Trend Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response (XDR) capabilities that collect and automatically correlate data across multiple security layers—email, endpoints, servers, cloud workloads, and networks—Trend Vision One prevents the majority of attacks with automated protection
Welcome to the open-source repository for Splunk> Phantom’s trendmicrovisionone App.
Please have a look at our Contributing Guide if you are interested in contributing, raising issues, or learning more about open-source Phantom apps.
This Phantom App is licensed under the Apache 2.0 license. Please see our Contributing Guide for further details.
Support and maintenance for this integration are provided by the author. Please use the following contact details:
- Email : integrations@trendmicro.com
The app uses HTTPS protocol for communicating with the VisionOne API server. Below are the default ports used by the Splunk SOAR Connector.
| SERVICE NAME | TRANSPORT PROTOCOL | PORT |
|---|---|---|
| https | tcp | 443 |
The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Trend Vision One asset in SOAR.
| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| api_url | required | string | The URL for your ETP instance |
| api_key | required | password | API key |
- Navigate to Apps > Unconfigured Apps .
- Search for Trend Vision One.
- Click CONFIGURE NEW ASSET to create and configure a new integration instance.
- ALternatively click on INSTALL APP and drop a tarball of the app
| Parameter | Description | Required |
|---|---|---|
| Asset name | Unique name for this Trend Vision One instance runner asset | True |
| Asset description | Short description of the asset’s purpose | True |
| Product vendor | Trend Micro | True |
| Product name | Vision One | True |
| Tags | Optional tags to use in Playbooks | False |
| API_URL | Vision One API URL | True |
| API_TOKEN | Vision One API Token | True |
| Polling interval (minutes) | How often should security incident events be updated from Vision One | False |
- Click TEST CONNECTIVITY to validate the URLs, token, and connection.
Test Connectivity - Validate the asset configuration for connectivity using supplied configuration
Get Endpoint Info - Gather information about an endpoint
Quarantine Device - Quarantine the endpoint
Unquarantine Device - Unquarantine the endpoint
On Poll - Callback action for the on_poll ingest functionality
Status Check - Checks the status of a task
Add To Blocklist - Adds an item to the Suspicious Objects list in Vision One
Remove From Blocklist - Removes an item from the Suspicious Objects list
Quarantine Email Message - Quarantine the email message
Delete Email Message - Delete the email message
Terminate Process - Terminate the process running on the endpoint
Add To Exception - Add object to exception list
Delete From Exception - Delete object from exception list
Add To Suspicious - Add suspicious object to suspicious list
Delete From Suspicious - Delete the suspicious object from suspicious list
Check Analysis Status - Get the status of file analysis based on task id
Download Analysis Report - Get the analysis report of a file based on report id
Collect Forensic File - Collect forensic file
Forensic File Info - Get the download information for collected forensic file
Start Analysis - Submit file to sandbox for analysis. For supported file types, check here
Add Note - Adds a note to an existing workbench alert
Update Status - Updates the status of an existing workbench alert
Get Alert Details - Displays information about the specified alert
Urls To Sandbox - Submits URLs to the sandbox for analysis
Enable Account - Allows the user to sign in to new application and browser sessions
Disable Account - Signs the user out of all active application and browser sessions, and prevents the user from signing in any new session
Restore Email Message - Restore quarantined email messages
Sign Out Account - Signs the user out of all active application and browser sessions
Force Password Reset - Signs the user out of all active application and browser sessions, and forces the user to create a new password during the next sign-in attempt
Sandbox Suspicious List - Downloads the suspicious object list associated to the specified object
Sandbox Analysis Result - Displays the analysis results of the specified object
Sandbox Investigation Package - Downloads the Investigation Package of the specified object
Get Suspicious List - Retrieves information about domains, file SHA-1, file SHA-256, IP addresses, email addresses, or URLs in the Suspicious Object List and displays the information in a paginated list
Get Exception List - Retrieves information about domains, file SHA-1, file SHA-256, IP addresses, sender addresses, or URLs in the Exception List and displays it in a paginated list
You can execute these commands from the Splunk SOAR CLI, as part of an automation, or in a playbook.
Validate the asset configuration for connectivity using supplied configuration variables.
