Skip to main content

Trend Micro Vision One V3.

This Integration is part of the Trend Micro Vision One Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Trend Micro Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response (XDR) capabilities that collect and automatically correlate data across multiple security layers—email, endpoints, servers, cloud workloads, and networks—Trend Micro Vision One prevents the majority of attacks with automated protection. V3 version of the app includes everything that the previous app had and adds more capabilities. It leverages V3 of Trend Micro APIs and introduces further ability to manage domain accounts with addition of 4 domain account actions for enabling/disabling user account, forcing sign-out and password resets for compromised accounts. This app is in active development. We previously added 4 actions, one to fetch email activity data with count, one to fetch endpoint activity data with count and an action to restore a quarantined email message. In this release we have added 6 new custom script actions allowing the user to fetch a list of available custom scripts in XDR portal, ability to run a custom script on a specified endpoint, capacity to add, download, update and delete a custom script from XDR portal. This integration was integrated and tested with version 3 API of Trend Micro Vision One.

Configure Trend Micro Vision One V3. in Cortex#

ParameterDescriptionRequired
API URL (e.g. https://api.xdr.trendmicro.com)The base url for the Trend Micro Vision One APITrue
API KeyThe API token to access dataTrue
Fetch incidentsFalse
Incidents Fetch IntervalFalse
Incident typeFalse
Sync On First Run (days)False
Max IncidentsFalse
Use system proxy settingsFalse
Trust any certificate (not secure)False
Source ReliabilityReliability of the source providing the intelligence data.False
SeveritySeverity of the incident being fetched.False

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

trendmicro-visionone-enable-user-account#


Allows the user to sign in to new application and browser sessions. Supported IAM systems -> Azure AD and Active Directory (on-premises).

Base Command#

trendmicro-visionone-enable-user-account

Input#

Argument NameDescriptionRequired
account_identifiersList of object(s) containing account_name and optional description. e.g. [{"account_name":"some-account","description":"enable"}].Required

Context Output#

PathTypeDescription
VisionOne.User_Account.statusnumberStatus of request to enable user account.
VisionOne.User_Account.task_idstringTask ID generated after enabling user account.

trendmicro-visionone-disable-user-account#


Signs the user out of all active application and browser sessions, and prevents the user from signing in any new session. Supported IAM systems -> Azure AD and Active Directory (on-premises).

Base Command#

trendmicro-visionone-disable-user-account

Input#

Argument NameDescriptionRequired
account_identifiersList of object(s) containing account_name and optional description. e.g. [{"account_name":"some-account","description":"disable"}].Required

Context Output#

PathTypeDescription
VisionOne.User_Account.statusnumberStatus of request to disable user account.
VisionOne.User_Account.task_idstringTask ID generated after disabling user account.

trendmicro-visionone-force-signout#


Signs the user out of all active application and browser sessions. Supported IAM systems -> Azure AD.

Base Command#

trendmicro-visionone-force-signout

Input#

Argument NameDescriptionRequired
account_identifiersList of object(s) containing account_name and optional description. e.g. [{"account_name":"some-account","description":"sign-out"}].Required

Context Output#

PathTypeDescription
VisionOne.Force_Sign_Out.statusnumberStatus of request to sign out user.
VisionOne.Force_Sign_Out.task_idstringTask ID generated after signing out user.

trendmicro-visionone-force-password-reset#


Signs the user out of all active application and browser sessions, and forces the user to create a new password during the next sign-in attempt. Supported IAM systems -> Azure AD and Active Directory (on-premises).

Base Command#

trendmicro-visionone-force-password-reset

Input#

Argument NameDescriptionRequired
account_identifiersList of object(s) containing account_name and optional description. e.g. [{"account_name":"some-account","description":"reset"}].Required

Context Output#

PathTypeDescription
VisionOne.Force_Password_Reset.statusnumberStatus of request to reset user password.
VisionOne.Force_Password_Reset.task_idstringTask ID generated after resetting user password.

trendmicro-visionone-add-to-block-list#


Adds a domain, ip, file_sha1, url, sender_mail_address to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections.

Base Command#

trendmicro-visionone-add-to-block-list

Input#

Argument NameDescriptionRequired
block_objectsList of object(s) made up of object_type (domain,ip,file_sha1,url,sender_mail_address), object_value and optional description. e.g. [{"object_type":"domain","object_value":"www.yahoo.com"}].Required

Context Output#

PathTypeDescription
VisionOne.BlockList.statusnumberStatus of adding domain, ip, file_sha1, url, sender_mail_address to the User-Defined Suspicious Objects List.
VisionOne.BlockList.task_idstringTask ID generated after adding domain, ip, file_sha1, url, sender_mail_address to the User-Defined Suspicious Objects List.

trendmicro-visionone-remove-from-block-list#


Removes a domain, ip, file_sha1, url, sender_mail_address from the User-Defined Suspicious Objects List.

Base Command#

trendmicro-visionone-remove-from-block-list

Input#

Argument NameDescriptionRequired
block_objectsList of object(s) made up of object_type (domain,ip,file_sha1,url,sender_mail_address), object_value and optional description. e.g. [{"object_type":"domain","object_value":"www.yahoo.com"}].Required

Context Output#

PathTypeDescription
VisionOne.BlockList.statusnumberStatus of removing domain, ip, file_sha1, url, sender_mail_address that was added to the User-Defined Suspicious Objects List from block list.
VisionOne.BlockList.task_idstringTask ID generated after removing domain, ip, file_sha1, url, sender_mail_address from the User-Defined Suspicious Objects List.

trendmicro-visionone-quarantine-email-message#


Moves a message from a mailbox to the quarantine folder.

Base Command#

trendmicro-visionone-quarantine-email-message

Input#

Argument NameDescriptionRequired
email_identifiersList of object(s) containing message_id (<mailMsgId>), mailbox (mailbox ID) and description or unique_id (msgUuid) and optional description from Trend Micro Vision One message activity data. e.g. [{"message_id":"xasbjAgs72912-asdjnaj","mailbox":"mailbox-name","description":"quarantine"}].Required

Context Output#

PathTypeDescription
VisionOne.Email.statusnumberStatus of moving a message from a mailbox to the quarantine folder.
VisionOne.Email.task_idstringTask ID generated after moving a message from a mailbox to the quarantine folder.

trendmicro-visionone-delete-email-message#


Deletes a message from a mailbox.

Base Command#

trendmicro-visionone-delete-email-message

Input#

Argument NameDescriptionRequired
email_identifiersList of object(s) containing message_id (<mailMsgId>), mailbox (mailbox ID) and description or unique_id (msgUuid) and optional description from Trend Micro Vision One message activity data. e.g. [{"message_id":"xasbjAgs72912-asdjnaj","mailbox":"mailbox-name","description":"disable":"delete"}].Required

Context Output#

PathTypeDescription
VisionOne.Email.statusnumberStatus of deleting a message from a mailbox.
VisionOne.Email.task_idstringTask ID generated after deleting a message from a mailbox.

trendmicro-visionone-restore-email-message#


Restores a quarantined message. Deleted messages cannot be restored.

