Trend Cloud One Main

Cross-Account Scanner Deployment Issue Resolved

Mon, 13 Jul 2020 00:00:00 GMT

July 13, 2020, File Storage Security—The scanner stack would not scan if it was deployed in a different AWS account from the storage stack in a cross-account scenario. This issue has been fixed.

Request Preview Access button added to File Storage Security page

Wed, 15 Jul 2020 00:00:00 GMT

July 15, 2020, File Storage Security—The Request Preview Access button is now available on the Coming Soon page.

Management role ARN submission failure notification fixed during stack creation

Wed, 15 Jul 2020 00:00:00 GMT

July 15, 2020, File Storage Security—During a stack creation, a failure notification may have been incorrectly displayed when you submitted the management role ARN. This issue has been fixed.

Improved tooltips in stacks table for enhanced user experience

Thu, 30 Jul 2020 00:00:00 GMT

July 30, 2020, File Storage Security—The console now displays useful on-hover tooltips in the stacks table.

Enhanced Stack Table Sorting and Infinite Scrolling Feature

Tue, 11 Aug 2020 00:00:00 GMT

August 11, 2020, File Storage Security—The stack table now supports sorting by stack name and infinite scrolling.

Data Collection Notice now accessible for File Storage Security

Tue, 18 Aug 2020 00:00:00 GMT

August 18, 2020, File Storage Security—The Data Collection Notice is now available here.

Enhanced User Interface for File Storage Security Stack Table

Tue, 25 Aug 2020 00:00:00 GMT

August 25, 2020, File Storage Security—The header of the stack table now sticks to the top while the stack table is scrolling vertically.

The stack table now displays the default message if no data is received from the API.

The storage stack table is now a fluid width. (The scanner stack table remains a static width.)

S3 bucket objects now encrypted with SSE-S3 for enhanced security

Mon, 07 Sep 2020 00:00:00 GMT

September 07, 2020, File Storage Security—The objects in the `CopyZipsDestBucket` S3 bucket are now encrypted using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3). This functionality requires a stack update.

Improved error message display for console loading issues

Fri, 11 Sep 2020 00:00:00 GMT

September 11, 2020, File Storage Security—When a problem occurs loading the console, a friendly error message is now displayed in the browser window instead of a blank page.

BytesTransferred attribute removed from File Storage Security scanner result message

Mon, 14 Sep 2020 00:00:00 GMT

September 14, 2020, File Storage Security—The `BytesTransferred` attribute is no longer included in the scanner result message.

ScanningBucket resource removed, scanning now on existing buckets with stack update

Mon, 21 Sep 2020 00:00:00 GMT

September 21, 2020, File Storage Security—The ScanningBucket resource was removed from the storage stack. The storage stack now only supports scanning on an existing bucket. This functionality requires a stack update.

Improved File Storage Security AWS Tag Handling

Mon, 21 Sep 2020 00:00:00 GMT

September 21, 2020, File Storage Security—The PostScanActionTagLambda no longer overwrites a file's existing AWS tags with its own `fss-*` tags. (If a file has previously been scanned, and is then scanned again, its existing `fss-*` tags will be overwritten by newer ones from the latest scan.) This functionality requires a stack update.

Improved User Interface and Functionality for File Storage Security

Fri, 25 Sep 2020 00:00:00 GMT

September 25, 2020, File Storage Security—The stack table now displays a spinner when data is loading.

The Scanner Policy and Storage Policy columns were removed from the console's main page since they didn't contain enough information to justify their presence.

The Deploy All-in-One Stack dialog box now displays a link to the Help Center.

An Add Post-Scan Action button now appears on the console's main page.

The instructions in the Deploy All-in-One Stack and Add Storage dialog boxes are now more descriptive.

The stack table can now be resized.

Enhanced IAM permissions for Scanner and Storage Stacks

Thu, 08 Oct 2020 00:00:00 GMT

October 08, 2020, File Storage Security—Scanner stacks and storage stacks now create IAM policies with more limited permissions. This functionality requires a stack update.

New default stack names introduced for File Storage Security

Mon, 12 Oct 2020 00:00:00 GMT

October 12, 2020, File Storage Security—The default stack names are now `All-in-one-TM-FileStorageSecurity` and `Storage-TM-FileStorageSecurity`.

Enhanced IAM Role Permissions for Scanner and Storage Stacks

Fri, 16 Oct 2020 00:00:00 GMT

October 16, 2020, File Storage Security—Scanner stacks and storage stacks now create management-related IAM roles with more limited permissions. This functionality requires a stack update.

Enhanced File Storage Security with Deploy Button and Delete Stack API

Wed, 11 Nov 2020 00:00:00 GMT

November 11, 2020, File Storage Security—A Deploy button now appears on the console's main page.

The Deploy dialog box contains the two clickable options. Deploy All-in-One Stack and Deploy Scanner Stack.

New Delete Stack API for deleting stacks.

List Stacks API now returns correct 'next' attribute for improved paging functionality

Wed, 11 Nov 2020 00:00:00 GMT

November 11, 2020, File Storage Security—List Stacks API now returns the correct attribute, `next` (instead of `cursor`), for paging the results.

Enhanced Deployment and Stack Management Features for File Storage Security

Tue, 17 Nov 2020 00:00:00 GMT

November 17, 2020, File Storage Security—The Deploy All-in-One Stack, Deploy Scanner Stack and Deploy Storage Stack dialog boxes now support deploying to the dedicated AWS regions.

Scanner stacks and storage stacks can now be deleted.

Change of the background color of the active stack.

The stack output now provides the value of the SNS ScanResultTopic ARN for the all-in-one stack and storage stack. This functionality requires a stack update.

File Storage Security now globally available

Wed, 18 Nov 2020 00:00:00 GMT

November 18, 2020, File Storage Security—File Storage Security has left private preview and is now globally available.

Memory leak issues resolved in scanner stack

Thu, 19 Nov 2020 00:00:00 GMT

November 19, 2020, File Storage Security—Fix memory leaks in scanner stack.

Enhanced AWS Region Selector in Deploy Modal for File Storage Security

Fri, 27 Nov 2020 00:00:00 GMT

November 27, 2020, File Storage Security—The AWS region selector in Deploy modal dialog boxes now displays the default value based on the last selected.

Trend Micro Cloud One - Container Security now released

Tue, 01 Dec 2020 00:00:00 GMT

December 01, 2020, Container Security—Trend Micro Cloud One - Container Security is now available.

Scanner Stacks No Longer Collect S3 Object Keys by Default

Tue, 01 Dec 2020 00:00:00 GMT

December 01, 2020, File Storage Security—From now on, scanner stacks do not collect S3 object keys by default.

Geolocation Filtering for Enhanced Network Security Protection

Tue, 08 Dec 2020 00:00:00 GMT

December 08, 2020, Network Security—Geolocation Filtering: Provides the ability to block incoming and outgoing IPv4 requests according to countries or regions. Learn more.

AWS Network Firewall integration enhances threat detection and disruption on AWS-managed networks

Tue, 08 Dec 2020 00:00:00 GMT

December 08, 2020, Network Security—AWS Network Firewall: Enables you to pair Network Security’s industry-leading threat intelligence with your AWS-managed network infrastructure to detect and disrupt common network-based threats. Learn more.

Enhanced Cost Allocation Tags for Network Security

Tue, 08 Dec 2020 00:00:00 GMT

December 08, 2020, Network Security—Vendor-provided cost allocation tags: A Network Security cost allocation tag that presents more detailed information about the various costs in your AWS environment. Learn more.

Advanced Search supports Fail Open criteria for Firewall Events

Mon, 04 Jan 2021 00:00:00 GMT

January 04, 2021, Workload Security—You were unable to do an advanced search on Events & Reports > Firewall Events > Advanced Search with the Search criteria set to "Action" and "Fail Open" entered as the search value.

Improved Agent Certificate Generation to Prevent Connection Issues

Tue, 05 Jan 2021 00:00:00 GMT

January 05, 2021, Workload Security—When Trend Cloud One - Endpoint & Workload Security generated a new certificate for an agent that already had one, there were sometimes connection issues.

Stack table columns can now be resized

Tue, 05 Jan 2021 00:00:00 GMT

January 05, 2021, File Storage Security—The columns of the stack table can now be resized.

Activity Monitoring now generally available for enhanced detection and analysis

Wed, 06 Jan 2021 00:00:00 GMT

January 06, 2021, Workload Security—Trend Cloud One - Endpoint & Workload Security XDR Activity Monitoring is now out of preview and generally available to all customers. When Activity Monitoring is enabled, additional information is collected by Trend Cloud One - Endpoint & Workload Security and forwarded to Trend Micro XDR to provide correlated detection and root cause analysis capabilities.

Simplified NSX Manager changes in vCenter for easier management

Thu, 07 Jan 2021 00:00:00 GMT

January 07, 2021, Workload Security—Updated vCenter to make changing an NSX Manager simpler by using the Remove NSX Manager button (Properties > NSX Manager) rather than editing the Manager Address: field.

Reduced Hourly Price for Extra Large and Not Cloud Instances on AWS Trend Cloud One

Mon, 11 Jan 2021 00:00:00 GMT

January 11, 2021, Workload Security—For subscribers to the Trend Cloud One listing on AWS, the hourly price of Extra Large and Not Cloud instances has been reduced from $0.06 USD to $0.045 USD per instance.

Note: This change applies only to the Trend Cloud One listing, the pricing for the Trend Micro Deep Security listing is unchanged.

Enhanced Resource Prefix Configuration for File Storage Security

Thu, 14 Jan 2021 00:00:00 GMT

January 14, 2021, File Storage Security—All-in-one stacks, scanner stacks and storage stacks can now specify resource prefix for IAM role name, IAM policy name, bucket name, Lambda function name, Lambda layer name, SQS queue name and SNS policy name. This functionality requires a stack update.

Enhanced File Storage Security supports scanning S3 buckets with SSE-KMS encryption

Fri, 15 Jan 2021 00:00:00 GMT

January 15, 2021, File Storage Security—File Storage Security can now scan S3 buckets that have server-side encryption with customer master keys (CMKs) stored in AWS Key Management Service (SSE-KMS). This functionality requires a stack update.

Network Security now available for Azure deployment

Fri, 15 Jan 2021 00:00:00 GMT

January 15, 2021, Network Security—Network Security for Azure is now generally available. Learn more about deploying Network Security on Azure.

Workload Security now supports Amazon Linux 2 on AWS ARM-based Graviton 2

Wed, 20 Jan 2021 00:00:00 GMT

January 20, 2021, Workload Security—The agent now supports Amazon Linux 2 on AWS ARM-based Graviton 2. The agent currently supports the Firewall, Intrusion Prevention, and Web Reputation protection modules. Other protection modules are coming soon.

AIX platform now supports Anti-Malware detection

Wed, 20 Jan 2021 00:00:00 GMT

January 20, 2021, Workload Security—This release adds support for Anti-Malware on the AIX platform.

Behavior Monitoring now supported on Linux platform

Wed, 20 Jan 2021 00:00:00 GMT

January 20, 2021, Workload Security—This release adds support for Behavior Monitoring on the Linux platform.

Improved Display of Add Group(s) Pop-up Menu in Computers Tab

Mon, 25 Jan 2021 00:00:00 GMT

January 25, 2021, Workload Security—In the Computers tab of Trend Cloud One - Endpoint & Workload Security, when the Create Group(s) button was clicked, it sometimes failed to display the Add Group(s) pop-up menu properly.

Linux configurations now supported for relay version installation

Mon, 25 Jan 2021 00:00:00 GMT

January 25, 2021, Workload Security—Trend Cloud One - Endpoint & Workload Security was unable to install the correct relay version under some Linux configurations.

Corrected role rights after Trend Vision One onboarding

Mon, 25 Jan 2021 00:00:00 GMT

January 25, 2021, Workload Security—After completing Trend Vision One onboarding, some roles (Administration > User Management > Roles) did not have the correct rights assigned to them.

Trend Cloud One Enhancements: New Compliance and SOC Reports Available

Tue, 26 Jan 2021 00:00:00 GMT

January 26, 2021, Workload Security—Trend Cloud One - Endpoint & Workload Security has added compliance for ISO27014, ISO27017 and now has a SOC 2 and SOC 3 report available. For details, please see the Trend Cloud One Trust Center.

Additional static IP addresses added for Cloud One - Endpoint & Workload Security relays

Thu, 28 Jan 2021 00:00:00 GMT

January 28, 2021, Workload Security—On 2021-03-01, Trend Micro is adding additional static IP addresses for the relays hosted by Trend Cloud One - Endpoint & Workload Security. If you are using an Trend Cloud One - Endpoint & Workload Security account created on or before 2020-11-23 and apply egress traffic policy based on the static IP addresses defined in Port numbers, URLs, and IP addresses, read Addition of new static relay IP's for Cloud One accounts created before 2020-11-23 for details on this change and the action required to ensure your service continues without interruption.

Trend Micro discontinues Deep Security as a Service subscription options on AWS Marketplace

Fri, 29 Jan 2021 00:00:00 GMT

January 29, 2021, Workload Security—Beginning 2021-03-01, Trend Micro will no longer offer Deep Security as a Service | Annual + Pay as You Go subscription options to new subscribers on the AWS Marketplace. If you are currently subscribed you can continue to use the service until the end of your term, and there will be no impact to usage of the service. This service is now available as part of Trend Cloud One on AWS Marketplace.

Credit card payments no longer accepted for Workload Security subscriptions

Fri, 29 Jan 2021 00:00:00 GMT

January 29, 2021, Workload Security—Beginning 2021-03-31, Trend Micro will no longer accept credit card payments for Trend Cloud One - Endpoint & Workload Security or Deep Security as a Service. Customers currently subscribed using the credit card billing option through Trend Micro's billing partner, Cleverbridge, will need to transition to a supported payment option before March 31st to avoid any potential interruption in service.

Enhanced Domain Filtering with FQDN APIs

Wed, 10 Feb 2021 00:00:00 GMT

February 10, 2021, Network Security—Domain filtering: With appliance version 2021.1.0.10892 you can use APIs to create and manage a list of fully qualified domain names (FQDNs) that have permitted access to your environment. Learn more about using these FQDN APIs.

Enhanced Filter Searches for Precise Network Security Results

Wed, 10 Feb 2021 00:00:00 GMT

February 10, 2021, Network Security—Filter searches: Filter searches now include exact-match results for platform, protocol, and category searches. You can also narrow your results by enclosing multi-word searches in quotes for exact-match results. Learn more about these enhancements.

Improved display speed for Integrity Monitoring events

Fri, 12 Feb 2021 00:00:00 GMT

February 12, 2021, Workload Security—Applying certain filters to Integrity Monitoring events (Events & Reports > Events > Integrity Monitoring) caused an extended delay before the events were displayed.

File Storage Security Enhanced with Python 3.8 Upgrade

Wed, 17 Feb 2021 00:00:00 GMT

February 17, 2021, File Storage Security—The Python runtime of `CopyZipsLambda` has been upgraded to 3.8 to address the AWS SDK change. This functionality requires a stack update.

Improved Report Generation Performance in Trend Cloud One - Endpoint & Workload Security

Thu, 18 Feb 2021 00:00:00 GMT

February 18, 2021, Workload Security—Trend Cloud One - Endpoint & Workload Security sometimes timed out when attempting to generate a report (Events & Reports > Generate Reports).

Container Security now allows separate actions for each rule in Admission Policies page

Wed, 24 Feb 2021 00:00:00 GMT

February 24, 2021, Container Security—The Container Security Admission Policies page now enables you to specify separate actions for each rule. For details, see the Container Security help.

Improved wildcard functionality for file and directory exclusions in Trend Cloud One

Wed, 24 Feb 2021 00:00:00 GMT

February 24, 2021, Workload Security—Updated Trend Cloud One - Endpoint & Workload Security to improve wildcard functionality for file and directory exclusions (Policies > Common Objects > Other > Malware Scan Configurations). Details on wildcard use are provided in the Exclusions tab of any File List or Directory List.

Improved System Event Reports in Workload Security's Trend Cloud One

Wed, 24 Feb 2021 00:00:00 GMT

February 24, 2021, Workload Security—Trend Cloud One - Endpoint & Workload Security "System Event Reports" (Events & Reports > Generate Reports) sometimes had no data in the section for "Most Active Computers Ranked by Number of System Events."

Scheduled Maintenance Required for Pre-2018 Trend Cloud One Accounts

Mon, 01 Mar 2021 00:00:00 GMT

March 01, 2021, Workload Security—Scheduled maintenance will be required for all Trend Cloud One accounts that were created before 2018-10-31. For more information see Trend Cloud One Maintenance.

Enhanced Namespace Rule Customization for Cluster Security

Tue, 02 Mar 2021 00:00:00 GMT

March 02, 2021, Container Security—Previously, the policy assigned to a cluster applied the same set of rules to the entire cluster. Now, if your cluster contains more than one namespace, you can define separate sets of rules for the namespaces. For details, see the Container Security help.

Improved Clickable Links in Computer Status Widget and Agent/Appliance Upgrade Alerts

Fri, 05 Mar 2021 00:00:00 GMT

March 05, 2021, Workload Security—Links were sometimes not clickable from the Computer Status widget of the Dashboard tab, and from Agent/Appliance Upgrade Recommended (New Version Available) alerts opened from the List View of the Alerts tab.

Updated Service Level Agreement now includes all Trend Cloud One services

Fri, 05 Mar 2021 00:00:00 GMT

March 05, 2021, Workload Security—The Service Level Agreement (SLA) has been updated. This SLA now includes all Trend Cloud One services and replaces the prior Trend Cloud One - Endpoint & Workload Security/Deep Security as a Service SLA.

Improved scanning bucket switching with required stack update

Fri, 12 Mar 2021 00:00:00 GMT

March 12, 2021, File Storage Security—Fix the storage stack issue with switching from one scanning bucket to another. This functionality requires a stack update.

XDR Remote Shell added for agent version 20.0.0-2009

Tue, 16 Mar 2021 00:00:00 GMT

March 16, 2021, Workload Security—This release adds XDR Remote Shell support to agent version 20.0.0-2009. Following Trend Vision One onboarding, you can now run commands directly through the XDR-integrated Remote Shell. For more information see Trend Vision One (XDR) Remote Shell.

Improved Firewall Event Data Visibility in System Event Reports

Wed, 17 Mar 2021 00:00:00 GMT

March 17, 2021, Workload Security—Trend Cloud One - Endpoint & Workload Security "System Event Reports" (Events & Reports > Generate Reports) sometimes showed no firewall event data even if there were Firewall Events (Events & Reports > Events > Firewall Events) during the report period.

Smart Folders searchable by Computer Description in Trend Cloud One

Fri, 19 Mar 2021 00:00:00 GMT

March 19, 2021, Workload Security—Updated Trend Cloud One - Endpoint & Workload Security to make the Computer Description field for Smart Folders usable as a search criteria (Computers & Smart Folders).

Maintenance Announcement for Trend Cloud One Accounts Created Before October 31, 2018

Fri, 19 Mar 2021 00:00:00 GMT

March 19, 2021, Workload Security—The Trend Cloud One - Endpoint & Workload Security RSS feed did not notify subscribers of the Scheduled Maintenance announcement made on March 1. To recap that announcement:

"Scheduled Maintenance will be required for all Trend Cloud One accounts that were created before 2018-10-31. For more information see Trend Cloud One Maintenance."

Deploy All-in-One and Storage Stacks with Triggered Scans for File Storage Security

Mon, 22 Mar 2021 00:00:00 GMT

March 22, 2021, File Storage Security—All-in-one stacks and storage stacks can now be deployed if the `s3:ObjectCreated:*` event of the scanning bucket is in use by setting the TriggerWithObjectCreatedEvent option to false.

You can then trigger the scans by invoking the deployed BucketListenerLambda in storage stacks.

Agent package names now aligned with Download Center

Tue, 23 Mar 2021 00:00:00 GMT

March 23, 2021, Workload Security—Aligned agent package naming with the Download Center.

Container Security policies can now block or log images based on CVSS values

Mon, 29 Mar 2021 00:00:00 GMT

March 29, 2021, Container Security—Container Security policies can now include rules that block or log images based on the CVSS values of vulnerabilities found in Smart Check scans. For details, see the Container Security help.

Improved performance for Trend Cloud One - Endpoint & Workload Security APIs

Mon, 29 Mar 2021 00:00:00 GMT

March 29, 2021, Workload Security—Updated Trend Cloud One - Endpoint & Workload Security to improve "Search Computer API" and "List Computer API" performance.

AWS connector synchronization issue resolved in Workload Security

Tue, 30 Mar 2021 00:00:00 GMT

March 30, 2021, Workload Security—Trend Cloud One - Endpoint & Workload Security sometimes became unable to synchronize with an AWS connector after it had been renamed.

Improved description for upgrading agent software in Trend Cloud One - Endpoint & Workload Security

Tue, 30 Mar 2021 00:00:00 GMT

March 30, 2021, Workload Security—Updated Trend Cloud One - Endpoint & Workload Security to provide a clearer description for Upgrade Agent Software (Administration > Updates > Software > Upgrade Agent/Appliance Software).

Cloud One read-only role restricted from create/delete API usage

Thu, 08 Apr 2021 00:00:00 GMT

April 08, 2021, File Storage Security—The API now prevents Cloud One read-only role from using create or delete API.

Enhanced Filter Search Capabilities for Network Security

Thu, 08 Apr 2021 00:00:00 GMT

April 08, 2021, Network Security—Filter searching enhancements: Enhancements to filter searches are now available and include partial-match results for filter name, filter number, description, platform, severity, CVE, and category searches. This enables you to search for a single word in a sentence or phrase. Learn more.

TLS Inspection Preview Now Available for Network Security

Thu, 08 Apr 2021 00:00:00 GMT

April 08, 2021, Network Security—TLS inspection: A preview version of TLS inspection for Network Security is now available with appliance version 2021.3.0.10968. TLS inspection provides secure web server traffic inspection and insight into your network activity without compromising cryptographic security. To access this preview feature and help shape the future of this capability for Network Security, click Request Access. Learn more about TLS inspection.

New cost-optimized c5.xlarge instance type for AWS deployments

Thu, 08 Apr 2021 00:00:00 GMT

April 08, 2021, Network Security—New instance type: A new, smaller and cost-optimized instance type, c5.xlarge, is now available for AWS deployments. Learn more.

Statistics API now customizable for File Storage Security scan results

Fri, 09 Apr 2021 00:00:00 GMT

April 09, 2021, File Storage Security—Statistics API is now available, allowing API users to customize their File Storage Security scan results. For more details, click here.

Improved AWS connector management in Trend Cloud One Workload Security

Mon, 12 Apr 2021 00:00:00 GMT

April 12, 2021, Workload Security—Duplicate instances were sometimes created for AWS connectors in Trend Cloud One - Endpoint & Workload Security.

Enhanced Remote Shell Commands Support for Windows and Linux Agents

Mon, 12 Apr 2021 00:00:00 GMT

April 12, 2021, Workload Security—Updated Trend Cloud One - Endpoint & Workload Security to support additional Remote Shell commands for agent version 20.0.0-2204+ for Windows and Linux. For more information, see the Supported commands section of the Remote Shell article.

Improved console functionality for adding storage stacks after deletions

Tue, 13 Apr 2021 00:00:00 GMT

April 13, 2021, File Storage Security—Fixed the issue that sometimes storage stacks cannot be added to the console

if there were another storage stack(s) deleted from the same scanner stack.

Enhanced AWS Account Synchronization Notifications and Events

Tue, 20 Apr 2021 00:00:00 GMT

April 20, 2021, Workload Security—Updated Trend Cloud One - Endpoint & Workload Security to provide more information during AWS account synchronization, with banner notifications after starting synchronization (Computers > Right- or- double-click an AWS account > Synchronize Now) and events created when synchronization is requested or completed (Events & Reports > System Events).

Improved handling of Anti-Malware Scan timeouts for scheduled tasks

Tue, 20 Apr 2021 00:00:00 GMT

April 20, 2021, Workload Security—Anti-Malware Scan scheduled tasks that had timed out were sometimes starting again instead of triggering a "Scheduled Task Skipped" event as expected.

Trend Micro transitions Endpoint & Workload Security offering to AWS Marketplace

Wed, 21 Apr 2021 00:00:00 GMT

April 21, 2021, Workload Security—As of 2021-04-21, Trend Micro will no longer offer Trend Cloud One - Endpoint & Workload Security through the Azure Marketplace for new customers. Existing subscribers are not affected by this change and can continue to use and pay for the service through the Azure Marketplace. If you are a new customer looking to leverage pay-as-you-go hourly billing, please see Trend Cloud One on the AWS Marketplace.

Enhanced Domain Filtering Feature Re-enabled in Network Security

Thu, 22 Apr 2021 00:00:00 GMT

April 22, 2021, Network Security—Domain filtering: Enhancements to FQDN are included in this release and this feature has been re-enabled. You can now create and manage a list of fully qualified domain names (FQDNs) with defined access to your environment from the Network Security interface. To use domain filtering, you must deploy version 2021.4.0.10991 of the appliance. Learn more.

End of Complimentary Preview for Trend Micro Cloud One Services on AWS Marketplace

Mon, 26 Apr 2021 00:00:00 GMT

April 26, 2021, Billing and Subscription Management—As of 2021-05-03, Trend Micro will end the complimentary preview period for Application Security, Container Security, File Storage Security, and Conformity on AWS Marketplace. Billing for these services will start from May 3rd for customers subscribed to Trend Micro Cloud One.

Container Security policies now support Smart Check checklist rules integration

Mon, 26 Apr 2021 00:00:00 GMT

April 26, 2021, Container Security—Container Security policies can now include rules that block or log images based on results from Smart Check checklists. Checklists are pre-defined sets of rules that determine how well an image adheres to common compliance standards (PCI-DSS v2, NIST 800-190, and HIPAA). For details, see the Container Security help.

Heartbeat Interval settings phased out for new tenants in Workload Security

Mon, 26 Apr 2021 00:00:00 GMT

April 26, 2021, Workload Security—For new tenants, the following Trend Cloud One - Endpoint & Workload Security settings will no longer appear in the Administration tab:

Heartbeat Interval
Number of Heartbeats that can be missed before an alert is raised

For existing tenants, the settings above will be gradually removed starting May 26, 2021.

These changes are due to a new agent-manager communication design, and should have minimal impact on users. Policy changes will still be applied immediately, and the Trend Cloud One - Endpoint & Workload Security console can still trigger requests for agents to get any accumulated events on demand as required.

Introducing Scan Activity Page for File Storage Security

Tue, 27 Apr 2021 00:00:00 GMT

April 27, 2021, File Storage Security—The Scan Activity page has been added, which includes the Scan History chart and its scan counter, so users can see a summary of scan results from within File Storage Security. For details, see View scan results on the console Scan Activity page.

Improved User Experience with Tour Guide Dialog Box Hover Prevention

Thu, 29 Apr 2021 00:00:00 GMT

April 29, 2021, File Storage Security—Prevent auto-sliding when the cursor is hovering on the tour guide dialog box.

New "Deep Security Migration" role for seamless software migration to Trend Cloud One

Tue, 04 May 2021 00:00:00 GMT

May 04, 2021, Workload Security—Added a predefined "Deep Security Migration" role containing all rights required to migrate Deep Security software over to Trend Cloud One - Endpoint & Workload Security.

Improved agent package import and download process for better user experience

Tue, 04 May 2021 00:00:00 GMT

May 04, 2021, Workload Security—When you imported and then deleted an agent package from Trend Cloud One - Endpoint & Workload Security, direct downloads sometimes failed afterwards.

Conformity Release Notes for Latest Updates

Thu, 06 May 2021 00:00:00 GMT

May 06, 2021, Conformity—Please visit the Conformity Release Notes page for Conformity updates.

Enhanced Default Real-Time Scan Configuration with Behavior Monitoring and Predictive Machine Learning

Thu, 06 May 2021 00:00:00 GMT

May 06, 2021, Workload Security—Updated Endpoint & Workload Security's Default Real-Time Scan Configuration (Computers > Details > Anti-Malware > General > Real-Time Scan > Malware Scan Configuration) to enable Behavior Monitoring and Predictive Machine Learning by default.

Newer agents (20.0.0.1559 and higher on Windows, and 20.0.0-1822 and higher on Linux) will have "Use custom actions" set to "Pass" by default, and will log Anti-Malware Events. Older agents will have Behavior Monitoring turned off if their Possible Malware "action to take" is set to "Pass."

Enhanced Security and Performance in Network Security Virtual Appliance Version 2021.4.1

Thu, 06 May 2021 00:00:00 GMT

May 06, 2021, Network Security—Network Security virtual appliance version 2021.4.1.11004 includes important security and performance enhancements.

Improved Filter Searching Capabilities for Enhanced Search Precision

Thu, 06 May 2021 00:00:00 GMT

May 06, 2021, Network Security—Filter searching enhancements: API and UI enhancements to filter searching enable you to build a compound query expression to narrow down your search results according to multiple criteria. Learn more.

Gateway Load Balancer Preview Deployment Options Available for Network Security

Thu, 06 May 2021 00:00:00 GMT

May 06, 2021, Network Security—Gateway Load Balancer: A preview version of deployment options using a Gateway Load Balancer are now available. The Gateway Load Balancer service allows you to deploy and manage Network Security virtual appliances seamlessly in a centralized environment. Virtual appliance version 2021.4.1.11004 is required for this feature. Learn more about these preview deployment options.

PostScanActionTagLambda now tags objects without issues as 'no issues found'

Mon, 10 May 2021 00:00:00 GMT

May 10, 2021, File Storage Security—The PostScanActionTagLambda now tags object without issues with `no issues found`, instead of `clean`.

To migrate from the breaking change, modify your downstream workflow that checks `fss-scan-result` tag.

For more information, see Monitor scan results.

Improved Scan History chart functionality for enhanced user experience

Mon, 10 May 2021 00:00:00 GMT

May 10, 2021, File Storage Security—Prevent API requests when the Scan History chart is loading.

The Scan History chart prevents scrolling the timeline past the current time or later than 30 days ago.

The Scan History chart displays a minimum bar size for an item with small values to ensure that the bar is still visible.

Improved Software Changes Detected Warnings in Workload Security

Tue, 11 May 2021 00:00:00 GMT

May 11, 2021, Workload Security—Trend Cloud One - Endpoint & Workload Security sometimes created "Software Changes Detected" warnings (in the Alerts tab) for software that was already allowed, and sometimes encountered alerts which would reappear after a user had already resolved them.

Scan trigger issue resolved for folder creation in scanning bucket

Thu, 20 May 2021 00:00:00 GMT

May 20, 2021, File Storage Security—Fixed the issue where creating a folder in the scanning bucket would trigger a scan.

Streamlined Onboarding Process for Container Security Subscription Users

Fri, 21 May 2021 00:00:00 GMT

May 21, 2021, Container Security—In order to improve the onboarding experience with Container Security, you will no longer need to acquire an activation code and install or upgrade Smart Check with this code if you have a current subscription to the service. Simply enroll your Smart Check installation with a valid API key, as you would before, and you can use Smart Check without limitation.

Improved Scan History chart display for Safari browser

Fri, 21 May 2021 00:00:00 GMT

May 21, 2021, File Storage Security—Fixed the issue where the Scan History chart used an incorrect aspect ratio for the latest version of the Safari web browser.

Improved stack creation process reduces timeout errors

Wed, 26 May 2021 00:00:00 GMT

May 26, 2021, File Storage Security—After adding a stack in the console, the waiting time is increased, which reduces the chance of getting a timeout error.

Container Security enhances continuous compliance, accurate billing, and aligns with Kubernetes standards

Thu, 27 May 2021 00:00:00 GMT

May 27, 2021, Container Security—Container Security now extends the protection of your containers to the post-deployment phase. With the new continuous compliance feature, Container Security ensures that running containers continue to conform to the policy you've defined. If there are changes to the policy after the initial deployment or if new vulnerabilities are discovered, Container Security can take action to mitigate the problem. To take advantage of this feature, update your policies with the new continuous compliance settings.

Container Security now monitors the number of nodes and serverless containers that it's protecting, to allow for accurate billing, as described in About billing and pricing.

This update also aligns the labels for Container Security templates with Kubernetes standards. This change means that to upgrade to this release, you must uninstall and reinstall the Helm chart, as detailed in the Container Security Helm Chart.

Maintenance notifications now consolidated in Trend Cloud One maintenance page

Fri, 28 May 2021 00:00:00 GMT

May 28, 2021, Workload Security—Trend Cloud One - Endpoint & Workload Security maintenance notifications have been moved to the Trend Cloud One maintenance page to consolidate all maintenance info in one place. The Trend Cloud One maintenance page has an RSS feed that you can use to get notifications about any upcoming maintenance.

Check ServiceNow SecOps Module for Viewing Checks

Mon, 31 May 2021 00:00:00 GMT

May 31, 2021, Conformity—View Checks in ServiceNow SecOps Module.

Enhanced Domain Filtering with Custom Ports for FQDN Exceptions

Thu, 03 Jun 2021 00:00:00 GMT

June 03, 2021, Network Security—Custom ports for fully qualified domain name (FQDN) exceptions: You can specify as many as 20 associated ports to the fully qualified domain names in your Domain Filtering exceptions list. Learn more.

Gateway Load Balancer now generally available for Network Security deployment

Thu, 03 Jun 2021 00:00:00 GMT

June 03, 2021, Network Security—Gateway Load Balancer: The deployment options using a Gateway Load Balancer are now generally available. Learn more about deploying Gateway Load Balancer for Network Security in AWS.

Expanded asset protection list available in Network Security, Azure asset support coming soon

Thu, 03 Jun 2021 00:00:00 GMT

June 03, 2021, Network Security—Protectable assets: A more detailed list of which assets can be or are currently protected by Network Security is available from the Network → Assets page. Azure assets are not yet supported. To request access for this feature, contact us.

Apply Configuration Changes to Multiple Filters Simultaneously

Thu, 03 Jun 2021 00:00:00 GMT

June 03, 2021, Network Security—Apply the same configuration changes to multiple filters: You can use the GUI and APIs to apply specific filter policy overrides to as many as 100 filters at one time. Learn more.

Network Security now available in Azure Marketplace

Thu, 10 Jun 2021 00:00:00 GMT

June 10, 2021, Network Security—Azure public release: Network Security for Azure is now a generally available public offering on Azure Marketplace. Learn more about deploying Network Security in Azure.

Scanner Lambda publishes detailed skip codes for file scan results

Tue, 15 Jun 2021 00:00:00 GMT

June 15, 2021, File Storage Security—Scanner Lambda now publishes scan detail codes about skipped scans in scan result and ScanResultTopic.

The new field helps you make decisions in the downstream workflows on how to handle the scanned file.

NOTE: If your workflows monitor these detail codes with CloudWatch logs,

then, before October 1, 2021, use the new field in scan results instead.

For more information, see Scan result format.

BucketListenerLambda now complies with Lambda function public access prohibition rule

Tue, 15 Jun 2021 00:00:00 GMT

June 15, 2021, File Storage Security—Fixed the issue where BucketListenerLambda violates the rule Lambda function policies should prohibit public access from AWS Security Hub.

Network Security introduces free tier with 10GB monthly traffic inspection

Tue, 15 Jun 2021 00:00:00 GMT

June 15, 2021, Network Security—Free tier offering: Network Security now offers 10GB of free traffic inspection each month with Pay as You Go billing. With this free tier offering, you can get started with Network Security at no charge. Learn more.

Enhanced PostScanActionTagLambda now provides detailed scan information for S3 objects

Fri, 18 Jun 2021 00:00:00 GMT

June 18, 2021, File Storage Security—PostScanActionTagLambda has two new tags, `fss-scan-detail-code` and `fss-scan-detail-message`,

providing more detail about scans for the S3 object, especially scans that were skipped.

The new tags help you make decisions in the downstream workflows on how to handle the scanned file.

NOTE: If your workflows monitor these detail codes with CloudWatch logs,

then, before October 1, 2021, use the new field in

scan results

or the new tags instead.

For more information, see View Tags.

Discontinued "What's New in Workload Security" RSS Feed, Subscribe to Trend Cloud One Updates

Mon, 21 Jun 2021 00:00:00 GMT

June 21, 2021, Workload Security—The "What's New in Workload Security" RSS feed will no longer receive notifications. For details on updates and new features for Trend Cloud One - Endpoint & Workload Security, or any other Trend Cloud One services, please subscribe to the What's New in Trend Cloud One RSS feed.

Improved Smart Check Performance prevents duplicate registry scans

Tue, 22 Jun 2021 00:00:00 GMT

June 22, 2021, Container Security—Smart Check performance has been improved. When a full registry scan is requested, Smart Check now ensures that a duplicate scan is not already in progress. A scan is considered a duplicate if the Registry, Repository, Tag, and Digest values match, and the scan is pending or in progress. If the scan is a duplicate, the new scan is not queued and the existing scan details are returned in the response body of the request.

Enhancement: Removal of CopyZipsDestBucket and S3BucketPrefix for Improved Stack Deployment

Fri, 25 Jun 2021 00:00:00 GMT

June 25, 2021, File Storage Security—Removes `CopyZipsDestBucket` and related resources in scanner stacks and storage stacks. Also removes `S3BucketPrefix` parameter, which is used as the prefix of `CopyZipsDestBucket` name. This functionality requires a stack update.

This update enables customers who do not have permissions to create S3 buckets to deploy their stacks (since it removes the need to create `CopyZipsDestBucket`).

Azure Storage Container Scanner Stacks Deployment Now Supported

Mon, 28 Jun 2021 00:00:00 GMT

June 28, 2021, File Storage Security—The ability to deploy scanner stacks and storage stacks to Azure has been added to the console, allowing scanning of files uploaded to an Azure storage container.

File Storage Security now offers Events API for AWS stack scan results retrieval

Mon, 28 Jun 2021 00:00:00 GMT

June 28, 2021, File Storage Security—Events API is now available, allowing API users to retrieve their File Storage Security scan results of AWS stacks. For more details, click here.

Azure Stacks APIs Preview Release for File Storage Security

Mon, 28 Jun 2021 00:00:00 GMT

June 28, 2021, File Storage Security—Stacks APIs for managing Azure stacks are now available in a preview release, allowing API users to create, describe, list and delete Azure stacks on File Storage Security. For more details, click here.

Protect SAP Deployments with Trend Cloud One Endpoint & Workload Security Integration

Wed, 30 Jun 2021 00:00:00 GMT

June 30, 2021, Workload Security—You can now protect your SAP deployments using Trend Cloud One - Endpoint & Workload Security, helping to secure critical information from attack, including a wide variety of threats such as malware, cross-site scripting and SQL injection. Trend Cloud One - Endpoint & Workload Security scans content uploaded to the SAP NetWeaver technology platform to determine its true type and reports this to SAP systems via the NetWeaver-VSI interface. Content scanning protects against possible malicious script content that might be embedded or disguised inside documents. SAP administrators can then set policy according to which document types should be allowed. For more information, see Integrate with SAP NetWeaver.

Fail Open High Availability Preview for AWS Deployment with Gateway Load Balancer

Thu, 01 Jul 2021 00:00:00 GMT

July 01, 2021, Network Security—High availability enhancement: A preview version of fail open high availability was added to the AWS deployment to inspect inbound internet traffic with Gateway Load Balancer. Learn more.

Enhanced Filter Searching Capabilities for Network Security

Thu, 01 Jul 2021 00:00:00 GMT

July 01, 2021, Network Security—Filter searching enhancements: Filter searching enhancements enable you to further refine your compound query expressions according to the latest active threats and when the filter was released or modified. Learn more.

Improved Reset Functionality for Anti-Malware Real-Time Scan Configuration Policies

Tue, 06 Jul 2021 00:00:00 GMT

July 06, 2021, Workload Security—Anti-Malware Real-Time Scan Configuration policies sometimes did not reset to their inherited value properly.

Smart Feedback now enabled to rapidly identify and address new threats

Tue, 06 Jul 2021 00:00:00 GMT

July 06, 2021, Workload Security—Smart Feedback is enabled by default for new accounts. Smart Feedback shares protected threat information with the Smart Protection Network (SPN), allowing Trend Micro to rapidly identify and address new threats. For more information, please see Smart Protection in Trend Cloud One - Endpoint & Workload Security.

Enhanced File Security Scans for AWS S3 Uploads

Tue, 06 Jul 2021 00:00:00 GMT

July 06, 2021, File Storage Security—Fixed the issue where updating a stack with a template caused files uploaded to AWS S3 buckets to not be scanned and report an `invalid license status` message in the scan results. This functionality requires a stack update.

Improved reliability when disabling microservices in Workload Security

Tue, 06 Jul 2021 00:00:00 GMT

July 06, 2021, Workload Security—After disabling microservices using console commands, Trend Cloud One - Endpoint & Workload Security sometimes failed to restart.

Improved Trend Vision One registration under System Settings prevents account permissions issue

Tue, 06 Jul 2021 00:00:00 GMT

July 06, 2021, Workload Security—An account permissions issue sometimes caused Trend Vision One registration to fail or display the wrong status (under Administration > System Settings > Trend Micro One).

Improved Smart Check Performance for Registry Scans

Thu, 08 Jul 2021 00:00:00 GMT

July 08, 2021, Container Security—Smart Check performance has been improved in 1.2.67. When a full registry scan is requested, Smart Check now checks if the image has already been scanned within the rescanProhibitedDuration (default = 12 hours). An image is the same if the Registry, Repository, Tag, and Digest values match. If already scanned, the new scan is not queued and the completed scan details are returned in the response body of the request. If you want to force scan the image again, you can queue one using the createScan API.

Statistics API now supports AWS provider query parameter with Azure support coming soon

Thu, 08 Jul 2021 00:00:00 GMT

July 08, 2021, File Storage Security—Statistics API now supports `provider` query parameter. Currently it only allows one value, `aws`.

Support for `azure` in preview will be added later.

NOTE: API users that don't want statistics results from both AWS and Azure scans when Azure scan statistics is supported

should add `provider=aws` in the query parameter to focus on AWS results only.

For more information, see List scan statistics.

XDR Network Isolation now available in Deep Security Agent 20.0.0

Thu, 08 Jul 2021 00:00:00 GMT

July 08, 2021, Workload Security—This release adds XDR Network Isolation support to Deep Security Agent version 20.0.0-2593 and later. Following Trend Vision One onboarding, you can now isolate potentially compromised endpoints from the rest of your network. For more information see Trend Vision One (XDR) Network Isolation.

Conformity enhances compliance with new Azure rules and AWS framework updates

Fri, 09 Jul 2021 00:00:00 GMT

Added Azure rules for AusGov ISM standard.
We’ve also updated AWS Well-Architected Framework to the March 2021 version.
You can now track and view the ‘apply profile’ events via the RTM dashboard or query them via the public events API by using ‘account.apply.profile’ as the event name.
Checks returned from Template Scanner will now attempt to include logicalResourceId property in addition to usual properties.
Updated the Jira Communications Channel to clear out existing fields when selecting a new 'Project' and 'Issue Type'.

Integrity Monitoring Baseline Removed from Workload Security Console for Improved Performance

Mon, 12 Jul 2021 00:00:00 GMT

July 12, 2021, Workload Security—As baselines have grown larger and workloads have become more dynamic, the ability to support the Integrity Monitoring baseline in the Trend Cloud One - Endpoint & Workload Security console has become increasingly challenging.

Trend Micro is committed to evolving the design of Integrity Monitoring to meet the performance and operational needs of customers. Through discussions with customers, it was determined that in its current form, this feature was not delivering the value to offset the performance and operational overhead required to maintain this data.

The first step in this process is to remove the Integrity Monitoring baseline capability from the Trend Cloud One - Endpoint & Workload Security console. This means that the View Baseline, Trusted Source Tagging, and Integrity Monitoring Baseline Report will no longer be available. For customers who subscribed after July 12, 2021 and are using agent version 20.0.0-2593 or later, the baseline is already removed. For customers who subscribed before that date, Trend Micro will not remove the baseline until January 1, 2022.

To view the Integrity Monitoring baseline, generate an agent diagnostic package.

For more information, see the following: Removal of the Integrity Monitoring "view baseline" option from Trend Cloud One - Endpoint & Workload Security and Removal of the Integrity Monitoring Baseline Report from Trend Cloud One - Endpoint & Workload Security

Transition to New Email-Based Sign In for Trend Cloud One Users

Tue, 13 Jul 2021 00:00:00 GMT

July 13, 2021, Workload Security—Trend Cloud One will soon be phasing in a new account and user management system, with an updated Sign In page.

Users who sign up for Trend Cloud One after the release of this new system will only require their Email and Password to log in through the Email Address Sign In.

Existing Trend Cloud One users must continue to use their current credentials (Account, Username, and Password) to log in through the Account & Username Sign In. No action is required for current customers. Existing accounts will be transitioned to the new email-based sign in at a later date.

Lambda alias now points to latest version after stack update

Mon, 19 Jul 2021 00:00:00 GMT

July 19, 2021, File Storage Security—Fixed the issue where updating a stack with a template caused Lambda alias `TM-FSS-Managed` to point to the previous version instead of the latest one. This functionality requires a stack update.

Azure added to Statistics and Events API for File Storage Security scan results retrieval

Mon, 19 Jul 2021 00:00:00 GMT

July 19, 2021, File Storage Security—Statistics and events API will soon support `azure` in `provider` parameter in a preview release,

allowing API users to retrieve their File Storage Security scan results of Azure stacks.

Extended Maintenance Period for Older Trend Cloud One Accounts

Thu, 22 Jul 2021 00:00:00 GMT

July 22, 2021, Workload Security—The scheduled maintenance period for Trend Cloud One accounts created before 2018-10-31 is being extended. Accounts that have already undergone scheduled maintenance will not be impacted by this extension. Any accounts that still require maintenance will have a maintenance window assigned to them before 2021-12-30.

For more information see Trend Cloud One Maintenance.

Enhanced collect-logs.sh script in Smart Check for targeted core file collection

Tue, 27 Jul 2021 00:00:00 GMT

July 27, 2021, Container Security—The collect-logs.sh script has been improved in Smart Check release 1.2.68. The script now allows you to specify the application name and namespace as options, and it collects core files from malware-scan pods.

Improved Performance and Synchronization for Smart Check in Container Security

Tue, 27 Jul 2021 00:00:00 GMT

July 27, 2021, Container Security—Smart Check performance has been improved in 1.2.68. Registries can only perform one full registry sync/scan at a time. If multiple concurrent requests are made to perform a full registry sync/scan for the same registry, then only one is be executed.

Bug Fixed for Full Registry Scan with Long Image Names in Container Security

Tue, 27 Jul 2021 00:00:00 GMT

July 27, 2021, Container Security—Fixed a bug where images with long names were not queued when performing a full registry scan in 1.2.68.

New key added to scan result for File Storage Security enhancement

Tue, 27 Jul 2021 00:00:00 GMT

July 27, 2021, File Storage Security—The scan result now has a new key, `xamz_request_id` with an empty string value.

We will soon pass the request ID of S3 to that field.

Conformity Enhancements: Improved Communication Channels, Cloud One Integration, and Bug Fixes

Wed, 28 Jul 2021 00:00:00 GMT

July 28, 2021, Conformity—The following updates were released to Conformity on 28th July 2021.

Communication Channels Update

Webhook: Updated the Webhook Communication Channel to send checks that have been deleted due to a user removing/deleting a resource. These checks delivered will have an additional field "isDeleted: true" to differentiate them from the current checks being sent via webhook.

Jira: Updated the Jira Communication Channel 'Create' and ‘Update' screens to no longer support swapping to an alternative connection type (OAuth or API token) to reduce the risk of breaking a successfully configured channel.

Cloud One Users

With SSOv2 can now access Conformity via Cloud One UI. See our help page on SSoV2 Public API.
Will receive account update emails if they have a valid email address in Conformity

Scan a Profile with Template Scanner

Users without Admin privileges can now select and scan a Profile in Template Scanner via Conformity UI or API by calling the `/profiles` API.

Bug Fixes

Fixed a bug to reduce the number of failed Schedule Reports generation.
Fixed a bug to return the correct API response when a user typed a value while filtering regions.
Fixed a bug to add an account name and account environment to the body of the system-disabled Conformity bot notification email.
Fixed a bug with Template Scanner API Response body to include the actual accountId in the `account` field only when the `accountId` field is passed in the request body.
Fixed a bug to successfully process intrinsic functions as arguments of '!Join' in the Template Scanner.
Fixed a bug where Reports generated with individual checks did not display the Total counts on the PDF report correctly.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.32. Click here to access the latest custom policy.

Conformity Bot Updates

Boosted error handling to prevent outdated or inconsistent checks.
Improvements to prevent Conformity Bot from running longer than expected for European accounts.

Rule Updates

EC2-072 - EC2 Instance Not In Public Subnet: This rule has been updated to allow exceptions based on EC2 Instances by name matched with a regex expression pattern.
IAM-066 - AWS IAM Groups with Admin Privileges: This rule has been updated to allow exceptions based on tags and resource id.

Rule Bug Fixes

IAM-046: Support Role: Fixed a bug where the rule generated false positives due to the throttling of the attached entities.
EKS-002: Kubernetes Cluster Version: Fixed a bug to update the rule to the latest Amazon EKS Kubernetes version 1.20.
Fixed a bug where the following rules failed to generate any checks because of inability to pull data from the ECS Service:
ECS-003: Check for Amazon ECS Service Placement Strategy
ECS-004: Check for Fargate Platform Version
Fixed a bug that prevents checks from being generated when there are a large number of exclusions for the following rules:
Inspector-002: Days since last Amazon Inspector run
Inspector-003: Check for Amazon Inspector Exclusions Updated

New sign-in and account system for Trend Micro Cloud One improves user management

Wed, 28 Jul 2021 00:00:00 GMT

July 28, 2021, General—Trend Micro Cloud One will be releasing a new sign-in and accounts system. The new system separates the creation of users from accounts, allowing a single user to more easily create and manage multiple Trend Micro Cloud One accounts for use across your organization, teams, and global regions.

Any customers signing up for Trend Micro Cloud One after the release of these features will use a new Trend Micro Cloud One account. Customers who created their accounts prior to the release will continue to use the legacy account and sign-in. There is no functional change or action required for existing customers, and existing accounts will be transitioned at a later date.

To learn more about the changes coming, see Changes to Trend Micro Cloud One accounts.

Improved Maintenance Mode Activation for Application Control

Thu, 29 Jul 2021 00:00:00 GMT

July 29, 2021, Workload Security—Trend Cloud One - Endpoint & Workload Security sometimes took much longer than expected to turn on Maintenance Mode for Application Control (Computers > Application Control > General > Maintenance Mode).

Lambda function license and pattern layer now retained during stack updates

Thu, 29 Jul 2021 00:00:00 GMT

July 29, 2021, File Storage Security—Fixed the issue where updating a stack with a template caused the Lambda function to lose the license and the latest pattern Lambda layer. This functionality requires a stack update.

Enhanced asset protection list now available in Network Security

Thu, 29 Jul 2021 00:00:00 GMT

July 29, 2021, Network Security—Protectable assets: A more detailed list of which assets can be or are currently protected by Network Security is now generally available. Azure assets are not yet supported. Learn more.

TLS Inspection Configuration Enhancements Available on Azure Platform

Thu, 29 Jul 2021 00:00:00 GMT

July 29, 2021, Network Security—TLS inspection configuration enhancements: TLS inspection for Network Security is now available on the Azure platform with appliance version 2021.7.0.11129. In addition, users with servers running behind a load balancer can now configure a subnet (CIDR). Learn more.

Azure high availability for Network Security virtual appliance auto-restart on failure

Thu, 29 Jul 2021 00:00:00 GMT

July 29, 2021, Network Security—Azure high availability enhancement: A Scale Set VM deployment enhancement now uses Azure native recovery to automatically restart a Network Security virtual appliance if it fails. Learn more.

Improved TLS Traffic Inspection for Trend Cloud One - Endpoint & Workload Security Customers

Thu, 29 Jul 2021 00:00:00 GMT

July 29, 2021, Workload Security—Updated the agent to improve TLS traffic inspection. This feature is being rolled out gradually, beginning with Trend Cloud One - Endpoint & Workload Security customers.

Lambda Functions in Scanner and Storage Stacks Now Deployable in VPC

Mon, 02 Aug 2021 00:00:00 GMT

August 02, 2021, File Storage Security—Lambda functions in scanner stacks and storage stacks can now be deployed in a VPC. This functionality requires a stack update.

For more information, see Deploy FSS in a VPC.

Conformity introduces Terraform Template scanning in preview for user feedback

Wed, 04 Aug 2021 00:00:00 GMT

August 04, 2021, Conformity—We’re excited to share that you can now preview Terraform Template scanning using the Conformity Template Scanner UI as well as API endpoints.

Find out the supported Terraform resource types for our Preview release here.

We will be looking forward to your feedback before we announce the General Availability (official release).

New Sign-in and Accounts System Streamlines User Management in Trend Micro Cloud One

Wed, 04 Aug 2021 00:00:00 GMT

August 04, 2021, General—Trend Micro Cloud One has released a new sign-in and accounts system. The new system separates the creation of users from accounts, allowing a single user to more easily create and manage multiple Trend Micro Cloud One accounts for use across your organization, teams, and global regions.

Any customers signing up for Trend Micro Cloud One on or after August 4, 2021 will use a new Trend Micro Cloud One account. Customers who created their accounts prior to the release will continue to use the legacy account and sign-in. There is no functional change or action required for existing customers, and existing accounts will be transitioned at a later date.

To learn more about the changes, see Changes to Trend Micro Cloud One accounts.

AWS scanner stack now includes scannerLambdaAliasARN in details for enhanced security

Thu, 05 Aug 2021 00:00:00 GMT

August 05, 2021, File Storage Security—Stacks API now provides `scannerLambdaAliasARN` in `details` of AWS scanner stack.

For more information see Describe Stack or List Stacks.

Cost allocation tagging now supported for AWS Marketplace purchases

Fri, 06 Aug 2021 00:00:00 GMT

August 06, 2021, Workload Security—Trend Cloud One - Endpoint & Workload Security now supports cost allocation tagging for customers buying through AWS Marketplace, allowing you to track usage and cost with your AWS account using Trend Cloud One. For more information, see Use cost allocation tags to check usage by cloud account.

Smart Check Upgrades Built-In Database to PostgreSQL 12.7 in Breaking Update

Mon, 09 Aug 2021 00:00:00 GMT

August 09, 2021, Container Security—Smart Check includes a built-in database pod for demonstration purposes. For production deployments, Trend Micro recommends using an external database. In previous releases, the built-in database was PostgreSQL 9.6, which will reach end-of-life in November 2021. To prepare for this, in an upcoming release, Smart Check will be upgraded to use PostgreSQL 12.7 for its built-in database pod. The changes between PostgreSQL 9.6 and 12.7 mean that this will be a breaking upgrade because data from PostgreSQL 9.6 does not work with version 12.7. Users will need to remove the Smart Check application and re-install it. This change does not affect customers who are using PostgreSQL 10, 11, 12, or 13 as an external database. It only affects customers who are using the built-in database pod.

