Trend Micro Vision One
App Vendor: Trend Micro Vision One
App Category: Analytics & SIEM
Connector Version: 2.0.0
API Version: v3
About App
The Trend Micro Vision One app enables security teams to manage and respond to alerts, endpoints, and observables with enhanced XDR capabilities.
The Trend Micro Vision One app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Add to Block List | This action blocks an IOC on Trend Micro Vision One. |
Add to Suspicious Object Exception List | This action adds an IOC to the suspicious object exception list on Trend Micro Vision One. |
Add to Suspicious Object List | This action adds an item to the suspicious object list on Trend Micro Vision One. |
Bind a Data Type to Pipeline | This action binds a data type to a pipeline. |
Delete Custom Intelligence Report | This action deletes the specified custom intelligence report. |
Download Analysis Report | This action downloads the analysis report of a submission in PDF format. |
Download Custom Intelligence Report | This action downloads the custom intelligence report as a STIX bundle. |
Get Analysis Report | This action retrieves the analysis report of a submission. |
Get Package Details | This action retrieves the details of the specified package. |
Get Pipeline Information | This action retrieves the information of the specified data pipeline. |
Get Submission Details | This action retrieves the details of the specified sandbox submission. |
Get Task Results | This action retrieves the result of the specified task. |
Isolate Endpoints | This action disconnects one or more endpoints from the network on Trend Micro Vision One. |
List All Analysis Results | This action lists all analysis results. |
List All Bound Data Pipelines | This action lists all the data pipelines that have a data type assigned. |
List Available Packages | This action lists all the available packages from the specified data pipeline. |
List Custom Intelligence Report | This action lists the custom intelligence reports. |
List Submissions | This action lists all the sandbox submissions. |
List Tasks | This action lists the tasks. |
Remove from Blocklist | This action removes an IOC from the blocklist on Trend Micro Vision One. |
Remove from Suspicious Object Exception List | This action removes an IOC from the suspicious object exception list on Trend Micro Vision One. |
Remove from Suspicious Object List | This action removes an IOC from the suspicious object list on Trend Micro Vision One. |
Restore Endpoints | This action restores network connection to one or more endpoints on Trend Micro Vision One. |
Submit URLs for Analysis | This action submits URLs to the sandbox for analysis. |
Unbind Data Type from Pipeline | This action unbinds a data type from the specified pipeline. |
Update Pipeline Settings | This action updates the settings of the specified data pipeline. |
Configuration Parameters
The following configuration parameters are required for the Trend Micro Vision One app to communicate with the Trend Micro Vision One enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL to access Trend Micro Vision One. This is region specific. Example: https://xdr.trendmicro.com | Text | Required | |
API Token | Enter the API token for authentication. | Password | Required | |
Verify | Choose whether to verify the SSL/TLS certificate when making requests. It is recommended to set this option to yes. Setting it to no disables certificate verification, so the connection may be established with a server whose identity has not been checked. | Boolean | Optional | By default, this is enabled. |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Trend Micro Vision One. | Integer | Optional | Allowed range: 15-120. Default value: 15. |
Action: Add to Block List
This action blocks an IOC on Trend Micro Vision One.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator Type | Enter the indicator type to block. | Text | Required | Allowed values: arp-batchSuspiciousObjectUrl, arp-batchSuspiciousObjectDomain, arp-batchSuspiciousObjectFileSha1, arp-batchSuspiciousObjectEmailSender, arp-batchSuspiciousObjectIp. |
Indicator | Enter the indicator to block. Example: https://sampledomain.com | Text | Required | |
Description | Enter the reason for blocking the indicator. Example: this is malicious | Text | Required | |
Action: Add to Suspicious Object Exception List
This action adds an IOC to the suspicious object exception list on Trend Micro Vision One.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator Type | Enter the indicator type to add to the suspicious object exception list. | Text | Required | Allowed values: atl-v3-suspiciousObjectAddExceptionUrl, atl-v3-suspiciousObjectAddExceptionDomain, atl-v3-suspiciousObjectAddExceptionIp, atl-v3-suspiciousObjectAddExceptionSenderMailAddress, atl-v3-suspiciousObjectAddExceptionFileSha1, atl-v3-suspiciousObjectAddExceptionFileSha256 |
Indicator | Enter the indicator to add to the suspicious object exception list. Example: https://*.sampledomain.com/path1/* | Text | Required | |
Description | Enter the reason for adding the IOC to the suspicious object exception list. Example: This might be malicious | Text | Required | |
Action: Add to Suspicious Object List
This action adds an item to the suspicious object list on Trend Micro Vision One.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator Type | Enter the indicator type of the item to be added. | Text | Required | Allowed values: atl-v3-suspiciousObjectSettingsUrl, atl-v3-suspiciousObjectSettingsDomain, atl-v3-suspiciousObjectSettingsSenderMailAddress, atl-v3-suspiciousObjectSettingsIp, atl-v3-suspiciousObjectSettingsFileSha1, atl-v3-suspiciousObjectSettingsFileSha256 |
Indicator | Enter the indicator to add to the suspicious object list. Example: http://sampledomain.com | Text | Required | |
Description | Enter the description for adding an item to the suspicious object list. Example: This might be malicious | Text | Required | |
Scan Action | Enter the action to perform. | Text | Required | The allowed values are block and log. |
Risk Level | Enter the risk level of the suspicious object. | Text | Required | The allowed values are high, medium, and low. |
Days to Expire | Enter the number of days before the object expires. Set this to -1 to ensure that the suspicious object never expires. Example: 30 | Integer | Required | |
Action: Bind a Data Type to Pipeline
This action binds a data type to a pipeline. The pipeline saves the data type for seven days.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Type | Enter the data type to bind to the pipeline. | Text | Required | The allowed values are telemetry and detection. |
Description | Enter notes or a description for the pipeline. | Text | Optional | |
Sub Type | Specify the sub-type of data to retrieve for the data type. | List | Optional | Allowed values: endpointActivity, cloudActivity, emailActivity, mobileActivity, networkActivity, containerActivity, identityActivity, all. By default, the pipeline retrieves all available data types. |
Action: Delete Custom Intelligence Report
This action deletes the specified custom intelligence report.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID to delete the custom intelligence report. Example: report--2c1091ba-a7d2-46b2-bf97-4137916c30cb | Text | Required | You can retrieve this using the action List Custom Intelligence Report. |
Action: Download Analysis Report
This action downloads the analysis report of a submission in PDF format.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Analysis ID | Enter the analysis ID to download the report. Example: 8559a7ce-2b85-451b-8742-4b943ad76a22 | Text | Required | You can retrieve this using the action List All Analysis Results. |
Action: Download Custom Intelligence Report
This action downloads the custom intelligence report as a STIX bundle.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID to download the report. Example: report--2c1091ba-a7d2-46b2-bf97-4137916c30cb | Text | Required | You can retrieve this using the action List Custom Intelligence Report. |
Action: Get Analysis Report
This action retrieves the analysis report of a submission.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Analysis ID | Enter the analysis ID to retrieve the report. Example: 8559a7ce-2b85-451b-8742-4b943ad76a22 | Text | Required | You can retrieve this using the action List All Analysis Results. |
Action: Get Package Details
This action retrieves the details of the specified package.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Data Pipeline ID | Enter the data pipeline ID to retrieve the package details. Example: 8746fc45-6b9d-4923-b476-931aec6e06eb | Text | Required | You can retrieve this using the action List All Bound Data Pipelines. |
Package ID | Enter the ID of the package stored in a data pipeline to retrieve its details. Example: 2021103019-7898c20d-fc91-443b-9a4e-f8ec3ab745ab | Text | Required | You can retrieve this using the action List Available Packages. |
Action: Get Pipeline Information
This action retrieves the information of the specified data pipeline.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Data Pipeline ID | Enter the ID of the data pipeline to retrieve its information. Example: 8746fc45-6b9d-4923-b476-931aec6e06eb | Text | Required | You can retrieve this using the action List All Bound Data Pipelines. |
Action: Get Submission Details
This action retrieves the details of the specified sandbox submission.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Submission ID | Enter the ID of the sandbox submission to retrieve its details. Example: 012e4eac-9bd9-4e89-95db-77e02f75a611 | Text | Required | You can retrieve this using the action List Submissions. |
Action: Get Task Results
This action retrieves the result of the specified task.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Task ID | Enter the task ID to retrieve the results. Example: 43597ab5-b8b4-415d-87dc-24c94df82012 | Text | Required | You can retrieve this using the action List Tasks. |
Action: Isolate Endpoints
This action disconnects one or more endpoints from the network on Trend Micro Vision One.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint Type | Enter the endpoint type to isolate. | Text | Required | Allowed values: arp-batchbyagentguid, arp-batchbyendpointname |
Endpoint | Enter the endpoint to isolate. Example: cb9c8412-1f64-4fa0-a36b-76bf41a07ede | Text | Required | |
Description | Enter the description for isolating an endpoint. Example: Suspicious behaviour detected | Text | Required | |
Action: List All Analysis Results
This action lists all analysis results.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Specify the filters to narrow down the response. Example: filter=(riskLevel eq 'high') or (riskLevel eq 'medium') | Text | Optional | Allowed keys: 'sha1' - SHA-1 hash value of an object; 'sha256' - SHA-256 hash value of an object; 'md5' - MD5 hash value of an object; 'riskLevel' - risk level assigned to the object by the sandbox (possible values: 'high', 'medium', 'low', and 'noRisk'); 'type' - object type (possible values: 'file' and 'url'); 'id' - unique alphanumeric string that identifies the analysis results of a submission; 'eq' - operator 'equal to'; 'and' - operator 'and'; 'or' - operator 'or'; 'not' - operator 'not'; '( )' - symbols for grouping operands with their correct operator. |
Order By | Enter the order to sort the response in ascending or descending order. Example: orderBy=analysisCompletionDateTime desc | Text | Optional | Allowed fields and operators: analysisCompletionDateTime, riskLevel. Default value: analysisCompletionDateTime desc. |
Start time | Enter the start time in ISO 8601 format to retrieve submissions from the specified date. Example: startdatetime=2021-04-05T08:22:37Z | Text | Optional | By default, this value is set to 180 days prior to the request date |
End time | Enter the end time in ISO 8601 format to retrieve submissions up to the specified date. Example: enddatetime=2021-04-06t08:22:37z | Text | Optional | By default, this value is set to the request date. |
Top | Enter the number of records to return on each page. Example: top=100 | Integer | Optional | Allowed values: 50, 100, and 200. Default value: 50. |
Action: List All Bound Data Pipelines
This action lists all the data pipelines that have a data type assigned.
Action Input Parameters
No input parameters are required for this action.
Action: List Available Packages
This action lists all the available packages from the specified data pipeline.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Data Pipeline ID | Enter the data pipeline ID to retrieve the packages. Example: 8746fc45-6b9d-4923-b476-931aec6e06eb | Text | Required | You can retrieve this using the action List All Bound Data Pipelines. |
Action: List Custom Intelligence Report
This action lists the custom intelligence reports.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Specify the filters to narrow down the response. Example: filter=id eq 'report--2c1091ba-a7d2-46b2-bf97-4137916c30cb' and name eq 'report1' | Text | Optional | Allowed values: 'id' - unique alphanumeric string that identifies a custom intelligence report; 'name' - title of a custom intelligence report; 'eq' - operator 'equal to'; 'and' - operator 'and'; 'or' - operator 'or'; 'not' - operator 'not'; '( )' - symbols for grouping operands with their correct operator. |
Order By | Enter the order to sort the response in ascending or descending order. Example: orderby=createddatetime desc | Text | Optional | Allowed fields and operators: updatedDateTime, asc, desc. Default value: createdDateTime desc. |
Start Time | Enter the start time in ISO 8601 format to retrieve submissions from the specified date. Example: startdatetime=2021-04-05t08:22:37z | Text | Optional | By default, this value is set to the earliest available value for 'updatedDateTime'. |
End Time | Enter the end time in ISO 8601 format to retrieve submissions up to the specified date. Example: enddatetime=2021-04-06t08:22:37z | Text | Optional | By default, this value is set to the request date. |
Top | Enter the number of records to return on each page. Example: top=100 | Integer | Optional | Allowed values: 50, 100, and 200. Default value: 100. |
Action: List Submissions
This action lists all the sandbox submissions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Specify the filters to narrow down the response. Example: filter=status eq 'succeeded' | Text | Optional | Allowed fields: 'status' - analysis status of an object (possible values: 'succeeded', 'running', and 'failed'); 'action' - action applied to an object (possible values: 'analyzeFile' and 'analyzeUrl'); 'sha1' - SHA-1 hash value of an object; 'sha256' - SHA-256 hash value of an object; 'md5' - MD5 hash value of an object; 'id' - submission ID; 'eq' - operator 'equal to'; 'and' - operator 'and'; 'or' - operator 'or'; 'not' - operator 'not'; '( )' - symbols for grouping operands with their correct operator. |
Order By | Enter the order to sort the response in ascending or descending order. Example: orderby=lastActionDateTime desc, createdDateTime desc | Text | Optional | Allowed fields: createdDateTime, lastActionDateTime. Default value: createdDateTime desc. |
Start Time | Enter the start time in ISO 8601 format to retrieve submissions from the specified date. Example: startdatetime=2021-12-17t12:00:00z | Text | Optional | By default, this value is set to 180 days prior to the request date. |
End Time | Enter the end time in ISO 8601 format to retrieve submissions up to the specified date. Example: enddatetime=2022-06-15t12:00:00z | Text | Optional | By default, this value is set to the request date. |
Time Target | Enter the parameter to specify the field used to sort the submission list. | Text | Optional | Allowed values: createdDateTime, lastActionDateTime. Default value: createdDateTime. |
Top | Enter the number of records to return on each page. | Integer | Optional | Allowed values: 50, 100, and 200. Default value: 50. |
Action: List Tasks
This action lists the tasks.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Specify the filters to narrow down the response. Example: filter=sweeptype eq 'manual' and ishit eq true | Text | Optional | Allowed values: 'id' - unique alphanumeric string of the sweeping task; 'sweepType' - type of sweeping task (possible values: 'schedule', 'manual', and 'stixShifter'); 'isHit' - whether indicators were matched during a sweeping task (boolean); 'status' - status of a sweeping task (possible values: 'notstarted', 'running', 'succeeded', and 'failed'); 'eq' - operator 'equal to'; 'and' - operator 'and'; 'or' - operator 'or'; 'not' - operator 'not'; '( )' - symbols for grouping operands with their correct operator. |
Order By | Enter the order to sort the response in ascending or descending order. Example: orderby=lastActionDateTime desc | Text | Optional | Allowed fields: lastActionDateTime, asc, desc. Default value: lastActionDateTime desc. |
Start Time | Enter the start time in ISO 8601 format to retrieve submissions from the specified date. Example: startdatetime=2021-04-05t08:22:37z | Text | Optional | By default, this value is set to the earliest available value for 'createddatetime'. |
End Time | Enter the end time in ISO 8601 format to retrieve submissions up to the specified date. Example: enddatetime=2021-04-06t08:22:37z | Text | Optional | By default, this value is set to the request date. |
Top | Enter the number of records to return on each page. Example: top=100 | Integer | Optional | Allowed values: 50, 100, and 200. Default value: 100. |
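The Filters parameter of List All Analysis Results, List Custom Intelligence Report, List Submissions and List Tasks shares one expression syntax (field eq value, and/or/not, parentheses), and a playbook that builds it from enrichment data can easily produce an expression the API rejects. The validator below is an added example, not part of the Cyware app or the Trend Micro API: it checks an expression against the allowed fields and values from the tables above, rejects unknown fields, bad values and unbalanced parentheses, and emits the canonical Filters value. The action names and the field casing are assumed from this page, and the expression is passed without the filter= prefix.

```python
import re

# Allowed filter fields per list action, taken from the action tables above.
ALLOWED_FIELDS = {
    "List All Analysis Results": {"sha1", "sha256", "md5", "riskLevel", "type", "id"},
    "List Submissions": {"status", "action", "sha1", "sha256", "md5", "id"},
    "List Custom Intelligence Report": {"id", "name"},
    "List Tasks": {"id", "sweepType", "isHit", "status"},
}
# Fields with a fixed value set, per action ('status' differs between actions).
ENUM_VALUES = {
    "List All Analysis Results": {"riskLevel": {"high", "medium", "low", "noRisk"}, "type": {"file", "url"}},
    "List Submissions": {"status": {"succeeded", "running", "failed"}, "action": {"analyzeFile", "analyzeUrl"}},
    "List Tasks": {"sweepType": {"schedule", "manual", "stixShifter"}, "status": {"notstarted", "running", "succeeded", "failed"}},
}
BOOL_FIELDS = {"isHit"}  # compared against a bare true/false, not a quoted string
# One token per match: '(', ')', a single-quoted value, or a bare word.
TOKEN_RE = re.compile(r"\s*(?:(\()|(\))|'([^']*)'|([A-Za-z][A-Za-z0-9]*))")

def tokenize(text):
    """Return (kind, value) tokens ending with an ('end', None) sentinel."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        pos, word = m.end(), m.group(4)
        if word is None:  # parenthesis or quoted string
            kind = "lparen" if m.group(1) else "rparen" if m.group(2) else "string"
            tokens.append((kind, m.group(1) or m.group(2) or m.group(3)))
        elif word.lower() in ("eq", "and", "or", "not", "true", "false"):
            tokens.append(("op" if word.lower() in ("eq", "and", "or", "not") else "bool", word.lower()))
        else:
            tokens.append(("ident", word))
    return tokens + [("end", None)]

def build_filter(action, expression):
    """Validate expression for the action and return the Filters value ('filter=...') or raise ValueError.
    Grammar: expr := term (('and'|'or') term)* ; term := 'not' term | '(' expr ')' | field 'eq' value."""
    canon = {f.lower(): f for f in ALLOWED_FIELDS[action]}  # case-insensitive field lookup
    enums, toks, i = ENUM_VALUES.get(action, {}), tokenize(expression), 0
    def take(kind, value=None):  # consume one token of the expected kind (and value)
        nonlocal i
        k, v = toks[i]
        if k != kind or (value is not None and v != value):
            raise ValueError(f"expected {value or kind}, got {v!r}")
        i += 1
        return v
    def expr():
        parts = [term()]
        while toks[i] in (("op", "and"), ("op", "or")):
            parts += [take("op"), term()]
        return " ".join(parts)
    def term():
        if toks[i] == ("op", "not"):
            take("op")
            return "not " + term()
        if toks[i][0] == "lparen":
            take("lparen")
            inner = expr()
            take("rparen")  # an unbalanced '(' fails here
            return f"({inner})"
        field = canon.get(take("ident").lower())
        if field is None:
            raise ValueError("field is not allowed for this action")
        take("op", "eq")
        value = take("bool" if field in BOOL_FIELDS else "string")
        if field in enums and value not in enums[field]:
            raise ValueError(f"{value!r} not allowed for {field}; allowed: {sorted(enums[field])}")
        return f"{field} eq {value}" if field in BOOL_FIELDS else f"{field} eq '{value}'"

    out = expr()
    take("end")  # anything left over, e.g. a stray ')', is an error
    return "filter=" + out
```

Field names are matched case-insensitively and emitted in the casing the tables use, so the page's own example sweeptype eq 'manual' and ishit eq true is accepted and normalised.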
Action: Remove from Blocklist
This action removes an IOC from the blocklist on Trend Micro Vision One.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator Type | Enter the indicator type to remove it from the blocklist. | Text | Required | Allowed values: arp-batchSuspiciousObjectUrl, arp-batchSuspiciousObjectDomain, arp-batchSuspiciousObjectFileSha1, arp-batchSuspiciousObjecteMailSender, arp-batchSuspiciousObjectIp |
Indicator | Enter the indicator to remove it from the blocklist. Example: https://dummyurl.com | Text | Required | |
Description | Enter the reason to remove an IOC from the blocklist. Example: added to test | Text | Required | |
Action: Remove from Suspicious Object Exception List
This action removes an IOC from the suspicious object exception list on Trend Micro Vision One.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator Type | Enter the indicator type to remove it from the suspicious object exception list. | Text | Required | Allowed values: atl-v3-suspiciousObjectExceptionUrl, atl-v3-suspiciousObjectExceptionDomain, atl-v3-suspiciousObjectExceptionFileSha1, atl-v3-suspiciousObjectExceptionSenderMailAddress, atl-v3-suspiciousObjectExceptionIp, atl-v3-suspiciousObjectExceptionFileSha256 |
Indicator | Enter the indicator to remove from the suspicious object exception list. Example: https://*.example.com/path1/* | Text | Required | |
Action: Remove from Suspicious Object List
This action removes an IOC from the suspicious object list on Trend Micro Vision One.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator Type | Enter the indicator type to remove it from the suspicious object list. | Text | Required | Allowed values: atl-v3-suspiciousObjectUrl, atl-v3-suspiciousObjectDomain, atl-v3-suspiciousObjectSenderMailAddress, atl-v3-suspiciousObjectIp, atl-v3-suspiciousObjectFileSha1, atl-v3-suspiciousObjectFileSha256 |
Indicator | Enter the indicator to remove it from the suspicious object list. Example: http://sampledomain.com | Text | Required | |
Action: Restore Endpoints
This action restores network connection to one or more endpoints on Trend Micro Vision One.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint Type | Enter the type of the endpoint to restore. | Text | Required | Allowed values: arp-batchByAgentGuid, arp-batchByEndpointName |
Endpoint | Enter the endpoint to restore, as an agent GUID or an endpoint name matching the selected Endpoint Type. | Text | Required | |
Description | Enter the description for restoring the endpoint. Example: This endpoint is no longer suspicious. | Text | Required | |
Action: Submit URLs for Analysis
This action submits URLs to the sandbox for analysis.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
URLs | Enter the list of URLs to submit for analysis. | List | Required | You can submit up to 10 URLs in each request. |
Action: Unbind Data Type from Pipeline
This action unbinds a data type from the specified pipeline.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Data Pipeline ID | Enter one or more data pipeline IDs to unbind the data type from the pipeline. | List | Required | You can retrieve these IDs using the action List All Bound Data Pipelines. |
Action: Update Pipeline Settings
This action updates the settings of the specified data pipeline.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Data Pipeline ID | Enter the data pipeline ID to update the settings. Example: 8746fc45-6b9d-4923-b476-931aec6e06eb | Text | Required | You can retrieve this using the action List All Bound Data Pipelines. |
Type | Enter the data type of the data pipeline to update the settings. | Text | Optional | Allowed values: telemetry and detection |
Sub Type | Specify the sub-type of data to retrieve for the data type. | Text | Optional | Allowed values: endpointActivity, cloudActivity, emailActivity, mobileActivity, networkActivity, containerActivity, identityActivity, all. By default, the pipeline retrieves all available data types. |
Description | Enter the updated notes or description for the pipeline. | Text | Optional | |