Trend Micro Vision One V3.

This Integration is part of the Trend Micro Vision One Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Integration Author: Trend Micro

Support and maintenance for this integration are provided by the author. Please use the following contact details:


Trend Micro Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response (XDR) capabilities that collect and automatically correlate data across multiple security layers—email, endpoints, servers, cloud workloads, and networks—Trend Micro Vision One prevents the majority of attacks with automated protection.

Configure Trend Micro Vision One V3. on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Trend Micro Vision One V3.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | API URL (e.g. https://api.xdr.trendmicro.com) | The base url for the Trend Micro Vision One API | True |
    | API Key | The API token to access data | True |
    | Fetch incidents | | False |
    | Incidents Fetch Interval | | False |
    | Incident type | | False |
    | Sync On First Run (days) | | False |
    | Max Incidents | | False |
    | Use system proxy settings | | False |
    | Trust any certificate (not secure) | | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

trendmicro-visionone-enable-user-account

Allows the user to sign in to new application and browser sessions. Supported IAM systems: Azure AD and Active Directory (on-premises).

Base Command

trendmicro-visionone-enable-user-account

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| accountName | The User account that needs to be enabled. | Required |
| description | Description of a response task. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.User_Account.status_code | number | Task status code of request to enable user account |
| VisionOne.User_Account.taskId | string | Task ID of enabling user account |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the returned taskId as its task_id argument.

trendmicro-visionone-disable-user-account

Signs the user out of all active application and browser sessions, and prevents the user from signing in to any new session. Supported IAM systems: Azure AD and Active Directory (on-premises).

Base Command

trendmicro-visionone-disable-user-account

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| accountName | The User account that needs to be disabled. | Required |
| description | Description of a response task. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.User_Account.status_code | number | Task status code of request to disable user account |
| VisionOne.User_Account.taskId | string | Task ID of disabling user account |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the returned taskId as its task_id argument.

trendmicro-visionone-force-signout

Signs the user out of all active application and browser sessions. Supported IAM systems: Azure AD.

Base Command

trendmicro-visionone-force-signout

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| accountName | The User account to sign out. | Required |
| description | Description of a response task. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.User_Account.status_code | number | Task status code of request to sign out user |
| VisionOne.User_Account.taskId | string | Task ID of signing out user |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the returned taskId as its task_id argument.

trendmicro-visionone-force-password-reset

Signs the user out of all active application and browser sessions, and forces the user to create a new password during the next sign-in attempt. Supported IAM systems: Azure AD and Active Directory (on-premises).

Base Command

trendmicro-visionone-force-password-reset

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| accountName | The User account for which the password needs to be reset. | Required |
| description | Description of a response task. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.User_Account.status_code | number | Task status code of request to reset user password |
| VisionOne.User_Account.taskId | string | Task ID of resetting user password |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the returned taskId as its task_id argument.

trendmicro-visionone-add-to-block-list

Adds a file SHA-1, IP address, domain, or URL object to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections.

Base Command

trendmicro-visionone-add-to-block-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| value_type | The type of object you would like to add to the block list: "file_sha1", "ip", "domain", "url" or "mailbox". Possible values are: file_sha1, domain, ip, url, mailbox. | Required |
| target_value | The object you would like to add that matches the value-type. | Required |
| description | Optional description for reference. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.BlockList.taskId | string | Task ID of action of adding file SHA-1, IP address, domain, or URL to the User-Defined Suspicious Objects List |
| VisionOne.BlockList.status | number | Task status of adding file SHA-1, IP address, domain, or URL object to the User-Defined Suspicious Objects List |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the returned taskId as its task_id argument.

trendmicro-visionone-remove-from-block-list

Removes a file SHA-1, IP address, domain, or URL from the User-Defined Suspicious Objects List.

Base Command

trendmicro-visionone-remove-from-block-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| value_type | The type of object you would like to remove from the block list: "file_sha1", "ip", "domain", "url" or "mailbox". Possible values are: file_sha1, domain, ip, url, mailbox. | Required |
| target_value | The object you would like to remove that matches the value-type. | Required |
| description | Optional description for reference. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.BlockList.taskId | string | Task ID of action of removing file SHA-1, IP address, domain, or URL object from the User-Defined Suspicious Objects List |
| VisionOne.BlockList.status | number | Task status of removing a file SHA-1, IP address, domain, or URL object that was added to the User-Defined Suspicious Objects List from the block list |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the returned taskId as its task_id argument.

trendmicro-visionone-quarantine-email-message

Moves a message from a mailbox to the quarantine folder.

Base Command

trendmicro-visionone-quarantine-email-message

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| message_id | Email Message ID from Trend Micro Vision One message activity data. | Required |
| uniqueId | Unique alphanumeric string that identifies an email message within one mailbox. | Required |
| mailbox | Email mailbox from which the message will be quarantined. | Optional |
| description | Optional description for reference. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Email.taskId | string | The task ID of moving a message from a mailbox to the quarantine folder |
| VisionOne.Email.status | number | The status of moving a message from a mailbox to the quarantine folder |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the returned taskId as its task_id argument.

trendmicro-visionone-delete-email-message

Deletes a message from a mailbox.

Base Command

trendmicro-visionone-delete-email-message

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| message_id | Email Message ID from Trend Micro Vision One message activity data. | Required |
| uniqueId | Unique alphanumeric string that identifies an email message within one mailbox. | Required |
| mailbox | Email mailbox from which the message will be deleted. | Optional |
| description | Optional description for reference. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Email.taskId | string | The task ID of deleting a message from a mailbox |
| VisionOne.Email.status | number | The task status of deleting a message from a mailbox |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the returned taskId as its task_id argument.

trendmicro-visionone-isolate-endpoint

Disconnects an endpoint from the network (but allows communication with the managing Trend Micro product).

Base Command

trendmicro-visionone-isolate-endpoint

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint | "hostname" or "agentGuid" of the endpoint to isolate. | Required |
| description | Description. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Endpoint_Connection.taskId | string | The task ID of isolate endpoint task |
| VisionOne.Endpoint_Connection.taskStatus | number | The task status of isolate endpoint |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the returned taskId as its task_id argument.

Note: In a playbook, set an execution timeout for this command in the advanced field of the task. The recommended timeout is 20 minutes.

trendmicro-visionone-restore-endpoint-connection

Restores network connectivity to an endpoint on which the "isolate endpoint" action was applied.

Base Command

trendmicro-visionone-restore-endpoint-connection

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint | "hostname" or "agentGuid" of the endpoint to restore. | Required |
| description | Description. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Endpoint_Connection.taskId | string | The task ID of the restore endpoint connection |
| VisionOne.Endpoint_Connection.taskStatus | number | The task status of restore endpoint connection |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the returned taskId as its task_id argument.

Note: In a playbook, set an execution timeout for this command in the advanced field of the task. The recommended timeout is 20 minutes.

trendmicro-visionone-add-objects-to-exception-list

Adds domains, file SHA-1 values, IP addresses, or URLs to the Exception List and prevents these objects from being added to the Suspicious Object List.

Base Command

trendmicro-visionone-add-objects-to-exception-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| type | Object type: "domain", "ip", "fileSha1", "fileSha256", "senderMailAddress" or "url". Possible values are: domain, ip, fileSha1, fileSha256, senderMailAddress, url. | Required |
| value | The object value. Full and partial matches are supported. Domain partial match: a wildcard as the subdomain (example: *.example.com). IP partial match: an IP range (example: 192.168.35.1-192.168.35.254) or CIDR (example: 192.168.35.1/24). URL partial match: supports the wildcards 'http://*.' and 'https://*.' at the beginning, or '*' at the end; multiple wildcards are also supported (example: https://*.example.com/path1/*). SHA1: full match only. | Required |
| description | Exception description. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Exception_List.status_code | number | Status code of response |
| VisionOne.Exception_List.total_items | number | Count of items present in exception list |
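
A pre-submission check for the value syntax described above, added here as an example (not code from the integration or from Trend Micro). Because an exception entry keeps matching objects off the Suspicious Object List, it reports whether an entry is a full or partial match and flags malformed or overly broad patterns. The function names, the 256-address review threshold, the full-match treatment of fileSha256 and senderMailAddress, and the sample entries are assumptions of this example.

```python
import ipaddress
import re

# Review threshold chosen for this example; it is not a Vision One limit.
MAX_IP_COUNT = 256
# The page says SHA1 is full match only; treating fileSha256 and
# senderMailAddress the same way is an assumption of this example.
HASH_LENGTHS = {"fileSha1": 40, "fileSha256": 64}
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# Optional "*." wildcard, then at least one label plus a TLD.
DOMAIN_RE = re.compile(rf"(\*\.)?(?:{LABEL}\.)+[A-Za-z]{{2,63}}")


def ip_coverage(value):
    """Number of addresses covered by a single IP, a first-last range or a CIDR."""
    if "-" in value:
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        if first.version != last.version or last < first:
            raise ValueError("range end precedes start or mixes IP versions")
        return int(last) - int(first) + 1
    if "/" in value:
        # strict=False accepts host bits, as in the page's 192.168.35.1/24 example.
        return ipaddress.ip_network(value, strict=False).num_addresses
    ipaddress.ip_address(value)  # raises ValueError if malformed
    return 1


def review_url(value):
    """Check wildcard placement: '*.' right after the scheme and/or '*' at the end."""
    findings = []
    scheme, sep, rest = value.partition("://")
    if not sep or scheme not in ("http", "https"):
        return "invalid", ["URL must start with http:// or https://"]
    partial = False
    if rest.startswith("*."):
        rest, partial = rest[2:], True
    if rest.endswith("*"):
        rest, partial = rest[:-1], True
    if "*" in rest:
        findings.append("wildcard in an unsupported position")
    host = rest.split("/", 1)[0]
    if "." not in host.strip("."):
        findings.append("pattern does not pin a host name")
    return ("partial" if partial else "full"), findings


def review_exception(obj_type, value):
    """Return (match_kind, findings) for one exception list entry."""
    value = value.strip()
    if obj_type in HASH_LENGTHS:
        n = HASH_LENGTHS[obj_type]
        ok = re.fullmatch(rf"[0-9a-fA-F]{{{n}}}", value)
        return ("full", []) if ok else ("invalid", [f"{obj_type} needs all {n} hex digits"])
    if obj_type == "ip":
        try:
            count = ip_coverage(value)
        except ValueError as exc:
            return "invalid", [f"not an address, range or CIDR: {exc}"]
        findings = [f"covers {count} addresses"] if count > MAX_IP_COUNT else []
        return ("partial" if count > 1 else "full"), findings
    if obj_type == "domain":
        if not DOMAIN_RE.fullmatch(value):
            return "invalid", ["not a domain or *.domain pattern"]
        return ("partial" if value.startswith("*.") else "full"), []
    if obj_type == "url":
        return review_url(value)
    if obj_type == "senderMailAddress":
        local, at, dom = value.rpartition("@")
        ok = at and local and DOMAIN_RE.fullmatch(dom) and "*" not in value
        return ("full", []) if ok else ("invalid", ["not a mailbox address"])
    return "invalid", [f"unknown object type {obj_type!r}"]


# Constructed sample entries (the hash is the SHA-1 of empty input).
SAMPLES = [
    ("domain", "*.example.com"),
    ("ip", "192.168.35.1-192.168.35.254"),
    ("ip", "192.168.35.1/24"),
    ("ip", "10.0.0.0/8"),
    ("url", "https://*.example.com/path1/*"),
    ("url", "https://*"),
    ("fileSha1", "da39a3ee5e6b4b0d3255bfef95601890afd80709"),
]

if __name__ == "__main__":
    for obj_type, value in SAMPLES:
        print(obj_type, value, review_exception(obj_type, value))
```

Entries that come back as "partial" or with findings are the ones worth a second reviewer before the command is run, since each one suppresses more than a single object.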

trendmicro-visionone-delete-objects-from-exception-list

Deletes domains, file SHA-1 values, IP addresses, or URLs from the Exception List.

Base Command

trendmicro-visionone-delete-objects-from-exception-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| type | Object type: "domain", "ip", "fileSha1", "fileSha256", "senderMailAddress" or "url". Possible values are: domain, ip, fileSha1, fileSha256, senderMailAddress, url. | Required |
| value | The object value. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Exception_List.status_code | number | Status code of response |
| VisionOne.Exception_List.total_items | number | Count of items present in exception list |

trendmicro-visionone-add-objects-to-suspicious-list

Adds domains, file SHA-1/SHA-256 values, IP addresses, senderMailAddress, or URLs to the Suspicious Object List.

Base Command

trendmicro-visionone-add-objects-to-suspicious-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| type | Object type: "domain", "ip", "fileSha1", "fileSha256", "senderMailAddress" or "url". Possible values are: domain, ip, fileSha1, fileSha256, senderMailAddress, url. | Required |
| value | The object value. | Required |
| description | Description. | Optional |
| scan_action | The action to take if object is found. If you don't use this parameter, the scan action specified in default_settings.riskLevel.type will be used instead. "block" or "log". Possible values are: block, log. | Optional |
| risk_level | The Suspicious Object risk level. If you don't use this parameter, high will be used instead. "high", "medium" or "low". Possible values are: high, medium, low. | Optional |
| expiry_days | The number of days to keep the object in the Suspicious Object List. If you don't use this parameter, the default_settings.expiredDay scan action will be used instead. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Suspicious_List.status_code | number | Response code of adding item to suspicious object list |
| VisionOne.Suspicious_List.total_items | number | Number of items present in suspicious object list |

trendmicro-visionone-delete-objects-from-suspicious-list

Deletes domains, file SHA-1 values, IP addresses, or URLs from the Suspicious Object List.

Base Command

trendmicro-visionone-delete-objects-from-suspicious-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| type | Object type: "domain", "ip", "fileSha1", "fileSha256", "senderMailAddress" or "url". Possible values are: domain, ip, fileSha1, fileSha256, senderMailAddress, url. | Required |
| value | The object value. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Suspicious_List.status_code | number | Response code of removing item from suspicious object list |
| VisionOne.Suspicious_List.total_items | number | Number of items present in suspicious object list |

trendmicro-visionone-get-endpoint-info

Retrieves information about a specific endpoint.

Base Command

trendmicro-visionone-get-endpoint-info

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint | "hostname", "macAddress", "agentGuid" or "ip" of the endpoint to query. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Endpoint_Info.status | string | Status of the request |
| VisionOne.Endpoint_Info.logonAccount | string | Account currently logged on to the endpoint |
| VisionOne.Endpoint_Info.hostname | string | Hostname |
| VisionOne.Endpoint_Info.macAddr | string | MAC address |
| VisionOne.Endpoint_Info.ip | string | IP address |
| VisionOne.Endpoint_Info.osName | string | Operating System name |
| VisionOne.Endpoint_Info.osVersion | string | Operating System version |
| VisionOne.Endpoint_Info.osDescription | string | Description of the Operating System |
| VisionOne.Endpoint_Info.productCode | string | Product code of the Trend Micro product running on the endpoint |
| VisionOne.Endpoint_Info.agentGuid | string | AgentGuid of the endpoint |
| VisionOne.Endpoint_Info.installedProductCodes | string | Product code of the Trend Micro product installed on the endpoint |

trendmicro-visionone-terminate-process

Terminates a process that is running on an endpoint.

Base Command

trendmicro-visionone-terminate-process

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint | "hostname" or "agentGuid" of the endpoint to terminate process on. | Required |
| file_sha1 | SHA1 hash of the process to terminate. | Required |
| description | Description. | Optional |
| filename | Optional file name list for log. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Terminate_Process.taskId | string | Task ID of the current running task |
| VisionOne.Terminate_Process.taskStatus | number | Status of current running task |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the returned taskId as its task_id argument.

Note: In a playbook, set an execution timeout for this command in the advanced field of the task. The recommended timeout is 20 minutes.

trendmicro-visionone-get-file-analysis-status

Retrieves the status of a sandbox analysis submission.

Base Command

trendmicro-visionone-get-file-analysis-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| task_id | task_id from the trendmicro-visionone-submit-file-to-sandbox or trendmicro-visionone-submit-file-entry-to-sandbox command output. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.File_Analysis_Status.id | string | Submission ID of the file submitted for sandbox analysis |
| VisionOne.File_Analysis_Status.status | string | Response code for the action call |
| VisionOne.File_Analysis_Status.action | string | Action performed on the submitted file |
| VisionOne.File_Analysis_Status.error | string | Error code and message for the submission |
| VisionOne.File_Analysis_Status.digest | string | The hash values of file analyzed |
| VisionOne.File_Analysis_Status.createdDateTime | string | Create date time for the sandbox analysis |
| VisionOne.File_Analysis_Status.lastActionDateTime | string | Date and time for last action performed on the submission |
| VisionOne.File_Analysis_Status.resourceLocation | string | Location of the submitted file |
| VisionOne.File_Analysis_Status.isCached | string | Is the file cached or not (True or False) |
| VisionOne.File_Analysis_Status.arguments | string | Arguments for the file submitted |

trendmicro-visionone-get-file-analysis-result

Retrieves the sandbox submission analysis result.

Base Command

trendmicro-visionone-get-file-analysis-result

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| report_id | report_id of the sandbox submission retrieved from the trendmicro-visionone-get-file-analysis-status command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.File_Analysis_Result.status_code | string | Status code of file report |
| VisionOne.File_Analysis_Result.type | string | Suspicious object type |
| VisionOne.File_Analysis_Result.digest | string | The hash values of file analyzed |
| VisionOne.File_Analysis_Result.risk_level | string | Risk Level of suspicious object |
| VisionOne.File_Analysis_Result.analysisCompletionDateTime | string | Analyze time of suspicious object |
| VisionOne.File_Analysis_Result.arguments | string | Arguments for the suspicious object |
| VisionOne.File_Analysis_Result.detectionNames | string | Detection name for the suspicious object |
| VisionOne.File_Analysis_Result.threatTypes | string | Threat type of the suspicious object |
| VisionOne.File_Analysis_Result.trueFileType | string | File type for the suspicious object. |
| VisionOne.File_Analysis_Result.DBotScore.Score | number | The DBot score. |
| VisionOne.File_Analysis_Result.DBotScore.Vendor | string | The Vendor name. |
| VisionOne.File_Analysis_Result.DBotScore.Reliability | string | The Reliability of an intelligence-data source. |

trendmicro-visionone-collect-forensic-file

Compresses a file on an endpoint in a password-protected archive and then sends the archive to the XDR service platform.

Base Command

trendmicro-visionone-collect-forensic-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint | "hostname" or "macaddr" of the endpoint to collect file from. | Required |
| file_path | Path to the file to collect. | Required |
| description | Description of the file. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Collect_Forensic_File.taskId | string | Task ID of the particular file. |
| VisionOne.Collect_Forensic_File.taskStatus | number | Task status of collected file |

Note: To get the complete task status, run the polling command trendmicro-visionone-check-task-status with the returned taskId as its task_id argument.

Note: In a playbook, set an execution timeout for this command in the advanced field of the task. The recommended timeout is 20 minutes.

trendmicro-visionone-download-information-for-collected-forensic-file

Retrieves a URL and other information required to download a file collected with the trendmicro-visionone-collect-forensic-file command.

Base Command

trendmicro-visionone-download-information-for-collected-forensic-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| task_id | taskId output from the collect command used to collect the file. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Download_Information_For_Collected_Forensic_File.status | string | Status of action performed (succeeded, running or failed) |
| VisionOne.Download_Information_For_Collected_Forensic_File.createdDateTime | string | The create date time for the file |
| VisionOne.Download_Information_For_Collected_Forensic_File.taskId | string | The task ID for the response of collect file |
| VisionOne.Download_Information_For_Collected_Forensic_File.lastActionDateTime | string | Time and date of last action on file |
| VisionOne.Download_Information_For_Collected_Forensic_File.description | string | Task description |
| VisionOne.Download_Information_For_Collected_Forensic_File.action | string | Action performed on file |
| VisionOne.Download_Information_For_Collected_Forensic_File.account | string | The account associated with the request |
| VisionOne.Download_Information_For_Collected_Forensic_File.agentGuid | string | AgentGuid of the endpoint used to collect file |
| VisionOne.Download_Information_For_Collected_Forensic_File.endpointName | string | Hostname of the endpoint used to collect file |
| VisionOne.Download_Information_For_Collected_Forensic_File.filePath | string | File path for the file that was collected |
| VisionOne.Download_Information_For_Collected_Forensic_File.fileSha1 | string | The fileSha1 for the collected file |
| VisionOne.Download_Information_For_Collected_Forensic_File.fileSha256 | string | The fileSha256 for the collected file |
| VisionOne.Download_Information_For_Collected_Forensic_File.fileSize | number | The file size of the file collected |
| VisionOne.Download_Information_For_Collected_Forensic_File.resourceLocation | string | URL location of the file collected that can be used to download |
| VisionOne.Download_Information_For_Collected_Forensic_File.expiredDateTime | string | The expiration date and time of the file |
| VisionOne.Download_Information_For_Collected_Forensic_File.password | string | The password for the file collected |

Note: The URL returned by trendmicro-visionone-download-information-for-collected-forensic-file is valid for only 60 seconds.

trendmicro-visionone-download-investigation-package

Downloads the investigation package based on submission ID.

Base Command

trendmicro-visionone-download-investigation-package

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| submission_id | The submission ID for the object submitted to sandbox for analysis. | Required |
| filename | Optional name for the package to be downloaded. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Download_Investigation_Package.submissionId | string | The submission for the file |
| VisionOne.Download_Investigation_Package.code | number | Response status code for the command |

trendmicro-visionone-download-suspicious-object-list

Downloads the suspicious object list associated with the specified object. Note: Suspicious Object Lists are only available for objects with a high risk level.

Base Command

trendmicro-visionone-download-suspicious-object-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| submission_id | The submission ID for the object submitted to sandbox for analysis. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Download_Suspicious_Object_list.code | number | Status code for the command |
| VisionOne.Download_Suspicious_Object_list.riskLevel | string | Risk level of the analyzed object |
| VisionOne.Download_Suspicious_Object_list.analysisCompletionDateTime | string | The analysis completion date and time |
| VisionOne.Download_Suspicious_Object_list.expiredDateTime | string | The expiration date and time for the suspicious object |
| VisionOne.Download_Suspicious_Object_list.rootSha1 | string | The rootSha1 value for the object |
| VisionOne.Download_Suspicious_Object_list.ip | string | The endpoint ip associated with the submission |

trendmicro-visionone-download-analysis-report

Downloads the analysis report for an object submitted to sandbox for analysis based on the submission ID.

Base Command

trendmicro-visionone-download-analysis-report

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| submission_id | The submission ID for the object submitted to sandbox for analysis. | Required |
| filename | Optional name for the package to be downloaded. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Download_Analysis_Report.submissionId | string | The submission for the file |
| VisionOne.Download_Analysis_Report.code | number | Response status code for the command |

trendmicro-visionone-submit-file-to-sandbox

Submits a file to the sandbox for analysis. Note: For more information about the supported file types, see the Trend Micro Vision One Online Help. Submissions require credits, except in regions where Sandbox Analysis has not been officially released.

Base Command

trendmicro-visionone-submit-file-to-sandbox

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file_path | URL pointing to the location of the file to be submitted. | Required |
| filename | Name of the file to be analyzed. | Optional |
| document_password | The Base64-encoded password for decrypting the submitted document. | Optional |
| archive_password | The Base64-encoded password for decrypting the submitted archive. | Optional |
| arguments | Parameter that allows you to specify Base64-encoded command line arguments to run the submitted file. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Submit_File_to_Sandbox.code | number | Status code of the file submitted to sandbox |
| VisionOne.Submit_File_to_Sandbox.task_id | string | Task ID of the submitted file |
| VisionOne.Submit_File_to_Sandbox.digest | string | The hash value of the file |
| VisionOne.Submit_File_to_Sandbox.arguments | string | Command line arguments to run the submitted file |

trendmicro-visionone-submit-file-entry-to-sandbox

Submits a file to the sandbox for analysis. Note: For more information about the supported file types, see the Trend Micro Vision One Online Help. Submissions require credits, except in regions where Sandbox Analysis has not been officially released.

Base Command

trendmicro-visionone-submit-file-entry-to-sandbox

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entry_id | Entry ID of the file to be submitted. | Required |
| document_password | The Base64-encoded password for decrypting the submitted document. | Optional |
| archive_password | The Base64-encoded password for decrypting the submitted archive. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Submit_File_Entry_to_Sandbox.message | string | Status message of the file submitted to sandbox. |
| VisionOne.Submit_File_Entry_to_Sandbox.code | string | Status code of the file submitted to sandbox |
| VisionOne.Submit_File_Entry_to_Sandbox.task_id | string | Task ID of the submitted file |
| VisionOne.Submit_File_Entry_to_Sandbox.digest | string | The hash value of the file |
| VisionOne.Submit_File_Entry_to_Sandbox.filename | string | The name of the file submitted |
| VisionOne.Submit_File_Entry_to_Sandbox.file_path | string | The path to the file associated to incident |
| VisionOne.Submit_File_Entry_to_Sandbox.entryId | string | The Entry ID for the file |

trendmicro-visionone-run-sandbox-submission-polling

Runs a polling command to retrieve the status of a sandbox analysis submission.

Base Command

trendmicro-visionone-run-sandbox-submission-polling

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| polling | Poll the task at a 30-second interval. Default is true. | Optional |
| task_id | task_id from the trendmicro-visionone-submit-file-to-sandbox or trendmicro-visionone-submit-file-entry-to-sandbox command output. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Sandbox_Submission_Polling.message | string | Status of the sandbox analysis |
| VisionOne.Sandbox_Submission_Polling.status_code | string | Response code |
| VisionOne.Sandbox_Submission_Polling.task_id | string | task_id of the task queried |
| VisionOne.Sandbox_Submission_Polling.taskStatus | string | Sandbox analysis status |
| VisionOne.Sandbox_Submission_Polling.digest | string | The hash values of file analyzed |
| VisionOne.Sandbox_Submission_Polling.analysis_completion_time | string | Sample analysis completed time. |
| VisionOne.Sandbox_Submission_Polling.risk_level | string | Risk Level of the analyzed file. |
| VisionOne.Sandbox_Submission_Polling.description | string | Scan result description for NotAnalyzed. |
| VisionOne.Sandbox_Submission_Polling.detection_name_list | unknown | Detection name of this sample, if applicable. |
| VisionOne.Sandbox_Submission_Polling.threat_type_list | unknown | Threat type of this sample. |
| VisionOne.Sandbox_Submission_Polling.file_type | string | File type of this sample. |
| VisionOne.Sandbox_Submission_Polling.report_id | string | ID used to get the report and suspicious object. Empty means no report. |
| VisionOne.Sandbox_Submission_Polling.message | string | Error message for failed call. |
| VisionOne.Sandbox_Submission_Polling.code | string | Error code for failed call. |
| VisionOne.Sandbox_Submission_Polling.DBotScore.Score | number | The DBot score. |
| VisionOne.Sandbox_Submission_Polling.DBotScore.Vendor | string | The Vendor name. |
| VisionOne.Sandbox_Submission_Polling.DBotScore.Reliability | string | The Reliability of an intelligence-data source. |

trendmicro-visionone-check-task-status

Returns the status of a running task based on its task ID.

Base Command

trendmicro-visionone-check-task-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| polling | Poll the task at a 30-second interval. Default is true. | Optional |
| task_id | Task ID of the task you would like to check. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Task_Status.taskId | string | Task ID of the task queried. |
| VisionOne.Task_Status.taskStatus | string | Status of the task. |

trendmicro-visionone-add-note

Attaches a note to a workbench alert.

Base Command

trendmicro-visionone-add-note

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| workbench_id | ID of the workbench you would like to attach the note to. | Required |
| content | Contents of the note to be attached. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Add_Note.Workbench_Id | string | The ID of the workbench that the note was added to. |
| VisionOne.Add_Note.note_id | string | The ID of the note that was added. |
| VisionOne.Add_Note.code | string | The response code from the command |

trendmicro-visionone-update-status

Updates the status of a workbench alert.

Base Command

trendmicro-visionone-update-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| workbench_id | ID of the workbench you would like to update the status for. | Required |
| status | Status to assign to the workbench alert. Possible values are: new, in progress, true positive, false positive. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Update_Status.Workbench_Id | string | The ID of the workbench that had the status updated. |
| VisionOne.Update_Status.code | string | The response code from the command |