Improved Smart Check Stability and Increased Malware-Scan Work Volume Limit

Mon, 09 Aug 2021 00:00:00 GMT

August 09, 2021, Container Security—Smart Check stability has been improved in release 1.2.69. To avoid a malware-scan pod eviction issue, the default size limit of the malware-scan work volume was increased to 500 MB and extra core files are removed when the malware-scan service restarts after a timeout.

JFrog registry support added for creating new registries in SmartCheck

Tue, 10 Aug 2021 00:00:00 GMT

August 10, 2021, Container Security—Added a JFrog registry type for creating a new registry in SmartCheck 1.2.70. Refer to how to add a registry for more details.

Enhanced UI Notifications for Stack Deployment Issues

Wed, 11 Aug 2021 00:00:00 GMT

August 11, 2021, File Storage Security—Added the UI notifications `Stack has been deployed` and `Stack information can't be retrieved` for the stack deployment. Before the enhancement, the notifications displayed "Something went wrong" for these issues.

Stack has been deployed: This notification now displays when the stack is created after the deployment but the GET API request of the created stack has reached the maximum number of retries.
Stack information can't be retrieved: This notification now displays when the stacks are deployed with incorrect parameters in your cloud account and File Storage Security is not able to retrieve the information it needs.

File Storage Security Azure deployment issue fixed

Wed, 11 Aug 2021 00:00:00 GMT

August 11, 2021, File Storage Security—Fixed the issue where clicking `Launch Stack` to deploy stacks on Azure (in preview) caused the Azure portal to display this error message:

`There was an error downloading the template from URI 'https://file-storage-security-preview.s3.amazonaws.com/latest/arm-templates/FSS-All-In-One-Template.json'. Ensure that the template is publicly accessible and that the publisher has enabled CORS policy on the endpoint. To deploy this template, download the template manually and paste the contents in the 'Build your own template in the editor' option below.`

Real Time Threat Monitoring for Azure, Organization Profiles, and Enhanced Reports Added

Thu, 12 Aug 2021 00:00:00 GMT

August 12, 2021, Conformity—The following updates were released to Conformity on 12th August 2021.

RTM for Azure

You can now set up Real Time Threat Monitoring and monitor events on your Azure accounts via UI and API. For details, see:Real-time Monitoring Settings.

Organization Profile

Conformity enables you to now set up an Organization Profile in your Conformity Account to customize default rule settings for all existing and newly added accounts to your organization. For details: see: Profiles.

CQL Filter Method

You can now customise your search results using the Conformity Query Language (CQL) to filter and search your checks on Reports. For details, see CQL Filter Method.

Compliance

Rule Mappings updated for the HITRUST and NIST 800-53 REV5 Compliance and Standard Reports.

Reports

You can now include/exclude Account names on pdf reports via a new checkbox when creating reports and report configurations. For details see: Generate and Download Report.

Bug Fixes

Fixed a bug where creating your first account using the API would display the message "Trial ends a few seconds ago" on the dashboard.
Fixed a bug to bring the Check status returned by the API endpoints in line with the current behaviour of the UI.
Fixed a bug where problem tickets in the ServiceNow communication channel were not resolving automatically.
Fixed a bug where deleting profiles too quickly was logging the user out of the application

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.32. Click here to access the latest custom policy.

Conformity Bot Updates

Fixed a bug where Conformity bot was switching between 'Success' and 'Failure' states due to throttling errors on targeted IAM Roles.

New Rule

AWS

VPC-017: Unrestricted Inbound Traffic on Remote Server Administration Ports: This rule ensures that no Network ACL (NACL) allows unrestricted inbound traffic on TCP ports 22 and 3389.Boosted error handling to prevent outdated or inconsistent checks.

Rule Update

IAM-070: Check for IAM User Group Membership: This rule has been updated to support success checks in order to provide a more accurate compliance score.
Inspector-001: Amazon Inspector Findings: The rule has been optimized to reduce the likelihood of prevent throttling to ensure consistent checks.

Rule Bug Fix

VPC-001: VPC Flow Logs Enabled: Fixed a bug where shared VPC resources resulted in false positive results for this rule.

Enhanced File Storage Security Scans AWS S3 getObject Requests

Thu, 12 Aug 2021 00:00:00 GMT

August 12, 2021, File Storage Security—File Storage Security now supports scanning AWS S3 getObject requests.

The scan is performed when the client sends a GET request to S3 to get an object and if the object is malicious, the request is rejected.

This feature helps users to make sure all files are scanned with the latest pattern right before being downloaded.

It's also an alternative to setting up a scheduled scan or scanning on existing files.

For more information, see Scan on getObject request.

List Template Scanner Rules API endpoints added for Terraform and CloudFormation templates

Mon, 16 Aug 2021 00:00:00 GMT

August 16, 2021, Conformity—List Template Scanner Rules API endpoints are now available for the Terraform and CloudFormation template types in Conformity Template Scanner. For details see: Template Scanner API Documentation.

Automatic Policy Assignment and Smart Folder Grouping with Azure Tags

Mon, 16 Aug 2021 00:00:00 GMT

August 16, 2021, Workload Security—Trend Cloud One - Endpoint & Workload Security now supports the use of Azure tags to assign policies automatically using event-based tasks and to group computers together using smart folders.

Enhanced Windows Anti-Malware Scan Interface (AMSI) options available

Wed, 18 Aug 2021 00:00:00 GMT

August 18, 2021, Workload Security—Trend Cloud One - Endpoint & Workload Security now has two scan action options for Windows Anti-Malware Scan Interface (AMSI). You can select either "Pass" or "Terminate" (under Anti-Malware > General > Real-Time Scan > Malware Scan Configuration > Edit > General > Windows Antimalware Scan Interface (AMSI)).

Resolved issue displaying "No description" in system event descriptions

Wed, 18 Aug 2021 00:00:00 GMT

August 18, 2021, Workload Security—Resolved an issue that caused some system event descriptions to display "No description".

Lambda function now retains license and pattern Lambda layer during stack updates

Thu, 19 Aug 2021 00:00:00 GMT

August 19, 2021, File Storage Security—Fixed the issue where updating a stack from certain versions of template caused the Lambda function to lose the license and the latest pattern Lambda layer. This functionality requires a stack update.

Runtime Security Preview with Container Activity Visibility and Control

Fri, 20 Aug 2021 00:00:00 GMT

August 20, 2021, Container Security—Container Security will be introducing the next iteration of runtime security with a preview of the runtime visibility and control feature. This runtime security feature will provide visibility and mitigation of container activity that violate a customizable set of rules. This preview will be available with a set of pre-defined rules that provide visibility into MITRE ATTACK framework tactics for containers as well as container drift detection. The preview is compatible with Kubernetes and supports Amazon EKS, Microsoft Azure AKS, Google GKE, as well as OpenShift.

Azure now supported in File Storage Security scan results retrieval API

Fri, 20 Aug 2021 00:00:00 GMT

August 20, 2021, File Storage Security—The statistics and events API now supports `azure` in the `provider` parameter, allowing API users to retrieve their File Storage Security scan results of Azure stacks.

AWS Launch Stack now auto-populates ScannerLambdaAliasARN for S3 bucket scan enhancement

Fri, 20 Aug 2021 00:00:00 GMT

August 20, 2021, File Storage Security—`Launch Stack` for AWS now supports auto population of a storage stack parameter, `ScannerLambdaAliasARN`.

Previously, users wanting to enable scan on getObject request for AWS S3 buckets had to look up the alias ARN when using `Launch Stack` to deploy storage stacks.

For more information, see Add a storage stack on console and Scan on getObject request.

Improved accuracy of scan counts in Scan History chart interval switch

Fri, 20 Aug 2021 00:00:00 GMT

August 20, 2021, File Storage Security—Fixed an issue where scan counts displayed incorrectly when switching the interval of the Scan History chart from days to hours.

Fixed issue with updating stacks using prefix parameters

Tue, 24 Aug 2021 00:00:00 GMT

August 24, 2021, File Storage Security—Fixed the issue where stacks with prefix parameters cannot be updated to latest template.

Appliances page enhancements streamline policy management across scaling groups

Thu, 26 Aug 2021 00:00:00 GMT

August 26, 2021, Network Security—Enhancements to appliances page: Appliances on the appliances page are now organized by their scaling group. You can change the inspection state and distribute policies for all appliances in a group at the same time. Learn more.

CloudWatch now supports TLS logs for enhanced AWS platform security

Thu, 26 Aug 2021 00:00:00 GMT

August 26, 2021, Network Security—Cloudwatch support for TLS logs: TLS inspection on AWS platforms can now stream its logs to customer CloudWatch accounts. Learn more.

TLS Inspection Now Available for AWS and Azure Platforms

Thu, 26 Aug 2021 00:00:00 GMT

August 26, 2021, Network Security—TLS inspection public release: Network Security now offers TLS inspection as a generally available security option for both AWS and Azure platforms. Learn more.

Enhanced Deployment Control with ObjectFilterPrefix for File Storage Security

Mon, 30 Aug 2021 00:00:00 GMT

August 30, 2021, File Storage Security—All-in-one stacks and storage stacks can now be deployed with ObjectFilterPrefix to only invoke BucketListenerLambda on objects with a given prefix.

This feature binds the `s3:ObjectCreated:*` event only on the given prefix.

Previously, if the `s3:ObjectCreated:*` event of the scanning bucket was partially in use,

you could only deploy the stacks by setting the TriggerWithObjectCreatedEvent option to false.

Now with ObjectFilterPrefix, you can deploy the stack on a prefix that hasn't been used.

This feature also helps you to limit the scans on a certain bucket prefix.

For more information, see s3:ObjectCreated:* event in use.

Conformity API Integration Enhances AWS Well-Architected Tool Workflow

Tue, 31 Aug 2021 00:00:00 GMT

August 31, 2021, Conformity—Conformity API for AWS Well-Architected Tool

Conformity's API integration with the AWS Well-Architected Tool now enables you to push a report of failed and successful checks from your Conformity accounts to your workload review. This report allows you to review checks more accurately with data-driven responses.

Checks generated from rules are mapped to a particular Well-Architected review question. The checks are also summarised by 'Risk level' and 'Rule IDs' to allow better visibility for remediation based on the review findings. This summary is then pushed to the 'Notes' field for the related question. For details, see our API Documentation for the Well-Architected Tool.

Trend Micro Cloud One now available in UK region for data sovereignty requirements

Tue, 31 Aug 2021 00:00:00 GMT

August 31, 2021, General—Trend Micro Cloud One is now available in the UK region, providing customers who have data sovereignty needs the option to have their account and security data hosted in-region. All Trend Micro Cloud One services except Open Source Security by Snyk are available for accounts in the UK region.

Note: Only customers using a new Trend Micro Cloud One account can create their account in the UK region. To identify which type of account you have see What's the difference between a new account and a legacy account?.

Fixed disappearing scanner stacks issue in File Storage Security

Thu, 02 Sep 2021 00:00:00 GMT

September 02, 2021, File Storage Security—Fixed the issue where scanner stacks disappeared after deleting one scanner stack.

Upgrade Network Security virtual appliances to latest versions for AWS and Azure integration

Thu, 02 Sep 2021 00:00:00 GMT

September 02, 2021, Network Security—Upgrade your appliance: Network Security virtual appliances can now be upgraded to the latest available version, 2021.4.1 or higher for AWS or 2021.3 or higher for Azure. Learn more.

Conformity introduces new standards, bug fixes, and optimized rules for AWS users

Tue, 07 Sep 2021 00:00:00 GMT

September 07, 2021, Conformity—The following features and updates were released to Conformity on 7th September 2021.

Standards and Frameworks

Conformity now supports the NIS Europe (OES-2019) and FISC Security Compliance(V9).

Communication Channels Update

ServiceNow: Updated ServiceNow communication channel to include ‘cloud provider Id’ and ‘cloud provider in the description.

Jira: Disabled the ‘Test settings' and the ‘Save’ buttons for Jira communication channel when the configuration is invalid. This ensures valid configuration must be selected and a successful test must be run before saving.

Bug Fixes

Fixed a bug where PDF Reports with 0 checks displayed a blank white page.
Fixed a bug where a default email communication channel was not set up when an account was added on Cloud OneConformity.
Fixed a bug where no error message was displayed for ‘Create/Update’ Communication settings API endpoints with more than 2 statuses were passed in the request.
Fixed a bug where usage of wildcard (* or ?) in the first few characters of the filtername] field for [Events API was returning an error message.
Fixed a bug where the "Welcome to Trend Micro Cloud One" welcome email was being sent up to three times upon email verification.
Fixed a bug where the user could not see the option to add an Azure account on the Subscription page if they only had AWS accounts configured.
Fixed a bug to generate accurate checks for Lambda-007 Rule in the Template scanner results.
Fixed a bug where the number of active communication channels with manual notifications turned 'ON' was not being reflected immediately.
Fixed a bug to remove ‘Organisational Profile' as an option in the Template Scanner dropdown option for Profile rule settings' because the organisational profile is already checked against by default.
Fixed a bug to prevent users from configuring exceptions using the following APIs for Rules that do not support exceptions:
https://eu-west-1-api.cloudconformity.com/v1/accounts/{id}/settings/rules/{ruleId}
https://eu-west-1-api.cloudconformity.com/v1/accounts/{id}/settings/rules
https://eu-west-1-api.cloudconformity.com/v1/profiles
https://eu-west-1-api.cloudconformity.com/v1/profiles/{id}

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.32. Click here to access the latest custom policy.

New Rule

AWS

IAM-068: Unapproved IAM Policy in Use: This rule checks if there are any unapproved IAM-managed policies in use.

Rule Update

Optimized rule configurations to prevent the following rules from generating false positive checks due to API throttling:

ELB-005: ELB Insecure SSL Protocol
ELB-006: ELB Insecure SSL Ciphers
IAM-001: Access Keys Rotated 30 Days
IAM-002: Access Keys Rotated 45 Days
IAM-004: Unnecessary Access Keys.
IAM-007: Password Policy Lowercase.
IAM-008: Password Policy Uppercase.
IAM-009: Password Policy Number
IAM-010: Password Policy Symbol
IAM-011: Password Policy Expiration
IAM-012: Password Policy Reuse Prevention
IAM-013: MFA For IAM Users With Console Password
IAM-016: IAM User Policies
IAM-024: IAM User With Password And Access Keys
IAM-025: Unnecessary SSH Public Keys
IAM-026: SSH Public Keys Rotated 30 Days
IAM-027: SSH Public Keys Rotated 45 Days
IAM-028: Inactive IAM Console User
IAM-029: Unused IAM User
IAM-038: Access Keys Rotated 90 Days
IAM-044: SSH Public Keys Rotated 90 Days

Rule Bug Fixes

EC2-027: Instance In Auto Scaling Group: Fixed a bug where false positives were generated by RTM for EC2 Instances created by Auto Scaling Group in between the bot runs.

CS-001: AWS Custom Rule: Improved the rule to minimize the likelihood of missing checks due to throttling of AWS Config rules.

CC-003: Conformity Insufficient Access Permissions: Fixed a bug that occasionally had a minor impact on the reliability of some of the IAM rules supported by RTM and Conformity Bot.

Improved AWS region matching for Launch Stack feature

Wed, 08 Sep 2021 00:00:00 GMT

September 08, 2021, File Storage Security—Fixed the issue where clicking Launch Stack of AWS, the AWS region is not matching the selected region from the console.

Trend Micro Cloud One expands to Japan, Germany, and Australia regions

Tue, 14 Sep 2021 00:00:00 GMT

September 14, 2021, General—Trend Micro Cloud One is now available in the Japan, Germany, and Australia regions, providing customers who have data sovereignty needs the option to have their account and security data hosted in-region. All Trend Micro Cloud One services except Open Source Security by Snyk are available for accounts in these regions.

Note: Only customers using a new Trend Micro Cloud One account can create their account in the new regions. To identify which type of account you have see What's the difference between a new account and a legacy account?

Upgrade to Resolve Memory Issue on Azure Appliances

Tue, 14 Sep 2021 00:00:00 GMT

September 14, 2021, Network Security—Upgrade to resolve a memory issue on Azure appliances: Appliance version 2021.8.0.11160 is now publicly available for both AWS and Azure platforms. Trend Micro recommends Azure customers upgrade to this version as soon as possible to avoid a memory issue that will result in a disruption of service and a reboot of your appliance. This version corrects the memory issue and provides the best performance. Learn more about how to upgrade.

Resolved AWS stack deployment issue for Lambda alias creation

Fri, 17 Sep 2021 00:00:00 GMT

September 17, 2021, File Storage Security—Fixed the issue where deploying stacks in AWS sometimes fails at creating Lambda aliases with ResourceConflictException.

Conformity enhances Terraform Template Scanner and introduces new IAM rule

Tue, 21 Sep 2021 00:00:00 GMT

September 21, 2021, Conformity—The following features and updates were released to Conformity on 21st September 2021.

Terraform Template Scanner Update

Template Scanner now supports scanning AWS RDS DB Cluster resources for Terraform templates.

Bug Fixes

Fixed a bug to enable Template Scanner to resolve nested intrinsic functions within Fn-Sub maps on CloudFormation templates.
Fixed a bug where the rule - DynamoDB-001: Unused table was being displayed in the Template Scanner results.
Fixed a bug where settings for a newly configured communication channel were not being reflected in the account settings UI.
Fixed a bug where users were being logged out of Conformity after clicking on a profile deleted via the API.
Fixed bug where users weren't able to scroll back up the Main Dashboard after navigating away from provider-specific account settings, for example, AWS RTM settings, Azure access settings, etc.
Fixed a bug where deleting a CQL query and going back to ‘Simple filters’ did not reset the filters.
Fixed a bug for the `Get Excluded Resources` API endpoint to return accurate results for regions `ap-southeast-2` and `eu-west-1`.

Conformity Bot Updates

We added support for AWS API Gateway Rest API tags to Conformity Bot so that rules like AG-005 (API Gateway Private Endpoint) can now support exceptions based on tags.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.32. Click here to access the latest custom policy.

New Rule

AWS

IAM-071: Receive Permissions via IAM Groups Only: This rule ensures that your Amazon IAM users can receive permissions only through IAM groups to follow the Principle of Least Privilege (POLP), allowing you to manage user-based access to your AWS resources efficiently.

Rule Update

RG-001: Tags: ResourceGroup Tags now supports API Gateways - REST API and Stages. To enable these resources, please update and save your rule settings.

Rule Bug Fix

ELBV2-006: ELBv2 ALB Security Group: Improved this rule to smoothly handle API throttling and prevent the generation of false positives as a result.

Article on troubleshooting sign up and sign in problems now available in Trend Micro Cloud One

Wed, 22 Sep 2021 00:00:00 GMT

September 22, 2021, General—Trend Micro Cloud One now has an article to help with sign up and sign in problems.

GCP account synchronization progress messages now displayed in Trend Cloud One console

Wed, 22 Sep 2021 00:00:00 GMT

September 22, 2021, Workload Security—The Trend Cloud One - Endpoint & Workload Security console now displays messages when a GCP account synchronization is in progress.

Enhanced Network Security for PCI DSS Compliance Guide

Thu, 23 Sep 2021 00:00:00 GMT

September 23, 2021, Network Security—PCI DSS compliance with Network Security: Network Security can help you meet your PCI DSS requirements. Learn how by reviewing the new checklist to guide you through the process.

Multiple Appliance Support for TLS Inspection Available

Thu, 23 Sep 2021 00:00:00 GMT

September 23, 2021, Network Security—TLS inspection now supports more than one appliance and proxy: You can now configure multiple appliances and proxy servers for TLS inspection. Learn more.

Enhanced Domain Filtering for PCI Compliance

Thu, 23 Sep 2021 00:00:00 GMT

September 23, 2021, Network Security—Updates to domain filtering to facilitate PCI compliance: To comply with the PCI requirement for restricting outbound traffic, domain filtering on Network Security appliances beginning with version 2021.9.0.11188 will only enforce policies in the outbound direction, egress to the internet. For appliances running earlier software versions, you can still configure inbound filtering policies. Learn more.

Experience Real-Time Attack Blocking with Network Security Trial

Thu, 23 Sep 2021 00:00:00 GMT

September 23, 2021, Network Security—Try out Network Security: Experience how your virtual appliance blocks inbound and outbound attacks in real-time with our quick trial. Learn more.

File Storage Security enhances Azure Data Lake Storage Gen2 file scanning

Tue, 28 Sep 2021 00:00:00 GMT

September 28, 2021, File Storage Security—File Storage Security now supports the scanning of files uploaded to Azure Data Lake Storage Gen2.

File Storage Security enables tagging scan results on Azure Blob metadata

Tue, 28 Sep 2021 00:00:00 GMT

September 28, 2021, File Storage Security—Azure storage stack's Post Scan Action function requires the `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` permission to update the Azure Blob metadata.

File Storage Security now provides the option of tagging the scan results on Azure Blob metadata via the All-in-One Stack and the Azure Storage Stack's ARM template. This functionality requires a stack update.

Azure Storage now supports dead lettering for Event Grid and Post Scan Action Tag functions

Fri, 01 Oct 2021 00:00:00 GMT

October 01, 2021, File Storage Security—Azure storage stack now enables dead lettering for both the protecting blob storage's Event Grid System Topic and the Post Scan Action Tag function's subscription to the Scan Result Topic. You can find the resource ID of the dead-letter storages in the `blobSystemTopicDeadLetterStorageID` and `blobScanResultSubscriptionDeadLetterQueueID` fields on the storage stack's deployment Outputs page. This functionality requires a stack update.

You monitor errors that occur during Azure functions that either process the blob created events or set the scan results to the blob's metadata or index tags from the dead-letter storages. For more information, see Monitor errors.

Improved AWS stack updates for seamless Lambda alias updates

Mon, 04 Oct 2021 00:00:00 GMT

October 04, 2021, File Storage Security—Fixed the issue where updating stacks in AWS sometimes fails at updating Lambda aliases with ResourceConflictException.

Runtime Security Feature Open to All Container Security Customers

Wed, 06 Oct 2021 00:00:00 GMT

October 06, 2021, Container Security—Container Security is introducing a new runtime security feature that was previously available to a limited number of customers by request only. The runtime security preview is now open to all Container Security customers.

Google Cloud Platform (GCP) Preview, Compliance Reports, Customization, and New Rules Released

Fri, 08 Oct 2021 00:00:00 GMT

October 08, 2021, Conformity—The following feature and updates were released to Conformity on 8th October 2021.

Preview for Google Cloud Platform (GCP) Now Available!

You can now onboard Google Cloud Projects to Conformity as cloud accounts and scan to produce checks. All GCP projects onboarded to Conformity during the Preview period will be monitored free of charge. Please refer to the Rules section below for Rules included in the Preview release. For details see: Add a GCP Account.

Standards and Compliance Reports

We now support the CIS AWS Foundations v1.3 Compliance Standard reports including the Excel version.

We’ve also added the NIST CyberSecurity Framework compliance reporting for Azure.

New Rules Start Date

You can now customize 'New Rules Start Date' in both organization settings and account settings. Any rules released after this set date will be treated as new rules.

Download Report Summary as PNG

You can download Report Summary as a PNG image from Dashboard > Overview and click on the three dots next to Configured Reports > Export PNG.

CSV Reports Update

CSV reports will now include 'Check Id' and 'Link to resource' fields.

Checks API Update

Added a `consistentPagination` parameter in the Checks API that can be set to ‘false’ to get better performance at the cost of consistency when paginating.

Filter RTM Rules with Services API

Updated v1/services API to indicate which rules are supported by RTM. Here is an example of using 'jq' command to parse the v1/services endpoint response to filter RTM rules:

```

curl https://ap-southeast-2.cloudconformity.com/v1/services > conformityservices.json

cat conformityservices.json | jq '.included[] | select(.attributes.rtm==true)' > rtmrules.json

```

View all unmonitored accounts in the Threat Monitoring section

Conformity now displays all the accounts unmonitored by RTM on the Threat Monitoring section as compared to previously displaying up to 10 accounts only.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.32. Click here to access the latest custom policy.

Conformity Bot Updates

Improved Conformity Bot to prevent duplicate notifications or false positives due to throttling without a change in the customer resources. We applied this improvement to some AWS rules for EC2, Route-53, VPC, IAM, KMS, CWL, Inspector, Trusted Advisor, Sheild, EMR, WAF, Lambda, Organisations, Cloud Conformity, Secrets Manager, BackUp, and Well-Architected.

New Rules

The following new rules will be available with the Preview release of the Google Cloud Platform to Conformity.

CloudSQL-002: Enable Automated Backups for Cloud SQL Database Instances: This rule ensures that Cloud SQL database instances are configured with automated backups.

CloudSQL-003: Enable High Availability for Cloud SQL Database Instances: This rule ensures that the production SQL database instances are configured to automatically failover to another zone within the selected cloud region.

BigQuery-001: Check for Publicly Accessible BigQuery Datasets: This rule checks for publicly accessible Google Cloud BigQuery datasets.

CloudStorage-001: Check for Publicly Accessible Cloud Storage Buckets: This rule ensures that there are no publicly accessible Cloud Storage buckets within your Google Cloud Platform (GCP) account.

CloudVPC-001: Check for Unrestricted RDP Access: This rule ensures that there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3389 (RDP).

CloudVPC-002: Check for Unrestricted SSH Access: This rule ensures that no VPC firewall rules allow unrestricted inbound access on TCP port 22 (SSH).

CloudVPC-003: Enable VPC Flow Logs for VPC Subnets: This rule ensures that the VPC Flow Logs feature is enabled for all VPC network subnets.

CloudIAM-001: Restrict Administrator Access for Service Accounts: This rule ensures that user-managed service accounts are not using administrator-based roles.

ComputeEngine-001: Check for Virtual Machine Instances with Public IP Addresses: This rule ensures that your Google Compute Engine instances are not configured to have external IP addresses to minimize their exposure to the Internet.

CloudKMS-001: Check for Publicly Accessible Cloud KMS Keys: This rule ensures that there are no publicly accessible KMS cryptographic keys available within your Google Cloud account.

Rule Updates

RTM-009: VPC Network Configuration Changes: This rule now supports an ‘allow list’ of users based on ARNs such that checks are not generated for users added to this list. The Supported user types are IAMUser, AssumedRole, and FederatedUser.

VPC-015: Ineffective Network ACL DENY Rules: Updated this rule to generate a rule failure if a DENY NACL rule is ineffective due to a higher priority ALLOW rule.

Route53-003: Route 53 Domain Transfer Lock: This rule has been updated to not check the transfer lock status of these domains as AWS does not support transfer lock for the following top-level domains:
“.ch”
“.co.nz”
“.co.za”
“.com.ar”
“.com.au”
“.de”
“.es”
“.eu”
“.fi”
1“.fr”
“.jp”
“.net.au”
“.net.nz”
“.nl”
“.it”
“.org.nz”
“.qa”
“.ru”
“.se”
“.uk”

Rules labeled as 'New' have been updated to 'Recently added'.

Rule Bug Fixes

The following VPC Network ACLs rules will no longer scan shared VPC and produce checks
VPC-010: Unrestricted Network ACL Outbound Traffic
VPC-011: Unrestricted Network ACL Inbound Traffic
VPC-015: Ineffective Network ACL DENY Rules
VPC-017: Unrestricted Inbound Traffic on Remote Server Administration Ports

Fixed a bug to prevent false positives from being generated for the following rules:
SNS-006 - SNS Topic Encrypted
SNS-007 - SNS Topic Encrypted With KMS Customer Master Keys

New Agent Version 20.0.0.3165 Released for Trend Cloud One Customers

Fri, 08 Oct 2021 00:00:00 GMT

October 08, 2021, Workload Security—Agent version 20.0.0.3165 has been released to Trend Cloud One - Endpoint & Workload Security customers. However, it will not be made available on the Deep Security Agent software download page or released to customers using Deep Security Manager. For information about what's included in this version, see What's New in Deep Security Agent.

Security event sharing enhances visibility and collaboration in Network Security

Fri, 08 Oct 2021 00:00:00 GMT

October 08, 2021, Network Security—Security event sharing: Threat Insights provides visibility into the security events of your appliances by compiling statistics from those events and sharing them with Nework Security. Learn more.

File Storage Security API now supports filtering scan results by storage

Thu, 14 Oct 2021 00:00:00 GMT

October 14, 2021, File Storage Security—The scan statistics and events APIs now support the 'storage' parameter. This allows API users to filter their File Storage Security scan results by storage.

For more information, see List scan statistics and List events.

Enhanced role customization for Trend Micro Cloud One improves access control efficiency

Thu, 14 Oct 2021 00:00:00 GMT

October 14, 2021, General—Trend Micro Cloud One now supports customization of roles, enabling more granular role-based access control (RBAC) across security services and administrative functions. For more information, see Assign roles to users.

Enhanced IAM Service Checks for Conformity Bot Efficiency

Fri, 15 Oct 2021 00:00:00 GMT

October 15, 2021, Conformity—The Conformity Production account experienced a degree of outbound API call rate-limiting for the IAM service in AWS, between 30th August -16th September 2021, resulting in some missing and outdated checks by Conformity Bot.

Cause

Working with the AWS account teams, we identified certain instances where Conformity was making repetitive API calls. For example, redundant attempts to list and get certain AWS managed policies contributing to throttling by AWS.

Resolution

We have made Conformity Bot checks for the IAM service more reliable by caching certain IAM results to reduce the number of redundant API calls. This also reduces the likelihood of API throttling on your accounts. We will continue to monitor the system to ensure the success of these improvements. We have more improvements planned to increase the efficiency of the Conformity Bot in the near future and will keep you updated with the progress.

Fixed issue with S3 bucket event notifications post stack deletion

Fri, 15 Oct 2021 00:00:00 GMT

October 15, 2021, File Storage Security—Fixed the issue where the S3 bucket's event notification was not removed correctly after deleting a stack that specified the `ObjectFilterPrefix` parameter. This functionality requires a stack update.

If the stack has already been deleted, you need to remove the bucket's event notification manually. For more information, see Enabling event notifications.

AWS Storage Stack now supports dead-letter queue deployment

Mon, 18 Oct 2021 00:00:00 GMT

October 18, 2021, File Storage Security—AWS storage stack now provides the option to deploy with a dead-letter queue. This functionality requires a stack update. For more information, see Storage Stack DLQ.

AWS IAM Roles now support permissions boundary for File Storage Security

Mon, 18 Oct 2021 00:00:00 GMT

October 18, 2021, File Storage Security—AWS stacks now support specifying a permissions boundary for all the IAM roles created by File Storage Security.

This allows users to make sure the roles created by File Storage Security are limited to a scope of permissions.

For more information, see Add AWS stacks and AWS permissions control.

Trend Micro Cloud One expands to Canada and Singapore regions for data sovereignty compliance

Mon, 18 Oct 2021 00:00:00 GMT

October 18, 2021, General—Trend Micro Cloud One is now available in the Canada and Singapore regions, providing customers who have data sovereignty needs the option to have their account and security data hosted in-region. All Trend Micro Cloud One services except Open Source Security by Snyk are available for accounts in these regions.

Custom rule creation now displays dates in Workload Security

Mon, 18 Oct 2021 00:00:00 GMT

October 18, 2021, Workload Security—Resolved an issue where when creating custom Log Inspection, Integrity Monitoring, or Intrusion Prevention rules, the date wasn't displayed in the Issued and Last Updated fields.

Stacks no longer disappear from console

Tue, 19 Oct 2021 00:00:00 GMT

October 19, 2021, File Storage Security—Fixed the issue where stacks disappear from the console.

File Storage Security now restricts stack deployment and deletion for Read Only users

Wed, 20 Oct 2021 00:00:00 GMT

October 20, 2021, File Storage Security—File Storage Security console now disables the stack deployment buttons and the stack deleting button if the Cloud One user has `Read Only` role.

Enhanced Azure Security Configurations for Functions and Storage Accounts

Wed, 20 Oct 2021 00:00:00 GMT

October 20, 2021, File Storage Security—The following Azure security configurations are used for the functions and storage accounts deployed in the Azure stacks:

For all Azure functions, the `httpsOnly` property is set to `true`.
For all Azure storage accounts, the `minimumTlsVersion` property is set to `TLS1_2`.

This functionality requires a stack update.

CloudFormation Stack Creation Support for Enhanced Analysis and Troubleshooting

Thu, 21 Oct 2021 00:00:00 GMT

October 21, 2021, Network Security—CloudFormation stack creation support: You can now send your Cloud Formation stack event logs directly to Trend Micro for further analysis and troubleshooting by our team of experts. Learn more.

Improved Troubleshooting Report Submission Process

Thu, 21 Oct 2021 00:00:00 GMT

October 21, 2021, Network Security—Troubleshooting report improvements: Sending a troubleshooting report to us is now easier. You can now generate and send a report from your appliance without creating an S3 bucket. Learn more.

Legacy Trend Micro Cloud One API Endpoints Decommissioned for Certain Accounts

Fri, 22 Oct 2021 00:00:00 GMT

October 22, 2021, General—As of December 31st, 2021, API endpoints for the following Trend Micro Cloud One services will be decommissioned for legacy Trend Micro Cloud One accounts created before August 4th only:

Network Security
Application Security
File Storage Security
Container Security

Customers currently using these endpoints can contact Trend Micro to upgrade their account and access the same API functionality using the Trend Cloud One updated regional service API endpoints. For more information, see End of Support for Legacy Account API Endpoints for Cloud One - Network Security, Container Security, Application Security, and File Storage Security.

Custom Roles for Workload Security Accounts Now Available

Fri, 22 Oct 2021 00:00:00 GMT

October 22, 2021, General—Accounts created on or after August 4, 2021 now support the use of custom roles for Workload Security, enabling even more granular role-based access control (RBAC). For details, see Assign roles to users.

Pay as you go billing for protected containers and VMs in Trend Micro Cloud One

Mon, 25 Oct 2021 00:00:00 GMT

October 25, 2021, Billing and Subscription Management—Pay as you go billing is now available for containers and VMs protected by Trend Micro Cloud One - Application Security. For pricing and additional information, please see Trend Micro Cloud One on the AWS Marketplace.

Improved User Experience for Trend Cloud One Account Creation Dates After August 4, 2021

Mon, 25 Oct 2021 00:00:00 GMT

October 25, 2021, Workload Security—To limit redundancy, users with a Trend Cloud One account created on or after August 4, 2021 will no longer see legacy UI items in the Trend Cloud One - Endpoint & Workload Security console for elements that are controlled at the Trend Cloud One account level, such as API keys and user role assignments.

Additional IAM Policy Support for AWS Stacks in File Storage Security

Mon, 25 Oct 2021 00:00:00 GMT

October 25, 2021, File Storage Security—AWS stacks now support specifying a list of additional IAM policies for all the IAM roles created by File Storage Security.

This provides another option for users to control the permissions of File Storage Security in addition to permissions boundary.

For more information, see Add AWS stacks and AWS permissions control.

Extended Console Session Timeout for New Trend Micro Cloud One Accounts

Mon, 25 Oct 2021 00:00:00 GMT

October 25, 2021, General—The console session timeout has been extended to 30 minutes for new Trend Micro Cloud One accounts created on or after August 4th, 2021.

Anti-Malware Protection Status widget loading issue resolved on dashboard

Thu, 28 Oct 2021 00:00:00 GMT

October 28, 2021, Workload Security—Resolved an issue where the Anti-Malware Protection Status widget on the Trend Cloud One - Endpoint & Workload Security dashboard displayed "Unable to load widget".

Enhanced Agent Installer and Platform Support in Workload Security 20.0.0.3288

Thu, 28 Oct 2021 00:00:00 GMT

October 28, 2021, Workload Security—Agent version 20.0.0.3288 has been released.

Some highlights include:

Evolution of the agent installer: The agent installer now installs most agent content.
Enhanced platform support: Added AlmaLinux 8, Rocky Linux 8, Ubuntu 20.04 (AWS ARM-Based Graviton 2), and Ubuntu 18.04 (AWS ARM-Based Graviton 2).
Secure boot support: Added Oracle Linux 7 and Oracle Linux 8.

For detailed information on what's included in this version, see What's New in Deep Security Agent.

Default timeout for Trend Vision One (XDR) registration increased to 70 seconds

Thu, 28 Oct 2021 00:00:00 GMT

October 28, 2021, Workload Security—The default timeout for Trend Vision One (XDR) registration has changed from 60 seconds to 70 seconds.

Enhanced Security Posture Assessment in Network Security Deployment

Fri, 29 Oct 2021 00:00:00 GMT

October 29, 2021, Network Security—Security posture assessment: When deploying Network Security using the Get Started wizard, you can now view an assessment of your security posture to better assess your security needs. This visual evaluation shows you how Network Security can optimize and protect your assets. Learn more.

Annual subscriptions now setup through Trend Micro Activation Service

Mon, 01 Nov 2021 00:00:00 GMT

November 01, 2021, Billing and Subscription Management—For customers buying annual subscriptions of Trend Micro Cloud One, new purchases and renewal orders are now set up using the Trend Micro Activation Service. For more information and instructions, see this article. This does change does not affect customers subscribing to Trend Micro Cloud One through AWS Marketplace.

Deploy Network Security in Azure with Gateway Load Balancer

Tue, 02 Nov 2021 00:00:00 GMT

November 02, 2021, Network Security—Deploy in Azure with Gateway Load Balancer: A new deployment option that leverages Azure Gateway Load Balancer is now generally available from Azure Marketplace. With this Gateway Load Balancer offering, you can inspect inbound and outbound traffic with minimal changes to your existing network infrastructure. Learn more.

Pay as you go billing introduced for Trend Micro Cloud One - Workload Security Essentials

Wed, 03 Nov 2021 00:00:00 GMT

November 03, 2021, Billing and Subscription Management—Pay as you go billing is now available for Trend Micro Cloud One - Workload Security Essentials. Workloads using only the Anti-Malware or Activity Monitoring (XDR) modules will now be charged at a lower hourly rate. For more information, see Trend Micro Cloud One on the AWS Marketplace.

Instance IDs now included in azureARMVirtualMachineSummary object in Computers API response

Wed, 03 Nov 2021 00:00:00 GMT

November 03, 2021, Workload Security—The azureARMVirtualMachineSummary object in the computers API response now includes the instanceID, allowing you to get the Instance IDs of your Azure VMs by calling Computers API (List Computers).

Scanner now able to send scan events to File Storage Security backend

Wed, 03 Nov 2021 00:00:00 GMT

November 03, 2021, File Storage Security—Fixed the issue where scanner cannot send scan events to File Storage Security backend. The scanner stacks which are added after October 28th are not affected.

New option to schedule kernel updates for Workload Security agents

Wed, 03 Nov 2021 00:00:00 GMT

November 03, 2021, Workload Security—You can now choose when to perform kernel support package updates, using the new Automatically update kernel package when agent restarts option in the computer or policy editor. For details, see Manage kernel support package updates

Conformity introduces new rules, bug fixes, and custom policy updates for enhanced security

Thu, 04 Nov 2021 00:00:00 GMT

November 04, 2021, Conformity—The following features and updates were released to Conformity on 4th November 2021.

The Custom Check API now enables a user to specify a TTL field to auto remove/expire their check.
The extra data for checks earlier available through the Get Check Details API and UI is now included in the 'Meta' column of CSV reports.
We’ve Improved the RTM eventBridge rule to exclude data events.

Bug Fixes

Fixed an issue with the Jira communication channel configuration where the ‘Save’ and the ‘Test’ buttons got stuck when testing against an invalid priority.

Improved the performance of "Create Account" Public API, response time is now reduced.

Added missing metadata, page number, and size to the payload response examples in the Checks API Reference documentation.

Fixed a bug to display corresponding ticketing channels while viewing checks for ‘All Cloud Accounts’.

Custom Policy Updates

The custom policy has been updated as a result of the new deployment. The current custom policy version is 1.33. The permissions added are:

macie2:GetClassificationExportConfiguration

macie2:ListClassificationJobs

macie2:GetFindingStatistics

Click here to access the latest custom policy.

New Rules

AWS

S3-029: Amazon Macie Finding Statistics for S3: This rule captures summary statistics about Amazon Macie security findings on a per-S3 bucket basis.

Macie2-002: Amazon Macie Sensitive Data Repository: This rule ensures that a data repository bucket is defined for Amazon Macie within each AWS region.

Macie2-003: Amazon Macie Discovery Jobs: This rule ensures that Amazon Macie data discovery jobs are created and configured within each AWS region.

Azure

SecurityCenter-029: Configure Additional Email Addresses for Azure Security Center Notifications: This rule ensures that additional email addresses are provided to receive security notifications.

Rule Updates

SSM-003: Check for SSM Managed Instances: Updated the rule to no longer produce checks for EC2 Instances in 'Stopped' state.

IAM-054: IAM Configuration Changes: Add a new rule configuration for setting a regular expression of ARNs for users (IAMUser, AssumedRole or FederatedUser) whose activity will not be checked against this rule (e.g. ^(arn:aws:iam::\\d{12}:user\\/James-.+)$)”

RTM-011: Unintended AWS API Calls Detected: This rule now supports ‘PasswordRecoveryRequested’, ‘PasswordRecoveryCompleted’, ‘PasswordUpdated’ root user events.

Updated Default Risk Levels for S3-026 and S3-027

We’ve updated the default risk levels for these rules to reduce alarm noise and provide more relevant notifications from the other S3 rules that do control exposure of a bucket to public access.

S3-026: Enable S3 Block Public Access for S3 Buckets - from 'Very High' to 'Medium'.
S3-027: Enable S3 Block Public Access for AWS Accounts - from 'Very High' to 'Low'.

Because an Account admin can only use the S3 Block Public Access feature to restrict public access to a bucket, but they cannot grant public access to the bucket. They need to use a policy or an ACL to open a given access point and buckets to grant public access. Therefore, failing the checks for the rules S3-026 & S3-027 with a ‘Very High’ severity overstates the exposure of the buckets in an account.

The severities of 'Medium' and 'Low' respectively provide a closer depiction of the exposure since the 'Very High' Severity rules S3-001, S3-002, S3-003, S3-004, S3-005, and S3-014 directly control public access to a bucket.

For more information see AWS documentation on Block Public Access and Access Control Block Public Access.

Bug Fixes

IAM-17: Unused IAM Group: Fixed the bug which RTM generates false positive check result for IAM-017 rule.

Fix a bug where duplicate notifications were generated for the following rules:
VirtualMachines-001: Enable Encryption for Boot Disk Volumes
VirtualMachines-002: Enable Encryption for Non-Boot Disk Volumes
VirtualMachines-003: Enable Encryption for Unattached Disk Volumes

Fixed a bug where EBS service retained stale checks for users with a large amount of EBS snapshots.

Fixed a bug where ELB related rules were not being triggered by RTM events. Added support for Terraform plans AWS KMS key resourceDB instance resource.

IAM-047: IAM Manager Roles: Fixed a bug where false negative checks were being generated for the rule.

Enhanced Mitigation of Runtime Issues with Customized Policies

Thu, 04 Nov 2021 00:00:00 GMT

November 04, 2021, Container Security—Container Security will be introducing the ability to mitigate problems detected by the runtime visibility and control feature, based on user-customized policy. If a pod violates any rule during runtime, the issue will be mitigated by terminating or isolating the pod based on the policy.

Lambda scanner now directly sends scan events to File Storage Security backend via API

Wed, 10 Nov 2021 00:00:00 GMT

November 10, 2021, File Storage Security—The Lambda scanner now sends scan events to the File Storage Security backend by API instead of AWS SNS topic.

Container Security Enhances Runtime Visibility and Control Feature

Fri, 12 Nov 2021 00:00:00 GMT

November 12, 2021, Container Security—Container Security introduces the next iteration of runtime security feature with the new runtime visibility and control feature. This runtime security feature provides visibility and mitigation of container activity that violates a customizable set of rules. Runtime security includes a set of pre-defined rules that provide visibility into MITRE ATT&CK framework tactics for containers as well as container drift detection. Runtime security is compatible with Kubernetes and supports Amazon EKS, Microsoft Azure AKS, Google GKE, as well as OpenShift.

Enhanced Mitigation Capabilities for Container Security Runtime Violations

Fri, 12 Nov 2021 00:00:00 GMT

November 12, 2021, Container Security—Container Security introduces the ability to mitigate problems detected by the runtime visibility and control feature, based on a user-customized policy. If a pod violates any rule during runtime, the issue is be mitigated by terminating or isolating the pod based on the policy.

Improved Integration: User Email Addresses Imported Directly into Endpoint & Workload Security

Fri, 12 Nov 2021 00:00:00 GMT

November 12, 2021, Workload Security—To further improve integration between Trend Cloud One and Trend Cloud One - Endpoint & Workload Security, user email addresses from Trend Cloud One will soon be imported directly into Trend Cloud One - Endpoint & Workload Security's user properties. This change will mean that the same user cannot have a different email in Trend Cloud One and Trend Cloud One - Endpoint & Workload Security. Users will still be able to send reports to a custom contact and send alerts to a custom email. This change only affects new accounts created on or after August 4, 2021.

File Storage Security now scans over 50 buckets in the same AWS account

Tue, 16 Nov 2021 00:00:00 GMT

November 16, 2021, File Storage Security—File Storage Security now supports scanning more than 50 buckets if the storage stack and scanner stack are in the same AWS account.

New Trust Entities feature streamlines software changes and reduces manual management

Tue, 16 Nov 2021 00:00:00 GMT

November 16, 2021, Workload Security—The new Application Control Trust Entities feature for Trend Cloud One - Endpoint & Workload Security is now being rolled out in some regions. Trust entities lets you configure trust rules to auto-authorize software changes in your environments, reducing the number of software changes and security events you need to manage manually. Note that when Trust Entities becomes available in your region, you will also see Application Control "Software Rulesets" (previously known as "Application Control Rulesets") under Policies > Common Objects > Rules > Application Control.

Appliance health monitoring with Amazon SNS notifications

Thu, 18 Nov 2021 00:00:00 GMT

November 18, 2021, Network Security—Appliance health monitoring and notifications: With an Amazon Simple Notification Service (SNS) subscription, AWS users can configure Network Security to send notifications to their Amazon SNS topic when their tenants or appliances have health issues. Learn more.

Conformity introduces Terraform Provider, GCP Onboarding, UX Improvements, and New Rules

Fri, 19 Nov 2021 00:00:00 GMT

November 19, 2021, Conformity—The following features and updates were released to Conformity on 19th November 2021.

Conformity now available in the Terraform Provider Registry

Conformity is now supported as a Terraform Provider allowing you to provision and manage your Conformity account settings via Terraform templates. The functionality includes onboarding and managing AWS and Azure accounts, users, profiles and account rule settings, reports, conformity bot frequency, and communication channels. Read more >>

GCP Account Onboarding

You can now upload a service account key file while Adding a GCP account instead of using the copy and paste option.

You can also view the number of existing GCP projects added to the service account.

Profiles - UX Improvements

We’ve updated the ‘Apply to’ dialogue box to be more descriptive of the search function.

We’ve also updated the Profile Summary page providing clarity around the ‘manually configured’ and ‘available to be configured’ rules.

Additionally, we’ve added a ‘Rule Summary’ section under Rule Settings for individual accounts.

Bug Fixes

Fixed a bug to update the Communication Channel API endpoint to make it consistent with the UI.

Fixed a bug where incomplete accounts were being displayed in the unmonitored account list on the All accounts tab in the Threat monitoring dashboard.

Fixed a bug to make Azure conformity bot using consistent region naming for filter and check results.

Fixed a bug with validation while creating/updating report configs using the API to check for all items and reject the request on finding any invalid formats in the email array.

Custom Policy Updates

The custom policy has been updated as a result of the new deployment. The current custom policy version is 1.34.

The permission added is:

config:SelectResourceConfig

Click here to access the latest custom policy

New Rules

Azure

ActiveDirectory-024: Enable Security Defaults: This rule ensures that the Security Defaults feature is enabled for Azure Active Directory (AAD) to help protect your organization from common attacks. It is a set of basic identity security mechanisms recommended by Microsoft and provided at no extra cost in Active Directory.

ActiveDirectory-023: Restrict User Access to AAD Group Features in Azure Access Panel: This rule ensures that the ‘Restrict user ability to access groups features in the Access Panel’ setting is enabled to ascertain that non-privileged users are unable to create and manage security groups using the Azure Access Panel.

Rule Updates

CS-001: AWS Custom Rule (ConfigService): This rule now allows you to configure the following categories to custom rules. If you’ve not configured a custom category, then the default categories will apply to all custom rules.

Security,
Reliability,
Performance Efficiency,
Cost Optimisation, and
Operational Excellence

CloudFormation Rules: Updated this rule to generate a rule failure if a DENY NACL rule is ineffective due to a higher priority ALLOW rule.

Rule Bug Fixes

RDS-005: RDS Encrypted With KMS Customer Master Keys: Fixed bug where the rule was generating false positives when encrypted using AWS default keys.
RDS-007: RDS Multi-AZ: Fixed a bug on RDS-007 such that no check is returned Aurora Serverless DB cluster.
Fixed the bug where RTM did not generate checks for the following rules when an IAM role was created or updated.
IAM-50: Cross-Account Access LAcks External ID and MFA
IAM-057: Check for Untrusted Cross-Account IAM Roles

Scheduled System Maintenance for Trend Micro Cloud One on December 4th, 2021

Fri, 19 Nov 2021 00:00:00 GMT

November 19, 2021, General—System maintenance for Trend Micro Cloud One is scheduled for Saturday December 4th, 2021 between 03:00 and 11:00 UTC. During the maintenance, console and API access for certain Trend Micro Cloud One services will be unavailable. For more information or to be notified of scheduled maintenance, see Trend Micro Cloud One Maintenance.

Improved Email Integration for Trend Cloud One User Properties

Mon, 22 Nov 2021 00:00:00 GMT

November 22, 2021, Workload Security—To further improve integration between Trend Cloud One and Trend Cloud One - Endpoint & Workload Security, user email addresses from Trend Cloud One are now imported directly into Trend Cloud One - Endpoint & Workload Security user properties. This means that the same user cannot have a different email in Trend Cloud One and Trend Cloud One - Endpoint & Workload Security. Users can still send reports to a custom contact and send alerts to a custom email. This change only affects new accounts created on or after August 4, 2021.

Enhanced azureARMVirtualMachineSummary object in Computers API response includes azureresourceid

Wed, 24 Nov 2021 00:00:00 GMT

November 24, 2021, Workload Security—The azureARMVirtualMachineSummary object in computers API response now includes the azureresourceid, allowing you to get the azureresourceid of your Azure VMs by calling Computers API (List Computers).

Agent now supports Windows Server 2022

Wed, 24 Nov 2021 00:00:00 GMT

November 24, 2021, Workload Security—The agent (version 20.0.0-3445+) now supports Windows Server 2022. For details, see Supported features by platform.

New API Endpoints, Bug Fixes, Custom Policy, and Rules Enhancements Released on Conformity

Thu, 25 Nov 2021 00:00:00 GMT

November 25, 2021, Conformity—The following features and updates will be released to Conformity on 29th November 2021.

New API Endpoints for:

GCP Account Onboarding

Create GCP Organisation: `POST/gcp/organisations`
Create GCP Account: `POST/accounts/gcp`
List GCP Projects in an Organisation: `GET/v1/gcp/organisations/{id}/projects`

Azure Subscriptions Onboarding

Onboard Azure Active Directory: `POST /azure/active-directories`
List all subscriptions in an onboarded Azure Active Directory: `GET azure/active-directories/{directoryId}/subscriptions`

Bug Fixes

Fixed a bug where a Conformity user and a CloudOne user having the same email address trying to reset the password over the Conformity screen was resulting in an error.
Fixed a bug to prevent the same checks from being generated on different GCP projects that are onboarded in the same service account.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.34. Click here to access the latest custom policy

New Rules

GCP

CloudSQL-004:Enable SSL/TLS for Cloud SQL Incoming Connections: This rule checks whether secure SSL/TLS is used for Incoming Connections to Cloud SQL server database instances.

ComputeEngine-002: Enforce HTTPS Connections for App Engine Applications: This rule ensures that all connections made to your Google App Engine applications are using HTTPS in order to protect against eavesdropping and data exposure.

Rule Updates

Route53-011: Remove AWS Route 53 Dangling DNS Records: Updated primary resource from “hosted zone” to “hosted zone's record” to allow-list IPs and record names. Please note that only records with AWS IPs can generate checks.

Note: resourceID has changed from "hosted zone" to "hosted zone-record name" (e.g. used to be "/hostedzone/xxxx" and now "/hostedzone/xxxx-domain.com."). You’ll need to update the existing resourceID exceptions and suppression settings accordingly.

RTM now supports RDS DB cluster events rules.

Improved handling of user email addresses in primary contact settings

Thu, 25 Nov 2021 00:00:00 GMT

November 25, 2021, Workload Security—Addressed an issue where Trend Cloud One - Endpoint & Workload Security did not keep email addresses for Trend Cloud One users when trying to set the primary contact.

Trend Micro Cloud One now offers pay as you go billing on Azure Marketplace

Mon, 29 Nov 2021 00:00:00 GMT

November 29, 2021, Billing and Subscription Management—Trend Micro Cloud One is now available for purchase with pay as you go billing on the Azure Marketplace. All Cloud One services are available, and are billed with the same hourly unit prices as Trend Micro Cloud One on AWS Marketplace. For more information see Subscribe with Azure - Pay as you Go billing.

Enhanced File Storage Security Reporting for Object Keys

Mon, 29 Nov 2021 00:00:00 GMT

November 29, 2021, File Storage Security—File Storage Security now supports the ability to choose whether to report object key in the scanning events to backend service.

When deploying stacks in cloud providers, enable the option to see the object keys of the malicious objects in the response of events API.

This functionality requires a stack update.

Select specific availability zones for Network Security protection during deployment

Mon, 29 Nov 2021 00:00:00 GMT

November 29, 2021, Network Security—Select availability zones to protect: When deploying Network Security using the Get Started wizard, you can now select which availability zones you want to protect with Network Security virtual appliances. You can also use the APIs to select the availability zones. Learn more.

Agent version 20.0.0.3445 introduces offline scheduled scan and security enhancements

Tue, 30 Nov 2021 00:00:00 GMT

November 30, 2021, Workload Security—Agent version 20.0.0.3445 has been released.

Some highlights include:

Anti-Malware offline scheduled scan: The agent (version 20.0.0-3445+ for Windows) adds the offline scheduled scan feature, enabling Anti-Malware scheduled scans to run while an agent is not connected to Trend Cloud One - Endpoint & Workload Security. This feature is only available to certain Trend Cloud One - Endpoint & Workload Security customers at this time.
Enhancements to database size management, TLS security, and the Application Control trust entities feature.

