
Cyware Orchestrate

Trend Micro Cloud App Security

Trend Micro Cloud App Security is an advanced threat and data protection solution for cloud services. Through this app, security analysts can obtain service-specific data, launch investigations into known and unknown threats, and perform operations on email messages and user accounts as necessary.

App Vendor: Trend Micro

App Category: Cloud Security

Connector Version: 1.0.0

API Version: 1.0.0

About App

The Trend Micro Cloud App Security app is configured with Orchestrate to perform the following actions:

Action Name

Description

Action on Email Messages

This action deletes, quarantines, or restores an email message.

Action on User Account

This action performs actions on a user account such as disabling a user account, enabling multi-factor authentication (MFA) for a user account, resetting the password for a user account, and terminating all sign-in sessions of Microsoft services for a user account.

Get Blocked Lists

This action retrieves the blocked senders, URLs, SHA-1 hash values, and SHA-256 hash values.

Get Quarantine Events

This action retrieves quarantine events of the services that the Trend Micro Cloud App Security application protects.

Get Security Logs

This action retrieves security event logs of the services that the Trend Micro Cloud App Security application protects.

Query Results

This action queries the results of actions on specified email messages or user accounts.

Sweep Email Messages

This action searches email messages in the Trend Micro Cloud App Security application-protected mailboxes.

Update Block Lists

This action adds or removes senders, URLs, SHA-1 hash values, or SHA-256 hash values to or from the blocked lists on the Trend Micro Cloud App Security application.

Configuration Parameters

The following configuration parameters are required for the Trend Micro Cloud App Security app to communicate with the Trend Micro Cloud App Security enterprise application. The parameters can be configured by creating instances in the app.

Parameter

Description

Field Type

Required/Optional

Comments

Base URL

Enter the base URL.

Example:

  • api.tmcas.trendmicro.com (U.S. global)

  • api-eu.tmcas.trendmicro.com (EU)

  • api.tmcas.trendmicro.co.jp (Japan)

  • api-au.tmcas.trendmicro.com (Australia and New Zealand)

  • api.tmcas.trendmicro.co.uk (UK)

  • api-ca.tmcas.trendmicro.com (Canada)

  • api.tmcas.trendmicro.com.sg (Singapore)

  • api-in.tmcas.trendmicro.com (India)

Text

Required

API Token

Enter the API token.

Password

Required

Action: Action on Email Messages

This action deletes, quarantines, or restores an email message.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Action Type

Enter the action type to perform on the email message.

Text

Required

Allowed values:

  • MAIL_DELETE

  • MAIL_QUARANTINE

  • MAIL_RESTORE

Service

Enter the name of the protected service to which the API applies.

Text

Required

Allowed values:

  • exchange

  • gmail

Account Provider

Enter the account provider.

Text

Required

Allowed values:

  • office365

  • google

Mailbox

Enter the email address of the mailbox that holds the email message to act on.

Example:

"user2@example2.com"

Text

Required

Mail Message Delivery Time

Enter the date and time when the email message to act on was delivered.

Text

Required

You can retrieve the mail message delivery time using the actions Sweep Email Messages or Get Quarantine Events.

Mail Message ID

Enter the internet message ID of the email message to act on.

Text

Optional

You can retrieve the mail message ID using the actions Sweep Email Messages or Get Quarantine Events.

Mail Unique ID

Enter the unique ID of the email message to act on.

Text

Optional

You can retrieve the mail unique ID using the actions Sweep Email Messages or Get Quarantine Events.

Detection Time

Enter the date and time when the security event was detected.

Text

Optional

This parameter is required when restoring an email (MAIL_RESTORE); its value can be retrieved using the action Get Quarantine Events.

Mail Log ID

Enter the mail log ID that uniquely identifies a log.

Text

Optional

This parameter is required when restoring an email (MAIL_RESTORE); its value can be retrieved using the action Get Quarantine Events.
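The following is an added example, not Cyware's or Trend Micro's code: it checks the inputs of the Action on Email Messages action against the rules listed above before the action is submitted. The snake_case key names, the service-to-provider pairing and the "at least one message ID" rule are assumptions, not statements from this page.

```python
# Added example (not Cyware's or Trend Micro's code): checks the inputs of
# the "Action on Email Messages" action against the rules listed above
# before the action is submitted. The snake_case key names are assumed.
ACTION_TYPES = {"MAIL_DELETE", "MAIL_QUARANTINE", "MAIL_RESTORE"}
SERVICES = {"exchange", "gmail"}
ACCOUNT_PROVIDERS = {"office365", "google"}
# Assumption (not stated on the page): Exchange mailboxes live in office365
# and Gmail mailboxes in google, so service and provider must agree.
EXPECTED_PROVIDER = {"exchange": "office365", "gmail": "google"}


def validate_email_action(params):
    """Return a list of problems; an empty list means the inputs are valid."""
    problems = []
    action = params.get("action_type")
    service = params.get("service")
    provider = params.get("account_provider")

    if action not in ACTION_TYPES:
        problems.append(f"action_type must be one of {sorted(ACTION_TYPES)}")
    if service not in SERVICES:
        problems.append(f"service must be one of {sorted(SERVICES)}")
    if provider not in ACCOUNT_PROVIDERS:
        problems.append(f"account_provider must be one of {sorted(ACCOUNT_PROVIDERS)}")
    elif service in SERVICES and EXPECTED_PROVIDER[service] != provider:
        problems.append(f"service {service} expects account_provider "
                        f"{EXPECTED_PROVIDER[service]}")

    # Mailbox and delivery time are required for every action type.
    for key in ("mailbox", "mail_message_delivery_time"):
        if not params.get(key):
            problems.append(f"{key} is required")

    # The page marks both IDs optional; assumption: at least one is needed
    # to identify the message that the action targets.
    if not (params.get("mail_message_id") or params.get("mail_unique_id")):
        problems.append("mail_message_id or mail_unique_id is needed")

    # Detection Time and Mail Log ID are only required when restoring.
    if action == "MAIL_RESTORE":
        for key in ("detection_time", "mail_log_id"):
            if not params.get(key):
                problems.append(f"{key} is required for MAIL_RESTORE")
    return problems
```

Run the check in a playbook step before the action so a restore that lacks Detection Time or Mail Log ID fails locally instead of at the API.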

Action: Action on User Account

This action performs actions on a user account such as disabling a user account, enabling multi-factor authentication (MFA) for a user account, resetting the password for a user account, and terminating all sign-in sessions of Microsoft services for a user account.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Action Type

Enter the action type to perform on a user account.

Text

Required

Allowed values:

  • ACCOUNT_DISABLE

  • ACCOUNT_ENABLE_MFA

  • ACCOUNT_RESET_PASSWORD

  • ACCOUNT_REVOKE_SIGNIN_SESSIONS

Account User Email

Enter the email address used to create the user account.

Example: "user2@example2.com"

Text

Required

Action: Get Blocked Lists

This action retrieves the blocked senders, URLs, SHA-1 hash values, and SHA-256 hash values.

Action Input Parameters

This action does not require any action input parameter.

Action: Get Quarantine Events

This action retrieves quarantine events of the services that Trend Micro Cloud App Security protects.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Start Time

Enter the start time to retrieve quarantine events.

Example:

"2016-07-22T01:51:31Z"

Text

Optional

Allowed format:

ISO 8601 timestamp in UTC, to the second or optionally the millisecond: yyyy-mm-ddThh:mm:ss[.mmm]Z.

  • You can retrieve results within a seven-day range.

  • If neither the start time nor the end time parameter is specified, results from the day preceding the API execution time are retrieved.

  • If only the start time parameter is specified, results from the day after the start time are retrieved.

Example:

  • 2016-07-22T01:51:31Z

  • 2016-07-22T01:51:31.001Z

End Time

Enter the end time to retrieve quarantine events.

Example:

"2016-07-23T01:51:31Z"

Text

Optional

Allowed format:

ISO 8601 timestamp in UTC, to the second or optionally the millisecond: yyyy-mm-ddThh:mm:ss[.mmm]Z.

  • You can retrieve results within a seven-day range.

  • If neither the start time nor the end time parameter is specified, results from the last day are retrieved.

  • The end time cannot be earlier than the start time.

  • If only the end time parameter is specified, results from the day before the end time are retrieved.

Example:

  • 2016-07-22T01:51:31Z

  • 2016-07-22T01:51:31.001Z

Limit

Enter the maximum number of quarantine events to retrieve.

Integer

Optional

Default value:

500

Maximum allowed value:

500

Next Link

Enter the next link to retrieve the remaining log items for the previous request.

Text

Optional

  • Use the next link URL to retrieve results beyond the display limit.

  • Run this action a second time and onwards with the next link URL to retrieve the remaining results.

Action: Get Security Logs

This action retrieves security event logs of the services that Trend Micro Cloud App Security protects.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Service

Enter the name of the protected service whose logs you need to retrieve.

Text

Required

Allowed values:

  • exchange (This covers only Exchange Online related logs.)

  • sharepoint

  • onedrive

  • dropbox

  • box

  • googledrive

  • gmail

  • teams

  • exchangeserver (This covers Exchange Server related logs from ScanMail for Microsoft Exchange after your ScanMail server is registered to Cloud App Security)

  • salesforce_sandbox

  • salesforce_production

  • teams_chat

Event

Enter the type of security event whose logs you need to retrieve.

Text

Required

Allowed values:

  • securityrisk

  • virtualanalyzer

  • ransomware

  • dlp

Start Time

Enter the start time from which to retrieve security logs.

Example:

"2016-07-22T01:51:31Z"

Text

Optional

Allowed format:

ISO 8601 timestamp in UTC, to the second or optionally the millisecond: yyyy-mm-ddThh:mm:ss[.mmm]Z.

  • You can retrieve results within a 72-hour range.

  • If neither the start time nor the end time parameter is specified, results from the five minutes preceding the API execution time are retrieved.

  • If only the start time parameter is specified, results from the five minutes after the start time are retrieved.

Example:

  • 2016-07-22T01:51:31Z

  • 2016-07-22T01:51:31.001Z

End Time

Enter the end time up to which to retrieve security logs.

Example:

"2016-07-23T01:51:31Z"

Text

Optional

Allowed format:

ISO 8601 timestamp in UTC, to the second or optionally the millisecond: yyyy-mm-ddThh:mm:ss[.mmm]Z.

  • You can retrieve results within a 72-hour range.

  • If neither the start time nor the end time parameter is specified, results from the last five minutes are retrieved.

  • The end time cannot be earlier than the start time.

  • If only the end time parameter is specified, results from the five minutes before the end time are retrieved.

Example:

  • 2016-07-22T01:51:31Z

  • 2016-07-22T01:51:31.001Z

Limit

Enter the maximum number of logs to retrieve.

Integer

Optional

Default value:

500

Maximum allowed value:

500

Next Link

Enter the next link to retrieve the remaining log items for the previous request.

Text

Optional

  • Use the next link URL to retrieve results beyond the display limit.

  • Run this action a second time and onwards with the next link URL to retrieve the remaining results.

Action: Query Results

This action queries the results of actions on email messages or user accounts.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Email Message

Enter true to query email messages or false to query user accounts.

Boolean

Required

Allowed values:

  • true

  • false

Batch ID

Enter the unique batch ID of the threat mitigation.

Text

Required

Start Time

Enter the start time from which to retrieve results.

Example:

"2016-07-22T01:51:31Z"

Text

Optional

Allowed format:

ISO 8601 timestamp in UTC, to the second or optionally the millisecond: yyyy-mm-ddThh:mm:ss[.mmm]Z.

  • You can retrieve results within a 72-hour range.

  • If neither the start time nor the end time parameter is specified, results from the five minutes preceding the API execution time are retrieved.

  • If only the start time parameter is specified, results from the five minutes after the start time are retrieved.

Example:

  • 2016-07-22T01:51:31Z

  • 2016-07-22T01:51:31.001Z

End Time

Enter the end time up to which to retrieve results.

Example:

"2016-07-23T01:51:31Z"

Text

Optional

Allowed format:

ISO 8601 timestamp in UTC, to the second or optionally the millisecond: yyyy-mm-ddThh:mm:ss[.mmm]Z.

  • You can retrieve results within a 72-hour range.

  • If neither the start time nor the end time parameter is specified, results from the last five minutes are retrieved.

  • The end time cannot be earlier than the start time.

  • If only the end time parameter is specified, results from the five minutes before the end time are retrieved.

Example:

  • 2016-07-22T01:51:31Z

  • 2016-07-22T01:51:31.001Z

Limit

Enter the maximum number of results to retrieve.

Integer

Optional

Default value:

500

Maximum allowed value:

500

Next Link

Enter the next link to retrieve the remaining results for the previous request.

Text

Optional

  • Use the next link URL to retrieve results beyond the display limit.

  • Run this action a second time and onwards with the next link URL to retrieve the remaining results.

Action: Sweep Email Messages

This action searches email messages in mailboxes protected by Trend Micro Cloud App Security.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Mailbox

Enter the email address of the mailbox to search in.

Example:

"u*ser@example.com"

Text

Optional

Subject

Enter the subject of email messages to search for.

Example:

"sample subject"

Text

Optional

To search for an exact phrase, for example example1 example2, enclose the value in double quotes ("example1 example2"); otherwise the Trend Micro Cloud App Security app performs a partial match on the phrase.

Source IP

Enter the source IP address of email messages to search for.

Example:

  • "xx.yy.zz.ww"

  • "xx.yy.zz.ww/16"

Text

Optional

Extra Parameters

Enter the extra parameters.

Example: $dict{'sender':'u*ser@example.com','file_name':'example',..}

Key Value

Optional

Allowed keys:

  • lastndays (Do not configure lastndays and start/end at the same time)

  • start

  • end

  • file_name

  • file_sha256

  • file_sha1

  • file_extension

  • url

  • sender

  • recipient

  • message_id

  • source_ip

  • limit

  • source_domain

Next Link

Enter the next link to retrieve the meta information of the remaining email messages for the previous request.

Text

Optional

  • Use the next link URL to retrieve results beyond the display limit.

  • Run this action a second time and onwards with the next link URL to retrieve the remaining results.
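The following is an added example, not Cyware's or Trend Micro's code: it assembles the Sweep Email Messages inputs while applying the rules above (only the listed extra keys, no lastndays together with start/end, double quotes for an exact-phrase subject, and a Source IP given as a single address or a CIDR block). The snake_case key names of the returned dictionary are assumed.

```python
# Added example (not Cyware's or Trend Micro's code): builds the Sweep Email
# Messages inputs and enforces the constraints the page lists for them.
import ipaddress

ALLOWED_EXTRA_KEYS = {
    "lastndays", "start", "end", "file_name", "file_sha256", "file_sha1",
    "file_extension", "url", "sender", "recipient", "message_id",
    "source_ip", "limit", "source_domain",
}


def normalise_source_ip(value):
    """Return the canonical address or network; ValueError if it is neither."""
    if "/" in value:
        return str(ipaddress.ip_network(value, strict=False))
    return str(ipaddress.ip_address(value))


def build_sweep_request(mailbox=None, subject=None, exact_subject=False,
                        source_ip=None, **extras):
    """Return the action inputs as a dict (assumed key names); ValueError on rule breaches."""
    unknown = set(extras) - ALLOWED_EXTRA_KEYS
    if unknown:
        raise ValueError(f"unsupported extra parameter(s): {sorted(unknown)}")
    if "lastndays" in extras and extras.keys() & {"start", "end"}:
        raise ValueError("do not configure lastndays and start/end at the same time")
    request = {}
    if mailbox:
        request["mailbox"] = mailbox
    if subject:
        # Double quotes make the sweep match the exact phrase; without them
        # the app performs a partial match.
        request["subject"] = f'"{subject}"' if exact_subject else subject
    if source_ip:
        request["source_ip"] = normalise_source_ip(source_ip)
    request["extra_parameters"] = {k: v for k, v in extras.items() if v is not None}
    return request
```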

Action: Update Block Lists

This action adds or removes senders, URLs, SHA-1 hash values, or SHA-256 hash values to or from the blocked lists on Trend Micro Cloud App Security.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Action Type

Enter the action type to perform.

Text

Required

Allowed values:

  • create (add to the blocked lists)

  • delete (remove from the blocked lists)

Rules

Enter the key-value pairs for the sender, URL, SHA-1 hash value, and SHA-256 hash value lists to configure.

Example:

$JSON{'senders':[value1,..],'urls':[value1,..],'filehashes':[value1,..],'file256hashes':[value1,..]}

Any

Required

Allowed keys:

  • senders

  • urls

  • filehashes

  • file256hashes
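The following is an added example, not Cyware's or Trend Micro's code: it builds the Rules value for Update Block Lists from a flat list of indicators, placing each in the list named above (senders, urls, filehashes for SHA-1, file256hashes for SHA-256) by its shape and rejecting anything that fits none of them. The regular expressions and the sample indicators in the comments are constructed for the example.

```python
# Added example (not Cyware's or Trend Micro's code): sorts indicators into the
# four Rules lists of Update Block Lists and refuses malformed ones.
import re

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)
ACTION_TYPES = {"create", "delete"}


def classify(indicator):
    """Map one indicator to its Rules key and normalised value; ValueError if none fits."""
    value = indicator.strip()
    if SHA1_RE.match(value):
        return "filehashes", value.lower()
    if SHA256_RE.match(value):
        return "file256hashes", value.lower()
    if EMAIL_RE.match(value):
        return "senders", value.lower()
    if URL_RE.match(value):
        return "urls", value
    raise ValueError(f"cannot place {indicator!r} in any blocked list")


def build_block_rules(action_type, indicators):
    """Return (action_type, rules) where rules is the dict serialised as the Rules JSON."""
    if action_type not in ACTION_TYPES:
        raise ValueError("action_type must be 'create' or 'delete'")
    rules = {}
    for item in indicators:
        key, value = classify(item)
        bucket = rules.setdefault(key, [])
        if value not in bucket:            # drop duplicates that differ only in case
            bucket.append(value)
    if not rules:
        raise ValueError("no indicators given")
    return action_type, rules
```

Serialise the returned dict with json.dumps to obtain the $JSON{...} value shown above.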