Base Command#

trendmicro-visionone-restore-email-message

Input#

Argument NameDescriptionRequired
email_identifiersList of object(s) containing message_id (<mailMsgId>), mailbox (mailbox ID) and description or unique_id (msgUuid) and optional description from Trend Micro Vision One message activity data. e.g. [{"message_id":"xasbjAgs72912-asdjnaj","mailbox":"mailbox-name"}].Required

Context Output#

PathTypeDescription
VisionOne.Email.statusnumberStatus of restoring a message.
VisionOne.Email.task_idstringTask ID generated after restoring a message.

trendmicro-visionone-isolate-endpoint#


Disconnects an endpoint from the network (but allows communication with the managing Trend Micro product).

Base Command#

trendmicro-visionone-isolate-endpoint

Input#

Argument NameDescriptionRequired
endpoint_identifiersList of object(s) containing endpoint (hostname) and description or agent_guid and description. e.g. [{"endpoint":"test-endpoint","description":"isolate endpoint"}].Required

Context Output#

PathTypeDescription
VisionOne.Endpoint_Connection.statusnumberStatus of isolating endpoint(s).
VisionOne.Endpoint_Connection.task_idstringTask ID generated after isolating endpoint(s).

trendmicro-visionone-restore-endpoint-connection#


Restores network connectivity to an endpoint that applied the "isolate endpoint" action.

Base Command#

trendmicro-visionone-restore-endpoint-connection

Input#

Argument NameDescriptionRequired
endpoint_identifiersList of object(s) containing endpoint (hostname) and description or agent_guid and description. e.g. [{"endpoint":"test-endpoint","description":"restore endpoint"}].Required

Context Output#

PathTypeDescription
VisionOne.Endpoint_Connection.statusnumberStatus of restoring endpoint(s).
VisionOne.Endpoint_Connection.task_idstringTask ID generated after restoring endpoint(s).

trendmicro-visionone-add-objects-to-exception-list#


Adds domain, ip, url, file_sha1, file_sha256, sender_mail_address to the Exception List and prevents these objects from being added to the Suspicious Object List.

Base Command#

trendmicro-visionone-add-objects-to-exception-list

Input#

Argument NameDescriptionRequired
block_objectsList of object(s) consisting of object_type (domain,ip,url,file_sha1,file_sha256,sender_mail_address), object_value and description. e.g. [{"object_type":"ip","object_value":"5.5.5.5"}, {"object_type":"domain","object_value":"www.yahoo.com"}].Required

Context Output#

PathTypeDescription
VisionOne.Exception_List.messagestringSuccess or fail response message.
VisionOne.Exception_List.multi_response.statusnumberStatus of adding item(s) to exception list.
VisionOne.Exception_List.multi_response.task_idstringTask ID generated after adding item(s) to exception list.
VisionOne.Exception_List.total_itemsnumberCount of total items present in exception list.

trendmicro-visionone-delete-objects-from-exception-list#


Deletes domain, ip, url, file_sha1, file_sha256, sender_mail_address from the Exception List.

Base Command#

trendmicro-visionone-delete-objects-from-exception-list

Input#

Argument NameDescriptionRequired
block_objectsList of object(s) consisting of object_type (domain,ip,url,file_sha1,file_sha256,sender_mail_address), object_value and description. e.g. [{"object_type":"ip","object_value":"5.5.5.5","description":"exception list"}].Required

Context Output#

PathTypeDescription
VisionOne.Exception_List.messagestringSuccess or fail response message.
VisionOne.Exception_List.multi_response.statusnumberstatus code of response.
VisionOne.Exception_List.multi_response.task_idstringTask ID generated after removing item(s) from exception list.
VisionOne.Exception_List.total_itemsnumbercount of item present in exception list.

trendmicro-visionone-add-objects-to-suspicious-list#


Adds domain, ip, url, file_sha1, file_sha256, sender_mail_address to the Suspicious Object List.

Base Command#

trendmicro-visionone-add-objects-to-suspicious-list

Input#

Argument NameDescriptionRequired
block_objectsList of object(s) consisting of object_type (domain,ip,url,file_sha1,file_sha256,sender_mail_address), object_value, scan_action, risk_level, expiry_days and description. e.g. [{"object_type":"ip","object_value":"5.5.5.5","scan_action":"block","risk_level":"medium","expiry_days":7}].Required

Context Output#

PathTypeDescription
VisionOne.Suspicious_List.messagestringSuccess or fail response message.
VisionOne.Suspicious_List.multi_response.statusnumberStatus of request to add item(s) to suspicious list.
VisionOne.Suspicious_List.multi_response.task_idstringTask ID generated after adding item(s) to suspicious list.
VisionOne.Suspicious_List.total_itemsnumberCount of total items present in suspicious object list.

trendmicro-visionone-delete-objects-from-suspicious-list#


Deletes domain, ip, url, file_sha1, file_sha256, sender_mail_address from the Suspicious Object List.

Base Command#

trendmicro-visionone-delete-objects-from-suspicious-list

Input#

Argument NameDescriptionRequired
block_objectsList of object(s) consisting of object_type (domain,ip,url,file_sha1,file_sha256,sender_mail_address) and object_value. e.g. [{"object_type":"ip","object_value":"5.5.5.5"}].Required

Context Output#

PathTypeDescription
VisionOne.Suspicious_List.messagestringSuccess or fail response message.
VisionOne.Suspicious_List.multi_response.statusnumberStatus of request to remove item(s) from suspicious object list.
VisionOne.Suspicious_List.multi_response.task_idstringTask ID generated after removing item(s) from suspicious object list.
VisionOne.Suspicious_List.total_itemsnumberCount of total items present in suspicious object list.

trendmicro-visionone-get-endpoint-info#


Retrieves information about a specific endpoint.