For detailed information on what's included in this version, see What's New in Deep Security Agent.

Maintenance for Trend Micro Cloud One rescheduled to December 18, 2021

Tue, 30 Nov 2021 00:00:00 GMT

November 30, 2021, General—System maintenance for Trend Micro Cloud One that was previously scheduled for December 4, 2021 will now take place Saturday December 18, 2021, between 03:00 and 11:00 UTC. During the maintenance, console and API access for certain Trend Micro Cloud One services will be unavailable. For more information or to be notified of scheduled maintenance, see Trend Micro Cloud One Maintenance.

Allow List for Trusted Namespace Resources in Container Security

Tue, 07 Dec 2021 00:00:00 GMT

December 07, 2021, Container Security—Container Security introduces the ability to create an allow list of namespaces whose resources are not monitored, evaluated, or mitigated by any policies. Use the allow list to avoid monitoring and receiving events from known trusted resources such as the Kubernetes Control plane, Calico, or Istio.

AWS Storage Stack now supports encryption for SNS ScanResultTopic

Wed, 08 Dec 2021 00:00:00 GMT

December 08, 2021, File Storage Security—AWS storage stack now provides the option to encrypt the SNS ScanResultTopic. If this option is enabled, the AWS scanner stack can also send the scan result to an encrypted topic. For more information, see Add AWS stacks.

This functionality requires a stack update.

Conformity now supports LGPD Compliance, adds descriptions to Configured Reports, and introduces new G

Fri, 10 Dec 2021 00:00:00 GMT

December 10, 2021, Conformity—The following features and updates were released to Conformity on 10th November 2021.

Conformity now supports the LGPD (Brazil) Compliance and Conformity AWS Standard and Framework report.
You can also add a description to all of your Configured Reports.

Bug Fixes

Fixed a bug where Conformity displayed a blank screen when onboarding a GCP project without correct permissions.

Fixed a bug where the Reports API endpoint returned an error on using the curl -L command.

Fixed a bug to hide admin links in the communication channel recipient configuration screen for non admin users.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.34. Click here to access the latest custom policy.

New Rules

GCP

CloudSQL-005: Disable 'Cross DB Ownership Chaining' Flag for SQL Server Database Instances: This rule ensures that SQL Server database instances have 'cross db ownership chaining' flag set to Off.

CloudSQL-006: Disable 'Contained Database Authentication' Flag for SQL Server Database Instances: This rule ensures that SQL Server database instances have 'contained database authentication' flag set to Off.

CloudSQL-007: Disable "log_min_duration_statement" Flag for PostgreSQL Database Instances:This rule ensures that PostgreSQL database instances have "log_min_duration_statement" flag set to -1 (Off).

CloudKMS-002: New Rule: Rotate Google Cloud KMS Keys: This rule ensures that all KMS cryptographic keys available within your Google Cloud account are regularly rotated.

CloudIAM-002: Enforce Separation of Duties for Service-Account Related Roles:This rule ensures that separation of duties is implemented for all Google Cloud service account roles.

Azure

AccessControl-002: Resource Locking Administrator Role: This rule ensures that there is a custom IAM role assigned to manage resource locking within each Microsoft Azure subscription.

Rule Updates

Inspector-001: Amazon Inspector Findings: This rule now returns EC2 instance tags and finding attributes (tags) related to the finding as part of the check tags data. EC2 instance tags and inspector finding attributes can be disabled or enabled within the rule configuration. Both of these are enabled by default.

Advisor-001: Check for Azure Advisor Recommendations: This rule now displays checks under the relevant categories when trying to filter, report or calculate scores for each pillar instead of appearing under all 5 categories.

Enhanced Threat Insights show top network traffic regions for better geolocation filtering

Wed, 15 Dec 2021 00:00:00 GMT

December 15, 2021, Network Security—Insights into the countries and regions that most threaten your network: Network Security's Threat Insights now display the top five regions or countries that generate the most traffic events in your network. This insight enables you to refine your geolocation filtering policy. Learn more.

Improved detection of expired objects in Trend Cloud One - Endpoint & Workload Security

Thu, 16 Dec 2021 00:00:00 GMT

December 16, 2021, Workload Security—Trend Cloud One - Endpoint & Workload Security was sending suspicious objects to the agent even after the objects' expire time had ended.

File Storage Security console now shows malicious events in scan history chart

Mon, 27 Dec 2021 00:00:00 GMT

December 27, 2021, File Storage Security—The File Storage Security console now displays malicious events below the scan history chart.

Container Security now supports multi-property rule statements, deprecating single-property rules

Tue, 04 Jan 2022 00:00:00 GMT

January 04, 2022, Container Security—Container Security Policies API rule statements with a single property are deprecated and replaced by multi-properties rule statements. Single-property rule statements will be completely removed by February 1, 2022.

AWS scan results now include S3 request ID for improved security monitoring

Thu, 06 Jan 2022 00:00:00 GMT

January 06, 2022, File Storage Security—The AWS scan result now includes the S3 request ID in `xamz_request_id`.

Exclude files from Anti-Malware scanning based on digital certificates (Windows only)

Thu, 06 Jan 2022 00:00:00 GMT

January 06, 2022, Workload Security—You can now exclude files from Anti-Malware scanning based on their digital certificate. This feature is currently supported for agent version 20.0.0-3445+ on Windows platforms only. For details, see Exclude files signed by a trusted certificate.

Improved GCP account addition for non-US Trend Cloud One users

Thu, 06 Jan 2022 00:00:00 GMT

January 06, 2022, Workload Security—Fixed an issue where some customers in Trend Cloud One regions outside of the US were not able to add a GCP account to Trend Cloud One - Endpoint & Workload Security.

Offline Scheduled Scans now supported for Windows agents

Thu, 06 Jan 2022 00:00:00 GMT

January 06, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security now provides an option that enables agents to run scheduled scans when the agent is offline and can't access Trend Cloud One - Endpoint & Workload Security. This feature is supported with agent version 20.0.3445+ on Windows platforms. See Run scheduled scans when Trend Cloud One - Endpoint & Workload Security is not accessible.

New GCP and Azure rules, bug fixes, and custom policy update in Conformity

Wed, 19 Jan 2022 00:00:00 GMT

January 19, 2022, Conformity—The following features and updates were released to Conformity on 19 January 2022.

The Jira communication channel configuration modal now displays an error message when the test ticket cannot be transitioned properly when testing a configuration.

Bug Fixes

Fixed a bug with the JIRA ticket workflows not resolving properly when the workflow has a screen attached to the Done transition and the screen has a required field (for example resolution)

Fixed a bug that was causing 'Resource' & 'Introduced by' fields to be included by default in slack notification messages from Conformity even though the default configuration displayed in the UI indicated otherwise.

Fixed a bug to enable an Admin user to invite a Cloud One Conformity user to a Conformity direct organization.

Fixed a bug where ‘Disable’ and ‘Remove’ buttons were being pushed out of the screen when there were multiple safe listed IP addresses for an API key.

Fixed a bug where previously suppressed checks were displayed as unsuppressed on an update to group settings or to azure access settings.

Fixed an issue wherein the ‘View by Resources’ tab, not scored checks were displaying and counting as failed checks.

Custom Policy Updates

The custom policy has been updated as a result of the new deployment. The current custom policy version is 1.35. Click here to access the latest custom policy.

The permission added is: ‘iam:GetAccountAuthorizationDetails’

New Rules

GCP

ComputeEngine-003: Disable Interactive Serial Console Support: This rule ensures that interactive serial console support is disabled for all your production Google Compute Engine instances.

ComputeEngine-004: Disable IP Forwarding for Virtual Machine Instances: This rule ensures that the IP Forwarding feature is disabled at the Google Compute Engine instance level for security and compliance reasons, as instances with IP Forwarding enabled to act as routers/packet forwarders.

CloudSQL-008: Enable 'log_connections' Flag for PostgreSQL Database Instances:This rule ensures that PostgreSQL database instances have the 'log_connections' configuration flag enabled.

CloudSQL-009: Enable "log_disconnections" Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have the "log_disconnections" flag enabled.

CloudSQL-010: Enable "log_checkpoints" Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have "log_checkpoints" flag enabled.

CloudSQL-011: Enable "log_lock_waits" Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have the "log_lock_waits" flag enabled.

CloudSQL-012: Enable 'log_temp_files' Flag for PostgreSQL Database Instances: This rule ensures that "log_temp_files" database flag is set to 0 (enabled) for all your Google Cloud PostgreSQL database instances.

CloudSQL-013: Configure "log_min_error_statement" Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have the appropriate configuration set for the "log_min_error_statement" flag.

CloudSQL-014: Disable "local_infile" Flag for MySQL Database Instances: This rule ensures that MySQL database instances have the "local_infile" flag disabled.

Azure

AppService-017: Disable Plain FTP Deployment: This rule ensures that your Microsoft Azure App Services web applications are not configured to be deployed over plain FTP. Instead, the deployment can be disabled over FTP or performed over FTPS. FTPS (Secure FTP) is used to enhance security for your Azure web application as it adds an extra layer of security to the FTP protocol and helps you to comply with industry standards and regulations.

VirtualMachines-036: Use Customer Managed Keys for Virtual Hard Disk Encryption: This rule ensures that your Microsoft Azure Virtual Hard Disk (VHD) volumes are using Customer Managed Keys (CMKs) instead of Platform-Managed Keys (PMKs – default keys used by Microsoft Azure for disk encryption) in order to have full control over your VHD data encryption and decryption process.

Network-015 (Check for Unrestricted UDP Access)e: This rule ensures that Microsoft Azure network security groups (NSGs) do not allow unrestricted inbound access (i.e. 0.0.0.0/0) on UDP ports.

ActivityLog-027 (Create Alert for "Delete Policy Assignment" Events): This rule ensures that an Azure activity log alert is used to detect "Delete Policy Assignment" events.

Rule Updates

RDS-023: Amazon RDS Public Snapshots: We’ve updated this rule to prevent stale checks due to throttling.

Updated the following rules so that checks won't be deleted if triggered by DeleteAccessKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteLoginProfile, DeletePolicyVersion events:
IAM-004: Unnecessary Access Keys
IAM-013: MFA For IAM Users With Console Password
IAM-016: IAM User Policies
IAM-024: IAM User With Password And Access Keys
IAM-025: Unnecessary SSH Public Keys
IAM-028: Inactive IAM Console User
IAM-029: Unused IAM User
IAM-036: AWS IAM Users with Admin Privileges
IAM-058: Check that only safelisted IAM Users exist
IAM-070: Check for IAM User Group Membership
IAM-071: Receive Permissions via IAM Groups Only

Bug Fixes

SSM-003:Check for SSM Managed Instances: Fixed a bug where the checks were generated for EC2 instances in a state that is not pending or running.

Fixed a bug that prevented RTM from generating checks for the following rules when DB cluster events are triggered:
RDS-007: RDS Multi-AZ
RDS-035: Cluster Deletion Protection
RDS-042: Enable Aurora Cluster Copy Tags to Snapshots

Legacy platform agent support now has defined EOL dates

Fri, 21 Jan 2022 00:00:00 GMT

January 21, 2022, Workload Security—Agent support for some legacy platforms had been extended annually. Those platforms now have a defined EOL date. For detailed EOL dates, see Support extensions in Deep Security LTS lifecycle dates.

Conformity now supports CIS Benchmarks for AWS Foundations 1.4 Standard and Framework

Sat, 22 Jan 2022 00:00:00 GMT

January 22, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 27 January 2022.

Conformity now supports CIS Benchmarks for AWS Foundations 1.4 Standard and Framework report.

Added a new property to ‘GET /v1/azure/active-directories/{id}/subscriptions’ to indicate whether or not a subscription has been onboarded onto Conformity.

Enhanced Rule Settings > Configure Rule on account level to exclude matched resources between the Conformity Bot runs.

Bug Fixes

Fixed an issue where a longer account name displayed a broken HTML tag on the RTM dashboard.

Fixed incorrect sample requests for the 'Update Rule Setting' and the 'Update Rule Settings' APIs.

Fixed an issue where reports generated in "Improve compliance across your organisation" were not saved in the ‘Other Reports - History’ section.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.35. Click here to access the current custom policy.

New Rules

GCP

ComputeEngine-005: Enable "Shielded VM" Security Feature: This rule ensures that the ‘Shielded VM’ feature is enabled for your virtual machine (VM) instances.

ComputeEngine-006: Check for Instances Associated with Default Service Accounts: This rule ensures that your VM instances are not associated with the default GCP service account.

ComputeEngine-008: Check for Instance-Associated Service Accounts with Full API Access:This rule ensures that VM instances are not associated with default service accounts that allow full access to all Google Cloud APIs.

CloudIAM-003: Check for IAM Members with Service Roles at the Project Level: This rule ensures that the Service Account User and Service Account Token Creator roles are assigned to a user for a specific GCP service account rather than to a user at the GCP project level.

Bug Fix

S3-025: S3 Buckets Encrypted with Customer-Provided CMKs: Fixed a bug where the disabled rule was generating checks.

App.deepsecurity.trendmicro.com login page to be removed, redirects to cloudone.trendmicro

Mon, 24 Jan 2022 00:00:00 GMT

January 24, 2022, Workload Security—Trend Micro will soon remove the app.deepsecurity.trendmicro.com login page for Trend Cloud One - Endpoint & Workload Security and will redirect all visitors to cloudone.trendmicro.com. Please use your existing credentials to sign in to Trend Cloud One at cloudone.trendmicro.com.

Note: This change does not affect accounts using SAML single sign-on.

New Deployment Rules Enhance Container Security in Kubernetes

Tue, 25 Jan 2022 00:00:00 GMT

January 25, 2022, Container Security—Container Security introduced two new deployment rules to protect running containers from attacks via Kubernetes credentials or misconfigured role-based access control. With these two rules, you can log or block attempts to run a command in a container using kubectl exec or to add port forwarding using kubectl port-forward. Trend Micro recommends enabling these rules to protect privileged containers and containers with confidential information.

Improved usability for New Ruleset window in Trust Entities section

Tue, 25 Jan 2022 00:00:00 GMT

January 25, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security's trust entities New Ruleset window (Application Control Rulesets > Trust Entities > Trust Ruleset > New) had its "OK" and "Close" buttons blocked on some screen resolutions.

Discontinuation of Free 5 Computers License for Trend Micro Workload Security

Thu, 27 Jan 2022 00:00:00 GMT

January 27, 2022, Workload Security—Trend Micro will soon be discontinuing the "Free - Maximum 5 Protected Computers" license offering for Trend Cloud One - Endpoint & Workload Security and Deep Security as a Service. Customers currently using this license option will need to transition to a supported payment option before March 15th, 2022 to avoid any potential interruption of service. Please see Free - 5 Computers End of Support for Trend Micro Cloud One - Workload Security and Deep Security as a Service for more information.

Redesigned Sign-in Page with Videos, Customer References, and Resources Available Soon

Thu, 27 Jan 2022 00:00:00 GMT

January 27, 2022, General—Very soon you're going to see something quite different when you go to https://cloudone.trendmicro.com/ to sign in. We're redesigning this page and adding videos, customer references, resource links, and other content to help you really see how much you can do with Trend Micro Cloud One.

Don't worry it will still be easy for you to sign in from this new page but you can also bookmark https://cloudone.trendmicro.com/signin if you'd rather go directly to the sign-in page. But we are hoping you will like the new page and the new content!

And while we have your attention, why not go check out our recently redesigned Trend Micro Cloud One Docs page? We have freshened up the design of that page and added more resources for you.

Test Network Security features with free interactive demo

Fri, 28 Jan 2022 00:00:00 GMT

January 28, 2022, Network Security—Put Network Security to the test: Network Security now offers the option to try out features, such as malware blocking and vulnerability shielding, in a free dedicated test environment. With this Interactive demo, Trend Micro creates an environment in AWS to test out simulated attacks. Learn more.

Enhanced Network Security with Real-Time Threat Protection

Fri, 28 Jan 2022 00:00:00 GMT

January 28, 2022, Network Security—Protect your network from the latest threats: Select Policy > Emerging Threats for up-to-date information on ongoing threats to your environment and for best practices you can take to protect your network from them. Learn more.

Agents now connect to XDR Activity Monitoring using Trend Cloud One regions for improved connectivity

Fri, 28 Jan 2022 00:00:00 GMT

January 28, 2022, Workload Security—New agents now use a domain from your Trend Cloud One region to connect to XDR activity monitoring rather than an AWS provided domain. Agents that have already connected to XDR Activity Monitoring will be transitioned to use the new URL on April 4, 2022. Agents that have been unable to connect to XDR Activity Monitoring will be updated with the new URL earlier in the transition period to fix connectivity issues.

Why is Trend making this change?

Trend Micro is transitioning the URLs used for XDR Activity Monitoring from AWS-provided FQDNs to FQDNs for your Trend Cloud One region. This means you do not have to keep an entry in your firewall allowlist for the AWS-provided URL, and can simply rely on your existing entry if you have one.

How do I know whether I need to change something in my environment? What should I change?

If you do not filter outbound traffic, there is no action required. If you filter outbound traffic in your environment:

If you are already allowlisting the wildcard domain for your region (for example, *.workload.us-1.cloudone.trendmicro.com), there is no action required. After the transition period, your agents that connect to Activity Monitoring will automatically update to use the new URL during their next communication with Trend Cloud One - Endpoint & Workload Security.
If you cannot allowlist wildcard domains, you must add the FQDN starting with `agent-comm` for your Trend Cloud One region to your firewall's allowlist. This FQDN is listed on the Port numbers, URLs, and IP addresses page.

Correct User IP Address Displayed in Trend Cloud One - Endpoint & Workload Security

Fri, 04 Feb 2022 00:00:00 GMT

February 04, 2022, Workload Security—Updated Trend Cloud One - Endpoint & Workload Security to display the correct user IP address during authentication. The console previously recorded the CloudFront IP address in authentication-related logs, such as the user sign in event. This issue only affected new accounts created on or after August 4, 2021.

File Storage Security now shows time strings in user-specific time zone

Mon, 07 Feb 2022 00:00:00 GMT

February 07, 2022, File Storage Security—The File Storage Security console now displays time strings in the specific time zone based on CloudOne Account Settings.

Network Security Virtual Appliance Upgraded with Critical Security and Performance Improvements

Thu, 10 Feb 2022 00:00:00 GMT

February 10, 2022, Network Security—Network Security virtual appliance version 2022.1.0.11311 includes important security and performance enhancements.

Automated Verification of Network Asset Prerequisites Before Deployment

Thu, 10 Feb 2022 00:00:00 GMT

February 10, 2022, Network Security—Verify network asset prerequisites: You can now automatically verify that all of the prerequisites required for deployment are met before you deploy using the Get Started wizard. Learn more.

Conformity resolves AWS data retrieval errors impacting IAM and TrustedAdvisor checks

Fri, 11 Feb 2022 00:00:00 GMT

February 11, 2022, Conformity—From approximately 00:30 UTC 19 January 2022 to approximately 10:00 UTC 10 February 2022, Conformity experienced data retrieval errors for the AWS IAM and TrustedAdvisor services, which resulted in missing checks for certain rules. The issues have now been resolved and the affected checks have been regenerated.

Incident Summary

Due to changes deployed on 19 January to how Conformity handles certain AWS credentials, AWS Conformity Bot was not able to retrieve certain resource data for two AWS services. These changes affected rules dependent upon AWS TrustedAdvisor Checks and IAM Credential Reports.

Impact

Checks related to the AWS Trusted Advisor and IAM Credential Report services were removed and deleted by Conformity Bot due to not being able to retrieve any resources for these services. The following IAM and TrustAdvisor rules were affected:

IAM Rules

IAM-055: Canary Access Token
IAM-048: Root Account Active Signing Certificates
IAM-042: Hardware MFA for AWS Root Account
IAM-041:IAM User Password Expiry 45 Days
IAM-040: IAM User Password Expiry 30 Days
IAM-039: IAM User Password Expiry 7 Day
IAM-035: Root Account Usage
IAM-003: Credentials Last Used

TrustedAdvisor Rules

TrustedAdvisor-001: Trusted Advisor Service Limits
TrustedAdvisor-002: Trusted Advisor Checks
TrustedAdvisor-003: Exposed IAM Access Keys

Resolution

We’ve improved how Conformity Bot handles the way we retrieve TrustedAdvisor Checks and IAM Credential Reports to be compatible with the changes we introduced in January 2022.

Option to Disable Malware Scanning Added for Faster Container Security

Mon, 14 Feb 2022 00:00:00 GMT

February 14, 2022, Container Security—Trend Micro learned that malware scanning is not always a useful use case for customers, especially given the potential for a very long scan time. Trend Micro has added the ability to disable malware scanning as an option.

Real-time Integrity Monitoring now generates delete events for edited files

Tue, 15 Feb 2022 00:00:00 GMT

February 15, 2022, Workload Security—With real-time Integrity Monitoring enabled, Integrity Monitoring delete events were not being generated for files that were edited before being deleted.

Improved Deep Security Agent now displays accurate host IP addresses

Tue, 15 Feb 2022 00:00:00 GMT

February 15, 2022, Workload Security—Updated Deep Security Agent to correctly display the host's IP address in the "LastIpUsed" field. Previously, the field displayed the load balancer or proxy IP in environments using one of those.

New Google Cloud Platform rules and bug fixes enhance Conformity's security and compliance capabilities

Wed, 16 Feb 2022 00:00:00 GMT

February 16, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 16 February 2022.

Bug Fix

Fixed a bug where the PATCH Rule Settings API endpoint was returning an error when the request had misplaced exception attributes.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.35. Click here to access the current custom policy.

New Rules

GCP

CloudSQL-015: Check for Publicly Accessible Cloud SQL Database Instances: This rule ensures that your Google Cloud SQL database instances are configured to accept connections from trusted networks and IP addresses only.

ComputeEngine-007: Enable VM Disk Encryption with Customer-Supplied Encryption Keys: This rule ensures that the disks attached to your production Google Compute Engine instances are encrypted with Customer-Supplied Encryption Keys (CSEKs).

CloudIAM-004: Delete User-Managed Service Account Keys:This rule ensures that VM instances are not associated with default service accounts that allow full access to all Google Cloud APIs.

Rules Updates

Firehose-001: Firehose Delivery Stream Destination Encryptions: This rule has been updated to specify the relevant encryption type. The rule ensures that Firehose delivery stream data records are encrypted at the destination.

Lambda-001: Lambda Runtime Environment Version: Customers can now configure the end of support runtime in the rule settings.

Rule Bug Fixes

ECS-002: ECS Task Log Driver In Use: Fixed a bug where the disabled rule was generating checks.

ECS-003: ECS Configuration Changes: We've fixed a bug where Conformity Bot was unable to correctly scan ECS Clusters.

File Storage Security now includes scan start timestamp in scan result

Mon, 21 Feb 2022 00:00:00 GMT

February 21, 2022, File Storage Security—The scan result now includes the timestamp when the scan started in `scan_start_timestamp`.

Enhanced Container Security: Detects kubectl exec and kubectl attach Usage

Tue, 22 Feb 2022 00:00:00 GMT

February 22, 2022, Container Security—Container Security extends the coverage of existing kubectl exec rule. Now the deployment rule detects the usage of both kubectl exec and kubectl attach. Trend Micro recommends enabling this rule to prevent access to privileged containers and containers with confidential information.

Scheduled Network Security Maintenance Update on March 1st, 2022

Wed, 23 Feb 2022 00:00:00 GMT

February 23, 2022, Network Security—Network Security is making a scheduled maintenance update on March 1st, 2022, between 19:00 and 23:00 (UTC). This update might temporarily cause API error messages to display during the update. Traffic inspection is not affected by this scheduled maintenance.

Container Security rules now enforce undefined context fields, pod-level rule deprecated

Thu, 24 Feb 2022 00:00:00 GMT

February 24, 2022, Container Security—Rules that are based on a container security context field are now in violation when that field is undefined. This affects rules for containers that are permitted to run as root, for containers with privilege escalation rights, and for containers that can write to the root filesystem. Also, the pod-level rule for containers that run as root is now deprecated and covered by the corresponding container-level rule. The container-level rule for containers that are permitted to run as root evaluates both the pod and container security context.

Enhanced Coverage for Stratum Protocol and Privilege Escalation Detection

Fri, 25 Feb 2022 00:00:00 GMT

February 25, 2022, Container Security—Container Security extends the coverage of two existing runtime rules. The rule "(T1496)Detect crypto miners using the Stratum protocol" now provides coverage for variants of the stratum protocol. The rule "(T1068)Sudo Potential Privilege Escalation" improves its detection of privilege escalation.

Expanded SAML Single Sign-On across all Cloud One products

Fri, 25 Feb 2022 00:00:00 GMT

February 25, 2022, General—It will be possible to log into all of Cloud One using Security Assertion Markup Language (SAML). Previously, only Cloud One Workload Security supported single-sign on via SAML.

Container Security enhances protection with new runtime rule for Linux namespace switch

Mon, 28 Feb 2022 00:00:00 GMT

February 28, 2022, Container Security—Container Security introduces new runtime rule "(T1611) Switch Linux namespace". The new rule provides coverage of unauthorized usage of setns syscalls, which could lead to container escape.

Relays now optimized for efficiency and speed in preview release

Tue, 01 Mar 2022 00:00:00 GMT

March 01, 2022, Workload Security—Major improvements to relays were introduced with agent version 20.0.0-3445+. These changes are in still in preview and are only available for certain Trend Cloud One - Endpoint & Workload Security customers at this time.

Earlier versions of the relay downloaded every agent software package supported by Trend Cloud One - Endpoint & Workload Security (all versions, all platforms). This took approximately 400 GB of disk space and the download could take several hours to complete.

Relays that use agent version 20.0.0-3445+ are a reverse proxy and only download the agent packages that are deployed in your environment. These new relays use a maximum of 50 GB of disk space and can use as little as 2 GB, depending on your environment. After deployment, the relay is ready to serve packages within 1 minute. For details, see Improvements to the relay.

New Container Security rule detects Ingress Remote File Copy Tools

Wed, 02 Mar 2022 00:00:00 GMT

March 02, 2022, Container Security—Container Security introduces new runtime rule "(T1105)Launch Ingress Remote File Copy Tools in Container". The new rule provides coverage for ingress tool transfer through commands like wget or curl.

File Storage Security now links malware names to TrendMicro Threat Encyclopedia

Thu, 03 Mar 2022 00:00:00 GMT

March 03, 2022, File Storage Security—The malware name displayed in the File Storage Security console is now a link to the malware information on the TrendMicro Threat Encyclopedia website.

Conformity Enhancements: Updated Compliance Metrics, Special Characters Support, New GCP Rules

Wed, 09 Mar 2022 00:00:00 GMT

March 09, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 9 March 2022.

Updated Compliance Evolution Score Calculation: Conformity Compliance Status numbers are calculated based on the latest Conformity Bot run. We’ve updated the calculation of the evolution chart compliance to match the formula used in the live Conformity compliance status dashboard i.e. using the unweighted formula: (Total number of successful Checks / Total number of Checks) * 100

Previously, the evolution compliance was an average of the compliances across accounts, which produced daily results that were not comparable with the live results because:
The Compliance level evolution numbers are calculated based on the last 24 Conformity Bot runs
The base dataset to calculate the values for each widget is different, therefore, even if the calculation method is the same - total successes / total checks * 100, the results are likely to be different.
This change will affect the evolution chart API, Dashboard and the results received in the Conformity weekly summary email. For details see: Compliance Evolution

Special Characters in Report Title and Description

We now support Chinese characters in the Title and Description fields of Report Configurations.

Search and View Accounts by Account ID

As an Admin user, you can allow users to view and search for a cloud account by its Account ID by toggling the ON/OFF button from Administration > Subscription > Conformity Accounts. For more info see Subscriptions

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.35. Click here to access the current custom policy.

New Rules

GCP

CloudVPC-004: Default VPC Network In Use: This rule ensures that the default VPC network is not being used within your GCP projects.

CloudVPC-005: Check for Legacy Networks: This rule ensures that legacy networks are not being used anymore within your GCP projects.

CloudIAM-005: Enable Multi-Factor Authentication for User Accounts: This rule ensures that Multi-Factor Authentication (also known as 2-Step Verification or 2SV) is enabled for all user accounts in order to help protect the access to your Google Cloud Platform (GCP) resources, applications and data.

CloudIAM-006: Enable Security Key Enforcement for Admin Accounts: This rule ensures that security key enforcement is enabled for all Google Cloud Platform (GCP) organization administrator accounts.

CloudSQL-016: Configure Root Password for MySQL Database Access: This rule ensures that Google Cloud MySQL database instances do not allow anyone to connect with administrative privileges only, without needing a root password.

Rules Updates

EC2-034: Unrestricted Security Group Ingress on Uncommon Ports: We’ve updated:
The rule’s name from ‘Unrestricted Security Group Ingress’ to ‘Unrestricted Security Group Ingress on Uncommon Port’ and
Added a configuration to enable users to allowlist AWS Security Groups by name with Regex.

Rules Bug Fixes

RDS-034: Backtrack: Fixed a bug for the rule where checks for Aurora RDS instances were not being generated.

VPC-016: VPC Endpoints in Use: Fixed a bug where the rule returned false positives for VPCs’ shared from another account.

VPC-010: Unrestricted Network ACL Outbound Traffic and VPC-011: Unrestricted Network ACL Inbound Traffic: The rules have been updated to:
Include a list of the number of compliant/non-compliant rules in the check message
Restrict the ICMP protocol from contributing to the ‘FAILURE’ status checks

IAM-13: MFA for IAM Users with Console Password: Fixed a bug where a stale check still existed after the IAM User Login Profile has been removed.

New introduction page added to File Storage Security console

Thu, 10 Mar 2022 00:00:00 GMT

March 10, 2022, File Storage Security—The File Storage Security console now displays a new introduction page as the landing page.

View and Improve Network Security Posture against Latest Threats

Thu, 10 Mar 2022 00:00:00 GMT

March 10, 2022, Network Security—Determine your network's posture against the latest threats: You can now view the status of your network policy's current defense posture and learn which recommended actions to take to be protected. Learn more about Emerging Threats.

Enhanced Geolocation Filtering for AWS ALB Support

Thu, 10 Mar 2022 00:00:00 GMT

March 10, 2022, Network Security—Enhancements to geolocation filtering: Network Security geolocation filtering can now block and report traffic for XFF IP addresses when your Network Security virtual appliance is behind an AWS Application Load Balancer (ALB) in your cloud network. Learn more about geolocation filtering.

Agent Upgrade Task Time Zone Configuration Added for Deep Security Agent Version 20

Mon, 21 Mar 2022 00:00:00 GMT

March 21, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security now provides an option to create a task to upgrade agents that supports setting a time zone for the task. Previously, agents were upgraded based on the UTC time zone. You can see the new option by going to Administration > Scheduled Tasks and selecting Scheduled Agent Upgrade Task as the task type. This feature is available only for Deep Security Agent version 20 on Windows and Linux platforms.

Improved AWS and Azure scanner result handling and object tagging

Tue, 22 Mar 2022 00:00:00 GMT

March 22, 2022, File Storage Security—Fixed the issue where AWS and Azure scanner DLQ handler did not publish 'unsuccessful scanner invocation' scan result, and the objects were not tagged when scanner timed out.

Enhanced Monitoring of Internet-Facing AWS Assets for Compliance

Thu, 24 Mar 2022 00:00:00 GMT

March 24, 2022, Network Security—Verify status of internet-facing assets: Network Security can now provide updates on the status of AWS assets located behind internet-facing Application Load Balancers (ALBs). The posture assessment summary dashboard now includes information about the protection status of these assets helping you comply with PCI 11.4 standards. Learn More.

Agent-triggered malware scans now available in preview for jp-1 region customers

Fri, 25 Mar 2022 00:00:00 GMT

March 25, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security now provides an option to allow agents to trigger all scheduled scans for malware. To enable the option, from the computer editor, select Anti-Malware > General, then ensure that Enable agent to trigger scheduled scans for malware is selected. This feature is still in preview and is currently available only for Trend Cloud One - Endpoint & Workload Security customers in the jp-1 region.

Conformity introduces updated compliance reports, new rules, and bug fixes

Mon, 28 Mar 2022 00:00:00 GMT

March 28, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 28 March 2022.

Updated NIST 800-53 Rev5 Compliance & Conformity Report: We've updated the NIST 800-53 Rev5 Compliance & Conformity report to include rules and enhanced controls.

Updated Suppression Data Behaviour for Azure Accounts: We've updated the suppression data behaviour for Azure accounts where suppressed Azure checks disappeared on recreating the check.

Custom Policy Updates

The custom policy has been updated as a result of the new deployment. The current custom policy version is 1.36 and the permission added is: firehose:ListTagsForDeliveryStream. Click here to access the current custom policy.

New Rules

Azure

StorageAccounts-018: Account Encryption using Customer Managed Keys: This rule ensures that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys (i.e. default keys used by Microsoft Azure for data encryption), to have more granular control over your Azure Storage data encryption and decryption process.

AWS

Firehose-002: Firehose Delivery Stream Server-Side Encryption: This rule ensures that Kinesis Data Firehose delivery streams enforce Server-Side Encryption, ideally using Customer-Managed Keys (CMKs).

GCP

CloudIAM-007: Login Credentials In Use: This rule ensures the use of corporate login credentials instead of personal accounts such as Gmail accounts.

CloudStorage-002: Check for Enable Uniform Bucket-Level Access: This rule ensures that Google Cloud Storage buckets have uniform bucket-level access enabled. With this level of access, object access is controlled entirely through bucket-level permissions (IAM) to ensure uniform access to all the objects within a storage bucket.

Rules Updates

StorageAccounts-006: Disable Anonymous Access to Blob Containers
StorageAccounts-012: Enable Immutable Blob Storage
StorageAccounts-016: Check for Publicly Accessible Web Containers
StorageAccounts-017: Review Storage Accounts with Static Website Configuration

The rules now support exceptions by tags retrieved from Azure Blob Container Metadata.

Lambda-008: Enable Encryption in Transit for Environment Variables
Lambda-009: Enable Encryption at Rest for Environment Variables using Customer Master Keys

Updated the rules' names and descriptions to clearly specify encryption in transit and at rest.

IAM-054: IAM Configuration Changes: Updated this rule allowing you to change the severity for each IAM configuration event via rule settings.

Rules Bug Fixes

IAM-034: Valid IAM Identity Providers: We've improved how we handle IAM identity provider data and fixed an issue with remediating OpenID Connect identity providers to prevent false positives.

EBS-004: EBS Volumes Recent Snapshots
EBS-005: EBS Volumes Too Old Snapshots

We've updated the way we handle AWS EBS Volumes and EBS Volume Snapshots to improve reliability and functionality for the rules. AWS rules EBS-004 and EBS-005.

AG-001: APIs CloudWatch Logs
AG-002: APIs Detailed CloudWatch Metrics
AG-003: Tracing Enabled
AG-004: Content Encoding
AG-007: Private Endpoint
AG-008: Rotate Expiring SSL Client Certificates
AG-009: Enable Encryption for API Cache
AG-010: Enable API Cache
RG-001: Tags

Fixed a bug to resolve the throttling issue for API Gateway rules by reducing the API Gateway API call concurrency.

Self-serve trials for Cloud One Security Services now available for extended trial periods

Thu, 31 Mar 2022 00:00:00 GMT

March 31, 2022, Billing and Subscription Management—Self-serve trials for Cloud One Security Services are now available! For any service that does not have a current subscription, a customer may activate a 30-day free trial, once per Security Service, from the Subscription Management page. Additionally, customers in an existing trial for a Cloud One Security Service can use this feature to extend their trial by 30 days.

Note: Currently this does not include accounts subscribed to Cloud One on AWS or Azure Marketplace.

Enhanced Container Security UI Indicates Disabled Malware Scanner and Default SmartCheck Update

Tue, 05 Apr 2022 00:00:00 GMT

April 05, 2022, Container Security—To go with the ability to disable malware scanning, Trend Micro has modified the user interface to indicate when the malware scanner is disabled. Trend Micro has also updated SmartCheck to disable malware scanning by default.

ZDI Predisclosure Filters Enhance Network Security Defenses

Thu, 07 Apr 2022 00:00:00 GMT

April 07, 2022, Network Security—Zero Day Initiative (ZDI) predisclosure filters now included in all Network Security deployments (version 2022.3.0.11400 and later): ZDI predisclosure filters identify vulnerabilities within a product or application that have not yet been patched by the vendor. By restricting the information they contain, predisclosure filters preemptively defend your network from attacks against these vulnerabilities until the vendor develops a patch. After a patch is available, the filters are fully disclosed and include more details about the vulnerability. Learn More about the components of filters included in your Digital Vaccine security package.

Conformity Introduces Sustainability Pillar Support and New Rules for Azure, AWS, and G

Fri, 08 Apr 2022 00:00:00 GMT

April 08, 2022, Conformity—The following rules and updates will be available with Conformity's latest release on 12 April 2022.

Conformity will now support the new 'Sustainability' pillar

Conformity can now help customers benchmark and remediate their sustainability impact. AWS Well-Architected Framework added the 'Sustainability' pillar in December 2021. We've updated our Rules, Reports, Checks filter, Compliance Level Comparison Table, and the Compliance Status Widget in accordance with the AWS Well-Architected Framework updated version.

API Updates

Conformity now supports Trend Micro's domain when using Conformity's public API
The legacy users (signed up for Conformity in the 'us-west-2', 'ap-southeast-2', and 'eu-west-1' regions) won't be affected by this change.
Cloud One Conformity users can now use 'https://conformity.{region}.cloudone.trendmicro.com/api' to access Conformity's public APIs.

Custom Policy Updates

There are no changes to the custom policy as a result of the new deployment. The current custom policy version is 1.36. Click here to access the current custom policy.

New Rules

Azure

Monitor-007: Configure Diagnostic Setting Categories: This rule ensures that the diagnostic settings are configured to capture the appropriate categories.

Monitor-008: Enable Diagnostic Logs for the Supported Resources: This rule ensures that Diagnostic Logs are enabled for the supported Azure cloud resources.

AWS

EC2-077: Require IMDSv2 for EC2 Instances: This rule ensures that all the Amazon EC2 instances require the use of Instance Metadata Service Version 2 (IMDSv2) when requesting instance metadata in order to protect against vulnerabilities that could be used to access the Instance Metadata Service (IMDS).

GCP

CloudDNS-001: Enable DNSSEC for Google Cloud DNS Zones: This rule ensures that DNSSEC security feature is enabled for all your Google Cloud Domain Name System (DNS) managed zones.

CloudDNS-002: Check for DNSSEC Key-Signing Algorithm in Use: This rule ensures that RSASHA1 signature algorithm is not used for DNSSEC key signing.

CloudAPI-002: Check for API Key Application Restrictions: This rule ensures that your Google Cloud API key usage is restricted to trusted hosts, HTTP referrers, or applications.

CloudAPI-003: Check for API Key API Restrictions: This rule ensures that API keys have restrictions in place to only allow access to specific APIs, and not general access to all GCP APIs.

CloudIAM-008: Rotate Google Cloud API Keys: This rule ensures that all the API keys created for your Google Cloud Platform (GCP) projects are regularly rotated.

Rules Updates

SQL-005: Enable Transparent Data Encryption for SQL Databases: Updated the rule title to 'Enable Transparent Data Encryption for SQL Databases' for an appropriate representation of the best practice recommendation.

Rule Bug Fixes

Firehose-001: Firehose Delivery Stream Destination Encryption
Firehose-002: Enable Firehose Delivery Stream Server-Side Encryption

Fixed a bug where the rule - Firehose-001 did not have a link to their resources. Also, both the rules Firehose-001 and Firehose-002 did not support tags for "DirectPut" Delivery Stream Type Firehose Delivery Streams.

Lambda-009: Enable Encryption at Rest for Environment Variables using Customer Master Keys

Fixed a bug where Lambda-009 did not generate a SUCCESS check after remediation steps have been followed to encrypt Lambda Environment variables at rest using CMKs.

AWS Account ID displayed for Cloud One subscriptions on AWS marketplace

Wed, 20 Apr 2022 00:00:00 GMT

April 20, 2022, Billing and Subscription Management—On the Subscription Management page in Cloud One, an AWS Account ID is now displayed for accounts subscribed to Trend Micro Cloud One on AWS marketplace.

False positive checks for Azure rule AppService-018 resolved

Wed, 20 Apr 2022 00:00:00 GMT

April 20, 2022, Conformity—Incident Update: False positive checks generated for the Azure rule - AppService-018

From approximately 2022-03-09 10:00:00 UTC to 2022-04-19 03:20:00 UTC, the Conformity Bot incorrectly produced failure checks associated with the rule AppService-018 for Azure AppService resources. This was caused due to an error in our deployment where some components of AppService-018 were released prematurely. We’ve removed the rule from the application and all the associated checks and will notify you in a release notice when we re-introduce the rule.

Cloud One now displays user sign-in and API Key last used times

Mon, 25 Apr 2022 00:00:00 GMT

April 25, 2022, General—Cloud One now includes the last sign-in time for users and the last used time for API Keys in the respective console pages and API responses.

AWS Scanner Lambda now updated to Python 3.8 runtime

Tue, 26 Apr 2022 00:00:00 GMT

April 26, 2022, File Storage Security—The AWS Scanner Lambda is now running on Python 3.8 runtime. Python 3.6 runtime will be end of support by AWS at July 18, 2022. For more information, see Runtime deprecation policy. We encourage you to update the runtime as soon as possible by updating the Scanner Stack.

This functionality requires a stack update.

Conformity Introduces New Rules and Updates for AWS, Azure, and GCP Integration

Thu, 28 Apr 2022 00:00:00 GMT

April 28, 2022, Conformity—The following rules and updates are now available with Conformity's latest release on 28 April 2022.

We've updated the PCI DSS c3.2.1 standard to support the new AWS and Azure rules added to Conformity.

You can now view the GCP Project ID for the GCP Account under Settings > Update General Settings.

Bug Fixes

Fixed a bug with the API documentation to include descriptions for the fields appearing under the API endpoint.

Fixed a bug with the check count statistics on the Evolution API to reflect the average number across bot runs instead of a cumulative number.

Fixed a bug that stopped the Conformity bot from running successfully.

Fixed up a bug to display an error for the unverified user(s) when creating or updating an SMS or email channel via our public API.

Fixed a bug to set the default cooldown value for the Autoscaling group to 300 seconds if it is not specified in the CloudFormation template.

Custom Policy Updates

We've updated the custom policy as a result of the new deployment. The latest custom policy version is 1.37 and the permissions added are:

inspector:DescribeAssessmentTargets

inspector:DescribeResourceGroups

inspector:ListAssessmentTargets

inspector:PreviewAgents

Click here to access the current custom policy.

New Rules

Azure

Monitor-009: Enable Exporting Activity Logs for Azure Cloud Resources: This rule ensures that exporting activity logs is enabled for each cloud resource within a subscription.

StorageAccounts-019: Enable Logging for Azure Storage Blob Service: This rule ensures that storage logging is enabled for the Azure Storage Blob service.
StorageAccounts-020: Enable Logging for Azure Storage Table Service: This rule ensures that storage logging is enabled for the Azure Storage Table service.

AWS

EC2-078: Instances Scanned by Amazon Inspector: This rule ensures that all your Amazon EC2 instances are included in at least one Inspector Classic assessment target to make sure that Amazon Inspector Classic service can evaluate your EC2 instances for potential security issues and common vulnerabilities during assessment runs.

GCP

CloudDNS-003: Check for DNSSEC Zone-Signing Algorithm in Use: This rule ensures that DNSSEC key signing is not using RSASHA1 as a signature algorithm for the Zone-Signing Key (ZSK) associated with your public DNS managed zone.

CloudIAM-009: Configure Google Cloud Audit Logs to Track All Activities: This rule ensures that the Audit Logs feature is configured to record all service and user activities.

CloudAPI-001: Google Cloud API Keys: This rule ensures that all the API keys created for your Google Cloud Platform (GCP) projects are regularly rotated.

Rules Updates

ELBv2-003: ALB Security Policy
ELBv2-009 Network Load Balancer Security Policy: Updated ELBv2-003 and ELBv2-009 to use the latest and most secure security policies.

IAM-036: AWS IAM Users with Admin Privileges: Updated IAM-036 to show the policies attached to privileged IAM Users.

Enhanced Intrusion Prevention and Windows Defender Compatibility in Latest Agent Version

Thu, 28 Apr 2022 00:00:00 GMT

April 28, 2022, Workload Security—Agent version 20.0.0-4416 has been released.

Some highlights include:

Enhanced Intrusion Prevention performance with the "Bypass Network Scanner" rule applied.
Improved compatibility for Deep Security Agent on systems running Windows Defender in passive mode.
Several resolved issues and security updates.

For detailed information on what's included in this version, see What's New in Deep Security Agent.

Scan error events now visible in File Storage Security console

Wed, 04 May 2022 00:00:00 GMT

May 04, 2022, File Storage Security—The File Storage Security console now displays scan error events below the scan history chart.

Enhanced File Storage Security Console Display for AWS and Azure Tabs

Wed, 11 May 2022 00:00:00 GMT

May 11, 2022, File Storage Security—The storage stack table in the File Storage Security console now displays the header in the order of:

under the AWS tab: Bucket Name, AWS Account, Storage Stack, and Stack Created.
under the Azure tab: Storage Account Name, Subscription Name, Storage Stack, and Stack Created.

Updated Compliance Dashboard and New GCP and Azure Rules Available

Tue, 17 May 2022 00:00:00 GMT

May 17, 2022, Conformity—The following updates and features are now available with Conformity's latest release on 17 May 2022.

What's New

Updated the note below the Compliance level Comparison section on the Main Dashboard to clearly display the number of incomplete and onboarded accounts included in the comparison.

Bug Fixes

Fixed a bug in RTM, where the 'Read Only' users could view the Configure Rules button. The button is now visible to the authorised users only.

Fixed a bug where suppressing an Azure check was returning errors after a successful suppression.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.37.

Click here to access the current custom policy.

New Rules

GCP

CloudSQL-017: Disable 'remote access' Flag for SQL Server Database Instances: This rule ensures that the "remote access" SQL Server flag is set to "off".

CloudSQL-018: Disable 'log_statement_stats' Flag for PostgreSQL Database Instances: This rule ensures that the 'log_statement_stats' PostgreSQL database flag is set to `Off`.

CloudSQL-019: Disable 'external scripts enabled' Flag for SQL Server Database Instances: This rule ensures that the "external scripts enabled" SQL Server flag is set to `Off`.

BigQuery-002: Enable BigQuery Encryption with Customer-Managed Keys: This rule ensures that BigQuery dataset tables are encrypted using Customer-Managed Keys (CMKs).

ComputeEngine-009: Enable "Block Project-Wide SSH keys" Feature: This rule ensures that the Block Project-Wide SSH keys feature is enabled for all your virtual machine instances.

CloudLogging-001: Enable Monitoring for Bucket Permission Changes: This rule ensures that each Google Cloud Platform (GCP) project has configured a GPC alerting policy that is triggered each time a Google Cloud Storage bucket permission change is made.

CloudLogging-002: Enable VPC Network Changes Monitoring: This rule ensures that VPC network route changes are being monitored using alerting policies.

CloudLogging-003: Enable VPC Network Changes Monitoring This rule ensures that Google Cloud VPC network changes are being monitored using log metrics and alerting policies.

CloudLogging-004: Enable Monitoring for Custom Role Changes: This rule ensures that custom IAM role changes are being monitored using alerting policies.

CloudLogging-005: Enable Monitoring for SQL Instance Configuration Changes: This rule ensures that SQL instance configuration changes are being monitored using alerting policies.

CloudLogging-006: Enable Monitoring for Firewall Rule Changes: This rule ensures that each Google Cloud Platform (GCP) project has configured a GCP alerting policy that is triggered every time a Virtual Private Cloud (VPC) network firewall rule change is made.

CloudLogging-007: Enable Monitoring for Audit Configuration Changes: This rule ensures that GCP project audit configuration changes are being monitored using alerting policies.

CloudLogging-009: Export All Log Entries Using Sinks: This rule ensures that all the log entries generated for your Google Cloud projects are exported using sinks.

Azure

SecurityCenter-028: All Parameters for Microsoft Defender for Cloud Default Policy: This rule ensures that all the parameters supported by Microsoft Defender for Cloud default policy are enabled.

SecurityCenter-030: Enable Defender for Endpoint Integration with Microsoft Defender for cloud: This rule ensures that Defender for Endpoint – Defender for Cloud integration is enabled.

SecurityCenter-031: Enable Defender Microsoft Defender for Cloud Apps Integration: This rule ensures that Microsoft Defender for Cloud Apps integration is enabled.

SecurityCenter-032: Enable Azure Defender for Virtual Machine Servers: This rule ensures that Azure Defender is enabled for Azure virtual machine (VM) servers.

SecurityCenter-033 Enable Microsoft Defender for Cloud for App Service Instances: This rule ensures that Microsoft Defender for Cloud is enabled for Azure App Service instances.

SecurityCenter-034: Enable Microsoft Defender for Cloud for Key Vaults: This rule ensures that Microsoft Defender for Cloud is enabled for Azure key vault resources.

Rule Updates

IAM-013: MFA For IAM Users With Console Password: The rule now supports MFA events.

VirtualMachine-001: Enable Encryption for Boot Disk Volumes, VirtualMachine-002: Enable Encryption for Non-Boot Disk Volumes, VirtualMachine-003:Enable Encryption for Unattached Disk Volumes:

Updated the rules' names to clarify encryption in Azure Disk Encryption and the risk level from `High` to `Medium`.

Rule Bug Fixes

EC2-030: EC2 Instance Termination Protection: Fixed a bug where EC2-030 was returning checks for EC2 instances that are part of Auto Scaling groups.

CT-002: CloudTrail S3 Bucket Logging Enabled, CT-003: CloudTrail Bucket Publicly Accessible, CT-004: CloudTrail Bucket MFA Delete Enabled:

Fixed how we handle AWS CloudTrail resource data to address incorrect check results with the AWS rules CT-002, CT-003, and CT-004. We also improved how we evaluate CT-002 and CT-004, you may notice that old checks are removed and recreated.

Fixed a bug where Resource types were not displayed correctly in the View by Resource tab for some resources.

Improved event count display in Scan History chart

Wed, 18 May 2022 00:00:00 GMT

May 18, 2022, File Storage Security—The Scan History chart in the File Storage Security console now displays the event counts with the format numbers.

Enhanced Threat Assessment Walkthroughs in Network Security Demo

Wed, 18 May 2022 00:00:00 GMT

May 18, 2022, Network Security—Enhanced Interactive demo experience: Network Security's Interactive demo experience now includes detailed walkthroughs of threat assessment features, to help you learn how to protect your cloud environment from threats such as log4j.

Time display configuration added to File Storage Security console settings

Thu, 19 May 2022 00:00:00 GMT

May 19, 2022, File Storage Security—You can now configure the File Storage Security console's time display on the User Setting page of the Cloud One console.

Enhanced Container Security Events with Detailed Contextual Information

Tue, 24 May 2022 00:00:00 GMT

May 24, 2022, Container Security—Trend Micro enhanced its events with additional meaningful context. Events now include the following new fields: pod ID, pod name, pod labels, namespace, container name, container ID, image name, image tag, image digest, event number, event catagory, process ID, process, executable, process arguments, process name, parent process, parent process ID, parent process name, and file number. Note that in some instances not all fields are necessarily available/applicable.

Enhanced Runtime Rules feature MITRE ATT&CK technique identifier links

Thu, 26 May 2022 00:00:00 GMT

May 26, 2022, Container Security—Many runtime rules contain a MITRE ATT&CK technique identifier in the name. Trend Micro added a link in the rule description that leads to the page on the MITRE ATT&CK website corresponding to the technique identifier.

Improved Lambda Function Python Runtime Update Process

Fri, 27 May 2022 00:00:00 GMT

May 27, 2022, File Storage Security—Fixed the issue where updating a stack to update Lambda function's Python runtime did not take effect and caused the Lambda function to lose the license and the latest pattern Lambda layer. This functionality requires a stack update.

Enhanced AWS Scanner Lambda for Larger File Scans

Tue, 31 May 2022 00:00:00 GMT

May 31, 2022, File Storage Security—You can configure a larger ephemeral storage for the AWS Scanner Lambda to scan larger files in zip files.

This functionality requires a stack update.

Enhanced Deep Security Relay metrics and security updates in Agent version 20.0.0-472

Tue, 31 May 2022 00:00:00 GMT

May 31, 2022, Workload Security—Agent version 20.0.0-4726 has been released.

This release includes:

Enhancements to Deep Security Relay that enable it to record its status and other metrics for potential troubleshooting.
Several resolved issues and security updates.

For detailed information on what's included in this version, see What's New in Deep Security Agent.

Conformity Enhancements: New Standards, Bug Fixes, Rules, and Policy Updates

Mon, 06 Jun 2022 00:00:00 GMT

June 06, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 6 June 2022.

Updated the FedRAMP Rev 4 Compliance Standard to support the new AWS and Azure rules released by Conformity.

Updated the Get Services API endpoint to display data for associated compliance standards.

Bug Fixes

Fixed a bug to display the `resource type` in the View By Resource tab for some rules.

Fixed a bug to disable the 'Configure' button for Power users in the Conformity Administration > Users tab.

Fixed a bug to enable users to apply a profile to over 1000 accounts at once.

Fixed a bug that incorrectly allowed suppression of checks via the Public API without correctly setting one of the mandatory values in the request.

Fixed a bug to remove an outdated Knowledge Base page for the rule - Route53-008.

Fixed a bug with the drop down email selection to load all the available emails when configuring a scheduled report.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.37. Click here to access the current custom policy.

New Rules

GCP

CloudSQL-020: Configure 'user connections' Flag for SQL Server Database Instances: This rule ensures that SQL Server database instances have the appropriate configuration set for the `user connections` flag.

CloudSQL-021: Disable 'user options' Flag for SQL Server Instances: This rule ensures that the `user options` SQL Server flag is not configured.

ComputeEngine-011: Enable Confidential Computing for Virtual Machine Instances: This rule ensures that Confidential Computing is enabled for virtual machine (VM) instances.

ComputeEngine-010: Enable OS Login for GCP Projects: This rule ensures that the OS Login feature is enabled at the GCP project level.

CloudLogging-008: Enable Project Ownership Assignments Monitoring: This rule ensures that GCP project ownership changes are being monitored using alerting policies.

AWS

CF-012: Cloudfront Content Distribution Network: This rule ensures that your websites/web applications are using the Amazon CloudFront Content Distribution Network (CDN) to secure the web content delivery (media files and static resource files e.g. html, .css, .js).

Azure

SQL-017: Enable Vulnerability Assessment for Microsoft SQL Servers: This rule ensures that Vulnerability Assessment is enabled for Microsoft SQL database servers.

