
Trend Micro Vision One V3.

This integration is part of the Trend Micro Vision One Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Trend Micro Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. It provides deep and broad extended detection and response (XDR) capabilities that collect and automatically correlate data across multiple security layers (email, endpoints, servers, cloud workloads, and networks), and it prevents the majority of attacks with automated protection. The V3 version of the app includes everything the previous app had and adds more capabilities. It uses V3 of the Trend Micro APIs and adds 4 domain account actions: enabling a user account, disabling a user account, forcing sign-out, and forcing a password reset for compromised accounts. This app is in active development. In this release 3 actions have been added: one to fetch email activity data with its count, one to fetch endpoint activity data with its count, and one to restore a quarantined email message. This integration was integrated and tested with version 3 of the Trend Micro Vision One API.

Configure Trend Micro Vision One V3. on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Trend Micro Vision One V3..

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | API URL (e.g. https://api.xdr.trendmicro.com) | The base URL for the Trend Micro Vision One API | True |
    | API Key | The API token to access data | True |
    | Fetch incidents | | False |
    | Incidents Fetch Interval | | False |
    | Incident type | | False |
    | Sync On First Run (days) | | False |
    | Max Incidents | | False |
    | Use system proxy settings | | False |
    | Trust any certificate (not secure) | | False |
    | Source Reliability | Reliability of the source providing the intelligence data. | False |
    | Severity | Severity of the incident being fetched. | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

trendmicro-visionone-enable-user-account

Allows the user to sign in to new application and browser sessions. Supported IAM systems: Azure AD and Active Directory (on-premises).

Base Command

trendmicro-visionone-enable-user-account

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| account_identifiers | List of object(s) containing account_name and an optional description, e.g. [{"account_name":"some-account","description":"enable"}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.User_Account.status | number | Status of request to enable user account. |
| VisionOne.User_Account.task_id | string | Task ID generated after enabling user account. |

trendmicro-visionone-disable-user-account

Signs the user out of all active application and browser sessions, and prevents the user from signing in to any new session. Supported IAM systems: Azure AD and Active Directory (on-premises).

Base Command

trendmicro-visionone-disable-user-account

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| account_identifiers | List of object(s) containing account_name and an optional description, e.g. [{"account_name":"some-account","description":"disable"}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.User_Account.status | number | Status of request to disable user account. |
| VisionOne.User_Account.task_id | string | Task ID generated after disabling user account. |

trendmicro-visionone-force-signout

Signs the user out of all active application and browser sessions. Supported IAM systems: Azure AD.

Base Command

trendmicro-visionone-force-signout

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| account_identifiers | List of object(s) containing account_name and an optional description, e.g. [{"account_name":"some-account","description":"sign-out"}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Force_Sign_Out.status | number | Status of request to sign out user. |
| VisionOne.Force_Sign_Out.task_id | string | Task ID generated after signing out user. |

trendmicro-visionone-force-password-reset

Signs the user out of all active application and browser sessions, and forces the user to create a new password during the next sign-in attempt. Supported IAM systems: Azure AD and Active Directory (on-premises).

Base Command

trendmicro-visionone-force-password-reset

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| account_identifiers | List of object(s) containing account_name and an optional description, e.g. [{"account_name":"some-account","description":"reset"}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Force_Password_Reset.status | number | Status of request to reset user password. |
| VisionOne.Force_Password_Reset.task_id | string | Task ID generated after resetting user password. |

trendmicro-visionone-add-to-block-list

Adds a domain, ip, file_sha1, url or sender_mail_address to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections.

Base Command

trendmicro-visionone-add-to-block-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| block_objects | List of object(s) made up of object_type (domain, ip, file_sha1, url, sender_mail_address), object_value and an optional description, e.g. [{"object_type":"domain","object_value":"www.yahoo.com"}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.BlockList.status | number | Status of adding domain, ip, file_sha1, url or sender_mail_address to the User-Defined Suspicious Objects List. |
| VisionOne.BlockList.task_id | string | Task ID generated after adding domain, ip, file_sha1, url or sender_mail_address to the User-Defined Suspicious Objects List. |

trendmicro-visionone-remove-from-block-list

Removes a domain, ip, file_sha1, url or sender_mail_address from the User-Defined Suspicious Objects List.

Base Command

trendmicro-visionone-remove-from-block-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| block_objects | List of object(s) made up of object_type (domain, ip, file_sha1, url, sender_mail_address), object_value and an optional description, e.g. [{"object_type":"domain","object_value":"www.yahoo.com"}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.BlockList.status | number | Status of removing a domain, ip, file_sha1, url or sender_mail_address that was added to the User-Defined Suspicious Objects List from the block list. |
| VisionOne.BlockList.task_id | string | Task ID generated after removing domain, ip, file_sha1, url or sender_mail_address from the User-Defined Suspicious Objects List. |

trendmicro-visionone-quarantine-email-message

Moves a message from a mailbox to the quarantine folder.

Base Command

trendmicro-visionone-quarantine-email-message

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email_identifiers | List of object(s) containing message_id (<mailMsgId>), mailbox (mailbox ID) and description, or unique_id (msgUuid) and an optional description, taken from Trend Micro Vision One message activity data, e.g. [{"message_id":"xasbjAgs72912-asdjnaj","mailbox":"mailbox-name","description":"quarantine"}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Email.status | number | Status of moving a message from a mailbox to the quarantine folder. |
| VisionOne.Email.task_id | string | Task ID generated after moving a message from a mailbox to the quarantine folder. |

trendmicro-visionone-delete-email-message

Deletes a message from a mailbox.

Base Command

trendmicro-visionone-delete-email-message

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email_identifiers | List of object(s) containing message_id (<mailMsgId>), mailbox (mailbox ID) and description, or unique_id (msgUuid) and an optional description, taken from Trend Micro Vision One message activity data, e.g. [{"message_id":"xasbjAgs72912-asdjnaj","mailbox":"mailbox-name","description":"delete"}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Email.status | number | Status of deleting a message from a mailbox. |
| VisionOne.Email.task_id | string | Task ID generated after deleting a message from a mailbox. |

trendmicro-visionone-restore-email-message

Restores a quarantined message. Deleted messages cannot be restored.

Base Command

trendmicro-visionone-restore-email-message

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email_identifiers | List of object(s) containing message_id (<mailMsgId>), mailbox (mailbox ID) and description, or unique_id (msgUuid) and an optional description, taken from Trend Micro Vision One message activity data, e.g. [{"message_id":"xasbjAgs72912-asdjnaj","mailbox":"mailbox-name"}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Email.status | number | Status of restoring a message. |
| VisionOne.Email.task_id | string | Task ID generated after restoring a message. |

trendmicro-visionone-isolate-endpoint

Disconnects an endpoint from the network (but allows communication with the managing Trend Micro product).

Base Command

trendmicro-visionone-isolate-endpoint

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_identifiers | List of object(s) containing endpoint (hostname) and description, or agent_guid and description, e.g. [{"endpoint":"test-endpoint","description":"isolate endpoint"}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Endpoint_Connection.status | number | Status of isolating endpoint(s). |
| VisionOne.Endpoint_Connection.task_id | string | Task ID generated after isolating endpoint(s). |

trendmicro-visionone-restore-endpoint-connection

Restores network connectivity to an endpoint to which the "isolate endpoint" action was applied.

Base Command

trendmicro-visionone-restore-endpoint-connection

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_identifiers | List of object(s) containing endpoint (hostname) and description, or agent_guid and description, e.g. [{"endpoint":"test-endpoint","description":"restore endpoint"}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Endpoint_Connection.status | number | Status of restoring endpoint(s). |
| VisionOne.Endpoint_Connection.task_id | string | Task ID generated after restoring endpoint(s). |

trendmicro-visionone-add-objects-to-exception-list

Adds a domain, ip, url, file_sha1, file_sha256 or sender_mail_address to the Exception List and prevents these objects from being added to the Suspicious Object List.

Base Command

trendmicro-visionone-add-objects-to-exception-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| block_objects | List of object(s) consisting of object_type (domain, ip, url, file_sha1, file_sha256, sender_mail_address), object_value and description, e.g. [{"object_type":"ip","object_value":"5.5.5.5"}, {"object_type":"domain","object_value":"www.yahoo.com"}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Exception_List.message | string | Success or fail response message. |
| VisionOne.Exception_List.multi_response.status | number | Status of adding item(s) to exception list. |
| VisionOne.Exception_List.multi_response.task_id | string | Task ID generated after adding item(s) to exception list. |
| VisionOne.Exception_List.total_items | number | Count of total items present in exception list. |

trendmicro-visionone-delete-objects-from-exception-list

Deletes a domain, ip, url, file_sha1, file_sha256 or sender_mail_address from the Exception List.

Base Command

trendmicro-visionone-delete-objects-from-exception-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| block_objects | List of object(s) consisting of object_type (domain, ip, url, file_sha1, file_sha256, sender_mail_address), object_value and description, e.g. [{"object_type":"ip","object_value":"5.5.5.5","description":"exception list"}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Exception_List.message | string | Success or fail response message. |
| VisionOne.Exception_List.multi_response.status | number | Status code of the response. |
| VisionOne.Exception_List.multi_response.task_id | string | Task ID generated after removing item(s) from exception list. |
| VisionOne.Exception_List.total_items | number | Count of total items present in exception list. |

trendmicro-visionone-add-objects-to-suspicious-list

Adds a domain, ip, url, file_sha1, file_sha256 or sender_mail_address to the Suspicious Object List.

Base Command

trendmicro-visionone-add-objects-to-suspicious-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| block_objects | List of object(s) consisting of object_type (domain, ip, url, file_sha1, file_sha256, sender_mail_address), object_value, scan_action, risk_level, expiry_days and description, e.g. [{"object_type":"ip","object_value":"5.5.5.5","scan_action":"block","risk_level":"medium","expiry_days":7}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Suspicious_List.message | string | Success or fail response message. |
| VisionOne.Suspicious_List.multi_response.status | number | Status of request to add item(s) to suspicious list. |
| VisionOne.Suspicious_List.multi_response.task_id | string | Task ID generated after adding item(s) to suspicious list. |
| VisionOne.Suspicious_List.total_items | number | Count of total items present in suspicious object list. |

trendmicro-visionone-delete-objects-from-suspicious-list

Deletes a domain, ip, url, file_sha1, file_sha256 or sender_mail_address from the Suspicious Object List.

Base Command

trendmicro-visionone-delete-objects-from-suspicious-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| block_objects | List of object(s) consisting of object_type (domain, ip, url, file_sha1, file_sha256, sender_mail_address) and object_value, e.g. [{"object_type":"ip","object_value":"5.5.5.5"}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Suspicious_List.message | string | Success or fail response message. |
| VisionOne.Suspicious_List.multi_response.status | number | Status of request to remove item(s) from suspicious object list. |
| VisionOne.Suspicious_List.multi_response.task_id | string | Task ID generated after removing item(s) from suspicious object list. |
| VisionOne.Suspicious_List.total_items | number | Count of total items present in suspicious object list. |
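The block-list, exception-list and suspicious-list commands above all take a block_objects list whose object_value must actually be of the declared object_type; a mistyped hash or an IP in a domain entry is accepted as a string by a playbook but will either be rejected by the API or, worse, never match the indicator it was meant to block. The following is an added example, not the integration's own code, of checking such a list before it is submitted. It assumes the allowed scan_action values are "block" and "log" and the risk_level values are "high", "medium" and "low"; the regular expressions are the author's own.

```python
import ipaddress
import json
import re
from urllib.parse import urlparse

# Object types accepted by the block-list commands on this page, and the larger
# set accepted by the exception-list and suspicious-list commands.
BLOCK_LIST_TYPES = {"domain", "ip", "file_sha1", "url", "sender_mail_address"}
EXCEPTION_AND_SUSPICIOUS_TYPES = BLOCK_LIST_TYPES | {"file_sha256"}

# Assumed value sets for the suspicious-list-only fields (see lead-in).
SCAN_ACTIONS = {"block", "log"}
RISK_LEVELS = {"high", "medium", "low"}

_SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
_SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
_DOMAIN_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_block_objects(raw):
    """Parse the JSON-encoded block_objects argument as it arrives from a
    playbook; returns None when it is not a JSON list (malformed JSON included)."""
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return None
    return parsed if isinstance(parsed, list) else None


def _value_matches_type(object_type: str, value: str) -> bool:
    """True when value is syntactically a valid instance of object_type."""
    if object_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if object_type == "file_sha1":
        return bool(_SHA1_RE.match(value))
    if object_type == "file_sha256":
        return bool(_SHA256_RE.match(value))
    if object_type == "domain":
        return bool(_DOMAIN_RE.match(value))
    if object_type == "url":
        parsed = urlparse(value)
        return parsed.scheme in ("http", "https") and bool(parsed.netloc)
    if object_type == "sender_mail_address":
        return bool(_EMAIL_RE.match(value))
    return False


def validate_objects(objects, list_kind: str) -> list:
    """Validate a block_objects list for one of the three list families:
    list_kind is "block", "exception" or "suspicious". Returns a list of error
    strings; an empty list means every entry is well formed. Entries are
    indexed so the offending element can be found in a long list."""
    allowed = BLOCK_LIST_TYPES if list_kind == "block" else EXCEPTION_AND_SUSPICIOUS_TYPES
    if not isinstance(objects, list) or not objects:
        return ["block_objects must be a non-empty list of objects"]
    errors = []
    for idx, obj in enumerate(objects):
        if not isinstance(obj, dict):
            errors.append(f"[{idx}] entry is not an object")
            continue
        otype = obj.get("object_type")
        value = obj.get("object_value")
        if otype not in allowed:
            errors.append(f"[{idx}] object_type {otype!r} is not allowed for the {list_kind} list")
            continue
        if not isinstance(value, str) or not _value_matches_type(otype, value):
            errors.append(f"[{idx}] object_value {value!r} is not a valid {otype}")
        if list_kind == "suspicious":
            # These three fields only exist on the add-objects-to-suspicious-list command.
            if obj.get("scan_action") not in SCAN_ACTIONS:
                errors.append(f"[{idx}] scan_action must be one of {sorted(SCAN_ACTIONS)}")
            if obj.get("risk_level") not in RISK_LEVELS:
                errors.append(f"[{idx}] risk_level must be one of {sorted(RISK_LEVELS)}")
            days = obj.get("expiry_days")
            if not (isinstance(days, int) and not isinstance(days, bool) and days > 0):
                errors.append(f"[{idx}] expiry_days must be a positive integer")
    return errors


if __name__ == "__main__":
    # Constructed sample input reusing the page's own example values.
    sample = parse_block_objects('[{"object_type":"ip","object_value":"5.5.5.5",'
                                 '"scan_action":"block","risk_level":"medium","expiry_days":7}]')
    print(validate_objects(sample, "suspicious"))
```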

trendmicro-visionone-get-endpoint-info

Retrieves information about a specific endpoint.

Base Command

trendmicro-visionone-get-endpoint-info

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint | Comma-separated string containing the hostname, IP, macAddress or agentGuid of the endpoint(s) to query. | Required |
| query_op | Operator used to build the request header query that allows you to retrieve a subset of the collected endpoint(s), e.g. endpointName eq sample-host or macAddress eq 00:11:22:33:44:55. Possible values are: and, or. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Endpoint_Info.agent_guid | string | Agent GUID of the endpoint. |
| VisionOne.Endpoint_Info.login_account.value | string | Account currently logged on to the endpoint. |
| VisionOne.Endpoint_Info.endpoint_name.value | string | Hostname of the endpoint queried. |
| VisionOne.Endpoint_Info.mac_address.value | string | MAC address of the endpoint queried. |
| VisionOne.Endpoint_Info.ip.value | string | IP address of the endpoint queried. |
| VisionOne.Endpoint_Info.os_name | string | Operating system name of the endpoint queried. |
| VisionOne.Endpoint_Info.os_version | string | Operating system version of the endpoint queried. |
| VisionOne.Endpoint_Info.os_description | string | Description of the operating system of the endpoint queried. |
| VisionOne.Endpoint_Info.product_code | string | Product code of the Trend Micro product running on the endpoint. |
| VisionOne.Endpoint_Info.installed_product_codes | string | Product code of the Trend Micro product installed on the endpoint. |

trendmicro-visionone-get-endpoint-activity-data

Displays search results from the Endpoint Activity Data source that match the parameters provided.

Base Command

trendmicro-visionone-get-endpoint-activity-data

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| fields | Statement that allows you to retrieve a subset of the collected endpoint activity data, e.g. {"endpointName":"sample-host","macAddress":"00:11:22:33:44:55"}. Complete list of supported fields: https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1endpointActivities/get | Required |
| query_op | Operator used to build the request header query that allows you to retrieve a subset of the collected endpoint activity data, e.g. endpointName:sample-host or src:192.169.1.1. Possible values are: and, or. | Optional |
| start | Timestamp in ISO 8601 format that indicates the start of the data retrieval range. If no value is specified, start defaults to 24 hours before the request is made. | Optional |
| end | Timestamp in ISO 8601 format that indicates the end of the data retrieval time range. If no value is specified, end defaults to the time the request is made. | Optional |
| top | Number of records displayed on a page. | Optional |
| select | List of fields to include in the search results. If no fields are specified, the query returns all supported fields. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Endpoint_Activity_Data.dpt | string | Destination port. |
| VisionOne.Endpoint_Activity_Data.dst | string | Destination IP address. |
| VisionOne.Endpoint_Activity_Data.endpoint_guid | string | Endpoint GUID used for identity. |
| VisionOne.Endpoint_Activity_Data.endpoint_host_name | string | Hostname of the endpoint on which the event was generated. |
| VisionOne.Endpoint_Activity_Data.endpoint_ip | string | Endpoint IP address list. |
| VisionOne.Endpoint_Activity_Data.event_id | string | ID corresponding to data field mapping. |
| VisionOne.Endpoint_Activity_Data.event_sub_id | string | ID corresponding to data field mapping. |
| VisionOne.Endpoint_Activity_Data.object_integrity_level | string | ID corresponding to data field mapping. |
| VisionOne.Endpoint_Activity_Data.object_true_type | string | ID corresponding to data field mapping. |
| VisionOne.Endpoint_Activity_Data.object_sub_true_type | string | ID corresponding to data field mapping. |
| VisionOne.Endpoint_Activity_Data.win_event_id | string | ID corresponding to data field mapping. |
| VisionOne.Endpoint_Activity_Data.event_time | string | Log collection time in UTC format. |
| VisionOne.Endpoint_Activity_Data.event_time_d_t | string | Log collection time. |
| VisionOne.Endpoint_Activity_Data.host_name | string | Hostname of the endpoint on which the event was generated. |
| VisionOne.Endpoint_Activity_Data.logon_user | string | Logon user name. |
| VisionOne.Endpoint_Activity_Data.object_cmd | string | Command line entry of the target process. |
| VisionOne.Endpoint_Activity_Data.object_file_hash_sha1 | string | The SHA1 hash of the target process image or target file. |
| VisionOne.Endpoint_Activity_Data.object_file_path | string | File path location of the target process image or target file. |
| VisionOne.Endpoint_Activity_Data.object_host_name | string | Server name where the Internet event was detected. |
| VisionOne.Endpoint_Activity_Data.object_ip | string | IP address of the Internet event. |
| VisionOne.Endpoint_Activity_Data.object_ips | string | IP address list of the Internet event. |
| VisionOne.Endpoint_Activity_Data.object_port | string | The port number used by the Internet event. |
| VisionOne.Endpoint_Activity_Data.object_registry_data | string | The registry value data. |
| VisionOne.Endpoint_Activity_Data.object_registry_key_handle | string | The registry key. |
| VisionOne.Endpoint_Activity_Data.object_registry_value | string | Registry value name. |
| VisionOne.Endpoint_Activity_Data.object_signer | string | Certificate signer of the object process or file. |
| VisionOne.Endpoint_Activity_Data.object_signer_valid | string | Validity of the certificate signer. |
| VisionOne.Endpoint_Activity_Data.object_user | string | The owner name of the target process / the logon user name. |
| VisionOne.Endpoint_Activity_Data.os | string | Operating system of the endpoint. |
| VisionOne.Endpoint_Activity_Data.parent_cmd | string | The command line of the parent process. |
| VisionOne.Endpoint_Activity_Data.parent_file_hash_sha1 | string | The SHA1 hash of the parent process. |
| VisionOne.Endpoint_Activity_Data.parent_file_path | string | The file path location of the parent process. |
| VisionOne.Endpoint_Activity_Data.process_cmd | string | The command line used to launch this process. |
| VisionOne.Endpoint_Activity_Data.process_file_hash_sha1 | string | The SHA1 hash of the process file. |
| VisionOne.Endpoint_Activity_Data.process_file_path | string | The process file path. |
| VisionOne.Endpoint_Activity_Data.request | string | Request URL (normally detected by Web Reputation Services). |
| VisionOne.Endpoint_Activity_Data.search_d_l | string | Search data lake. |
| VisionOne.Endpoint_Activity_Data.spt | string | Source port. |
| VisionOne.Endpoint_Activity_Data.src | string | Source IP address. |
| VisionOne.Endpoint_Activity_Data.src_file_hash_sha1 | string | The SHA1 hash of the source file. |
| VisionOne.Endpoint_Activity_Data.src_file_path | string | Source file path. |
| VisionOne.Endpoint_Activity_Data.tags | string | Detected by Security Analytics Engine filters. |
| VisionOne.Endpoint_Activity_Data.uuid | string | Log unique identity. |

trendmicro-visionone-get-endpoint-activity-data-count

Displays the total count of search results from the Endpoint Activity Data source that match the parameters provided.

Base Command

trendmicro-visionone-get-endpoint-activity-data-count

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| fields | Statement that allows you to retrieve a subset of the collected endpoint activity data, e.g. {"endpointName":"sample-host","macAddress":"00:11:22:33:44:55"}. Complete list of supported fields: https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1endpointActivities/get | Required |
| query_op | Operator used to build the request header query that allows you to retrieve a subset of the collected endpoint activity data, e.g. endpointName:sample-host or src:192.169.1.1. Possible values are: and, or. | Optional |
| start | Timestamp in ISO 8601 format that indicates the start of the data retrieval range. If no value is specified, start defaults to 24 hours before the request is made. | Optional |
| end | Timestamp in ISO 8601 format that indicates the end of the data retrieval time range. If no value is specified, end defaults to the time the request is made. | Optional |
| select | List of fields to include in the search results. If no fields are specified, the query returns all supported fields. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Endpoint_Activity_Data_Count.endpoint_activity_count | string | Total count for the endpoint activity queried. |

trendmicro-visionone-get-email-activity-data

Displays search results from the Email Activity Data source that match the parameters provided.

Base Command

trendmicro-visionone-get-email-activity-data

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| fields | Statement that allows you to retrieve a subset of the collected email activity data, e.g. {"mailMsgSubject":"spam","mailSenderIp":"192.169.1.1"}. Complete list of supported fields: https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1emailActivities/get | Required |
| query_op | Operator used to build the request header query that allows you to retrieve a subset of the collected email activity data, e.g. mailMsgSubject:spam and mailSenderIp:192.169.1.1. Possible values are: and, or. | Optional |
| start | Timestamp in ISO 8601 format that indicates the start of the data retrieval range. If no value is specified, start defaults to 24 hours before the request is made. | Optional |
| end | Timestamp in ISO 8601 format that indicates the end of the data retrieval time range. If no value is specified, end defaults to the time the request is made. | Optional |
| top | Number of records displayed on a page. | Optional |
| select | List of fields to include in the search results. If no fields are specified, the query returns all supported fields. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Email_Activity_Data.mail_msg_subject | string | Subject of the email message. |
| VisionOne.Email_Activity_Data.mail_msg_id | string | Internet message ID of the email message. |
| VisionOne.Email_Activity_Data.msg_uuid | string | Unique ID of the email message. |
| VisionOne.Email_Activity_Data.mailbox | string | Mailbox where the email message is. |
| VisionOne.Email_Activity_Data.mail_sender_ip | string | Source IP address of the email message. |
| VisionOne.Email_Activity_Data.mail_from_addresses | string | Sender email address of the email message. |
| VisionOne.Email_Activity_Data.mail_whole_header | string | Information about the header of the email message. |
| VisionOne.Email_Activity_Data.mail_to_addresses | string | A list of recipient email addresses of the email message. |
| VisionOne.Email_Activity_Data.mail_source_domain | string | Source domain of the email message. |
| VisionOne.Email_Activity_Data.search_d_l | string | Search data lake. |
| VisionOne.Email_Activity_Data.scan_type | string | Email activity scan type. |
| VisionOne.Email_Activity_Data.event_time | string | Date and time in UTC. |
| VisionOne.Email_Activity_Data.org_id | string | Unique ID used to identify an organization. |
| VisionOne.Email_Activity_Data.mail_urls_visible_link | string | Visible link in the email message. |
| VisionOne.Email_Activity_Data.mail_urls_real_link | string | Real link in the email message. |

trendmicro-visionone-get-email-activity-data-count

Displays the total count of search results from the Email Activity Data source that match the parameters provided.

Base Command

trendmicro-visionone-get-email-activity-data-count

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| fields | Statement that allows you to retrieve a subset of the collected email activity data, e.g. {"mailMsgSubject":"spam","mailSenderIp":"192.169.1.1"}. Complete list of supported fields: https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1emailActivities/get | Required |
| query_op | Operator used to build the request header query that allows you to retrieve a subset of the collected email activity data, e.g. mailMsgSubject:spam and mailSenderIp:192.169.1.1. Possible values are: and, or. | Optional |
| start | Timestamp in ISO 8601 format that indicates the start of the data retrieval range. If no value is specified, start defaults to 24 hours before the request is made. | Optional |
| end | Timestamp in ISO 8601 format that indicates the end of the data retrieval time range. If no value is specified, end defaults to the time the request is made. | Optional |
| select | List of fields to include in the search results. If no fields are specified, the query returns all supported fields. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Email_Activity_Data_Count.email_activity_count | string | Total count of email activity. |
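The four activity-data search commands above (endpoint and email, results and count) take the same fields, query_op, start, end, top and select arguments, and the Input tables describe how they combine: field:value terms joined by the operator, a time range that defaults to the last 24 hours, and an optional field selection. The following is an added example, not the integration's own code, that turns those arguments into one request description and applies the documented defaults. It assumes the v3 search endpoints take the query in a TMV1-Query header and the time range, page size and projection as startDateTime, endDateTime, top and select parameters; double-quoting values that contain whitespace is also an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

QUERY_OPS = {"and", "or"}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _parse_iso8601(value: str) -> datetime:
    """Parse an ISO 8601 timestamp into an aware UTC datetime.
    A trailing 'Z' is accepted as UTC; a naive timestamp is treated as UTC."""
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def build_query(fields, query_op: str = "and") -> str:
    """Join the fields object into the page's query form, e.g.
    {"endpointName":"sample-host","src":"192.169.1.1"} with "or" becomes
    'endpointName:sample-host or src:192.169.1.1'.
    fields may be a dict or the JSON string a playbook passes in."""
    if isinstance(fields, str):
        fields = json.loads(fields)
    if not isinstance(fields, dict) or not fields:
        raise ValueError("fields must be a non-empty JSON object")
    if query_op not in QUERY_OPS:
        raise ValueError(f"query_op must be one of {sorted(QUERY_OPS)}")
    terms = []
    for name, value in fields.items():
        value = str(value)
        # Assumed syntax: quote values that contain whitespace so a subject
        # like "invoice overdue" stays one term instead of two.
        if any(ch.isspace() for ch in value):
            value = '"' + value.replace('"', '\\"') + '"'
        terms.append(f"{name}:{value}")
    return f" {query_op} ".join(terms)


def build_search_request(fields, query_op="and", start=None, end=None,
                         top=None, select=None, now=None) -> dict:
    """Assemble header and parameters for one activity-data search.
    Defaults follow the Input tables: start is 24 hours before the request,
    end is the request time. `now` may be an ISO 8601 string (for tests) or
    an aware datetime; it defaults to the current UTC time."""
    if isinstance(now, str):
        now = _parse_iso8601(now)
    now = now or datetime.now(timezone.utc)
    start_dt = _parse_iso8601(start) if start else now - timedelta(hours=24)
    end_dt = _parse_iso8601(end) if end else now
    if start_dt >= end_dt:
        raise ValueError("start must be earlier than end")
    params = {"startDateTime": start_dt.strftime(TS_FMT),
              "endDateTime": end_dt.strftime(TS_FMT)}
    if top is not None:
        top = int(top)
        if top <= 0:
            raise ValueError("top must be a positive integer")
        params["top"] = top
    if select:
        if isinstance(select, str):
            select = [s.strip() for s in select.split(",") if s.strip()]
        params["select"] = ",".join(select)
    return {"headers": {"TMV1-Query": build_query(fields, query_op)}, "params": params}


if __name__ == "__main__":
    # Constructed sample arguments reusing the page's own example values.
    print(build_search_request({"mailMsgSubject": "spam", "mailSenderIp": "192.169.1.1"},
                               "and", top=50, select="mailMsgId,mailbox"))
```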

trendmicro-visionone-terminate-process

Terminates a process that is running on an endpoint.

Base Command

trendmicro-visionone-terminate-process

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| process_identifiers | List of object(s) consisting of endpoint (hostname) or agent_guid, file_sha1, filename and description, e.g. [{"endpoint":"test-endpoint","file_sha1":"fb5608fa03de204a12fe1e9e5275e4a682107471","filename":"test.txt","description":"terminate process"}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Terminate_Process.status | number | Status of request to terminate process. |
| VisionOne.Terminate_Process.task_id | string | Task ID generated after terminating a process. |

trendmicro-visionone-get-file-analysis-status

Retrieves the status of a sandbox analysis submission.

Base Command

trendmicro-visionone-get-file-analysis-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| task_id | The task_id from the trendmicro-visionone-submit-file-to-sandbox command output. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.File_Analysis_Status.id | string | Submission ID of the file submitted for sandbox analysis. |
| VisionOne.File_Analysis_Status.status | string | Response code for the action call. |
| VisionOne.File_Analysis_Status.action | string | Action performed on the submitted file. |
| VisionOne.File_Analysis_Status.error | string | Error code and message for the submission. |
| VisionOne.File_Analysis_Status.digest | string | The hash values of the file analyzed. |
| VisionOne.File_Analysis_Status.created_date_time | string | Creation date and time of the sandbox analysis. |
| VisionOne.File_Analysis_Status.last_action_date_time | string | Date and time of the last action performed on the submission. |
| VisionOne.File_Analysis_Status.resource_location | string | Location of the submitted file. |
| VisionOne.File_Analysis_Status.is_cached | string | Whether the file is cached (True or False). |
| VisionOne.File_Analysis_Status.arguments | string | Arguments for the file submitted. |

trendmicro-visionone-get-file-analysis-result

Retrieves the sandbox submission analysis result.

Base Command

trendmicro-visionone-get-file-analysis-result

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| report_id | The report_id of the sandbox submission, retrieved from the trendmicro-visionone-get-file-analysis-status command. | Required |
| poll | Whether the script should wait until the task is finished before returning the result; enabled by default. Possible values are: true, false. | Optional |
| poll_time_sec | Maximum time, in seconds, to wait for the result to be available. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.File_Analysis_Result.id | string | Report ID for the submission. |
| VisionOne.File_Analysis_Result.type | string | Type of object. |
| VisionOne.File_Analysis_Result.digest | string | The hash values of the file analyzed. |
| VisionOne.File_Analysis_Result.risk_level | string | Risk level of the suspicious object. |
| VisionOne.File_Analysis_Result.analysis_completion_date_time | string | Analysis completion time of the suspicious object. |
| VisionOne.File_Analysis_Result.arguments | string | Arguments for the suspicious object. |
| VisionOne.File_Analysis_Result.detection_names | string | Detection name for the suspicious object. |
| VisionOne.File_Analysis_Result.threat_types | string | Threat type of the suspicious object. |
| VisionOne.File_Analysis_Result.true_file_type | string | File type of the suspicious object. |
| VisionOne.File_Analysis_Result.DBotScore.Score | number | The DBot score. |
| VisionOne.File_Analysis_Result.DBotScore.Vendor | string | The vendor name. |
| VisionOne.File_Analysis_Result.DBotScore.Reliability | string | The reliability of an intelligence-data source. |

trendmicro-visionone-collect-forensic-file

Compresses a file on an endpoint into a password-protected archive and then sends the archive to the XDR service platform.

Base Command

trendmicro-visionone-collect-forensic-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| collect_files | List of object(s) containing endpoint (hostname) or agent_guid, file_path and description, e.g. [{"endpoint":"test-endpoint","file_path":"C:/test_dir/test.txt","filename":"test.txt","description":"collect file"}]. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Collect_Forensic_File.status | number | Status of request to collect file from endpoint. |
| VisionOne.Collect_Forensic_File.task_id | string | Task ID generated after collecting file for forensic analysis. |

trendmicro-visionone-download-information-for-collected-forensic-file

Retrieves a URL and other information required to download a file collected via the trendmicro-visionone-collect-forensic-file command.

Base Command

trendmicro-visionone-download-information-for-collected-forensic-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| task_id | The task_id output from the trendmicro-visionone-collect-forensic-file command. | Required |
| poll | Whether the script should wait until the task is finished before returning the result; enabled by default. Possible values are: true, false. | Optional |
| poll_time_sec | Maximum time, in seconds, to wait for the result to be available. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Download_Information_For_Collected_Forensic_File.status | string | Status of the action performed (succeeded, running or failed). |
| VisionOne.Download_Information_For_Collected_Forensic_File.created_date_time | string | The creation date and time for the file. |
| VisionOne.Download_Information_For_Collected_Forensic_File.id | string | Task ID used to query for forensic file information. |
| VisionOne.Download_Information_For_Collected_Forensic_File.last_action_date_time | string | Time and date of the last action on the file. |
| VisionOne.Download_Information_For_Collected_Forensic_File.description | string | Task description. |
| VisionOne.Download_Information_For_Collected_Forensic_File.action | string | Action performed on the file. |
| VisionOne.Download_Information_For_Collected_Forensic_File.account | string | The account associated with the request. |
| VisionOne.Download_Information_For_Collected_Forensic_File.agent_guid | string | AgentGuid of the endpoint used to collect the file. |
| VisionOne.Download_Information_For_Collected_Forensic_File.endpoint_name | string | Hostname of the endpoint used to collect the file. |
| VisionOne.Download_Information_For_Collected_Forensic_File.file_path | string | File path of the file that was collected. |
| VisionOne.Download_Information_For_Collected_Forensic_File.file_sha1 | string | The fileSha1 of the collected file. |
| VisionOne.Download_Information_For_Collected_Forensic_File.file_sha256 | string | The fileSha256 of the collected file. |
| VisionOne.Download_Information_For_Collected_Forensic_File.file_size | number | The size of the file collected. |
| VisionOne.Download_Information_For_Collected_Forensic_File.resource_location | string | URL location of the collected file that can be used to download it. |
| VisionOne.Download_Information_For_Collected_Forensic_File.expired_date_time | string | The expiration date and time of the file. |
| VisionOne.Download_Information_For_Collected_Forensic_File.password | string | The password for the file collected. |
| VisionOne.Download_Information_For_Collected_Forensic_File.error | string | Error response generated for the request. |

### trendmicro-visionone-download-investigation-package

Downloads the investigation package for a sandbox submission, based on the submission ID.

#### Base Command

`trendmicro-visionone-download-investigation-package`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| submission_id | The submission ID of the object submitted to the sandbox for analysis. | Required |
| poll | Whether the script should wait until the task is finished before returning the result; enabled by default. Possible values are: true, false. | Optional |
| poll_time_sec | Maximum time (in seconds) to wait for the result to be available. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Download_Investigation_Package.submission_id | string | The submission ID for the file. |
| VisionOne.Download_Investigation_Package.result_code | number | Result code of the request to download the investigation package. |
| VisionOne.Download_Investigation_Package.message | number | Message notifying the user that the investigation package is ready for download. |

### trendmicro-visionone-download-suspicious-object-list

Downloads the suspicious object list associated with the specified object. Note: suspicious object lists are only available for objects with a high risk level.

#### Base Command

`trendmicro-visionone-download-suspicious-object-list`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| submission_id | The submission ID of the object submitted to the sandbox for analysis. | Required |
| poll | Whether the script should wait until the task is finished before returning the result; enabled by default. Possible values are: true, false. | Optional |
| poll_time_sec | Maximum time (in seconds) to wait for the result to be available. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Download_Suspicious_Object_list.type | string | The type of suspicious object. |
| VisionOne.Download_Suspicious_Object_list.value | string | Value of the suspicious object. |
| VisionOne.Download_Suspicious_Object_list.risk_level | string | Risk level of the analyzed object. |
| VisionOne.Download_Suspicious_Object_list.root_sha1 | string | Status code for the command. |
| VisionOne.Download_Suspicious_Object_list.analysis_completion_date_time | string | The analysis completion date and time. |
| VisionOne.Download_Suspicious_Object_list.expired_date_time | string | The expiration date and time of the suspicious object. |

### trendmicro-visionone-download-analysis-report

Downloads the analysis report for an object submitted to the sandbox, based on the submission ID.

#### Base Command

`trendmicro-visionone-download-analysis-report`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| submission_id | The submission ID of the object submitted to the sandbox for analysis. | Required |
| poll | Whether the script should wait until the task is finished before returning the result; enabled by default. Possible values are: true, false. | Optional |
| poll_time_sec | Maximum time (in seconds) to wait for the result to be available. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Download_Analysis_Report.submission_id | string | The submission ID of the sandbox object. |
| VisionOne.Download_Analysis_Report.result_code | string | Result code of the request to download the analysis report. |
| VisionOne.Download_Analysis_Report.message | string | Message notifying the user that the analysis report is ready for download. |

### trendmicro-visionone-submit-file-to-sandbox

Submits a file to the sandbox for analysis. Note: for more information about the supported file types, see the Trend Micro Vision One Online Help. Submissions require credits, except in regions where Sandbox Analysis has not been officially released.

#### Base Command

`trendmicro-visionone-submit-file-to-sandbox`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file_url | URL pointing to the location of the file to be submitted. | Required |
| file_name | Name of the file (including extension) to be analyzed. | Required |
| document_password | The Base64-encoded password for decrypting the submitted document. | Optional |
| archive_password | The Base64-encoded password for decrypting the submitted archive. | Optional |
| arguments | Base64-encoded command line arguments with which to run the submitted file. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Submit_File_to_Sandbox.message | string | Result code of submitting the file to the sandbox for analysis. |
| VisionOne.Submit_File_to_Sandbox.code | string | HTTP status code of the request made to submit the file to the sandbox. |
| VisionOne.Submit_File_to_Sandbox.task_id | string | ID generated for the sandbox submission. |
| VisionOne.Submit_File_to_Sandbox.digest | string | The hash value of the file. |
| VisionOne.Submit_File_to_Sandbox.arguments | string | Command line arguments used to run the submitted file. |

### trendmicro-visionone-submit-file-entry-to-sandbox

Submits a file from the War Room (by entry ID) to the sandbox for analysis. Note: for more information about the supported file types, see the Trend Micro Vision One Online Help. Submissions require credits, except in regions where Sandbox Analysis has not been officially released.

#### Base Command

`trendmicro-visionone-submit-file-entry-to-sandbox`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entry_id | Entry ID of the file to be submitted. | Required |
| document_password | The Base64-encoded password for decrypting the submitted document. | Optional |
| archive_password | The Base64-encoded password for decrypting the submitted archive. | Optional |
| arguments | Base64-encoded command line arguments with which to run the submitted file. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Submit_File_Entry_to_Sandbox.message | string | Result code of submitting the file entry to the sandbox for analysis. |
| VisionOne.Submit_File_Entry_to_Sandbox.code | string | HTTP status code of the request made to submit the file entry to the sandbox. |
| VisionOne.Submit_File_Entry_to_Sandbox.task_id | string | ID of the submitted file. |
| VisionOne.Submit_File_Entry_to_Sandbox.digest | string | The hash value of the file. |
| VisionOne.Submit_File_Entry_to_Sandbox.filename | string | The name of the submitted file. |
| VisionOne.Submit_File_Entry_to_Sandbox.file_path | string | The path of the file associated with the incident. |
| VisionOne.Submit_File_Entry_to_Sandbox.entry_id | string | The entry ID of the file. |
| VisionOne.Submit_File_Entry_to_Sandbox.arguments | string | Command line arguments used to run the submitted file. |

### trendmicro-visionone-submit-urls-to-sandbox

Sends one or more URLs to the sandbox for analysis.

#### Base Command

`trendmicro-visionone-submit-urls-to-sandbox`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| urls | List of URLs to be sent for analysis. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Submit_Urls_to_Sandbox.id | string | ID generated for the URL sent to the sandbox for analysis. |
| VisionOne.Submit_Urls_to_Sandbox.url | string | URL sent to the sandbox for analysis. |
| VisionOne.Submit_Urls_to_Sandbox.digest | string | Digest value generated for the URL sent to the sandbox for analysis. |
| VisionOne.Submit_Urls_to_Sandbox.status | string | HTTP status code of the request. |
| VisionOne.Submit_Urls_to_Sandbox.task_id | string | Task ID generated for the URL sent to the sandbox for analysis. |

### trendmicro-visionone-get-alert-details

Fetches details for a specific workbench alert.

#### Base Command

`trendmicro-visionone-get-alert-details`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| workbench_id | Workbench ID of the alert to query. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Alert_Details.etag | string | The ETag of the resource; pass it as `if_match` when updating the alert. |
| VisionOne.Alert_Details.alert.id | string | ID of the workbench alert. |
| VisionOne.Alert_Details.alert.model | string | Name of the detection model that triggered the alert. |
| VisionOne.Alert_Details.alert.score | number | Overall severity assigned to the alert, based on the severity of the matched detection model and the impact scope. |
| VisionOne.Alert_Details.alert.severity | string | Workbench alert severity. |
| VisionOne.Alert_Details.alert.indicators | string | The objects found by RCA or sweeping. |
| VisionOne.Alert_Details.alert.description | string | Description of the detection model that triggered the alert. |
| VisionOne.Alert_Details.alert.impact_scope | string | Information about the affected entities. |
| VisionOne.Alert_Details.alert.matched_rules | string | The rules that were triggered. |
| VisionOne.Alert_Details.alert.alert_provider | string | Alert provider. |
| VisionOne.Alert_Details.alert.schema_version | string | The version of the JSON schema, not the version of the alert trigger content. |
| VisionOne.Alert_Details.alert.workbench_link | string | Workbench URL. |
| VisionOne.Alert_Details.alert.created_date_time | string | Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC) at which the alert was created. |
| VisionOne.Alert_Details.alert.updated_date_time | string | Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC) at which the alert was last updated. |
| VisionOne.Alert_Details.alert.investigation_status | string | Workbench alert status. |

### trendmicro-visionone-run-sandbox-submission-polling

Runs a polling command to retrieve the status of a sandbox analysis submission.

#### Base Command

`trendmicro-visionone-run-sandbox-submission-polling`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| polling | Poll the task at 30-second intervals. Default is true. | Optional |
| task_id | The task_id from the trendmicro-visionone-submit-file-to-sandbox or trendmicro-visionone-submit-file-entry-to-sandbox command output. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Sandbox_Submission_Polling.message | string | Status of the sandbox analysis. |
| VisionOne.Sandbox_Submission_Polling.status_code | string | Status code of the request. |
| VisionOne.Sandbox_Submission_Polling.status | string | Status of the action to analyze the file in the sandbox. |
| VisionOne.Sandbox_Submission_Polling.report_id | string | Report ID of the queried submission. |
| VisionOne.Sandbox_Submission_Polling.digest | string | The hash values of the analyzed file. |
| VisionOne.Sandbox_Submission_Polling.analysis_completion_time | string | Time at which the sample analysis completed. |
| VisionOne.Sandbox_Submission_Polling.risk_level | string | Risk level of the analyzed file. |
| VisionOne.Sandbox_Submission_Polling.detection_name_list | string | Detection names for this sample, if applicable. |
| VisionOne.Sandbox_Submission_Polling.threat_type_list | string | Threat types of this sample. |
| VisionOne.Sandbox_Submission_Polling.file_type | string | File type of this sample. |
| VisionOne.Sandbox_Submission_Polling.type | string | Object type. |
| VisionOne.Sandbox_Submission_Polling.message | string | Error message for a failed call. |
| VisionOne.Sandbox_Submission_Polling.code | string | Error code for a failed call. |
| VisionOne.Sandbox_Submission_Polling.DBotScore.Score | number | The DBot score. |
| VisionOne.Sandbox_Submission_Polling.DBotScore.Vendor | string | The vendor name. |
| VisionOne.Sandbox_Submission_Polling.DBotScore.Reliability | string | The reliability of the intelligence-data source. |

### trendmicro-visionone-check-task-status

Returns the status of a running task, based on its task ID.

#### Base Command

`trendmicro-visionone-check-task-status`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| polling | Poll the task at 30-second intervals. Default is true. | Optional |
| task_id | Task ID of the task you would like to check. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Task_Status.id | string | Task ID of the queried task. |
| VisionOne.Task_Status.status | string | Status of the task. |
| VisionOne.Task_Status.created_date_time | string | Creation timestamp in ISO 8601 format. |
| VisionOne.Task_Status.last_action_date_time | string | Timestamp of the last action in ISO 8601 format. |
| VisionOne.Task_Status.action | string | Action performed. |
| VisionOne.Task_Status.description | string | Description of the task. |
| VisionOne.Task_Status.account | string | Account that performed the task. |
| VisionOne.Task_Status.type | string | Value type. |
| VisionOne.Task_Status.value | string | Value that was submitted. |
| VisionOne.Task_Status.tasks | string | Task-related information. |
| VisionOne.Task_Status.agent_guid | string | Agent GUID of the endpoint. |
| VisionOne.Task_Status.endpoint_name | string | Endpoint name. |

### trendmicro-visionone-add-note

Attaches a note to a workbench alert.

#### Base Command

`trendmicro-visionone-add-note`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| workbench_id | ID of the workbench alert to attach the note to. | Required |
| content | Contents of the note to be attached. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Add_Note.code | string | HTTP status code of the request. |
| VisionOne.Add_Note.message | string | Message notifying the user that the note was added to the workbench alert. |
| VisionOne.Add_Note.note_id | string | ID of the note added to the workbench alert. |

### trendmicro-visionone-update-status

Updates the status of a workbench alert.

#### Base Command

`trendmicro-visionone-update-status`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| workbench_id | ID of the workbench alert whose status you would like to update. | Required |
| if_match | The target resource is updated only if this value matches its current ETag. The ETag is one of the outputs of trendmicro-visionone-get-alert-details. | Required |
| status | Status to assign to the workbench alert. Possible values are: new, in_progress, true_positive, false_positive, benign_true_positive, closed. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| VisionOne.Update_Status.Workbench_Id | string | The ID of the workbench alert whose status was updated. |
| VisionOne.Update_Status.code | string | HTTP status code of the status update request. |
| VisionOne.Update_Status.message | string | Message notifying the user that the alert status has been updated to the requested status. |
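The workflow that get-alert-details and update-status imply, as an added example that is not part of the integration: read the alert, carry its `etag` into `if_match`, and let a changed ETag reject the update so two analysts cannot silently overwrite each other. The `execute` callable (standing in for however an automation runs commands, such as a wrapper around `demisto.executeCommand`), the fake backend, its result codes and the sample workbench ID are all assumptions.

```python
"""Added example, not the integration's own code: chain get-alert-details and
update-status so that if_match carries the ETag the alert currently has.
`execute(name, args) -> context dict` is an assumed wrapper, not a real API."""
from typing import Any, Callable, Dict

# Values the documentation lists for the `status` argument of update-status.
ALLOWED_STATUSES = {"new", "in_progress", "true_positive", "false_positive",
                    "benign_true_positive", "closed"}


def build_update_args(alert_ctx: Dict[str, Any], workbench_id: str, status: str) -> Dict[str, str]:
    """Turn VisionOne.Alert_Details context into update-status arguments."""
    if status not in ALLOWED_STATUSES:
        raise ValueError(f"unsupported status {status!r}")
    etag = alert_ctx.get("VisionOne", {}).get("Alert_Details", {}).get("etag")
    if not etag:
        raise ValueError("no etag in alert details; refusing a blind update")
    return {"workbench_id": workbench_id, "if_match": etag, "status": status}


def update_alert_status(execute: Callable[[str, Dict[str, str]], Dict[str, Any]],
                        workbench_id: str, status: str) -> Dict[str, Any]:
    """Read the alert first so the update is conditional on its current ETag."""
    details = execute("trendmicro-visionone-get-alert-details", {"workbench_id": workbench_id})
    return execute("trendmicro-visionone-update-status",
                   build_update_args(details, workbench_id, status))


class FakeVisionOne:
    """Constructed stand-in for the integration: one alert whose ETag changes on
    every update, so a stale if_match is rejected. Codes are constructed too."""
    def __init__(self) -> None:
        self.alerts = {"WB-0001": {"etag": '"v1"', "status": "new", "rev": 1}}

    def execute(self, name: str, args: Dict[str, str]) -> Dict[str, Any]:
        alert = self.alerts[args["workbench_id"]]
        if name == "trendmicro-visionone-get-alert-details":
            return {"VisionOne": {"Alert_Details": {"etag": alert["etag"], "alert": {
                "id": args["workbench_id"], "investigation_status": alert["status"]}}}}
        if name == "trendmicro-visionone-update-status":
            if args["if_match"] != alert["etag"]:
                return self._result(args, "412", "ETag mismatch; re-read the alert")
            alert["status"], alert["rev"] = args["status"], alert["rev"] + 1
            alert["etag"] = f'"v{alert["rev"]}"'
            return self._result(args, "204", f"status updated to {args['status']}")
        raise KeyError(name)

    @staticmethod
    def _result(args: Dict[str, str], code: str, message: str) -> Dict[str, Any]:
        return {"VisionOne": {"Update_Status": {
            "Workbench_Id": args["workbench_id"], "code": code, "message": message}}}
```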