Base Command#

trendmicro-visionone-get-endpoint-info

Input#

Argument NameDescriptionRequired
endpointFilter (A dictionary object with key/value used to create a query string) for retrieving a subset of endpoint information e.g. endpoint={"endpointName":"test-endpoint1", "ip":"52.72.139.96"}. Multiple endpoints can be queried but unique keys need to be supplied (e.g. endpointName, ip, etc.). For complete list of keys check (https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1eiqs~1endpoints/get).Required
query_opConditional operator used to build request that allows user to retrieve a subset of collected endpoint(s). Possible values: and/or. Ex. or: the results retrieved will contain information for endpoint(s) matching endpointName OR ip. and: results retrieved will contain endpoint information for endpoint matching endpointName AND ip.Required

Context Output#

PathTypeDescription
VisionOne.Endpoint_Info.agent_guidstringAgent Guid of the endpoint.
VisionOne.Endpoint_Info.login_account.valuestringAccount currently logged on to the endpoint.
VisionOne.Endpoint_Info.endpoint_name.valuestringHostname of the endpoint queried.
VisionOne.Endpoint_Info.mac_address.valuestringMAC address of the endpoint queried.
VisionOne.Endpoint_Info.ip.valuestringIP address of the endpoint queried.
VisionOne.Endpoint_Info.os_namestringOperating System name of the endpoint queried.
VisionOne.Endpoint_Info.os_versionstringOperating System version of the endpoint queried.
VisionOne.Endpoint_Info.os_descriptionstringDescription of the Operating System of the endpoint queried.
VisionOne.Endpoint_Info.product_codestringProduct code of the Trend Micro product running on the endpoint.
VisionOne.Endpoint_Info.installed_product_codesstringProduct code of the Trend Micro product installed on the endpoint.
VisionOne.Endpoint_Info.component_update_policystringThe update policy for the module/pattern of the agent installed on the endpoint.
VisionOne.Endpoint_Info.component_update_statusstringThe status of the module/pattern updates of the agent installed on the endpoint.
VisionOne.Endpoint_Info.component_versionstringThe agent component version.
VisionOne.Endpoint_Info.policy_namestringThe name of a policy for an event.
VisionOne.Endpoint_Info.protection_managerstringThe name of your protection manager.

trendmicro-visionone-get-endpoint-activity-data#


Displays search results from the Endpoint Activity Data source that match the parameters provided.

Base Command#

trendmicro-visionone-get-endpoint-activity-data

Input#

Argument NameDescriptionRequired
fieldsFilter (A dictionary object with key/value used to create a query string) for retrieving a subset of endpoint activity data e.g. {"endpointName":"sample-host","dpt": 443}. Complete list of supported fields (https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1endpointActivities/get).Required
query_opConditional operator used to build request that allows user to retrieve a subset of collected endpoint activity data. Possible values: and/or. Ex. or: the results retrieved will contain activity data for endpoint(s) matching endpointName OR dpt. and: will contain activity data for endpoint matching endpointName AND dpt. Defaults to and.Optional
startTimestamp in ISO 8601 format that indicates the start of the data retrieval range. If no value is specified, start defaults to 24 hours before the request is made. e.g. start="2023-10-01T08:00:00Z".Optional
endTimestamp in ISO 8601 format that indicates the end of the data retrieval time range. If no value is specified, end defaults to the time the request is made. e.g. end="2023-12-01T08:00:00Z".Optional
topNumber of records displayed on a page. e.g. top=5.Optional
selectList of fields to include in the search results. If no fields are specified, the query returns all supported fields. e.g. select="dpt,dst,endpointHostName".Optional
fetch_max_countMax results to be fetched by call.Optional
fetch_allDo you want to fetch all matching records or only records matching the top value.Optional

Context Output#

PathTypeDescription
VisionOne.Endpoint_Activity_Data.dptstringDestination port.
VisionOne.Endpoint_Activity_Data.dststringDestination IP address.
VisionOne.Endpoint_Activity_Data.endpoint_guidstringendpoint GUID for identity.
VisionOne.Endpoint_Activity_Data.endpoint_host_namestringHostname of the endpoint on which the event was generated.
VisionOne.Endpoint_Activity_Data.endpoint_ipstringEndpoint IP address list.
VisionOne.Endpoint_Activity_Data.event_idstringID corresponding to data field mapping.
VisionOne.Endpoint_Activity_Data.event_sub_idstringID corresponding to data field mapping.
VisionOne.Endpoint_Activity_Data.object_integrity_levelstringID corresponding to data field mapping.
VisionOne.Endpoint_Activity_Data.object_true_typestringID corresponding to data field mapping.
VisionOne.Endpoint_Activity_Data.object_sub_true_typestringID corresponding to data field mapping.
VisionOne.Endpoint_Activity_Data.win_event_idstringID corresponding to data field mapping.
VisionOne.Endpoint_Activity_Data.event_timestringLog collect time utc format.
VisionOne.Endpoint_Activity_Data.event_time_d_tstringLog collect time.
VisionOne.Endpoint_Activity_Data.host_namestringHostname of the endpoint on which the event was generated.
VisionOne.Endpoint_Activity_Data.logon_userstringLogon user name.
VisionOne.Endpoint_Activity_Data.object_cmdstringCommand line entry of target process.
VisionOne.Endpoint_Activity_Data.object_file_hash_sha1stringThe SHA1 hash of target process image or target file.
VisionOne.Endpoint_Activity_Data.object_file_pathstringFile path location of target process image or target file.
VisionOne.Endpoint_Activity_Data.object_host_namestringServer name where Internet event was detected.
VisionOne.Endpoint_Activity_Data.object_ipstringIP address of internet event.
VisionOne.Endpoint_Activity_Data.object_ipsstringIP address list of internet event.
VisionOne.Endpoint_Activity_Data.object_portstringThe port number used by internet event.
VisionOne.Endpoint_Activity_Data.object_registry_datastringThe registry value data.
VisionOne.Endpoint_Activity_Data.object_registry_key_handlestringThe registry key.
VisionOne.Endpoint_Activity_Data.object_registry_valuestringRegistry value name.
VisionOne.Endpoint_Activity_Data.object_signerstringCertificate signer of object process or file.
VisionOne.Endpoint_Activity_Data.object_signer_validstringValidity of certificate signer.
VisionOne.Endpoint_Activity_Data.object_userstringThe owner name of target process / The logon user name.
VisionOne.Endpoint_Activity_Data.osstringSystem.
VisionOne.Endpoint_Activity_Data.parent_cmdstringThe command line that parent process.
VisionOne.Endpoint_Activity_Data.parent_file_hash_sha1stringThe SHA1 hash of parent process.
VisionOne.Endpoint_Activity_Data.parent_file_pathstringThe file path location of parent process.
VisionOne.Endpoint_Activity_Data.process_cmdstringThe command line used to launch this process.
VisionOne.Endpoint_Activity_Data.process_file_hash_sha1stringThe process file sha1.
VisionOne.Endpoint_Activity_Data.process_file_pathstringThe process file path.
VisionOne.Endpoint_Activity_Data.requeststringRequest URL (normally detected by Web Reputation Services).
VisionOne.Endpoint_Activity_Data.search_d_lstringSearch data lake.
VisionOne.Endpoint_Activity_Data.sptstringSource port.
VisionOne.Endpoint_Activity_Data.srcstringSource IP address.
VisionOne.Endpoint_Activity_Data.src_file_hash_sha1stringSource file sha1.
VisionOne.Endpoint_Activity_Data.src_file_pathstringSource file path.
VisionOne.Endpoint_Activity_Data.tagsstringDetected by Security Analytics Engine filters.
VisionOne.Endpoint_Activity_Data.uuidstringLog unique identity.

trendmicro-visionone-get-endpoint-activity-data-count#


Displays total count of search results from the Endpoint Activity Data source that match the parameters provided.