Network-016: Check for Unrestricted CIFS Access: This rule ensures that Microsoft Azure Network Security Groups (NSGs) do not allow unrestricted access on TCP port 445 to protect against attackers that use brute force methods to gain access to Azure virtual machines associated with these NSGs.

Network-017: Check for Unrestricted HTTP Access: This rule ensures that Microsoft Azure Network Security Groups (NSGs) do not allow unrestricted access on TCP port 80 to protect against attackers that use brute force methods to gain access to Azure virtual machines associated with these NSGs.

Rule Updates

Improved the following rules to take the `resource region` into account when producing check results:
EC2-048: Reserved Instance Lease Expiration In The Next 7 Days
EC2-049: Reserved Instance Lease Expiration In The Next 30 Days
EC-004: ElastiCache Reserved Cache Node Lease Expiration In The Next 7 Days
EC-005: ElastiCache Reserved Cache Node Lease Expiration In The Next 7 Days
ES-015: ElasticSearch Node To Node Encryption
ES-016: Elasticsearch Reserved Instance Lease Expiration in The Next 7 Days
ES-017: Elasticsearch Reserved Instance Lease Expiration in The Next 7 Days
RDS-010: RDS General Purpose SSD
RDS-011: RDS Default Port
RDS-014: RDS Reserved DB Instance Lease Expiration In The Next 7 Days
RDS-015: RDS Reserved DB Instance Lease Expiration In The Next 30 Days
S3-026: Enable S3 Block Public Access for S3 Buckets

Updated the following rules to check for additional unrestricted inbound access scenarios on Azure Network Security Groups:
Network-001: Check for Unrestricted RDP Access
Network-002: Check for Unrestricted SSH Access
Network-005: Check for Unrestricted FTP Access
Network-006: Check for Unrestricted MySQL Database Access
Network-007: Check for Unrestricted PostgreSQL Database Access
Network-008: Check for Unrestricted MS SQL Database Access
Network-009: Check for Unrestricted Oracle Database Access
Network-010: Check for Unrestricted RPC Access

CT-003: Publicly Accessible CloudTrail Buckets: We've improved how we evaluate the CloudTrail target bucket and its access policies.

Rule Bug Fixes

SecurityCenter-001 "Enable Microsoft Defender Standard Pricing Tier: Fixed a bug to take Microsoft's Defender (formerly Security Centre) service changes into account preventing the remediation of failed checks.

Enhanced Container Security with New Admission Rule

Wed, 08 Jun 2022 00:00:00 GMT

June 08, 2022, Container Security—Trend Micro has a new admission rule to protect users from containers with unnecessary capabilities. If these capabilities are exploited, they could cause greater damage than if they had been otherwise dropped. This new policy allows users to log or block containers based on the container capabilities and to continue following the best security practices from the CIS Kubernetes Benchmarks and Pod Security Standards.

AWS Security Hub integrated in Cloud One for enhanced security monitoring

Tue, 14 Jun 2022 00:00:00 GMT

June 14, 2022, Integrations—AWS Security Hub Integration Preview Release: you can now configure AWS Security Hub with Cloud One using our API Endpoints in this Preview release.

Retirement of Log4j Assessment as of June 15th 2022

Wed, 15 Jun 2022 00:00:00 GMT

June 15, 2022, Workload Security—As of June 15th 2022, the Log4j Assessment has been retired.

Please refer to Trend Micro's Log4j security alert for more information on Trend Micro's coverage of Log4j and resources to protect your environment.

Enhanced User Visibility in System Events for Trend Cloud One Users

Thu, 16 Jun 2022 00:00:00 GMT

June 16, 2022, Workload Security—When starting Trend Cloud One - Endpoint & Workload Security, Trend Cloud One users will now have their username imported and displayed alongside the URN under System Events (Events & Reports > Events > System Events). All system events generated after these changes were made will reflect this update.

Account Closure for Expired Subscriptions after 60 Days Starting July 18, 2022

Mon, 20 Jun 2022 00:00:00 GMT

June 20, 2022, Billing and Subscription Management—Starting July 18, 2022, Trend Micro Cloud One will start closing accounts whose subscriptions have been expired for over 60 days. For more information please see What happens when my subscription expires.

Enhanced Multi-Factor Authentication Recovery Code Feature

Mon, 20 Jun 2022 00:00:00 GMT

June 20, 2022, General—You can now record a code that can be used to disable your multi-factor authentication if your device is lost, destroyed, or stops working. This applies to accounts created on or after August 4, 2021, or ones that have been updated to the new sign-in system introduced on that date. For more information, see Enable multi-factor authentication.

File Storage Security console updates parameter from `objectId` to `id` in Azure CLI

Wed, 22 Jun 2022 00:00:00 GMT

June 22, 2022, File Storage Security—The File Storage Security console now replaces the parameter `objectId` of the Azure CLI with `id`.

Scheduled Maintenance for Trend Micro Cloud One on July 9th, 2022

Fri, 24 Jun 2022 00:00:00 GMT

June 24, 2022, General—System maintenance for Trend Micro Cloud One is scheduled for Saturday, July 9th, 2022. For US, EU and CA regions (us-1, gb-1, de-1, ca-1) between 03:00 and 10:00 UTC.; for APAC regions (in-1, jp-1, sg-1, au-1) between 17:00 and 21:00 UTC. During the maintenance, console and API access for certain Cloud One services will be unavailable. For more information or to be notified of scheduled maintenance, see Trend Micro Cloud One Maintenance

Update AWS Scanner Stack for Python 3.8 Runtime by July 18, 2022

Tue, 28 Jun 2022 00:00:00 GMT

June 28, 2022, File Storage Security—We would like to remind you to update the AWS Scanner Stack to update Scanner Lambda function's runtime to Python 3.8 before July 18, 2022.

The AWS Scanner Lambda is now running on Python 3.8 runtime. Python 3.6 runtime will be end of support by AWS at July 18, 2022. For more information, see Runtime deprecation policy. We encourage you to update the runtime as soon as possible by updating the Scanner Stack.

This functionality requires a stack update.

File Storage Security Enhances Support for Google Cloud Storage with File Scanning

Thu, 30 Jun 2022 00:00:00 GMT

June 30, 2022, File Storage Security—File Storage Security now supports the scanning of files uploaded to Google Cloud Storage bucket.

For details, see GCP Architecture and flow.

The Scan Activity for GCP is coming soon.

Fixed issue with GCP deployment scripts for smoother stack deployment

Fri, 01 Jul 2022 00:00:00 GMT

July 01, 2022, File Storage Security—Fixed the issue where GCP deployment scripts cannot deploy the stacks.

Enhanced Compliance Monitoring and New Rules Added for Conformity Platform

Mon, 04 Jul 2022 00:00:00 GMT

July 04, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 4 July 2022.

Introducing in the new Evolution Chart summary widget under the Overview tab, which enables you to view your overall compliance trends upto one year and the daily average breakdown of your compliance score by Success, Failed, and Total checks. Read more>

Conformity now supports the following compliance standards:
The ISO ISO 27001:2013 for GCP
The PCI DSS V3.2.1 (updated to April 2022)for GCP

Updated AWS and Azure rules mapping for APRA CPS 234 compliance standard.

Added a new operator `isNullOrUndefined` for Custom Rules.

Bug Fixes

Fixed a bug where unassociated checks from other accounts were being shown inside the Most critical failures section of the Group Dashboard and the Account Dashboard.

Fixed a bug where users were unable to connect to Jira OAuth via our Jira communications channel using SSO into the conformity platform via Trend Micro Cloud One Console.

To ensure Microsoft Teams notifications are received promptly for all organizations, Microsoft Teams communication channels are now limited to 100 notifications/hr per channel.

Fixed a bug where unassociated checks were being displayed from other accounts in the same organisation in View by Rule & View by Standards & Frameworks views.

Fixed a bug with the drop-down email selection to load all the available emails configuring a scheduled report.

Fixed a bug with Well Architected Tool notes not being generated at times and added support for the Sustainability pillar.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.37. Click here to access the current custom policy.

Conformity Bot Update

Enhanced performance of Conformity Bot to only assess by scanning or to only scan the minimum Active Directory data required to run Active Directory rules for Azure subscriptions.

New Rules

GCP

CloudSQL-022: Disable "log_planner_stats" Flag for PostgreSQL Database Instances: The rule ensures that the `log_planner_stats` PostgreSQL database flag is set to "off"

CloudSQL-023: Disable 'log_parser_stats' Flag for PostgreSQL Database Instances: This rule ensures that the `log_hostname` PostgreSQL database flag is set to "on".

CloudSQL-024: Enable "skip_show_database" Flag for MySQL Database Instances: This rule ensures that the `skip_show_database` MySQL database flag is set to "on".

CloudSQL-025: Disable 'log_parser_stats' Flag for PostgreSQL Database Instances: This rule ensures that the `log_parser_stats` PostgreSQL database flag is set to "off".

CloudSQL-026: Disable 'log_executor_stats' Flag for PostgreSQL Database Instances: Ensure that the `log_executor_stats` PostgreSQL database flag is set to Off.

CloudVPC-006: Cloud DNS logging for VPC Networks: This rule ensures that the Cloud DNS logging is enabled for all your Virtual Private Cloud (VPC) networks using DNS server policies.

CloudLoadBalancing-001: Check for Insecure SSL Cipher Suites: This rule ensures that there are no HTTPS/SSL Proxy load balancers configured with insecure SSL policies.

CloudStorage-003: Configure Retention Policies with Bucket Lock: This rule ensures that the log bucket retention policies are using the Bucket Lock feature

CloudIAM-010: Enforce Separation of Duties for KMS-Related Roles: This rule ensures that separation of duties is implemented for all Google Cloud KMS-related roles.

Azure

Network-023: Check for Unrestricted DNS Access: This rule ensures that no network security groups allow unrestricted inbound access on TCP and UDP port 53.

Network-020: Check for Unrestricted ICMP Access: This rule ensures that no network security groups allow unrestricted inbound access using Internet Control Message Protocol (ICMP).

Network-018: Check for Unrestricted SMTP Access: This rule ensures that Microsoft Azure network security groups (NSGs) do not allow unrestricted access on TCP port 25.

Network-019: Check for Unrestricted Telnet Access: This rule ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access on TCP port 23

SecurityCenter-035: Microsoft Defender for Cloud for SQL Server Virtual Machines: This rule ensures that Microsoft Defender for Cloud is enabled for SQL Server virtual machines.

SecurityCenter-036: Enable Microsoft Defender for Cloud for Azure SQL Database Servers: This rule ensures that Microsoft Defender for Cloud is enabled for your Azure SQL database servers.

SecurityCenter-037: Enable Microsoft Defender for Cloud for Azure Containers: This rule ensures that Microsoft Defender for Cloud is enabled for Azure containers.

SecurityCenter-038: Enable Microsoft Defender for Cloud for Storage Accounts: This rule ensures that Microsoft Defender for Cloud is enabled for Azure storage accounts.

Rule Updates

Updated the following rules to enhance check result and improve the way exceptions are handled:
CloudVPC-004: Default VPC Network In Use
CloudVPC-005: Check for Legacy Networks

Updated the following rules check results with minor text changes:
SecurityCenter-032: Enable Microsoft Defender for Cloud for Virtual Machines
SecurityCenter-033: Enable Microsoft Defender for Cloud for App Service
SecurityCenter-034: Enable Microsoft Defender for Cloud for Key Vaults

The following rules will now have no checks for Google Kubernetes (GKE) clusters as the best practices do not apply to GKE clusters:
ComputeEngine-001: Check for Virtual Machine Instances with Public IP Addresses
ComputeEngine-004: Disable IP Forwarding for Virtual Machine Instances
ComputeEngine-006: Check for Instances Associated with Default Service Accounts
ComputeEngine-008: Check for Instance-Associated Service Accounts with Full API Access

VirtualMachines-023:Enable Accelerated Networking for Virtual Machines: Enabled a feature to exclude checks by `tags` or `resourceId` for the rule.

ActiveDirectory-003: Check for Active Directory Guest Users: Updated Active-Directory 003 to evaluate 100 guest users instead of all the guest users.

Device Control feature enhances security by managing access to USB and mobile devices

Wed, 06 Jul 2022 00:00:00 GMT

July 06, 2022, Workload Security—Device Control enables Trend Cloud One users to manage access to both USB mass storage and mobile devices on server and desktop machines. Administrators can use Device Control to set user permission levels (Full Access, Read-Only, or Blocked) to comply with their organization's security policy and avoid data loss, leakage, and security risk. Device Control is available for Deep Security Agent for Windows (version 20.0.0.4959+) and for macOS (version 20.0.0-158+).

Conformity Full Access Users Can Create Custom Roles with Varied Permissions

Fri, 08 Jul 2022 00:00:00 GMT

July 08, 2022, Conformity—Cloud One Conformity Full Access users can now create Conformity Custom Roles that can be set up with the different levels of access permissions for different accounts. Follow these steps to create a Custom Role and assign the access permissions i.e. Full Access, Read-Only, or No Access in Conformity and then map it to any Trend Micro Cloud One ™ role from User Management >> Administration >> Roles.

MacOS Support Added for Deep Security Agent Version 20.0.0-158

Mon, 11 Jul 2022 00:00:00 GMT

July 11, 2022, Workload Security—Deep Security Agent version 20.0.0-158 (20 LTS Update 2022-07-11) is now available for macOS.

This is currently available only for Trend Cloud One - Endpoint & Workload Security customers. For details, see What's new in the agent.

Public Usage API now available for all Cloud One subscribers

Thu, 14 Jul 2022 00:00:00 GMT

July 14, 2022, Billing and Subscription Management—Our public Usage API is officially available to all Cloud One subscribers. You can check your Cloud One usage records by using our public API. For more information, please see our API Reference guide.

Conformity Enhancements: Enforce API Key Safe IP Ranges and New Rule Updates

Mon, 18 Jul 2022 00:00:00 GMT

July 18, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 18 July 2022.

Conformity now allows admins to enforce API key safe IP ranges being used when creating API keys.

RTM-005: Users Signed into AWS from an Approved Country: Conformity now supports North Macedonia previously known as Macedonia (Macedonia changed its name to North Macedonia).

Bug Fixes

Fixed a bug with the Jira communications channel to display only active users in the channel's 'Assignee' list.

Fixed a bug with the display of CSV Compliance Standard report data when importing it in Excel format through the 'Import data' wizard.

Fixed a bug where the 'Configure rule...' and 'Send rule to...' options became visible for custom checks created along with the existing custom rules.

Fixed a bug to enhance the performance of the RTM Event Monitoring dashboard section to prevent screen performance issues for customers with a large number of RTM events.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.37. Click here to access the current custom policy.

New Rules

Azure

VirtualMachines-037: Server Side Encryption for Unattached Disk using CMK: This rule ensures that unattached managed disk volumes are encrypted at rest using Customer-Managed Keys (CMKs).

Network-022: Check for Unrestricted HTTPS Access: This rule ensures that no network security groups allow unrestricted inbound access on TCP port 443. *This rule was released on 4th July 2022 and was missed out from our release communications. We apologise for the miscommunication and the confusion.*

GCP

CloudIAM-011: Minimize the Use of Primitive Roles: This rule limits the use of primitive roles, for example, `Owner`, `Editor`, and `Viewer` for Cloud IAM members in production and security-critical cloud environments.

Rule Update

Network-015: Check for Unrestricted UDP Access: Updated the rule to prevent Conformity Bot from generating false positive checks for some scenarios, for example, security groups with `Access Deny` configurations.

File Storage Security introduces Scan Activity support for GCP

Thu, 21 Jul 2022 00:00:00 GMT

July 21, 2022, File Storage Security—File Storage Security now supports Scan Activity for GCP.

Deep Security Agents now require FQDNs for connectivity starting December 31, 2022

Thu, 21 Jul 2022 00:00:00 GMT

July 21, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security accounts created prior to November 23, 2020 may still be allowing their Deep Security Agents access to Trend Cloud One - Endpoint & Workload Security by using static IP addresses provided on the Port numbers, URLs, and IP addresses documentation page. Starting on December 31, 2022, the Agent will connect only by using the fully-qualified domain names (FQDNs) and not by using IP addresses. To avoid service interruptions, customers filtering outbound traffic from their protected workloads to the outside internet must ensure they configured their firewall to add allowlist entries for the URLs listed at Port numbers, URLs, and IP addresses prior to December 31, 2022. If you do not filter outbound traffic or you are already using FQDNs, there is no action required.

How do I know whether I need to change something in my environment?

If your network is filtering outbound traffic to the internet using any static IP addresses listed on this page, you must update your firewall's allowlist to use the domain-name URLs instead of the IPs.

Remote Custom Script Tasks Supported for Deep Security Agent 20.0.0-5137 and Later

Tue, 26 Jul 2022 00:00:00 GMT

July 26, 2022, Workload Security—When registered with Trend Vision One, Trend Cloud One - Endpoint & Workload Security can now run remote custom script tasks for customers using Deep Security Agent version 20.0.0-5137 or later for Linux or Windows.

Agents can trigger all scheduled malware scans in Trend Cloud One - Endpoint & Workload Security

Tue, 26 Jul 2022 00:00:00 GMT

July 26, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security now allows agents to trigger all scheduled scans for malware. To enable this feature, select Anti-Malware > General, then ensure that Enable agent to trigger scheduled scans for malware is selected. This feature is available for Trend Cloud One - Endpoint & Workload Security customers in all regions.

Automatic Pattern Update for GCP enhances File Storage Security

Fri, 29 Jul 2022 00:00:00 GMT

July 29, 2022, File Storage Security—File Storage Security now supports Automatic Pattern Update for GCP.

This functionality requires a stack update.

Deploy Network Security with Hosted Infrastructure for Streamlined Protection

Tue, 02 Aug 2022 00:00:00 GMT

August 02, 2022, Network Security—Network Security with hosted infrastructure: You can now deploy Network Security with hosted infrastructure to monitor traffic and assess threats in your environment. The streamlined, 2-step deployment process gives you the same advanced network protection without having to manage security infrastructure. Learn more about the capabilities and benefits of deploying Network Security with hosted infrastructure.

Enhanced Agent Connectivity Options for Windows and macOS

Tue, 02 Aug 2022 00:00:00 GMT

August 02, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security now allows agents to apply OS proxy or direct connect when the configured proxy is unavailable. To enable this option, open the Administration tab and go to System Settings > Proxies. Ensure that Yes is selected for Allow agents to apply OS proxy or direct connect when the configured proxy is inaccessible. This feature supports Windows and macOS.

Enhanced File Storage Security now supports additional GCP regions

Wed, 03 Aug 2022 00:00:00 GMT

August 03, 2022, File Storage Security—Updated File Storage Security supported GCP regions. For details, see what's supported in GCP.

New Container Security Feature Provides Real-Time Visibility into Running Container Vulnerabilities

Fri, 05 Aug 2022 00:00:00 GMT

August 05, 2022, Container Security—Containers are key parts of most Cloud Native Applications and, as it is well known, these applications contain a lot of open source code. According to the Linux Foundation, approximately between 70% and 90% of all cloud-native code is open source. However, over 95% of organizations lack real-time visibility into vulnerabilities in their running containers.

Coming soon to Cloud One - Container Security is a new feature that will enable organizations visibility of open source and operating system vulnerabilities running in their containers. This new view will provide actionable detections with context and enable teams to identify risky applications in production at a glance - all without having their images leaving their cluster.

This feature will be available in private preview soon and Trend Micro is looking for customers that would like to be the first to have a chance to test it out and helps us shape the future of this feature.

Runtime Security to Support AWS Bottlerocket OS V 5.10 on EKS

Mon, 08 Aug 2022 00:00:00 GMT

August 08, 2022, Container Security—Runtime Security will soon support AWS Bottlerocket OS V 5.10 on EKS.

Cost Optimization Feature Deprecated to Focus on Cloud Security Posture Management

Tue, 09 Aug 2022 00:00:00 GMT

August 09, 2022, Conformity—End of Life - Conformity Cost Optimization Feature

In *April 2020*, we decided to deprecate the Cost Optimization feature, which has helped Standalone Conformity customers manage their AWS costs. It has been deprecated as of *July 2022* and will reach the end of life on 10th September 2022.

Why are we doing this?

The Cost Optimization feature used data from the deprecated AWS ‘Detailed Billing Report’. AWS strongly recommends that all customers move away from this report and migrate to the newer Cost and Usage Report.

We have decided to discontinue all support for Cost Analysis as our strategic focus as Trend Micro Cloud One ™ Conformity is on core Cloud Security Posture management (CSPM) features.

What does it mean for you?

No Cost Optimization widget - you will stop seeing the Cost Optimization widget on your Organizations’ Main Dashboard.

What happens to the Cost Rules?

All Cost category rules except for the following Rules will still be available to all customers. We’re deprecating these four Rules because their AWS data source is a deprecated AWS billing report.

Budgets- 001: Budget Overrun

Budgets -002: Cost Fluctuation

Budgets-003: Budgets Overrun Forecast

Budgets-004: Cost Fluctuation Forecast

What do I need to do?

You don't need to do anything at your end. If you wish, you can turn off the AWS Billing report used by Conformity. If you have any concerns or queries regarding the end of life for the Cost Optimization feature, please reach out to your account managers.

*This feature is unavailable to our Trend Micro Cloud One ™ Conformity customers.*

Conformity introduces new Azure network security rules and bug fixes

Wed, 10 Aug 2022 00:00:00 GMT

August 10, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 10 August 2022.

Bug Fixes

Fixed a timeout bug happening when adding an AWS account vis Public API.
Fixed a bug with SNS notifications being triggered for excluded resources in any rule for AWS, Azure and GCP bots.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.37. Click here to access the current custom policy.

New Rules

Azure

Network-021: Check for Unrestricted MongoDB Access: This rule ensures that no network security groups allow unrestricted inbound access on TCP ports 27017, 27018 and 27019.

Azure: Network-024: Check for Unrestricted NetBIOS Access: This rule ensures that no network security groups allow unrestricted inbound access on TCP port 139 and UDP ports 137 and 138 (NetBIOS).

Azure: VirtualMachines-039: Server Side Encryption for Boot Disk using CMK: This rule ensures that Azure VM managed disk boot volumes are encrypted at rest using customer-managed keys (CMKs).

Enhanced Web Reputation Coverage for Port 443 in Trend Cloud One Security

Mon, 15 Aug 2022 00:00:00 GMT

August 15, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security now includes port 443 by default in the values for the setting "Ports to monitor for potentially harmful web pages" (Computer or Policy editor > Web Reputation > Advanced). Port 443 is included by default _in addition to_ the existing default ports 80 and 8080. When using Trend Cloud One - Endpoint & Workload Security with Deep Security Agent version 20.0.0.5137 or later, the Web Reputation feature can now protect all default ports, including 443, on both Linux and Windows when native TLS libraries or communication channels are being used.

File Storage Security adds support for AWS Hong Kong region

Mon, 22 Aug 2022 00:00:00 GMT

August 22, 2022, File Storage Security—File Storage Security now supports Hong Kong (ap-east-1) region on AWS. For more information, see what's supported in AWS.

Conformity Enhancements: Expanded GCP Project Onboarding, Updated Compliance Standards, and New Rules

Tue, 23 Aug 2022 00:00:00 GMT

August 23, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 23 August 2022.

You can now search and add GCP projects while onboarding your GCP accounts to Conformity.

You can also view and onboard all GCP projects as we've eliminated the 100 projects limit.

Uninstall Azure RTM script is now available.

Updated the following Compliance Standards and Reports to include newly release rules:

HITRUST CSF v9.3
HIPAA 45CFR164
NIST 800-53 Rev4
FedRAMP rev4
SOC 2 Nov 2019

Updated the following Compliance & Conformity Reports to include newly released rules:

ISO 27001:2013 - updated May 2022
NIST 800-53 Rev5 - updated June 2022, also available to GCP accounts now

Bug Fixes

Fixed a bug to improve CSV compliance and generic reports generation with a huge number of checks.

Fixed a bug to change the API response from status code `200` to `422` when a custom rule is run with wrong configuration.

Fixed a bug where account level rule setting exceptions were deleted on applying a profile with no configured exceptions AND “include exceptions” unchecked.

Custom Policy Updates

We've updated the custom policy as a result of the new deployment. The new custom policy version is 1.38. Click here to access the current custom policy.

And the new permissions added are:

`appflow:DescribeFlow`

`appflow:ListFlows`

New Rules

Azure

Network-025: Check for Unrestricted Inbound TCP or UDP Access on Selected Ports: This rule ensures that no network security groups allow unrestricted inbound access via TCP or UDP on selected ports.

AWS

AppFlow-001: Enable Data Encryption with KMS Customer Master Keys: This rule ensures that Amazon AppFlow flows are encrypted with KMS Customer Master Keys (CMKs).

GCP

CloudLoadBalancing-002: Check for Cloud SQL Database Instances with Public IPs: This rule ensures that Cloud SQL database instances don't have any public IP addresses assigned.

Rule Bug Fix

CT-002 CloudTrail S3 Bucket Logging Enabled: Fixed a bug where the rule did not correctly exclude the relevant S3 resource using exceptions via tags.

Automatic Function Code Update for GCP in File Storage Security

Tue, 23 Aug 2022 00:00:00 GMT

August 23, 2022, File Storage Security—File Storage Security now supports automatic function code update for GCP.

This functionality requires a stack update.

Support for Ubuntu 22.04 (AWS ARM) and AIX 7.3 added in

Mon, 29 Aug 2022 00:00:00 GMT

August 29, 2022, Workload Security—Agent version 20.0.0-5394 has been released.

This release includes:

Support for Ubuntu 22.04 (AWS ARM-based Graviton 2) and AIX 7.3. These platforms require Deep Security Manager version 20.0.677 or later.
Several enhancements and resolved issues

For detailed information on what's included in this version, see What's New in Deep Security Agent.

Remote Shell feature added for macOS agents in Trend Cloud One - Endpoint & Workload Security

Mon, 29 Aug 2022 00:00:00 GMT

August 29, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security customers running Deep Security Agent for macOS (version 20.0.0-173 or later) can now use Remote Shell through the Trend Vision One Portal. For details, see Trend Vision One (XDR) Remote Shell.

Improved AWS Scanner Lambda function configuration stability

Tue, 06 Sep 2022 00:00:00 GMT

September 06, 2022, File Storage Security—Fixed the issue where the AWS Scanner Lambda function would lose the environment variable configuration in some situations when updating stack parameters.

Conformity Enhancements: New Compliance Standards, Bug Fixes, and Azure Rule Updates

Wed, 07 Sep 2022 00:00:00 GMT

September 07, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 7 September 2022.

Updated the following Compliance Standards and Reports to include newly released rules:

Monetary Authority of Singapore MAS-TRM 2021
NIST CyberSecurity Framework
AusGov ISM

Bug Fixes

Fixed a bug that was preventing users from successfully updating the CQL filter for an existing saved report.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.

New Rule

Azure

StorageAccounts-021: Configure Minimum TLS Version: This rule ensures that the "Minimum TLS version" setting is set to "Version 1.2" for all Azure Storage accounts.

Rule Update

EKS-001: EKS Cluster Endpoint Public Access: Added an optional rule configuration to Safelist source IP addresses from the EKS cluster "Public access source allowlist". If all the source IP addresses in the EKS "Public access source allowlist" are in the configured Safelist, the rule will succeed.

Rule Bug Fix

VirtualMachines-013: Enable Backups for Azure Virtual Machines: Fixed a bug where an incorrect failure check was generated for a re-created VM instance using a previously used name.

Improved display of metadata in GCP PU scan results

Wed, 07 Sep 2022 00:00:00 GMT

September 07, 2022, File Storage Security—Fix the issue where GCP PU displays the `fss-error-message` metadata even if the scan success.

GCP General Availability with Marketplace Consumption Pricing for Cloud One Conformity Customers

Tue, 13 Sep 2022 00:00:00 GMT

September 13, 2022, Conformity—Announcing the General Availability- GA of GCP for Cloud One Conformity Customers.

What does it mean for you?

If you are currently subscribing through AWS or Azure marketplace, the metered billing for your GCP accounts using Cloud One - Conformity will start on September 13th, 2022.

If you are currently using the 30-day free trial, the metered billing won’t start until your trial period is over and you subscribe to the service.

Marketplace Consumption Pricing for Cloud One Conformity

Cloud Account Resource Count	Pricing
Accounts with < 250 resources	$0.00/hr
Per cloud account with 250-1,000 resources	$0.07/hr
Accounts with 1001-5,000 resources	$0.29/hr
account 5,001+ resources	$0.35/hr

For more information, see Cloud One billing.

The following rules, standards and enhancements are already available for all GCP customers:

90+ cloud security configuration rules
PCI-DSS-V3.2.1 standard
ISO-27001:2013 standard
APRA CPS 234
NIST 800-53 Rev5
Ability to search for projects while onboarding
While onboarding GCP projects on Conformity via UI, the customer could only see 100 projects at a time due to a project cap in Conformity. This project cap is now removed, and users will be able to view & onboard all GCP projects within a service account.

Cloud One Audit Log now includes sign-in and sign-out events for improved tracking

Wed, 21 Sep 2022 00:00:00 GMT

September 21, 2022, Billing and Subscription Management—Account sign-in and sign-out events will soon be available in the Cloud One Audit Log. As part of this enhancement, the following audit logs will be changed:

The "Token Created" event will be changed to "User Signed In"
The "Token Created" event type will be changed to "audit.user-signed-in.v1" from "audit.token-creation.v1"
The "Token Revoked" event will be changed to "User Signed Out"
The "Token Revoked" event type will be changed to "audit.user-signed-out.v1" from "audit.token-revocation.v1".

Improved Azure Scanner function now scans files without timing out

Wed, 21 Sep 2022 00:00:00 GMT

September 21, 2022, File Storage Security—Fixed the issue that the Azure Scanner function would time out when scanning certain files.

Azure Scanner now supports scanning larger files within zip files

Wed, 21 Sep 2022 00:00:00 GMT

September 21, 2022, File Storage Security—Azure Scanner now supports scanning larger files in zip files.

Agents can now trigger or cancel manual scans from the Trend Micro notifier

Wed, 21 Sep 2022 00:00:00 GMT

September 21, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security now supports having agents trigger or cancel a manual scan from the Trend Micro notifier application (Computer or Policy editor > Anti-Malware > General) Once the checkbox Allow agent to trigger or cancel a manual scan from Trend Micro's notifier application has been selected, the notifier application will display the Scan section. Available for Windows and macOS agents.

Enhanced Linux/Unix Agent Scanning with Multi-thread Support and Additional Host Details

Thu, 22 Sep 2022 00:00:00 GMT

September 22, 2022, Workload Security—Agent version 20.0.0-5512 has been released.

This release includes:

Multi-thread support for On-demand and Scheduled Scans on agents for Linux and Unix.
Additional host metadata and installed software details reported by agents for Linux.
Several resolved issues and security updates.

For detailed information on what's included in this version, see What's New in Deep Security Agent.

Workload Security now supports Memory Dump Remote Shell on Trend Vision One

Thu, 22 Sep 2022 00:00:00 GMT

September 22, 2022, Workload Security—When registered with Trend Vision One, Workload Security now supports the process memory dump Remote Shell command on Deep Security Agent version 20.0.0-5512 or later for Windows. For details, see Trend Vision One (XDR) Remote Shell.

Forward Device Control events to Trend Vision One for enhanced visibility

Fri, 23 Sep 2022 00:00:00 GMT

September 23, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security now supports forwarding Device Control events to Trend Vision One. Customers must be registered with Trend Vision One to support this feature. For details, see Integrate Trend Cloud One - Endpoint & Workload Security with Trend Vision One.

Improved Identity Provider Integration for Trend Cloud One Accounts

Fri, 23 Sep 2022 00:00:00 GMT

September 23, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security accounts that sign in to Trend Cloud One are now redirected to the Identity Providers page. This page allows users to connect to an identity provider from Trend Cloud One rather than connecting through Trend Cloud One - Endpoint & Workload Security. For accounts already using the workload-only SAML, the login page will be unchanged.

AWS Security Hub Integration User Interface Now Configurable in Cloud One Management Console

Mon, 26 Sep 2022 00:00:00 GMT

September 26, 2022, Integrations—AWS Security Hub Integration User Interface Release: you can now configure AWS Security Hub with Cloud One using the management console. For more information and instructions, click here.

Conformity introduces new GCP and Azure rules, Compliance Standards updates, and bug fixes

Wed, 28 Sep 2022 00:00:00 GMT

September 28, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 28 September 2022.

Updated the following Compliance Standards and Reports to include the newly released rules:

Azure Well-Architected Framework
AWS Well-Architected Framework
NIS Europe OES-2019

Bug Fixes

Fixed a bug where the Lambda rules displayed only 50 checks per region.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.

New Rule

GCP

GKE-001: Enable GKE Cluster Node Encryption with Customer-Managed Keys: This rule ensures that boot disk encryption with Customer-Managed Keys is enabled for GKE cluster nodes.

BigQuery-003: Enable BigQuery Dataset Encryption with Customer-Managed Encryption Keys: This rule ensures that all your Google Cloud BigQuery datasets are encrypted using Customer-Managed Encryption Keys (CMEKs).

CloudSQL-027: Enable 'cloudsql.enable_pgaudit' and 'pgaudit.log' Flags for PostgreSQL Database Instances: This rule ensures that `cloudsql.enable_pgaudit` and `pgaudit.log` flags are enabled for Google Cloud PostgreSQL server instances.

CloudSQL-028: Disable '3625' Trace Flag for SQL Server Database Instances: This rule ensures that the `3625` trace flag for SQL database servers is set to `off`.

CloudIAM-012: Enable Access Approval: This rule ensures that `Access Approval` is enabled for your Google Cloud account.

CloudAPI-004: Enable Cloud Asset Inventory This rule ensures that `Google Cloud Asset Inventory` is enabled for your GCP projects.

Azure

PostgreSQL-012: Enable Infrastructure Double Encryption: This rule ensures that infrastructure double encryption is enabled for all Azure PostgreSQL database servers.

PostgreSQL-013: log_checkpoints" Parameter for PostgreSQL Flexible Servers: This rule ensures that the `log_checkpoints` parameter for your Microsoft Azure PostgreSQL flexible database servers is set to `ON`.

Rule Bug Fix

ELB-007: ELB Security Group: Fixed a bug where the rule did not generate checks for some regions with access permissions to Conformity.

AWS Outage in Oregon Region Impacting Conformity Application Access and Workflows

Fri, 30 Sep 2022 00:00:00 GMT

September 30, 2022, Conformity—From 2022-09-28 16:20 UTC - 20:43 UTC (9:20 AM PDT - 1:43 PM PDT)

AWS experienced a service outage in the us-west-2 (Oregon) region, which affected the Conformity application. This outage affected the API Gateway service, which made the Conformity application inaccessible during the time window. The service has fully recovered now, and Conformity has returned to normal.

Affected regions

Oregon service region (us-west-2) and Cloud One US-1

P.S: No other Conformity regions were impacted.

Impact

The customers could not access the Conformity application via the UI or API or successfully scan their accounts. Any automated workflows relying on Conformity, for example, the API workflows using the Template Scanner, may also have been impacted.

Resolution

The service health of Amazon API Gateway has now fully recovered and can be tracked here. Conformity also has service returned to normal.

Conformity Enhancements: New Features, Bug Fixes, and GCP Rules Introduced

Wed, 12 Oct 2022 00:00:00 GMT

October 12, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 12 October 2022.

Added the `skipUpdatingEnabledSuppression` attribute to prevent updating the `suppressed` and `suppressed-until` attributes on suppressed checks using the Checks API.

Improved our compliance score calculation logic to prevent the score of greater than 95% being rounded off to 100%.

Bug Fixes

Fixed a bug where the Conformity Bot reported stale checks with a large number of EC2 resources.

Fixed a bug that prevented getting the list of excluded resources in the UI and the public API by making some performance enhancements.

Fixed a bug with the Custom Rules engine that returned an `HTTP 500` error for resources without data.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.

New Rules

GCP

CloudIAM-013: Essential Contacts for Organizations (Not Scored): This rule ensures that the Essential Contacts are defined for your Google Cloud organization.

ResourceManager-001: Disable User-Managed Key Creation for Service Accounts: This rule ensures that the `Disable Service Account Key Creation` policy is enforced.

Rule Bug Fixes

Config-002: AWS Config Referencing Missing S3 Bucket: Fixed a bug where the rule did not return a success check for compliant Config resources on the Provider level.

Fixed an issue where the check region for the following rules incorrectly returned as `ALL`:

Monitor-002: Activity Log Retention
Monitor-003: Activity Log All Activities
Monitor-004: Activity Log All Regions
Monitor-005: Check for Publicly Accessible Activity Log Storage Container
Monitor-006: Use BYOK for Activity Log Storage Container Encryption
Resources-001: Tags

Runtime Security now supports AWS Bottlerocket OS V 5.10 on EKS

Wed, 12 Oct 2022 00:00:00 GMT

October 12, 2022, Container Security—Runtime Security now supports AWS Bottlerocket OS V 5.10 on EKS.

Public Preview of Vulnerability View enhances container security with real-time visibility

Wed, 12 Oct 2022 00:00:00 GMT

October 12, 2022, Container Security—Containers are key parts of most Cloud Native Applications and these applications contain open source code. According to the Linux Foundation, between approximately 70% and 90% of all cloud-native code is made of open source. However, over 95% of organizations lack real-time visibility into vulnerabilities in their running containers.

Trend Micro is announcing the Public Preview of Vulnerability View, a new feature that enables organizations to have visibility of open source and operating system vulnerabilities that are part of their containers in runtime. This new view provides actionable detections with context, while enabling teams to identify risky applications in production at a glance - all without having their images leaving their cluster.

Active Directory Connector now integrated for structured security management

Fri, 14 Oct 2022 00:00:00 GMT

October 14, 2022, Workload Security—The Active Directory Connector allows Trend Cloud One - Endpoint & Workload Security to use your Active Directory structure. This feature synchronizes AD computer objects, creates grouping structure, and relocates systems to use their AD Organizational Unit structure. Please note that this connector requires a Cloud One Data Center Gateway. For more details see AD connector documentation.

Update Azure Scanner and Storage Stack to Version 4.x by Dec 3, 2022

Wed, 19 Oct 2022 00:00:00 GMT

October 19, 2022, File Storage Security—You need to update your Azure Scanner Stack and Storage Stack to update the function app's runtime to version 4.x before Dec 3, 2022.

Beginning on December 3, 2022, function apps running on versions 2.x and 3.x of the Azure Functions runtime can no longer be supported.

This functionality requires a stack update.

Enhanced software reporting and SAP Scanner support in Deep Security Agent 20.0.0

Fri, 21 Oct 2022 00:00:00 GMT

October 21, 2022, Workload Security—Deep Security Agent version 20.0.0-5761 has been released.

This release includes:

Improved installed software reporting on agents for Windows.
SAP Scanner support for Oracle Linux 7.
Several enhancements and resolved issues.

For detailed information on what's included in this version, see What's New in Deep Security Agent.

Windows OS proxy exclusion now supported in Trend Cloud One - Endpoint & Workload Security

Fri, 21 Oct 2022 00:00:00 GMT

October 21, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security now supports Windows OS proxy exclusion when OS proxy is applied. For details, see Enable OS proxy. This feature is currently only supported on Windows platforms and is available for Trend Cloud One - Endpoint & Workload Security customers in all regions.

Enhanced Remote Shell Commands for macOS in Trend Cloud One Workload Security

Fri, 21 Oct 2022 00:00:00 GMT

October 21, 2022, Workload Security—When registered with Trend Vision One, Trend Cloud One - Endpoint & Workload Security now supports additional Remote Shell commands on Deep Security Agent version 20.0.0-182 and later for macOS. For details, see Trend Vision One (XDR) Remote Shell - Supported Commands.

Register for Trend Cloud One and Single Sign One from Trend Vision One

Fri, 21 Oct 2022 00:00:00 GMT

October 21, 2022, Workload Security—You can now register for Trend Cloud One and sign up for Single Sign One from Trend Vision One. For details, see Integrate Trend Cloud One - Endpoint & Workload Security with Trend Vision One.

Resolved GCP Scanner timeout issue for scanning certain files

Mon, 24 Oct 2022 00:00:00 GMT

October 24, 2022, File Storage Security—Fixed the issue that the GCP Scanner function would time out when scanning certain files.

GCP Scanner now supports scanning larger files in zip files

Mon, 24 Oct 2022 00:00:00 GMT

October 24, 2022, File Storage Security—GCP Scanner now supports scanning larger files in zip files.

Conformity introduces new compliance features, bug fixes, and expanded rule support

Wed, 26 Oct 2022 00:00:00 GMT

October 26, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 26 October 2022.

Introducing the 'skipUpdatingEnabledSuppression' attribute in the Check API allowing you to prevent updating suppressed checks until you reach your 'suppressed-until' date.

You can now add tags when onboarding AWS, Azure or GCP accounts using the Accounts API.

The CSV reports now include cost and savings data for the checks related to the cost rules.

Added support for PCI DSS v4 and CIS Controls Version 8 across Conformity compliance features for AWS, Azure and GCP.

Added support for CIS GCP Foundation Benchmark Version 1.2.0 in Conformity compliance features.

Bug Fixes

Fixed a bug preventing CSV reports from being generated when compliance reports had 0 checks.

Fixed a bug to make notes mandatory while updating the suppressed or unsuppressed property in the Check API regardless of whether the underlying rule is custom or standard.

Fixed a bug where reports generation failed due to a large amount of data.

Fixed a bug with the public API `Events get` to strip all html tags (syntax to enclose username, api keys or similar data in a strong tag) from `event.attributes.description` property of the response object.

Fixed a bug to make the `Note` field mandatory when suppressing or un-suppressing a check the UI.

Fixed a bug to allow the users to go back to the Project selection from the Confirmation page when onboarding GCP projects.

Fixed a bug where users weren't receiving the 'Welcome' email after signing up.

Fixed a bug to display a warning icon indicating the rule exception state for Tags case insensitive, Tags case sensitive, and resource id filters in all 3 rule list views (Account, Organisational profile and Custom Profile).

Fixed a bug to increase the size limit of an Organisation Profile allowing you to save and apply multiple rule configurations to many accounts.

Fixed a bug where the Profile API was timing out when a profile with multiple rule configurations was applied to a large number of accounts.

WS-005: WorkSpaces Storage Encryption: Fixed a bug for the rule to generate checks for all Workspace checks on an AWS account instead of 25 workspaces.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.

New Rules

Azure

MySQL-002 (Configure TLS Version for MySQL Flexible Database Servers): This rule ensures that the `tls_version` parameter is set to a minimum of `TLSv1.2` for all MySQL flexible database servers.

Rule Update

CF-006: CloudFront Security Policy: Updated the rule to include the latest Security policies.

Deep Security Agent Windows Upgrade Requires Reboot to Prevent System Crashes

Thu, 27 Oct 2022 00:00:00 GMT

October 27, 2022, Workload Security—After upgrading the Deep Security Agent package for Windows from version 20.0.0-5761 to 20.0.0-5810, a reboot is required to solve an issue causing systems to crash. This issue affects agents for all Windows platforms.

For more information, including steps detailing an upgrade and reboot, please see BSOD Encountered During Uninstall of Deep Security Agent 20.0.0-5761.

View Summary of Disabled Cloud Accounts on Main Dashboard with Latest Conformity Update

Mon, 31 Oct 2022 00:00:00 GMT

October 31, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 31 October 2022.

You can now view a summary of your cloud accounts with disabled Conformity Bot on the Main Dashboard by clicking on the View Accounts button.

Bug Fix

Fixed a bug happening due to the updated AZ CLI Version, where the users weren't able to generate the password for the created App Registration manually. We've updated the script to generate the Password & Client_secret_key automatically. Please ensure that the AZ CLI version is higher than `2.40.0` for the new script to work.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.

GCP Scanner DLT Function Issue Resolved

Tue, 01 Nov 2022 00:00:00 GMT

November 01, 2022, File Storage Security—Fixed the issue that caused the GCP Scanner DLT function to fail.

Conformity discontinues pre-release notices for faster rule deployment

Thu, 03 Nov 2022 00:00:00 GMT

November 03, 2022, Conformity—Discontinuing Rules Pre-Release Notice: The 48-hour pre-release notice to be discontinued with effect from 10 January 2023

From 10 January 2023, Trend Micro Cloud OneTM - Conformity will no longer send a Pre-release Notice 48 hours prior to releasing new rules and rule updates. You will be receiving all the release updates including rules through a post deployment update on the What’s New page.

Important: As a part of our new communication strategy, we will no longer be sending release emails effective 10th January 2023. We highly recommend that you subscribe to the Trend Micro Cloud One TM Updates RSS Feed using an RSS Feed Reader to get notified about the latest releases and news for Conformity.

Why?

This change is a part of Conformity’s strategy to deliver you new rules, features and, fixes faster.
In 2023, Conformity aims to deploy multiple times per week and we can only do this if we remove the 48 hour pre-release rules notice and manual release emails.

Impact

We acknowledge that some of you are under strict SLAs that require monitoring of new rules impacting your compliance scores.

If you’re affected by the release of new rules, we recommend configuring the New Rules Behaviour settings `Manually` so your compliance scores are not impacted by newly released rules and you can enable them as required.

If you have already configured the setting to automatically enable newly released rules, no further action is required.

Enhanced Role-Based Access Control for Anti-Malware Common Objects

Fri, 04 Nov 2022 00:00:00 GMT

November 04, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security now allows administrators to control which anti-malware related common objects each role can access. For details, see Manage role-based access control for common objects.

Conformity Enhancements: Bug Fixes and Azure Storage Account Limit Update

Mon, 07 Nov 2022 00:00:00 GMT

November 07, 2022, Conformity—The following updates are now available with Conformity's latest release on 07 November 2022.

Bug Fixes with Rule Updates

Fixed a bug to prevent Conformity from generating checks for the backup vault with different types of protected item(s) for a number of Virtual Machine rules.

Fixed a bug to prevent the throttling of Azure Storage Accounts service due to numerous storage accounts and blob containers by implementing a hard limit of 100 storage accounts.
This implies that Conformity will now scan only the first 100 Azure storage accounts with an unlimited number of blob containers for the rules listed below:
StorageAccounts-006 - Disable Anonymous Access to Blob Containers
StorageAccounts-012 - Enable Immutable Blob Storage
StorageAccounts-016 - Check for Publicly Accessible Web Containers
StorageAccounts-017 - Review Storage Accounts with Static Website Configuration

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.

Automatic Assignment of Trend Cloud One Rules on Rule Update

Mon, 07 Nov 2022 00:00:00 GMT

November 07, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security can now be set to automatically assign all core Trend Cloud One - Endpoint & Workload Rules to your policy when a Rule Update occurs. For details, see Configure Trend Cloud One - Endpoint Security.

Support for Mobile (MTP/PTP) Read Only protocol on Windows 11

Mon, 07 Nov 2022 00:00:00 GMT

November 07, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security now supports the Mobile (MTP/PTP) Read Only protocol of Device Control for Windows 11. This requires Deep Security Agent version 20.0.0-5810 or later.

Limit introduced to prevent SNS service throttling for scanning AWS topics

Tue, 08 Nov 2022 00:00:00 GMT

November 08, 2022, Conformity—Fixed an issue to prevent SNS service throttling by introducing a limit to scan upto 4000 AWS SNS topics for the following rules:

SNS-001 Topic Exposed
SNS-002 Cross Account Access
SNS-003 SNS Appropriate Subscribers
SNS-004 Topic Accessible For Publishing
SNS-005 Topic Accessible For Subscription
SNS-006 Topic Encrypted
SNS-007 Topic Encrypted With KMS Customer Master Keys

Improved Cloud Account Onboarding and Bug Fix in Conformity's Latest Release

Mon, 14 Nov 2022 00:00:00 GMT

November 14, 2022, Conformity—The following updates are now available with Conformity's latest release on 14 November 2022.

To improve Conformity Bot's reliability, cloud accounts onboarded to Conformity via the Public API will be queued to run with in the next 10 minutes of the API call.

Bug Fix

Fixed the broken 'Add and Manage Users' link on the Public API page linking to Cloud One help documentation.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.

Domain filtering now supported in Network Security deployments with hosted infrastructure

Wed, 16 Nov 2022 00:00:00 GMT

November 16, 2022, Network Security—Domain filtering support: Domain filtering is now supported on deployments using Network Security with hosted infrastructure. Learn more about domain filtering.

Conformity Enhancements for AWS and Azure Compliance Standards

Mon, 21 Nov 2022 00:00:00 GMT

November 21, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 21 November 2022.

The FISC Security Guidelines v9 compliance standard mapping now supports the latest AWS and Azure rules released in Conformity.

Bug Fixes

Enhanced the scanning of all AWS RDS Instances to reduce throttling.
Fixed a bug where the note for 'number of checks included' indicated an incorrect count while configuring a report for individual checks.
Fixed a bug where the 'Account rule settings' notes were not being saved correctly for the Custom Role Full Access Users.
KMS-002:Key Rotation Enabled: Fixed a bug where checks were generated incorrectly if the KMS key did not support key rotation.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.

Rules

Azure

SecurityCenter-039: Enable Automatic Provisioning of Vulnerability Assessment for Virtual Machines: This rule advises users to manually check that automatic provisioning of vulnerability assessment solutions is `Enabled` for virtual machines.

Rule Updates

Fixed an issue with the following rules handling AWS regions with restricted permissions in Conformity:

EBS-010: EBS Volumes Attached to Stopped EC2 Instances

VPC-016: VPC Endpoints in Use

S3-025: S3 Buckets Encrypted with Customer-Provided CMKs

CT-003: Publicly Accessible CloudTrail Buckets

RDS-027: Instance Level Events Subscriptions

RDS-028: Security Groups Events Subscriptions

RDS-029: RDS Event Notifications

RDS-039: RDS Instance Not in Public Subnet

End of Life - Conformity Cost Optimization Feature

*The Conformity Cost Optimization feature will reach end of life with the upcoming release on 21 November 2022. If you've missed our advance notice, please read through the details below.*

Why are we doing this?

We have decided to discontinue all support for Cost Analysis as our strategic focus as Trend Micro Cloud One ™ Conformity is on core Cloud Security Posture management (CSPM) features.

What does it mean for you?

No Cost Optimization widget - you will stop seeing the Cost Optimization widget on your Organizations’ Main Dashboard.

What happens to the Cost Rules?

All Cost category rules except for the following Rules will still be available to all customers. We’re deprecating these four Rules because their AWS data source is a deprecated AWS billing report.

Budgets- 001: Budget Overrun

Budgets -002: Cost Fluctuation

Budgets-003: Budgets Overrun Forecast

Budgets-004: Cost Fluctuation Forecast

What do I need to do?

*The Cost Optimization feature is unavailable to our Trend Micro Cloud One ™ Conformity customers.*

Enhanced Security and Resilience for Conformity Platform with Elasticsearch Upgrade

Thu, 24 Nov 2022 00:00:00 GMT

November 24, 2022, Conformity—On 23 November 2022, we upgraded the Elasticsearch clusters to improve your experience with the Conformity platform, providing you with a more resilient and secure cloud infrastructure by applying the security best practices.

Cloud One Central introduces preview release for enhanced application visibility

Mon, 28 Nov 2022 00:00:00 GMT

November 28, 2022, Cloud One Central—Cloud One Central is now in Preview release. It helps you gain visibility across your applications. At launch, it lists your cloud workloads (EC2 instances), container image repositories (ECR), and serverless functions (Lambda functions), along with security findings grouped by cloud account. For more information, see About Cloud One Central.

Cloud Sentry available in preview release deployment as serverless application

Mon, 28 Nov 2022 00:00:00 GMT

November 28, 2022, Cloud Sentry—Cloud Sentry is now available in Preview release. It deploys as a serverless application in your cloud account to scan your resources for threats. For more information, see About Cloud Sentry.

Windows agents can trigger manual scans for specific folders in Trend Cloud One

Mon, 28 Nov 2022 00:00:00 GMT

November 28, 2022, Workload Security—Trend Cloud One - Endpoint & Workload Security now allows agents for Windows platforms to trigger a manual scan from the Trend Micro notifier application for specified folders only. This requires Deep Security Agent version 20.0.0-5995 or later.

Conformity introduces Chinese character support, extended GCP regions, and bug fixes

Tue, 29 Nov 2022 00:00:00 GMT

November 29, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 29 November 2022.

Added a new Replay endpoint to the Checks API allowing you to send checks history into newly created Communication Channels. For details see: Re-run Historical Check Notifications.

You can now add Chinese characters in the Account Tags via the UI and the public API.

GCP Conformity Bot now supports the following regions:
asia-south2
australia-southeast2
europe-southwest1
europe-west8
europe-west9
northamerica-northeast2
us-east5
us-south1
southamerica-west1

Bug Fixes

Fixed a bug where the Real Time Threat Monitoring notifications were not being sent when a check status changed from `Failure`, to `Success`, and then back to `Failure` in quick succession.

Fixed a bug where the Power Users and the Read Only users were able to view users' activity on the Main Dashboard. User activities can only be viewed by a Full Access user and a Custom Role user with appropriate permissions.

Fixed a bug where the Azure Real Time Monitoring install script failed to install monitoring resources correctly.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.

Rules

Azure

SecurityCenter-040: Enable Automatic Provisioning of Microsoft Defender for Containers Components [Not scored]: This rule recommends that automatic provisioning of security components is enabled for Azure containers.

StorageAccounts-022: Disable public access to storage accounts with blob containers: This rule ensures that public access to blob containers is disabled for your Azure storage accounts. The recommended setting overrides any alternative configurations allowing public blob access.

GCP

GKE-002: Enable Encryption for Application-Layer Secrets for GKE Clusters: This rule ensures that GKE Clusters have Application-Layer Secrets Encryption enabled.

Rule Updates

Updated the following AWS EC2 Non-Security-Group service level rules to fix an error-handling issue and generate accurate checks for all regions.

EC2-009: EC2-Classic Elastic IP Address Limit
EC2-010: EC2-VPC Elastic IP Address Limit
EC2-011: Account Instance Limit
EC2-024: Unassociated Elastic IP Addresses
EC2-026: Unused AMI
EC2-056: Unused AWS EC2 Key Pairs
EC2-072: EC2 Instance Not in Public Subnet
EC2-078: EC2 Instances Scanned by Amazon Inspector Classic

Enhanced Vulnerability View for Container Security Available

Tue, 29 Nov 2022 00:00:00 GMT

November 29, 2022, Container Security—Vulnerability view is now available for Container Security, detailing any vulnerabilities found in open source code and operating system code running in your clusters. This feature allows you to search vulnerabilities by name and filter results by severity level or CVE score. For details on how vulnerability view integrates with runtime vulnerability scanning, see Configure runtime vulnerability scanning.

New Azure rule, bug fixes, and rule updates in Conformity's latest release

Thu, 08 Dec 2022 00:00:00 GMT

December 08, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 08 December 2022.