Type: test
Read only: True
| Argument Name | Description | Required |
|---|---|---|
| N/A |
| Path | Type | Description |
|---|---|---|
| N/A |
Add object(s) to blocklist.
API key role permissions required: Response Management
- View, filter, and search (Task List tab)
- Add to block list
Suspicious Object Management
- View, filter, and search
- Manage lists and configure settings
Type: contain
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| block_objects | Object made up of object_type, object_value and description |
Required |
Example input:
Block Objects
[{
"object_type": "ip",
"object_value": "6.6.6.6",
"description": "Block IP"
},{
"object_type": "domain",
"object_value": "hello.com",
}]
Note: description is optional and a default value is automatically provided.
| Path | Type | Description |
|---|---|---|
| action_result.data.*.status | Numeric | HTTP status code for the action |
| action_result.data.*.task_id | String | Task ID generated for the action |
Note: To get the complete task status run polling command status check giving taskId as input parameter.
Remove object(s) from blocklist.
API key role permissions required: Response Management
- View, filter, and search (Task List tab)
- Add to block list
Suspicious Object Management
- View, filter, and search
- Manage lists and configure settings
Type: correct
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| block_objects | Object made up of object_type, object_value and description |
Required |
Example input:
Block Objects
[{
"description": "Remove from blocklist",
"object_type": "ip",
"object_value": "6.6.6.3"
}, {
"object_type": "domain",
"object_value": "hello.com",
}]
Note: description is optional and a default value is automatically provided.
| Path | Type | Description |
|---|---|---|
| action_result.data.*.status | Numeric | HTTP status code for the action |
| action_result.data.*.task_id | String | Task ID generated for the action |
Note: To get the complete task status run polling command status check giving taskId as input parameter.
Quarantine email message(s).
API key role permissions required: Response Management
- View, filter, and search (Task List tab)
- Quarantine/Restore messages
Type: contain
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| email_identifiers | Object containing message_id, mailbox and description or unique_id and description |
Required |
Example input:
Email Identifiers
Call using Message ID.
[{
"message_id": "<AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AAhCCNvg5sEua0nNjgfLS2AABNpgTSQAA>",
"mailbox": "jdoe@testemailtest.com",
"description": "Quarantine email message"
}]
Call using unique ID.
[{
"unique_id": "AAAAAAHYQDEapmEc2byACqAC-EWg0AAhCCNvg5sEua0",
"description": "Quarantine email message"
}]
Note: description is optional and a default value is automatically provided. If Unique ID is being passed then the mailbox ID is not needed.
| Path | Type | Description |
|---|---|---|
| action_result.data.*.status | Numeric | HTTP status code for the action |
| action_result.data.*.task_id | String | Task ID generated for quarantining email message |
Note: To get the complete task status run polling command status check giving taskId as input parameter.
Delete email message(s).
API key role permissions required: Response Management
- View, filter, and search (Task List tab)
- Delete messages
Type: correct
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| email_identifiers | Object containing message_id, mailbox and description or unique_id and description |
Required |
Example input:
Email Identifiers
Call using message ID.
[{
"message_id": "<AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AAhCCNvg5sEua0nNjgfLS2AABNpgTSQAA>",
"mailbox": "jdoe@testemailtest.com",
"description": "Delete email message"
}]
Call using unique ID.
[{
"unique_id": "AAAAAAHYQDEapmEc2byACqAC-EWg0AAhCCNvg5sEua0",
"description": "Delete email message"
}]
Note: description is optional and a default value is automatically provided. If Unique ID is being passed then the mailbox ID is not needed.
| Path | Type | Description |
|---|---|---|
| action_result.data.*status | Numeric | HTTP status code for the action |
| action_result.data.*task_id | String | Task ID generated for deleting email message |
Note: To get the complete task status run polling command status check giving taskId as input parameter.
Quarantine endpoint(s).
