Supported Cortex XSOAR versions: 6.2.0 and later.
Integration Author: Trend Micro#
Support and maintenance for this integration are provided by the author. Please use the following contact details:
Trend Micro Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response (XDR) capabilities that collect and automatically correlate data across multiple security layers—email, endpoints, servers, cloud workloads, and networks—Trend Micro Vision One prevents the majority of attacks with automated protection.
Configure Trend Micro Vision One on Cortex XSOAR#
- Navigate to Settings > Integrations > Servers & Services.
- Search for Trend Micro Vision One.
- Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
|---|
| Name | Unique name for this Trend Micro Vision One instance | True |
| Fetch Incidents | Choose if the integration should sync incidents | True |
| API URL | Base URL for Trend Micro Vision One API | True |
| API Key | API token for authentication | True |
| Incidents Fetch Interval (minutes) | How often do you want to check for new incidents | False |
| Sync On First Run (days) | How many days to go back during first sync | False |
| Max Incidents | Maximum Number of Workbenches to Retrieve | False |
| Use system proxy settings | Connect to Trend Micro Vision One APIs via system proxy | False |
| Trust any certificate (not secure) | Trust any certificate | False |
- Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
Base Command#
trendmicro-visionone-add-to-block-list
Input#
| Argument Name | Description | Required |
|---|
| value_type | "file_sha1", "ip", "domain", "url" or "mailbox" | Required |
| target_value | The object you would like to add that matches the value-type | Required |
| product_id | Target product | Optional |
| description | Description | Optional |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.BlockList.actionId | String | The action id |
| VisionOne.BlockList.taskStatus | String | Status of existing task |
Note: To get the complete task status run polling command trendmicro-visionone-check-task-status giving actionId as input parameter.
trendmicro-visionone-remove-from-block-list
Input#
| Argument Name | Description | Required |
|---|
| value_type | "file_sha1", "ip", "domain", "url" or "mailbox" | Required |
| target_value | The object you would like to add that matches the value-type | Required |
| product_id | Target product | Optional |
| description | Description | Optional |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.BlockList.actionId | String | The action id |
| VisionOne.BlockList.taskStatus | String | Status of existing task |
Note: To get the complete task status run polling command trendmicro-visionone-check-task-status giving actionId as input parameter.
trendmicro-visionone-quarantine-email-message
Input#
| Argument Name | Description | Required |
|---|
| message_id | Email Message ID from Trend Micro Vision One message activity data | Required |
| mail_box | Email mailbox where the message will be quarantied from | Required |
| message_delivery_time | Email message's original delivery time | Required |
| product_id | Target product | Optional |
| description | Description | Optional |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.Email.actionId | String | The action id |
| VisionOne.Email.taskStatus | String | Status of existing task |
Note: To get the complete task status run polling command trendmicro-visionone-check-task-status giving actionId as input parameter.
trendmicro-visionone-delete-email-message
Input#
| Argument Name | Description | Required |
|---|
| message_id | Email Message ID from Trend Micro Vision One message activity data | Required |
| mail_box | Email mailbox where the message will be deleted from | Required |
| message_delivery_time | Email message's original delivery time | Required |
| product_id | Target product | Optional |
| description | Description | Optional |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.Email.actionId | String | The action id |
| VisionOne.Email.taskStatus | String | Status of existing task |
Note: To get the complete task status run polling command trendmicro-visionone-check-task-status giving actionId as input parameter.
trendmicro-visionone-isolate-endpoint
Input#
| Argument Name | Description | Required |
|---|
| endpoint | "hostname", "macaddr" or "ip" of the endpoint to isolate | Required |
| product_id | Target product: "sao" or "sds". Default: "sao". | Required |
| description | Description | Optional |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.Endpoint_Connection.actionId | String | The action id |
| VisionOne.Endpoint_Connection.taskStatus | String | Status of existing task |
Note: To get the complete task status run polling command trendmicro-visionone-check-task-status giving actionId as input parameter.
Note: The above command should be added with execution timeout in the advanced field of playbook execution. The recommended timeout be 20 minutes.
trendmicro-visionone-restore-endpoint-connection
Input#
| Argument Name | Description | Required |
|---|
| endpoint | "hostname", "macaddr" or "ip" of the endpoint to restore connectivity | Required |
| product_id | Target product: "sao" or "sds". Default: "sao". | Required |
| description | Description | Optional |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.Endpoint_Connection.actionId | String | The action id |
| VisionOne.Endpoint_Connection.taskStatus | String | Status of existing task |
Note: To get the complete task status run polling command trendmicro-visionone-check-task-status giving actionId as input parameter.