Base Command#

trendmicro-visionone-get-endpoint-activity-data-count

Input#

Argument NameDescriptionRequired
fieldsFilter (A dictionary object with key/value used to create a query string) for retrieving endpoint activity data count e.g. {"endpointName":"sample-host","dpt":443}. Complete list of supported fields (https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1endpointActivities/get).Required
query_opConditional operator used to build request that allows user to retrieve a count of collected endpoint activity. Possible values: and/or. Ex. or: the results retrieved will contain activity count for endpoint(s) matching endpointName OR dpt. and: the results retrieved will contain activity count for endpoint matching endpointName AND dpt. Defaults to and.Optional
startTimestamp in ISO 8601 format that indicates the start of the data retrieval range. If no value is specified, start defaults to 24 hours before the request is made. e.g. start="2023-10-01T08:00:00Z".Optional
endTimestamp in ISO 8601 format that indicates the end of the data retrieval time range. If no value is specified, end defaults to the time the request is made. e.g. end="2023-12-01T08:00:00Z".Optional
selectList of fields to include in the search results. If no fields are specified, the query returns all supported fields. e.g. select="dpt,dst,endpointHostName".Optional

Context Output#

PathTypeDescription
VisionOne.Endpoint_Activity_Data_Count.endpoint_activity_countstringTotal count for endpoint activity queried.

trendmicro-visionone-get-email-activity-data#


Displays search results from the Email Activity Data source that match the parameters provided.

Base Command#

trendmicro-visionone-get-email-activity-data

Input#

Argument NameDescriptionRequired
fieldsFilter (A dictionary object with key/value used to create a query string) for retrieving a subset of email activity data e.g. {"mailMsgSubject":"spam","mailSenderIp":"192.169.1.1"}. Complete list of supported fields (https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1emailActivities/get).Required
query_opConditional operator used to build request that allows user to retrieve a subset of email activity data. Possible values: and/or. Ex. or: the results retrieved will contain activity data for email(s) matching mailMsgSubject OR mailSenderIp. and: the results retrieved will contain activity data for email matching mailMsgSubject AND mailSenderIp. Defaults to and.Optional
startTimestamp in ISO 8601 format that indicates the start of the data retrieval range. If no value is specified, start defaults to 24 hours before the request is made. e.g. start="2023-10-01T08:00:00Z".Optional
endTimestamp in ISO 8601 format that indicates the end of the data retrieval time range. If no value is specified, end defaults to the time the request is made. e.g. end="2023-12-01T08:00:00Z".Optional
topNumber of records displayed on a page. e.g. top=5.Optional
selectList of fields to include in the search results. If no fields are specified, the query returns all supported fields. e.g. select="mailMsgSubject,mailFromAddresses,mailToAddresses".Optional
fetch_max_countMax results to be fetched by call.Optional
fetch_allDo you want to fetch all matching records or only records matching the top value.Optional

Context Output#

PathTypeDescription
VisionOne.Email_Activity_Data.mail_msg_subjectstringSubject of the email message.
VisionOne.Email_Activity_Data.mail_msg_idstringInternet message ID of the email message.
VisionOne.Email_Activity_Data.msg_uuidstringUnique ID of the email message.
VisionOne.Email_Activity_Data.mailboxstringMailbox where the email message is.
VisionOne.Email_Activity_Data.mail_sender_ipstringSource IP address of the email message.
VisionOne.Email_Activity_Data.mail_from_addressesstringSender email address of the email message.
VisionOne.Email_Activity_Data.mail_whole_headerstringInformation about the header of the email message.
VisionOne.Email_Activity_Data.mail_to_addressesstringA list of recipient email addresses of the email message.
VisionOne.Email_Activity_Data.mail_source_domainstringSource domain of the email message.
VisionOne.Email_Activity_Data.search_d_lstringSearch data lake.
VisionOne.Email_Activity_Data.scan_typestringEmail activity scan type.
VisionOne.Email_Activity_Data.event_timestringDate and time UTC.
VisionOne.Email_Activity_Data.org_idstringUnique ID used to identify an organization.
VisionOne.Email_Activity_Data.mail_urls_visible_linkstringVisible link in email message.
VisionOne.Email_Activity_Data.mail_urls_real_linkstringReal link in email message.

trendmicro-visionone-get-email-activity-data-count#


Displays search results from the Email Activity Data source that match the parameters provided.

Base Command#

trendmicro-visionone-get-email-activity-data-count

Input#

Argument NameDescriptionRequired
fieldsFilter (A dictionary object with key/value used to create a query string) for retrieving email activity data count e.g. {"mailMsgSubject":"spam","mailSenderIp":"192.169.1.1"}. Complete list of supported fields (https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1emailActivities/get).Required
query_opConditional operator used to build request that allows user to retrieve a count of collected email activity. Possible values: and/or. Ex. or: the results retrieved will contain activity count for email(s) matching mailMsgSubject OR mailSenderIp. and: the results retrieved will contain activity count for email matching mailMsgSubject AND mailSenderIp. Defaults to and.Optional
startTimestamp in ISO 8601 format that indicates the start of the data retrieval range. If no value is specified, start defaults to 24 hours before the request is made. e.g. start="2023-10-01T08:00:00Z".Optional
endTimestamp in ISO 8601 format that indicates the end of the data retrieval time range. If no value is specified, end defaults to the time the request is made. e.g. end="2023-12-01T08:00:00Z".Optional
selectList of fields to include in the search results. If no fields are specified, the query returns all supported fields. e.g. select="mailMsgSubject,mailFromAddresses,mailToAddresses".Optional

Context Output#

PathTypeDescription
VisionOne.Email_Activity_Data_Count.email_activity_countstringTotal count of email activity.

trendmicro-visionone-terminate-process#


Terminates a process that is running on an endpoint.

Base Command#

trendmicro-visionone-terminate-process

Input#

Argument NameDescriptionRequired
process_identifiersList of object(s) consisting of endpoint (hostname) or agent_guid, file_sha1, filename and description. e.g. [{"endpoint":"test-endpoint","file_sha1":"fb5608fa03de204a12fe1e9e5275e4a682107471","filename":"test.txt","description":"terminate process"}].Required

Context Output#

PathTypeDescription
VisionOne.Terminate_Process.statusnumberStatus of request to terminate process.
VisionOne.Terminate_Process.task_idstringTask Id generated after terminating a process.

trendmicro-visionone-get-file-analysis-status#


Retrieves the status of a sandbox analysis submission.