API key role permissions required: Response Management
- View, filter, and search (Task List tab)
- Isolate endpoint
Type: contain
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| endpoint_identifiers | Object containing of endpoint (hostname) and description or agent_guid and description |
Required |
Example input:
Endpoint Identifiers
[{
"endpoint": "endpoint123",
"description": "quarantine device"
}, {
"agent_guid": "94632-7d79-451d-9ef8-2a2129e2",
"description": "quarantine device"
}]
Note: endpoint accepts agentGuid or hostname. description is optional and a default value is automatically provided.
| Path | Type | Description |
|---|---|---|
| action_result.data.*status | Numeric | HTTP status code for the action |
| action_result.data.*task_id | String | Task ID generated for quarantining endpoint |
Note: To get the complete task status run polling command status check giving taskId as input parameter. Note: The above command should be added with execution timeout in the advanced field of playbook execution. The recommended timeout be 20 minutes .
Restore endpoint(s) connectivity.
API key role permissions required: Response Management
- View, filter, and search (Task List tab)
- Isolate endpoint
Type: correct
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| endpoint_identifiers | Object containing of endpoint (hostname) and description or agent_guid and description |
Required |
Example input:
Endpoint Identifiers
[{
"endpoint": "endpoint123",
"description": "Restore endpoint"
}, {
"agent_guid": "94632-7d79-451d-9ef8-2a2129e2",
"description": "Restore endpoint"
}]
Note: endpoint accepts either agent_guid or hostname. description is optional and a default value is automatically provided.
| Path | Type | Description |
|---|---|---|
| action_result.data.*.status | Numeric | HTTP status code for the action |
| action_result.data.*.task_id | String | Task ID generated for restoring endpoint |
Note: To get the complete task status run polling command status check giving taskId as input parameter. Note: The above command should be added with execution timeout in the advanced field of playbook execution. The recommended timeout be 20 minutes .
This polls information about workbench alerts that match the specified criteria in a paginated list.
API key role permissions required: Workbench
- View, filter, and search
Type: ingest
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| starttime | Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC) that indicates the start of the data retrieval time range. The available oldest value is “1970-01-01T00:00:00Z” | False |
| endtime | Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC) that indicates the end of the data retrieval time range. Ensure that “endDateTime” is not earlier than “startDateTime” | False |
Example input:
Start Time
2020-01-01T10:00:00Z
End Time
2023-01-01T10:00:00Z
| Path | Type | Description |
|---|---|---|
| action_result.data.*.serialized_alerts | [] List of SAE or TI Alerts | Array of alerts retrieved (awb-workbenchAlertV3) |
Add object(s) to exception list.
API key role permissions required: Suspicious Object Management
- View, filter, and search
- Manage lists and configure settings
Type: correct
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| block_objects | Object consisting of object_type, object_value and description |
Required |
Example input:
Block Objects
[{"object_type": "ip","object_value": "1.2.6.9", "description": "Add to exception list"},
{"object_type": "ip","object_value": "1.1.1.1"}]
Note: description is optional and a default value is automatically provided.
| Path | Type | Description |
|---|---|---|
| action_result.data.multi_response.*.status | Numeric | HTTP status code for the action |
| action_result.data.multi_response.*.task_id | N/A | Null |
| action_result.data.multi_response.*.total_count | Numeric | Total count of items in exception list |
Delete object(s) from exception list.
API key role permissions required: Suspicious Object Management
- View, filter, and search
- Manage lists and configure settings
Type: correct
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| block_objects | Object consisting of object_type, object_value |
Required |
Example input:
Block Objects
[{
"object_type": "ip",
"object_value": "1.6.6.3"
}]
| Path | Type | Description |
|---|---|---|
| action_result.data.multi_response.*.status | Numeric | HTTP status code for the action |
| action_result.data.multi_response.*.task_id | N/A | Null |
| action_result.data.multi_response.*.total_count | Numeric | Total count of objects in exception list |
Add object(s) to suspicious list.
API key role permissions required: Suspicious Object Management
- View, filter, and search
- Manage lists and configure settings
Type: contain
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| block_objects | Object consisting of object_type, object_value and scan_action, risk_level, expiry_days and description |
Required |
Example input:
Block Objects
[{
"object_type": "ip",
"risk_level": "high",
"object_value": "6.6.6.3"
"expiry_days": "30",
"scan_action": "block",
"description": "Add to suspicious list"
}]
Note: scan_action, risk_level, expiry_days and description are optional and default values are provided for each.
| Path | Type | Description |
|---|---|---|
| action_result.data.multi_response.*.status | Numeric | HTTP status code for the action |
| action_result.data.multi_response.*.task_id | N/A | Null |
| action_result.data.multi_response.*.total_count | Numeric | Total count of objects in suspicious list |
Delete object(s) from suspicious list.