Bug Fixes

Fixed a bug to prevent Azure RTM events from being created intermittently by improving the logic of detecting duplicate events.

Fixed a bug with the Security Group rules scanning by ignoring them if the Ingress or Egress rules cannot be extracted from the IaC template.

Fixed a bug to return the error response of `200 with {data: []}` instead of `403` for service group API for an organisation without any account.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.

New Rule

Azure

ActivityLog-029: Create Alert for "Delete Public IP Address" Events: This rule ensures that an Azure activity log alert is used to detect "Delete Public IP Address" events.

Rule Updates

Updated the following rules to fix an issue with their handling of AWS regions with restricted permissions for Conformity:

IAM-060: Attach Policy to IAM Roles Associated with APP-Tier EC2

IAM-064: Attach Policy to IAM Roles Associated with Web-Tier EC2

ASG-004: Same Availability Zones in ASG and ELB

Inspector-001: Amazon Inspector Findings

Inspector-002: Days since last Amazon Inspector run

Inspector-003: Check for Amazon Inspector Exclusions

SQL-010: Check for Unrestricted SQL Database Access: Updated the rule to return a SUCCESS check when the ‘Deny public network access’ toggle is checked. The rule continues to ensure firewalls associated with your Microsoft Azure SQL servers are not configured to allow unrestricted inbound access.

SQS-004 : Queue Server Side Encryption: Updated the rule to cover the latest SQS encryption options in AWS and prevent false negative checks

Conformity Enhancements for AWS EventBridge Cross-Account IAM Role Changes

Thu, 08 Dec 2022 00:00:00 GMT

December 08, 2022, Conformity—Impact of AWS EventBridge Cross-Account IAM Role Changes on Conformity

The following features and updates are now available with Conformity's latest release on 08 December 2022.

From 16 February 2023, all new AWS EventBridge Cross-account event bus targets will require an IAM role. This change will affect new Conformity Real Time Monitoring (RTM) EventBridge configurations but does not immediately affect the existing Conformity customers.

What is the change?

To increase security, AWS will soon require creating an IAM role for new Cross-account event bus targets. Consequently, Conformity will update the RTM installation process for new accounts to comply with the new requirement.

Fixed a bug to prevent Azure RTM events from being created intermittently by improving the logic of detecting duplicate events.

Fixed a bug with the Security Group rules scanning by ignoring them if the Ingress or Egress rules cannot be extracted from the IaC template.

Fixed a bug to return the error response of `200 with {data: []}` instead of `403` for service group API for an organisation without any account.

Custom Policy Updates

User Impact

AWS has confirmed that there will be no immediate impact on existing customers. If you are an existing Conformity customer using RTM, there is no deadline and you will be able to update your RTM resources after 16 February 2023 at your own pace.

Resolution

We are working on updating the authentication method and installation script for RTM. The new script will allow you to install or update RTM in your AWS accounts in line with the new IAM role requirements from AWS.

Trend Micro Cloud One APAC Maintenance Completed, Services Coming Online Soon

Sat, 10 Dec 2022 00:00:00 GMT

December 10, 2022, General—System maintenance for Trend Micro Cloud One - Workload Security is complete for APAC regions. Affected Trend Micro Cloud One services will be online shortly. For more information or to be notified of scheduled maintenance, see Trend Micro Cloud One Maintenance.

Sentry scanner log volume reduced in CloudWatch integration

Thu, 15 Dec 2022 00:00:00 GMT

December 15, 2022, Cloud Sentry—Fixed the issue that caused the Sentry scanner to write large amount of logs to CloudWatch.

Enhanced AWS Security Rules and Custom Policies in Conformity's Latest Update

Thu, 15 Dec 2022 00:00:00 GMT

December 15, 2022, Conformity—The following rules and updates are now available with Conformity's latest release on 15 December 2022.

Custom Policy Updates

The custom policy has been updated as a result of the new deployment. The new custom policy version is 1.39 and the permission added is:

`securityhub:DescribeHub`

Click here to access the new custom policy.

New Rule

AWS

SecurityHub-002: Security Hub Enabled: This rule ensures Amazon Security Hub service is enabled for your AWS accounts.

Rule Updates

Updated the following rules to improve error-handling and ensure that the checks are only generated in regions with security groups:
EC2-012: Security Group Excessive Counts
EC2-013: Security Group Large Counts

SQS-005: SQS Encrypted With KMS Customer Master Keys: Updated the rule to return a failure when the ‘Amazon SQS key (SSE-SQS)’ is selected as encryption key type. The rule continues to ensure that your SQS queues are using KMS CMK customer-managed keys instead of AWS managed-keys (i.e. default keys used in absence of defined customer keys) to benefit from a more granular control over the queues data encryption/decryption process.

Monitor-006: Activity Log Storage Encryption with Customer-Managed Key: Updated the rule to check storage container encryption for diagnostic settings in addition to log profiles. The rule ensure that your Microsoft Azure activity log storage container is encrypted with a Customer-Managed Key (CMK) to protect your activity log data at rest with a key from your own Azure key vault.

Updated the following AWS service-level rules to fix an error-handling issue and generate accurate checks when Conformity's permissions to certain AWS regions is restricted:

Lambda-005: Lambda Function With Admin Privileges
Lambda-006: Using An IAM Role For More Than One Lambda Function
SSM-003: Check for SSM Managed Instances
EC2-002: Unrestricted SSH Access
EC2-003: Unrestricted RDP Access
EC2-004: Unrestricted Oracle Access
EC2-005: Unrestricted MySQL Access
EC2-006: Unrestricted PostgreSQL Access
EC2-007: Unrestricted DNS Access
EC2-008: Unrestricted MsSQL Access
EC2-015: EC2 Instance Security Group Rules Counts
EC2-038: Unrestricted Telnet Access
EC2-039: Unrestricted SMTP Access
EC2-040: Unrestricted RPC Access
EC2-041: Unrestricted NetBIOS Access
EC2-042: Unrestricted FTP Access
EC2-043: Unrestricted CIFS Access
EC2-045: Unrestricted MongoDB Access
EC2-063: Unrestricted Elasticsearch Access
EC2-064: Unrestricted HTTP Access
EC2-065: Unrestricted HTTPS Access
EC2-074: Check for Unrestricted Redis Access
EC2-075: Check for Unrestricted Memcached Access

Bug Fixes and Custom Policy Status Update in Conformity's Latest Release

Tue, 20 Dec 2022 00:00:00 GMT

December 20, 2022, Conformity—The following bug fixes are now available with Conformity's latest release on 20 December 2022.

Fixed a bug to prevent Power User and Read Only from accessing all event activities through public API.

Fixed a bug with CQL to now validate the query length and also display an error message for queries exceeding 5000 characters.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.39. Click here to access the current custom policy.

Advanced Threat Scan Engine now available for AWS, Azure, and GCP scanners

Fri, 23 Dec 2022 00:00:00 GMT

December 23, 2022, File Storage Security—The AWS, Azure, and GCP scanners with Advanced Threat Scan Engine (ATSE) 21.600.1005 are now available for use.

File Storage Security Enhances Deployment Capabilities with Terraform Support

Mon, 09 Jan 2023 00:00:00 GMT

January 09, 2023, File Storage Security—File Storage Security now supports deploying GCP stacks by using Terraform.

Conformity Introduces New Azure and GCP Rules, Expanded GCP Region Support, and

Thu, 12 Jan 2023 00:00:00 GMT

January 12, 2023, Conformity—The following updates are now available with Conformity's latest release on 12 January 2023.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.39. Click here to access the current custom policy.

New Rules

Azure

Monitor-010: Enable Subscription Activity Log Diagnostic Settings: This rule ensures that Azure Monitor Activity Logs for your subscription are exported to an appropriate data store using diagnostic settings. This rule also replaces the rule: `Monitor-001 - Azure Activity Log Profile in Use` which will be deprecated soon.

ActivityLog-028: Create Alert for `Create or Update Public IP Address` Events: This rule ensures that activity log alerts are created for the `Create or Update Public IP Address` events.

GCP

ResourceManager-003: Enforce Uniform Bucket-Level Access: This rule ensures that `Enforce Uniform bucket-level access organization` policy is enabled at the Google Cloud Platform (GCP) organization level, and that the project inherits the parent's policy.

ResourceManager-002: Disable Automatic IAM Role Grants for Default Service Accounts: This rule ensures that `Disable Automatic IAM Grants for Default Service Accounts` policy is enforced.

Dataproc-001: Enable Dataproc Cluster Encryption with Customer-Managed Keys: This rule ensures that your Dataproc Clusters on Compute Engine are encrypted using Customer-Managed Keys (CMKs).

Platform Updates

We've now empowered the Conformity Bot with the following 10 additional regions to support GCP:
eur4
eur6
nam4
nam7
nam8
nam10
nam11
nam12
nam13
nam-eur-asia1

We've also improved our PDF report engine to generate reports with up to 5,000 checks.

Bug Fixes

Fixed a bug where checks for CloudStorage Buckets resources returned incorrect region value i.e. `global` for a region with hosted resources.

Fixed a bug where the Deprecated Rules were being enabled on clicking the 'Reset to Default' button.

AWS Real-Time Monitoring now supports EventBridge Cross-Account IAM Role for enhanced security

Thu, 19 Jan 2023 00:00:00 GMT

January 19, 2023, Conformity—The following update is available with Conformity's latest release on 19 January 2023.

AWS Real-Time Monitoring installation now supports EventBridge Cross-Account IAM Role

We have updated the AWS Real-Time Monitoring installation template to include an IAM role for cross-account access to increase security and adhere to the latest AWS EventBridge cross-account access requirements.

For more information see the RTM Settings. While there is no firm deadline from AWS, we recommended that you update your EventBridge configuration to follow the best practice.

For more information about sending and receiving Amazon EventBridge events between AWS accounts, see the AWS documentation.

New AWS regions in Europe and Canada for Network Security deployment

Fri, 27 Jan 2023 00:00:00 GMT

January 27, 2023, Network Security—New regions available for deployment: You can now deploy Network Security with hosted infrastructure deployments in several new AWS regions in Europe and Canada. View all supported regions.

New AWS CloudShell script for route changes in Network Security

Fri, 27 Jan 2023 00:00:00 GMT

January 27, 2023, Network Security—New deployment routing script: Network Security now provides a script that enables you to make route changes using AWS CloudShell for Network Security with hosted infrastructure deployments. This script provides step-by-step instructions to create the required route tables for hosted infrastructure deployments in your particular AWS environment. Learn more.

Updated Compliance Standards and ISO 27001:2022 Support for Cloud Environments

Tue, 31 Jan 2023 00:00:00 GMT

January 31, 2023, Conformity—Updated Compliance Standards: CIS Foundations Benchmarks

We've updated our compliance standards to meet the Center of Internet Security (CIS) Foundations Benchmarks for AWS, Azure and GCP. You can now filter Checks and download Compliance Reports to ensure your cloud environment complies with the latest CIS Foundations Benchmarks.

CIS Amazon Web Services Foundations Benchmark, v1.5.0
CIS Microsoft Azure Foundations Benchmark v1.5.0
CIS Google Cloud Platform Foundation Benchmark v1.3.0

You can view the CIS certifications awarded to Trend Micro Cloud One - Conformity on the CIS partner website and find out more about Compliance and Conformity in our documentation.

ISO 27001:2022 Support for AWS, Azure and GCP

We now support ISO 27001:2022 across compliance features for AWS, Azure and GCP.

Custom Policy Updates

We've updated the custom policy to version - 1.40. The added permission is:

`lambda:ListFunctionUrlConfigs`

Click here to access the new custom policy.

No Deadline for Switching to FQDNs for Trend Cloud One Access

Tue, 31 Jan 2023 00:00:00 GMT

January 31, 2023, Workload Security—There is no longer a deadline to switch from Static Ips to FQDNs to access Trend Cloud One - Endpoint & Workload Security. This means that Trend Cloud One - Endpoint & Workload Security accounts created prior to November 23, 2020 can continue to use their Deep Security Agents to access Trend Cloud One - Endpoint & Workload Security by using the static IP addresses provided in Port numbers, URLs, and IP addresses.

Windows Server Device Control now supported in Trend Cloud One - Endpoint & Workload Security

Tue, 31 Jan 2023 00:00:00 GMT

January 31, 2023, Workload Security—Trend Cloud One - Endpoint & Workload Security now supports the Windows Server platform for Device Control. This requires Deep Security Agent 20.0.0-6313 or later. See Supported features by platform for the supported list.

Enhanced Resource Details and Links in Tags Rule

Wed, 01 Feb 2023 00:00:00 GMT

February 01, 2023, Conformity—Rule Update

Resources-001: Tags: Improved this rule to return more resource details in the check including service and resource names and a link to the resource.

Severity Update for RTM Configuration Change Rules to Improve Alert Fatigue

Thu, 02 Feb 2023 00:00:00 GMT

February 02, 2023, Conformity—Rule Update

Updated the Severity for the following RTM Configuration Change Rules from `HIGH` to `LOW` to improve alert fatigue as these rules do not ideally represent a security vulnerability. These rules are more of events prompting you to review your severity and change it as required.

Azure

Network-014: Monitor Network Security Group Configuration Changes

AWS

Config-005: AWS Config Configuration Changes
CT-013: AWS CloudTrail Configuration Changes
ECS-001: Monitor Amazon ECS Configuration Changes
GD-003: AWS GuardDuty Configuration Changes
IAM-054: IAM Configuration Changes
KMS-007: Monitor AWS KMS Configuration Changes
Organizations-003: AWS Organizations Configuration Changes
RDS-036: Amazon RDS Configuration Changes
Route53-009: Amazon Route 53 Configuration Changes
Route53Domains-001: Amazon Route 53 Domains Configuration Changes
RTM-009: Network configuration change detected
S3-022: S3 Configuration Changes
SecurityHub-001: Detect AWS Security Hub Configuration Changes

Conformity Bot enhanced to scan large numbers of SNS resources efficiently

Thu, 02 Feb 2023 00:00:00 GMT

February 02, 2023, Conformity—Bug Fix

Improved Conformity Bot to scan a large numbers of SNS resources and produce checks successfully.

Improved AWS Config rule for referencing missing S3 bucket enhances scanning and reduces false positives

Mon, 06 Feb 2023 00:00:00 GMT

February 06, 2023, Conformity—Rule Update

Config-002: AWS Config Referencing Missing S3 Bucket: Improved this rule to simplify account scanning, improve reliability and reduce false positive checks.

Improved AWS Kinesis resource scanning for enhanced performance

Tue, 07 Feb 2023 00:00:00 GMT

February 07, 2023, Conformity—Bug Fix

Improved the way Conformity scans AWS Kinesis resources to reduce API throttling and improve performance.

Three new runtime rules added to Container Security for enhanced threat detection

Wed, 08 Feb 2023 00:00:00 GMT

February 08, 2023, Container Security—Container Security has three new runtime rules. They are:

Detect file execution from the /dev/shm directory, a common tactic for threat actors to stash their files. (T1059.004)Execution from /dev/shm.

Detect usage of find or grep trying to access AWS credentials. (T1552.001)Find AWS Credentials.

Detect attempts to inject code into a process using PTRACE. (T1055.008)PTRACE attached to process.

You need to update your cluster's Runtime Rulesets in order to benefit from these new rules as per the documentation.

Improved accuracy and account restriction in CloudTrail Bucket MFA Delete rule

Mon, 13 Feb 2023 00:00:00 GMT

February 13, 2023, Conformity—Rule Update

CT-004: CloudTrail Bucket MFA Delete Enabled: Updated the rule to improve check accuracy and remove duplicate checks. This rule will no longer produce checks if the CloudTrail S3 bucket is located in another account.

Improved accuracy and elimination of duplicate checks in CloudTrail S3 Bucket Logging

Thu, 16 Feb 2023 00:00:00 GMT

February 16, 2023, Conformity—Rule Update

CT-002: CloudTrail S3 Bucket Logging Enabled: Updated the rule to improve check accuracy and remove duplicate checks. This rule will no longer produce checks if the CloudTrail S3 bucket is located in another account.

Enhancement: Improved Rule Management for Trend Cloud One - Endpoint & Workload

Mon, 20 Feb 2023 00:00:00 GMT

February 20, 2023, Workload Security—A change has been made to the way core Trend Cloud One - Endpoint & Workload rules are updated. Core Trend Cloud One - Endpoint & Workload rules that were unassigned by users now remain unassigned after rule updates.

Conformity now excludes TTL checks from compliance score calculation for accuracy

Wed, 22 Feb 2023 00:00:00 GMT

Checks with Time to Live (TTL) attribute have now been excluded from the compliance score calculation to produce more accurate percentage scores. This update will affect the scores displayed under:

Conformity compliance status
Compliance level comparison
Compliance level evolution

Updated the following Compliance Standards and Reports to include newly released rules:

PCI DSS v3.2.1
AWS Well-Architected Framework

AWS S3 bucket and file name included in File Storage Security scan results topic

Wed, 22 Feb 2023 00:00:00 GMT

February 22, 2023, File Storage Security—File Storage Security now supports AWS S3 bucket and file name in the message of SNS scan result topic.

Bug Fix: Event Rule now successfully creates CloudWatch Alarm without errors

Mon, 27 Feb 2023 00:00:00 GMT

February 27, 2023, Conformity—Bug Fix

Fixed a bug with "!Ref" on the Event Rule to create a CloudWatch Alarm successfully without an error.

Conformity Template Scanner now supports additional AWS regions for CloudFormation templates

Thu, 02 Mar 2023 00:00:00 GMT

March 02, 2023, Conformity—Conformity Template Scanner API now supports scanning CloudFormation templates for additional AWS regions (`me-central-1`, `ap-south-2`, `ap-southeast-3`, `ap-southeast-4`, `eu-central-2`, `eu-south-2`, `us-gov-west-1`, `us-gov-east-1`).

Updated resource links for Azure Console access in SecurityCenter rules

Fri, 03 Mar 2023 00:00:00 GMT

March 03, 2023, Conformity—March 03, 2023 Updated the resource link for following rules to incorporate the new Azure functionality allowing users to access the resource directly on the Azure Console.

SecurityCenter-002
SecurityCenter-003
SecurityCenter-004
SecurityCenter-005
SecurityCenter-006
SecurityCenter-007
SecurityCenter-008
SecurityCenter-009
SecurityCenter-010
SecurityCenter-011
SecurityCenter-012
SecurityCenter-013
SecurityCenter-014
SecurityCenter-015
SecurityCenter-020
SecurityCenter-021
SecurityCenter-022
SecurityCenter-023
SecurityCenter-024
SecurityCenter-025

Bug fix enables onboarding new Azure subscriptions via public APIs

Mon, 06 Mar 2023 00:00:00 GMT

Fixed a bug that prevented users from onboarding new Azure subscriptions via public APIs.

Administration User screen removed for Cloud One Users in Conformity Feature

Mon, 06 Mar 2023 00:00:00 GMT

Remove Administration User screen for Cloud One Users as Cloud One Users are managed by Cloud One

Cloud Sentry now available for General Availability

Tue, 07 Mar 2023 00:00:00 GMT

March 07, 2023, Cloud Sentry—We are pleased to announce the General Availability of Cloud Sentry. It deploys as a serverless application in your cloud account to scan your resources for threats. For more information, see About Cloud Sentry.

Enhanced SQS-004 Rule Logic for Latest AWS Encryption Options

Thu, 09 Mar 2023 00:00:00 GMT

March 09, 2023, Conformity—SQS-004 : Queue Server Side Encryption:

Updated the rule logic to cover the latest SQS encryption options in AWS and prevent false negative checks.

Azure Storage Accounts Default to Disallowing Public Blob Access

Tue, 14 Mar 2023 00:00:00 GMT

March 14, 2023, File Storage Security—For all Azure storage accounts created in the stacks, the `allowBlobPublicAccess` property is set to `false`.

This requires a stack update.

Improved EBS resource scanning and resolved logout bug in Cloud One

Wed, 15 Mar 2023 00:00:00 GMT

March 15, 2023, Conformity—Enhanced the scanning of EBS resources to improve performance and reduce API throttling by updating the following Rules:

EBS-004: EBS Volume Recent Snapshots
EBS-005: EBS Volumes Too Old Snapshots

Bug Fixes

Fixed a bug where users were being logged out of the Cloud One console while actively working in Conformity.

Bug Fix: Improved Template Scanner Results for S3 Bucket Keys Compliance Checks

Mon, 20 Mar 2023 00:00:00 GMT

March 20, 2023, Conformity—Bug Fix

S3-028: Enable S3 Bucket Keys: Fixed a bug where the Template Scanner results displayed an error message `cannot read properties of undefined (reading 'filter')` on scanning the rule.

Fixed a bug where the Template Scanner returned checks for the following rules on scanning a Cloud Formation template without the required number of `instances`:

ELB-001: Unused Elastic Load Balancers
ELB-010: ELB Minimum Number of EC2 Instances

Enhanced support for AWS S3 and GCP Cloud Storage in scan results

Wed, 22 Mar 2023 00:00:00 GMT

March 22, 2023, File Storage Security—File Storage Security now supports AWS S3 object eTag and GCP Cloud Storage CRC32C in the message of the scan result.

Deep Security Agent 20.0.0-6658 for Linux and Unix Release with Oracle Linux

Wed, 22 Mar 2023 00:00:00 GMT

March 22, 2023, Workload Security—Deep Security Agent 20.0.0-6658 for Linux and Unix has been released.

This release includes:

Oracle Linux 9 support, including FIPS mode and Secure Boot support.
Logging system improvements to help debug customer issues.
OS platform metadata for Web Reputation Service.
Several resolved issues.

For detailed information on what's included in this version, see What's New in Deep Security Agent.

Changes to AWS IAM Scanning Require Updated Permissions and Custom Policy

Thu, 23 Mar 2023 00:00:00 GMT

March 23, 2023, Conformity—Upcoming changes to AWS IAM Scanning

We will soon change how Conformity scans AWS IAM resources. In preparation, you will need to update your Conformity Custom Policy and ensure you have the permission `iam:GetAccountAuthorizationDetails`. This permission was first added on 19 January 2022 as part of v1.35. If you are missing the permission, you may lose IAM checks.

Reminder: Update Conformity AWS Custom Policy

The latest Conformity Custom Policy is v1.40. Click here to access the new custom policy.

Conformity requires up-to-date permissions to properly scan your AWS account. Please refer to our documentation on keeping your aws custom policy up to date.

To be notified of out of date permissions, you can also refer to the following rules:

Amazon SNS Integration UI Preview Release: Configure with Cloud One using API Endpoints

Mon, 27 Mar 2023 00:00:00 GMT

March 27, 2023, Integrations—Amazon SNS Integration User Interface Preview Release: you can now configure Amazon SNS with Cloud One using our API Endpoints in this Preview release.

Fixed false positive checks for enabling system-assigned managed identities

Tue, 28 Mar 2023 00:00:00 GMT

March 28, 2023, Conformity—Bug Fix

VirtualMachines-015: Enable System-Assigned Managed Identities: Fixed a bug where the rule generated false positive checks while configuring both the system-assigned managed identities and user-assigned identities simultaneously.

Network Security now integrated with Cloud One for simplified Cloud Account Management

Wed, 29 Mar 2023 00:00:00 GMT

March 29, 2023, Network Security—Create new Cloud One accounts: Network Security is now integrated with Cloud One Cloud Account Management, which allows you to use a single Cloud Account connection across the Cloud One platform. Learn more.

Enhanced Event Count Accuracy in Dashboard Widgets and Reports

Wed, 29 Mar 2023 00:00:00 GMT

March 29, 2023, Workload Security—Improvements have been made to more accurately count security events that are used in dashboard widgets and reports. Duplicate events are no longer being counted and may result in event count total disparity after the upgrade. This is a staged release and may not be immediately available in your region.

Improved Deployment Stability with Existing Log Groups Fix

Thu, 30 Mar 2023 00:00:00 GMT

March 30, 2023, Cloud Sentry—Fixed the issue that deployment might fail if there are already some existing log groups created by Sentry.

Updated AWS IAM Scanning Requires `iam:GetAccountAuthorizationDetails` Permission

Thu, 30 Mar 2023 00:00:00 GMT

March 30, 2023, Conformity—Changes to AWS IAM Scanning

We have changed how Conformity scans AWS IAM resources. Please ensure you have the permission `iam:GetAccountAuthorizationDetails`. This permission was first added on 19 January 2022 as part of v1.35 of the AWS custom policy. The latest version of the AWS custom policy is v.1.40. If you are missing the permission, you may lose IAM checks.

AWS Scanner DLQ Function Fix for February-March 2023 Deployments

Fri, 31 Mar 2023 00:00:00 GMT

March 31, 2023, File Storage Security—Fixed the issue that caused the AWS Scanner DLQ function to fail. This issue only impacts scanner stacks deployed from February 22, 2023 to March 31, 2023. It requires a manually-updated Lambda code to fix. For instructions on manually updating the Lambda code, see Update AWS components

Improved Logo Upload and Organisation Details Management for Cloud One Users

Wed, 05 Apr 2023 00:00:00 GMT

April 05, 2023, Conformity—Bug Fixes and Enhancements

Fixed a bug that prevented users from uploading their organisation logo.
Removed Organisation Details from the Administration screen for Cloud One Users, as these details are managed at the Cloud One level.

Conformity introduces Custom Policy Update with new permission for AWS users

Tue, 11 Apr 2023 00:00:00 GMT

April 11, 2023, Conformity—The following update is now available with Conformity's latest release on 11 April 2023.

Custom Policy Update

The Conformity AWS custom policy has been updated. The new custom policy version is 1.41 and the permission added is:

`rds:DescribeDBParameterGroups`

Click here to access the new custom policy.

Trend Cloud One integrates with AWS Security Hub for simplified findings publication

Tue, 11 Apr 2023 00:00:00 GMT

April 11, 2023, Integrations—Trend Cloud One is now available as an AWS Security Hub partner product integration.

You can now more easily allow Trend Cloud One to publish findings to your specified AWS Security Hub by accepting findings inside the AWS console.

For more information and instructions, click here.

Enhanced Compliance Standards and New Rule for AWS Lambda Authentication

Thu, 13 Apr 2023 00:00:00 GMT

April 13, 2023, Conformity—The following compliance standards now support GCP and have been updated for AWS and Azure:

NIST Cyber Security Framework v1.1
Update System and Organization Controls 2 (SOC 2)

New Rule

AWS

Lambda-010: Enable IAM Authentication for Lambda Function URLs: This rule ensures that your function URLs are secured with IAM authentication (AWS_IAM) allowing only authenticated IAM users and roles to invoke your Amazon Lambda functions via function URLs.

Minimum TLS 1.2 Requirement for Azure Functions and Service Buses in Azure Stacks

Thu, 13 Apr 2023 00:00:00 GMT

April 13, 2023, File Storage Security—TLS 1.2 is now the minimum version required for Azure functions and Azure service buses deployed in the Azure stacks.

This requires a stack update.

New AWS Lambda Rule: Function URL Security Check and Resource ID Exceptions

Fri, 14 Apr 2023 00:00:00 GMT

April 14, 2023, Conformity—New Rule

AWS

Lambda-011: Lambda Function URL Not in Use: Check whether your Amazon Lambda functions are configured with function URLs for HTTP(S) endpoints. A function URL creates a direct HTTP(S) endpoint to your function and this may pose a security risk depending on the security configuration and intention of the function.

You can now configure a rule's setting to allow exceptions based on Resource IDs up to 256 characters.

Enhanced AWS Bucket Listener Lambda Generates Regional Presigned URLs

Fri, 14 Apr 2023 00:00:00 GMT

April 14, 2023, File Storage Security—The AWS Bucket Listener Lambda function now generates presigned URLs by regional S3 endpoint to prevent a URL temporary redirect when scanning a newly created scanning bucket. For more information, see Why am I getting an HTTP 307 Temporary Redirect response from Amazon S3?

Bug Fix for Template Scanner bypassing Account settings for KMS Cross Account Access

Wed, 19 Apr 2023 00:00:00 GMT

April 19, 2023, Conformity—Bug Fix

KMS-006: KMS Cross Account Access: Fixed a bug where the Template Scanner bypassed the Account settings - Include as friendly AWS accounts > All within this AWS Organization and All within this Conformity organization.

Bug fix for Conformity Template Scanner handling default behaviors of parameter

Wed, 19 Apr 2023 00:00:00 GMT

April 19, 2023, Conformity—Bug Fix

Fixed a bug to ensure that the Conformity Template Scanner can handle default behaviours of the parameter `SqsManagedSseEnabled` for the following rules:

SQS-004: Queue Unprocessed Messages

SQS-005: SQS Encrypted With KMS Customer Master Keys

Conformity deprecates multiple AWS and Azure rules for enhanced compliance

Thu, 20 Apr 2023 00:00:00 GMT

April 20, 2023, Conformity—Rule Deprecation Notice

As of 20 April 2023, Conformity has deprecated the following rules:

AWS

Azure

You can find summaries of the reasons we deprecated each rule via the knowledge base articles linked above.

Click here to learn more about rule deprecation.

File Storage Security expands AWS region support to Milan and Bahrain

Thu, 20 Apr 2023 00:00:00 GMT

April 20, 2023, File Storage Security—File Storage Security now supports Milan (eu-south-1) and Bahrain (me-south-1) regions on AWS. For more information, see What's supported in AWS.

Fixed bug causing users to be logged out of Conformity console while working

Fri, 21 Apr 2023 00:00:00 GMT

April 21, 2023, Conformity—Bug Fixes

Fixed a bug where users were being logged out of the Cloud One console while actively working in Conformity.

File Storage Security now supports Cloud Functions and GCP stack updates

Tue, 25 Apr 2023 00:00:00 GMT

April 25, 2023, File Storage Security—Fixed the issue that caused File Storage Security to fail to update Cloud Functions, scanner license, and patterns in GCP stacks. If you are deploying File Storage Security via GCP (Deployment Manager), run the following commands in the Cloud Shell of the GCP console:

```
gcloud iam roles update trend-micro-fss-service-account-management-role --project= --add-permissions=iam.serviceAccounts.actAs
```
```
gcloud iam service-accounts add-iam-policy-binding @.iam.gserviceaccount.com --member="serviceAccount:@.iam.gserviceaccount.com" --role="projects/
PROJECT_ID>/roles/trend_micro_fss_service_account_management_role"
```
```
gcloud iam service-accounts add-iam-policy-binding @.iam.gserviceaccount.com --member="serviceAccount:@.iam.gserviceaccount.com" --role="projects//roles/trend_micro_fss_service_account_management_role"
```

If you are deploying File Storage Security via GCP (Terraform), this requires a stack update.

Enhanced Security with Azure VNet Integration

Thu, 27 Apr 2023 00:00:00 GMT

April 27, 2023, File Storage Security—Azure VNet integration is now available for enhanced security and network isolation, see Deploy in Azure VNet.

Bug Fix for Exception Support in Rules RDS-023 and RDS-040

Fri, 28 Apr 2023 00:00:00 GMT

April 28, 2023, Conformity—Bug Fix

Fixed a bug to support exceptions via tags while generating checks for the following Rules:

RDS-023: Amazon RDS Public Snapshots

RDS-040: Enable RDS Snapshot Encryption

Event Filtering now available in preview release

Mon, 01 May 2023 00:00:00 GMT

May 01, 2023, Integrations—Event Filtering Preview Release: You can now configure Event Filters when creating a new integration or updating an existing integration in Trend Cloud One using the API endpoints.

Proxy Auto-Configuration (PAC) support added to Trend Cloud One - Endpoint & Workload Security

Mon, 01 May 2023 00:00:00 GMT

May 01, 2023, Workload Security—Trend Cloud One - Endpoint & Workload Security now supports adding Proxy Auto-Configuration (PAC) for the proxy server. This requires Deep Security Agent 20.0.0.6860 or later.

For information on how to add a PAC proxy, see the "Connect to Workload Security and Relays via Proxy Auto_Configuration (PAC) proxy" section in Configure proxies.

This is supported on Windows and macOS.

Updated rule logic for Storage Account access permissions

Tue, 02 May 2023 00:00:00 GMT

May 02, 2023, Conformity—Bug Fix

StorageAccounts-008: Enable Trusted Microsoft Services for Storage Account Access: Updated the rule logic to ensure accurate checks.

New LTS update for Deep Security Agent on Red Hat Enterprise Linux Workstation 7

Tue, 02 May 2023 00:00:00 GMT

May 02, 2023, Workload Security—Deep Security Agent 20.0.0-6912 (20 LTS Update 2023-05-02) is available for Red Hat Enterprise Linux Workstation 7.

Deep Security Agent 20.0.0-6912 now supports AlmaLinux 9

Tue, 02 May 2023 00:00:00 GMT

May 02, 2023, Workload Security—Deep Security Agent 20.0.0-6912 (20 LTS Update 2023-05-02) is available for AlmaLinux 9.

New API Endpoints for Custom Access Control Roles Introduced

Thu, 04 May 2023 00:00:00 GMT

May 04, 2023, Conformity—Introducing New API Endpoints for Access Control (Conformity Custom Roles:)

Create a role: `POST /access-control/roles/`
Update a role: `PATCH /access-control/roles/{roleId}`
List all roles: `GET /access-control/roles`
Describe a role: `PATCH /access-control/roles/{roleId}`

RBAC Enabled for Kubernetes Cluster with Fixed Bug AKS-001

Thu, 04 May 2023 00:00:00 GMT

May 04, 2023, Conformity—Bug Fix

AKS-001: Enable Kubernetes Role-Based Access Control: Fixed a bug where the rule generated failure checks for a cluster with RBAC enabled.

GCP Bucket listener now supports objectFilterPrefix for enhanced file storage security

Thu, 04 May 2023 00:00:00 GMT

May 04, 2023, File Storage Security—The GCP Bucket listener now support `objectFilterPrefix`. For more information, see Add GCP stack.

This requires a stack update.

Enhanced Azure Advisor Recommendations Integration for Improved Functionality

Mon, 08 May 2023 00:00:00 GMT

May 08, 2023, Conformity—Rule Update

Advisor-001: Check for Azure Advisor Recommendations: Updated the scanning and display of Azure Advisor Findings to accurately reflect the latest functionality in the Azure Advisor service.

Improved CSV Report Tag Handling with New TagObjects Column

Mon, 08 May 2023 00:00:00 GMT

May 08, 2023, Conformity—Bug Fix

Fixed a bug where the `Tags` column in the CSV report replaced `::` with `=`. In addition, we have introduced a new column i.e. `TagObjects` to avoid any ambiguity of Key Value pairs in the `Tags` column.

Enhanced Access Control API validation for Cloud One Admin users

Tue, 09 May 2023 00:00:00 GMT

May 09, 2023, Conformity—We've improved the access validation for following Access Control Public APIs to be called by Cloud One Admin users only:

Real-Time Threat Monitoring now available for Google Cloud Platform (GCP)

Tue, 09 May 2023 00:00:00 GMT

May 09, 2023, Conformity—RTM for Google Cloud Platform (GCP)

You can now set up Real-Time Threat Monitoring and monitor events on your Google Cloud Platform (GCP) accounts in Trend Cloud One - Conformity. For details, see Real-time Monitoring Settings.

Enhanced Azure Scanner Performance and Fixed Timeout Issue

Tue, 09 May 2023 00:00:00 GMT

May 09, 2023, File Storage Security—Fixed the timeout issue when the Azure scanner function scaled out instances during a large scan and enhanced the performance of the Azure scanner.

Improved Template Scanner now remediates resources for specific naming conventions and tags

Wed, 10 May 2023 00:00:00 GMT

May 10, 2023, Conformity—Bug Fix

Updated the Template Scanner where several resources were not being remediated for the following rules:

RG-001: Tags
EBS-006: EBS Volume Naming Conventions
EC2-035: EC2 Instance Naming Conventions
EC2-036: Security Group Naming Conventions

New API Endpoint for Deleting Custom Roles in Access Control

Wed, 10 May 2023 00:00:00 GMT

May 10, 2023, Conformity—Introducing A new API Endpoint for Access Control (Conformity Custom Roles:)

Delete a role: `DELETE /access-control/roles/{roleId}`

Updated SecurityCenter rule for Microsoft Defender for Cloud recommendations

Wed, 10 May 2023 00:00:00 GMT

May 10, 2023, Conformity—Rule Update

SecurityCenter-020 : Microsoft Defender for Cloud Recommendations:

Updated the rule logic to reflect the latest Assessments in Microsoft Defender for Cloud.

Bug fixes for accurate GCP Cloud Logging rule checks added

Wed, 10 May 2023 00:00:00 GMT

May 10, 2023, Conformity—Bug Fixes

Fixed a bug to produce accurate checks for the following GCP Cloud Logging rules:

CloudLogging-001: Enable Monitoring for Bucket Permission Changes
CloudLogging-002: Enable VPC Network Route Changes Monitoring
CloudLogging-003: Enable VPC Network Changes Monitoring
CloudLogging-004: Enable Monitoring for Custom Role Changes
CloudLogging-007: Enable Monitoring for Audit Configuration Changes

Updated Rule to Monitor Public Access to Azure Diagnostic Logs

Fri, 12 May 2023 00:00:00 GMT

May 12, 2023, Conformity—Rule Update

Monitor-005 : Check for Publicly Accessible Activity Log Storage Container:

Updated the rule to support Azure diagnostic settings. Diagnostic settings are the preferred way to capture Azure Monitor logs and it's recommended to ensure the target storage container for diagnostic settings logs is not publicly accessible.

Scanner Stack Scaling Issue Resolved for Private Network Deployments

Fri, 12 May 2023 00:00:00 GMT

May 12, 2023, File Storage Security—Fixed an issue where the Scanner Stack function application could not be scaled out when deploying your Azure stacks into a private network using VNet integration.

This requires a stack update.

SNI Support for TLS Inspection with Up to 30 Certificates

Fri, 12 May 2023 00:00:00 GMT

May 12, 2023, Network Security—SNI support for TLS: You can now use SNI to support up to 30 certificates for TLS inspection in AWS. Enable using the API. Appliance version number of 2023.4.0.12159 or higher is required. Learn more.

Fixed bug enabling/disabling AWS GovCloud in Conformity Bot settings

Mon, 15 May 2023 00:00:00 GMT

May 15, 2023, Conformity—Bug Fix

Fixed a bug where AWS GovCloud could not be enabled or disabled in the Conformity Bot settings.

Bug Fix: Improved Accuracy in AWS IAM Access Key Rotation Checks

Thu, 18 May 2023 00:00:00 GMT

May 18, 2023, Conformity—Bug Fix

Fixed a bug to produce accurate checks for the following AWS IAM rules:

IAM-001: Access Keys Rotated 30 Days
IAM-002: Access Keys Rotated 45 Days
IAM-038: Access Keys Rotated 90 Days

Enhanced scan customization options for directories, files, and extensions

Thu, 18 May 2023 00:00:00 GMT

May 18, 2023, Workload Security—Trend Cloud One - Endpoint & Workload Security enables adding multiple scan directory lists, scan file lists, and scan file extension lists (Computer or Policy > Details > Anti-Malware > Inclusions or Policy > Details > Anti-Malware > Exclusions).

Azure scanners now successfully scan files after license verification fix

Fri, 19 May 2023 00:00:00 GMT

May 19, 2023, File Storage Security—Fixed an issue where some Azure scanners could not scan files and sent scan results containing "failed to verify license" in the error message.

Osaka region now supports S3 object lambda for file scanning

Fri, 19 May 2023 00:00:00 GMT

May 19, 2023, File Storage Security—Osaka region now supports S3 object lambda to scan files. For more information, see Scan existing files in the S3 bucket to scan.

Rule EC2-033 now supports allowlist for unconfigurable Security Groups

Mon, 22 May 2023 00:00:00 GMT

May 22, 2023, Conformity—Rule Update

EC2-033 : Unrestricted Outbound Access:

Updated the rule to support an allowlist for the unconfigurable Security Groups.

ServiceNow Integration now allows setup without delete permissions

Tue, 23 May 2023 00:00:00 GMT

Servicenow Integration Update: We've updated the settings to allow users to set up a ServiceNow integration without delete permissions.

Open Source Vulnerability Scans Integrated with Trend Micro Artifact Scanner (TMAS) CLI

Tue, 23 May 2023 00:00:00 GMT

May 23, 2023, Container Security—Open source vulnerability scans can now be performed using Trend Micro's managed Trend Micro Artifact Scanner (TMAS) CLI. The TMAS CLI can be easily integrated into your continuous integration (CI) or continuous delivery (CD) pipelines. This managed service allows you to scan your container images for open source vulnerabilities before their deployment. The scan results are automatically integrated into Container Security, allowing you to define admission control policies that enforce requirements based on the vulnerabilities found in your images.

Bug fix for accurate AWS IAM rule checks for Credentials Last Used

Mon, 29 May 2023 00:00:00 GMT

May 29, 2023, Conformity—Bug Fix

Fixed a bug to produce accurate checks for the following AWS IAM rules:

IAM-003: Credentials Last Used

Enhanced AWS Resource and Rule Support in Template Scanner Github App

Mon, 29 May 2023 00:00:00 GMT

May 29, 2023, Conformity—Trend Cloud One™ - Template Scanner Github app

* Cloudformation Templates *

We have increased support to 35 AWS resource types scanned (previously 8 supported), and increased rules coverage to over 250 rules ( previously 45 were supported).

* Terraform *

We have increased rules coverage to over 85 rules ( previously 45 were supported).

For more information, please refer to the documentation.

Bug fix for S3 Object Lock template scanner returning incorrect checks

Mon, 05 Jun 2023 00:00:00 GMT

June 05, 2023, Conformity—Bug Fix

S3-023: S3 Object Lock: Fixed a bug to return no checks by Template Scanner when both the `Days` and the `Years` are set to `ObjectLockConfiguration`.

New Feature: Disable Specific Regions in Rule Configuration Settings

Tue, 06 Jun 2023 00:00:00 GMT

June 06, 2023, Conformity—Rule Update

You can now disable specific regions from the Rule configuration settings and exclude them from generating checks for the following AWS rules:

Config-001: AWS Config Enabled
CT-001: CloudTrail Enabled
GD-001: GuardDuty Enabled

HIPAA compliance standard updated to latest version and added support for GCP rules

Tue, 06 Jun 2023 00:00:00 GMT

June 06, 2023, Conformity—We've added the HIPAA compliance standard to support GCP rules and also updated the standard to the latest version i.e. HIPAA Feb-2023 for AWS and Azure rules.

Conformity Billing Incident Leads to Reduced Usage Charges for Customers

Wed, 07 Jun 2023 00:00:00 GMT

June 07, 2023, Conformity—Incident Update: Trend Cloud One Conformity Recorded Reduced Usage for Customers with Metered Consumption Billing

An incident affecting Conformity consumption billing reduced the expected billing charges for some accounts with S3, IAM, EC2, and Azure Monitor resources.

This led to incorrectly excluding resource counts during the incident. As a result, account consumption tiers may have been temporarily changed to a lower tier.

Affected Regions

All

Impact

Intermittent reduction in usage charges between 21 August 2021 to 7 June 2023 for some customers using consumption billing.

Resolution

We’re working on deploying a fix for the bug that caused the drop in usage. As a result, you may see an increase in your Conformity consumption and, consequently, your charges once we deploy the bug fix. Watch out for the bug fix update on our What’s New page.

New GCP rule ensures SSL certificates are renewed within validity period

Wed, 07 Jun 2023 00:00:00 GMT

June 07, 2023, Conformity—New Rule

GCP

CertificateManager-001: SSL certificates validity period: This rule ensures that the SSL certificates are renewed within the appropriate validity period.

Efficient Cloud Account Scanning for Conformity Bot Introduced

Thu, 08 Jun 2023 00:00:00 GMT

June 08, 2023, Conformity—Introduced a system improvement to increase the efficiency of scanning cloud accounts with large numbers of resources.

Please note: some accounts with large number of resources may experience a brief disruption in scheduled Conformity Bot scans while the change is being rolled out. The system will recover and return to normal within 2 hours.

Bug Fix: Increased Conformity consumption billing for certain resources

Thu, 08 Jun 2023 00:00:00 GMT

June 08, 2023, Conformity—Bug Fix

Reduced Consumption Billing: Fixed a bug where Conformity consumption billing reduced the expected billing charges for some accounts with S3, IAM, EC2, and Azure Monitor resources. As a result of the bug fix, you may see an increase in your Conformity consumption and, consequently, your billing charges.

Updated rule logic to restrict default network access for Azure Cosmos DB Accounts

Thu, 08 Jun 2023 00:00:00 GMT

June 08, 2023, Conformity—Bug Fix

CosmosDB-003: Restrict Default Network Access for Azure Cosmos DB Accounts: Updated the rule logic to incorporate public network setting to avoid false negatives.

Bug Fix for Template Scanner for CMK Encrypted RDS

Tue, 13 Jun 2023 00:00:00 GMT

June 13, 2023, Conformity—Bug Fix

RDS-005: RDS Encrypted With KMS Customer Master Keys: Fixed a bug with Template Scanner to return correct scan results for CMK encrypted RDS.

Trend Vision One integration moved to Trend Cloud One console

Thu, 15 Jun 2023 00:00:00 GMT

June 15, 2023, Workload Security—The integration of Trend Cloud One - Endpoint & Workload Security with Trend Vision One has been deprecated. In the past, users integrated Trend Vision One with Trend Cloud One - Endpoint & Workload Security (C1WS > Administration > Vision One (XDR)). Now, to check the Trend Vision One integration status, users must use the Trend Cloud One console (Integrations > Vision One).

New GCP rule requires defining index page suffix and error page for bucket websites

Mon, 19 Jun 2023 00:00:00 GMT

June 19, 2023, Conformity—New Rule

GCP

CloudStorage-005: Define index page suffix and error page for the bucket website configuration: This rule ensures that the bucket website configuration includes a main page suffix and an error page.

Configure load balancers for Managed Instance Groups in GCP

Wed, 21 Jun 2023 00:00:00 GMT

June 21, 2023, Conformity—New Rule

GCP

ComputeEngine-013: Configure load balancers for Managed Instance Groups: This rule ensures that Managed Instance Groups (MIGs) are associated with load balancers.

Bug Fix for S3 Bucket DNS Compliance Check Accuracy

Thu, 22 Jun 2023 00:00:00 GMT

June 22, 2023, Conformity—Bug Fix

S3-018: DNS Compliant S3 Bucket Names: Fixed a bug to return correct check results when the S3 bucket resource sets the DNS compliant bucket name.

Deep Security Agent now supports Amazon Linux 2023 on AWS ARM-based Graviton 2

Wed, 28 Jun 2023 00:00:00 GMT

June 28, 2023, Workload Security—Deep Security Agent 20.0.0-7303 (20 LTS Update 2023-06-28) supports Amazon Linux 2023 (AWS ARM-based Graviton 2). This requires Deep Security Manager 20.0.789 or later.

Conformity Bot now accurately scans RDS Snapshots

Mon, 03 Jul 2023 00:00:00 GMT

July 03, 2023, Conformity—Bug Fix

Fixed a bug that limited Conformity Bot from scanning the RDS Snapshots accurately.

Conformity User Interface transitioning to Dark Mode on 12 July 2023

Tue, 04 Jul 2023 00:00:00 GMT

July 04, 2023, Conformity—We’re moving the Conformity User Interface to Dark Mode on 12 July 2023 to align with Trend’s brand identity and be consistent with the user experience and messaging across all assets and standards.

Bug Fix for Weekly Summary Emails in `us-west-2` Region

Tue, 04 Jul 2023 00:00:00 GMT

July 04, 2023, Conformity—Bug Fix

Fixed a bug where some users belonging to Organisations in the region `us-west-2` were not receiving their weekly summary emails.

Bug Fix: Active users without email no longer appear in recipient list

Wed, 05 Jul 2023 00:00:00 GMT

July 05, 2023, Conformity—Bug Fix

Fixed a bug where active users without an email were showing up on the email recipient list when sending a failed rule resolution email or when setting up an email communication channel.

Conformity Bot bug fix ensures STS enabled in all AWS regions

Thu, 06 Jul 2023 00:00:00 GMT

July 06, 2023, Conformity—Bug Fix

Fixed a bug with the Conformity Bot's scanning where STS was disabled in at least one AWS region.

AWS account scanner stacks for enhanced S3 bucket protection

Mon, 10 Jul 2023 00:00:00 GMT

July 10, 2023, File Storage Security—File Storage Security now provides AWS account scanner stacks which are capable to protect all AWS S3 buckets in your AWS account.

For details, see Deploy account scanner stacks.

Enhanced scanner reports password-protected PDF files

Mon, 10 Jul 2023 00:00:00 GMT

July 10, 2023, File Storage Security—The scanner is now able to report if a PDF file is password-protected.

Updated Security Policy Rules with Configurability and Latest TLS Versions

Wed, 12 Jul 2023 00:00:00 GMT

July 12, 2023, Conformity—Rule Update

Updated the following security policy rules to be configurable, and updated to the latest TLS versions:

ELBv2-003: ELBv2 ALB Security Policy
ELBv2-009: Network Load Balancer Security Policy
CF-006: CloudFront Security Policy
ELB-004: ELB Security Policy
ELB-015: Web-Tier ELB Security Policy
ELB-016: App-Tier ELB Security Policy

Conformity UI transitions to Dark Mode for improved consistency and branding

Wed, 12 Jul 2023 00:00:00 GMT

July 12, 2023, Conformity—Trend Cloud One Conformity - Dark Mode Released

We’ve moved the Conformity User Interface to Dark Mode to align with Trend’s brand identity and be consistent with the user experience and messaging across all assets and standards.

Azure StorageAccounts-023 Rule: Private Endpoint Enforcement for Microsoft Azure Storage Accounts

Fri, 14 Jul 2023 00:00:00 GMT

July 14, 2023, Conformity—New Rule

Azure

StorageAccounts-023: Private Endpoint in Use: This rule ensures that private endpoints are used to access Microsoft Azure Storage accounts.

New Azure rule enforces no custom subscription administrator roles

Wed, 19 Jul 2023 00:00:00 GMT

July 19, 2023, Conformity—New Rule

Azure

AccessControl-003: Subscription Administrator Custom Role: This rule ensures that there are no custom subscription administrator roles within your Microsoft Azure cloud account.

Historical Reports Download Bug Fixed, Restoration Efforts Made

Thu, 20 Jul 2023 00:00:00 GMT

July 20, 2023, Conformity—Bug Fix

Fixed a bug where some customers could not download their organization's historical reports. We've made every effort to restore the maximum number of historical reports, but could not recover all.

Bug Fix: AWS Conformity Bot now supports disabled AWS Gov Cloud regions

Mon, 24 Jul 2023 00:00:00 GMT

July 24, 2023, Conformity—Bug Fix

Fixed a bug that prevented users from updating the AWS Conformity Bot settings with disabled AWS Gov Cloud regions.

Updated CloudFront Security Policy for CF-006 Rule Compliance

Tue, 25 Jul 2023 00:00:00 GMT

July 25, 2023, Conformity—Rule Update

CF-006: CloudFront Security Policy

Updated the rule to be compliant with the latest security policy.

Manual Scan Trigger via Right-Click for Deep Security Agent

Tue, 25 Jul 2023 00:00:00 GMT

July 25, 2023, Workload Security—Deep Security Agent now allows users to trigger a manual scan by right-clicking on a file or folder and selecting Scan with Deep Security Agent.

Enhanced AWS CloudFront scanning for improved security checks

Wed, 26 Jul 2023 00:00:00 GMT

July 26, 2023, Conformity—Rule Update

Fixed an issue with the way we scan AWS CloudFront resources to provide a more accurate and complete set of checks.

CF-001: CloudFront In Use
CF-002: CloudFront Insecure Origin SSL Protocols
CF-003: CloudFront Traffic To Origin Unencrypted
CF-004: CloudFront Integrated With WAF
CF-005: CloudFront Logging Enabled
CF-006: CloudFront Security Policy
CF-007: CloudFront Viewer Protocol Policy
CF-008: CloudFront Geo Restriction
CF-009: CloudFront Compress Objects Automatically
CF-011: FieldLevel Encryption
CF-012: Use CloudFront Content Distribution Network

New Azure Rules Enhance Security and Compliance Measures

Wed, 26 Jul 2023 00:00:00 GMT

July 26, 2023, Conformity—New Rules

Azure

Monitor-011: Configure Application Insights: This rule ensures that an Application Insights resource is created within your Azure cloud account.

PostgreSQL-014: Disable "Allow access to Azure services" for PostgreSQL database servers: This rule ensures that any access from Azure services to Azure PostgreSQL database servers is disabled.

Network-026: Bastion Host in Use: This rule ensures that Azure Bastion service is used within your Microsoft Azure cloud account.

Subscriptions-004: Basic/Consumption SKU Should not be Used in Production: This rule ensures that the Basic/Consumption SKU is not used for Azure cloud resources that need to be monitored, for example, production workloads.

New Azure encryption rule & compliance updates for NIST, APRA, and CIS Controls

Thu, 27 Jul 2023 00:00:00 GMT

July 27, 2023, Conformity—New Rule

Azure

StorageAccounts-024: Enable Infrastructure Encryption: This rule ensures that infrastructure encryption is enabled for Microsoft Azure Storage accounts.

Rules' Mapping Update for Compliance Standards

We've updated the Rule mappings to be compliant with the NIST 800-53 Rev.5, APRA CPS 234 and CIS Controls Version 8 Compliance and Standard Reports.

Scanner Lambda function vulnerability in dependent modules fixed

Fri, 28 Jul 2023 00:00:00 GMT

July 28, 2023, File Storage Security—Fixed the issue where the scanner Lambda function was vulnerable in the dependent modules.

Enhanced Azure Network Watcher rule with region customization and failure notification

Mon, 31 Jul 2023 00:00:00 GMT

July 31, 2023, Conformity—Rule Update

Network-003: Enable Azure Network Watcher: You can now Add or Remove Azure regions from the rule Settings in addition to a default list of regions we've included in the rule. We've also updated the rule to return a failure if the Network Watcher service isn't enabled for all the configured Azure regions.

Custom Compliance Standards now accessible via Conformity API endpoints

Thu, 03 Aug 2023 00:00:00 GMT

August 03, 2023, Conformity—Custom Compliance Standards

We’re excited to share that you can now preview Custom Compliance Standards through the Conformity API endpoints. For details, see our help documentation.

Updated CFM-006 rule now generates failure check for overly permissive IAM role policies

Fri, 04 Aug 2023 00:00:00 GMT

August 04, 2023, Conformity—Rule Update

CFM-006: CloudFormation Stack With IAM Role: Updated the rule to generate a failure check if the policy allows for all actions with all the resources.

Trend Micro Artifact Scanner CLI now supports scanning multiple-architecture container images

Wed, 09 Aug 2023 00:00:00 GMT

August 09, 2023, Container Security—Trend Micro Artifact Scanner (TMAS) CLI now supports scanning container images with multiple architectures and platforms.