Base Command#

trendmicro-visionone-get-file-analysis-status

Input#

Argument NameDescriptionRequired
task_idtask_id from the trendmicro-visionone-submit-file-to-sandbox command output. e.g. task_id="012e4eac-9bd9-4e89-95db-77e02f75a611".Required

Context Output#

PathTypeDescription
VisionOne.File_Analysis_Status.idstringSubmission ID of the file submitted for sandbox analysis.
VisionOne.File_Analysis_Status.statusstringResponse code for the action call.
VisionOne.File_Analysis_Status.actionstringAction performed on the submitted file.
VisionOne.File_Analysis_Status.errorstringError code and message for the submission.
VisionOne.File_Analysis_Status.digeststringThe hash values of file analyzed.
VisionOne.File_Analysis_Status.created_date_timestringCreate date time for the sandbox analysis.
VisionOne.File_Analysis_Status.last_action_date_timestringDate and time for last action performed on the submission.
VisionOne.File_Analysis_Status.resource_locationstringLocation of the submitted file.
VisionOne.File_Analysis_Status.is_cachedstringIs the file cached or not (True or False).
VisionOne.File_Analysis_Status.argumentsstringArguments for the file submitted.

trendmicro-visionone-get-file-analysis-result#


Retrieves the sandbox submission analysis result.

Base Command#

trendmicro-visionone-get-file-analysis-result

Input#

Argument NameDescriptionRequired
report_idreport_id of the sandbox submission retrieved from the trendmicro-visionone-get-file-analysis-status command. e.g. report_id="012e4eac-9bd9-4e89-95db-77e02f75a611".Required
pollIf script should wait until the task is finished before returning the result, enabled by default. poll=true. Possible values are: true, false.Optional
poll_time_secMaximum time to wait for the result to be available. e.g. poll_time_sec=45.Optional

Context Output#

PathTypeDescription
VisionOne.File_Analysis_Result.idstringReport ID for the submission.
VisionOne.File_Analysis_Result.typestringType of object.
VisionOne.File_Analysis_Result.digeststringThe hash values of file analyzed.
VisionOne.File_Analysis_Result.risk_levelstringRisk Level of suspicious object.
VisionOne.File_Analysis_Result.analysis_completion_date_timestringAnalyze time of suspicious object.
VisionOne.File_Analysis_Result.argumentsstringArguments for the suspicious object.
VisionOne.File_Analysis_Result.detection_namesstringDetection name for the suspicious object.
VisionOne.File_Analysis_Result.threat_typesstringThreat type of the suspicious object.
VisionOne.File_Analysis_Result.true_file_typestringFile type for the suspicious object.
VisionOne.File_Analysis_Result.DBotScore.ScorenumberThe DBot score.
VisionOne.File_Analysis_Result.DBotScore.VendorstringThe Vendor name.
VisionOne.File_Analysis_Result.DBotScore.ReliabilitystringThe reliability of an intelligence-data source.

trendmicro-visionone-collect-forensic-file#


Compresses a file on an endpoint in a password-protected archive and then sends the archive to the XDR service platform.

Base Command#

trendmicro-visionone-collect-forensic-file

Input#

Argument NameDescriptionRequired
collect_filesList of object(s) containing endpoint (hostname) or agent_guid, file_path and description. e.g. [{"endpoint":"test-endpoint","file_path":"C:/test_dir/test.txt","filename":"test.txt","description":"collect file"}].Required

Context Output#

PathTypeDescription
VisionOne.Collect_Forensic_File.statusnumberStatus of request to collect file from endpoint.
VisionOne.Collect_Forensic_File.task_idstringTask ID generated after collecting file for forensic analysis.

trendmicro-visionone-download-information-for-collected-forensic-file#


Retrieves a URL and other information required to download a collected file via the trendmicro-visionone-collect-forensic-file command.

Base Command#

trendmicro-visionone-download-information-for-collected-forensic-file

Input#

Argument NameDescriptionRequired
task_idtaskId output from the collect forensic file command. e.g. task_id="00000012".Required
pollIf script should wait until the task is finished before returning the result, enabled by default. e.g. poll=true. Possible values are: true, false.Optional
poll_time_secMaximum time to wait for the result to be available. e.g. poll_time_sec=45.Optional

Context Output#

PathTypeDescription
VisionOne.Download_Information_For_Collected_Forensic_File.statusstringStatus of action performed (succeeded, running or failed).
VisionOne.Download_Information_For_Collected_Forensic_File.created_date_timestringThe create date time for the file.
VisionOne.Download_Information_For_Collected_Forensic_File.idstringTask ID used to query for forensic file information.
VisionOne.Download_Information_For_Collected_Forensic_File.last_action_date_timestringTime and date of last action on file.
VisionOne.Download_Information_For_Collected_Forensic_File.descriptionstringTask description.
VisionOne.Download_Information_For_Collected_Forensic_File.actionstringAction performed on file.
VisionOne.Download_Information_For_Collected_Forensic_File.accountstringThe account associated with the request.
VisionOne.Download_Information_For_Collected_Forensic_File.agent_guidstringAgentGuid of the endpoint used to collect file.
VisionOne.Download_Information_For_Collected_Forensic_File.endpoint_namestringhostname of the endpoint used to collect file.
VisionOne.Download_Information_For_Collected_Forensic_File.file_pathstringFile path for the file that was collected.
VisionOne.Download_Information_For_Collected_Forensic_File.file_sha1stringThe fileSha1 for the collected file.
VisionOne.Download_Information_For_Collected_Forensic_File.file_sha256stringThe fileSha256 for the collected file.
VisionOne.Download_Information_For_Collected_Forensic_File.file_sizenumberThe file size of the file collected.
VisionOne.Download_Information_For_Collected_Forensic_File.resource_locationstringURL location of the file collected that can be used to download.
VisionOne.Download_Information_For_Collected_Forensic_File.expired_date_timestringThe expiration date and time of the file.
VisionOne.Download_Information_For_Collected_Forensic_File.passwordstringThe password for the file collected.
VisionOne.Download_Information_For_Collected_Forensic_File.errorstringError response generated for the request.

trendmicro-visionone-download-investigation-package#


Downloads the investigation package based on submission ID.

Base Command#

trendmicro-visionone-download-investigation-package

Input#

Argument NameDescriptionRequired
submission_idThe submission ID for the object submitted to sandbox for analysis. e.g. submission_id="012e4eac-9bd9-4e89-95db-77e02f75a611".Required
pollIf script should wait until the task is finished before returning the result, enabled by default. e.g. poll=true. Possible values are: true, false.Optional
poll_time_secMaximum time to wait for the result to be available. e.g. poll_time_sec=45.Optional

Context Output#

PathTypeDescription
VisionOne.Download_Investigation_Package.submission_idstringThe submission for the file.
VisionOne.Download_Investigation_Package.result_codenumberResult code of making a request to download investigation package.
VisionOne.Download_Investigation_Package.messagenumberMessage notifying user that investigation package is ready for download.

trendmicro-visionone-download-suspicious-object-list#


Downloads the suspicious object list associated to the specified object. Note ~ Suspicious Object Lists are only available for objects with a high risk level.