API key role permissions required: Suspicious Object Management
- View, filter, and search
- Manage lists and configure settings
Type: correct
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| block_objects | Object consisting of object_type and object_value |
Required |
Example input:
Block Objects
[{
"object_type": "ip",
"object_value": "6.6.6.4"
}]
| Path | Type | Description |
|---|---|---|
| action_result.data.multi_response.*.status | Numeric | HTTP status code for the action |
| action_result.data.multi_response.*.task_id | N/A | Null |
| action_result.data.multi_response.*.total_count | Numeric | Total count of objects in suspicious list |
Terminate process(es) running on endpoint(s).
API key role permissions required: Response Management
- View, filter, and search (Task List tab)
- Terminate process
Type: contain
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| process_identifiers | Object consisting of endpoint (hostname) or agent_guid, file_sha1, filename and description |
Required |
Example input:
Process Identifiers
[{
"endpoint": "endpoint123",
"file_sha1": "984afc7.......95b519a081321"
"description": "terminate process",
"filename": "exmaplename.txt"
}]
Note: description and filename are optional and a default value is provided.
| Path | Type | Description |
|---|---|---|
| action_result.data.*.status | Numeric | HTTP status code for the action |
| action_result.data.*.task_id | String | Task ID generated after terminating a process |
Note: To get the complete task status run polling command status check giving taskId as input parameter. Note: The above command should be added with execution timeout in the advanced field of playbook execution. The recommended timeout is 20 minutes .
Get the status of a sandbox submission based on task_id.
API key role permissions required: Sandbox Analysis
- View, filter, and search
- Submit objects
Type: investigate
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| task_id | Unique alphanumeric string that identifies the analysis results of a submission | Required |
Example input:
Task ID
8559a7ce-2b85-451b-8742-4b943ad76a22
| Path | Type | Description |
|---|---|---|
| action_result.data.*.id | String | Unique alphanumeric string that identifies a submission |
| action_result.data.*.status | String | Action applied to a submitted object. Possible values: succeeded, running, failed |
| action_result.data.*.created_date_time | String | Timestamp in ISO 8601 that indicates the object was submitted to the sandbox |
| action_result.data.*.last_action_date_time | String | Timestamp in ISO 8601 format that indicates when the information about a submission was last updated |
| action_result.data.*.action | String | Action applied to a submitted object |
| action_result.data.*.resource_location | String | Location of the submitted file |
| action_result.data.*.is_cached | String | Parameter that indicates if an object has been analyzed before by the Sandbox Analysis App. Submissions marked as cached do not count toward the daily reserve |
| action_result.data.*.digest | String | object (sandbox-digest) |
| action_result.data.*.arguments | String | Arguments for the file submitted |
| action_result.data.*.error | String | Error code and message for the submission |
Get the analysis report of a file based on report id.
API key role permissions required: Sandbox Analysis
- View, filter, and search
- Submit objects
Type: investigate
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| submit_id | Unique alphanumeric string that identifies the analysis results of a submission | Required |
| poll | If script should wait until the task is finished before returning the result (enabled by default) | Optional |
| poll_time_sec | Maximum time to wait for the result to be available | Optional |
Example input:
Submit ID
8559a7ce-2b85-451b-8742-4b943ad76a22
Poll
true
Poll Time Sec
30
| Path | Type | Description |
|---|---|---|
| action_result.data.*.file_added | String | Name of the PDF file added to Vault |
Collect forensic file.
API key role permissions required: Response Management
- View, filter, and search (Task List tab)
- Collect file
Type: investigate
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| collect_files | Object containing endpoint (hostname) or agent_guid, file_path and description |
Required |
Example input:
Collect Files
[{
"endpoint": "endpoint123",
"file_path": "C:/virus.exe",
"description": "collect malicious file"
}, {
"agent_guid": "94632-7d79-451d-9ef8-2a2129e2",
"file_path": "C:/some_file.exe"
}]
Note: description is optional and a default value is provided.
| Path | Type | Description |
|---|---|---|
| action_result.data.*.status | Numeric | HTTP status code for the action |
| action_result.data.*.task_id | String | Task ID generated after collecting a file |
Note: To get the complete task status run polling command status check giving taskId as input parameter. Note: The above command should be added with execution timeout in the advanced field of playbook execution. The recommended timeout be 20 minutes .