Note: The above command should be added with execution timeout in the advanced field of playbook execution. The recommended timeout be 20 minutes.
trendmicro-visionone-add-objects-to-exception-list
Input#
| Argument Name | Description | Required |
|---|
| type | The object type: "domain", "ip", "sha1", or "url" | Required |
| value | Full and partial matches supported. Domain partial match, (with a wildcard as the subdomain, example, .example.com) IP partial match, (IP range example, 192.168.35.1-192.168.35.254, cidr example, 192.168.35.1/24) URL partial match, (Supports wildcards 'http://.'', 'https://.'' at beginning, or ''' at the end. Multiple wild cards also supported, such as , https://.example.com/path1/) SHA1 only full match" | Required |
| description | Description | Optional |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.Exception_List.message | String | Status message of existing task |
| VisionOne.Exception_List.status_code | String | Response code of existing task |
| VisionOne.Exception_List.total_items | String | Number of items present in the exception list. |
trendmicro-visionone-delete-objects-from-exception-list
Input#
| Argument Name | Description | Required |
|---|
| type | The object type: "domain", "ip", "sha1", or "url" | Required |
| value | The object value | Required |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.Exception_List.message | String | Status message of existing task |
| VisionOne.Exception_List.status_code | String | Response code of existing task |
| VisionOne.Exception_List.total_items | String | Number of items present in the exception list. |
trendmicro-visionone-add-objects-to-suspicious-list
Input#
| Argument Name | Description | Required |
|---|
| type | The object type: "domain", "ip", "sha1", or "url" | Required |
| value | The object value | Required |
| description | Description | Optional |
| scan_action | The action to take if object is found. If you don't use this parameter, the scan action specified in default_settings.riskLevel.type will be used instead. "block" or "log" | Optional |
| risk_level | The Suspicious Object risk level. If you don't use this parameter, high will be used instead. "high", "medium", or "low" | Optional |
| expiry_days | The number of days to keep the object in the Suspicious Object List. If you don't use this parameter, the default_settings.expiredDay scan action will be used instead. | Optional |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.Suspicious_List.message | String | Status message of existing task |
| VisionOne.Suspicious_List.status_code | String | Response code of existing task |
| VisionOne.Suspicious_List.total_items | String | Number of items present in the exception list. |
trendmicro-visionone-delete-objects-from-suspicious-list
Input#
| Argument Name | Description | Required |
|---|
| type | The object type: "domain", "ip", "sha1", or "url" | Required |
| value | The object value | Required |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.Suspicious_List.message | String | Status message of existing task |
| VisionOne.Suspicious_List.status_code | String | Response code of existing task |
| VisionOne.Suspicious_List.total_items | String | Number of items present in the exception list. |
trendmicro-visionone-terminate-process
| Argument Name | Description | Required |
|---|
| endpoint | "hostname", "macaddr" or "ip" of the endpoint to terminate process on | Required |
| file_sha1 | SHA1 hash of the process to terminate | Required |
| product_id | Target product. Default: "sao" | Optional |
| description | Description | Optional |
| filename | Optional file name list for log | Optional |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.Terminate_Process.actionId | String | The action id |
| VisionOne.Terminate_Process.taskStatus | String | Status of existing task |
Note: To get the complete task status run polling command trendmicro-visionone-check-task-status giving actionId as input parameter.
Note: The above command should be added with execution timeout in the advanced field of playbook execution. The recommended timeout is 20 minutes.
trendmicro-visionone-get-file-analysis-status
| Argument Name | Description | Required |
|---|
| task_id | task_id from the trendmicro-visionone-submit-file-to-sandbox command output | Required |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.File_Analysis_Status.message | String | Message status |
| VisionOne.File_Analysis_Status.code | String | Code status of the task |
| VisionOne.File_Analysis_Status.task_id | String | Task id |
| VisionOne.File_Analysis_Status.taskStatus | String | Task status |
| VisionOne.File_Analysis_Status.digest | String | Hash value of task |
| VisionOne.File_Analysis_Status.analysis_completion_time | String | Task completion time |
| VisionOne.File_Analysis_Status.risk_level | String | Risk level of task |
| VisionOne.File_Analysis_Status.description | String | Description of task |
| VisionOne.File_Analysis_Status.detection_name_list | String | List of task detected |
| VisionOne.File_Analysis_Status.threat_type_list | String | Threat type list |
| VisionOne.File_Analysis_Status.file_type | String | Type of file |
| VisionOne.File_Analysis_Status.report_id | String | Report ID of task. |
trendmicro-visionone-get-file-analysis-report
| Argument Name | Description | Required |
|---|
| report_id | report_id of the sandbox submission retrieved from the trendmicro-visionone-get-file-analysis-status command | Required |
| type | Type of report to retrieve: "vaReport", "investigationPackage", or "suspiciousObject" | Required |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.File_Analysis_Report.message | String | Message status |
| VisionOne.File_Analysis_Report.code | String | Code status of task |
| VisionOne.File_Analysis_Report.type | String | type of report |
| VisionOne.File_Analysis_Report.value | String | value of the above type |
| VisionOne.File_Analysis_Report.risk_level | String | risk level of the file |
| VisionOne.File_Analysis_Report.analysis_completion_time | String | Final analysed time of report |
| VisionOne.File_Analysis_Report.expired_time | String | Expiry time of report |
| VisionOne.File_Analysis_Report.root_file_sha1 | String | sha value of the root file |
trendmicro-visionone-collect-forensic-file
| Argument Name | Description | Required |
|---|
| endpoint | "hostname", "macaddr" or "ip" of the endpoint to collect file from | Required |
| product_id | Product: "sao" "xes" "sds" | Required |
| file_path | Path of the file to collect | Required |
| os | "windows", "mac" or "linux" | Required |
| description | Description of file collected | Optional |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.Collect_Forensic_File.actionId | String | Action id of the running task |
| VisionOne.Collect_Forensic_File.taskStatus | String | Status of the running task |
Note: To get the complete task status run polling command trendmicro-visionone-check-task-status giving actionId as input parameter.
