... > Edit.
  2. Enter an email on the Network Partner Setup Details tab. If there are any connection issues between Check Point and Workspace ONE Intelligence, the system notifies this email address.
  3. In the Network Partner Credentials tab, copy the generated information and add them to your SandBlast Mobile administrator portal in Settings > Syslog > Workspace ONE Intelligence.

    • Hostname
    • Port
    • Integration Token
  4. To finish the configuration, select Done.

Lookout for Work

Enter data that pertains to your Lookout for Work service so that Workspace ONE Intelligence can access threat intelligence data and display it for analysis.

To register Lookout for Work with Workspace ONE Intelligence, enter the application key configured in your Lookout for Work console.

Prerequisites

  • Use Workspace ONE UEM console version required for Workspace ONE Intelligence.
  • Use the Lookout for Work client version 5.10.0 or newer for iOS or Android.

Integrate Lookout for Work and Workspace ONE UEM so that Workspace ONE UEM manages the Lookout for Work app. For information about this integration, go to the Lookout Enterprise Support site see the Deploying Lookout with VMware AirWatch guide.

You must integrate these systems before you can use threat intelligence data from Lookout for Work in Workspace ONE Intelligence.

As part of the integration, you add application configuration parameters to the Lookout for Work app's record in the Workspace ONE UEM console.

  • Configuration Key: Get this value from the app's metadata.
  • Value Type: Select String.
  • Configuration Value: Enter both parameters exactly. If you misspell a parameter or add a bracket where one is not needed, the parameter does not work.
    • DeviceUniqueIdentifier
    • DeviceUUID}

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > Lookout > Set Up > Get Started. To access previously entered credentials, select to Edit Lookout for Work.
  2. In the Provide Credentials area, enter the information for a successful connection.
    • Base URL - Enter the API endpoint URL for Lookout for Work, which is https://api.lookout.com.
    • Application Key - Enter the value that sets the communication between Workspace ONE Intelligence and Lookout for Work.
  3. To finish the configuration, select Authorize.

Netskope

Enter data that pertains to your Netskope instance so that Workspace ONE Intelligence can access cloud security threat data and display it for analysis.

To register Netskope with Workspace ONE Intelligence, enter the Netskope application key set in the Netskope console.

Prerequisites

Integrate Netskope and Workspace ONE UEM so that Workspace ONE UEM manages the Netskope app.

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > Netskope > Set Up > Get Started. To access previously entered credentials, select to Edit Netskope.
  2. In the Connection Permissions area, view the data to which Workspace ONE Intelligence wants access.
  3. In the Provide Credentials area, enter the information for a successful connection.
    • Base URL - Enter the URL for Netskope so that Workspace ONE Intelligence can access it. This string begins with https://.
    • Application Key - Enter the value that sets the communication between Workspace ONE Intelligence and Netskope.
  4. To finish the configuration, select Authorize.

Pradeo

Integration between Workspace ONE Intelligence and Pradeo Security involves copying generated data Workspace ONE Intelligence and adding it to your Pradeo administrator portal. This action authorizes Workspace ONE Intelligence to ingest threat intelligence data from Pradeo Security and to display it for analysis.

This integration works for Android and iOS platforms.

Prerequisites

Before you can use this Trust Network integration, integrate your Pradeo and your Workspace ONE UEM environments. Access Pradeo enriches VMware Workspace ONE with Mobile Threat Intelligence.

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > Pradeo > Set Up > Get Started. To access previously entered credentials, select to Edit Pradeo.
  2. Enter an email on the Network Partner Setup Details tab.
  3. In the Network Partner Credentials tab, copy the generated information and add them to your Pradeo Security administrator portal.

    • Integration Token
    • Hostname
    • Port
  4. To finish the configuration, select Done.

Wandera

Integration between Workspace ONE Intelligence and Wandera's Mobile Threat Defense system involves copying generated data from Workspace ONE Intelligence and adding it to your Wandera administrator portal.

This action authorizes Workspace ONE Intelligence to ingest threat intelligence data from Wandera and to display it for analysis.

This integration works for Android and iOS platforms.

Prerequisites

Before you can use this Trust Network integration, integrate your Wandera and your Workspace ONE UEM environments. For details, use your Wandera account to access the listed articles. - Integrating Threat Events Stream with Workspace ONE Intelligence - EMM Connect Workspace ONE Configuration Guide

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > Wandera > Set Up > Get Started. To access previously entered credentials, select to Edit Wandera.
  2. Enter an email on the Network Partner Setup Details tab.
  3. In the Network Partner Credentials tab, copy the generated information and add them to your Wandera administrator portal.
    • Integration Token
    • Hostname
    • Port
  4. To finish the configuration, select Done.

Zimperium

Integration between Workspace ONE Intelligence and Zimperium involves copying generated data from Workspace ONE Intelligence and adding it to your Zimperium zConsole. This action authorizes Workspace ONE Intelligence to ingest threat intelligence data from Zimperium and to display it for analysis.

This integration works for Android and iOS platforms.

Prerequisites

  • This integration works with the minimum version of zConsole 4.28 and later.
  • Integrate Zimperium and Workspace ONE UEM using the documentation on the Zimperium support portal. Use your Zimperium support portal credentials to access the documentation.

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > Zimperium > Set Up > Get Started. To access previously entered credentials, select to dEdit Zimperium.
  2. Enter an email on the Network Partner Setup Details tab.
  3. In the Network Partner Credentials tab, copy the generated information and add them to your Zimperium zConsole.
    • Integration Token
    • Hostname
    • Port
  4. To finish the configuration, select Done.
check-circle-line exclamation-circle-line close-line
Scroll to top icon