Get the download information for collected forensic file.
API key role permissions required: Response Management
- View, filter, and search (Task List tab)
- Download task result
Type: investigate
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| task_id | task_id output from the collect forensic file command used to collect the file | Required |
| poll | If script should wait until the task is finished before returning the result (enabled by default) | Optional |
| poll_time_sec | Maximum time to wait for the result to be available | Optional |
Example input:
Task ID
00000012
Poll
True
Poll Time Sec
30
| Path | Type | Description |
|---|---|---|
| action_result.data.*.id | String | Unique numeric string that identifies a response task |
| action_result.data.*.status | String | The status of the command sent to the managing server. Possible task statuses: queued, running,succeeded, failed |
| action_result.data.*.created_date_time | String | Task completion time |
| action_result.data.*.last_action_date_time | String | Timestamp in ISO 8601 format that indicates when the information about a submission was last updated |
| action_result.data.*.action | String | Action applied to a submitted object |
| action_result.data.*.description | String | Description of a response task |
| action_result.data.*.account | String | User that triggered the response |
| action_result.data.*.agent_guid | String | Unique alphanumeric string that identifies an installed agent |
| action_result.data.*.endpoint_name | String | Endpoint name of the target endpoint |
| action_result.data.*.file_path | String | File path of the file to be collected from the target |
| action_result.data.*.file_sha1 | String | string (arp-sha1) |
| action_result.data.*.file_sha256 | String | string (arp-sha256) |
| action_result.data.*.file_size | String | Size of the collected file in bytes |
| action_result.data.*.resource_location | String | URL to download the collected file |
| action_result.data.*.expired_date_time | String | Timestamp in ISO 8601 format |
| action_result.data.*.password | String | Password to get the resource |
| action_result.data.*.error | String | Object that contains information about the unsuccessful task. response |
Note: The URL received from the ‘trendmicro-visionone-download-information-for-collected-forensic-file’ will be valid for only 60 seconds
Submit file to sandbox for analysis.
API key role permissions required: Sandbox Analysis
- View, filter, and search
- Submit objects
Type: investigate
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| file_url | URL pointing to the location of the file to be submitted | Required |
| file_name | Name of the file to be analyzed | Required |
| document_pass | The password for decrypting the submitted document. The value must be Base64-encoded. The maximum password length is 128 bytes prior to encoding | Optional |
| archive_pass | The password for decrypting the submitted archive. The value must be Base64-encoded. The maximum password length is 128 bytes prior to encoding | Optional |
| arguments | Parameter that allows you to specify Base64-encoded command line arguments to run the submitted file. The maximum argument length before encoding is 1024 bytes. Arguments are only available for Portable Executable (PE) files and script files | Optional |
Example input:
File Url
https://someurl.com/file=somefile.bat
File Name
some_file.bat
Document Password
cGFzc3dvcmQK
Archive Password
cGFzc3dvcmQK
Arguments
IFMlYztbQA==
| Path | Type | Description |
|---|---|---|
| action_result.data.*.id | String | Unique alphanumeric string that identifies a submission |
| action_result.data.*.digest | String | object (sandbox-digest) |
| action_result.data.*.arguments | String | Command line arguments encoded in Base64 of the submitted file |
Check the status of a task.
API key role permissions required: Response Management
- View, filter, and search (Task List tab)
- Download task result
Type: investigate
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| task_id | Unique numeric string that identifies a response task | Required |
| poll | If script should wait until the task is finished before returning the result (enabled by default) | Optional |
| poll_time_sec | Maximum time to wait for the result to be available | Optional |
Example input:
Task ID
00000012
Poll
True
Poll Time Sec
30
| Path | Type | Description |
|---|---|---|
| action_result.data.*..id | String | Unique numeric string that identifies a response task |
| action_result.data.*..status | String | The status of the command sent to the managing server. Possible task statuses: queued, running,succeeded, failed |
| action_result.data.*..created_date_time | String | Task completion time |
| action_result.data.*..last_action_date_time | String | Timestamp in ISO 8601 format that indicates when the information about a submission was last updated |
| action_result.data.*..action | String | Action applied to a submitted object |
| action_result.data.*..description | String | Description of a response task |
| action_result.data.*..account | String | User that triggered the response |
Gather information about an endpoint.