Note: The above command should be added with execution timeout in the advanced field of playbook execution. The recommended timeout be 20 minutes.
trendmicro-visionone-download-information-for-collected-forensic-file
| Argument Name | Description | Required |
|---|
| actionId | actionId output from the collect command used to collect the file | Required |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.Download_Information_For_Collected_Forensic_File.url | String | URL of the collected file |
| VisionOne.Download_Information_For_Collected_Forensic_File.expires | String | URL expiration date |
| VisionOne.Download_Information_For_Collected_Forensic_File.password | String | Archive password for the protected forensic file |
| VisionOne.Download_Information_For_Collected_Forensic_File.filename | String | Name of the collected file |
Note: The URL received from the 'trendmicro-visionone-download-information-for-collected-forensic-file' will be valid for only 60 seconds
trendmicro-visionone-submit-file-to-sandbox
| Argument Name | Description | Required |
|---|
| file_url | URL pointing to the location of the file to be submitted. | Required |
| filename | Name of the file to be analyzed. | Required |
| document_password | The password for decrypting the submitted document. The value must be Base64-encoded. The maximum password length is 128 bytes prior to encoding. | Optional |
| archive_password | The password for decrypting the submitted archive. The value must be Base64-encoded. The maximum password length is 128 bytes prior to encoding. | Optional |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.Submit_File_to_Sandbox.message | String | Message status of the sandbox file |
| VisionOne.Submit_File_to_Sandbox.code | String | Code status of the sandbox file |
| VisionOne.Submit_File_to_Sandbox.task_id | String | Task ID of the running task |
| VisionOne.Submit_File_to_Sandbox.digest | Object | Sha value of the file |
trendmicro-visionone-check-task-status
| Argument Name | Description | Required |
|---|
| polling | If the command is to run at the polling interval. | Optional |
| actionId | Action ID of the task you would like to get the status of. | Required |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.Endpoint_Connection.actionId | String | The action id |
| VisionOne.Endpoint_Connection.taskStatus | String | Status of existing task |
trendmicro-visionone-get-endpoint-info
| Argument Name | Description | Required |
|---|
| endpoint | "hostname", "macaddr" or "ip" of the endpoint to query | Required |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.Endpoint_Info.message | String | Message information from the request. |
| VisionOne.Endpoint_Info.errorCode | Integer | Error code. |
| VisionOne.Endpoint_Info.status | String | Status of the request. |
| VisionOne.Endpoint_Info.logonAccount | String | Account currently logged on to the endpoint. |
| VisionOne.Endpoint_Info.hostname | String | Hostname. |
| VisionOne.Endpoint_Info.macAddr | String | MAC address. |
| VisionOne.Endpoint_Info.ip | String | IP address. |
| VisionOne.Endpoint_Info.osName | String | Operating System name. |
| VisionOne.Endpoint_Info.osVersion | String | Operating System version. |
| VisionOne.Endpoint_Info.osDescription | String | Description of the Operating System. |
| VisionOne.Endpoint_Info.productCode | String | Product code of the Trend Micro product running on the endpoint. |
trendmicro-visionone-add-note
| Argument Name | Description | Required |
|---|
| workbench_id | The ID of the workbench alert that you would like to add the note to. | Required |
| content | The note content that you would like to add. | Required |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.Add_Note.Workbench_Id | String | Workbench ID that the action was executed on. |
| VisionOne.Add_Note.noteId | String | Note ID. |
| VisionOne.Add_Note.response_code | String | Response code for the request. |
| VisionOne.Add_Note.response_msg | String | Response message for the request. |
trendmicro-visionone-update-status
| Argument Name | Description | Required |
|---|
| workbench_id | The ID of the workbench alert that you would like to update the status for. | Required |
| status | The status to assign to the workbench alert: new, in_progress, resolved_false_positive, resolved_true_positive | Required |
Context Output#
| Path | Type | Description |
|---|
| VisionOne.Update_Status.Workbench_Id | String | Workbench ID that the action was executed on. |
| VisionOne.Update_Status.response_code | String | Response code for the request. |
| VisionOne.Update_Status.response_msg | String | Response message for the request. |
View Integration Documentation