Base Command#

trendmicro-visionone-download-suspicious-object-list

Input#

Argument NameDescriptionRequired
submission_idThe submission ID for the object submitted to sandbox for analysis. e.g. submission_id="012e4eac-9bd9-4e89-95db-77e02f75a611".Required
pollIf script should wait until the task is finished before returning the result, enabled by default. e.g. poll=true. Possible values are: true, false.Optional
poll_time_secMaximum time to wait for the result to be available. e.g. poll_time_sec=45.Optional

Context Output#

PathTypeDescription
VisionOne.Download_Suspicious_Object_list.typestringThe type of suspicious object.
VisionOne.Download_Suspicious_Object_list.valuestringValue of the suspicious object.
VisionOne.Download_Suspicious_Object_list.risk_levelstringRisk level of the analyzed object.
VisionOne.Download_Suspicious_Object_list.root_sha1stringstatus code for the command.
VisionOne.Download_Suspicious_Object_list.analysis_completion_date_timestringThe analysis completion date and time.
VisionOne.Download_Suspicious_Object_list.expired_date_timestringThe expiration date and time for the suspicious object.

trendmicro-visionone-download-analysis-report#


Downloads the analysis report for an object submitted to sandbox for analysis based on the submission ID.

Base Command#

trendmicro-visionone-download-analysis-report

Input#

Argument NameDescriptionRequired
submission_idThe submission ID for the object submitted to sandbox for analysis. e.g. submission_id="012e4eac-9bd9-4e89-95db-77e02f75a611".Required
pollIf script should wait until the task is finished before returning the result, enabled by default. e.g. poll=true. Possible values are: true, false.Optional
poll_time_secMaximum time to wait for the result to be available. e.g. poll_time_sec=45.Optional

Context Output#

PathTypeDescription
VisionOne.Download_Analysis_Report.submission_idstringThe submission ID for the sandbox object.
VisionOne.Download_Analysis_Report.result_codestringResult code of making a request to download analysis report.
VisionOne.Download_Analysis_Report.messagestringMessage notifying user that analysis report is ready for download.

trendmicro-visionone-submit-file-to-sandbox#


Submits a file to the sandbox for analysis (Note. For more information about the supported file types, see the Trend Micro Vision One Online Help. Submissions require credits. Does not require credits in regions where Sandbox Analysis has not been officially released.)

Base Command#

trendmicro-visionone-submit-file-to-sandbox

Input#

Argument NameDescriptionRequired
file_urlURL pointing to the location of the file to be submitted. e.g. file_url="https://someurl.com/test.txt".Required
file_nameName of the file (including extension) to be analyzed. e.g. file_name="some-file.txt".Required
document_passwordThe Base64 encoded password for decrypting the submitted document sample. e.g. document_password="dGVzdA==".Optional
archive_passwordThe Base64 encoded password for decrypting the submitted archive. e.g. archive_password="dGVzdA==".Optional
argumentsParameter that allows you to specify Base64-encoded command line arguments to run the submitted file. e.g. arguments="LS10ZXN0IA==".Optional

Context Output#

PathTypeDescription
VisionOne.Submit_File_to_Sandbox.messagestringResult code of submitting file to sandbox for analysis.
VisionOne.Submit_File_to_Sandbox.codestringHTTP status code of the request made to submit file to sandbox.
VisionOne.Submit_File_to_Sandbox.task_idstringID generated for submitting file to sandbox for analysis.
VisionOne.Submit_File_to_Sandbox.digeststringThe hash value of the file.
VisionOne.Submit_File_to_Sandbox.argumentsstringCommand line arguments to run the submitted file.

trendmicro-visionone-submit-file-entry-to-sandbox#


Submits a file to the sandbox for analysis (Note. For more information about the supported file types, see the Trend Micro Vision One Online Help. Submissions require credits. Does not require credits in regions where Sandbox Analysis has not been officially released.)

Base Command#

trendmicro-visionone-submit-file-entry-to-sandbox

Input#

Argument NameDescriptionRequired
entry_idEntry ID of the file to be submitted. e.g. entry_id="104@49493d71".Required
document_passwordThe Base64 encoded password for decrypting the submitted document sample. e.g. document_password="dGVzdA==".Optional
archive_passwordThe Base64 encoded password for decrypting the submitted archive. e.g. archive_password="dGVzdA==".Optional
argumentsParameter that allows you to specify Base64-encoded command line arguments to run the submitted file. e.g. arguments="LS10ZXN0IA==".Optional

Context Output#

PathTypeDescription
VisionOne.Submit_File_Entry_to_Sandbox.messagestringResult code of submitting file entry to sandbox for analysis.
VisionOne.Submit_File_Entry_to_Sandbox.codestringHTTP status code of the request made to submit file entry to sandbox.
VisionOne.Submit_File_Entry_to_Sandbox.task_idstringID of the submitted file.
VisionOne.Submit_File_Entry_to_Sandbox.digeststringThe hash value of the file.
VisionOne.Submit_File_Entry_to_Sandbox.filenamestringThe name of the file submitted.
VisionOne.Submit_File_Entry_to_Sandbox.file_pathstringThe path to the file associated to incident.
VisionOne.Submit_File_Entry_to_Sandbox.entry_idstringThe Entry ID for the file.
VisionOne.Submit_File_Entry_to_Sandbox.argumentsstringCommand line arguments to run the submitted file.

trendmicro-visionone-submit-urls-to-sandbox#


Sends URL(s) to sandbox for analysis.

Base Command#

trendmicro-visionone-submit-urls-to-sandbox

Input#

Argument NameDescriptionRequired
urlsList of URLs to be sent for analysis. e.g. urls="https://test.com,https://dummydomain.com".Required

Context Output#

PathTypeDescription
VisionOne.Submit_Urls_to_Sandbox.idstringID generated for the URL sent to sandbox for analysis.
VisionOne.Submit_Urls_to_Sandbox.urlstringURL sent to sandbox for analysis.
VisionOne.Submit_Urls_to_Sandbox.digeststringDigest value generated for the URL sent to sandbox for analysis.
VisionOne.Submit_Urls_to_Sandbox.statusstringHTTPS status code of making the request.
VisionOne.Submit_Urls_to_Sandbox.task_idstringTask ID generated for the URL sent to sandbox for analysis.

trendmicro-visionone-get-alert-details#


Fetches details for a specific alert.