API key role permissions required: Endpoint Inventory
- View
Type: investigate
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| endpoint | List of hostname, macAddress, agentGuid or IP of the endpoint to query |
Required |
| query_op | Logical operator to employ in the query. (AND/OR) | Required |
Example input:
Endpoint
127.127.127.127,endpoint2,endpoint4
Query Op
or
| Path | Type | Description |
|---|---|---|
| action_result.data.*.agent_guid | String | AgentGuid for the endpoint |
| action_result.data.*.login_account | String | Login Account for the endpoint |
| action_result.data.*.endpoint_name | String | Hostname of the endpoint |
| action_result.data.*.mac_address | String | MacAddress for the endpoint |
| action_result.data.*.ip | String | IP address for the endpoint |
| action_result.data.*.os_name | String | Operating system installed on an endpoint |
| action_result.data.*.os_version | String | Version of the operating system installed on an endpoint |
| action_result.data.*.os_description | String | Description of the operating system installed on an endpoint |
| action_result.data.*.product_code | String | 3-character code that identifies Trend Micro products |
| action_result.data.*.installed_product_codes | String | 3-character code that identifies the installed Trend Micro products on an endpoint |
Adds a note to an existing workbench alert.
API key role permissions required: Workbench
- Modify alert details
Type: generic
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| workbench_id | Workbench id of security incident in Vision One | Required |
| content | note to be added to the workbench event | Required |
Example input:
Alert ID
WB-14-20190709-00003
Content
Suspected False Positive, please verify
| Path | Type | Description |
|---|---|---|
| action_result.data.*.note_id | String | ID of the newly created note |
| action_result.data.*.message | String | Response message for the action taken |
Updates the status of an existing workbench alert.
API key role permissions required: Workbench
- Modify alert details
Type: correct
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| workbench_id | The ID of the workbench alert that you would like to update the status for | Required |
| status | The status to assign to the workbench alert: new, in_progress, true_positive, false_positive, benign_true_positive, closed |
Required |
| if_match | The target resource will be updated only if it matches ETag of the target |
Required |
Example input:
Workbench ID
WB-14-20190709-00003
If Match
33a64df551425fcc55e4d42a148795d9f25f89d4
Status
New
Note: if_match is the etag value provided by the get-alert-details action.
| Path | Type | Description |
|---|---|---|
| action_result.data.*.message | String | Message notifying of success or failure |
Displays information about a specified alert.
API key role permissions required: Workbench
- View, filter, and search
Type: investigate
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| workbench_id | ID of the workbench alert you would like to get the details for | Required |
Example input:
Workbench ID
WB-20837-20221111-0000
| Path | Type | Description |
|---|---|---|
| action_result.data.*.alert | String | Information associated to the workbenchID provided |
| action_result.data.*.etag | String | An identifier for a specific version of a Workbench alert resource |
Submits URLs to the sandbox for analysis.
API key role permissions required: Sandbox Analysis
- View, filter, and search
- Submit objects
Type: investigate
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| urls | List of URLs to be sent to sandbox for analysis. Note: You can submit a maximum of 10 URLs per request | Required |
Example input:
URLS
["www.urlurl.com","www.zurlzurl.com", "https://testurl.com"]
| Path | Type | Description |
|---|---|---|
| action_result.data.*.status | Numeric | HTTP status code for the action |
| action_result.data.*.task_id | String | Unique alphanumeric string that identifies a submission |
| action_result.data.*.url | String | The URL submitted to sandbox for analysis |
| action_result.data.*.id | String | Unique alphanumeric string that identifies a submission |
| action_result.data.*.digest | String | object (sandbox-digest) |
Allow the user(s) to sign in to new application and browser sessions.