The new platform flag lets you specify which platform/architecture to use when scanning multiple-architecture container images. It also allows you to scan images from the docker or podman daemons with different architectures than the host that is running TMAS. For example, if you are on an M1 powered Mac, you can now easily scan x86_64 specific images.

Updated rule for identifying KMS keys in S3 buckets with customer-provided CMKs

Thu, 10 Aug 2023 00:00:00 GMT

August 10, 2023, Conformity—Bug Fixes

S3-025: S3 Buckets Encrypted with Customer-Provided CMKs: Updated the rule to identify KMS keys properly.

Enhanced Azure Stack Storage Security Configurations Applied

Fri, 11 Aug 2023 00:00:00 GMT

August 11, 2023, File Storage Security—The following Azure security configurations are now used for the storage accounts deployed in the Azure stacks:

The `allowBlobPublicAccess` property is set to `false`.
The `supportsHttpsTrafficOnly` property is set to `true`.

This requires a stack update.

Vulnerability in GCP scanner cloud function modules fixed

Fri, 11 Aug 2023 00:00:00 GMT

August 11, 2023, File Storage Security—Fixed the issue where the GCP scanner cloud function was vulnerable in the dependent modules.

AWS Account Scanner now supports encrypted DLQs for enhanced security

Sun, 13 Aug 2023 00:00:00 GMT

August 13, 2023, File Storage Security—Fixed AWS Account Scanner's PostScanActionLambda Lambda function where it was unable to send message to an encrypted DLQ due to lacking permission to access KMS key responsible for DLQ encryption.

This requires a stack update.

Standalone Conformity SSO Certificate Expiry Reminder

Mon, 14 Aug 2023 00:00:00 GMT

August 14, 2023, Conformity—IMPORTANT: Standalone Conformity SSO Certificate Expiry

The current Conformity SSO certificate will expire on Thursday 17 August 2023 at 09:41:05 UTC. Follow the instructions on this help page for actions that you may need to take to switch to the new certificate.

Trend Micro support will be reaching out to customers affected.

Customers using Cloud One SSO are unaffected.

New GCP Rule for Configuring "log_min_messages" Flag on PostgreSQL Instances

Tue, 15 Aug 2023 00:00:00 GMT

August 15, 2023, Conformity—New Rules

GCP

CloudSQL-030: Configure "log_min_messages" Flag for PostgreSQL Instances: This rule ensures that PostgreSQL database instances have the appropriate configuration set for the "log_min_messages" flag.

Rule CloudSQL-001 Updated to Align with CIS GCP v2.0 Control 6

Tue, 15 Aug 2023 00:00:00 GMT

August 15, 2023, Conformity—Rule Update

CloudSQL-001: Check for Cloud SQL Database Instances with Public IPs: Update the rule to align more closely with CIS GCP v2.0 Control 6.2.9.

Azure scanner vulnerability in dependent modules now fixed

Tue, 15 Aug 2023 00:00:00 GMT

August 15, 2023, File Storage Security—Fixed the issue where the Azure scanner function was vulnerable in the dependent modules.

New rule to manage API keys for active services in Google Cloud projects

Wed, 16 Aug 2023 00:00:00 GMT

August 16, 2023, Conformity—New Rules

GCP

CloudAPI-005: API Keys Should Only Exist for Active Services (Not Scored): This rule ensures that there are no API keys in use within your Google Cloud projects.

New PostgreSQL configuration rule for CloudSQL instances

Mon, 21 Aug 2023 00:00:00 GMT

August 21, 2023, Conformity—New Rule

GCP

CloudSQL-031: Configure "log_error_verbosity" Flag for PostgreSQL Instances: This rule ensures that PostgreSQL database instances have the appropriate configuration set for the "log_error_verbosity" flag.

Updated rule logic for EBS encryption with KMS Customer Master Keys

Tue, 22 Aug 2023 00:00:00 GMT

August 22, 2023, Conformity—Bug Fix

EBS-002: EBS Encrypted With KMS Customer Master Keys: Updated the rule logic to validate the EBS volumes correctly.

Improved AWS stack security with role policy update requirement

Wed, 23 Aug 2023 00:00:00 GMT

August 23, 2023, File Storage Security—Fixed the issue of cross-service confused deputy problem in the AWS stacks. To update the existing stacks, the `iam:UpdateAssumeRolePolicy` permission is required.

This requires a stack update.

Improved performance for uploading large number of files to Azure Storage

Fri, 25 Aug 2023 00:00:00 GMT

August 25, 2023, File Storage Security—Fixed the performance issue when large number of files were uploaded to the Azure storage account.

This requires a stack update.

Custom Rule Updates for Enhanced Customization Experience

Mon, 28 Aug 2023 00:00:00 GMT

August 28, 2023, Conformity—Custom Rule Updates

When creating a new custom rule, there is now an option to specify rule slug that will yield a custom rule id combined from the `CUSTOM` prefix and the slug provided. The slug field needs to be unique across organization, up to 200 characters long and comprised of only alphanumeric characters and - and _ without spaces.

GCP Conformity Bot no longer scans shutdown projects

Tue, 29 Aug 2023 00:00:00 GMT

August 29, 2023, Conformity—We've updated the GCP Conformity Bot; it won't scan a shutdown GCP project now.

Improved scanning for GCP Resource Manager service to reduce API throttling

Tue, 29 Aug 2023 00:00:00 GMT

August 29, 2023, Conformity—Bug Fix

Updated the way we scan GCP Resource Manager service to reduce API throttling with the following rules:

ResourceManager-001: Disable User-Managed Key Creation for Service Accounts
ResourceManager-002: Disable Automatic IAM Role Grants for Default Service Accounts
ResourceManager-003: Enforce Uniform Bucket-Level Access

Deep Security Agent now supports Miracle Linux 8 in FIPS mode

Tue, 29 Aug 2023 00:00:00 GMT

August 29, 2023, Workload Security—Deep Security Agent version 20.0.0-7719 and later supports Miracle Linux 8, including FIPS mode. This requires Deep Security Manager version 20.0.817 or later.

Conformity Report renamed to Cloud Posture Report; Lambda Runtime Environment Version Rule Update

Fri, 01 Sep 2023 00:00:00 GMT

We've renamed The 'Conformity Report' to the 'Cloud Posture Report' to align with Trend's brand messaging.

September 01, 2023, Conformity—Rule Update

Lambda-001: Lambda Runtime Environment Version: Updated the rule with a default 'Latest runtime version' list configurable from the Rule Settings, to ensure the use the latest version of the execution environment configured for your Amazon Lambda functions.

Enhanced Container Security FAQs and TMAS Upgrade Guidelines for Improved User Experience

Fri, 01 Sep 2023 00:00:00 GMT

September 01, 2023, Container Security—Revised the FAQ section titled "If I Restrict Outbound Traffic, What URLs Do I Need to Allow for Internet Communication?" to incorporate additional URLs for all C1 regions, which is responsible for enabling the download of vulnerability reports for TMAS directly from S3.

Updated the TMAS documentation by adding additional guidelines on how to upgrade TMAS to the most recent version.

New Rule for Examining and Resolving Microsoft Defender for Cloud Security Alerts in Azure

Tue, 05 Sep 2023 00:00:00 GMT

September 05, 2023, Conformity—New Rule

Azure

SecurityCenter-041: Microsoft Defender for Cloud Security Alerts: This rule ensures that Microsoft Defender for Cloud security alerts are examined and resolved.
Known issue: We have an existing issue with the new rule where alerts that are in progress status will be displayed as active. We'll share an update as soon as this is resolved.

Efficient Scanning for Cloud Accounts with Large Resources Added

Thu, 07 Sep 2023 00:00:00 GMT

September 07, 2023, Conformity—Introduced a system improvement to increase the efficiency of scanning cloud accounts with large numbers of resources.

AI Assistant now available for Knowledge Base and Help pages

Fri, 08 Sep 2023 00:00:00 GMT

September 08, 2023, Conformity—You can now use our new AI Assistant for the Knowledge base and Help pages to get the most out of Conformity and help improve your cloud infrastructure.

File Storage Security expands support to new Azure regions

Mon, 11 Sep 2023 00:00:00 GMT

September 11, 2023, File Storage Security—File Storage Security now supports Australia East (australiaeast), Australia Southeast (australiasoutheast) and Japan West (japanwest) regions on Azure. For more information, see What's supported in Azure.

Rule Update for ComputeEngine-003: Improved identification of Interactive Serial Console Support status

Tue, 12 Sep 2023 00:00:00 GMT

September 12, 2023, Conformity—Rule Update

GCP

ComputeEngine-003: Disable Interactive Serial Console Support: Update the rule to identify "Enable connecting to serial ports" configuration setting status properly.

Integrate Conformity with Trend Vision One for enhanced risk insights

Wed, 13 Sep 2023 00:00:00 GMT

September 13, 2023, Conformity—Integrate Trend Cloud One - Conformity with Trend Vision One

Trend Cloud One - Conformity customers

You can now integrate Conformity with Trend Vision One by signing up for a 30 day fully customizable Trend Vision One trial. Once you sign-up or you've already signed up with Trend Vision One, you can integrate Conformity with Trend Vision One > Risk Insights using an API key.

For step-by step insrtuctions, see the help page: Integrating Trend Vision One Conformity with Trend Vision One.

Haven't Signed up for Conformity

If you haven't signed up for Conformity yet, please follow the Conformity AWS Data Source Setup guide and follow the steps in the help page linked above.

Conformity Standalone (Legacy Customers)

Refer to the Conformity Standalone (Legacy) Customers section in the help page linked above.

Updated rule in Azure SecurityCenter for enabling Microsoft Defender Standard Pricing Tier

Wed, 13 Sep 2023 00:00:00 GMT

September 13, 2023, Conformity—Rule Update

Azure

SecurityCenter-001: Enable Microsoft Defender Standard Pricing Tier: Updated the rule enabling you to configure 'Resource Types' validation from the 'Rule Settings'.

AI Assistants now support 85 languages for enhanced user experience

Wed, 13 Sep 2023 00:00:00 GMT

September 13, 2023, Conformity—Our AI Assistants for the Knowledge base and Help pages can now answer questions in 85 languages including English, Spanish, French, German, Portuguese, Italian, Dutch, Russian, Arabic, and Chinese.

Rule Update for GCP Compute Engine-001: Improved identification of VM instance network interface access configuration

Thu, 14 Sep 2023 00:00:00 GMT

September 14, 2023, Conformity—Rule Update

GCP

ComputeEngine-001: Check for Virtual Machine Instances with Public IP Addresses: Updated the rule to identify the VM instance network interface access configuration status accurately.

Azure SQL Managed Instances now support encryption with Customer-Managed Keys

Mon, 18 Sep 2023 00:00:00 GMT

September 18, 2023, Conformity—New Rule

Azure

SQL-019: Enable Transparent Data Encryption for SQL Managed Instance using Customer-Managed Keys: This rule ensures that Azure SQL managed instances are encrypted at rest using Customer-Managed Keys (CMKs).

AWS scanner retry period reduced to 4 minutes for quicker error resolution

Tue, 19 Sep 2023 00:00:00 GMT

September 19, 2023, File Storage Security—The retry period for the scan error of the AWS scanner is shortened from 12 minutes to 4 minutes.

This requires a stack update.

Object names in GCP scan activities no longer contain bucket names

Wed, 20 Sep 2023 00:00:00 GMT

September 20, 2023, File Storage Security—Fixed the issue where the object names of GCP scan activities contained Google Cloud Storage bucket names.

Enable Transparent Data Encryption for Azure Synapse Analytics Dedicated SQL Pools

Thu, 21 Sep 2023 00:00:00 GMT

September 21, 2023, Conformity—New Rule

Azure

Synapse-001: Enable Transparent Data Encryption for Azure Synapse Analytics Dedicated SQL Pools: This rule ensures that Transparent Data Encryption (TDE) is enabled for dedicated SQL pools in Azure Synapse Analytics.

New AWS Lambda rule to ensure supported runtime environments usage

Fri, 22 Sep 2023 00:00:00 GMT

September 22, 2023, Conformity—Rule Update

AWS

Lambda-001: Lambda Using Latest Runtime Environment: Updated the rule title from 'Lambda Runtime Environment Version' to 'Lambda Using Latest Runtime Environment'.

New Rules

AWS

Lambda-012: Lambda Using Supported Runtime Environment: This rule ensures that you always use a supported environment version for your Amazon Lambda functions in order to avoid end of support timeframes from AWS.

Enhanced AWS Account Scanner template with ExclusiveBucketList parameter

Fri, 22 Sep 2023 00:00:00 GMT

September 22, 2023, File Storage Security—A new parameter `ExclusiveBucketList` has been added to the AWS Account Scanner template. You can now ignore some S3 buckets for scanning, and the quarantine bucket will be skipped as well.

This requires a stack update.

New AWS Rule Update Allows Disabling Specific Regions for Conformity Checks

Tue, 26 Sep 2023 00:00:00 GMT

September 26, 2023, Conformity—Rule Update

AWS

You can now disable specific regions from the Rule configuration settings and exclude them from generating checks for the following AWS rules:

IAM-065: IAM Access Analyzer in Use
EBS-014: EBS default encryption
Macie2-003: Amazon Macie Discovery Jobs
SecurityHub-002: Security Hub Enabled

Rule mappings now compliant with ISO 27001:2022 and AWS Well-Architected Framework

Wed, 27 Sep 2023 00:00:00 GMT

September 27, 2023, Conformity—Rules' Mapping Update for Compliance Standards

We've updated the Rule mappings to be compliant with the ISO 27001:2022 and AWS Well-Architected Framework Compliance and Standard Reports.

Enable Instance Storage AutoScaling and Template Scanner Bug Fix

Wed, 27 Sep 2023 00:00:00 GMT

RDS-041: Enable Instance Storage AutoScaling

Fixed a bug with the Template Scanner to support the `MaxAllocatedStorage` property in the RDS DBInstance resource.

Improved Scanner Lambda Function Connectivity in File Storage Security

Wed, 27 Sep 2023 00:00:00 GMT

September 27, 2023, File Storage Security—Fixed the issue where the scanner Lambda function may timeout when failing to connect to File Storage Security backend.

New `dateComparison` operator added for Custom Rules

Thu, 28 Sep 2023 00:00:00 GMT

September 28, 2023, Conformity—We've introduced a new operator, `dateComparison`, for Custom Rules. This operator enables the creation of custom rules that interact with date strings in resources. Within this operator, we've added two sub-operators: olderThan and within. You can use this operator to determine whether a date string is older than a specific date or falls within a certain time frame.

For more information, see

An Overview of Conformity Custom Rules

API Reference

Updated Conformity rules for optimal interaction with restricted AWS regions

Thu, 28 Sep 2023 00:00:00 GMT

September 28, 2023, Conformity—Rule Update

AWS

Updated the following rules' to interact optimally with AWS regions with restricted permissions in Conformity:

Config-001: AWS Config Enabled
CT-001: CloudTrail Enabled
GD-001: GuardDuty Enabled

Updated Compliance Standards Mapping for Rules in Conformity

Thu, 28 Sep 2023 00:00:00 GMT

September 28, 2023, Conformity—Rules' Mapping Update for Compliance Standards

We've updated the Rule mappings to be compliant with the NIST Cybersecurity Framework and ISO 27001 Compliance and Standard Reports.

Updated rule now supports Windows and unsupported Linux VMs for Azure Virtual Machines

Fri, 29 Sep 2023 00:00:00 GMT

September 29, 2023, Conformity—Rule Update

Azure

VirtualMachines-024: Enable Performance Diagnostics for Azure Virtual Machines: Updated this rule to support Windows and unsupported Linux VMs.

Advanced Threat Scan Engine now integrated with AWS, Azure, and GCP scanners

Thu, 05 Oct 2023 00:00:00 GMT

October 05, 2023, File Storage Security—The AWS, Azure, and GCP scanners with Advanced Threat Scan Engine (ATSE) 22.610.1017 are now available.

Scanner Lambda function issue resolved for File Storage Security backend

Thu, 05 Oct 2023 00:00:00 GMT

October 05, 2023, File Storage Security—Fixed the issue where the scanner Lambda function repeatedly sent a scan event to the File Storage Security backend.

Conformity Enhancements for SOC 2 Compliance and Security Group Mapping Updates

Thu, 12 Oct 2023 00:00:00 GMT

October 12, 2023, Conformity—Rules' Mapping Update for Compliance Standards

We've updated the Rule mappings to be compliant with the System and Organization Controls 2 (SOC 2) Compliance and Standard Reports.

Rule Update

Azure

AppService-012: Enable FTPS-Only Access: Updated this rule to resolve the case-sensitive issue to avoid false negatives.

AWS

The following rules won't generate checks for security groups that are shared from other accounts.

EC2-001: Security Group Port Range
EC2-002: Unrestricted SSH Access
EC2-003: Unrestricted RDP Access
EC2-004: Unrestricted Oracle Access
EC2-005: Unrestricted MySQL Access
EC2-006: Unrestricted PostgreSQL Access
EC2-007: Unrestricted DNS Access
EC2-008: Unrestricted MsSQL Access
EC2-012: Security Group Excessive Counts
EC2-013: Security Group Large Counts
EC2-014: Security Group Rules Counts
EC2-032: SecurityGroup RFC 1918
EC2-033: Unrestricted Security Group Egress
EC2-034: Unrestricted Security Group Ingress on Uncommon Ports
EC2-036: Security Group Naming Conventions
EC2-038: Unrestricted Telnet Access
EC2-039: Unrestricted SMTP Access
EC2-040: Unrestricted RPC Access
EC2-041: Unrestricted NetBIOS Access
EC2-042: Unrestricted FTP Access
EC2-043: Unrestricted CIFS Access
EC2-044: Unrestricted ICMP Access
EC2-045: Unrestricted MongoDB Access
EC2-059: Descriptions for Security Group Rules
EC2-061: Security Group Name Prefixed With 'launch-wizard'
EC2-063: Unrestricted Elasticsearch Access
EC2-064: Unrestricted HTTP Access
EC2-065: Unrestricted HTTPS Access
EC2-074: Check for Unrestricted Redis Access
EC2-075: Check for Unrestricted Memcached Access
RG-001: Tags

Shared security groups won't be considered by the following rules:

EC2-015: EC2 Instance Security Group Rules Counts
ELB-007: ELB Security Group

Updated Compliance Standards: CIS Foundations Benchmarks for AWS, Azure, and GCP

Thu, 19 Oct 2023 00:00:00 GMT

October 19, 2023, Conformity—Updated Compliance Standards: CIS Foundations Benchmarks

CIS Amazon Web Services Foundations Benchmark v2.0.0
CIS Microsoft Azure Foundations Benchmark v2.0.0
CIS Google Cloud Platform Foundation Benchmark v2.0.0

You can view the CIS certifications awarded to Trend Micro Cloud One - Conformity on the CIS partner website and find out more about Compliance and Conformity in our documentation.

Updated Azure Cosmos DB rule to improve network access restriction validation

Wed, 25 Oct 2023 00:00:00 GMT

October 25, 2023, Conformity—Rule Update

Azure

CosmosDB-003: Restrict Default Network Access for Azure Cosmos DB Accounts: Updated this rule to skip virtual network validation to avoid false negatives.

GuardDuty Enabled Rule now supports all AWS regions

Wed, 25 Oct 2023 00:00:00 GMT

October 25, 2023, Conformity—Rule Update

AWS

GD-001: GuardDuty Enabled: Updated rule to support all regions. Read more >>

Update Required for Azure Scanner and Storage Stacks for Application Insights Migration

Thu, 26 Oct 2023 00:00:00 GMT

October 26, 2023, File Storage Security—You need to update your Azure Scanner and Storage Stacks to migrate the classic Application Insights to the workspace-based Application Insights before Feb 29, 2024.

For more information, see We are retiring Classic Application Insights on 29 February 2024 on the official Azure site. It is recommended to migrate the Application Insights by updating your Scanner and Storage Stacks as soon as possible.

In the Azure deployment templates, a new parameter `VNETRestrictedAccessForAzureMonitorResources` was added, so that you can allow or disallow public network access to those Azure Monitor resources deployed by the templates. The parameter, `VNETRestrictedAccessForApplicationInsights`, will be replaced by the new one and be deprecated after October 31st, 2024.

This requires a stack update.

Template Scanner in Conformity now continues scanning Terraform plans without interruption

Wed, 08 Nov 2023 00:00:00 GMT

November 08, 2023, Conformity—Template Scanner - Terraform plans: Fixed a bug to ensure that the Template Scanner continues scanning in event of missing or empty attributes from certain rules in the template.

File Storage Security expands to AWS Jakarta and Zurich regions

Fri, 10 Nov 2023 00:00:00 GMT

November 10, 2023, File Storage Security—File Storage Security now supports Jakarta (ap-southeast-3) and Zurich (eu-central-2) regions on AWS. For more information, see What's supported in AWS.

File Storage Security scanner now updated with urllib3 version 1.26.18

Fri, 10 Nov 2023 00:00:00 GMT

November 10, 2023, File Storage Security—Update urllib3 version to 1.26.18 in scanner to resolve CVE-2023-45803

Expanded Tag Support for Additional AWS Resource Types

Mon, 13 Nov 2023 00:00:00 GMT

November 13, 2023, Conformity—Rules Update

AWS

RG-001: Tags: Update the rule to add the following resource types to support tags:

EC2 Key Pair
EC2 Reserved Instance
ECS Cluster
ECS Container Instance
ECS Services
ECS Task Definition
EKS Cluster
Lambda Function
Neptune DB Cluster
RDS DB Cluster
RDS DB Snapshot
RDS Event Subscription
RDS Reserved DB Instance
VPC Egress-Only Internet Gateway
VPC Endpoint
VPC Internet Gateway
VPC NAT Gateway
VPC Peering Connection
VPC Route Table
VPC Subnet
VPC Transit Gateway
VPC Transit Gateway Attachment
VPC Transit Gateway Route Table
VPC VPN Connection
VPC VPN Gateway

Fixed IAM certificate bug impacting multiple SSL/TLS certificate rules and updated CloudLogging-001 rule

Tue, 14 Nov 2023 00:00:00 GMT

November 14, 2023, Conformity—Bug Fix

AWS

Fixed a bug impacting IAM certificate which affected the following rules:
IAM-018: SSL/TLS Certificate Expiry 7 Days
IAM-019: SSL/TLS Certificate Expiry 30 Days
IAM-020: SSL/TLS Certificate Expiry 45 Days
IAM-021: Expired SSL/TLS Certificate
IAM-033: Pre-Heartbleed Server Certificates
IAM-059: Server Certificate Signature Algorithm
IAM-062: AWS IAM Server Certificate Size

GCP

CloudLogging-001: Enable Monitoring for Bucket Permission Changes: Updated the rule to validate the alerting policy correctly.

New parameter added for selecting tag format in File Storage Security template

Wed, 15 Nov 2023 00:00:00 GMT

November 15, 2023, File Storage Security—A new parameter `ScanResultTagFormat` has been added to the AWS All-in-one, Storage Stack and Account Scanner template. You can now select tag format for the post scan action tag. For more information, see View Tags.

This requires a stack update.

Updated terminology to 'Microsoft Entra ID' in Conformity and UI for clarity

Mon, 20 Nov 2023 00:00:00 GMT

November 20, 2023, Conformity—We've updated all instances of the term 'Azure AD' to 'Microsoft Entra ID' in Trend Cloud One - Conformity and Standalone UI, Online help and API documentation following an update from Microsoft in July 2023. For details, see: Microsoft's Glossary of Updated Terminology.

Improved accuracy in scanning Terraform Templates for invalid format in Template Scanner

Tue, 21 Nov 2023 00:00:00 GMT

November 21, 2023, Conformity—We've added sanity checking to produce more accurate results while scanning a Terrafrom Template with an invalid format in the Template Scanner.

System events descriptions in Trend Cloud One now display time zones accurately

Tue, 21 Nov 2023 00:00:00 GMT

November 21, 2023, Workload Security—As part of the SNS update, time zones in the description of the system events in Trend Cloud One - Endpoint & Workload Security are no longer converted to the local time zone to match security events.

Improved Azure template deployment success with explicit dependencies in Application Insights

Mon, 27 Nov 2023 00:00:00 GMT

November 27, 2023, File Storage Security—Fixed the issue of Azure template deployment failure by adding explicit dependencies in Application Insights to ensure that the Log Analytics workspace was deployed before them.

Bug Fix for CloudLogging Rules and Update to CloudIAM-001 Rule Configuration

Mon, 04 Dec 2023 00:00:00 GMT

December 04, 2023, Conformity—Bug Fix

GCP

Fixed a bug impacting the following CloudLogging rules:
CloudLogging-001: Enable Monitoring for Bucket Permission Changes
CloudLogging-002: Enable VPC Network Route Changes Monitoring
CloudLogging-003: Enable VPC Network Changes Monitoring
CloudLogging-004: Enable Monitoring for Custom Role Changes
CloudLogging-005: Enable Monitoring for SQL Instance Configuration Changes
CloudLogging-006: Enable Monitoring for Firewall Rule Changes
CloudLogging-007: Enable Monitoring for Audit Configuration Changes
CloudLogging-008: Enable Project Ownership Assignments Monitoring

Rules Update

GCP

CloudIAM-001: Restrict Administrator Access for Service Accounts:

Update the rule to accurately exclude Google-managed service accounts.
Update the rule to display the number of service accounts associated with each role. Additionally, detailed information will only be shown for roles that have fewer than 5 service accounts.

Microsoft Azure AD renamed to Microsoft Entra ID in Trend Cloud One

Thu, 07 Dec 2023 00:00:00 GMT

December 07, 2023, Workload Security—Azure AD is now referred to as Microsoft Entra ID in Trend Cloud One - Endpoint & Workload Security UI, online help, and API documentation following the product name change by Microsoft in July 2023. For details, see Microsoft's Glossary of Updated Terminology

Deep Security Agent (DSA) Requires Upgrade to New Revision in January 2024

Mon, 11 Dec 2023 00:00:00 GMT

December 11, 2023, Workload Security—Using the new release of Deep Security Agent (DSA) requires upgrading agents with the new DSA revision in January 2024. For details, see Platform support updates for Deep Security Agent (DSA) version revision in January 2024 Update Release.

Updated Conformity Custom Policy with Added Permissions

Tue, 12 Dec 2023 00:00:00 GMT

December 12, 2023, Conformity—Custom Policy Update

The Conformity AWS custom policy was updated on 5.12.2023 at 09:59 AEST. The new custom policy version is 1.45 and the permissions added are:

ecr:DescribeImages
lambda:ListLayers

Click here to access the new custom policy.

Deep Security Agent now supports Debian Linux 12

Tue, 12 Dec 2023 00:00:00 GMT

December 12, 2023, Workload Security—Deep Security Agent 20.0.0-8438 and later supports Debian Linux 12.

Deep Security Agent now supports Windows 11 23H2

Tue, 12 Dec 2023 00:00:00 GMT

December 12, 2023, Workload Security—Deep Security Agent 20.0.0-8438 and later supports Windows 11 23H2.

Conformity Enhancements for NIS Europe Compliance Standards and Rule Updates

Tue, 19 Dec 2023 00:00:00 GMT

December 19, 2023, Conformity—Rules' Mapping Update for Compliance Standards

We've updated the Rule mappings to be compliant with the NIS Europe Compliance and Standard Reports.

Rules Update

AWS

IAM-042: Hardware MFA for AWS Root Account: Updated this rule to a not scored rule. AWS can now support multiple virtual and hardware MFA devices on the root account. It is no longer possible to conclusively determine the presence of a hardware MFA device on the root account via API.

Azure

Advisor-001: Check for Azure Advisor Recommendations: Updated the extra data within the check message to improve the identification of the check and its corresponding recommendation.

Bug Fix improves Activity Log Storage Container checks in Monitor-005

Tue, 09 Jan 2024 00:00:00 GMT

January 09, 2024, Conformity—Bug Fix

Monitor-005: Check for Publicly Accessible Activity Log Storage Container: Fixed a bug that was inhibiting the checks being created by the scanner.

New AWS Lambda function rule and S3 bucket encryption exceptions added

Tue, 09 Jan 2024 00:00:00 GMT

January 09, 2024, Conformity—New Rules

AWS

Lambda-013: Function in Private Subnet: This rule ensures that your Amazon Lambda functions are configured to use private subnets.

Rules Update

AWS

S3-025: S3 Buckets Encrypted with Customer-Provided CMKs: You can now add exceptions to the rule configurations.

DynamoD-004: AWS KMS Customer Master Keys for Table Encryption: Update the rule title, description, and check message to clearly distinguish between Customer Managed Keys (CMK) and AWS Managed Keys.

Enable Amazon Inspector 2 for enhanced AWS cloud environment security

Wed, 10 Jan 2024 00:00:00 GMT

January 10, 2024, Conformity—New Rules

AWS

Inspector2-001: Enable Amazon Inspector 2: This rule ensures that Amazon Inspector 2 is enabled for your AWS cloud environment.

GCP Scanner now auto-retries on failure for improved File Storage Security

Wed, 10 Jan 2024 00:00:00 GMT

January 10, 2024, File Storage Security—The GCP scanner function auto retry on failure is now enabled. This mitigates a known issue where the cloud function randomly threw an error when performing HTTP requests.

This requires a stack update.

GCP Deprecating 'python38' and 'nodejs16' Runtimes for Functions

Wed, 10 Jan 2024 00:00:00 GMT

January 10, 2024, File Storage Security—The GCP functions currently run in the Node.js 20 and Python 3.12 runtimes. Both `python38` and `nodejs16` runtimes are scheduled to be deprecated later this year by GCP. For more information, see Runtime support. It is recommended to update the runtime as soon as possible by updating the Scanner Stack and Storage Stack.

This requires a stack update.

Improved AWS API call monitoring with bug fix for regex validation

Thu, 11 Jan 2024 00:00:00 GMT

January 11, 2024, Conformity—Bug Fix

RTM-011: Monitor Unintended AWS API Calls: Fixed the regex validation for the rule setting. We advise checking for any existing invalid regex patterns as your configured rule settings will not be modified.

Support for AWS RDS Transport Encryption for MySQL and Aurora Databases

Tue, 16 Jan 2024 00:00:00 GMT

January 16, 2024, Conformity—Rule Update

RDS-037: Enable AWS RDS Transport Encryption: Updated the rule to support MySQL, Aurora MySQL, and Aurora PostgreSQL database engines.

Enhanced VDI Support and Endpoint Identification in Trend Cloud One Integration

Tue, 16 Jan 2024 00:00:00 GMT

January 16, 2024, Workload Security—Trend Vision One Endpoint Security and Trend Cloud One integrated with Trend Vision One can now use Virtual Desktop Infrastructure (VDI) operations on endpoints without needing the image setup tool. This feature can be enabled via the agent System Settings by selecting Allow Vision One Virtual Desktop Infrastructure (VDI) support and cloned virtual machines. Before enabling this feature, be aware of the following:

Enabling VDI support locks three system settings:
- If a computer already exists: Reactivate the existing computer
- Reactivate cloned agents: True
- Reactivate unknown agents: True
The number of hosts in the computer list may vary.

This enhancement also resolves the following issues:

Trend Cloud One - Endpoint & Workload Security and Trend Vision One Endpoint Security Server & Workload Protection mistook multiple endpoints as the same endpoint.
The detection log for Trend Vision One and the endpoint inventory for Trend Vision One Endpoint Security mistook agents installed on one device as a different endpoint.

Upgrade to Deep Security Agent version 20.0.1-690 required for new release

Wed, 17 Jan 2024 00:00:00 GMT

January 17, 2024, Workload Security—Using the new release of Deep Security Agent requires upgrading agents with the new version 20.0.1-690. For details, see Platform support updates for Deep Security Agent (DSA) version revision in January 2024 Update Release

Conformity introduces updated AWS custom policy with new permissions

Thu, 18 Jan 2024 00:00:00 GMT

January 18, 2024, Conformity—Custom Policy Update

The Conformity AWS custom policy was updated on 16.01.2024 at 10:59 AEDT. The new custom policy version is 1.46 and the permissions added are:

rds:DescribeDBClusterParameters
rds:DescribeDBClusterParameterGroups

Click here to access the new custom policy.

Support for Google Cloud Architecture Framework compliance in GCP

Thu, 18 Jan 2024 00:00:00 GMT

January 18, 2024, Conformity—Compliance standards

Google Cloud Architecture Framework

We now support Google Cloud Architecture Framework (version August 2023) across compliance features for GCP.

Custom Role for File Storage Security Bucket Listener in GCP Terraform Deployment

Thu, 18 Jan 2024 00:00:00 GMT

January 18, 2024, File Storage Security—Created a custom role Trend Micro File Storage Security Bucket Listener Storage Role to access the scanning bucket in a GCP stack's Terraform deployment to prevent a predefined role's IAM binding from being overwritten.

This requires a stack update.

Stable Network Connectivity for AWS Scanner Function

Mon, 22 Jan 2024 00:00:00 GMT

January 22, 2024, File Storage Security—Fixed the issue where the AWS scanner function sometimes reported an "Invalid license status" message in the scan results due to unstable network status.

AWS Lambda upgraded to Python 3.11 runtime, deprecating Python 3.8 later

Tue, 23 Jan 2024 00:00:00 GMT

January 23, 2024, File Storage Security—The AWS Lambda now runs on Python 3.11 runtime. AWS Lambda Python 3.8 is scheduled to be deprecated later this year by AWS. For more information, see Lambda runtimes. It is recommended to update the runtime as soon as possible by updating the Scanner Stack, Storage Stack, and Account Scanner Stack.

This requires a stack update.

Conformity Enhancements: New Custom Checks TTL Management and Rule Update for Client Certificates

Mon, 29 Jan 2024 00:00:00 GMT

January 29, 2024, Conformity—Rule Update

AppService-008: Enable Incoming Client Certificates: Updated the rule to automatically produce a SUCCESS check if HTTP 2.0 is enabled.

Custom Checks Updates

We have made the following updates to the Custom Checks API feature:

Updated the Custom Checks 'Time-To-Live' (TTL) feature to allow mutability for existing checks, enabling easier stateless management and deletion.
Introduced a Maximum TTL of 12 months for newly created checks. If no TTL is specified, the value will default to 12 months after the creation date.
Fixed a bug that resulted in some existing custom checks being incorrectly deleted.

Custom Checks Data Migration

On Wednesday 31 January (AEDT), we will migrate your existing custom checks to the new TTL system.
All existing custom checks without a TTL will be updated to include a TTL of 12 months from the update date.

For further details, see Create Custom Checks and Custom Rules vs Conformity Rules.

Enhanced Azure Scanner with Updated Service Bus SDK for Improved Authorization Timeout Handling

Mon, 29 Jan 2024 00:00:00 GMT

January 29, 2024, File Storage Security—Updated the Azure Service Bus SDK's version to 7.10.0 in the Azure scanner to mitigate the Authorization timeout issue during publishing scan results to the Service Bus.

Custom Checks now support Time-To-Live updates for better customization

Wed, 31 Jan 2024 00:00:00 GMT

January 31, 2024, Conformity—Custom Checks Updates

On Monday 29 January 2024 (AEDT), we introduced the following updates to Custom Checks:

Allow 'Time-To-Live' (TTL) to be mutable.
Introduced a default and maximum TTL value of 12 months after the check creation date.

As of Wednesday 31 January (AEDT), we have migrated all existing Custom Checks to use TTL. The affected checks now have a TTL of 12 months from today, at which point they will automatically be deleted.

If you have existing Custom Checks, you can update the TTL value via the Update Check endpoint. If you wish to maintain a Custom Check beyond 12 months, we recommend scheduling an automated API process to keep your Custom Checks up-to-date.

Improved AWS scanner function for reliable scan retries

Wed, 31 Jan 2024 00:00:00 GMT

January 31, 2024, File Storage Security—Fixed the issue where the AWS scanner function sometimes did not retry the scan for scan error scan results.

This requires a stack update.

Updated rules exclude cross account evaluation for BigQuery encryption with customer-managed keys

Mon, 05 Feb 2024 00:00:00 GMT

February 05, 2024, Conformity—Rule Update

Updated these rules to exclude cross account evaluation to avoid false positive checks:

BigQuery-002: Enable BigQuery Encryption with Customer-Managed Keys
BigQuery-003: Enable BigQuery Dataset Encryption with Customer-Managed Encryption Keys

New GCP account permission "iam.roles.list" added for Conformity cloudiam-roles descriptor

Wed, 07 Feb 2024 00:00:00 GMT

February 07, 2024, Conformity—GCP account permission list updated

New permission "iam.roles.list" added for "cloudiam-roles" descriptor. For the full list of required GCP permissions, see here.

Upcoming Rule Updates for AWS and GCP with Key Rotation and Runtime Environment Changes

Thu, 08 Feb 2024 00:00:00 GMT

February 08, 2024, Conformity—Upcoming Rule Updates

The following rule updates will be released soon. These changes may affect your checks and compliance scores:

AWS

KMS-002: Key Rotation Enabled: Update to stop incorrect checks for Asymmetric keys.
Lambda-001: Lambda Using Latest Runtime Environment: Remove 'dotnet7' and add 'dotnet8' to the default recommended list of latest runtime versions.
Lambda-012: Lambda Using Supported Runtime Environment: Add 'dotnet8' to the list of supported runtime versions. See AWS documentation - Lambda runtimes for further details.

GCP

CloudVPC-003: Enable VPC Flow Logs for VPC Subnets: Update to exclude non-PRIVATE subnets from being incorrectly evaluated by the rule. VPC Flow Logs cannot be enabled for subnets whose purpose is not PRIVATE.

Rule Updates: Key Rotation and VPC Flow Logs Improvements

Mon, 12 Feb 2024 00:00:00 GMT

February 12, 2024, Conformity—Rule Updates

KMS-002: Key Rotation Enabled: Updated the rule to bypass asymmetric keys for having rotation enabled.
CloudVPC-003: Enable VPC Flow Logs for VPC Subnets: Updated the rule to exclude non PRIVATE purpose subnets from being incorrectly evaluated. VPC Flow Logs cannot be enabled for subnets whose purpose is not PRIVATE.

Container Security Enhances Runtime Security Rule Download for Improved Protection

Tue, 20 Feb 2024 00:00:00 GMT

February 20, 2024, Container Security—If you are using Runtime security, you should upgrade scout to version 2.3.26 or later to ensure access to future Runtime Security rules.

Container Security's Runtime Security has been updated to allow scout to download larger runtime security rule files. You should upgrade clusters that are running scout versions older than 2.3.26 to the latest available version to ensure that you have access to new runtime security rules as they become available. Older versions of scout will continue receiving rules and existing installations will retain their protection, but they will not be updated as frequently with new rules due to file size limitations that are fixed in newer versions.

To upgrade Runtime security, upgrade clusters individually via Helm by following instructions provided in Upgrade a Trend Micro Cloud One Container Security deployment.

Lambda Runtime Updates and Security Group Rule Deprecation

Mon, 26 Feb 2024 00:00:00 GMT

February 26, 2024, Conformity—Rule Updates

Lambda-001: Lambda Using Latest Runtime Environment: Removed 'dotnet6' and added 'dotnet8' to the default recommended list of latest runtime versions.
Lambda-009: Enable Encryption at Rest for Environment Variables using Customer Master Keys: Improved the rule logic to generate no check when lambda functions have no environment variable.
Lambda-012: Lambda Using Supported Runtime Environment: Added 'dotnet8' to the list of supported runtime versions. See AWS documentation - Lambda runtimes for further details.

Rule Deprecation

EC2-015: EC2 Instance Security Group Rules Counts: The recommendation of limiting security group rules to a certain quota is no longer a best practice. See the knowledge base article for additional context. For more information on rule deprecation, see here.

Updated DynamoDB-005 Rule for Accurate Backup and Restore Detection

Tue, 27 Feb 2024 00:00:00 GMT

February 27, 2024, Conformity—Rule Update

DynamoDB-005: DynamoDB Backup and Restore: Updated the rule to correctly get backups created with both Amazon DynamoDB and AWS Backup.

New GCP account permissions for Conformity added

Wed, 28 Feb 2024 00:00:00 GMT

February 28, 2024, Conformity—Updated GCP account permission list

We've added the following new GCP account permissions:

`compute.disks.getIamPolicy`
`compute.disks.list`

For a full list of GCP permissions, see Add a GCP Account.

Improved uninstallation process removes all Deep Security Agent folders

Thu, 29 Feb 2024 00:00:00 GMT

February 29, 2024, Workload Security—Uninstalling Deep Security Agent did not remove all folders associated with the agent.

Conformity enhances Azure compliance reporting with updated frameworks

Tue, 05 Mar 2024 00:00:00 GMT

March 05, 2024, Conformity—Standards and Compliance Reports

The Azure Well-Architected Framework compliance standard report has been updated to reflect recent updates to Azure's Well-Architected Framework.

Considering substantial changes applied to the rule mapping, Conformity now supports the following compliance standards:

Azure Well-Architected Framework (updated October 2023)
Azure Well-Architected Framework (Deprecated) (updated July 2022)

As of 01 June 2024, the following compliance standards will be deprecated:

Azure Well-Architected Framework (Deprecated) (updated July 2022)

This deprecated compliance standard will be no longer be accessible in the filters, preventing the creation of new reports or report-configurations with this outdated standard. If any existing report configurations include the deprecated compliance standard, it will not be possible to generate new PDF/CSV reports. However, the list of previously generated PDF/CSV reports remains available. We recommend updating your report configurations to use the latest versions of the Azure Well-Architected Framework by 01 June 2024.

Lambda VPC setting can now be removed during stack updates

Wed, 06 Mar 2024 00:00:00 GMT

March 06, 2024, File Storage Security—Fixed the issue where Lambda VPC setting could not be removed in the stack update when the VPC setting-related parameters were empty.

This requires a stack update.

New GCP account permission `compute.vpnGateways.list` added

Wed, 13 Mar 2024 00:00:00 GMT

March 13, 2024, Conformity—Updated GCP account permission list

We've added the following new GCP account permissions:

`compute.vpnGateways.list`

For a full list of GCP permissions, see Add a GCP Account.

Updated rule for Application Insights in Azure App Service

Wed, 13 Mar 2024 00:00:00 GMT

March 13, 2024, Conformity—Rule Update

This change may affect your checks and compliance scores:

Azure

AppService-016: Enable Application Insights: Updated the rule to handle Application Insights configured using either instrumentation keys or connection strings.

Template Scanner now supports Lambda Function, Kinesis Stream, and SNS Topic resources

Wed, 20 Mar 2024 00:00:00 GMT

March 20, 2024, Conformity—More Terraform resources supported by Template Scanner

We've supported the following Terraform resources in Template Scanner:

Lambda Function
Kinesis Stream
SNS Topic

New GCP account permissions added for enhanced network and function management

Wed, 20 Mar 2024 00:00:00 GMT

March 20, 2024, Conformity—Updated GCP account permission list

We've added the following new GCP account permissions:

`networkconnectivity.hubs.list`
`networkconnectivity.hubs.listSpokes`
`cloudfunctions.functions.list`
`cloudfunctions.functions.getIamPolicy`

For a full list of GCP permissions, see Add a GCP Account.

Real-Time Monitoring Issue Resolved for AWS Region us-east-1

Mon, 25 Mar 2024 00:00:00 GMT

March 25, 2024, Conformity—Incident Affecting Real-Time Monitoring for AWS

From 11:16 UTC 21 March to 01:10 UTC 25 March, Trend Cloud One Conformity did not receive Real-Time Monitoring events from the AWS region `us-east-1`. The affected events may include critical IAM service events and resource-based events in your AWS accounts from `us-east-1`.

We have resolved the issue and sincerely apologize for the inconvenience this may have caused. If you have any more concerns, please feel free to raise a support request.

New GCP Cloud Logging rules updated to accept bucket-based log-based metrics

Wed, 27 Mar 2024 00:00:00 GMT

March 27, 2024, Conformity—Upcoming Rule Update

These GCP Cloud Logging rules have been updated to accept bucket-based log-based metrics:

CloudLogging-001: Enable Monitoring for Bucket Permission Changes
CloudLogging-002: Enable VPC Network Route Changes Monitoring
CloudLogging-003: Enable VPC Network Changes Monitoring
CloudLogging-004: Enable Monitoring for Custom Role Changes
CloudLogging-005: Enable Monitoring for SQL Instance Configuration Changes
CloudLogging-006: Enable Monitoring for Firewall Rule Changes
CloudLogging-007: Enable Monitoring for Audit Configuration Changes
CloudLogging-008: Enable Project Ownership Assignments Monitoring

Azure Functions Service Bus Extension updated to v5.x for enhanced file storage security

Wed, 27 Mar 2024 00:00:00 GMT

March 27, 2024, File Storage Security—The Azure Functions Service Bus Extension for Azure blob listener and post-scan functions have been updated to v5.x.

Improved AWS Stack Deployment Compatibility for File Storage Security

Thu, 28 Mar 2024 00:00:00 GMT

March 28, 2024, File Storage Security—Fixed the issue where the AWS stacks could not be deployed on the File Storage Security console if the stacks were deployed on an AWS account where the AWS region's STS of the selected Cloud One region was not activated.

New Supported Cache Node Types Added to Conformity Rule Settings

Wed, 03 Apr 2024 00:00:00 GMT

April 03, 2024, Conformity—Upcoming Rule Update

The change will allow you to add new supported cache node types to the rule settings:

EC-011: ElastiCache Desired Node Type

Updated GCP account permission list now includes `compute.targetVpnGateways.list`

Thu, 04 Apr 2024 00:00:00 GMT

April 04, 2024, Conformity—Updated GCP account permission list

We've added the following new GCP account permissions:

`compute.targetVpnGateways.list`

For a full list of GCP permissions, see Add a GCP Account.

RTM introduces new AWS rules for EKS cluster security and logging

Mon, 08 Apr 2024 00:00:00 GMT

April 08, 2024, Conformity—RTM for AWS

RTM now supports the following rules:

EKS-001: EKS Cluster Endpoint Public Access: Ensure that AWS EKS cluster endpoint access isn't public and prone to security risks.
EKS-003: Kubernetes Cluster Logging: Ensure that EKS control plane logging is enabled for your Amazon EKS clusters.

AuditEvent Logging now enabled for Azure Key Vaults

Thu, 11 Apr 2024 00:00:00 GMT

April 11, 2024, Conformity—Bug Fix

KeyVault-004: Enable AuditEvent Logging for Azure Key Vaults: Fixed a bug that created failed checks when the audit category group is enabled.

New Rule Added: Scan ECR Container Images Automatically on Push

Wed, 17 Apr 2024 00:00:00 GMT

April 17, 2024, Conformity—RTM for AWS

Added the following rule to RTM:

ECR-003: Enable Scan on Push for ECR Container Images: This rule ensures that each Amazon ECR container image is automatically scanned for vulnerabilities when pushed to a repository.

Enhanced Template Scanner now supports Auto Scaling Group, CloudFormation Stack, and SQS Queue

Thu, 18 Apr 2024 00:00:00 GMT

April 18, 2024, Conformity—Additional Terraform Resources' support in the Template Scanner

We now support the following Terraform resources in the Template Scanner:

Auto Scaling Group
CloudFormation Stack
SQS Queue

Updated GCP account permissions for Conformity now include new options

Mon, 22 Apr 2024 00:00:00 GMT

April 22, 2024, Conformity—GCP account permission list updated

New permissions

apigateway.apis.list
apigateway.apis.getIamPolicy

For the full list of required GCP permissions, see here.

Updated Lambda Runtimes for Improved Performance

Tue, 23 Apr 2024 00:00:00 GMT

April 23, 2024, Conformity—Rule Updates

Lambda-001: Lambda Using Latest Runtime Environment: Removed 'ruby3.2' and added 'ruby3.3' to the default recommended list of latest runtime versions.
Lambda-012: Lambda Using Supported Runtime Environment: Added 'ruby3.3' to the list of supported runtime versions. See AWS documentation - Lambda runtimes for further details.

New Azure API Management Rules Enhance Security and Performance

Wed, 24 Apr 2024 00:00:00 GMT

April 24, 2024, Conformity—New Rules

Azure

APIManagement-001: Enable Built-In Response Caching: This rule ensures that built-in response caching is enabled for Microsoft Azure API Management APIs to reduce latency for API callers and backend load for API providers.
APIManagement-004: Prevent the Exposure of Credentials and Secrets using Encrypted Named Values: This rule ensures that named values are encrypted to prevent the exposure of secrets in Azure API Management.

Enhanced SUSE Linux Enterprise Server 12 SP5 Support in Deep Security Agent

Wed, 24 Apr 2024 00:00:00 GMT

April 24, 2024, Workload Security—Deep Security Agent version 20.0.1-7380 and later supports the majority of features for SUSE Linux Enterprise Server 12 SP5 (PowerPC little-endian), with the exception of Integrity Monitoring, Application Control, and Trend Vision One (XDR).

Azure API Management now enforces resource logs for enhanced monitoring

Thu, 02 May 2024 00:00:00 GMT

May 02, 2024, Conformity—New Rules

Azure

APIManagement-005: Enable Resource Logs: This rule ensures that Azure API Management API services are configured to use resource logs.

Enhanced Terraform Template Scanner with ELBv2 Support and Lambda VPC Access Fix

Mon, 06 May 2024 00:00:00 GMT

May 06, 2024, Conformity—Template Scanner Updates

Additional Terraform Resources' Support: We now support Terraform resource ELBv2 in the Template Scanner.
Lambda-007: VPC Access for AWS Lambda Functions: Fixed a bug in the Terraform Template Scanner to return correct checks.

Conformity GCP account permissions updated with new AlloyDB access

Mon, 06 May 2024 00:00:00 GMT

May 06, 2024, Conformity—GCP account permission list updated

New permissions

alloydb.clusters.list
alloydb.instances.list

For the full list of required GCP permissions, see here.

Azure Custom Role Template Update: Permission Removal for Queue Read Access

Tue, 07 May 2024 00:00:00 GMT

May 07, 2024, Conformity—Azure Custom Role Permissions Update

The Azure permission `Microsoft.Storage/storageAccounts/queueServices/queues/read` has been removed from the Custom Role template. For the full list of required Azure permissions, see here.

Updated PCI DSS v4 Standards Report for AWS, Azure, and GCP compliance

Wed, 08 May 2024 00:00:00 GMT

May 08, 2024, Conformity—Standards and Compliance Reports

The PCI DSS v4 Standards and Compliance report has been updated to reflect the latest rules released for AWS, Azure and GCP.

Azure API Management now supports HTTP/2 for improved performance

Wed, 08 May 2024 00:00:00 GMT

May 08, 2024, Conformity—New Rules

Azure

APIManagement-006: Enable Support for HTTP/2: This rule ensures that Azure API Management API gateways are configured to use HTTP/2.

New GCP account permissions for pubsub topics added

Thu, 09 May 2024 00:00:00 GMT

May 09, 2024, Conformity—Updated GCP account permission list

We've added the following new GCP account permissions:

pubsub.topics.get
pubsub.topics.getIamPolicy

AWS Lambda runtime changes affecting conformity scores

Mon, 13 May 2024 00:00:00 GMT

May 13, 2024, Conformity—Upcoming Rule Update

The following rule updates will be released soon. These changes may affect your checks and compliance scores:

AWS

Lambda-001: Lambda Using Latest Runtime Environment: Removed 'dotnet7' from the default recommended list of latest runtime versions.
Lambda-012: Lambda Using Supported Runtime Environment: Removed 'dotnet7' from the list of supported runtime versions. See AWS documentation - Lambda runtimes for further details.

New Apigee API & Account Permissions added for enhanced GCP project management

Mon, 13 May 2024 00:00:00 GMT

May 13, 2024, Conformity—Updated GCP project APIs & Account Permissions list

We've added the following new APIs & Account Permissions:

Apigee API

New permissions:

apigee.apiproducts.list
apigee.deployments.list
apigee.envgroupattachments.list
apigee.envgroups.list
apigee.instanceattachments.list
apigee.instances.list
apigee.proxies.list
apigee.proxyrevisions.list

For the full list of required GCP permissions, see here.

Updated GCP account permissions now include spanner and memcache instance access

Mon, 20 May 2024 00:00:00 GMT

May 20, 2024, Conformity—GCP account permission list updated

New permissions

spanner.instances.getIamPolicy
spanner.instances.list
memcache.instances.list

For the full list of required GCP permissions, see here.

AWS Custom Policy Update: New `lambda:GetFunction` Permission Added

Tue, 21 May 2024 00:00:00 GMT

May 21, 2024, Conformity—AWS Custom Policy Update

The Conformity AWS Custom Policy has been updated to version 1.49. The new permission added is:

`lambda:GetFunction`

Click here to access the latest custom policy.

For more information, refer to the AWS Custom Policy documentation.

Enable Integration with Application Insights for API Gateway APIs

Tue, 21 May 2024 00:00:00 GMT

May 21, 2024, Conformity—New Rule

Azure

APIManagement-003: Enable Integration with Application Insights: This rule ensures that API Gateway APIs are integrated with application insights for diagnostic logging.

Conformity now available in AWS ca-west-1 and il-central-1 regions

Thu, 23 May 2024 00:00:00 GMT

May 23, 2024, Conformity—New Region

AWS

The new AWS region ca-west-1 and il-central-1 is enabled for Conformity.

Enforce HTTPS for Azure API Management APIs

Sun, 26 May 2024 00:00:00 GMT

May 26, 2024, Conformity—New Rule

Azure

APIManagement-002: Enforce HTTPS: This rule ensures that Azure API Management APIs are using HTTPS.

Enable Trusted Launch for Azure Virtual Machines with New Rule Azure VirtualMachines-040

Thu, 30 May 2024 00:00:00 GMT

May 30, 2024, Conformity—New Rule

Azure

VirtualMachines-040: Enable Trusted Launch for Virtual Machines: This rule ensures that all Azure Virtual Machines are using the Trusted Launch security feature.

Removed unused permission 'apigee.proxyrevisions.list' from GCP account permission list

Thu, 30 May 2024 00:00:00 GMT

May 30, 2024, Conformity—GCP account permission list updated

Removed the following unused permission:

apigee.proxyrevisions.list

For the full list of required GCP permissions, see here.

Updated Azure Rule: Microsoft Defender Standard Pricing Tier now excludes deprecated KubernetesService

Thu, 30 May 2024 00:00:00 GMT

May 30, 2024, Conformity—Rule Update

Azure

SecurityCenter-001: Enable Microsoft Defender Standard Pricing Tier: This rule has been updated not to check a deprecated KubernetesService.

Template Scanner now accurately detects Cluster Deletion Protection settings in CloudFormation

Mon, 03 Jun 2024 00:00:00 GMT

June 03, 2024, Conformity—Template Scanner Updates

RDS-035: Cluster Deletion Protection: Fixed a bug where Template Scanner indicated that DeletionProtection was not enabled incorrectly. Template Scanner will now correctly return `SUCCESS` for `RDS-035` if `DeletionProtection` is set to `true` in CloudFormation.

