Cyware Orchestrate

Trend Micro Vision One V2

App Vendor: Trend Micro

Connector Category: Data Enrichment and Threat Intelligence | Endpoint | Network Security | Vulnerability Management

Connector Version: 1.3.0

API Version: 2.0.0

About App

Trend Micro Vision One V2 app allows security teams to integrate with Trend Micro Vision One enterprise app to work with and manage alerts, endpoints, and observables across the extended detection and response lifecycle.

Trend Micro Vision One V2 app is configured with Orchestrate to perform the following actions:

Action Name: Description

  • Add Alert Notes: This action adds notes to an alert.

  • Add Objects: This action adds domains, file SHA-1 values, IP addresses, or URLs to the suspicious object list.

  • Add Objects to Exception List: This action adds domains, file SHA-1 values, IP addresses, or URLs to the exception list and prevents these objects from being added to the suspicious object list.

  • Add to Block List: This action blocks the objects on the Trend Micro application.

  • Collect File: This action compresses a file on an endpoint in a password-protected archive and then sends the archive to the XDR service platform.

  • Delete Objects: This action deletes domains, file SHA-1 values, IP addresses, or URLs from the suspicious object list.

  • Delete Objects from Exception List: This action deletes domains, file SHA-1 values, IP addresses, or URLs from the exception list.

  • Get Alert Details: This action retrieves the details of an alert.

  • Get Alert Notes: This action retrieves the notes of an alert.

  • Get Detailed History Alert: This action retrieves detailed information about alerts.

  • Get Download Information for Collected File: This action retrieves a URL and other information required to download a collected file.

  • Get File Analysis Report: This action retrieves the analysis report, investigation package, or suspicious object list of a submitted file.

  • Get File Analysis Status: This action retrieves the status of a submitted file.

  • Get Observed Attack Techniques: This action retrieves the observed attack techniques.

  • Get Response Task Details: This action retrieves information about a specific response task.

  • Isolate Endpoint: This action isolates an endpoint on the Trend Micro application.

  • List Alerts: This action lists the alerts.

  • Query Agent Information: This action retrieves the information of agents (computer IDs and user accounts).

  • Query Information for Single Endpoint: This action retrieves information from an endpoint that matches the specified computer ID.

  • Remove from Block List: This action removes a file SHA-1, IP address, domain, or URL object that was added to the user-defined suspicious objects list.

  • Restore Endpoint: This action restores network connectivity to an endpoint.

  • Search Data: This action searches data on the Trend Micro application.

  • Submit File to Sandbox: This action submits a file to the sandbox for analysis.

  • Terminate Process: This action terminates a process that is running on an endpoint.

  • Update Alert Status: This action updates an alert status.

  • Delete Alert Notes: This action deletes a note from the specified alert.

  • List Response Task: This action retrieves a list of response tasks.

  • Get Details for Multiple Endpoints: This action retrieves information on endpoints that match the specified computer IDs.

  • Query Operating System Info: This action retrieves operating system information for all agents active in the last seven days.

  • Get Exception List: This action retrieves information about domains, file SHA-1 values, IP addresses, or URLs that are in the exception list and displays the information in a paginated list.

  • Download Custom Intelligence Report: This action downloads a custom intelligence report as a STIX bundle.

  • Trigger Sweeping Task: This action performs a search of your environment or third-party data sources that support STIX-shifter for threat indicators specified in a custom intelligence report.

  • Download Sweeping Task: This action downloads the results of a sweeping task, including matched indicators and associated entities.

  • Get Suspicious Object: This action retrieves information about domains, file SHA-1 values, IP addresses, or URLs that are in the suspicious object list.

  • Generic Action: This is a generic action to perform any additional use case that you want on Trend Micro Vision One V2.

Configuration Parameters

The following configuration parameters are required for the Trend Micro Vision One V2 app to communicate with the Trend Micro Vision One enterprise application. The parameters can be configured by creating instances in the app.

Parameter

Description

Field Type

Required/Optional

Comments

Base URL 

Enter a region-specific base URL to connect to the Trend Micro Vision One V2 app.

Example:

"https://api.xdr.trendmicro.com"

Text

Required

API Token 

Enter the API token to authenticate to Trend Micro Vision One V2.

Password

Required

Action: Add Alert Notes

This action adds notes to an alert.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Workbench ID

Enter an alert workbench ID.

Example:

"WB-9233-20210716-00000"

Text

Required

You can retrieve a Workbench ID using Action: List Alert.

Note

Enter a note to add to the alert.

Example:

"Sample alert note"

Text

Required

Action: Add Objects

This action adds domains, file SHA-1 values, IP addresses, or URLs to the suspicious object list.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Data

Enter the suspicious objects that you need to add to the suspicious object list.

Example:

$JSON[{'description': 'your_description (string)','expiredday': 'your_expiredday (integer)','risklevel': 'your_risklevel (string)','scanaction': 'your_scanaction (string)','type': 'your_type (string)','value': 'your_value (string)'}]

Any

Required

Action: Add Objects to Exception List

This action adds domains, file SHA-1 values, IP addresses, or URLs to the exception list and prevents these objects from being added to the suspicious object list.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Data

Enter an object that you need to add to the exception list.

Example:

$JSON[{'type': 'domain','value': '1.alisiosanguera.com.cn','description': 'example object added to the exception list.'}]

Any

Required

Action: Add to Block List

This action blocks the objects on Trend Micro.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Value Type

Enter the block item value type.

Example:

"file_sha1"

Text

Required

Allowed values:

  • file_sha1

  • ip

  • domain

  • url

  • mailbox

Target Value

Enter the target value for the specified Value Type.

Example:

"2de5c1125d5f991842727ed8ea8b5fda0ffa249b"

Text

Required

Product ID

Enter the target product.

Example:

  • "sao"

  • "xes"

Text

Optional

Description

Enter the action description.

Text

Optional

Action: Collect File

This action compresses a file on an endpoint in a password-protected archive and then sends the archive to the XDR service platform.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Computer ID

Enter a computer ID.

Example:

"cb9c8412-1f64-4fa0-a36b-76bf41a07ede"

Text

Required

You can retrieve a Computer ID using Action: Query Agent Information.

File Path

Enter a filepath.

Text

Required

Product ID

Enter a target product.

Example:

  • "sao"

  • "xes"

  • "sds"

Text

Required

OS

Enter an operating system.

Example:

  • "windows"

  • "mac"

  • "linux"

Text

Required

Description

Enter a description.

Text

Optional

Action: Delete Objects

This action deletes domains, file SHA-1 values, IP addresses, or URLs from the suspicious object list.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Objects

Enter the suspicious objects to be deleted from the suspicious object list.

Example:

$JSON[{'type': 'your_type (string)', 'value': 'your_value (string)'}]

Any

Required

Action: Delete Objects from Exception List

This action deletes domains, file SHA-1 values, IP addresses, or URLs from the exception list.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Objects

Enter the objects that you need to delete from the exception list.

Example:

$JSON[{'type': 'domain','value': '1.alisiosanguera.com.cn'}]

Any

Required

Action: Get Alert Details

This action retrieves details of an alert.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Workbench ID

Enter an alert workbench ID.

Example:

"WB-14-20190709-00003"

Text

Required

You can retrieve a Workbench ID using Action: List Alert.

Action: Get Alert Notes

This action retrieves notes of an alert.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Workbench ID

Enter an alert workbench ID.

Example:

"WB-14-20190709-00003"

Text

Required

You can retrieve a Workbench ID using Action: List Alert.

Action: Get Detailed History Alert

This action retrieves detailed information about alerts.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Start Time

Enter the start time in ISO 8601 format (yyyy-mm-ddthh:mm:ss.mmmz in UTC).

Example:

"2020-06-15t10:00:00.000z"

Text

Required

End Time

Enter the end time in ISO 8601 format (yyyy-mm-ddthh:mm:ss.mmmz in UTC).

Example:

"2020-06-16t10:00:00.000z"

Text

Required

Sort

Enter the field by which to sort the returned alerts.

Text

Optional

To display records in descending order, add a hyphen (-) before the sort value.

Allowed values:

  • investigationstatus

  • score

  • wbname

  • wbid

  • createdtime

  • severity

Investigation Status

Enter the investigation status.

Example:

0

Text

Optional

Allowed Values:

  • 0: new

  • 1: In Progress

  • 2: Resolved - True Positive

  • 3: Resolved - False Positive

Query Time Field

Enter the timestamp between the start time and the end time to be used for retrieving alert data.

Example:

"updatedtime"

Text

Optional

Allowed values:

  • createdtime

  • updatedtime

Default value:

createdtime

Search by

Enter a value for searching keywords in alert data.

Example:

"impactscope"

Text

Optional

Use Search By in conjunction with Keyword for optimal results.

Keyword

Enter a keyword in the range of 1 to 300 characters to search from threat data.

Example:

"document.lnk"

Text

Optional

  • Keywords that contain special characters must be URL-encoded. This parameter supports partial matching.

  • Use Keyword in conjunction with Search By for optimal results.

Starting Position

Enter the starting position (offset) of a record in the dataset.

Example:

4

Integer

Optional

Default value:

0 (zero) indicates the first record

Limit

Enter the maximum number of records to display per page.

Example:

20

Integer

Optional

Default value:

100

Action: Get Download Information for Collected File

This action retrieves a URL and the information required to download a collected file.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Action ID

Enter an action ID.

Example:

"88139521"

Text

Required

You can retrieve an Action ID using Action: Add to Block List.

Action: Get File Analysis Report

This action retrieves the analysis report, investigation package, or suspicious object list of a submitted file.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Report ID

Enter a report ID.

Text

Required

You can retrieve a Report ID using Action: Get File Analysis Status.

Report Type

Enter a report type that you need to retrieve.

Example:

"vareport"

Text

Required

Allowed values:

  • vareport

  • investigationpackage

  • suspiciousobject

Action: Get File Analysis Status

This action retrieves the status of a submitted file.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Task ID

Enter a task ID to retrieve the status of a file.

Example:

"012e4eac-9bd9-4e89-95db-77e02f75a6f3"

Text

Required

You can retrieve a Task ID using Action: Submit File to Sandbox.

Action: Get Observed Attack Techniques

This action retrieves the observed attack techniques.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

From Timestamp

Enter a start timestamp to retrieve the observed attack techniques.

Example:

"1628159233"

Integer

Required

To timestamp

Enter an end timestamp to retrieve the observed attack techniques.

Example:

"1628159633"

Integer

Required

Size

Enter the maximum number of records to retrieve.

Integer

Required

Extra Params

Enter the extra parameters.

Key Value

Optional

Allowed Keys:

  • ingestStart

  • ingestEnd

  • riskLevels

  • endpointName

  • tacticIds

  • techniqueIds

  • filterNames

  • nextBatchToken

For more information on the supported extra parameters, see Search Observed Attack Techniques event list.

Action: Get Response Task Details

This action retrieves information about a specific response task.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Action ID

Enter an action ID.

Example:

"88139521"

Text

Required

You can retrieve an Action ID using Action: Add to Block List.

Action: Isolate Endpoint

This action isolates an endpoint.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Computer ID

Enter a computer ID that you need to isolate.

Example:

"cb9c8412-1f64-4fa0-a36b-76bf41a07ede"

Text

Required

You can retrieve a Computer ID using Action: Query Agent Information.

Product ID

Enter the target product.

Example:

  • "sao"

  • "xes"

Text

Required

Description

Enter a description for isolating an endpoint.

Text

Optional

Action: List Alerts

This action lists all alerts.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Limit

Enter the maximum number of alerts that you need to retrieve.

Integer

Optional

Offset

Enter an offset to return data from.

Text

Optional

0 (zero) indicates the first record.

Source

Enter the data source.

Text

Optional

By default, data from all applicable sources is retrieved.

Query Time Field

Enter a query for the time field.

Example:

querytimefield=createdtime

Text

Optional

Sort by

Enter a method to sort by.

Example:

sortby=-createdtime

Text

Optional

Investigation Status

Enter a list of investigation statuses to retrieve alerts.

Example:

$LIST[0,2]

List

Optional

Allowed values:

  • 0: New

  • 1: In Progress

  • 2: Resolved - True Positive

  • 3: Resolved - False Positive

End time

Enter an end time to retrieve alerts.

Example:

2020-06-15t10:00:00.000z

Text

Optional

Start time

Enter a start time to retrieve alerts.

Example:

"2020-06-15t10:00:00.000z"

Text

Optional

Action: Query Agent Information

This action retrieves the information of agents (computer IDs and user accounts).

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Criteria

Enter the criteria (field and value) used to look up the agents.

Example:

$DICT[{'field': 'hostname','value': 'string'}]

Key Value

Required

Action: Query Information for Single Endpoint

This action retrieves information from an endpoint that matches the specified computer ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Computer ID

Enter a computer ID.

Text

Required

Action: Remove from Block List

This action removes a file SHA-1, IP address, domain, or URL object that was added to the user-defined suspicious objects list.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Value Type

Enter the block item value type.

Example:

Text

Required

Allowed values:

  • file_sha1

  • ip

  • domain

  • url

  • mailbox

Target Value

Enter the target value.

Example:

"2de5c1125d5f991842727ed8ea8b5fda0ffa249b"

Text

Required

Product ID

Enter the target product.

Example:

  • sao

  • xes

Text

Optional

Description

Enter the action description.

Text

Optional
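A playbook that feeds indicators into Add to Block List or Remove from Block List should check that each Target Value actually matches its declared Value Type before the action runs, so that a malformed or mis-typed indicator is rejected in the playbook rather than silently accepted or blocked wrongly. The following is an added example, not code from the Cyware Orchestrate app or from Trend Micro; the value types and parameter labels come from this page, while the format rules (40-hex SHA-1, http(s) URLs, the domain and mailbox patterns) and the "sao"/"xes" product check are this example's own assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Value types listed under Add to Block List / Remove from Block List.
BLOCK_VALUE_TYPES = ("file_sha1", "ip", "domain", "url", "mailbox")

# Format rules below are this example's assumptions, not documented by the app.
_SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")
_MAILBOX_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalise_indicator(value_type: str, value: str) -> str:
    """Return the cleaned Target Value, or raise ValueError if it does not
    match the declared Value Type."""
    if value_type not in BLOCK_VALUE_TYPES:
        raise ValueError(f"unsupported Value Type: {value_type!r}")
    v = value.strip()
    if value_type == "file_sha1":
        v = v.lower()
        if not _SHA1_RE.match(v):
            raise ValueError("file_sha1 must be 40 hexadecimal characters")
    elif value_type == "ip":
        v = str(ipaddress.ip_address(v))   # raises ValueError on junk
    elif value_type == "domain":
        v = v.lower().rstrip(".")
        if not _DOMAIN_RE.match(v):
            raise ValueError(f"not a valid domain: {value!r}")
    elif value_type == "url":
        parts = urlparse(v)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"not an http(s) URL: {value!r}")
    else:  # mailbox
        v = v.lower()
        if not _MAILBOX_RE.match(v):
            raise ValueError(f"not a mailbox address: {value!r}")
    return v


def is_valid_indicator(value_type: str, value: str) -> bool:
    """True when the value passes the check for its Value Type."""
    try:
        normalise_indicator(value_type, value)
        return True
    except ValueError:
        return False


def build_block_list_input(value_type, target_value,
                           product_id=None, description=None):
    """Assemble the action input using this page's parameter labels as keys.
    product_id is checked against the two products the page gives as
    examples (an assumption of this example)."""
    if product_id is not None and product_id not in ("sao", "xes"):
        raise ValueError(f"unexpected Product ID: {product_id!r}")
    data = {
        "Value Type": value_type,
        "Target Value": normalise_indicator(value_type, target_value),
    }
    if product_id:
        data["Product ID"] = product_id
    if description:
        data["Description"] = description
    return data


if __name__ == "__main__":
    # Constructed sample input: the page's SHA-1 example plus two bad entries.
    for vt, val in [("file_sha1", "2de5c1125d5f991842727ed8ea8b5fda0ffa249b"),
                    ("ip", "999.1.1.1"), ("domain", "bad_domain")]:
        print(vt, val, "->", is_valid_indicator(vt, val))
```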

Action: Restore Endpoint

This action restores the network connectivity of an endpoint.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Computer ID

Enter a computer ID.

Example:

"cb9c8412-1f64-4fa0-a36b-76bf41a07ede"

Text

Required

Product ID

Enter the target product.

Example:

"sao"

Text

Required

Description

Enter a description.

Text

Optional

Action: Search Data

This action searches data on the Trend Micro app.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

From Time Stamp

Enter a timestamp to search from.

Example:

1628159233

Integer

Required

To Timestamp

Enter a timestamp to search until.

Example:

1628159233

Integer

Required

Query

Enter a query to search for.

Example:

hostname:*

Text

Required

Source

Enter a source grouping to search in.

Example:

"endpointactivitydata"

Text

Required

Allowed values:

  • endpointactivitydata

  • messageactivitydata

  • detections

  • networkactivitydata

Fields

Enter a list of fields to return.

Example: ["dpt","dst","endpointguid","endpointhostname"]

List

Optional

By default, values from all fields are retrieved.

Offset

Enter an offset value.

Integer

Optional

Default value:

0

Action: Submit File to Sandbox

This action submits a file to the sandbox for analysis.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Filename

Enter a file name.

Text

Required

File Path

Enter a file path.

Example:

"/tmp/<GUID>/attachment.pdf"

Text

Required

Document Password

Enter a document password for decrypting the submitted document-type sample.

Text

Optional

The value of the document password must be base64-encoded.

Archive Password

Enter an archive password for decrypting the submitted archive-type sample.

Text

Optional

The value of the archive password must be base64-encoded.

Action: Update Alert Status

This action updates an alert status.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Workbench ID

Enter an alert workbench ID.

Example:

"wb-14-20190709-00003"

Text

Required

Status

Enter an alert status.

Example:

1

Integer

Required

Allowed values:

  • 0: new

  • 1: in progress

  • 2: resolved: true positive

  • 3: resolved: false positive

Action: Delete Alert Notes

This action deletes a note from the specified alert. Note that you may need special permissions to execute this action. For the workbench, enable the modify alert details permissions.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Workbench ID

Enter the workbench ID of the alert. 

Example: 

wb-14-20190709-00003

Text

Required

You can retrieve the Workbench ID using the action List Alert.

Note IDs

Enter the note IDs that you want to delete. Use a comma-separated list to enter multiple IDs. 

Example: 

[123,234]

List

Required

You can retrieve the Note ID using the action Get Alert Notes.

Action: List Response Task

This action retrieves a list of response tasks. Note that you may need special permissions to execute this action. For Response Management, enable the view, filter, and search (Task List tab) permissions.

Action Input Parameters

This action does not require any input parameter. 

Action: Get Details for Multiple Endpoints

This action retrieves information about endpoints that match the specified computer IDs.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Computer IDs

Enter the computer IDs to get the details about the endpoints.

List

Required

You can retrieve the Computer ID using the action Query Agent Information.

Action: Query Operating System Info

This action retrieves the operating system information for all agents active in the last seven days.

Action Input Parameters

This action does not require any input parameter. 

Action: Get Exception List

This action retrieves information about domains, file SHA-1 values, IP addresses, or URLs that are in the exception list and displays the information in a paginated list. Note that you may need special permissions to execute this action. For Suspicious Object Management, enable the view, filter, and search permissions.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query parameters

Enter the query parameters to filter the result. 

Example: 

limit: 100, type: ip

Key Value

Optional

 

Action: Download Custom Intelligence Report

This action downloads a custom intelligence report as a STIX bundle. Note that you may need special permissions to execute this action. For Intelligence Reports, enable the Download STIX Intelligence Report permissions.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Report ID

Enter the report ID to download a custom intelligence report. 

Example: 

report--2c1091ba-a7d2-46b2-bf97-4137916c30ca

Text

Required

You can retrieve the Report ID using the action Get File Analysis Status.

Action: Trigger Sweeping Task

This action searches your environment or third-party data sources that support STIX-shifter for threat indicators specified in a custom intelligence report. Note that you may need special permissions to execute this action. For Intelligence Reports, enable the permissions to start sweeping (STIX-Shifter).

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Report ID

Enter the report ID. 

Example: 

report--2c1091ba-a7d2-46b2-bf97-4137916c30ca

Text

Required

 

Sweep Type

Enter the type of sweeping task. 

Example:

manual

Text

Required

Allowed values:

  • manual

  • stixshifter

Action: Download Sweeping Task

This action downloads the results of a sweeping task, including matched indicators and associated entities.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Report ID

Enter the ID of the custom intelligence report. 

Example: 

report--2c1091ba-a7d2-46b2-bf97-4137916c30ca

Text

Required

 

Task ID

Enter the task ID to download. 

Example: 

43597ab5-b8b4-415d-87dc-24c94df82012

Text

Required

 

Action: Get Suspicious Object

This action retrieves information about domains, file SHA-1 values, IP addresses, or URLs that are in the suspicious object list.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters to filter the result. 

Example: 

limit: 100, type: ip

Key Value

Optional

 

Action: Terminate Process

This action terminates a process that is running on an endpoint.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Computer ID

Enter the computer ID. 

Example:

cb9c8412-1f64-4fa0-a36b-76bf41a07ede

Text

Required

File SHA 1

Enter the file SHA 1. 

Example:

12a08b7a3c5a10b64700c0aca1a47941b50a4f8b

Text

Required

Product ID

Enter the target product. 

Text

Optional

Default: 

sao

Description

Enter the action description.

Text

Optional

File Name

Enter the filename. 

Example: 

samplefile

Text

Optional

Action: Generic Action

This is a generic action to perform any additional use case that you want on Trend Micro Vision One.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Endpoint

Enter the endpoint to make the request to. 

Example:

'company_guid/findings'

Text

Required

 

Method

Enter the HTTP method. 

Example:

GET

Text

Required

Allowed values:

  • GET

  • POST

  • PUT

  • DELETE

Query params

Enter query parameters to filter the result. 

Example: 

limit : 10

Any

Optional

 

Payload Data

Enter the payload data to pass to the API. 

Example: 

'type': type, 'id': id

Key Value

Optional

 

Payload JSON

Enter the payload JSON to pass to the API. 

Example:

$JSON[{"sweeptype": ip}]

Any

Optional