
Trend Micro Apex One

This Integration is part of the Trend Micro Apex One Pack.#

Trend Micro Apex One central automation to manage agents and User-Defined Suspicious Objects

This integration was integrated and tested with version 2019 hotfix 5449 of Trend Micro Apex One Central

Configure Trend Micro Apex One in Cortex#

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://vxsuz5.manage.trendmicro.com) | True |
| application_id | Application ID | True |
| token | API Key | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
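The Application ID and API Key above are not sent as a static bearer secret. The Apex Central Automation API expects each request to carry a short-lived HS256 JWT whose payload includes a SHA-256 checksum of the HTTP method, request path, headers and body, signed with the API key; the server recomputes both and rejects a token reused against a different request. The following is an added example of that scheme, written for this page and not the integration's or Trend Micro's own code. It follows the shape of Trend Micro's public Automation API samples; the `UDSO_PATH` constant, the PUT method and the JSON body layout are assumptions for illustration, and `verify_jwt_token` is only the server-side check reconstructed so the binding can be exercised offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed request path, taken from Trend Micro's public Automation API samples.
UDSO_PATH = "/WebApp/api/SuspiciousObjects/UserDefinedSO/"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT compact form requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def create_checksum(http_method: str, raw_url: str, headers: str, request_body: str) -> str:
    """SHA-256 over METHOD|path|headers|body, base64-encoded. This is what binds
    the token to exactly one request."""
    string_to_hash = "|".join([http_method.upper(), raw_url.lower(), headers, request_body])
    digest = hashlib.sha256(string_to_hash.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def create_jwt_token(application_id: str, api_key: str, http_method: str, raw_url: str,
                     request_body: str = "", headers: str = "",
                     iat: Optional[int] = None) -> str:
    """HS256 JWT signed with the API key. The key itself never goes on the wire;
    the server recomputes the signature and the checksum on its side."""
    payload = {
        "appid": application_id,
        "iat": int(time.time()) if iat is None else iat,
        "version": "V1",
        "checksum": create_checksum(http_method, raw_url, headers, request_body),
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    signature = hmac.new(api_key.encode("utf-8"), signing_input.encode("ascii"),
                         hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt_token(token: str, api_key: str, http_method: str, raw_url: str,
                     request_body: str = "", headers: str = "") -> bool:
    """Server-side check: valid signature AND a checksum that matches the request
    as actually received. A token replayed against a modified body fails."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    head, body, sig = parts
    expected_sig = _b64url(hmac.new(api_key.encode("utf-8"), f"{head}.{body}".encode("ascii"),
                                    hashlib.sha256).digest())
    if not hmac.compare_digest(expected_sig, sig):
        return False
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    expected_checksum = create_checksum(http_method, raw_url, headers, request_body)
    return hmac.compare_digest(str(payload.get("checksum", "")), expected_checksum)


def build_udso_add_request(application_id: str, api_key: str, base_url: str, udso: dict) -> dict:
    """Assemble a signed request that adds one UDSO entry. The PUT method and the
    body layout (keys as in the udso-list context output) are assumptions."""
    body = json.dumps(udso, separators=(",", ":"))
    token = create_jwt_token(application_id, api_key, "PUT", UDSO_PATH, body)
    return {
        "method": "PUT",
        "url": base_url.rstrip("/") + UDSO_PATH,
        "headers": {"Authorization": "Bearer " + token,
                    "Content-Type": "application/json;charset=utf-8"},
        "body": body,
    }
```

Because the path is lower-cased before hashing and the body is hashed byte for byte, any proxy or middleware that rewrites the body (re-serialising JSON, changing whitespace) between signing and sending will break authentication; sign the exact bytes you transmit.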

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

trendmicro-apex-udso-list#


Retrieve a list of User-Defined Suspicious Objects from the Apex One Central server.

Base Command#

trendmicro-apex-udso-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type | The suspicious object type to query | Optional |
| content_filter | Filters the list to suspicious objects that match the specified string | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TrendMicroApex.UDSO.type | String | Indicator type of the UDSO object, for example: ip, file, file_sha1, url, domain. |
| TrendMicroApex.UDSO.content | String | Indicator content of the UDSO object. |
| TrendMicroApex.UDSO.notes | String | Indicator notes of the UDSO object. |
| TrendMicroApex.UDSO.scan_action | String | Scan action of the UDSO object, for example: log, block, quarantine. |
| TrendMicroApex.UDSO.expiration_utc_date | Date | Expiration date of the UDSO object in UTC. |

Command Example#

!trendmicro-apex-udso-list

Context Example#

{
"TrendMicroApex": {
"UDSO": [
{
"content": "A94A8FE5CCB19BA61C4C0873D391E987982FBBD3",
"expiration_utc_date": null,
"notes": "Documentation",
"scan_action": "log",
"type": "file"
},
{
"content": "8.8.8.8",
"expiration_utc_date": null,
"notes": "Documentation",
"scan_action": "log",
"type": "ip"
}
]
}
}

Human Readable Output#

Apex UDSO List#

| content | expiration_utc_date | notes | scan_action | type |
| --- | --- | --- | --- | --- |
| A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 |  | Documentation | log | file |
| 8.8.8.8 |  | Documentation | log | ip |

trendmicro-apex-udso-add#


Add suspicious file SHA-1, IP address, domain, or URL objects to the User-Defined Suspicious Object list.

Base Command#

trendmicro-apex-udso-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type | The suspicious object type | Required |
| content | The suspicious object content for the specified type, for example 8.8.8.8 (for type "file", provide the binary content of the suspicious file as a base64 string) | Required |
| scan_action | The scan action to perform on the suspicious object (the "quarantine" scan action is only available for file type objects) | Required |
| notes | Description of the object. | Optional |
| expiration | The UTC expiration date and time of the suspicious object, for example: 2020-01-25T09:00:00Z | Optional |

Context Output#

There is no context output for this command.

Command Example#

!trendmicro-apex-udso-add type="ip" content="8.8.8.8" scan_action="log" notes="Documentation"

Context Example#

{}

Human Readable Output#

UDSO "8.8.8.8" of type "ip" was added successfully with scan action "log"#

trendmicro-apex-udso-delete#


Delete suspicious file SHA-1, IP address, domain, or URL objects from the User-Defined Suspicious Object list.

Base Command#

trendmicro-apex-udso-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type | The suspicious object type | Required |
| content | The suspicious object content for the specified type | Required |
| notes | Description of the object (maximum length: 256 characters). | Optional |
| scan_action | The scan action to perform on the suspicious object. | Optional |
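A UDSO entry is an enforcement rule pushed to every managed agent, so the arguments of `trendmicro-apex-udso-add` and `trendmicro-apex-udso-delete` are worth checking before the command runs rather than after the server rejects them (or, worse, accepts a bad one). The validator below is an added example for this page, not the integration's code. It enforces only what the two argument tables state: the type set from the udso-list output, the `log`/`block`/`quarantine` actions with `quarantine` limited to `file`, the 256-character `notes` limit from the delete table, and the `2020-01-25T09:00:00Z` expiration format. The refusal to list loopback, unspecified or multicast addresses and the rejection of expirations already in the past are added guards, not constraints the page documents; `render_udso_add` is a helper that prints the War Room command line.

```python
import base64
import binascii
import ipaddress
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

UDSO_TYPES = {"ip", "file", "file_sha1", "url", "domain"}
SCAN_ACTIONS = {"log", "block", "quarantine"}
NOTES_MAX_LEN = 256                     # limit stated for the delete command's notes argument
EXPIRATION_FMT = "%Y-%m-%dT%H:%M:%SZ"   # e.g. 2020-01-25T09:00:00Z
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$", re.I)


def validate_udso(type_: str, content: str, scan_action: str = "log",
                  notes: Optional[str] = None, expiration: Optional[str] = None,
                  now: Optional[datetime] = None) -> dict:
    """Return the normalized command arguments, or raise ValueError with the reason."""
    if type_ not in UDSO_TYPES:
        raise ValueError(f"unknown type {type_!r}; expected one of {sorted(UDSO_TYPES)}")
    if scan_action not in SCAN_ACTIONS:
        raise ValueError(f"unknown scan_action {scan_action!r}")
    if scan_action == "quarantine" and type_ != "file":
        raise ValueError('the "quarantine" scan action is only available for file type objects')

    content = content.strip()
    if not content:
        raise ValueError("content must not be empty")
    if type_ == "ip":
        addr = ipaddress.ip_address(content)  # raises ValueError on anything that is not an address
        # Added guard: blocking loopback/unspecified/multicast addresses is self-inflicted damage.
        if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
            raise ValueError(f"refusing to list {content}: not a routable host address")
        content = str(addr)
    elif type_ == "file_sha1":
        if not SHA1_RE.match(content):
            raise ValueError("file_sha1 content must be 40 hex characters")
        content = content.upper()
    elif type_ == "file":
        try:
            base64.b64decode(content, validate=True)
        except binascii.Error as exc:
            raise ValueError("file content must be the file bytes as a base64 string") from exc
    elif type_ == "domain":
        if not DOMAIN_RE.match(content):
            raise ValueError(f"{content!r} is not a valid domain name")
        content = content.lower()
    elif type_ == "url":
        parts = urlsplit(content)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"{content!r} is not an http(s) URL")

    if notes is not None and len(notes) > NOTES_MAX_LEN:
        raise ValueError(f"notes exceed {NOTES_MAX_LEN} characters")
    if expiration is not None:
        try:
            exp = datetime.strptime(expiration, EXPIRATION_FMT).replace(tzinfo=timezone.utc)
        except ValueError as exc:
            raise ValueError("expiration must look like 2020-01-25T09:00:00Z (UTC)") from exc
        if exp <= (now or datetime.now(timezone.utc)):  # added guard, not a documented constraint
            raise ValueError("expiration is already in the past; the entry would never apply")

    args = {"type": type_, "content": content, "scan_action": scan_action}
    if notes:
        args["notes"] = notes
    if expiration:
        args["expiration"] = expiration
    return args


def udso_error(*args, **kwargs) -> Optional[str]:
    """Same checks, but return the reason instead of raising (handy in a playbook branch)."""
    try:
        validate_udso(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


def render_udso_add(args: dict) -> str:
    """Render validated arguments as the War Room command line."""
    cells = (f'{key}="{str(value).replace(chr(34), chr(92) + chr(34))}"' for key, value in args.items())
    return "!trendmicro-apex-udso-add " + " ".join(cells)
```

Run on the page's own example, `render_udso_add(validate_udso("ip", "8.8.8.8", "log", "Documentation"))` reproduces the command line shown under trendmicro-apex-udso-add.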

Context Output#

There is no context output for this command.

Command Example#

!trendmicro-apex-udso-delete type=ip content=8.8.8.8

Context Example#

{}

Human Readable Output#

UDSO "8.8.8.8" of type "ip" was deleted successfully#

trendmicro-apex-isolate#


Isolate an agent from the network

Base Command#

trendmicro-apex-isolate

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| multi_match | Whether to allow multiple matches or not. If this argument is set to "false" and the provided parameters match multiple agents, the action will be unsuccessful. | Optional |
| entity_id | The GUID of the managed product agent | Optional |
| ip_address | The IP address of the managed product agent | Optional |
| mac_address | The MAC address of the managed product agent | Optional |
| host_name | The endpoint name of the managed product agent | Optional |
| product | The Trend Micro product on the server instance | Optional |

Context Output#

There is no context output for this command.

Command Example#

!trendmicro-apex-isolate multi_match="true" ip_address="8.8.8.8"

Context Example#

{}

Human Readable Output#

No agents were affected.#

trendmicro-apex-restore#


Restore an isolated agent connection to the network.

Base Command#

trendmicro-apex-restore

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| multi_match | Whether to allow multiple matches or not. If this argument is set to "false" and the provided parameters match multiple agents, the action will be unsuccessful. | Optional |
| entity_id | The GUID of the managed product agent | Optional |
| ip_address | The IP address of the managed product agent | Optional |
| mac_address | The MAC address of the managed product agent | Optional |
| host_name | The endpoint name of the managed product agent | Optional |
| product | The Trend Micro product on the server instance | Optional |

Context Output#

There is no context output for this command.

Command Example#

!trendmicro-apex-restore multi_match="true" ip_address="8.8.8.8"

Context Example#

{}

Human Readable Output#

No agents were affected.#

trendmicro-apex-list-logs#


Retrieves a maximum of 1000 logs of the specified detection type from the server. The Pattern Update Status and Engine Update Status log types return all logs (no maximum) from the specified "since_time". In some cases the command might return logs that were created before the specified time. This is a known issue with the API.

Base Command#

trendmicro-apex-list-logs

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page_token | The log ID of the first record to query. Note: For Pattern Update Status and Engine Update Status logs, the value of page_token must be "0". | Optional |
| since_time | The date/time of the first record to query, in one of the following formats: '2020-06-21T08:00:00Z', 'Jun 21 2020 08:00:00 GMT+00:00'. In some cases the command might return logs that were created before the specified time. This is a known issue with the API. | Optional |
| log_type | The type of log data to retrieve. | Required |
| limit | The number of items to return. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TrendMicroApex.Log.LogVersion | Number | The version of the log. |
| TrendMicroApex.Log.EventName | String | The name of the event. |
| TrendMicroApex.Log.EventID | String | The event ID. |
| TrendMicroApex.Log.ApplianceVersion | Number | The version of the appliance. |
| TrendMicroApex.Log.ApplianceProduct | String | The product name. |
| TrendMicroApex.Log.ApplianceVendor | String | The vendor name. |

Command Example#

!trendmicro-apex-list-logs log_type="Web Violation" limit=2 since_time="Jun 21 2020 07:56:09 GMT+00:00"

Context Example#

{
"TrendMicroApex": {
"Log": [
{
"ApplianceProduct": "Apex Central",
"ApplianceVendor": "Trend Micro",
"ApplianceVersion": "2019",
"CreationTime": "Jun 21 2020 07:56:09 GMT+00:00",
"EventID": "WB:36",
"EventName": "36",
"LogVersion": "0",
"SLF_PolicyName": "Internal User Policy",
"SLF_SeverityLevel": "100 ",
"Severity": "3",
"Web_Reputation_Rating": "49",
"act": "2",
"app": "5",
"cat": "36",
"cnt": "1",
"deviceDirection": "2",
"deviceExternalId": "1",
"deviceFacility": "Apex One",
"deviceProcessName": "C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe",
"dpt": "80",
"duser": "TRENDMICROAPEX-\\\\admin",
"dvchost": "CU-PRO1-8254-2",
"request": "http://www.eicar.org/download/eicar.com.txt",
"shost": "TRENDMICROAPEX-",
"src": "10.128.0.11"
},
{
"ApplianceProduct": "Apex Central",
"ApplianceVendor": "Trend Micro",
"ApplianceVersion": "2019",
"CreationTime": "Jun 21 2020 07:56:28 GMT+00:00",
"EventID": "WB:36",
"EventName": "36",
"LogVersion": "0",
"SLF_PolicyName": "Internal User Policy",
"SLF_SeverityLevel": "100 ",
"Severity": "3",
"Web_Reputation_Rating": "49",
"act": "2",
"app": "5",
"cat": "36",
"cnt": "1",
"deviceDirection": "2",
"deviceExternalId": "2",
"deviceFacility": "Apex One",
"deviceProcessName": "C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe",
"dpt": "80",
"duser": "TRENDMICROAPEX-\\\\admin",
"dvchost": "CU-PRO1-8254-2",
"request": "http://www.eicar.org/download/eicar.com",
"shost": "TRENDMICROAPEX-",
"src": "10.128.0.11"
}
]
}
}

Human Readable Output#

Trend Micro Apex One - Web Violation Logs#

| EventName | EventID | CreationTime | LogVersion | ApplianceVersion | ApplianceProduct | ApplianceVendor |
| --- | --- | --- | --- | --- | --- | --- |
| 36 | WB:36 | Jun 21 2020 07:56:09 GMT+00:00 | 0 | 2019 | Apex Central | Trend Micro |
| 36 | WB:36 | Jun 21 2020 07:56:28 GMT+00:00 | 0 | 2019 | Apex Central | Trend Micro |
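Two things in the trendmicro-apex-list-logs description need handling on the caller's side: the API may hand back records older than `since_time`, and paging with `page_token` can overlap, so a playbook that polls this command will double-process events unless it filters. The block below is an added example written for this page, not the integration's code. It parses both `since_time` spellings the argument accepts, drops records older than the cut-off, de-duplicates on `deviceExternalId` (assumed here to be the per-log ID that `page_token` refers to; the page does not say so), and then reduces the CEF-style Web Violation fields (`src`, `duser`, `deviceProcessName`, `request`, `cnt`) to one row per source and user. The sample records are constructed: the two from the command example above with only the fields the code uses, an older one the API might return anyway, and a repeat of log 2 as a second page would deliver it.

```python
from datetime import datetime, timezone
from typing import Iterable, List, Set
from urllib.parse import urlsplit

CREATION_TIME_FMT = "%b %d %Y %H:%M:%S GMT%z"   # "Jun 21 2020 07:56:09 GMT+00:00"
ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"                  # "2020-06-21T08:00:00Z"


def parse_log_time(value: str) -> datetime:
    """Accept both since_time spellings the command takes; always return an aware datetime."""
    if value.endswith("Z"):
        return datetime.strptime(value, ISO_FMT).replace(tzinfo=timezone.utc)
    return datetime.strptime(value, CREATION_TIME_FMT)


def select_new_logs(logs: Iterable[dict], since_time: str, seen_ids: Set[str]) -> List[dict]:
    """Client-side guard for the known API issue: drop anything older than since_time
    and anything whose log ID was already processed on an earlier page.
    Assumes deviceExternalId is the per-log ID that page_token refers to."""
    since = parse_log_time(since_time)
    fresh = []
    for log in logs:
        log_id = str(log.get("deviceExternalId", ""))
        if parse_log_time(log["CreationTime"]) < since or log_id in seen_ids:
            continue
        seen_ids.add(log_id)
        fresh.append(log)
    return fresh


def summarize_web_violations(logs: Iterable[dict]) -> List[dict]:
    """One row per (source IP, user, process): which hosts were requested and how often."""
    rows = {}
    for log in logs:
        key = (log.get("src"), log.get("duser"), log.get("deviceProcessName"))
        row = rows.setdefault(key, {"src": key[0], "user": key[1], "process": key[2],
                                    "hosts": set(), "hits": 0})
        row["hits"] += int(log.get("cnt", "1"))
        host = urlsplit(log.get("request", "")).hostname
        if host:
            row["hosts"].add(host)
    return [dict(row, hosts=sorted(row["hosts"])) for row in rows.values()]


# Constructed sample: record 0 is made up and predates since_time; 1 and 2 are the
# command example's records trimmed to the fields used here; the last is a repeat of 2.
SAMPLE_LOGS = [
    {"deviceExternalId": "0", "CreationTime": "Jun 21 2020 07:40:00 GMT+00:00",
     "src": "10.128.0.11", "duser": "TRENDMICROAPEX-\\admin", "cnt": "1",
     "deviceProcessName": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
     "request": "http://www.eicar.org/download/eicar_com.zip"},
    {"deviceExternalId": "1", "CreationTime": "Jun 21 2020 07:56:09 GMT+00:00",
     "src": "10.128.0.11", "duser": "TRENDMICROAPEX-\\admin", "cnt": "1",
     "deviceProcessName": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
     "request": "http://www.eicar.org/download/eicar.com.txt"},
    {"deviceExternalId": "2", "CreationTime": "Jun 21 2020 07:56:28 GMT+00:00",
     "src": "10.128.0.11", "duser": "TRENDMICROAPEX-\\admin", "cnt": "1",
     "deviceProcessName": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
     "request": "http://www.eicar.org/download/eicar.com"},
    {"deviceExternalId": "2", "CreationTime": "Jun 21 2020 07:56:28 GMT+00:00",
     "src": "10.128.0.11", "duser": "TRENDMICROAPEX-\\admin", "cnt": "1",
     "deviceProcessName": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
     "request": "http://www.eicar.org/download/eicar.com"},
]
```

Keep `seen_ids` across polling iterations (for example in the integration context or a list) so that the next call, whatever `page_token` and `since_time` it uses, cannot re-emit a record already turned into an incident.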

trendmicro-apex-udso-file-add#


Adds the uploaded file information to the User-Defined Suspicious Objects list. If the file already exists, it will be updated with the new arguments.

Base Command#

trendmicro-apex-udso-file-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file_scan_action | The scan action to perform. Can be 'Log', 'Block' or 'Quarantine'. Default is 'Log'. | Required |
| note | Additional information. | Optional |
| entry_id | The entry ID of the file to upload. | Required |

Context Output#

There is no context output for this command.

Command Example#

!trendmicro-apex-udso-file-add entry_id=10378@f6e9c46f-e2e9-446f-8cd9-909bd5f72dbf file_scan_action=Log note="Documentation"

Context Example#

{}

Human Readable Output#

The file "test" was added to the UDSO list successfully#

trendmicro-apex-managed-servers-list#


Retrieves a list of managed product servers reporting to Apex One Central.

Base Command#

trendmicro-apex-managed-servers-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entity_id | The GUID of the managed product server. | Optional |
| ip_address | The IP address of the endpoint. | Optional |
| mac_address | The MAC address of the endpoint. | Optional |
| host_name | The name of the endpoint. | Optional |
| product | The Trend Micro product name. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TrendMicroApex.Server.entity_id | String | The GUID of the managed product server. |
| TrendMicroApex.Server.product | String | The Trend Micro product on the server instance. |
| TrendMicroApex.Server.ad_domain | String | The Active Directory domain that the server belongs to (if applicable). |
| TrendMicroApex.Server.ip_address_list | String | The IP address list on the server. |
| TrendMicroApex.Server.host_name | String | The hostname of the server. |
| TrendMicroApex.Server.capabilities | String | The API actions that can be performed on the server. |

Command Example#

!trendmicro-apex-managed-servers-list

Context Example#

{
"TrendMicroApex": {
"Server": [
{
"ad_domain": "",
"capabilities": [],
"entity_id": "E9DF20C5-F060-4BC5-8A4B-5452163A1C77",
"host_name": "cu-pro1-8254-2",
"ip_address_list": [
"8.8.8.8"
],
"product": "SLF_PRODUCT_PLS_TMSM"
},
{
"ad_domain": "",
"capabilities": [
"cmd_deploy_update_sources"
],
"entity_id": "B220EB61-6240-44B4-9B94-4AC3F22E6A62",
"host_name": "CU-PRO1-8254-2",
"ip_address_list": [
"8.8.8.8"
],
"product": "SLF_PRODUCT_OFFICESCAN_CE"
},
{
"ad_domain": "",
"capabilities": [],
"entity_id": "DA010000-0000-0004-6B00-FFFFFFFFFFFF",
"host_name": "",
"ip_address_list": [
""
],
"product": "SLF_PRODUCT_HEADLESS_DSM"
}
]
}
}

Human Readable Output#

Trend Micro Apex Servers List#

| Entity Id | Product | Host Name | Ip Address List | Capabilities |
| --- | --- | --- | --- | --- |
| E9DF20C5-F060-4BC5-8A4B-5452163A1C77 | SLF_PRODUCT_PLS_TMSM | cu-pro1-8254-2 | 8.8.8.8 |  |
| B220EB61-6240-44B4-9B94-4AC3F22E6A62 | SLF_PRODUCT_OFFICESCAN_CE | CU-PRO1-8254-2 | 8.8.8.8 | cmd_deploy_update_sources |
| DA010000-0000-0004-6B00-FFFFFFFFFFFF | SLF_PRODUCT_HEADLESS_DSM |  |  |  |

trendmicro-apex-security-agents-list#


Retrieves a list of Security Agents.

Base Command#

trendmicro-apex-security-agents-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entity_id | The GUID of the Security Agent. | Optional |
| ip_address | The IP address of the endpoint. | Optional |
| mac_address | The MAC address of the endpoint. | Optional |
| host_name | The name of the endpoint. | Optional |
| product | The Trend Micro product name. | Optional |
| managing_server_id | The GUID of the product server that manages the Security Agent. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TrendMicroApex.Agent.entity_id | String | The GUID of the Security Agent. |
| TrendMicroApex.Agent.product | String | The Trend Micro product name. |
| TrendMicroApex.Agent.managing_server_id | String | The GUID of the product server that manages the Security Agent. |
| TrendMicroApex.Agent.ad_domain | String | The Active Directory domain that the agent belongs to (if applicable). |
| TrendMicroApex.Agent.folder_path | String | The folder path of the agent in the Apex One agent tree. |
| TrendMicroApex.Agent.ip_address_list | String | The IP address list of the endpoint. |
| TrendMicroApex.Agent.mac_address_list | String | The MAC address of the endpoint. |
| TrendMicroApex.Agent.host_name | String | The name of the endpoint. |
| TrendMicroApex.Agent.isolation_status | String | The isolation status of the agent. |
| TrendMicroApex.Agent.capabilities | String | Lists the API actions that can be performed on the agent. |

Command Example#

!trendmicro-apex-security-agents-list

Context Example#

{
"TrendMicroApex": {
"Agent": {
"ad_domain": "",
"capabilities": [
"cmd_restore_isolated_agent",
"cmd_isolate_agent",
"cmd_relocate_agent",
"cmd_uninstall_agent"
],
"entity_id": "b59e624c-2cf0-4180-83d7-e08abbf9ad54",
"folder_path": "Workgroup",
"host_name": "TRENDMICROAPEX-",
"ip_address_list": [
"10.128.0.11"
],
"isolation_status": "normal",
"mac_address_list": "42-01-0A-80-00-0B",
"managing_server_id": "B220EB61-6240-44B4-9B94-4AC3F22E6A62",
"product": "SLF_PRODUCT_OFFICESCAN_CE"
}
}
}

Human Readable Output#

Trend Micro Apex One Agents List#

| Capabilities | Entity Id | Folder Path | Host Name | Ip Address List | Isolation Status | Mac Address List | Managing Server Id | Product |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| cmd_restore_isolated_agent, cmd_isolate_agent, cmd_relocate_agent, cmd_uninstall_agent | b59e624c-2cf0-4180-83d7-e08abbf9ad54 | Workgroup | TRENDMICROAPEX- | 8.8.8.8 | normal | 42-01-0A-80-00-0B | B220EB61-6240-44B4-9B94-4AC3F22E6A62 | SLF_PRODUCT_OFFICESCAN_CE |
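Network isolation is the most disruptive action on this page, and trendmicro-apex-isolate and trendmicro-apex-restore accept the same loose selectors (IP, MAC, host name, product) that trendmicro-apex-security-agents-list does, with `multi_match` as the only guard against hitting more hosts than intended. A playbook can make that decision explicit: list the agents first, apply the selectors, and only then send the action to the entity IDs that actually qualify. The block below is an added example written for this page, not the integration's code. It reproduces the `multi_match` rule from the argument table, checks that the agent's `capabilities` include `cmd_isolate_agent` or `cmd_restore_isolated_agent`, and uses `isolation_status` to skip no-op actions; the page only shows the value `normal`, so `isolated` as the other state is an assumption. The sample agent list is constructed: the record from the command example plus two invented ones, one sharing its host name without the isolate capability and one already isolated.

```python
from typing import Dict, List

ACTION_CAPABILITY = {"isolate": "cmd_isolate_agent", "restore": "cmd_restore_isolated_agent"}
SELECTOR_KEYS = ("entity_id", "ip_address", "mac_address", "host_name", "product")


def _as_list(value) -> list:
    """mac_address_list is a string in the example output and a list elsewhere; accept both."""
    return value if isinstance(value, list) else [value]


def find_agents(agents: List[dict], **selectors) -> List[dict]:
    """Apply the selectors the isolate/restore commands accept (all given selectors must match)."""
    matched = []
    for agent in agents:
        if "entity_id" in selectors and agent["entity_id"].lower() != selectors["entity_id"].lower():
            continue
        if "ip_address" in selectors and selectors["ip_address"] not in _as_list(agent.get("ip_address_list", [])):
            continue
        if "mac_address" in selectors and selectors["mac_address"].upper() not in [
                m.upper() for m in _as_list(agent.get("mac_address_list", []))]:
            continue
        if "host_name" in selectors and agent.get("host_name", "").lower() != selectors["host_name"].lower():
            continue
        if "product" in selectors and agent.get("product") != selectors["product"]:
            continue
        matched.append(agent)
    return matched


def plan_agent_action(agents: List[dict], action: str, multi_match: bool = False, **selectors) -> Dict:
    """Decide which entity_ids an isolate/restore should touch before sending it.
    Returns {"targets": [...], "skipped": [(entity_id, reason), ...], "error": str or None}."""
    if action not in ACTION_CAPABILITY:
        raise ValueError(f"action must be one of {sorted(ACTION_CAPABILITY)}")
    unknown = set(selectors) - set(SELECTOR_KEYS)
    if unknown:
        return {"targets": [], "skipped": [], "error": f"unknown selector(s): {sorted(unknown)}"}
    if not selectors:
        # Added guard: an empty selector set would otherwise match every agent.
        return {"targets": [], "skipped": [], "error": "no selector given; refusing to act on all agents"}
    matched = find_agents(agents, **selectors)
    if len(matched) > 1 and not multi_match:
        # Same rule as the multi_match argument: several matches and multi_match=false fails.
        return {"targets": [], "skipped": [],
                "error": f"{len(matched)} agents match; pass multi_match=true to act on all of them"}
    capability = ACTION_CAPABILITY[action]
    targets, skipped = [], []
    for agent in matched:
        status = agent.get("isolation_status")
        if capability not in agent.get("capabilities", []):
            skipped.append((agent["entity_id"], f"agent does not offer {capability}"))
        elif action == "isolate" and status == "isolated":   # assumed value, see lead-in
            skipped.append((agent["entity_id"], "already isolated"))
        elif action == "restore" and status == "normal":
            skipped.append((agent["entity_id"], "not isolated"))
        else:
            targets.append(agent["entity_id"])
    return {"targets": targets, "skipped": skipped, "error": None}


# Constructed sample: the first record is the one from the command example above.
SAMPLE_AGENTS = [
    {"entity_id": "b59e624c-2cf0-4180-83d7-e08abbf9ad54", "host_name": "TRENDMICROAPEX-",
     "ip_address_list": ["10.128.0.11"], "mac_address_list": "42-01-0A-80-00-0B",
     "isolation_status": "normal", "product": "SLF_PRODUCT_OFFICESCAN_CE",
     "capabilities": ["cmd_restore_isolated_agent", "cmd_isolate_agent",
                      "cmd_relocate_agent", "cmd_uninstall_agent"]},
    {"entity_id": "00000000-0000-4000-8000-000000000002", "host_name": "trendmicroapex-",
     "ip_address_list": ["10.128.0.12"], "mac_address_list": ["42-01-0A-80-00-0C"],
     "isolation_status": "normal", "product": "SLF_PRODUCT_OFFICESCAN_CE",
     "capabilities": ["cmd_relocate_agent"]},
    {"entity_id": "00000000-0000-4000-8000-000000000003", "host_name": "WS-FINANCE-07",
     "ip_address_list": ["10.128.0.13"], "mac_address_list": ["42-01-0A-80-00-0D"],
     "isolation_status": "isolated", "product": "SLF_PRODUCT_OFFICESCAN_CE",
     "capabilities": ["cmd_restore_isolated_agent", "cmd_isolate_agent"]},
]
```

With a plan in hand, send `!trendmicro-apex-isolate entity_id=<GUID>` once per target instead of one host-name call with `multi_match="true"`; an empty target list corresponds to the "No agents were affected." output shown above, and the skipped list tells the analyst why.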

trendmicro-apex-endpoint-sensors-list#


Retrieves a list of Security Agents with the Endpoint Sensor feature enabled.

Base Command#

trendmicro-apex-endpoint-sensors-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The number of records to retrieve. Default is 50. | Optional |
| offset | The page from which to start retrieving records. Default is 0. | Optional |
| filter_by_endpoint_name | Filter the agents by endpoint name (partial string match). | Optional |
| filter_by_endpoint_type | Filter the agents by endpoint type. Can be "Desktop" or "Server". | Optional |
| filter_by_ip_address | Filter the agents by endpoint IP address range, given as a comma-separated list of ranges. Example: "Starting_IP_Address,Ending_IP_Address" | Optional |
| filter_by_operating_system | Filter the agents by operating system. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TrendMicroApex.EndpointSensorSecurityAgent.agentGuid | String | The GUID of the agent. |
| TrendMicroApex.EndpointSensorSecurityAgent.serverGuid | String | The GUID of the server that manages the agent. |
| TrendMicroApex.EndpointSensorSecurityAgent.machineName | String | The hostname of the endpoint. |
| TrendMicroApex.EndpointSensorSecurityAgent.isImportant | Boolean | Whether the agent is tagged as important. |
| TrendMicroApex.EndpointSensorSecurityAgent.isOnline | Boolean | Whether the agent is online. |
| TrendMicroApex.EndpointSensorSecurityAgent.ip | String | The IP address of the agent. |
| TrendMicroApex.EndpointSensorSecurityAgent.machineGuid | String | The GUID of the endpoint. |
| TrendMicroApex.EndpointSensorSecurityAgent.machineType | String | The endpoint type. |
| TrendMicroApex.EndpointSensorSecurityAgent.machineLabels | Number | The machine labels. |
| TrendMicroApex.EndpointSensorSecurityAgent.machineOS | String | The operating system of the endpoint. |
| TrendMicroApex.EndpointSensorSecurityAgent.isolateStatus | String | The isolation status of the agent. |
| TrendMicroApex.EndpointSensorSecurityAgent.isEnable | Boolean | Whether the agent is enabled. |
| TrendMicroApex.EndpointSensorSecurityAgent.userName | String | The user name of the agent. |
| TrendMicroApex.EndpointSensorSecurityAgent.userGuid | String | The GUID of the user. |
| TrendMicroApex.EndpointSensorSecurityAgent.productType | Number | The Trend Micro product type on the server instance. |

Command Example#

!trendmicro-apex-endpoint-sensors-list

Context Example#

{
"TrendMicroApex": {
"EndpointSensorSecurityAgent": {
"agentGuid": "b59e624c-2cf0-4180-83d7-e08abbf9ad54",
"ip": "8.8.8.8",
"isEnable": true,
"isImportant": false,
"isOnline": true,
"isolateStatus": 0,
"machineGuid": "4C80331A-E39E-4584-A1B7-5237B3F0F239",
"machineLabels": null,
"machineName": "TRENDMICROAPEX-",
"machineOS": "Windows Server 2019",
"machineType": "Server",
"productType": 15,
"serverGuid": "B220EB61-6240-44B4-9B94-4AC3F22E6A62",
"userGuid": "DC15EA904-03CC-E3A2-9CC0-BA57D814772",
"userName": "TRENDMICROAPEX-\\admin"
}
}
}

Human Readable Output#

Trend Micro Apex Security Agents with Endpoint Sensor enabled#

| agentGuid | ip | isEnable | isImportant | isOnline | isolateStatus | machineGuid | machineName | machineOS | machineType | productType | serverGuid | userGuid | userName |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| b59e624c-2cf0-4180-83d7-e08abbf9ad54 | 8.8.8.8 | true | false | true | 0 | 4C80331A-E39E-4584-A1B7-5237B3F0F239 | TRENDMICROAPEX- | Windows Server 2019 | Server | 15 | B220EB61-6240-44B4-9B94-4AC3F22E6A62 | DC15EA904-03CC-E3A2-9CC0-BA57D814772 | TRENDMICROAPEX-\admin |

trendmicro-apex-historical-investigation-create#


Creates a new historical investigation on all Security Agents with Endpoint Sensor enabled using the specified criteria, search operator, and match condition.

Base Command#

trendmicro-apex-historical-investigation-create

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file_name_contains | Filter by file name (partial string match). | Optional |
| file_name_is | Filter by file name (exact match). Supports comma-separated values. | Optional |
| file_path_is | Filter by file path (exact match). Supports comma-separated values. | Optional |
| account_contains | Filter by account (partial string match). Supports comma-separated values. | Optional |
| account_is | Filter by account (exact match). Supports comma-separated values. | Optional |
| command_line_contains | Filter by command line (partial string match). Supports comma-separated values. | Optional |
| command_line_is | Filter by command line (exact match). Supports comma-separated values. | Optional |
| registry_key_contains | Filter by registry key (partial string match). Supports comma-separated values. | Optional |
| registry_key_is | Filter by registry key (exact match). Supports comma-separated values. | Optional |
| registry_name_contains | Filter by registry name (partial string match). Supports comma-separated values. | Optional |
| registry_name_is | Filter by registry name (exact match). Supports comma-separated values. | Optional |
| registry_data_contains | Filter by registry data (partial string match). Supports comma-separated values. | Optional |
| registry_data_is | Filter by registry data (exact match). Supports comma-separated values. | Optional |
| host_name_contains | Filter by host name (partial string match). Supports comma-separated values. | Optional |
| host_name_is | Filter by host name (exact match). Supports comma-separated values. | Optional |
| file_path_contains | Filter by file path (partial string match). Supports comma-separated values. | Optional |
| operator | Operator used in the investigation. 'AND' returns endpoints that match all the criteria specified; 'OR' returns endpoints that match any one of the specified criteria. | Required |
| criteria_kvp | Criteria string to show in the auditing log. | Optional |
| criteria_source | The source of criteria used to store the record in BIF. The default value is 0 (UNKNOWN). | Optional |
| search_period | Scope of the search results. For example, if the value is "Three months", the assessment is performed on data from the last 90 days only. Can be "Default", "All", "One month", "Three months", "Six months", or "Twelve months". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TrendMicroApex.HistoricalInvestigation.taskId | String | Task ID received from the investigation creation request. |
| TrendMicroApex.HistoricalInvestigation.lastContentId | String | ID used to retrieve the next set of results. |
| TrendMicroApex.HistoricalInvestigation.hasMore | Boolean | Whether the source has more results. |
| TrendMicroApex.HistoricalInvestigation.serverName | String | The name of the server. |
| TrendMicroApex.HistoricalInvestigation.serverGuid | String | The GUID of the server. |

Command Example#

!trendmicro-apex-historical-investigation-create operator=OR file_name_is=notepad.exe criteria_kvp="File name: notepad.exe" criteria_source=56 search_period="Twelve months"

Context Example#

{
"TrendMicroApex": {
"HistoricalInvestigation": {
"content": [],
"hasMore": false,
"lastContentId": "",
"serverGuid": "B220EB61-6240-44B4-9B94-4AC3F22E6A62",
"serverName": "Apex One as a Service",
"taskId": "16545889-7708-48BF-BDFC-53A9E2A6942A"
}
}
}

Human Readable Output#

The historical investigation was created successfully#

| taskId | serverName | serverGuid |
| --- | --- | --- |
| 16545889-7708-48BF-BDFC-53A9E2A6942A | Apex One as a Service | B220EB61-6240-44B4-9B94-4AC3F22E6A62 |

trendmicro-apex-investigation-result-list#


Retrieves a list of all investigation results.

Base Command#

trendmicro-apex-investigation-result-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The number of records to retrieve. Default is 50. | Optional |
| offset | The page from which to start retrieving records. Default is 0. | Optional |
| scan_schedule_id | The scan schedule ID of the investigation to retrieve. | Optional |
| filter_by_task_name | Filter the results by task name (partial string match). | Optional |
| filter_by_creator_name | Filter the results by creator name (partial string match). | Optional |
| filter_by_scan_type | Filter the results by the scan method type. Can be "Search Windows registry", "Memory scan using YARA", or "Disk scan using OpenIOC". | Optional |
| filter_by_criteria_name | Filter the results by criteria name (partial string match). | Optional |
| scan_type | The method used for the investigation. Supports comma-separated values. Possible values are: "Windows registry", "YARA rule file", "IOC rule file", and "Disk IOC rule file". | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TrendMicroApex.InvestigationResult.scanSummaryId | Number | The ID of the investigation. |
| TrendMicroApex.InvestigationResult.scanSummaryGuid | String | The GUID of the investigation. |
| TrendMicroApex.InvestigationResult.status | Number | Status of the investigation. |
| TrendMicroApex.InvestigationResult.statusForUI | Number | Status of the investigation as shown in the web console. |
| TrendMicroApex.InvestigationResult.scanType | String | Method used for the investigation. |
| TrendMicroApex.InvestigationResult.submitTime | Date | Date and time when the investigation was submitted. |
| TrendMicroApex.InvestigationResult.finishTime | Date | Date and time when the investigation finished. |
| TrendMicroApex.InvestigationResult.specificAgentType | Number | Indicates how targets were selected for the investigation. 0 - All, 1 - Specific. |
| TrendMicroApex.InvestigationResult.progressInfo.safeCount | Number | Number of agents with "No match" status. |
| TrendMicroApex.InvestigationResult.progressInfo.riskCount | Number | Number of agents with "Matched" status. |
| TrendMicroApex.InvestigationResult.progressInfo.pendingCount | Number | Number of agents with "Pending" status. |
| TrendMicroApex.InvestigationResult.progressInfo.timeoutCount | Number | Number of agents with "Timeout" status. |
| TrendMicroApex.InvestigationResult.progressInfo.noneCount | Number | Number of agents with "None" status. |
| TrendMicroApex.InvestigationResult.progressInfo.processingCount | Number | Number of agents with "Processing" status. |
| TrendMicroApex.InvestigationResult.progressInfo.errorCount | Number | Number of agents with errors. |
| TrendMicroApex.InvestigationResult.progressInfo.abortCount | Number | Number of agents on which the investigation was aborted. |
| TrendMicroApex.InvestigationResult.progressInfo.connectionFailCount | Number | Number of agents that failed to connect. |
| TrendMicroApex.InvestigationResult.name | String | The name of the investigation. |
| TrendMicroApex.InvestigationResult.agentCount | Number | The number of agents in the investigation. |
| TrendMicroApex.InvestigationResult.matchedAgentCount | Number | The number of matched agents in the investigation. |
| TrendMicroApex.InvestigationResult.serverGuidList | String | Trend Micro GUID list of the servers. |
| TrendMicroApex.InvestigationResult.creator | String | The name of the user who created the investigation. |
| TrendMicroApex.InvestigationResult.scanCriteriaEntity.criteriaId | Number | Unique identifier used by the server to store the criteria. |
| TrendMicroApex.InvestigationResult.scanCriteriaEntity.criteriaName | String | The name of the criteria. |
| TrendMicroApex.InvestigationResult.scanCriteriaEntity.criteriaContent | String | The criteria used to perform a "registry" investigation. |
| TrendMicroApex.InvestigationResult.errorServers | String | Error response if server communication is unsuccessful. |

Command Example#

!trendmicro-apex-investigation-result-list scan_status=All scan_type="YARA rule file"

Context Example#

{
"TrendMicroApex": {
"InvestigationResult": {
"agentCount": 1,
"creator": "Cortex XSOAR-PANW",
"errorServers": "[]",
"finishTime": "1969-12-31T23:59:59+00:00",
"matchedAgentCount": 0,
"name": "this is a test",
"progressInfo": {
"abortCount": 0,
"connectionFailCount": 0,
"errorCount": 0,
"noneCount": 0,
"pendingCount": 0,
"processingCount": 1,
"riskCount": 0,
"safeCount": 0,
"timeoutCount": 0
},
"scanCriteriaEntity": {
"criteriaContent": "",
"criteriaId": 2,
"criteriaName": "test.yar"
},
"scanSummaryGuid": "6161bf10-f073-4762-bd10-088b0f68ad1d",
"scanSummaryId": 3,
"scanType": "YARA rule file",
"serverGuidList": [
"B220EB61-6240-44B4-9B94-4AC3F22E6A62"
],
"specificAgentType": 1,
"status": "Running",
"statusForUI": "Running",
"submitTime": "2020-09-13T12:24:05+00:00"
}
}
}

Human Readable Output#

Investigation result list:#

| name | scanSummaryId | scanSummaryGuid | submitTime | serverGuidList | creator |
| --- | --- | --- | --- | --- | --- |
| this is a test | 3 | 6161bf10-f073-4762-bd10-088b0f68ad1d | 2020-09-13T12:24:05+00:00 | B220EB61-6240-44B4-9B94-4AC3F22E6A62 | Cortex XSOAR-PANW |