CloudSQL now supports SSL/TLS for incoming connections

Mon, 03 Jun 2024 00:00:00 GMT

June 03, 2024, Conformity—Bug Fix

GCP

CloudSQL-004: Enable SSL/TLS for Cloud SQL Incoming Connections:

Fixed a bug where the rule generated false positive checks while CloudSQL instance is configured correctly to only allow SSL connections.

Deprecation of Azure Well-Architected Framework in Compliance Reports

Mon, 03 Jun 2024 00:00:00 GMT

June 03, 2024, Conformity—Standards and Compliance Reports

Following up on previous notification (05 March 2024), as of 03 June 2024, the following compliance standard have been deprecated:

Azure Well-Architected Framework (Deprecated) (updated July 2022)

This compliance standard is no longer accessible in the filters, preventing the creation of new reports or report-configurations with this outdated standard. If any existing report configurations include the deprecated compliance standard, it will not be possible to generate new PDF/CSV reports. However, the list of previously generated PDF/CSV reports remains available. We recommend updating your report configurations to use the latest version of the Azure Well-Architected Framework.

Updated AWS account permissions now include wafv2:GetWebACL

Tue, 04 Jun 2024 00:00:00 GMT

June 04, 2024, Conformity—AWS account permission list updated

Added the following permission:

wafv2:GetWebACL

Filter Checks and Download Compliance Reports for AWS, Azure, and GCP environments

Tue, 04 Jun 2024 00:00:00 GMT

June 04, 2024, Conformity—Standards and Compliance Reports

You can now filter Checks and download Compliance Reports to ensure your AWS, Azure and GCP cloud environments comply with the following standards:

NIST Cybersecurity Framework v2.0

Upgrade to Python Lambda runtime version 3.12 for improved AWS account templates

Wed, 05 Jun 2024 00:00:00 GMT

June 05, 2024, Cloud Account Management—Python Lambda runtime has been upgraded from version 3.8 to 3.12. You need to update your connected AWS accounts with the most recent template.

Upcoming AWS Lambda Rule Update: Removal of 'nodejs16.x' Runtime Version

Wed, 12 Jun 2024 00:00:00 GMT

June 12, 2024, Conformity—Upcoming Rule Update

The following rule update will be released soon. These changes may affect your checks and compliance scores:

AWS

Lambda-012: Lambda Using Supported Runtime Environment: Removed 'nodejs16.x' from the list of supported runtime versions. See AWS documentation - Lambda runtimes for further details.

Improved CSV and PDF report generation with fixed user filter display issues

Mon, 17 Jun 2024 00:00:00 GMT

June 17, 2024, Conformity—Bug Fixes

CSV Reports:
Fixed a bug in generated CSV reports where values for user selected filters for 'Region', 'Providers' and 'Risk Levels' were not displayed in the same format as the values of the respective data columns of the report.
Fixed a bug in generated CSV reports where user selected filters for 'Standards & Frameworks controls' were not displayed.
PDF Reports:
Fixed a bug in generated PDF reports where user selected filters for 'Rules' were not displayed.
Fixed a bug in generated PDF reports where user selected filters for 'Categories' and 'Risk Levels' were not displayed in the same format as they appear in the 'List of Performed Checks'.

Fixed issue with Terraform Template Scanner for scanning plans with only modules

Tue, 18 Jun 2024 00:00:00 GMT

June 18, 2024, Conformity—Bug Fixes

Template Scanner:

Fixed an issue with Terraform Template Scanner where attempting to scan plans which contained only modules and no resources produced an error.

Conformity RTM Update: Google Cloud Platform Runtime Changes for Node.js 16

Tue, 18 Jun 2024 00:00:00 GMT

June 18, 2024, Conformity—Cloud Functions Runtime Changes for Google Cloud Platform (GCP) RTM

The current Cloud Functions runtime version used for Conformity RTM is Node.js 16 and will be decommissioned by Google Cloud on 30 January 2025. This change will affect Conformity GCP Real Time Monitoring (RTM) configurations but does not immediately affect the existing Conformity customers.

We have updated the GCP Real-Time Monitoring installation template to use the latest 1st generation Runtime version.

Please follow the Real-time Monitoring Settings > RTM for GCP to install RTM for GCP again to upgrade the existing configuration before 30 January 2025.

Bug Fix for SSM Managed Instances Check in AWS Conformity

Wed, 19 Jun 2024 00:00:00 GMT

June 19, 2024, Conformity—Rule Update

AWS

SSM-003: Check for SSM Managed Instances:

Fixed a bug that generated false negative checks for a recently created instance despite being correctly managed by the AWS Systems Manager.

New Azure API Management rule enforces secure TLS version configuration for API gateways

Thu, 20 Jun 2024 00:00:00 GMT

June 20, 2024, Conformity—New Rule

Azure

APIManagement-007: Check the TLS Version Configured for API Gateways: This rule ensures that Azure API Management API gateways are not configured to use weak and deprecated TLS protocols.

Conformity Terraform Template Scanner now available with Cloud Formation resources

Mon, 24 Jun 2024 00:00:00 GMT

June 24, 2024, Conformity—Terraform Template Scanner support for Cloud Formation Template Scanner Resources now Generally Available

Conformity Terraform Template Scanner is now Generally Available with parity of coverage of the following Cloud Formation Template Scanner resource types:

Autoscaling Group
CF Stack
CloudTrail
Kinesis Stream
Lambda Function
SNS Topic
SQS Queue
API Gateway RestAPI
ELBv2
ES Domain
Workspaces
ELB Classic
Redshift Cluster
EMR Cluster
ElacticCache
EFS File System

Enable MFA for Azure VM privileged identities for enhanced security

Mon, 24 Jun 2024 00:00:00 GMT

June 24, 2024, Conformity—New Rules

Azure

VirtualMachines-041: Enable MFA for Privileged Identities with Access to Virtual Machines: Ensure that only MFA-enabled identities can access your Azure virtual machine (VM) instances.

Template Scanner now supports scanning provider-level tags in Terraform AWS provider block

Wed, 26 Jun 2024 00:00:00 GMT

June 26, 2024, Conformity—Template Scanner Updates

Template Scanner now supports scanning provider-level tags in Terraform AWS provider configuration block.

Red Hat Enterprise Linux 8.6 (PowerPC) Support Added in Deep Security Agent 20

Wed, 26 Jun 2024 00:00:00 GMT

June 26, 2024, Workload Security—Deep Security Agent version 20.0.1-12510 (20 LTS Update 2024-06-26) and later supports Red Hat Enterprise Linux 8.6 (PowerPC little-endian).

Updated validation logic for RDS Publicly Accessible security groups

Mon, 01 Jul 2024 00:00:00 GMT

July 01, 2024, Conformity—Bug Fix

AWS

RDS-008: RDS Publicly Accessible: Updated the rule logic to validate the security groups correctly.

Updated GCP account permissions feature new apigee.proxyrevisions.get permission

Mon, 01 Jul 2024 00:00:00 GMT

July 01, 2024, Conformity—GCP account permission list updated

New permissions

apigee.proxyrevisions.get

For the full list of required GCP permissions, see here.

Enhanced Webhook Communication with Static IP Allow-listing

Tue, 02 Jul 2024 00:00:00 GMT

July 02, 2024, Conformity—Communication Channels Update

Webhook Communication: You can now allow-list static IP addresses used by Webhook communication channel to ensure reliable connection from Conformity to your webhook endpoint. See Conformity IP addresses for more details.

Template Scanner now supports additional AWS S3 Terraform resources

Tue, 02 Jul 2024 00:00:00 GMT

July 02, 2024, Conformity—Template Scanner Updates

Template Scanner now supports `aws_s3_bucket_versioning`, `aws_s3_bucket_acl` and `aws_s3_bucket_logging` Terraform resources.

New GCP permissions added for account permission list

Wed, 03 Jul 2024 00:00:00 GMT

July 03, 2024, Conformity—GCP account permission list updated

New permissions

`bigtable.instances.list`
`bigtable.clusters.list`
`bigtable.instances.getIamPolicy`

For a full list of GCP permissions, see Add a GCP Account.

New GCP Rule for PostgreSQL Database Instances: Configure "log_statement" Flag for Compliance

Mon, 08 Jul 2024 00:00:00 GMT

July 08, 2024, Conformity—New Rule

GCP

CloudSQL-032:Configure "log_statement" Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have the appropriate configuration set for the 'log_statement' flag.

AWS Custom Policy Updated to Version 1.53 with Permissions Removal

Thu, 11 Jul 2024 00:00:00 GMT

July 11, 2024, Conformity—AWS Custom Policy Update

The Conformity AWS Custom Policy has been updated to version 1.53. The following permissions are removed:

`iam:GenerateServiceLastAccessedDetails`
`iam:GetServiceLastAccessedDetails`

Click here to access the latest custom policy.

For more information, refer to the AWS Custom Policy documentation.

Maintenance Scheduled for Trend Cloud One in US and Germany Regions on July 20, 2024

Fri, 12 Jul 2024 00:00:00 GMT

July 12, 2024, General—System maintenance for Trend Cloud One is scheduled for US region (us-1) and Germany region (de-1) between 03:00 and 10:00 UTC on Saturday, July 20, 2024. During this maintenance period, console and API access for some Trend Cloud One services will be unavailable. For more information or to be notified of scheduled maintenance, see Trend Cloud One maintenance.

Improved handling of API timeouts for Azure Sql-007 Threat Detection Types

Mon, 15 Jul 2024 00:00:00 GMT

July 15, 2024, Conformity—Upcoming Rule Update

Azure

Sql-007: Enable All Threat Detection Types: Improved this rule to smoothly handle API timeout.

Template Scanner now supports new Terraform resources for AWS configurations

Wed, 17 Jul 2024 00:00:00 GMT

July 17, 2024, Conformity—Template Scanner Updates

Template Scanner now supports the following Terraform resources.

`aws_rds_cluster_instance`
`aws_security_group`
`aws_vpc_security_group_ingress_rule`

Deep Security Agent now displays most recent component update date

Wed, 17 Jul 2024 00:00:00 GMT

July 17, 2024, Workload Security—Deep Security Agent shows the date for the most recent component update.

Agent testing connection to management server for enhanced security maintenance

Wed, 17 Jul 2024 00:00:00 GMT

July 17, 2024, Workload Security—Deep Security Agent can test the connection to the management server.

Customize malware detection messages in Deep Security console

Wed, 17 Jul 2024 00:00:00 GMT

July 17, 2024, Workload Security—Deep Security can show customized malware detection messages. Set up custom messages in the management console (Administration > System Settings > Agents > Agent Notification).

File Storage Security now supports Calgary region on AWS

Fri, 19 Jul 2024 00:00:00 GMT

July 19, 2024, File Storage Security—File Storage Security now supports the Calgary (ca-west-1) region on AWS. For more information, see What's supported in AWS.

SUSE Linux Enterprise Server 15 Arm v8 support added in Deep Security Agent

Sat, 20 Jul 2024 00:00:00 GMT

July 20, 2024, Workload Security—Deep Security Agent version 20.0.1-14610 (20 LTS Update 2024-07-20) and later supports SUSE Linux Enterprise Server 15 for Arm v8. This requires Deep Security Manager version 20.0.935 or later.

Updated Replay API endpoint now supports replaying checks for account with org-level setting

Mon, 22 Jul 2024 00:00:00 GMT

Updated the Replay API endpoint to support replaying checks for an account using organisation-level communication setting.

Updated encryption validation for GKE clusters' application-layer secrets

Tue, 30 Jul 2024 00:00:00 GMT

July 30, 2024, Conformity—Bug Fix

GCP

GKE-002: Enable Encryption for Application-Layer Secrets for GKE Clusters: Updated the rule logic to validate the Application-layer secrets encryption correctly.

Azure Machine Learning Workspaces now require High Business Impact for sensitive data

Tue, 30 Jul 2024 00:00:00 GMT

July 30, 2024, Conformity—New Rule

Azure

MachineLearning-001: Enable High Business Impact for Machine Learning Workspaces: This rule ensures that High Business Impact (HBI) feature is enabled for Azure Machine Learning (ML) workspaces with sensitive data to limit the data collection by Microsoft Azure for diagnostic purposes.

Updated Azure AppService rule to validate incoming client certificates correctly

Wed, 31 Jul 2024 00:00:00 GMT

July 31, 2024, Conformity—Bug Fix

Azure

AppService-008: Check that the Azure App requests incoming client certificates: Updated the rule logic to validate the configuration of incoming client cetrificates correctly.

Updated Rule Mapping in CIS Azure Benchmarks for Immutable Blob Storage

Wed, 31 Jul 2024 00:00:00 GMT

July 31, 2024, Conformity—Standards and Frameworks

We have updated the rule mapping by removing rule StorageAccounts-012:Enable Immutable Blob Storage from control 3.12 of the following standards:

CIS Microsoft Azure Foundations Benchmark v1.5.0
CIS Microsoft Azure Foundations Benchmark v2.0.0

Amazon Bedrock guardrails now protect agent sessions

Thu, 01 Aug 2024 00:00:00 GMT

August 01, 2024, Conformity—New Rule

AWS

Bedrock-002: Use Guardrails to Protect Agent Sessions: This rule ensures that your Amazon Bedrock guardrails are protecting agent sessions.

Use Customer-Managed Keys to Encrypt Amazon Bedrock Guardrails in AWS

Thu, 01 Aug 2024 00:00:00 GMT

August 01, 2024, Conformity—New Rule

AWS

Bedrock-003: Use Customer-Managed Keys to Encrypt Amazon Bedrock Guardrails: This rule ensures that your Amazon Bedrock guardrails are encrypted with Amazon KMS Customer Managed Keys (CMKs) instead of AWS managed keys.

Enable Defender for APIs in Azure API Management Services

Wed, 07 Aug 2024 00:00:00 GMT

August 07, 2024, Conformity—New Rule

Azure

SecurityCenter-042: Enable Defender for APIs: This rule ensures that Defender for APIs, a feature of Microsoft Defender for Cloud, is enabled for your Azure API Management services.

New Azure Rules for Enhanced Data Security and Compliance

Thu, 08 Aug 2024 00:00:00 GMT

August 08, 2024, Conformity—New Rules

Azure

MachineLearning-004: Machine Learning Workspace Encryption using Customer-Managed Keys: This rule ensures that Azure Machine Learning workspaces are using Customer Managed Keys (CMKs) for encryption.
AIServices-001: Use Private Endpoints for OpenAI Service Instances: This rule ensures that network access to OpenAI service instances is allowed via private endpoints only.
AIServices-005: OpenAI Encryption using Customer-Managed Keys: This rule ensures that Azure OpenAI service instances are using Customer-Managed Keys (CMKs) for encryption.

New "logging.logEntries.list" permission added to GCP account permission list

Fri, 09 Aug 2024 00:00:00 GMT

August 09, 2024, Conformity—GCP account permission list updated

New permission "logging.logEntries.list" is added. For the full list of required GCP permissions, see here.

Enable Managed Virtual Network Isolation with Internet Outbound Access in Azure Machine Learning

Mon, 12 Aug 2024 00:00:00 GMT

August 12, 2024, Conformity—New Rule

Azure

MachineLearning-005: Enable Managed Virtual Network Isolation with Internet Outbound Access: This rule ensures that managed virtual network (managed VNet) isolation with Internet outbound is enabled.

Enhanced Security with Public Network Access Disabled for Azure OpenAI Instances

Mon, 12 Aug 2024 00:00:00 GMT

August 12, 2024, Conformity—New Rule

Azure

AIServices-002: Disable Public Network Access to OpenAI Service Instances: This rule ensures that public network access (i.e. all network access) to Microsoft Azure OpenAI service instances is disabled in order to enhance security by preventing unauthorized access.

Updated Compliance Reports with CIS Azure Benchmarks v2.1.0 Available Now

Mon, 12 Aug 2024 00:00:00 GMT

August 12, 2024, Conformity—Standards and Compliance Reports

We've updated our compliance standards to meet the Center of Internet Security (CIS) Foundations Benchmarks for Azure. You can now filter Checks and download Compliance Reports to ensure your cloud environment complies with the latest CIS Foundations Benchmarks.

CIS Microsoft Azure Foundations Benchmark v2.1.0

You can view the CIS certifications awarded to Trend Micro Cloud One - Conformity on the CIS partner website and find out more about Compliance and Conformity in our documentation.

As of 04 November 2024, the following compliance standard will be deprecated:

CIS Microsoft Azure Foundations Benchmark v1.5.0

This deprecated compliance standard will no longer be accessible in the filters, preventing the creation of new reports or report-configurations with this outdated standard. If any existing report configurations include the deprecated compliance standard, it will not be possible to generate new PDF/CSV reports. However, the list of previously generated PDF/CSV reports remains available. We recommend updating your report configurations to use the latest versions of the CIS Microsoft Azure Foundations Benchmark by 04 November 2024.

Enhanced Security with Customer-Managed Keys in Amazon Bedrock

Mon, 12 Aug 2024 00:00:00 GMT

August 12, 2024, Conformity—New Rules

AWS

Bedrock-001: Use Customer-Managed Keys to Encrypt Agent Sessions: This rule ensures that your Amazon Bedrock agent session data are encrypted with Amazon KMS Customer Managed Keys (CMKs) instead of AWS managed keys.
Bedrock-004: Use Customer-Managed Keys to Encrypt Custom Models: This rule snsures that your Amazon Bedrock custom models are encrypted with Amazon KMS Customer-Managed Keys (CMKs) instead of AWS-managed keys.
Bedrock-005: Use Customer-Managed Keys to Encrypt Knowledge Base Transient Data: This rule ensures that your Amazon Bedrock knowledge base transient data are encrypted with Amazon KMS Customer Managed Keys (CMKs) instead of AWS managed keys.
Bedrock-006: Use Customer-Managed Keys to Encrypt Amazon Bedrock Studio Workspaces: This rule ensures that Bedrock Studio workspaces are encrypted with Amazon KMS Customer Managed Keys (CMKs).

Diagnostic Logs Enabled for Azure OpenAI Service Instances

Tue, 13 Aug 2024 00:00:00 GMT

August 13, 2024, Conformity—New Rules

Azure

AIServices-003: Enable Diagnostic Logs for OpenAI Service Instances: This rule ensures that Diagnostic Logs are enabled for your Azure OpenAI service instances.

Updated AWS Custom Policy with New Permissions Available

Tue, 13 Aug 2024 00:00:00 GMT

August 13, 2024, Conformity—AWS Custom Policy Update

The Conformity AWS custom policy has been updated. The new custom policy version is 1.56 and the permissions added are:

ec2:DescribeVpcEndpointConnections
ec2:DescribeVpcEndpointServices

Click here to access the new custom policy.

Azure OpenAI Service Instances now required to use Managed Identities

Wed, 14 Aug 2024 00:00:00 GMT

August 14, 2024, Conformity—New Rules

Azure

AIServices-004: Use Managed Identities for OpenAI Service Instances: This rule ensures that Azure OpenAI service instances are using managed identities.

AWS Custom Policy Updated with New Permissions

Wed, 14 Aug 2024 00:00:00 GMT

August 14, 2024, Conformity—AWS Custom Policy Update

The Conformity AWS custom policy has been updated. The new custom policy version is 1.58 and the permissions added are:

bedrock:ListKnowledgeBases
bedrock:GetKnowledgeBases

Click here to access the new custom policy.

Rule Update for AWS VPC Endpoint Cross Account Access Check Generation

Thu, 15 Aug 2024 00:00:00 GMT

August 15, 2024, Conformity—Rule Update

AWS

VPC-006: VPC Endpoint Cross Account Access: Update the rule to generate checks correctly.

New GCP account permission added: notebooks.instances.getIamPolicy

Thu, 15 Aug 2024 00:00:00 GMT

August 15, 2024, Conformity—Updated GCP account permission list

We've added the following new GCP account permission:

`notebooks.instances.getIamPolicy`

For a full list of GCP permissions, see Add a GCP Account.

Conformity now allows customization of Idle days for AWS EBS volumes

Thu, 15 Aug 2024 00:00:00 GMT

August 15, 2024, Conformity—Rule Update

AWS

EBS-008: Idle EBS Volume: Updated the rule to make Idle days for EBS volumes configurable via a new parameter in the rule settings, allowing customization based on specific requirements.

Google Cloud Vertex AI offers encryption with Customer-Managed Encryption Keys

Tue, 20 Aug 2024 00:00:00 GMT

August 20, 2024, Conformity—New Rule

GCP

VertexAI-001: Vertex AI Dataset Encryption with Customer-Managed Encryption Keys (not scored): Ensure that your Google Cloud Vertex AI datasets are encrypted using Customer-Managed Encryption Keys (CMEKs) in order to have full control over data encryption and decryption process. You can create and manage your own Customer-Managed Encryption Keys with Cloud Key Management Service (Cloud KMS).

AWS Conformity updates rule for OpenSearch Version to 2.13

Wed, 21 Aug 2024 00:00:00 GMT

August 21, 2024, Conformity—Upcoming Rule Update

AWS

ES-007: OpenSearch Version: Updated the version specified in the checking rule from OpenSearch_2.11 to OpenSearch_2.13.

Updated GCP Permissions and New Rule for Vertex AI Workbench Instances

Wed, 28 Aug 2024 00:00:00 GMT

August 28, 2024, Conformity—Updated GCP account permission list

We've added the following new GCP account permission:

`notebooks.instances.list`

For a full list of GCP permissions, see Add a GCP Account.

New Rule

GCP

VertexAI-002:Disable Root Access for Workbench Instances: This rule ensures that root access is disabled for Vertex AI Workbench Instances.

Azure now defaults to Express configuration for vulnerability assessment emails

Thu, 29 Aug 2024 00:00:00 GMT

August 29, 2024, Conformity—Rule Update

Azure

Sql-008: Configure Emails for Vulnerability Assessment Scan Reports and Alerts: Updated this rule to a not scored rule. Azure supports vulnerability assessment with `express` and `classic` configurations. Express configuration is now the default procedure and there is no need to configure notification setting with the email addresses. There is no way to check if the vulnerability assessment configuration is `express` or `classic` via API

Enable Secure Boot for Vertex AI Workbench Instances

Mon, 02 Sep 2024 00:00:00 GMT

September 02, 2024, Conformity—New Rule

GCP

VertexAI-003:Enable Secure Boot for Workbench Instances: This rule ensures that Secure Boot is enabled for your Vertex AI workbench instances.

Configure Sensitive Information Filters for Amazon Bedrock Guardrails in Conformity

Tue, 03 Sep 2024 00:00:00 GMT

September 03, 2024, Conformity—New Rule

AWS

Bedrock-007: Configure Sensitive Information Filters for Amazon Bedrock Guardrails: Ensure that Amazon Bedrock guardrails are configured to block or mask sensitive information such as Personally Identifiable Information (PII).

Enable Integrity Monitoring for Vertex AI Workbench Instances

Tue, 03 Sep 2024 00:00:00 GMT

September 03, 2024, Conformity—New Rule

GCP

VertexAI-007:Enable Integrity Monitoring for Workbench Instances: This rule ensures that the integrity monitoring is enabled for Vertex AI Workbench Instances.

Upgrade Conformity GCP RTM Configuration for Node.js 16 Decommissioning

Wed, 04 Sep 2024 00:00:00 GMT

September 04, 2024, Conformity—Reminder: Upgrade existing configuration for Google Cloud Platform (GCP) RTM

The Cloud Functions runtime version used for old Conformity RTM is Node.js 16 and will be decommissioned by Google Cloud on 30 January 2025. This change will affect Conformity GCP Real Time Monitoring (RTM) configurations but does not immediately affect the existing Conformity customers.

We have released the GCP Real-Time Monitoring installation template to use the latest 1st generation Runtime version on 2024-06-18.

Please follow the Real-time Monitoring Settings > RTM for GCP to install RTM for GCP again to upgrade the existing configuration before 30 January 2025.

Enable Virtual Trusted Platform Module (vTPM) for Vertex AI Workbench Instances

Thu, 05 Sep 2024 00:00:00 GMT

September 05, 2024, Conformity—New Rule

GCP

VertexAI-004:Enable Virtual Trusted Platform Module (vTPM) for Workbench Instances: This rule ensures that vTPM is enabled for your Vertex AI workbench instances.

VertexAI-006: Encrypt Workbench Instances with Customer-Managed Keys

Thu, 05 Sep 2024 00:00:00 GMT

September 05, 2024, Conformity—New Rule

GCP

VertexAI-006: Workbench Instance Encryption with Customer-Managed Encryption Keys: This rule ensures that your Google Cloud Vertex AI workbench instances are encrypted using Customer-Managed Encryption Keys (CMEKs).

New Managed Identity Options for Azure API Management Services

Thu, 05 Sep 2024 00:00:00 GMT

September 05, 2024, Conformity—New Rule

Azure

APIManagement-010: Use System-Assigned Managed Identities for Azure API Management Services: Ensure that your Azure API Management service instances are using system-assigned managed identities in order to allow secure access to other Microsoft Azure protected resources such as Azure Key Vaults. System-assigned managed identities minimizes risks, simplifies management, and maintains compliance with evolving cloud services.
APIManagement-011: Use User-Assigned Managed Identities for Azure API Management Services: Ensure that your Azure API Management service instances are using user-assigned managed identities for fine-grained control over access permissions.

Automatic Upgrades for Vertex AI Workbench Instances Enabled in Conformity

Thu, 05 Sep 2024 00:00:00 GMT

September 05, 2024, Conformity—New Rule

GCP

VertexAI-005: Enable Automatic Upgrades for Workbench Instances: This rule ensures that the automatic upgrades are enabled for Vertex AI Workbench Instances.

Enhanced Rule Mapping with New Encryption Requirements for Azure Compliance Standards

Mon, 09 Sep 2024 00:00:00 GMT

September 09, 2024, Conformity—Standards and Compliance Reports

We have updated the rule mapping by adding rules VirtualMachines-038:Server Side Encryption for Non-Boot Disk using CMK and VirtualMachines-039:Server Side Encryption for Boot Disk using CMK to the control 7.2/7.3 of the following standards:

CIS Microsoft Azure Foundations Benchmark v1.5.0
CIS Microsoft Azure Foundations Benchmark v2.0.0
CIS Microsoft Azure Foundations Benchmark v2.1.0

Enable Cloud Monitoring for Vertex AI Workbench Instances

Mon, 09 Sep 2024 00:00:00 GMT

September 09, 2024, Conformity—New Rule

GCP

VertexAI-009: Enable Cloud Monitoring for Workbench Instances: Ensure that Cloud Monitoring feature is enabled for your Vertex AI workbench instances.

Enable Idle Shutdown for Vertex AI Workbench Instances Available with New Rule

Mon, 09 Sep 2024 00:00:00 GMT

September 09, 2024, Conformity—New Rule

GCP

VertexAI-008:Enable Idle Shutdown for Workbench Instances: This rule ensures that idle shutdown is enabled for your Vertex AI workbench instances.

New Rule Enforces Avoidance of Default VPC Network for Workbench Instances

Tue, 10 Sep 2024 00:00:00 GMT

September 10, 2024, Conformity—New Rule

GCP

VertexAI-010: Default VPC Network In Use: This rule ensures that your Workbench Instances are not created in the default Virtual Private Cloud (VPC) network.

Prevent External IP Assignments in VertexAI Notebooks

Tue, 10 Sep 2024 00:00:00 GMT

September 10, 2024, Conformity—New Rule

GCP

VertexAI-011: Prevent Assigning External IPs to Notebook Instances: This rule ensures that external IP addresses are not assigned to your Google Cloud Vertex AI workbench instances.

Update to Azure AIServices-001 Rule for Improved Check Generation

Mon, 16 Sep 2024 00:00:00 GMT

September 16, 2024, Conformity—Rule Update

Azure

AIServices-001: Use Private Endpoints for OpenAI Service Instances: Update the rule to generate checks correctly.

Azure Vulnerability Assessment Rule Updates for SQL Servers

Mon, 23 Sep 2024 00:00:00 GMT

September 23, 2024, Conformity—Rule Update

Azure

Sql-009: Enable Vulnerability Assessment Email Notifications for Admins and Subscription Owners:

Sql-017: Enable Vulnerability Assessment for Microsoft SQL Servers:

Sql-018: Enable Vulnerability Assessment Periodic Recurring Scans: Updated this rule to a not scored rule. Azure supports vulnerability assessment with `express` and `classic` configurations. Express configuration is now the default procedure and there is no need to configure notification setting with the email addresses. There is no way to check if the vulnerability assessment configuration is `express` or `classic` via API.

Deep Security Agent now supports Ubuntu 24.04 with Secure Boot compatibility

Wed, 25 Sep 2024 00:00:00 GMT

September 25, 2024, Workload Security—Deep Security Agent version 20.0.1-19250 (20 LTS Update 2024-09-18) and later supports Ubuntu 24.04, including Secure Boot. This requires Deep Security Manager version 20.0.954 or later.

Updated Service Now Connector to Xanadu Version Available in Service Now Store

Tue, 01 Oct 2024 00:00:00 GMT

October 01, 2024, Conformity—We've upgraded the Service Now connector from Vancouver version to the latest Xanadu version and you can access it through the Service Now Store under Integrations.

Amazon SageMaker now supports VPC-only mode for notebook instances

Tue, 01 Oct 2024 00:00:00 GMT

October 01, 2024, Conformity—New Rule

AWS

SageMaker-006: Notebook in VPC Only mode can access required resources: This rule ensures that Amazon SageMaker notebook instances running within a Virtual Private Cloud (VPC) can access required resources.

AWS Lambda Update: Python 3.8 Support Removed

Tue, 08 Oct 2024 00:00:00 GMT

October 08, 2024, Conformity—Upcoming Rule Update

The following rule update will be released soon. These changes may affect your checks and compliance scores:

AWS

Lambda-012: Lambda Using Supported Runtime Environment: Removed 'Python 3.8' from the list of supported runtime versions. See AWS documentation - Lambda runtimes for further details.

AWS Custom Policy Update: New Permission Added for bedrock:ListFoundationModels

Tue, 08 Oct 2024 00:00:00 GMT

October 08, 2024, Conformity—AWS Custom Policy Update

The Conformity AWS custom policy will be updated soon. The new custom policy version will be 1.59 and the permissions added are:

bedrock:ListFoundationModels

Click here to access the new custom policy.

Enhanced Standards and Compliance Reporting with 5 Cloud Provider Tags per Check

Mon, 14 Oct 2024 00:00:00 GMT

October 14, 2024, Conformity—Standards and Compliance Reports

As of 21 October 2024, PDF report generated with individual checks will display a maximum of 5 cloud provider tags per check. To view a complete list of all associated tags, please refer to CSV report.

Conformity Introduces AWS Custom Policy Update with New Permissions

Mon, 14 Oct 2024 00:00:00 GMT

October 14, 2024, Conformity—AWS Custom Policy Update

The Conformity AWS custom policy will be updated soon. The new custom policy version will be 1.60 and the permissions added are:

sagemaker:ListModels
sagemaker:DescribeModel

Click here to access the new custom policy.

AWS Lambda Runtime Update to Exclude Python 3.8 Support

Mon, 14 Oct 2024 00:00:00 GMT

October 14, 2024, Conformity— Rule Update

AWS

Lambda-012: Lambda Using Supported Runtime Environment: Removed 'Python 3.8' from the list of supported runtime versions. See AWS documentation - Lambda runtimes for further details.

Scheduled Maintenance for Trend Cloud One Services on October 19, 2024

Sat, 19 Oct 2024 00:00:00 GMT

October 19, 2024, General—System maintenance for Trend Cloud One is scheduled for all regions between 03:00 and 10:00 UTC on Saturday, October 19, 2024. During this maintenance period, console and API access for some Trend Cloud One services will be unavailable. For more information or to be notified of scheduled maintenance, see Trend Cloud One Maintenance.

Enhanced Standards Reports with Cloud Provider Tags Limit

Tue, 22 Oct 2024 00:00:00 GMT

October 22, 2024, Conformity—Standards and Compliance Reports

Following up on previous notification (14 October 2024), Effective October 22 2024, PDF report generated with individual checks display a maximum of 5 cloud provider tags per check. To view a complete list of all associated tags, please refer to CSV report.

Conformity AWS Custom Policy Updated with New Permissions

Wed, 23 Oct 2024 00:00:00 GMT

October 23, 2024, Conformity—AWS Custom Policy Update

The Conformity AWS custom policy has been updated. The new custom policy version is 1.62 and the permissions added are:

bedrock:ListAgentKnowledgeBases
bedrock:GetAgentKnowledgeBase

Click here to access the new custom policy.

Updated Compliance Standards to Meet CIS Foundations Benchmarks for AWS

Thu, 24 Oct 2024 00:00:00 GMT

October 24, 2024, Conformity—Updated Compliance Standards: CIS Foundations Benchmarks

We've updated our compliance standards to meet the Center of Internet Security (CIS) Foundations Benchmarks for AWS. You can now filter Checks and download Compliance Reports to ensure your cloud environment complies with the latest CIS Foundations Benchmarks.

CIS Amazon Web Services Foundations Benchmark v3.0.0

You can view the CIS certifications awarded to Trend Micro Cloud One - Conformity on the CIS partner website and find out more about Compliance and Conformity in our documentation.

New AWS Lambda runtime versions Python 3.14 and Nodejs.22 added

Thu, 31 Oct 2024 00:00:00 GMT

October 31, 2024, Conformity—Rule Update

AWS

Lambda-012: Lambda Using Supported Runtime Environment: Added 'Python 3.14' and 'Nodejs.22' to the list of supported runtime versions. See AWS documentation - Lambda runtimes for further details.

Red Hat Enterprise Linux 9 (PowerPC) support for Deep Security Agent

Thu, 31 Oct 2024 00:00:00 GMT

October 31, 2024, Workload Security—Deep Security Agent version 20.0.1-21510 (20 LTS Update 2024-10-31) and later supports Anti-Malware, Activity Monitoring, and SAP Scanner for Red Hat Enterprise Linux 9 (PowerPC little-endian). This requires Deep Security Manager version 20.0.979 or later.

AWS ElastiCache Engine Update to Latest Version Available for EC-013 Compliance

Mon, 04 Nov 2024 00:00:00 GMT

November 04, 2024, Conformity—Rule Update

AWS

EC-013: ElastiCache Engine Using Stable Version: Added Valkey and update Redis/Memcached to latest version. See AWS documentation - ElastiCache Engine for further details.

Deprecated CIS Microsoft Azure Foundations Benchmark v1.5.0 for Compliance Reports

Thu, 07 Nov 2024 00:00:00 GMT

November 07, 2024, Conformity—Standards and Compliance Reports

Following up on previous notification (12 August 2024), as of 07 November 2024, the following compliance standard have been deprecated:

CIS Microsoft Azure Foundations Benchmark v1.5.0

AWS ElastiCache Engine Updated with Valkey Support and Latest Redis/Memcached Versions

Mon, 11 Nov 2024 00:00:00 GMT

November 11, 2024, Conformity—Rule Update

AWS

EC-013: ElastiCache Engine Using Stable Version: Added Valkey support and update Redis/Memcached to latest version. See AWS documentation - ElastiCache Engine for further details.

Enhanced Rule Mapping for CIS AWS Foundations Benchmark Compliance

Thu, 14 Nov 2024 00:00:00 GMT

November 14, 2024, Conformity—Standards and Compliance Reports

We have updated the rule mapping, and the rule SecurityHub-002: Security Hub Enabled is now displayed under Control 4.16 of the following standard:

CIS Amazon Web Services Foundations Benchmark v3.0.0

Updated GCP Account Permissions with New 'artifactregistry.dockerimages.list' Permission

Thu, 21 Nov 2024 00:00:00 GMT

November 21, 2024, Conformity—GCP account permission list updated

New permissions

`artifactregistry.dockerimages.list`

For a full list of GCP permissions, see Add a GCP Account.

Updated rule logic for CloudVPC-006 to validate DNS Logging configuration

Tue, 26 Nov 2024 00:00:00 GMT

November 26, 2024, Conformity—Bug Fix

GCP

CloudVPC-006: Updated the rule logic to validate the configuration of DNS Logging is enabled correctly will be updated soon.

Improved Endpoint Address Inference for RDS DB Clusters and Instances

Tue, 26 Nov 2024 00:00:00 GMT

November 26, 2024, Conformity—Template Scanner Updates

Fixed an issue where the Endpoint address was being inferred incorrectly and set as resource name for RDS DB Clusters and Instances.

AWS Lambda Runtime Environment Versions Updated to Latest for Conformity Feature

Thu, 28 Nov 2024 00:00:00 GMT

November 28, 2024, Conformity—Rule Update

AWS

Lambda-001: Lambda Runtime Environment Version: Removed 'nodejs20.x', 'python 3.12' and added 'nodejs22.x', 'python 3.13' to the default recommended list of latest runtime versions.

Updates to AWS RDS Encryption Rule: New notifications for failed checks

Thu, 28 Nov 2024 00:00:00 GMT

November 28, 2024, Conformity—Upcoming Rule Update

AWS

RDS-004: RDS Encryption Enabled: Updated the rule to generate checks correctly. You may receive a new notification for existing instances for failed checks.

Enhanced CPU Usage Control for Linux Agents in Trend Cloud One

Fri, 29 Nov 2024 00:00:00 GMT

November 29, 2024, Workload Security—On Linux, Deep Security Agents with Anti-Malware and Activity Monitoring enabled can now control the CPU usage in Trend Cloud One - Endpoint & Workload Security. This requires Deep Security Agent version 20.0.1-4540 (20 LTS Update 2024-03-20) or later.

Updated CloudVPC-006 rule logic for correct DNS Logging configuration validation

Mon, 02 Dec 2024 00:00:00 GMT

December 02, 2024, Conformity—Bug Fix

GCP

CloudVPC-006: Updated the rule logic to validate the configuration of DNS Logging is enabled correctly.

Cloudformation Template Scanner Excludes ELBv2-004 and ELBv2-008 Rules

Mon, 02 Dec 2024 00:00:00 GMT

December 02, 2024, Conformity—Bug Fix

Template Scanner Updates

Cloudformation Template Scanner has been updated to exclude rules ELBv2-004 and ELBv2-008. These rules cannot run as they require knowledge of the TargetGroup TargetHealth, which is unknown before the template is deployed.

Upgrade Google Cloud Platform RTM Configuration to Node.js 16 by 30 January 2025

Mon, 02 Dec 2024 00:00:00 GMT

December 02, 2024, Conformity—Reminder: Upgrade existing configuration for Google Cloud Platform (GCP) RTM

We have released the GCP Real-Time Monitoring installation template to use the latest 1st generation Runtime version on 2024-06-18.

Please follow the Real-time Monitoring Settings > RTM for GCP to install RTM for GCP again to upgrade the existing configuration before 30 January 2025.

Updated HITRUST CSF v11.3.0 Compliance Standards and Reports

Tue, 03 Dec 2024 00:00:00 GMT

December 03, 2024, Conformity—Standards and Compliance Reports

Updated the following Compliance Standards and Reports:

HITRUST CSF v11.3.0

AWS GuardDuty now monitors S3 Protection feature for enhanced security detection

Wed, 04 Dec 2024 00:00:00 GMT

December 04, 2024, Conformity—New Rule

AWS

GD-004: Ensure that the S3 Protection feature is enabled for your Amazon GuardDuty detectors: S3 Protection enables GuardDuty to monitor object-level API operations in order to identify potential security risks for data stored within your S3 buckets.

Enable Malware Protection for EC2 in Amazon GuardDuty detectors

Wed, 04 Dec 2024 00:00:00 GMT

December 04, 2024, Conformity—New Rule

AWS

GD-005: Ensure that Malware Protection for EC2 is enabled for your Amazon GuardDuty detectors: Malware Protection for EC2 helps detect potential malware in Amazon EC2 instances.

Compliance Reports and Standards Filtering for AWS, Azure, and GCP Cloud Environments

Wed, 04 Dec 2024 00:00:00 GMT

December 04, 2024, Conformity—Standards and Compliance Reports

You can now filter Checks and download Compliance Reports to ensure your AWS, Azure and GCP cloud environments comply with the following standards:

AusGov ISM Sep 2024

New GCP Rule Ensures Functions Use Latest Runtime Version

Thu, 05 Dec 2024 00:00:00 GMT

December 05, 2024, Conformity—New Rule

GCP

CloudFunction-001: GCP Function Runtime Version: This rule ensures that GCP functions are using the latest language runtime version available.

Fixed Template Scanner API errors for parameter arguments and awsNotificationArns pseudoArguments

Fri, 06 Dec 2024 00:00:00 GMT

December 06, 2024, Conformity—Bug Fixes

Template Scanner

Fixed an issue where Vision One Template Scanner API would incorrectly return an error when an argument for a parameter was passed as a number.
Fixed an issue where Vision one Template Scanner API would incorrectly return an error when pseudoArguments for `awsNotificationArns` was passed as an array of strings.

Updated AWS, Azure, and GCP Rules for Enhanced Cloud Security

Wed, 11 Dec 2024 00:00:00 GMT

December 11, 2024, Conformity—Rules Update

AWS

EC2-011: vCPU-Based EC2 Instance Limit: Updated the rule title from 'Account Instance Limit' to 'vCPU-Based EC2 Instance Limit'.

S3-019: S3 Buckets with Website Hosting Configuration Enabled: Updated the rule title from 'S3 Buckets with Website Configuration Enabled' to 'S3 Buckets with Website Hosting Configuration Enabled'.

S3-028: Enable S3 Bucket Keys: Updated the rule title from 'Enable Amazon S3 Bucket Keys' to 'Enable S3 Bucket Keys'.

RDS-036: Amazon RDS Configuration Changes: Updated the rule title from 'RDS Configuration Changes' to 'Amazon RDS Configuration Changes'.

RDS-041: Enable Instance Storage AutoScaling: Updated the rule title from 'Enable Amazon RDS Storage AutoScaling' to 'Enable Instance Storage AutoScaling'.

IAM-013: Enable MFA for IAM Users with Console Password: Updated the rule title from 'MFA For IAM Users With Console Password' to 'Enable MFA for IAM Users with Console Password'.

IAM-023: Check for Individual IAM Users: Updated the rule title from 'IAM User Present' to 'Check for Individual IAM Users'.

IAM-036: IAM Users with Administrative Privileges: Updated the rule title from 'AWS IAM Users with Admin Privileges' to 'IAM Users with Administrative Privileges'.

IAM-046: IAM Support Role: Updated the rule title from 'Support Role' to 'IAM Support Role'.

IAM-056: IAM CreateLoginProfile detected: Updated the rule title from 'CreateLoginProfile Detected' to 'IAM CreateLoginProfile detected'.

IAM-066: IAM Groups with Administrative Privileges: Updated the rule title from 'AWS IAM Groups with Admin Privileges' to 'IAM Groups with Administrative Privileges'.

KMS-007: Monitor AWS KMS Configuration Changes: Updated the rule title from 'AWS Key Management Service (KMS) Configuration Changes' to 'Monitor AWS KMS Configuration Changes'.

CFM-004: CloudFormation Stack Failed Status: Updated the rule title from 'Stack Failed Status' to 'CloudFormation Stack Failed Status'.

ES-008: Total Number of OpenSearch Cluster Nodes: Updated the rule title from 'OpenSearch Instance Counts' to 'Total Number of OpenSearch Cluster Nodes'.

ES-009: OpenSearch Desired Instance Type(s): Updated the rule title from 'OpenSearch Desired Instance Type' to 'OpenSearch Desired Instance Type(s)'.

ES-013: OpenSearch Domains Encrypted with KMS CMKs: Updated the rule title from 'OpenSearch Domain Encrypted with KMS CMKs' to 'OpenSearch Domains Encrypted with KMS CMKs'.

SageMaker-002: Notebook Data Encrypted With KMS Customer Managed Keys: Updated the rule title from 'Notebook Data Encrypted With KMS Customer Master Keys' to 'Notebook Data Encrypted With KMS Customer Managed Keys'.

SageMaker-004: Disable Direct Internet Access for Notebook Instances: Updated the rule title from 'Notebook Direct Internet Access' to 'Disable Direct Internet Access for Notebook Instances'.

SageMaker-007: Disable Root Access for SageMaker Notebook Instances: Updated the rule title from 'SageMaker Notebook Root Access' to 'Disable Root Access for SageMaker Notebook Instances'.

Neptune-005: IAM Database Authentication for Neptune: Updated the rule title from 'IAM Database Authentication' to 'IAM Database Authentication for Neptune'.

ECR-003: Enable Automated Scanning for Amazon ECR Container Images: Updated the rule title from 'Enable Scan on Push for ECR Container Images' to 'Enable Automated Scanning for Amazon ECR Container Images'.

Backup-001: Use AWS Backup Service in Use for Amazon RDS: Updated the rule title from 'Snapshot Backup Service' to 'Use AWS Backup Service in Use for Amazon RDS'.

StorageGateway-001: Use KMS Customer Master Keys for AWS Storage Gateway File Shares: Updated the rule title from 'File Shares Encrypted With CMK' to 'Use KMS Customer Master Keys for AWS Storage Gateway File Shares'.

ECS-001: Monitor Amazon ECS Configuration Changes: Updated the rule title from 'ECS Configuration Changes' to 'Monitor Amazon ECS Configuration Changes'.

ECS-002: Amazon ECS Task Log Driver in Use: Updated the rule title from 'ECS Task Log Driver In Use' to 'Amazon ECS Task Log Driver in Use'.

WellArchitected-001: AWS Well-Architected Tool in Use: Updated the rule title from 'AWS Well-Architected Tool Is In Use' to 'AWS Well-Architected Tool in Use'.

Bedrock-007: Configure Sensitive Information Filters for Amazon Bedrock Guardrails: Updated the rule title from 'Guardrail set to mask or block PII' to 'Configure Sensitive Information Filters for Amazon Bedrock Guardrails'.

Azure

StorageAccounts-001: Enable Secure Transfer in Azure Storage: Updated the rule title from 'Secure Transfer for Azure storage account' to 'Enable Secure Transfer in Azure Storage'.

StorageAccounts-003: Enable Logging for Azure Storage Queue Service: Updated the rule title from 'Storage Logging For Queue Service' to 'Enable Logging for Azure Storage Queue Service'.

StorageAccounts-005: Allow Shared Access Signature Tokens Over HTTPS Only: Updated the rule title from 'Shared Access Signature Tokens Are Allowed Only Over Https' to 'Allow Shared Access Signature Tokens Over HTTPS Only'.

SecurityCenter-002: Enable Automatic Provisioning of the Monitoring Agent: Updated the rule title from 'Automatic Provisioning Of The Monitoring Agent' to 'Enable Automatic Provisioning of the Monitoring Agent'.

MySQL-001: Enable In-Transit Encryption for MySQL Servers: Updated the rule title from 'SSL Connection' to 'Enable In-Transit Encryption for MySQL Servers'.

PostgreSQL-001: Enable 'LOG_CHECKPOINTS' Parameter for PostgreSQL Servers: Updated the rule title from 'Log Checkpoints' to 'Enable 'LOG_CHECKPOINTS' Parameter for PostgreSQL Servers'.

PostgreSQL-002: Enable In-Transit Encryption for PostgreSQL Database Servers: Updated the rule title from 'SSL Connection' to 'Enable In-Transit Encryption for PostgreSQL Database Servers'.

PostgreSQL-003: Enable 'LOG_CONNECTIONS' Parameter for PostgreSQL Servers: Updated the rule title from 'Log Connections' to 'Enable 'LOG_CONNECTIONS' Parameter for PostgreSQL Servers'.

PostgreSQL-004: Enable 'LOG_DISCONNECTIONS' Parameter for PostgreSQL Servers: Updated the rule title from 'Log Disconnections' to 'Enable 'LOG_DISCONNECTIONS' Parameter for PostgreSQL Servers'.

PostgreSQL-005: Enable 'LOG_DURATION' Parameter for PostgreSQL Servers: Updated the rule title from 'Log Duration' to 'Enable 'LOG_DURATION' Parameter for PostgreSQL Servers'.

PostgreSQL-006: Enable 'CONNECTION_THROTTLING' Parameter for PostgreSQL Servers: Updated the rule title from 'Connection Throttling' to 'Enable 'CONNECTION_THROTTLING' Parameter for PostgreSQL Servers'.

PostgreSQL-007: Check for PostgreSQL Log Retention Period: Updated the rule title from 'Log Retention Days' to 'Check for PostgreSQL Log Retention Period'.

PostgreSQL-008: Use Microsoft Entra Admin for PostgreSQL Authentication: Updated the rule title from 'Microsoft Entra Admin' to 'Use Microsoft Entra Admin for PostgreSQL Authentication'.

Sql-001: Enable Auditing for SQL Servers: Updated the rule title from 'Auditing' to 'Enable Auditing for SQL Servers'.

Sql-002: Configure 'AuditActionGroup' for SQL Server Auditing: Updated the rule title from 'Audit Action Groups' to 'Configure 'AuditActionGroup' for SQL Server Auditing'.

Sql-003: SQL Auditing Retention: Updated the rule title from 'Auditing Retention' to 'SQL Auditing Retention'.

Sql-004: Use Microsoft Entra Admin for SQL Authentication: Updated the rule title from 'Microsoft Entra Admin' to 'Use Microsoft Entra Admin for SQL Authentication'.

Sql-007: Enable All Types of Threat Detection on SQL Servers: Updated the rule title from 'Enable All Threat Detection Types' to 'Enable All Types of Threat Detection on SQL Servers'.

Sql-009: Enable Classic Vulnerability Assessment Email Notifications for Admins and Subscription Owners: Updated the rule title from 'Enable Vulnerability Assessment Email Notifications for Admins and Subscription Owners' to 'Enable Classic Vulnerability Assessment Email Notifications for Admins and Subscription Owners'.

AppService-006: Enable HTTPS-Only Traffic: Updated the rule title from 'Check that the Azure App is only using HTTPS' to 'Enable HTTPS-Only Traffic'.

AppService-007: Check for TLS Protocol Latest Version: Updated the rule title from 'Check that the Azure App is using the latest TLS version' to 'Check for TLS Protocol Latest Version'.

Network-008: Check for Unrestricted MS SQL Server Access: Updated the rule title from 'Check for Unrestricted MS SQL Database Access' to 'Check for Unrestricted MS SQL Server Access'.

KeyVault-003: Set Azure Secret Key Expiration: Updated the rule title from 'Set Secret Key Expiration' to 'Set Azure Secret Key Expiration'.

APIManagement-009: Unrestricted API Access: Updated the rule title from 'Restrict Caller IPs' to 'Unrestricted API Access'.

GCP

CloudKMS-003: Detect Google Cloud KMS Configuration Changes: Updated the rule title from 'Detect GCP Cloud KMS Configuration Changes' to 'Detect Google Cloud KMS Configuration Changes'.

CloudSQL-027: Enable 'cloudsql.enable_pgaudit' and 'pgaudit.log' Flags for PostgreSQL Database Instances: Updated the rule title from 'Enable 'cloudsql.enable_pgaudit' Flag for PostgreSQL Database Instances' to 'Enable 'cloudsql.enable_pgaudit' and 'pgaudit.log' Flags for PostgreSQL Database Instances'.

CloudPubSub-001: Detect Google Cloud Pub/Sub Configuration Changes: Updated the rule title from 'Detect GCP Pub/Sub Configuration Changes' to 'Detect Google Cloud Pub/Sub Configuration Changes'.

New AWS Lambda rule enforces least privilege by restricting role sharing

Thu, 12 Dec 2024 00:00:00 GMT

December 12, 2024, Conformity—New Rule

AWS

Lambda-014: Lambda Functions Should not Share Roles that Contain Admin Privileges: This rule ensures that your Amazon Lambda functions do not share execution roles that contain admin privileges in order to promote the Principle of Least Privilege (POLP) and provide your functions the minimal amount of access required to perform their tasks.

Linux support for Deep Security Agent self-protection introduced

Fri, 13 Dec 2024 00:00:00 GMT

December 13, 2024, Workload Security—Deep Security Agent self-protection is now supported on Linux. This requires Deep Security Agent version 20.0.0-5953 (20 LTS Update 2022-11-22) or later.

Malware scan configurations now ignore excluded processes for non-real-time scans

Mon, 06 Jan 2025 00:00:00 GMT

January 06, 2025, Workload Security—Any configurationType other than REAL_TIME(0) ignores the `excludedScanProcessFileListID` column provided in a payload. This affects REST requests that add or update malware scan configurations for MANUAL(1) or SCHEDULED(2):

`POST {{c1ws_rest}}/policies/antimalware/scanConfigs`
`PUT {{c1ws_rest}}/policies/antimalware/scanConfigs/{scanConfigId}`

AWS CloudFront now enforces Origin Access Control for S3 origins

Tue, 14 Jan 2025 00:00:00 GMT

January 14, 2025, Conformity—New Rule

AWS

CF-013: Enable Origin Access Control For Distributions with S3 Origin: This rule ensuress that the Origin Access Control (OAC) feature is enabled for all your Amazon CloudFront distributions that utilize an S3 bucket as an origin in order to restrict any direct access to your objects through Amazon S3 URLs.

Updated Conformity AWS Custom Policy and New Rule for Inspector2-002 Integration

Wed, 15 Jan 2025 00:00:00 GMT

January 15, 2025, Conformity—AWS Custom Policy Update

The Conformity AWS custom policy has been updated. The new custom policy version is 1.70 and the permissions added are:

inspector2:ListFindings

Click here to access the new custom policy.

New Rule

AWS

Inspector2-002: Amazon Inspector 2 Findings: Amazon Inspector is an AWS service that helps improve the security and compliance of your AWS resources.

Enable Auto-Upgrade for GKE Cluster Nodes in GCP with New Rule GKE-006

Wed, 15 Jan 2025 00:00:00 GMT

January 15, 2025, Conformity—New Rule

GCP

GKE-006: Enable Auto-Upgrade for GKE Cluster Nodes: This rule ensures that the Auto-Upgrade feature is enabled for all the nodes running within your Google Kubernetes Engine (GKE) clusters. This feature helps you keep your cluster nodes up to date with the latest supported version of Kubernetes.

Shielded GKE Cluster Nodes rule added for enhanced security in Conformity

Mon, 20 Jan 2025 00:00:00 GMT

January 20, 2025, Conformity—New Rule

GCP

GKE-004: Use Shielded GKE Cluster Nodes: This rule ensures that your Google Kubernetes Engine (GKE) cluster pool nodes are shielded to provide a strong cryptographic identity.

Automate GKE Cluster Version Upgrades with Release Channels

Tue, 21 Jan 2025 00:00:00 GMT

January 21, 2025, Conformity—New Rule

GCP

GKE-009: Automate Cluster Version Upgrades using Release Channels: This rule ensures that the version management is automated for your Google Kubernetes Engine (GKE) clusters using Release Channels.

