
Trend Micro Vision One

This Integration is part of the Trend Micro Vision One Pack.

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

Integration Author: Trend Micro

Support and maintenance for this integration are provided by the author. Please use the following contact details:


Trend Micro Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response (XDR) capabilities that collect and automatically correlate data across multiple security layers—email, endpoints, servers, cloud workloads, and networks—Trend Micro Vision One prevents the majority of attacks with automated protection.

Configure Trend Micro Vision One on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Trend Micro Vision One.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| Name | Unique name for this Trend Micro Vision One instance | True |
| Fetch Incidents | Choose whether the integration should sync incidents | True |
| API URL | Base URL for the Trend Micro Vision One API | True |
| API Key | API token used for authentication | True |
| Incidents Fetch Interval (minutes) | How often to check for new incidents | False |
| Sync On First Run (days) | How many days to go back during the first sync | False |
| Max Incidents | Maximum number of Workbenches to retrieve per fetch | False |
| Use system proxy settings | Connect to the Trend Micro Vision One APIs via the system proxy | False |
| Trust any certificate (not secure) | Trust any certificate (disables TLS certificate validation for the API connection) | False |

  4. Click Test to validate the URLs, token, and connection.

The API key authorises every response action listed under Commands (endpoint isolation, email deletion, block-list changes), so store it as a credential rather than in plain text and restrict who can edit the instance. Leave "Trust any certificate" unchecked outside of isolated test setups, since it removes the only check that the API URL is really the Vision One service.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.

Base Command

  1. trendmicro-visionone-add-to-block-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| value_type | "file_sha1", "ip", "domain", "url" or "mailbox" | Required |
| target_value | The object to add to the block list; must match the value_type | Required |
| product_id | Target product | Optional |
| description | Description | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.BlockList.actionId | String | The action ID |
| VisionOne.BlockList.taskStatus | String | Status of the task |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the actionId as input.

  2. trendmicro-visionone-remove-from-block-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| value_type | "file_sha1", "ip", "domain", "url" or "mailbox" | Required |
| target_value | The object to remove from the block list; must match the value_type | Required |
| product_id | Target product | Optional |
| description | Description | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.BlockList.actionId | String | The action ID |
| VisionOne.BlockList.taskStatus | String | Status of the task |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the actionId as input.

  3. trendmicro-visionone-quarantine-email-message

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| message_id | Email message ID from Trend Micro Vision One message activity data | Required |
| mail_box | Email mailbox from which the message will be quarantined | Required |
| message_delivery_time | The email message's original delivery time | Required |
| product_id | Target product | Optional |
| description | Description | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Email.actionId | String | The action ID |
| VisionOne.Email.taskStatus | String | Status of the task |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the actionId as input.

  4. trendmicro-visionone-delete-email-message

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| message_id | Email message ID from Trend Micro Vision One message activity data | Required |
| mail_box | Email mailbox from which the message will be deleted | Required |
| message_delivery_time | The email message's original delivery time | Required |
| product_id | Target product | Optional |
| description | Description | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Email.actionId | String | The action ID |
| VisionOne.Email.taskStatus | String | Status of the task |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the actionId as input.

  5. trendmicro-visionone-isolate-endpoint

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint | "hostname", "macaddr" or "ip" of the endpoint to isolate | Required |
| product_id | Target product: "sao" or "sds". Default: "sao". | Required |
| description | Description | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Endpoint_Connection.actionId | String | The action ID |
| VisionOne.Endpoint_Connection.taskStatus | String | Status of the task |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the actionId as input. This command should be given an execution timeout in the advanced settings of the playbook task; the recommended timeout is 20 minutes.

  6. trendmicro-visionone-restore-endpoint-connection

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint | "hostname", "macaddr" or "ip" of the endpoint whose connectivity should be restored | Required |
| product_id | Target product: "sao" or "sds". Default: "sao". | Required |
| description | Description | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Endpoint_Connection.actionId | String | The action ID |
| VisionOne.Endpoint_Connection.taskStatus | String | Status of the task |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the actionId as input. This command should be given an execution timeout in the advanced settings of the playbook task; the recommended timeout is 20 minutes.

  7. trendmicro-visionone-add-objects-to-exception-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| type | The object type: "domain", "ip", "sha1", or "url" | Required |
| value | Full and partial matches are supported. Domain partial match: a wildcard as the subdomain, e.g. `*.example.com`. IP partial match: an IP range, e.g. 192.168.35.1-192.168.35.254, or CIDR notation, e.g. 192.168.35.1/24. URL partial match: the wildcards `http://*.` or `https://*.` at the beginning, or `*` at the end; multiple wildcards are also supported, e.g. `https://*.example.com/path1/*`. SHA1: full match only. | Required |
| description | Description | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Exception_List.message | String | Status message of the request |
| VisionOne.Exception_List.status_code | String | Response code of the request |
| VisionOne.Exception_List.total_items | String | Number of items present in the exception list |

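Validating values before calling the command lets a playbook fail early on a typo instead of discovering it from the command's status message, and keeps an over-broad exception (a bare `*` URL, a /0 network) from reaching the tenant by accident. The validator below is an added example, not part of the integration; it encodes the accepted formats described for trendmicro-visionone-add-to-block-list (exact values assumed, since the page does not describe partial matching for the block list) and for trendmicro-visionone-add-objects-to-exception-list (wildcard subdomains, IP ranges and CIDR, prefix and suffix URL wildcards, full SHA1 only). The regular expressions and the choice to accept host bits in a CIDR, as in the page's 192.168.35.1/24 example, are our own.

```python
"""Client-side checks for block-list and exception-list values (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# Hostname labels: 1-63 chars, no leading/trailing hyphen, at least two labels.
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

BLOCK_LIST_TYPES = {"file_sha1", "ip", "domain", "url", "mailbox"}
EXCEPTION_LIST_TYPES = {"domain", "ip", "sha1", "url"}


def _valid_ip_exact(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _valid_ip_partial(value):
    """Exact IP, CIDR (192.168.35.1/24) or range (192.168.35.1-192.168.35.254)."""
    if _valid_ip_exact(value):
        return True
    if "/" in value:
        try:
            ipaddress.ip_network(value, strict=False)  # host bits allowed (assumption)
            return True
        except ValueError:
            return False
    if "-" in value:
        low, _, high = value.partition("-")
        try:
            return ipaddress.ip_address(low) <= ipaddress.ip_address(high)
        except ValueError:
            return False
    return False


def _valid_domain(value, allow_wildcard):
    if allow_wildcard and value.startswith("*."):
        value = value[2:]
    return bool(DOMAIN_RE.match(value))


def _valid_url(value, allow_wildcards):
    """http(s) only; wildcards only as an 'http://*.' prefix or a trailing '*'."""
    candidate = value
    if allow_wildcards:
        candidate = re.sub(r"^(https?://)\*\.", r"\1wildcard.", candidate)
        if candidate.endswith("*"):
            candidate = candidate[:-1]
    if "*" in candidate:          # any wildcard left is in an unsupported position
        return False
    parsed = urlparse(candidate)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def validate_block_list_entry(value_type, target_value):
    """Return (ok, reason) for an add-to-block-list value_type/target_value pair."""
    if value_type not in BLOCK_LIST_TYPES:
        return False, "unknown value_type %r" % value_type
    checks = {
        "file_sha1": lambda v: bool(SHA1_RE.match(v)),
        "ip": _valid_ip_exact,
        "domain": lambda v: _valid_domain(v, allow_wildcard=False),
        "url": lambda v: _valid_url(v, allow_wildcards=False),
        "mailbox": lambda v: bool(EMAIL_RE.match(v)),
    }
    ok = checks[value_type](target_value)
    return ok, ("" if ok else "%r is not a valid %s" % (target_value, value_type))


def validate_exception_list_entry(obj_type, value):
    """Return (ok, reason) for an add-objects-to-exception-list type/value pair."""
    if obj_type not in EXCEPTION_LIST_TYPES:
        return False, "unknown type %r" % obj_type
    checks = {
        "sha1": lambda v: bool(SHA1_RE.match(v)),           # full match only
        "ip": _valid_ip_partial,
        "domain": lambda v: _valid_domain(v, allow_wildcard=True),
        "url": lambda v: _valid_url(v, allow_wildcards=True),
    }
    ok = checks[obj_type](value)
    return ok, ("" if ok else "%r is not a valid %s pattern" % (value, obj_type))
```

Run the check in the automation that builds the command arguments and stop the playbook on a failed pair; the reason string is meant to go into the incident's war room so the analyst sees which value was rejected.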
  8. trendmicro-visionone-delete-objects-from-exception-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| type | The object type: "domain", "ip", "sha1", or "url" | Required |
| value | The object value | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Exception_List.message | String | Status message of the request |
| VisionOne.Exception_List.status_code | String | Response code of the request |
| VisionOne.Exception_List.total_items | String | Number of items present in the exception list |

  9. trendmicro-visionone-add-objects-to-suspicious-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| type | The object type: "domain", "ip", "sha1", or "url" | Required |
| value | The object value | Required |
| description | Description | Optional |
| scan_action | The action to take if the object is found: "block" or "log". If omitted, the scan action specified in default_settings.riskLevel.type is used. | Optional |
| risk_level | The Suspicious Object risk level: "high", "medium", or "low". If omitted, "high" is used. | Optional |
| expiry_days | The number of days to keep the object in the Suspicious Object List. If omitted, the default_settings.expiredDay value is used. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Suspicious_List.message | String | Status message of the request |
| VisionOne.Suspicious_List.status_code | String | Response code of the request |
| VisionOne.Suspicious_List.total_items | String | Number of items present in the suspicious list |

  10. trendmicro-visionone-delete-objects-from-suspicious-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| type | The object type: "domain", "ip", "sha1", or "url" | Required |
| value | The object value | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Suspicious_List.message | String | Status message of the request |
| VisionOne.Suspicious_List.status_code | String | Response code of the request |
| VisionOne.Suspicious_List.total_items | String | Number of items present in the suspicious list |

  11. trendmicro-visionone-terminate-process

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint | "hostname", "macaddr" or "ip" of the endpoint on which to terminate the process | Required |
| file_sha1 | SHA1 hash of the process to terminate | Required |
| product_id | Target product. Default: "sao" | Optional |
| description | Description | Optional |
| filename | Optional file name list for the log | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Terminate_Process.actionId | String | The action ID |
| VisionOne.Terminate_Process.taskStatus | String | Status of the task |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the actionId as input. This command should be given an execution timeout in the advanced settings of the playbook task; the recommended timeout is 20 minutes.

  12. trendmicro-visionone-get-file-analysis-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| task_id | task_id from the trendmicro-visionone-submit-file-to-sandbox command output | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.File_Analysis_Status.message | String | Status message |
| VisionOne.File_Analysis_Status.code | String | Status code of the task |
| VisionOne.File_Analysis_Status.task_id | String | Task ID |
| VisionOne.File_Analysis_Status.taskStatus | String | Task status |
| VisionOne.File_Analysis_Status.digest | String | Hash (digest) of the submitted file |
| VisionOne.File_Analysis_Status.analysis_completion_time | String | Task completion time |
| VisionOne.File_Analysis_Status.risk_level | String | Risk level assigned by the sandbox |
| VisionOne.File_Analysis_Status.description | String | Description of the task |
| VisionOne.File_Analysis_Status.detection_name_list | String | List of detection names |
| VisionOne.File_Analysis_Status.threat_type_list | String | List of threat types |
| VisionOne.File_Analysis_Status.file_type | String | Type of the file |
| VisionOne.File_Analysis_Status.report_id | String | Report ID of the task |

  13. trendmicro-visionone-get-file-analysis-report

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| report_id | report_id of the sandbox submission, retrieved from the trendmicro-visionone-get-file-analysis-status command | Required |
| type | Type of report to retrieve: "vaReport", "investigationPackage", or "suspiciousObject" | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.File_Analysis_Report.message | String | Status message |
| VisionOne.File_Analysis_Report.code | String | Status code of the task |
| VisionOne.File_Analysis_Report.type | String | Type of report |
| VisionOne.File_Analysis_Report.value | String | Value returned for the requested report type |
| VisionOne.File_Analysis_Report.risk_level | String | Risk level of the file |
| VisionOne.File_Analysis_Report.analysis_completion_time | String | Time the analysis in the report completed |
| VisionOne.File_Analysis_Report.expired_time | String | Expiry time of the report |
| VisionOne.File_Analysis_Report.root_file_sha1 | String | SHA1 of the root file |

  14. trendmicro-visionone-collect-forensic-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint | "hostname", "macaddr" or "ip" of the endpoint to collect the file from | Required |
| product_id | Product: "sao", "xes" or "sds" | Required |
| file_path | Path of the file to collect | Required |
| os | "windows", "mac" or "linux" | Required |
| description | Description of the collected file | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Collect_Forensic_File.actionId | String | Action ID of the running task |
| VisionOne.Collect_Forensic_File.taskStatus | String | Status of the running task |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the actionId as input. This command should be given an execution timeout in the advanced settings of the playbook task; the recommended timeout is 20 minutes.

  15. trendmicro-visionone-download-information-for-collected-forensic-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| actionId | actionId output from the collect command used to collect the file | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Download_Information_For_Collected_Forensic_File.url | String | URL of the collected file |
| VisionOne.Download_Information_For_Collected_Forensic_File.expires | String | URL expiration date |
| VisionOne.Download_Information_For_Collected_Forensic_File.password | String | Archive password for the protected forensic file |
| VisionOne.Download_Information_For_Collected_Forensic_File.filename | String | Name of the collected file |

Note: The URL returned by trendmicro-visionone-download-information-for-collected-forensic-file is valid for only 60 seconds, so the download must happen in the same playbook step that obtains it; the archive password is returned alongside the URL and is needed to open the downloaded file.
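A playbook that stores the URL in context and downloads it in a later task will usually find it expired. The helper below, an added example and not the integration's code, checks the expires field before each attempt and asks for fresh download information instead of retrying a dead URL. The two callables it takes are assumed interfaces: in XSOAR, get_download_info would wrap demisto.executeCommand for the command above and http_get a requests.get; the ISO-8601 format of expires, the 5-second safety margin and the fake service used to run it offline are our assumptions.

```python
"""Download a collected forensic file inside the 60-second URL window (added example)."""
from datetime import datetime, timedelta, timezone

URL_VALIDITY = timedelta(seconds=60)    # stated on the page
SAFETY_MARGIN = timedelta(seconds=5)    # assumption: do not start a fetch this close to expiry


def parse_expires(expires):
    """'expires' is assumed to be ISO-8601 UTC, e.g. 2024-01-01T00:01:00Z."""
    return datetime.fromisoformat(expires.replace("Z", "+00:00"))


def url_is_usable(info, now):
    """True while the URL still has at least SAFETY_MARGIN of validity left."""
    return parse_expires(info["expires"]) - now >= SAFETY_MARGIN


def fetch_forensic_file(action_id, get_download_info, http_get, now_fn, max_attempts=3):
    """Return (archive_bytes, archive_password, filename).

    A stale or rejected URL is never retried; fresh download information is
    requested instead, because it is the URL, not the actionId, that expires.
    The archive password arrives with the download information, so it is
    returned together with the bytes and must be stored with the file.
    """
    last_status = None
    for _ in range(max_attempts):
        info = get_download_info(action_id)
        if not url_is_usable(info, now_fn()):
            continue                        # e.g. a slow step ran in between; re-request
        last_status, body = http_get(info["url"])
        if last_status == 200:
            return body, info["password"], info["filename"]
    raise RuntimeError("download failed for action %s (last HTTP status %s)" % (action_id, last_status))


class Clock:
    """Constructed controllable clock so the example runs offline."""
    def __init__(self, start):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += timedelta(seconds=seconds)


class FakeVisionOne:
    """Constructed stand-in for the service: each info request mints a URL valid for 60 s."""
    def __init__(self, clock):
        self.clock, self.issued, self.info_requests = clock, {}, 0

    def get_download_info(self, action_id):
        self.info_requests += 1
        url = "https://files.example.invalid/%s/%d" % (action_id, self.info_requests)
        expiry = self.clock.now() + URL_VALIDITY
        self.issued[url] = expiry
        return {"url": url,
                "expires": expiry.isoformat().replace("+00:00", "Z"),
                "password": "constructed-archive-password",
                "filename": "collected_file.zip"}

    def http_get(self, url):
        if url in self.issued and self.clock.now() < self.issued[url]:
            return 200, b"PK\x03\x04constructed-zip-bytes"
        return 403, b""


def demo():
    """Info fetched, 70 s pass, then the download is attempted: naive fetch fails, helper recovers."""
    clock = Clock(datetime(2024, 1, 1, tzinfo=timezone.utc))
    api = FakeVisionOne(clock)
    stale = api.get_download_info("00000001")      # what a naive playbook would keep in context
    clock.advance(70)                                # longer than the 60 s window
    naive_status = api.http_get(stale["url"])[0]
    body, password, filename = fetch_forensic_file(
        "00000001", api.get_download_info, api.http_get, clock.now)
    return {"naive_status": naive_status, "bytes": len(body), "password": password,
            "filename": filename, "info_requests": api.info_requests}


def demo_stale_cache():
    """Info cached 58 s ago is inside the window but under the safety margin: re-requested."""
    clock = Clock(datetime(2024, 1, 1, tzinfo=timezone.utc))
    api = FakeVisionOne(clock)
    cached = [api.get_download_info("00000002")]
    clock.advance(58)
    get_info = lambda action_id: cached.pop() if cached else api.get_download_info(action_id)
    fetch_forensic_file("00000002", get_info, api.http_get, clock.now)
    return api.info_requests     # 2: the cached copy was discarded and one fresh request made
```

Keep the returned password with the archive in the same evidence record; the URL itself is worthless after a minute, so there is no reason to persist it.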

  16. trendmicro-visionone-submit-file-to-sandbox

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file_url | URL pointing to the location of the file to be submitted | Required |
| filename | Name of the file to be analyzed | Required |
| document_password | The password for decrypting the submitted document. The value must be Base64-encoded. The maximum password length is 128 bytes prior to encoding. | Optional |
| archive_password | The password for decrypting the submitted archive. The value must be Base64-encoded. The maximum password length is 128 bytes prior to encoding. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Submit_File_to_Sandbox.message | String | Status message of the sandbox submission |
| VisionOne.Submit_File_to_Sandbox.code | String | Status code of the sandbox submission |
| VisionOne.Submit_File_to_Sandbox.task_id | String | Task ID of the running task |
| VisionOne.Submit_File_to_Sandbox.digest | Object | Hash values of the file |

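The 128-byte limit applies to the encoded bytes of the password, not to its character count, so a password with non-ASCII characters can exceed it well before 128 characters. The helper below builds the command's argument dictionary and enforces that limit before encoding; it is an added example, not the integration's code. The page specifies only that the passwords are Base64-encoded and at most 128 bytes before encoding; UTF-8 as the byte encoding, the http(s) check on file_url and the bare-filename check are our assumptions.

```python
"""Build arguments for trendmicro-visionone-submit-file-to-sandbox (added example)."""
import base64
from urllib.parse import urlparse

MAX_PASSWORD_BYTES = 128   # from the page: limit applies before Base64 encoding


def encode_sandbox_password(password):
    """Base64-encode a document/archive password, enforcing the 128-byte limit."""
    raw = password.encode("utf-8")        # assumption: the service decodes UTF-8
    if not raw:
        raise ValueError("empty password")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password is %d bytes; limit is %d before encoding"
                         % (len(raw), MAX_PASSWORD_BYTES))
    return base64.b64encode(raw).decode("ascii")


def build_sandbox_args(file_url, filename, document_password=None, archive_password=None):
    """Return the argument dict for the command (e.g. for demisto.executeCommand)."""
    parsed = urlparse(file_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("file_url must be an http(s) URL reachable by Vision One")
    if not filename or "/" in filename or "\\" in filename:
        raise ValueError("filename must be a bare file name, not a path")
    args = {"file_url": file_url, "filename": filename}
    if document_password is not None:
        args["document_password"] = encode_sandbox_password(document_password)
    if archive_password is not None:
        args["archive_password"] = encode_sandbox_password(archive_password)
    return args


def example_submission():
    """Constructed sample: a password-protected archive hosted on a fetchable URL."""
    return build_sandbox_args("https://files.example.invalid/sample.zip", "sample.zip",
                              archive_password="infected")
```

Submit the result with the command, then poll trendmicro-visionone-get-file-analysis-status with the returned task_id; the file_url must be reachable from the Vision One service, not only from the XSOAR engine.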
  17. trendmicro-visionone-check-task-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| polling | Whether the command should run at the polling interval | Optional |
| actionId | Action ID of the task whose status you want | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Endpoint_Connection.actionId | String | The action ID |
| VisionOne.Endpoint_Connection.taskStatus | String | Status of the task |

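The integration drives its own polling through the polling argument; the loop below, an added example that is not taken from the integration, shows the equivalent control flow with the page's 20-minute recommendation as a hard deadline, so that a playbook branches to manual handling when an isolate, terminate or collect task never completes rather than silently assuming it did. run_check stands in for executing trendmicro-visionone-check-task-status and is assumed to return the actionId/taskStatus pair shown above; the terminal status names and the injected clock are assumptions and should be adjusted to the values your tenant returns.

```python
"""Poll a Vision One task by actionId with a hard deadline (added example)."""
RECOMMENDED_TIMEOUT_SECONDS = 20 * 60              # from the page
TERMINAL_STATUSES = {"success", "failed", "rejected"}   # assumption: tenant-specific values


def wait_for_task(action_id, run_check, now_fn, sleep_fn,
                  interval_seconds=30, timeout_seconds=RECOMMENDED_TIMEOUT_SECONDS):
    """Return (final_status, elapsed_seconds, polls).

    Raises TimeoutError if the task is still non-terminal when the next poll
    would land past the deadline, so the caller can escalate instead of
    treating 'pending' as done.
    """
    start = now_fn()
    polls = 0
    while True:
        result = run_check(action_id)
        polls += 1
        status = str(result.get("taskStatus", "")).lower()
        elapsed = now_fn() - start
        if status in TERMINAL_STATUSES:
            return status, elapsed, polls
        if elapsed + interval_seconds > timeout_seconds:
            raise TimeoutError("action %s still %r after %.0f s" % (action_id, status, elapsed))
        sleep_fn(interval_seconds)


class FakeClock:
    """Constructed clock: sleep() advances time instead of blocking."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def make_fake_checker(pending_polls, final_status="success"):
    """Constructed stand-in for the command: 'pending' N times, then final_status."""
    calls = {"n": 0}

    def run_check(action_id):
        calls["n"] += 1
        status = "pending" if calls["n"] <= pending_polls else final_status
        return {"actionId": action_id, "taskStatus": status}

    return run_check


def demo():
    """One task that completes on the third poll, one that never does."""
    clock = FakeClock()
    fast = wait_for_task("00000101", make_fake_checker(2), clock.now, clock.sleep)
    clock = FakeClock()
    try:
        wait_for_task("00000102", make_fake_checker(10 ** 6), clock.now, clock.sleep)
        stuck = None
    except TimeoutError as exc:
        stuck = (str(exc), clock.now())
    return fast, stuck
```

In a playbook the same deadline is expressed as the task's execution timeout; whichever mechanism you use, route the timeout path to a human, because an endpoint that was never actually isolated is the case this check exists to catch.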
  18. trendmicro-visionone-get-endpoint-info

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint | "hostname", "macaddr" or "ip" of the endpoint to query | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Endpoint_Info.message | String | Message information from the request |
| VisionOne.Endpoint_Info.errorCode | Integer | Error code |
| VisionOne.Endpoint_Info.status | String | Status of the request |
| VisionOne.Endpoint_Info.logonAccount | String | Account currently logged on to the endpoint |
| VisionOne.Endpoint_Info.hostname | String | Hostname |
| VisionOne.Endpoint_Info.macAddr | String | MAC address |
| VisionOne.Endpoint_Info.ip | String | IP address |
| VisionOne.Endpoint_Info.osName | String | Operating system name |
| VisionOne.Endpoint_Info.osVersion | String | Operating system version |
| VisionOne.Endpoint_Info.osDescription | String | Description of the operating system |
| VisionOne.Endpoint_Info.productCode | String | Product code of the Trend Micro product running on the endpoint |

  19. trendmicro-visionone-add-note

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| workbench_id | The ID of the workbench alert to add the note to | Required |
| content | The note content to add | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Add_Note.Workbench_Id | String | Workbench ID the action was executed on |
| VisionOne.Add_Note.noteId | String | Note ID |
| VisionOne.Add_Note.response_code | String | Response code for the request |
| VisionOne.Add_Note.response_msg | String | Response message for the request |

  20. trendmicro-visionone-update-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| workbench_id | The ID of the workbench alert whose status should be updated | Required |
| status | The status to assign to the workbench alert: "new", "in_progress", "resolved_false_positive" or "resolved_true_positive" | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Update_Status.Workbench_Id | String | Workbench ID the action was executed on |
| VisionOne.Update_Status.response_code | String | Response code for the request |
| VisionOne.Update_Status.response_msg | String | Response message for the request |