API key role permissions required: Response Management
- View, filter, and search (Task List tab)
- Enable/Disable user account, force sign out, force password reset
Type: correct
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| account_identifiers | Object containing account_name and description |
Required |
Example input:
Account Identifiers
[{
"account_name": "jdoe@testemailtest.com",
"description": "Enable user account"
}]
Note: description is optional and a default value is provided.
| Path | Type | Description |
|---|---|---|
| action_result.data.*.status | Numeric | HTTP status code for the action |
| action_result.data.*.task_id | String | Task ID generated after enabling a user account |
Sign out user(s) of all active application and browser sessions, and prevent the user(s) from signing in any new session.
API key role permissions required: Response Management
- View, filter, and search (Task List tab)
- Enable/Disable user account, force sign out, force password reset
Type: correct
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| account_identifiers | Object containing account_name and description |
Required |
Example input:
Account Identifiers
[{
"account_name": "jdoe@testemailtrain.com",
"description": "Disable user account"},
{
"account_name": "jdoe1@testemailtrain.com"
}]
Note: description is optional and a default value is provided.
| Path | Type | Description |
|---|---|---|
| action_result.data.*.status | Numeric | HTTP status code for the action |
| action_result.data.*.task_id | String | Task ID generated after disabling a user account |
Restore quarantined email message(s).
API key role permissions required: Response Management
- View, filter, and search (Task List tab)
- Quarantine/Restore messages
Type: correct
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| email_identifiers | Object containing message_id, mailbox and description or unique_id and description |
Required |
Example input:
Email Identifiers
Call with Message ID
[{
"message_id": "<AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AAhCCNvg5sEua0nNjgfLS2AABNpgTSQAA>",
"mailbox": "jdoe@testemailtest.com",
"description": "Restore email message"
}]
Call with Unique ID
[{
"unique_id": "DEapmEc2byACqAC-EWg0AAhCCNvg5sEua0n",
"description": "Restore email message"
}]
Note: description is optional and a default value is provided. When providing Unique ID, mailbox is not required. Additionally messages can only be restored if they have not been deleted.
| Path | Type | Description |
|---|---|---|
| action_result.data.*.status | Numeric | HTTP status code for the action |
| action_result.data.*.task_id | String | Task ID generated after restoring an email |
API key role permissions required: Response Management
- View, filter, and search (Task List tab)
- Enable/Disable user account, force sign out, force password reset
Sign out user(s) out of all active application and browser sessions.
Type: contain
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| account_identifiers | Object containing account_name and description |
Required |
Example input:
Account Identifiers
[{
"account_name": "jdoe@testemailtest.com",
"description": "Sign out account"
}]
Note: description is optional and a default value is provided.
| Path | Type | Description |
|---|---|---|
| action_result.data.*.status | Numeric | HTTP status code for the action |
| action_result.data.*.task_id | String | Task ID generated after signing out user account |
Signs the user out of all active application and browser sessions, and forces the user to create a new password during the next sign-in attempt.
API key role permissions required: Response Management
- View, filter, and search (Task List tab)
- Enable/Disable user account, force sign out, force password reset
Type: contain
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| account_identifiers | Object containing account_name and description |
Required |
Example input:
Account Identifiers
[{
"account_name": "jdoe@testemailtest.com",
"description": "Force password reset"
}]
Note: description is optional and a default value is provided.
| Path | Type | Description |
|---|---|---|
| action_result.data.*.status | Numeric | HTTP status code for the action. |
| action_result.data.*.task_id | String | Task ID generated after forcing a password reset |
Downloads the suspicious object list associated to the specified object.
API key role permissions required: Sandbox Analysis
- View, filter, and search
- Submit objects
Type: investigate
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| submit_id | Unique alphanumeric string that identifies a submission. | Required |
| poll | If script should wait until the task is finished before returning the result (enabled by default) | Optional |
| poll_time_sec | Maximum time to wait for the result to be available | Optional |
Example input:
Submit ID
90406723-2b29-4e85-b0b2-ba58af8f63df
Poll
false
Poll Time Sec
0
Note: Suspicious Object Lists are only available for objects with a high risk level.
| Path | Type | Description |
|---|---|---|
| action_result.data.*.risk_level | String | Risk Level of suspicious object |
| action_result.data.*.analysis_completion_date_time | String | Analyze time of suspicious object |
| action_result.data.*.expired_date_time | String | Expire time of suspicious object |
| action_result.data.*.root_sha1 | String | Sample sha1 generate this suspicious object |
| action_result.data.*.type | String | Type of item submitted to sandbox for analysis |
| action_result.data.*.value | String | Value of item submitted to sandbox for analysis |
Displays the analysis results of the specified object.