Base Command#

trendmicro-visionone-get-alert-details

Input#

Argument NameDescriptionRequired
workbench_idWorkbench ID for the alert to query. e.g. workbench_id="WB-14-20190709-00003".Required

Context Output#

PathTypeDescription
VisionOne.Alert_Details.etagstringThe ETag of the resource you want to update.
VisionOne.Alert_Details.alert.idstringID of the workbench alert.
VisionOne.Alert_Details.alert.modelstringName of the detection model that triggered the alert.
VisionOne.Alert_Details.alert.scorenumberOverall severity assigned to the alert based on the severity of the matched detection model and the impact scope.
VisionOne.Alert_Details.alert.severitystringWorkbench alert severity.
VisionOne.Alert_Details.alert.indicatorsstringThe indicators refer to those objects which are found by RCA or sweeping.
VisionOne.Alert_Details.alert.descriptionstringDescription of the detection model that triggered the alert.
VisionOne.Alert_Details.alert.impact_scopestringAffected entities information.
VisionOne.Alert_Details.alert.matched_rulesstringThe rules are triggered.
VisionOne.Alert_Details.alert.alert_providerstringAlert provider.
VisionOne.Alert_Details.alert.schema_versionstringThe version of the JSON schema, not the version of alert trigger content.
VisionOne.Alert_Details.alert.workbench_linkstringWorkbench URL.
VisionOne.Alert_Details.alert.created_date_timestringDatetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC) that indicates the created date time of the alert.
VisionOne.Alert_Details.alert.updated_date_timestringDatetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC) that indicates the last updated date time of the alert.
VisionOne.Alert_Details.alert.investigation_statusstringWorkbench alert status.
VisionOne.Alert_Details.alert.first_investigated_date_timestringThe date and time the case status was changed to 'In progress' in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ, UTC).
VisionOne.Alert_Details.alert.incident_idstringThe unique identifier of an incident.
VisionOne.Alert_Details.alert.case_idstringThe unique identifier of a case.
VisionOne.Alert_Details.alert.owner_idsstringThe owners of the Workbench alert.
VisionOne.Alert_Details.alert.model_idstringID of the detection model that triggered the alert.
VisionOne.Alert_Details.alert.model_typestringType of the detection model that triggered the alert.
VisionOne.Alert_Details.alert.statusstringThe status of a case or investigation.
VisionOne.Alert_Details.alert.investigation_resultstringThe findings of a case or investigation.

trendmicro-visionone-run-sandbox-submission-polling#


Runs a polling command to retrieve the status of a sandbox analysis submission.

Base Command#

trendmicro-visionone-run-sandbox-submission-polling

Input#

Argument NameDescriptionRequired
pollingpolling the task for 30 seconds interval. e.g. polling=true. Default is true.Optional
task_idtask_id from the trendmicro-visionone-submit-file-to-sandbox or trendmicro-visionone-submit-file-entry-to-sandbox command output. e.g. task_id="012e4eac-9bd9-4e89-95db-77e02f75a611".Required

Context Output#

PathTypeDescription
VisionOne.Sandbox_Submission_Polling.messagestringStatus of the sandbox analysis.
VisionOne.Sandbox_Submission_Polling.status_codestringStatus code of the request.
VisionOne.Sandbox_Submission_Polling.statusstringStatus of action to analyze file in sandbox.
VisionOne.Sandbox_Submission_Polling.report_idstringReport ID of the submission queried.
VisionOne.Sandbox_Submission_Polling.digeststringThe hash values of file analyzed.
VisionOne.Sandbox_Submission_Polling.analysis_completion_timestringSample analysis completed time.
VisionOne.Sandbox_Submission_Polling.risk_levelstringRisk Level of the analyzed file.
VisionOne.Sandbox_Submission_Polling.detection_name_liststringDetection name of this sample, if applicable.
VisionOne.Sandbox_Submission_Polling.threat_type_liststringThreat type of this sample.
VisionOne.Sandbox_Submission_Polling.file_typestringFile type of this sample.
VisionOne.Sandbox_Submission_Polling.typestringObject type.
VisionOne.Sandbox_Submission_Polling.messagestringError message for failed call.
VisionOne.Sandbox_Submission_Polling.codestringError code for failed call.
VisionOne.Sandbox_Submission_Polling.DBotScore.ScorenumberThe DBot score.
VisionOne.Sandbox_Submission_Polling.DBotScore.VendorstringThe Vendor name.
VisionOne.Sandbox_Submission_Polling.DBotScore.ReliabilitystringThe reliability of an intelligence-data source.

trendmicro-visionone-check-task-status#


Command gives the status of the running task based on the task id.

Base Command#

trendmicro-visionone-check-task-status

Input#

Argument NameDescriptionRequired
pollingpolling the task for 30 seconds interval. e.g. polling=true. Default is true.Optional
task_idTask id of the task you would like to check. e.g. task_id="00000012".Required

Context Output#

PathTypeDescription
VisionOne.Task_Status.idstringTask ID of the task queried.
VisionOne.Task_Status.statusstringStatus of the task.
VisionOne.Task_Status.created_date_timestringTimestamp in ISO 8601 format.
VisionOne.Task_Status.last_action_date_timestringTimestamp in ISO 8601 format.
VisionOne.Task_Status.actionstringAction performed.
VisionOne.Task_Status.descriptionstringDescription of the task.
VisionOne.Task_Status.accountstringAccount that performed the task.
VisionOne.Task_Status.typestringValue type.
VisionOne.Task_Status.valuestringValue that was submitted.
VisionOne.Task_Status.tasksstringTask related information.
VisionOne.Task_Status.agent_guidstringAgent guid of the endpoint.
VisionOne.Task_Status.endpoint_namestringEndpoint name.

trendmicro-visionone-add-note#


Attaches a note to a workbench alert.

Base Command#

trendmicro-visionone-add-note

Input#

Argument NameDescriptionRequired
workbench_idID of the workbench you would like to attach the note to. e.g. workbench_id="WB-14-20190709-00003".Required
contentContents of the note to be attached. e.g. content="Some details for the workbench alert.".Required

Context Output#

PathTypeDescription
VisionOne.Add_Note.codestringHTTPS status code of making the request.
VisionOne.Add_Note.messagestringMessage notifying the user of note added to workbench.
VisionOne.Add_Note.note_idstringID of the note added to workbench.

trendmicro-visionone-update-status#


Updates the status of a workbench alert.

Base Command#

trendmicro-visionone-update-status

Input#

Argument NameDescriptionRequired
workbench_idID of the workbench you would like to update the status for. e.g. workbench_id="WB-14-20190709-00003".Required
if_matchTarget resource will be updated only if it matches ETag of the target one. Etag is one of the outputs from get_alert_details. e.g. if_match="d41d8cd98f00b204e9800998ecf8427e".Required
statusStatus to assign to the workbench alert. e.g. status="true_positive". Possible values are: open, in_progress, closed.Required
inv_statusThe status of an investigation. NOTE: THIS FIELD IS DEPRECATED! e.g. inv_status="true_positive". Possible values are: new, in_progress, true_positive, false_positive, benign_true_positive, closed.Optional
inv_resultThe findings of a case or investigation. e.g. status="noteworthy". Possible values are: noteworthy, in_progress, true_positive, false_positive, benign_true_positive, other_findings, no_findings.Optional

Context Output#

PathTypeDescription
VisionOne.Update_Status.Workbench_IdstringThe ID of the workbench that had the status updated.
VisionOne.Update_Status.codestringHTTP status code of updating workbench alert status.
VisionOne.Update_Status.messagestringMessage notifying user that the alert status has been updated to user defined status.

trendmicro-visionone-run-custom-script#


Runs a custom script on the specified endpoint or agentGuid.