Enable Secure Boot for Cluster Nodes in GKE with New GCP Rule

Tue, 21 Jan 2025 00:00:00 GMT

January 21, 2025, Conformity—New Rule

GCP

GKE-005: Enable Secure Boot for Cluster Nodes: Ensure that Secure Boot is enabled for your Google Kubernetes Engine (GKE) cluster nodes.

Expanded Template Scanner now supports additional AWS resources

Wed, 22 Jan 2025 00:00:00 GMT

January 22, 2025, Conformity—Template Scanner Updates

New Resources Support

Template Scanner Github App for Terraform templates now supports the following resources:

APIGateway RestApi
AutoScaling Group
CloudFormation Stack
CloudTrail Trail
EC2 Network Interface
EC2 Security Group
EC2 Volume
EC2 VPC
EC2 VPC Endpoint
ECR Repository
EFS File System
ElasticCache
Elasticsearch Domain
ELB Classic Load Balancer
EMR Cluster
IAM Group
IAM Managed Policy
IAM Role
Kinesis Stream
KMS Key
Lambda Function
RDS DB Cluster
RDS DB Instance
Redshift Cluster
VPC NAT gateways
VPC Network ACL
Workspaces

Integrity Monitoring enabled for Google Kubernetes Engine cluster nodes

Thu, 23 Jan 2025 00:00:00 GMT

January 23, 2025, Conformity—New Rule

GCP

GKE-008: Enable Integrity Monitoring for Cluster Nodes: This rule ensures that the Integrity Monitoring feature is enabled for all your Google Kubernetes Engine (GKE) cluster nodes.

Enable Auto-Repair for GKE Cluster Nodes with New GCP Rule

Thu, 23 Jan 2025 00:00:00 GMT

January 23, 2025, Conformity—New Rule

GCP

GKE-007: Enable Auto-Repair for GKE Cluster Nodes: This rule ensures that the Auto-Repair feature is enabled for all your GKE cluster nodes.

Restrict Network Access for GKE with New Rule GKE-013

Fri, 24 Jan 2025 00:00:00 GMT

January 24, 2025, Conformity—New Rule

GCP

GKE-013: Restrict Network Access: Ensure that your Google Kubernetes Engine (GKE) clusters are configured with master authorised networks.

Template Scanner now supports direct scanning of Terraform HCL templates from `.zip` files

Tue, 28 Jan 2025 00:00:00 GMT

January 28, 2025, Conformity—Template Scanner Updates

Template Scanner API now supports Terraform HCL (`.tf`) templates.

Previously, Terraform HCL (`.tf`) templates were required to be transformed into HCL plan (.json) files before scanning.

With the latest API, Terraform HCL (`.tf`) templates can now be scanned directly by scanning a `.zip` file of HCL templates.

You can now use the `template-scanner/archive-scan` endpoint to POST a ZIP file containing your Terraform templates to be scanned. For more information please visit the Template Scanner API documentation

Real-time process image file list now part of exclusion list in Workload Security

Fri, 31 Jan 2025 00:00:00 GMT

January 31, 2025, Workload Security—In Trend Cloud One - Endpoint & Workload Security, the process image file list is now part of the inheritance exclusion list and is applied to real-time exclusions. The setting is available through Anti-Malware > Exclusions > Real-time > Process Image File List.

New GCP Rule: Prevent Alpha GKE Clusters for Production Workloads

Mon, 03 Feb 2025 00:00:00 GMT

February 03, 2025, Conformity—New Rule

GCP

GKE-012: Check for Alpha Clusters in Production: This rule ensures that the Alpha GKE clusters are not used for production workloads.

Conformity releases CIS AWS Foundations Benchmark 6.0

Tue, 04 Feb 2025 00:00:00 GMT

January 04, 2026—Trend Cloud One - Conformity has released the following new compliance standard.

CIS Foundations Benchmarks - CIS AWS Foundations Benchmark v6.0.0: Conformity has updated the CIS AWS compliance standard to the latest version to meet the Center of Internet Security (CIS) Foundations Benchmarks for Amazon Web Services. You can now filter Checks and download Compliance Reports to ensure your cloud environment complies with the latest CIS Foundations Benchmarks. - CIS AWS Foundations Benchmark v6.0.0.

Deprecation Notice: Conformity has deprecated the CIS AWS Foundations Benchmark v4.1.0 for removal on April 27 2026. It will no longer be accessible in the filters, preventing the creation of new reports or report-configurations with this outdated benchmark. If any existing report configurations include deprecated compliance standards, it will not be possible to generate new PDF/CSV reports. However, the list of previously generated PDF/CSV reports remains available. Trend Cloud One - Conformity recommends updating your report configurations to use the latest versions of CIS AWS Foundations Benchmark before April 27 2026.

Enable Binary Authorization for GKE clusters with new GCP rule

Tue, 04 Feb 2025 00:00:00 GMT

February 04, 2025, Conformity—New Rule

GCP

GKE-014: Enable Binary Authorization: This rule ensures that the Binary Authorization feature is enabled for GKE clusters.

Enable and Configure Cluster Logging for GKE with New GCP Rule

Tue, 04 Feb 2025 00:00:00 GMT

February 04, 2025, Conformity—New Rule

GCP

GKE-016: Enable and Configure Cluster Logging: This rule ensures that logging is enabled for your Google Kubernetes Engine (GKE) clusters to collect logs emitted by your Kubernetes applications and the GKE infrastructure that runs your applications.

Discontinuation of Cloud One Template Scanner (Preview) on GitHub

Tue, 04 Feb 2025 00:00:00 GMT

February 04, 2025, Conformity—Cloud One Template Scanner (Preview) Removal Notice

The Cloud One Template Scanner (Preview) Github application has been discontinued and disabled on GitHub.

We encourage former users of the preview app to use the Trend Micro Cloud One GitHub application going forward.

For more details, please visit our help documentation.

Custom Check Public API Rule Title Update and Immutability Enforcement

Tue, 04 Feb 2025 00:00:00 GMT

February 04, 2025, Conformity—Custom Check Public API Update

To avoid a rule title mismatch for custom checks, `ruleTitle` used in custom check must now match the existing rule title for the specified `ruleId`. Additionally `ruleTitle` is now an immutable field and cannot be modified once a custom check is created. For more information, see the Update Check endpoint.

Enable Intranode Visibility in GKE Clusters with New Rule GKE-018

Wed, 05 Feb 2025 00:00:00 GMT

February 05, 2025, Conformity—New Rule

GCP

GKE-018: Enable Intranode Visibility: This rule ensures that intranode visibility is enabled for your GKE clusters.

Enable Workload Vulnerability Scanning in GKE clusters for enhanced security

Thu, 06 Feb 2025 00:00:00 GMT

February 06, 2025, Conformity—New Rule

GCP

GKE-011: Enable Workload Vulnerability Scanning: This rule ensures that the Workload Vulnerability Scanning feature is enabled for your Google Kubernetes Engine (GKE) clusters.

Template Scanner now supports Terraform HCL templates for easier scanning

Thu, 06 Feb 2025 00:00:00 GMT

February 06, 2025, Conformity—Template Scanner Updates

Template Scanner now supports Terraform HCL (`.tf`) templates.

Previously, Terraform HCL (`.tf`) templates were required to be converted into Terraform plans (.json) files before scanning.

With the latest feature, Terraform HCL (`.tf`) templates can now be scanned directly by uploading a ZIP file of HCL templates.

Use the "Template Scanner" menu and click on the Terraform tab, to upload a ZIP file containing HCL templates. For more information please visit the Template Scanner documentation

Enhance GKE Security with Metadata Server Enabled in GCP

Fri, 07 Feb 2025 00:00:00 GMT

February 07, 2025, Conformity—New Rule

GCP

GKE-020: Enable GKE Metadata Server: This rule ensures that GKE Metadata Server is enabled for your Google Kubernetes Engine (GKE) cluster nodes in order to enhance security by restricting workload access to sensitive instance information.

Limit on Organisation-Level Communication Settings Implemented for Stability

Mon, 10 Feb 2025 00:00:00 GMT

February 10, 2025, Conformity—Organisation-Level Communication Settings Limit

To ensure reliable service, organisations are now limited to a maximum of 10 active organisation-level communication settings.

New GCP Rules for GKE Clusters: Legacy Authorization Disabled, Private Nodes Enabled

Mon, 10 Feb 2025 00:00:00 GMT

February 10, 2025, Conformity—New Rules

GCP

GKE-015: Disable Legacy Authorization: This rule ensures that legacy authorization (also known as Attribute-Based Access Control or ABAC) is disabled for your Google Kubernetes Engine (GKE) clusters to guarantee compatibility with Role-Based Access Control (RBAC).

GKE-017: Enable Private Nodes: Ensure that your Google Kubernetes Engine (GKE) clusters are configured to provision all nodes with only internal IP addresses (i.e., private nodes).

AWS Lambda IAM Role Rule Severity Updated for Better Flexibility

Thu, 13 Feb 2025 00:00:00 GMT

February 13, 2025, Conformity—Rule Update

AWS

Lambda-006: Using An IAM Role For More Than One Lambda Function: We've updated the Rule Severity from `HIGH` to `MEDIUM` to cover more scenarios and allow better flexibility for IAM Roles.

New GCP Rules for Google Kubernetes Engine Cluster Monitoring and VPC-Native Traffic Routing

Mon, 17 Feb 2025 00:00:00 GMT

February 17, 2025, Conformity—New Rules

GCP

GKE-019: Enable and Configure Cluster Monitoring: This rule ensures that Cloud Monitoring is enabled for your Google Kubernetes Engine (GKE) clusters.

GKE-022: Enable VPC-Native Traffic Routing: This rule ensures that VPC-native traffic routing is enabled for your Google Kubernetes Engine (GKE) clusters.

New GKE Rule: Use Sandbox with gVisor for Enhanced Container Security

Tue, 18 Feb 2025 00:00:00 GMT

February 18, 2025, Conformity—New Rule

GCP

GKE-023: Use Sandbox with gVisor for GKE Clusters Nodes: GKE Sandbox provides an extra layer of isolation between containers and the underlying host kernel, mitigating the risk of container escape vulnerabilities.

New GKE Rules for Enhanced Security and Control in Google Kubernetes Engine

Wed, 19 Feb 2025 00:00:00 GMT

February 19, 2025, Conformity—New Rules

GCP

GKE-021: Use GKE Clusters with Private Endpoints Only: This rule ensures to restrict the control plane access to your Google Kubernetes Engine (GKE) clusters to private endpoints only, effectively disabling external access to the Kubernetes API.

GKE-024: Use Container-Optimized OS for GKE Clusters Nodes: This rule ensures that your Google Kubernetes Engine (GKE) cluster nodes use the Container-Optimized OS (cos_containerd), a managed, optimized, and hardened base OS provided by GKE to limit the host's attack surface.

New GCP account permission `container.clusters.get` added for enhanced access control

Wed, 19 Feb 2025 00:00:00 GMT

February 19, 2025, Conformity—Updated GCP account permission list

We've added the following new GCP account permission:

`container.clusters.get`

For a full list of GCP permissions, see Add a GCP Account.

Enhanced recommendation scan for optimized security rule identification

Mon, 24 Feb 2025 00:00:00 GMT

February 24, 2025, Workload Security—The enhanced recommendation scan improves upon the classic recommendation scan by optimizing efficiency, reliability, and accuracy when identifying security rules for Intrusion Prevention, Integrity Monitoring, and Log Inspection. Based on your system's required security rules, the scan delivers recommendations with optimized performance and fewer limitations. Whether run manually or scheduled for automated scanning, enhanced recommendation scan can apply recommended rules for regular protection with minimal disruption and reduced strain on system resources. For more information, see Enhanced recommendation scan.

RTM introduces GKE security rules for enhanced cluster protection

Mon, 10 Mar 2025 00:00:00 GMT

March 10, 2025, Conformity—RTM for GCP

RTM now supports the following rules:

GKE-004: Use Shielded GKE Cluster Nodes: This rule ensures that your Google Kubernetes Engine (GKE) cluster pool nodes are shielded to provide a strong cryptographic identity.
GKE-005: Enable Secure Boot for Cluster Nodes: Ensure that Secure Boot is enabled for your Google Kubernetes Engine (GKE) cluster nodes.
GKE-006: Enable Auto-Upgrade for GKE Cluster Nodes: This rule ensures that the Auto-Upgrade feature is enabled for all the nodes running within your Google Kubernetes Engine (GKE) clusters. This feature helps you keep your cluster nodes up to date with the latest supported version of Kubernetes.

Deprecated Compliance Standards in Conformity Reports Starting 19 May 2025

Mon, 17 Mar 2025 00:00:00 GMT

March 17, 2025, Conformity—Standards and Compliance Reports

On 19 May 2025, the following compliance standards will be deprecated:

CIS Amazon Web Services Foundations Benchmark v1.5.0
CIS Amazon Web Services Foundations Benchmark v2.0
CIS Google Cloud Platform Foundation Benchmark v1.3.0

These deprecated compliance standards will be no longer accessible in the filters, preventing the creation of new reports or report-configurations with these outdated standards. If any existing report configurations include deprecated compliance standards, it will not be possible to generate new PDF/CSV reports. However, the list of previously generated PDF/CSV reports remains available. We recommend updating your report configurations to use the latest versions of CIS Foundations Benchmark before 19 May 2025.

RTM now supports enhanced GKE security and configuration rules

Tue, 18 Mar 2025 00:00:00 GMT

March 18, 2025, Conformity—RTM for GCP

RTM now supports the following rules:

GKE-001: Enable GKE Cluster Node Encryption with Customer-Managed Keys: This rule ensures that boot disk encryption with Customer-Managed Keys is enabled for GKE cluster nodes.
GKE-013: Restrict Network Access: Ensure that your Google Kubernetes Engine (GKE) clusters are configured with master authorised networks.
GKE-014: Enable Binary Authorization: This rule ensures that the Binary Authorization feature is enabled for GKE clusters.
GKE-015: Disable Legacy Authorization: This rule ensures that legacy authorization (also known as Attribute-Based Access Control or ABAC) is disabled for your Google Kubernetes Engine (GKE) clusters to guarantee compatibility with Role-Based Access Control (RBAC).
GKE-016: Enable and Configure Cluster Logging: This rule ensures that logging is enabled for your Google Kubernetes Engine (GKE) clusters to collect logs emitted by your Kubernetes applications and the GKE infrastructure that runs your applications.
GKE-017: Enable Private Nodes: Ensure that your Google Kubernetes Engine (GKE) clusters are configured to provision all nodes with only internal IP addresses (i.e., private nodes).
GKE-018: Enable Intranode Visibility: This rule ensures that intranode visibility is enabled for your GKE clusters.
GKE-019: Enable and Configure Cluster Monitoring: This rule ensures that Cloud Monitoring is enabled for your Google Kubernetes Engine (GKE) clusters.
GKE-020: Enable GKE Metadata Server: This rule ensures that GKE Metadata Server is enabled for your Google Kubernetes Engine (GKE) cluster nodes in order to enhance security by restricting workload access to sensitive instance information.
GKE-021: Use GKE Clusters with Private Endpoints Only: This rule ensures to restrict the control plane access to your Google Kubernetes Engine (GKE) clusters to private endpoints only, effectively disabling external access to the Kubernetes API.

Deprecation of Outdated Compliance Standards on 26 May 2025

Wed, 26 Mar 2025 00:00:00 GMT

March 26, 2025, Conformity—Standards and Compliance Reports

On 26 May 2025, the following compliance standards will no longer be supported:

AusGov ISM March 2021
NIS Europe OES-2019

These deprecated compliance standards will be no longer be accessible in the filters, preventing the creation of new reports or report-configurations with these outdated standards. If any existing report configurations include the deprecated compliance standard, it will not be possible to generate new PDF/CSV reports. However, the list of previously generated PDF/CSV reports remains available. We recommend updating your report configurations to use the latest versions of standards by 26 May 2025.

RTM now supports enhanced GCP rules for secure and efficient GKE clusters

Thu, 27 Mar 2025 00:00:00 GMT

March 27, 2025, Conformity—RTM for GCP

RTM now supports the following rules:

GKE-007: Enable Auto-Repair for GKE Cluster Nodes: This rule ensures that the Auto-Repair feature is enabled for all your GKE cluster nodes.
GKE-008: Enable Integrity Monitoring for Cluster Nodes: This rule ensures that Integrity Monitoring is enabled for your Google Kubernetes Engine (GKE) cluster nodes.
GKE-009: Automate Cluster Version Upgrades using Release Channels: This rule ensures that Automate version management for your Google Kubernetes Engine (GKE) clusters using Release Channels.
GKE-010: Prevent Default Service Account Usage: This rule ensures that GKE clusters are not configured to use the default service account.
GKE-011: Enable Workload Vulnerability Scanning: This rule ensures that workload vulnerability scanning is enabled for Google Kubernetes Engine (GKE) clusters.
GKE-012: Check for Alpha Clusters in Production: This rule ensures that Alpha GKE clusters are not used for production workloads.
GKE-022: Enable VPC-Native Traffic Routing: This rule ensures that VPC-native traffic routing is enabled for Google Kubernetes Engine (GKE) clusters.
GKE-023: Use Sandbox with gVisor for GKE Clusters Nodes: This rule ensures that your cluster nodes are using GKE Sandbox with gVisor to isolate untrusted workloads to enhance security in the multi-tenant Google Kubernetes Engine (GKE) environments,
GKE-024: Use Container-Optimized OS for GKE Clusters Nodes: This rule ensures that your Google Kubernetes Engine (GKE) cluster nodes use the Container-Optimized OS (cos_containerd), a managed, optimized, and hardened base OS provided by GKE to limit the host's attack surface.

New AWS IAM Rule Identifies Users with Compromised Credentials

Mon, 31 Mar 2025 00:00:00 GMT

March 31, 2025, Conformity—New Rule

AWS

IAM-073: Check for IAM Users with Compromised Credentials: This rule checks for Amazon IAM users with the "AWSCompromisedKeyQuarantine", "AWSCompromisedKeyQuarantineV2", and/or "AWSCompromisedKeyQuarantineV3" managed policies in order to identify IAM users with compromised or exposed credentials.

Agent Process Wildcard Exclusion Supported on Windows and Linux Versions

Mon, 31 Mar 2025 00:00:00 GMT

March 31, 2025, Workload Security—The agent process wildcard exclusion is now supported. On Linux, this requires Deep Security Agent version 20.0.1-21510 or later. On Windows, this requires Deep Security Agent version 20.0.1-25770 or later.

Azure Database for PostgreSQL now enforces Transport Encryption for enhanced security

Thu, 03 Apr 2025 00:00:00 GMT

April 03, 2025, Conformity—New Rules

Azure

PostgreSQL-015: Enable Transport Encryption for PostgreSQL Flexible Servers: This rule ensures that the databases managed with Azure Database for PostgreSQL have the Transport Encryption feature enabled.

Enable Microsoft Defender for Cloud in Azure Resource Manager for enhanced security

Tue, 08 Apr 2025 00:00:00 GMT

April 08, 2025, Conformity—New Rules

Azure

SecurityCenter-044: Enable Microsoft Defender for Cloud for Azure Resource Manager: This rule ensures that Microsoft Defender for Cloud is enabled for Azure Resource Manager.

New Azure Rules for PostgreSQL and Virtual Machine Disk Security

Tue, 08 Apr 2025 00:00:00 GMT

April 08, 2025, Conformity—New Rules

Azure

PostgreSQL-016: Enable Connection Throttling for PostgreSQL Flexible Servers: This rule ensure that connection throttling is enabled for your Azure Database for PostgreSQL flexible servers.

VirtualMachines-043: Disable Public Network Access to Virtual Machine Disks: This rule ensure that public network access (i.e., all network access) to Azure virtual machine (VM) disks is disabled in order to enhance security by preventing unauthorized access.

Custom Policy Updates: Azure Account API Permissions Updated

Thu, 10 Apr 2025 00:00:00 GMT

April 10, 2025, Conformity—Custom Policy Updates

We've updated the Azure account API permission list.

New Azure MySQL flexible server rules for transport encryption and audit logging

Mon, 14 Apr 2025 00:00:00 GMT

April 14, 2025, Conformity—New Rules

Azure

MySQL-003: Enable Transport Encryption for MySQL Flexible Servers: This rule ensures that "require_secure_transport" parameter is enabled for Azure MySQL flexible servers.

MySQL-005: Enable Audit Logging for MySQL Flexible Servers: This rule ensures that audit logging is enabled for Microsoft Azure MySQL flexible servers.

Increased Maximum TTL for POST and PATCH Checks to 99 Years

Mon, 14 Apr 2025 00:00:00 GMT

April 14, 2025, Conformity—Update Checks Endpoints

POST and PATCH Checks: The maximum configurable TTL has been increased to 99 years from the time of the request.

New Rule for PostgreSQL Flexible Servers Ensures Sufficient Log File Retention Period

Mon, 14 Apr 2025 00:00:00 GMT

April 14, 2025, Conformity—New Rules

Azure

PostgreSQL-017: Check Log Files Retention Period for PostgreSQL Flexible Servers: This rule ensures that that there is a sufficient retention period configured for log files for Azure PostgreSQL flexible database servers.

Enhanced AWS Cloud Account Scanning for Improved Resource Verification

Tue, 15 Apr 2025 00:00:00 GMT

April 15, 2025, Conformity—As a part of our commitment to improving customer experience, we will release significant system enhancements for AWS cloud account scanning. These enhancements will be rolled out gradually over the next several months.

Note: Some of these enhancements allow for more thorough and accurate scanning of account resources and verification, which may change the display of particular data with existing inconsistencies.

New GCP account permission added for compute.forwardingRules.list

Tue, 15 Apr 2025 00:00:00 GMT

April 15, 2025, Conformity—Updated GCP account permission list

We've added the following new GCP account permission:

`compute.forwardingRules.list`

For a full list of GCP permissions, see Add a GCP Account.

Restrict guest user access with new Azure rule ActiveDirectory-025

Tue, 15 Apr 2025 00:00:00 GMT

April 15, 2025, Conformity—New Rules

Azure

ActiveDirectory-025: Restrict Guest User Access to Their Own Directory Data: This rule ensures that guest user access is restricted to properties and memberships of their own directory objects in Microsoft Entra ID.

New Azure rule restricts tenant creation to admins and assigned users

Tue, 15 Apr 2025 00:00:00 GMT

April 15, 2025, Conformity—New Rules

Azure

ActiveDirectory-026: Disable Tenant Creation for Non-Admin Users: This rule ensures that only administrators or specifically assigned users (i.e., users with tenant creator roles) have permission to create Microsoft Entra ID or Azure Active Directory B2C tenants.

Install Trend Vision One Endpoint Security agent via Deep Security Agent integration

Tue, 15 Apr 2025 00:00:00 GMT

April 15, 2025, Workload Security—Trend Cloud One - Endpoint & Workload Security and Trend Vision One - Endpoint Security Server & Workload Protection can now install Trend Vision One Endpoint Security agent via Deep Security Agent. For more information, see Install Trend Vision One Endpoint Security agent via Deep Security Agent.

Enhanced Security for Open-Source Databases with Microsoft Defender for Cloud

Wed, 16 Apr 2025 00:00:00 GMT

April 16, 2025, Conformity—New Rule

Azure

SecurityCenter-043: Enable Microsoft Defender for Cloud for Open-Source Relational Databases: This rule ensures that Microsoft Defender for Cloud is enabled for open-source relational databases such as Azure Database for PostgreSQL, Azure Database for MySQL, and Azure Database for MariaDB.

Updated GCP account permissions and APIs for enhanced access control

Mon, 28 Apr 2025 00:00:00 GMT

April 28, 2025, Conformity—Updated GCP account permission and API list

We've added the following new GCP account permission and API:

`pubsub.subscriptions.get`
`networkconnectivity.hubs.getIamPolicy`
`Bigtable Admin API`

For a full list of GCP permissions, see Add a GCP Account.

New Azure Security Rules for Machine Learning and Kubernetes Services

Mon, 05 May 2025 00:00:00 GMT

May 05, 2025, Conformity—New Rule

Azure

MachineLearning-006: Enable Network Isolation for Azure Machine Learning Registries: This rule ensures that network isolation is enabled for your Azure Machine Learning registries.

AKS-007: Enable Support for Network Policies: This rule ensure that your Azure Kubernetes Service (AKS) clusters are using network policies to implement secure policy-based access control.

Restrict Guest User Invites to Admins in Azure Active Directory

Wed, 07 May 2025 00:00:00 GMT

May 07, 2025, Conformity—New Rule

Azure

ActiveDirectory-027: Limit Guest User Invites to Administrators: This rule ensures that only users with the 'User Administrator' or the 'Guest Inviter' roles can invite guest users to your Microsoft Entra directory to collaborate on resources secured by your organisation.

Updated AWS Well-Architected Framework Compliance Standards and Deprecation Notice

Mon, 12 May 2025 00:00:00 GMT

May 12, 2025, Conformity—Standards and Compliance Report

We've updated the Amazon Web Services Well-Architected Framework Compliance Standard Report and the associated rule mappings by adding the latest version of Amazon Web Services Well-Architected Framework, released in March 2025.

Deprecation Notice

As of 01 June 2025, the Amazon Web Services Well-Architected Framework (updated October 2023) Compliance Standard will no longer be available.

This deprecated compliance standard will no longer be accessible in the filters, preventing the creation of new reports or report-configurations with this outdated standard. If any existing report configurations include the deprecated compliance standard, it will not be possible to generate new PDF/CSV reports. However, the list of previously generated PDF/CSV reports remains available. We recommend updating your report configurations to use the latest versions of the Amazon Web Services Well-Architected Framework by 01 June 2025.

Enable Confidential Computing for Azure Virtual Machines with New Rule

Wed, 14 May 2025 00:00:00 GMT

May 14, 2025, Conformity—New Rule

Azure

VirtualMachines-044: Enable Confidential Computing for Azure Virtual Machines:This rule ensures that Azure Virtual Machines (VMs) have Confidential Computing enabled to protect data in use with hardware-based Trusted Execution Environments (TEEs).

Trend Cloud One Documentation Portal Migrating to New Site on June 7, 2025

Fri, 16 May 2025 00:00:00 GMT

May 16, 2025, Workload Security—The Trend Cloud One™ Documentation portal will migrate to a new site on June 7, 2025.

To centralize knowledge resources and improve customer experience finding information about Trend Micro products, Trend Cloud One documentation will be migrated to the Trend Micro Online Help Center. As part of this migration, Trend Cloud One API references are being moved to the Trend Micro Automation Center.

Existing external links to the Trend Cloud One documentation portal will be redirected to the corresponding content in the Online Help Center.

Trend Cloud One console links will be updated to point directly to the new documentation locations.

If you have any questions or concerns about this transition, please contact your Trend Micro Representative or our Trend Micro Technical Support.

For more information, see: Trend Cloud One™ Documentation Portal Notice of Migration

Deprecated Compliance Standards Removed for Improved Report Generation

Mon, 19 May 2025 00:00:00 GMT

May 19, 2025, Conformity—Standards and Compliance Reports

As of 19 May 2025, the following compliance standards have been deprecated:

CIS Amazon Web Services Foundations Benchmark v1.5.0
CIS Amazon Web Services Foundations Benchmark v2.0
CIS Google Cloud Platform Foundation Benchmark v1.3.0

These deprecated compliance standards are no longer accessible in the filters, preventing the creation of new reports or report-configurations with these outdated standards. If any existing report configurations include deprecated compliance standards, it will not be possible to generate new PDF/CSV reports. However, the list of previously generated PDF/CSV reports remains available. We recommend updating your report configurations to use the latest versions of CIS Foundations Benchmark.

Enhance Kubernetes Security with Private Nodes in Azure AKS

Mon, 19 May 2025 00:00:00 GMT

May 19, 2025, Conformity—New Rule

Azure

AKS-005: Kubernetes Clusters with Private Nodes: This rule ensures that your Azure Kubernetes Service (AKS) clusters are deployed with private nodes in order to enhance your Kubernetes workload's security and isolation.

IoT enabled by default for Deep Security Agents version 20.0.2-4960 and

Mon, 19 May 2025 00:00:00 GMT

May 19, 2025, Workload Security—In Trend Cloud One - Endpoint & Workload Security, IoT is now enabled by default for every IoT-capable Deep Security Agent version 20.0.2-4960 and later. This means it is no longer required to have Activity Monitoring enabled on these agents.

Fully-qualified domain names (FQDN) requested by IoT must be allowed. For details, see Required Workload Security IP addresses and port numbers.

Support for Red Hat Enterprise Linux 9 on Arm architecture

Mon, 26 May 2025 00:00:00 GMT

May 26, 2025, Workload Security—Deep Security Agent version 20.0.2-7600 (20 LTS Update 2025-04-16) and later supports Red Hat Enterprise Linux 9 (64-bit Arm (aarch64)). This requires Deep Security Manager version 20.0.1047 (20 LTS Update 2025-05-12) or later.

Reports API bug fix improves filtering by report configuration ID

Wed, 28 May 2025 00:00:00 GMT

May 28, 2025, Conformity—Bug Fixes

Reports API

Fixed an issue where the GET Reports API would incorrectly ignore the reportConfigId parameter when provided by itself in query requests. The API now properly returns reports associated with the specified report configuration ID.

Updated Azure Custom Role permissions for Azure Key Vaults scanning

Thu, 29 May 2025 00:00:00 GMT

May 29, 2025, Conformity—Updated Azure Custom Role permission list

We've added the following permissions to Add an Azure Account - Create a Custom Role:

`Microsoft.KeyVault/vaults/keys/read`
`Microsoft.KeyVault/vaults/secrets/read`

These permissions are required for Conformity to scan the Azure Key Vaults that use the role-based access control model as the authorization system.

Deprecated AWS Compliance Standard

Thu, 26 Jun 2025 00:00:00 GMT

June 26, 2025, Conformity—Standards and Compliance Reports As of 19 June 2025, AWS Well-Architected Framework (updated October 2023) has been deprecated and is no longer accessible in the filters, preventing the creation of new reports or report configurations with this outdated standard. If any of the existing report configurations include a deprecated compliance standard, generating new PDF/CSV reports will not be possible. However, the list of previously generated PDF/CSV reports remains available. We recommend updating your report configurations to use the latest versions of the AWS Well-Architected Framework.

File Storage Security now supports Malaysia region on AWS

Mon, 14 Jul 2025 00:00:00 GMT

July 14, 2025, File Storage Security—File Storage Security now supports the Malaysia (ap-southeast-5) region on AWS. For more information, see What's supported in AWS.

Support for Red Hat Enterprise Linux 10

Wed, 16 Jul 2025 00:00:00 GMT

July 16, 2025, Workload Security—Deep Security Agent version 20.0.2-14431 (20 LTS Update 2025-07-09) and later supports Red Hat Enterprise Linux 10 (64-bit), including SELinux, Secure Boot, and FIPS mode. This requires Deep Security Manager version 20.0.1054 (20 LTS Update 2025-06-11) or later.

Scheduled maintenance for Trend Cloud One services on July 26, 2025

Thu, 17 Jul 2025 00:00:00 GMT

July 17, 2025, General—System maintenance for Trend Cloud One is scheduled for all regions (us-1, ca-1, de-1, gb-1, in-1, sg-1, au-1, jp-1) between 03:00 and 10:00 UTC on Saturday, July 26, 2025. During this maintenance period, console and API access for some Trend Cloud One services will be unavailable. For more information or to be notified of scheduled maintenance, see Trend Cloud One Maintenance.

File Storage Security scanner now updated with library-requests version 2.32.4

Mon, 04 Aug 2025 00:00:00 GMT

August 4, 2025—File Storage Security scanner is updated with library-requests version 2.32.4 to resolve CVE-2024-47081.

Updated AWS Custom Policy 1.71

Tue, 05 Aug 2025 00:00:00 GMT

August 05, 2025, Conformity—The Conformity AWS custom policy has been updated to the latest version - 1.71, and the new permission added is: - iam:ListGroupsForUser.

Click here to access the new custom policy.

Conformity Updates - Week Ending 5 September 2025

Sat, 09 Aug 2025 00:00:00 GMT

GCP Rules

ComputeEngine-021: Check for Publicly Shared Disk Images: This rule ensures that your virtual machine disk images are not publicly shared with all other Google Cloud Platform (GCP) accounts in order to avoid exposing sensitive or confidential data.
GKE-030: Use Confidential GKE Cluster Nodes: This rule ensures that your Google Kubernetes Engine (GKE) cluster node pools use confidential GKE nodes to encrypt all running workloads.
CloudRun-011: Check for the Maximum Number of Container Instances: This rule prevents uncontrolled scaling, resource exhaustion, and unexpected costs when auto-scaling.
CloudRun-001: Check for the Minimum Number of Container Instances: This rule ensures that your Google Cloud Run services have a sufficient number of container instances configured to minimize cold start latency and enhance performance.
CloudRun-003: Enable Automatic Runtime Security Updates: This rule ensures that automatic runtime security updates are enabled for your Cloud Run services in order to keep the services secure and protected against vulnerabilities without manual intervention.
CloudSQL-036: Enable "log_checkpoints" Flag for PostgreSQL Database Server Configuration: This rule ensures that "log_checkpoints" database flag is enabled for all PostgreSQL database instances available within your Google Cloud Platform (GCP) account.
SecretManager-003: Enable Rotation Schedules for Secret Manager Secrets: This rule ensures that rotation periods are configured for all Secret Manager secrets available within your Google Cloud Platform (GCP) account to minimize the risk of unauthorized access or misuse of secrets.
CloudSQL-035: Enable "slow_query_log" Flag for MySQL Database Servers: This rule ensures that the "slow_query_log" database flag is enabled for your Google Cloud MySQL database instances.
CloudSQL-039: Enable Automatic Storage Increase: This rule ensures that Automatic Storage Increase feature is enabled for your production Google Cloud SQL database instances.

Azure Rules

CosmosDB-009: Use Managed Identities for Azure Cosmos DB Accounts: This rule ensures that your Microsoft Azure Cosmos DB accounts are using system-assigned and/or user-assigned managed identities to allow secure access to other cloud protected resources such as Azure Storage accounts.

Conformity Updates - Week Ending 12 September 2025

Mon, 15 Sep 2025 00:00:00 GMT

Updated Compliance Standards - CIS Foundations Benchmarks

We've updated our compliance standards to meet the Center of Internet Security (CIS) Foundations Benchmarks. You can now filter Checks and download Compliance Reports to ensure your cloud environment complies with the latest CIS Foundations Benchmarks.

CIS Alibaba Foundations Benchmarkv2.0.0
CIS AWS Foundations Benchmark v5.0.0
CIS Azure Foundations Benchmark v3.0.0
CIS GCP Foundations Benchmark v4.0.0
CIS OCI Foundations Benchmark v3.0.0

You can view the CIS certifications awarded to Trend Micro Vision One - Cloud Posture on the CIS partner website and learn more about Compliance and Conformity.

New GCP Rules

CloudRun-002: Use Labels for Resource Management: This rule ensures that user-defined labels are being used to tag, collect, and organize Cloud Run services within your Google Cloud Platform (GCP) projects.
CloudRun-004: Enable End-to-End HTTP/2 for Cloud Run Services: This rule ensures that end-to-end HTTP/2 support is enabled for your Cloud Run services.
CloudSQL-034: Allow SSL/TLS Connections Only: This rule ensures that all incoming connections to your Cloud SQL database instances are encrypted with SSL/TLS.
CloudFunction-008: Use Customer-Managed Encryption Keys for Functions Encryption: This rule ensures that your Google Cloud functions use Customer-Managed Encryption Keys (CMEK) instead of Google-managed encryption keys.
CloudRun-008: Use Customer-Managed Encryption Keys for Services Encryption: This rule ensures that your Cloud Run services use Customer-Managed Encryption Keys (CMEK) instead of Google-managed encryption keys.
SecretManager-004: Use Customer-Managed Encryption Keys for Secret Manager Secret Encryption: This rule ensures that your Google Cloud Secret Manager secrets are encrypted using Cloud KMS Customer-Managed Encryption Keys (CMEKs).
CloudRun-006: Enable Binary Authorization This rule ensures that Binary Authorization is enabled for Google Cloud Run services.
SecretManager-002: Enable Destruction Delay for Secret Versions: This rule ensures that a delayed destruction policy is configured for Google Secret Manager secrets.
CloudRun-007: Cloud Run Services with Inactive Service Accounts: This rule ensures that your Cloud Run services are referencing existing, active service accounts in order to prevent execution failures and operational disruptions.
CloudSQL-038: Enable Cloud SQL Instance Encryption with Customer-Managed Keys: This rule ensures that your Google Cloud SQL database instances are encrypted with Customer-Managed Keys (CMKs).
CloudRun-009: Enable Cloud SQL Instance Encryption with Customer-Managed Keys: This rule ensures that Google Cloud Run services are not publicly accessible.
CloudLogging-010: Configure Retention Policies with Bucket Lock: This rule ensures that all the retention policies attached to your Google Cloud log sink buckets are configured with the Bucket Lock feature.
CloudFunction-011: Cloud Logging Permissions for Google Cloud Functions: This rule ensures that Cloud Logging API has sufficient permissions to write logs for your Google Cloud functions.
NetworkConnectivity-001: Enable Cloud NAT for Private Subnets: This rule ensures that Cloud NAT is enabled for all private VPC subnets that require outbound access.
ResourceManager-011: Prevent Service Account Creation for Google Cloud Organizations: This rule ensure that the creation of Cloud IAM service accounts is prevented within your Google Cloud organization through the "Disable Service Account Creation" organization policy
ResourceManager-008: Require OS Login: This rule ensure that "Require OS Login" constraint policy is enforced at the GCP organization level in order to enable OS Login feature on all newly created Google Cloud projects within your organization. The OS Login provides you with centralized and automated SSH key pair management.
ResourceManager-013: Enforce Detailed Audit Logging Mode: This rule checks that "Google Cloud Platform - Detailed Audit Logging Mode" policy is enforced at the organization level in order to enable Detailed Audit Logging feature for the supported Cloud Storage resources available within your GCP organization.

New Azure Rules

CosmosDB-012: Enable Microsoft Defender for Azure Cosmos DB Accounts: This rule ensures that Microsoft Defender for Azure Cosmos DB is enabled at the resource level.
RedisCache-006: Configure Update Channel: This rule ensure that your Microsoft Azure Cache for Redis servers are using the "Stable" update channel.
RedisCache-008: Disable Access Keys Authentication for Azure Cache for Redis Servers: This rule ensure that your Microsoft Azure Cache for Redis servers are configured to use Microsoft Entra ID for authentication rather than access keys.
ResourceManager-012: Disable Serial Port Access Support at Organization Level: This rule checks that "Disable VM serial port access" constraint policy is enabled for your Google Cloud Platform (GCP) organizations.
RedisCache-005: Enable Data Persistence for Azure Cache for Redis Servers: This rule checks that data persistence is enabled for your Microsoft Azure Cache for Redis servers to ensure resilience against unexpected cache node failures.

Updated AWS Custom Policy V1.72

Tue, 16 Sep 2025 00:00:00 GMT

September16, 2025, Conformity—The Conformity AWS custom policy has been updated to the latest version - 1.72, and the new permissions added is:

inspector2:BatchGetAccountStatus

Click here to access the new custom policy.

Log Inspection now supports glob character in directory names

Wed, 17 Sep 2025 00:00:00 GMT

September 17, 2025, Workload Security—In Log Inspection, in addition to the glob character support in file names, the glob character (wildcard) is now supported when used in the directory portion of the path no more than twice.

Support for Oracle Linux 10

Wed, 24 Sep 2025 00:00:00 GMT

September 24, 2025, Workload Security—Deep Security Agent version 20.0.2-20480 (20 LTS Update 2025-09-24) and later supports Oracle Linux 10 (64-bit), including SELinux, Secure Boot, and FIPS mode. This requires Deep Security Manager version 20.0.1081 (20 LTS Update 2025-09-15) or later.

Updated AWS Custom Policy V1.73

Mon, 29 Sep 2025 00:00:00 GMT

September 29, 2025, Conformity—The Conformity AWS custom policy has been updated to the latest version - 1.73, and the new permissions added is:

eks:DescribeAddon

Click here to access the new custom policy.

Updated AWS Custom Policy V1.74 and V1.75

Wed, 29 Oct 2025 00:00:00 GMT

October 29, 2025, Conformity—The Conformity AWS custom policy has been updated to the latest version - 1.75 along with an interim update to version 1.74:

The new permissions added for V 1.74 are:
- sagemaker:ListTrainingJobs
- sagemaker:DescribeTrainingJob
- sagemaker:ListTags
- bedrock:GetModelInvocationLoggingConfiguration
- bedrock:ListModelCustomizationJobs
- bedrock:GetModelCustomizationJob

The new permissions added for V1.75 are:
- trustedadvisor:ListChecks
- trustedadvisor:ListOrganizationRecommendationAccounts
- trustedadvisor:ListOrganizationRecommendationResources
- trustedadvisor:ListOrganizationRecommendations
- trustedadvisor:ListRecommendationResources
- trustedadvisor:ListRecommendations
- trustedadvisor:GetRecommendation
- trustedadvisor:GetOrganizationRecommendation

Click here to access the new custom policy.

Updated AWS Custom Policy V1.76

Thu, 06 Nov 2025 00:00:00 GMT

November 06, 2025, Conformity—The Conformity AWS custom policy has been updated to the latest version - 1.76.

The new permissions added are
- sagemaker:ListEndpointConfigs
- sagemaker:DescribeEndpointConfig

Click here to access the new custom policy.

Updated IAU Update Module Version in GCP Pattern Update Function

Wed, 12 Nov 2025 00:00:00 GMT

November 12, 2025—The GCP pattern update function now uses an updated version of the Trend Core Common Module – IAU Update. This change ensures compatibility with recent modifications on the IAU Update server and maintains reliable delivery of scanning pattern updates.

Conformity Releases New Template Scanner Resources

Fri, 14 Nov 2025 00:00:00 GMT

November 14, 2025—Conformity released new Google Cloud resources for Template Scanner to enable comprehensive security and compliance checks across the cloud environment. The following resources facilitate automated scanning and validation of infrastructure-as-code templates, ensuring that deployments adhere to best practices and organizational policies. For the full list of resources, see Template Scanner Coverage.

Google Cloud

ArtifactRegistry Repositories (artifactregistry-repositories)
CloudIAM Service Accounts (cloudiam-service-accounts)
CloudIAM Access Approval Settings (cloudiam-accessapproval-settings)
CloudLoadBalancing Backends (cloudloadbalancing-backends)
CloudLoadBalancing UrlMaps (cloudloadbalancing-urlmaps)
BigQuery Datasets (bigquery-datasets)
CloudLogging Log Buckets (cloudlogging-log-buckets)
Dataproc Clusters (dataproc-clusters)
Filestore Instances (filestore-instances)
CertificateManager Certificates (certificatemanager-certificates)
SecretManager Secrets (secretmanager-secrets)

Updated AWS Custom Policy V1.77

Wed, 19 Nov 2025 00:00:00 GMT

November 19, 2025, Conformity—The Conformity AWS custom policy has been updated to the latest version - 1.77.

The new permissions added are
- amplify:ListResourcesForWebACL
- apprunner:DescribeWebAclForService
- apprunner:ListAssociatedServicesForWebAcl
- cloudfront:ListDistributionsByWebACLId
- cognito-idp:ListResourcesForWebACL
- cognito-idp:GetWebACLForResource
- ec2:DescribeVerifiedAccessInstances
- ec2:DescribeVerifiedAccessInstanceWebAclAssociations
- ec2:GetVerifiedAccessInstanceWebAcl
- wafv2:ListResourcesForWebACL

Click here to access the new custom policy.

Support for Windows 11 25h2

Tue, 25 Nov 2025 00:00:00 GMT

Deep Security Agent 20.0.2-26670 and later supports Windows 11, version 25H2.

Support for Debian 13

Tue, 25 Nov 2025 00:00:00 GMT

Debian Linux 13 support: Deep Security Agent 20.0.2-26670 and later supports Debian Linux 13 including Secure Boot support and FIPS mode support. This requires Deep Security Manager 20.0.1112 or later.

Support for Rocky Linux 10

Tue, 25 Nov 2025 00:00:00 GMT

November 25, 2025—Deep Security Agent 20.0.2-26670 and later now supports Rocky Linux 10, including SELinux, Secure Boot, and FIPS mode support.

Conformity Releases New CIS Azure and AWS compliance standards

Fri, 12 Dec 2025 00:00:00 GMT

December 12, 2025—Trend Cloud One - Conformity has released the following new compliance standards

CIS Foundations Benchmarks. - CIS Azure Foundations Benchmark v4.0.0: Conformity has updated the CIS Azure compliance standard to the latest version to meet the Center of Internet Security (CIS) Foundations Benchmarks for Microsoft Azure. You can now filter Checks and download Compliance Reports to ensure your cloud environment complies with the latest CIS Foundations Benchmarks. - CIS Azure Foundations Benchmark v4.0.0.

Deprecation Notice: Conformity has deprecated the CIS Azure Foundations Benchmark v2.1.0 for removal on February 8 2026. It will no longer be accessible in the filters, preventing the creation of new reports or report-configurations with this outdated benchmark. If any existing report configurations include deprecated compliance standards, it will not be possible to generate new PDF/CSV reports. However, the list of previously generated PDF/CSV reports remains available. Trend Cloud One - Conformity recommends updating your report configurations to use the latest versions of CIS Azure Foundations Benchmark before February 8 2026.

AWS Well-Architected Framework Generative AI Lens: Trend Cloud One - Conformity has added support for the new Amazon Web Services Well-Architected Framework Generative AI Lens. Generative AI Lens is an extension of the AWS Well-Architected Framework, complementing the AWS WAF with Gen AI specific controls.

Conformity Releases New Template Scanner Azure Resources

Fri, 12 Dec 2025 00:00:00 GMT

December 12, 2025—Trend Cloud One Conformity Template Scanner has added the following updates to support your Azure cloud infrastructure. For the full list of resources, see Template Scanner Coverage.

New Azure resources
- DNS Zones
- DNS Private Zones
- FrontDoor Profiles
- Access Control Roles
- Acccess Control Custom Roles
- MachineLearning Learning Workspaces
- SecurityCenter Tasks
- SecurityCenter Alerts
- SecurityCenter Pricings
- CosmosDB Servers

API Management Management APIs

SQL Servers

Support for Ubuntu 24.04 AWS Arm-based Graviton2

Fri, 19 Dec 2025 00:00:00 GMT

Ubuntu 24.04 (AWS Arm-based Graviton2) support: Deep Security Agent 20.0.2-29370 and later supports Ubuntu 24.04 (AWS Arm-based Graviton2). This requires Deep Security Manager 20.0.1123 or later.

Updated AWS Custom Policy V1.78

Thu, 26 Feb 2026 00:00:00 GMT

February 26, 2026, Conformity—The Conformity AWS custom policy has been updated to the latest version - 1.78.

The new permissions added are
- bedrock-agentcore:ListAgentRuntimes

Click here to access the new custom policy.

File Storage Security for AWS auto-cleans out-of-date Lambda versions

Thu, 26 Feb 2026 00:00:00 GMT

February 26, 2026—File Storage Security now includes an auto-cleanup feature that removes older Lambda versions. You must redeploy your Client Stack to enable this feature as it requires additional IAM permissions.

Conformity Releases Support for Oracle Cloud Infrastructure Well-Architected Framework

Mon, 02 Mar 2026 00:00:00 GMT

March 02, 2026—Trend Cloud One - Conformity now supports the Oracle Cloud Infrastructure Well-Architected Framework (updated 2025). You can now sort OCI checks and generate reports based on this best practices framework to ensure their cloud environment aligns with Oracle's architectural guidance.

Conformity Releases New Template Scanner AWS Resources

Wed, 11 Mar 2026 00:00:00 GMT

March 10, 2026—Trend Cloud One Conformity Template Scanner has added the following updates to support your AWS cloud infrastructure. For the full list of resources, see Template Scanner Coverage.

The following AWS resources are now supported by Template Scanner in Terraform:

Bedrock Agent
Bedrock Custom Model
Bedrock Guardrail
Bedrock Knowledge Base
Bedrock Model Invocation Logging Configuration

IAM Certificate
IAM Account Password Policy
IAM OpenID Connect Provider
IAM SAML Provider
IAM User

SageMaker Domain
SageMaker Endpoint
SageMaker Endpoint Config
SageMaker Model
SageMaker Notebook Instance

Upcoming EKS rule updates for enhanced security and network policy validation

Thu, 12 Mar 2026 00:00:00 GMT

March 12, 2026, Conformity—Upcoming Rule Updates

Release Date: March 18, 2026

The following rules will be updated to align with the latest industry recommendations. These updates introduce stricter evaluation criteria, which may result in changes to your compliance scores. It is recommended that you review the affected rules and any newly flagged resources ahead of the effective date.

AWS

EKS-001: EKS Cluster Endpoint Public Access: Now requires endpointPrivateAccess to be enabled. See EKS-001 documentation for further details.
EKS-006: Enable Network Policies: Now validates presence of the VPC CNI addon. See EKS-006 documentation for further details.

Updated AWS Custom Policy V1.79

Mon, 16 Mar 2026 00:00:00 GMT

March 16, 2026, Conformity—The Conformity AWS custom policy has been updated to the latest version - 1.79.

The new permissions added are
- eks:DescribeNodegroup
- eks:ListNodegroups
- ec2:DescribeLaunchTemplateVersions

Click here to access the new custom policy.

Upcoming Azure rule updates for MFA scoring and Function App evaluation changes

Thu, 19 Mar 2026 00:00:00 GMT

March 19, 2026, Conformity—Upcoming Rule Updates

Release Date: March 26, 2026

Azure

The following MFA rules are now scored and will affect your compliance scores:

The following rules no longer evaluate on Function Apps:

Support for SUSE Linux Enterprise Server 16

Fri, 20 Mar 2026 00:00:00 GMT

SUSE Linux Enterprise Server 16 (64-bit) support: Deep Security Agent 20.0.3-5660 and later supports SUSE Linux Enterprise Server 16 (64-bit), including SELinux, Secure Boot, and FIPS mode.

Support for Red Hat Enterprise Linux 10 on Arm architecture

Fri, 20 Mar 2026 00:00:00 GMT

Red Hat Enterprise Linux 10 (64-bit Arm (aarch64)) support: Deep Security Agent 20.0.3-5660 and later supports Red Hat Enterprise Linux 10 (64-bit Arm (aarch64)), including SELinux and Secure Boot.

Updated compliance standard: CIS Azure Foundations Benchmark v5.0.0

Wed, 25 Mar 2026 00:00:00 GMT

Updated compliance standard: CIS Foundations Benchmarks

We have updated our compliance standards to meet the Center for Internet Security (CIS) Foundations Benchmarks for Microsoft Azure. You can now filter Checks and download Compliance Reports to ensure your cloud environment complies with the latest CIS Foundations Benchmarks.

CIS Azure Foundations Benchmark v5.0.0

Removal notice

CIS Azure Foundations Benchmark v3.0.0 will be removed on April 29, 2026. After this date, it will no longer be accessible in filters, and you will not be able to create new reports or report configurations with this benchmark. Previously generated PDF and CSV reports will remain available. We recommend updating your report configurations to use CIS Azure Foundations Benchmark v5.0.0 before April 29, 2026.

You can view the CIS certifications awarded to Trend Micro on the CIS partner website and find out more about compliance in Cloud Posture in our documentation.

Upcoming Azure App Service rule updates

Wed, 25 Mar 2026 00:00:00 GMT

March 25, 2026, Conformity—Upcoming Rule Updates

Release Date: March 31, 2026

Azure

All App Service rules no longer consider Azure Function resources when performing checks. This may lead to a reduction in both success and failure checks, which could influence compliance scores. Consult the App Service and Function knowledge base articles for more information.

GCP Cloud functions runtime updated in the TrendAI Cloud One File Storage Security GCP template

Mon, 30 Mar 2026 00:00:00 GMT

March 31, 2026—TrendAI™ Cloud One File Security Storage is upgrading the GCP Cloud Functions runtime from Node.js 20 to Node.js 22 in the TrendAI™ Cloud One File Security Storage (GCP) template. Google Cloud has scheduled Node.js 20 for deprecation on April 30, 2026. After this date, functions running on deprecated runtimes will no longer receive security patches and may be blocked from deployment.

Support for AlmaLinux 10

Wed, 15 Apr 2026 00:00:00 GMT

AlmaLinux 10 (64-bit) support: Deep Security Agent 20.0.3-8130 and later supports AlmaLinux 10 (64-bit), including SELinux, Secure Boot, and FIPS mode.

Updated AWS Custom Policy V1.82

Tue, 28 Apr 2026 00:00:00 GMT

April 28, 2026, Conformity—The Conformity AWS custom policy has been updated to the latest version - 1.82.

The new permissions added are
- application-autoscaling:GetPredictiveScalingForecast
- application-autoscaling:ListTagsForResource

Click here to access the new custom policy.

Updated AWS Custom Policy V1.83

Tue, 05 May 2026 00:00:00 GMT

May 05, 2026, Conformity—The Conformity AWS custom policy has been updated to the latest version - 1.83 and the permissions added are:

bedrock-agentcore:ListAgentRuntimeEndpoints
bedrock-agentcore:GetAgentRuntimeEndpoint
bedrock-agentcore:ListTagsForResource
bedrock-agentcore:GetResourcePolicy
bedrock-agentcore:ListAgentRuntimeVersions
bedrock-agentcore:ListGateways
bedrock-agentcore:GetGateway
bedrock-agentcore:ListGatewayTargets
bedrock-agentcore:GetGatewayTarget
bedrock-agentcore:ListPolicyEngines
bedrock-agentcore:GetPolicyEngine
bedrock-agentcore:ListPolicyGenerations
bedrock-agentcore:GetPolicyGeneration
bedrock-agentcore:ListPolicies
bedrock-agentcore:GetPolicy
bedrock-agentcore:ListPolicyGenerationAssets
bedrock-agentcore:ListApiKeyCredentialProviders
bedrock-agentcore:GetApiKeyCredentialProvider
bedrock-agentcore:ListOauth2CredentialProviders
bedrock-agentcore:GetOauth2CredentialProvider
bedrock-agentcore:GetTokenVault
bedrock-agentcore:ListWorkloadIdentities
bedrock-agentcore:GetWorkloadIdentity
bedrock-agentcore:ListBrowsers
bedrock-agentcore:GetBrowser
bedrock-agentcore:ListBrowserProfiles
bedrock-agentcore:GetBrowserProfile
bedrock-agentcore:ListEvaluators
bedrock-agentcore:GetEvaluator
bedrock-agentcore:ListOnlineEvaluationConfigs
bedrock-agentcore:GetOnlineEvaluationConfig
bedrock-agentcore:ListCodeInterpreters
bedrock-agentcore:GetCodeInterpreter
bedrock-agentcore:ListMemories
bedrock-agentcore:GetMemory

Click here to access the new custom policy.