API key role permissions required: Sandbox Analysis
- View, filter, and search
- Submit objects
Type: investigate
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| report_id | Unique alphanumeric string that identifies a submission | Required |
| poll | If script should wait until the task is finished before returning the result (enabled by default) | Optional |
| poll_time_sec | Maximum time to wait for the result to be available | Optional |
Example input:
Report ID
90406723-2b29-4e85-b0b2-ba58af8f63df
Poll
False
Poll Time Sec
0
| Path | Type | Description |
|---|---|---|
| action_result.data.*.id | String | Unique alphanumeric string that identifies the analysis results of a submitted object |
| action_result.data.*.type | String | Object type |
| action_result.data.*.digest | String | object (sandbox-digest) |
| action_result.data.*.risk_level | String | The risk level assigned to the object by the sandbox |
| action_result.data.*.analysis_completion_date_time | String | Timestamp in ISO 8601 format that indicates when the analysis was completed |
| action_result.data.*.arguments | String | Command line arguments encoded in Base64 of the submitted file |
| action_result.data.*.detection_names | String | The name of the threat as detected by the sandbox |
| action_result.data.*.threat_types | String | The threat type as detected by the sandbox |
| action_result.data.*.true_file_type | String | File Type of the Object |
Downloads the Investigation Package of the specified object.
API key role permissions required: Sandbox Analysis
- View, filter, and search
- Submit objects
Type: investigate
Read only: False
| Argument Name | Description | Required |
|---|---|---|
| submit_id | Unique alphanumeric string that identifies a submission | Required |
| poll | If script should wait until the task is finished before returning the result (enabled by default) | Optional |
| poll_time_sec | Maximum time to wait for the result to be available | Optional |
Example input:
Submit ID
00000012
Poll
true
Poll Time Sec
30
| Path | Type | Description |
|---|---|---|
| action_result.data.*.file_added | String | Name of the .zip file added to Vault |
Retrieves information about domains, file SHA-1, file SHA-256, IP addresses, email addresses, or URLs in the Suspicious Object List and displays the information in a paginated list.
API key role permissions required: Suspicious Object Management
- View, filter, and search
Type: investigate
Read only: True
| Argument Name | Description | Required |
|---|---|---|
| N/A |
| Path | Type | Description |
|---|---|---|
| action_result.data.*.value | String | Value that was submitted to suspicious list |
| action_result.data.*.type | String | Type of object that was added to suspicious list |
| action_result.data.*.last_modified_date_time | String | Timestamp in ISO 8601 format that indicates the last time the information about a suspicious object was modified |
| action_result.data.*.description | String | Description of an object |
| action_result.data.*.scan_action | String | Action that connected products apply after detecting a suspicious object |
| action_result.data.*.risk_level | String | Risk level of a suspicious object |
| action_result.data.*.in_exception_list | String | Value that indicates if a suspicious object is in the exception list |
| action_result.data.*.expired_date_time | String | Timestamp in ISO 8601 format that indicates when the suspicious object expires |
Retrieves information about domains, file SHA-1, file SHA-256, IP addresses, sender addresses, or URLs in the Exception List and displays it in a paginated list.
API key role permissions required: Suspicious Object Management
- View, filter, and search
Type: investigate
Read only: True
| Argument Name | Description | Required |
|---|---|---|
| N/A |
| Path | Type | Description |
|---|---|---|
| action_result.data.*.value | String | Value that was submitted to exception list |
| action_result.data.*.type | String | Type of object that was added to exception list |
| action_result.data.*.last_modified_date_time | String | The time the object was created |
| action_result.data.*.description | String | Description of an object |
This version of the Trend Micro app is compatible with Splunk SOAR version 5.1.0 and above.
The app uses HTTPS protocol for communicating with the Trend Vision One server. For authentication a Vision One API Token is used by the Splunk SOAR Connector.