Base Command#

trendmicro-visionone-run-custom-script

Input#

Argument NameDescriptionRequired
block_objectsList of object(s) made up of filename, endpoint or agent_guid and optional description and optional parameter. e.g. [{"filename":"test.ps1","endpoint":"test-endpoint1","description":"Run custom script","parameter":"some-string"}].Required

Context Output#

PathTypeDescription
VisionOne.Run_Custom_Script.statusnumberStatus of running custom script.
VisionOne.Run_Custom_Script.task_idstringTask ID generated after running custom script.

trendmicro-visionone-get-custom-script-list#


Fetches a list of all available custom scripts in V1 XDR Portal.

Base Command#

trendmicro-visionone-get-custom-script-list

Input#

Argument NameDescriptionRequired
filenameName of the custom script. e.g. filename="hello.sh".Optional
filetypeType of script, either bash or powershell. e.g. filetype="bash".Optional
query_opConditional operator used to build request that allows user to retrieve a subset of custom scripts. Possible values: and/or. Ex. or: the results retrieved will contain custom script(s) matching FileName OR FileType. and: the result retrieved will contain custom script matching FileName AND FileType. Defaults to and.Optional

Context Output#

PathTypeDescription
VisionOne.Get_Custom_Script_List.idstringThe id for custom script.
VisionOne.Get_Custom_Script_List.descriptionstringThe script description.
VisionOne.Get_Custom_Script_List.filenamestringName of the script.
VisionOne.Get_Custom_Script_List.filetypestringFile type for the script.

trendmicro-visionone-add-custom-script#


Adds a custom script to V1 portal in Response management under custom scripts.

Base Command#

trendmicro-visionone-add-custom-script

Input#

Argument NameDescriptionRequired
filenameName of the custom script. e.g. filename="hello.sh".Required
filetypeFile type of custom script. e.g. filetype="bash".Required
script_contentsThe contents of custom script to be added. script_contents="#!/bin/sh echo 'Custom script to do something'".Required
descriptionDescription of the custom script. e.g. description="This script does something.".Optional

Context Output#

PathTypeDescription
VisionOne.Add_Custom_Script.idstringID generated for the added custom script.

trendmicro-visionone-download-custom-script#


Downloads the contents of a custom script based on script ID.

Base Command#

trendmicro-visionone-download-custom-script

Input#

Argument NameDescriptionRequired
script_idID for the custom script to download. e.g. script_id="44c99cb0-8c5f-4182-af55-62135dbe32f1".Required

Context Output#

PathTypeDescription
VisionOne.Download_Custom_Script.textstringContents of the custom script.

trendmicro-visionone-delete-custom-script#


Delete a custom script based on script ID.

Base Command#

trendmicro-visionone-delete-custom-script

Input#

Argument NameDescriptionRequired
script_idID of custom script to be deleted. e.g. script_id="44c99cb0-8c5f-4182-af55-62135dbe32f1".Required

Context Output#

PathTypeDescription
VisionOne.Delete_Custom_Script.statusstringSuccess or Failure status code.

trendmicro-visionone-update-custom-script#


Updates the contents of a custom script based on script ID.

Base Command#

trendmicro-visionone-update-custom-script

Input#

Argument NameDescriptionRequired
filenameName of the custom script. e.g. filename="hello.sh".Required
filetypeThe filetype of custom script. e.g. filetype="bash".Required
script_idID of custom script to be updated. e.g. script_id="44c99cb0-8c5f-4182-af55-62135dbe32f1".Required
script_contentsThe updated contents of custom script. e.g. script_contents="#!/bin/sh echo 'Hello World'".Required
descriptionDescription of the custom script. e.g. description="Updating script to print Hello World.".Optional

Context Output#

PathTypeDescription
VisionOne.Update_Custom_Script.statusstringThe Success or Error status.

trendmicro-visionone-get-observed-attack-techniques#


Displays a list of Observed Attack Techniques events that match the specified criteria.

Base Command#

trendmicro-visionone-get-observed-attack-techniques

Input#

Argument NameDescriptionRequired
fieldsFilter (A dictionary object with key/value used to create a query string) for retrieving a subset of the collected Observed Attack Techniques events e.g. {"endpointName":"sample-host","riskLevel":"low"}. Complete list of supported fields (https://automation.trendmicro.com/xdr/api-v3#tag/Observed-Attack-Techniques/paths/~1v3.0~1oat~1detections/get).Required
query_opConditional operator used to build request that allows user to retrieve a subset of the collected Observed Attack Techniques events. Possible values: and/or. Ex. or: the results retrieved will contain OAT events for endpoint(s) matching endpointName OR riskLevel. and: will contain OAT events data for endpoint matching endpointName AND riskLevel. Defaults to and. Possible values are: and, or.Optional
detected_startThe start of the event detection data retrieval time range in ISO 8601 format. Default: 1 hour before the time you make the request. e.g. detected_start="2023-10-01T08:00:00Z".Optional
detected_endThe end of the event detection data retrieval time range in ISO 8601 format. Default: The time you make the request. e.g. detected_end="2023-12-01T08:00:00Z".Optional
ingested_startThe beginning of the data ingestion time range in ISO 8601 format. e.g. ingested_start="2023-12-01T08:00:00Z".Optional
ingested_endThe end of the data ingestion time range in ISO 8601 format. e.g. ingested_end="2023-12-01T08:00:00Z".Optional
topNumber of records displayed on a page. e.g. top=5.Optional

Context Output#

PathTypeDescription
VisionOne.Get_Observed_Attack_Techniques.idstringUnique alphanumeric string that identifies an Observed Attack Techniques event.
VisionOne.Get_Observed_Attack_Techniques.sourcestringThe data sources associated with log types.
VisionOne.Get_Observed_Attack_Techniques.detailstringObject that contains detailed information about an Observed Attack Technique event. Object may vary depending on the products purchased by the customer and the products supported in their respective regions.
VisionOne.Get_Observed_Attack_Techniques.filtersstringList of filters and associated information.
VisionOne.Get_Observed_Attack_Techniques.endpointstringObject that contains information about an endpoint. This field is displayed only when the detection event is related to endpoints.
VisionOne.Get_Observed_Attack_Techniques.entity_namestringName associated with an entity.
VisionOne.Get_Observed_Attack_Techniques.entity_typestringEntity type associated with an event is determined by the products purchased by the customer and the products supported in their regions.
VisionOne.Get_Observed_Attack_Techniques.detected_date_timestringTimestamp in ISO 8601 format that indicates when an Observed Attack Techniques event was detected.
VisionOne.Get_Observed_Attack_Techniques.ingested_date_timestringTimestamp in ISO 8601 format that indicates when the pipeline ingested data related to an Observed Attack Techniques event. This field is displayed only when ingestedStartDateTime and ingestedEndDateTime are used to define the data retrieval time range.