Cyware Orchestrate

Trend Micro Vision One

App Vendor: Trend Micro Vision One

App Category: Analytics & SIEM

Connector Version: 2.0.0

API Version: v3

About App

The Trend Micro Vision One app enables security teams to manage and respond to alerts, endpoints, and observables with enhanced XDR capabilities.

The Trend Micro Vision One app is configured with Cyware Orchestrate to perform the following actions:

| Action Name | Description |
| --- | --- |
| Add to Block List | This action blocks an IOC on Trend Micro Vision One. |
| Add to Suspicious Object Exception List | This action adds an IOC to the suspicious object exception list on Trend Micro Vision One. |
| Add to Suspicious Object List | This action adds an item to the suspicious object list on Trend Micro Vision One. |
| Bind a Data Type to Pipeline | This action binds a data type to a pipeline. |
| Delete Custom Intelligence Report | This action deletes the specified custom intelligence report. |
| Download Analysis Report | This action downloads the analysis report of a submission in PDF format. |
| Download Custom Intelligence Report | This action downloads the custom intelligence report as a STIX bundle. |
| Get Analysis Report | This action retrieves the analysis report of a submission. |
| Get Package Details | This action retrieves the details of the specified package. |
| Get Pipeline Information | This action retrieves the information of the specified data pipeline. |
| Get Submission Details | This action retrieves the details of the specified sandbox submission. |
| Get Task Results | This action retrieves the result of the specified task. |
| Isolate Endpoints | This action disconnects one or more endpoints from the network on Trend Micro Vision One. |
| List All Analysis Results | This action lists all analysis results. |
| List All Bound Data Pipelines | This action lists all the data pipelines that have a data type assigned. |
| List Available Packages | This action lists all the available packages from the specified data pipeline. |
| List Custom Intelligence Report | This action lists the custom intelligence reports. |
| List Submissions | This action lists all the sandbox submissions. |
| List Tasks | This action lists the tasks. |
| Remove from Blocklist | This action removes an IOC from the blocklist on Trend Micro Vision One. |
| Remove from Suspicious Object Exception List | This action removes an IOC from the suspicious object exception list on Trend Micro Vision One. |
| Remove from Suspicious Object List | This action removes an IOC from the suspicious object list on Trend Micro Vision One. |
| Restore Endpoints | This action restores network connection to one or more endpoints on Trend Micro Vision One. |
| Submit URLs for Analysis | This action submits URLs to the sandbox for analysis. |
| Unbind Data Type from Pipeline | This action unbinds a data type from the specified pipeline. |
| Update Pipeline Settings | This action updates the settings of the specified data pipeline. |

Configuration Parameters

The following configuration parameters are required for the Trend Micro Vision One app to communicate with the Trend Micro Vision One enterprise application. The parameters can be configured by creating instances in the app.

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Base URL | Enter the base URL to access Trend Micro Vision One. This is region specific. Example: https://xdr.trendmicro.com | Text | Required | |
| API Token | Enter the API token for authentication. | Password | Required | |
| Verify | Choose whether to verify the SSL/TLS certificate while making requests. It is recommended to set this option to yes; setting it to no skips certificate verification and may result in an insecure connection. | Boolean | Optional | By default, this is enabled. |
| Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Trend Micro Vision One. | Integer | Optional | Allowed range: 15-120. Default value: 15 |

Action: Add to Block List

This action blocks an IOC on Trend Micro Vision One.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Indicator Type | Enter the indicator type to block. | Text | Required | Allowed values: arp-batchSuspiciousObjectUrl, arp-batchSuspiciousObjectDomain, arp-batchSuspiciousObjectFileSha1, arp-batchSuspiciousObjectEmailSender, arp-batchSuspiciousObjectIp |
| Indicator | Enter the indicator to block. Example: https://sampledomain.com | Text | Required | |
| Description | Enter the reason for blocking the indicator. Example: this is malicious | Text | Required | |

Action: Add to Suspicious Object Exception List

This action adds an IOC to the suspicious object exception list on Trend Micro Vision One.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Indicator Type | Enter the indicator type to add to the suspicious object exception list. | Text | Required | Allowed values: atl-v3-suspiciousObjectAddExceptionUrl, atl-v3-suspiciousObjectAddExceptionDomain, atl-v3-suspiciousObjectAddExceptionIp, atl-v3-suspiciousObjectAddExceptionSenderMailAddress, atl-v3-suspiciousObjectAddExceptionFileSha1, atl-v3-suspiciousObjectAddExceptionFileSha256 |
| Indicator | Enter the indicator to add to the suspicious object exception list. Example: https://*.sampledomain.com/path1/* | Text | Required | |
| Description | Enter the reason for adding the IOC to the suspicious object exception list. Example: This might be malicious | Text | Required | |

Action: Add to Suspicious Object List

This action adds an item to the suspicious object list on Trend Micro Vision One.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Indicator Type | Enter the indicator type of the item to be added. | Text | Required | Allowed values: atl-v3-suspiciousObjectSettingsUrl, atl-v3-suspiciousObjectSettingsDomain, atl-v3-suspiciousObjectSettingsSenderMailAddress, atl-v3-suspiciousObjectSettingsIp, atl-v3-suspiciousObjectSettingsFileSha1, atl-v3-suspiciousObjectSettingsFileSha256 |
| Indicator | Enter the indicator to add to the suspicious object list. Example: http://sampledomain.com | Text | Required | |
| Description | Enter the description for adding an item to the suspicious object list. Example: This might be malicious | Text | Required | |
| Scan Action | Enter the action to perform. | Text | Required | The allowed values are block and log. |
| Risk Level | Enter the risk level of the suspicious object. | Text | Required | The allowed values are high, medium, and low. |
| Days to Expire | Enter the number of days before the object expires. Set this to -1 to ensure that the suspicious object never expires. Example: 30 | Integer | Required | |
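A playbook that pushes suspicious objects from an upstream feed should check that the indicator value actually matches the indicator type before calling the action, otherwise a SHA-256 submitted under the SHA-1 type, or an empty description, fails at the API and the object never lands on the list. The validator below is an added example and not Cyware's or Trend Micro's code; it takes the allowed values from the table above and assumes that each type name implies the value kind it is named after (URL, domain, e-mail address, IP, SHA-1, SHA-256), and that a Days to Expire of 0 should be rejected rather than passed through.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Allowed values copied from the "Add to Suspicious Object List" parameter table.
SCAN_ACTIONS = {"block", "log"}
RISK_LEVELS = {"high", "medium", "low"}

# Indicator types for this action, mapped to the kind of value each one carries.
# Assumption: the value kind is the one named in the type identifier.
INDICATOR_TYPES = {
    "atl-v3-suspiciousObjectSettingsUrl": "url",
    "atl-v3-suspiciousObjectSettingsDomain": "domain",
    "atl-v3-suspiciousObjectSettingsSenderMailAddress": "email",
    "atl-v3-suspiciousObjectSettingsIp": "ip",
    "atl-v3-suspiciousObjectSettingsFileSha1": "sha1",
    "atl-v3-suspiciousObjectSettingsFileSha256": "sha256",
}

_SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def indicator_matches(kind: str, value: str) -> bool:
    """Syntactic check that `value` looks like an indicator of `kind`."""
    if kind == "sha1":
        return bool(_SHA1_RE.match(value))
    if kind == "sha256":
        return bool(_SHA256_RE.match(value))
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if kind == "domain":
        return bool(_DOMAIN_RE.match(value))
    if kind == "email":
        return bool(_EMAIL_RE.match(value))
    if kind == "url":
        parsed = urlparse(value)
        return parsed.scheme in ("http", "https") and bool(parsed.netloc)
    return False


def validate_suspicious_object(indicator_type, indicator, description,
                               scan_action, risk_level, days_to_expire):
    """Return a list of problems with the action inputs; an empty list means they are consistent."""
    problems = []
    kind = INDICATOR_TYPES.get(indicator_type)
    value = indicator.strip()
    if kind is None:
        problems.append(f"unknown indicator type {indicator_type!r}")
    elif not indicator_matches(kind, value):
        problems.append(f"indicator {value!r} does not look like a {kind}")
    if not description.strip():
        problems.append("description must not be empty")
    if scan_action not in SCAN_ACTIONS:
        problems.append(f"scan action must be one of {sorted(SCAN_ACTIONS)}, got {scan_action!r}")
    if risk_level not in RISK_LEVELS:
        problems.append(f"risk level must be one of {sorted(RISK_LEVELS)}, got {risk_level!r}")
    # -1 means "never expires"; anything else must be a positive day count
    # (assumption: 0 is rejected instead of being passed to the API).
    if (isinstance(days_to_expire, bool) or not isinstance(days_to_expire, int)
            or not (days_to_expire == -1 or days_to_expire > 0)):
        problems.append(f"days to expire must be -1 or a positive integer, got {days_to_expire!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample input matching the documented example values.
    print(validate_suspicious_object("atl-v3-suspiciousObjectSettingsUrl", "http://sampledomain.com",
                                     "This might be malicious", "block", "high", 30))
```

Run the checks before the action is invoked and route any non-empty problem list to a playbook failure branch; the same mapping approach works for the blocklist and exception-list actions, which use different type identifiers but the same value kinds.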

Action: Bind a Data Type to Pipeline

This action binds a data type to a pipeline. The pipeline saves the data type for seven days.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Type | Enter the data type to bind to the pipeline. | Text | Required | The allowed values are telemetry and detection. |
| Description | Enter notes or a description for the pipeline. | Text | Optional | |
| Sub Type | Specify the sub-types of data the pipeline retrieves for the bound data type. | List | Optional | Allowed values: endpointActivity, cloudActivity, emailActivity, mobileActivity, networkActivity, containerActivity, identityActivity, all. By default, the pipeline retrieves all available data types. |

Action: Delete Custom Intelligence Report

This action deletes the specified custom intelligence report.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Report ID | Enter the report ID to delete the custom intelligence report. Example: report--2c1091ba-a7d2-46b2-bf97-4137916c30cb | Text | Required | You can retrieve this using the action List Custom Intelligence Report. |

Action: Download Analysis Report

This action downloads the analysis report of a submission in PDF format.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Analysis ID | Enter the analysis ID to download the report. Example: 8559a7ce-2b85-451b-8742-4b943ad76a22 | Text | Required | You can retrieve this using the action List All Analysis Results. |

Action: Download Custom Intelligence Report

This action downloads the custom intelligence report as a STIX bundle.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Report ID | Enter the report ID to download the report. Example: report--2c1091ba-a7d2-46b2-bf97-4137916c30cb | Text | Required | You can retrieve this using the action List Custom Intelligence Report. |

Action: Get Analysis Report

This action retrieves the analysis report of a submission.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Analysis ID | Enter the analysis ID to retrieve the report. Example: 8559a7ce-2b85-451b-8742-4b943ad76a22 | Text | Required | You can retrieve this using the action List All Analysis Results. |

Action: Get Package Details

This action retrieves the details of the specified package.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Data Pipeline ID | Enter the data pipeline ID to retrieve the package details. Example: 8746fc45-6b9d-4923-b476-931aec6e06eb | Text | Required | You can retrieve this using the action List All Bound Data Pipelines. |
| Package ID | Enter the ID of the package stored in a data pipeline to retrieve its details. Example: 2021103019-7898c20d-fc91-443b-9a4e-f8ec3ab745ab | Text | Required | You can retrieve this using the action List Available Packages. |

Action: Get Pipeline Information

This action retrieves the information of the specified data pipeline.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Data Pipeline ID | Enter the ID of the data pipeline to retrieve its information. Example: 8746fc45-6b9d-4923-b476-931aec6e06eb | Text | Required | You can retrieve this using the action List All Bound Data Pipelines. |

Action: Get Submission Details

This action retrieves the details of the specified sandbox submission.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Submission ID | Enter the ID of the sandbox submission to retrieve its status. Example: 012e4eac-9bd9-4e89-95db-77e02f75a611 | Text | Required | You can retrieve this using the action List Submissions. |

Action: Get Task Results

This action retrieves the result of the specified task.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Task ID | Enter the task ID to retrieve the results. Example: 43597ab5-b8b4-415d-87dc-24c94df82012 | Text | Required | You can retrieve this using the action List Tasks. |

Action: Isolate Endpoints

This action disconnects one or more endpoints from the network on Trend Micro Vision One.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Endpoint Type | Enter the endpoint type to isolate. | Text | Required | Allowed values: arp-batchbyagentguid, arp-batchbyendpointname |
| Endpoint | Enter the endpoint to isolate. Example: cb9c8412-1f64-4fa0-a36b-76bf41a07ede | Text | Required | |
| Description | Enter the description for isolating an endpoint. Example: Suspicious behaviour detected | Text | Required | |

Action: List All Analysis Results

This action lists all analysis results.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Filters | Specify the filters to narrow down the response. Example: filter=(riskLevel eq 'high') or (riskLevel eq 'medium') | Text | Optional | Allowed keys: sha1 (SHA-1 hash value of an object); sha256 (SHA-256 hash value of an object); md5 (MD5 hash value of an object); riskLevel (the risk level assigned to the object by the sandbox; possible values: 'high', 'medium', 'low', and 'noRisk'); type (object type; possible values: 'file' and 'url'); id (unique alphanumeric string that identifies the analysis results of a submission). Operators: eq (equal to), and, or, not, and parentheses ( ) for grouping operands with their operator. |
| Order By | Enter the order to sort the response in ascending or descending order. Example: orderBy=analysisCompletionDateTime desc | Text | Optional | Allowed fields and operators: analysisCompletionDateTime, riskLevel. Default value: analysisCompletionDateTime desc |
| Start time | Enter the start time in ISO 8601 format to retrieve submissions from the specified date. Example: startdatetime=2021-04-05T08:22:37Z | Text | Optional | By default, this value is set to 180 days prior to the request date. |
| End time | Enter the end time in ISO 8601 format to retrieve submissions up to the specified date. Example: enddatetime=2021-04-06t08:22:37z | Text | Optional | By default, this value is set to the request date. |
| Top | Enter the number of records to return on each page. Example: top=100 | Integer | Optional | Allowed values: 50, 100, and 200. Default value: 50 |

Action: List All Bound Data Pipelines

This action lists all the data pipelines that have a data type assigned.

Action Input Parameters 

No input parameters are required for this action.

Action: List Available Packages

This action lists all the available packages from the specified data pipeline.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Data Pipeline ID | Enter the data pipeline ID to retrieve the packages. Example: 8746fc45-6b9d-4923-b476-931aec6e06eb | Text | Required | You can retrieve this using the action List All Bound Data Pipelines. |

Action: List Custom Intelligence Report

This action lists the custom intelligence reports.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Filters | Specify the filters to narrow down the response. Example: filter=id eq 'report--2c1091ba-a7d2-46b2-bf97-4137916c30cb' and name eq 'report1' | Text | Optional | Allowed keys: id (unique alphanumeric string that identifies a custom intelligence report); name (title of a custom intelligence report). Operators: eq (equal to), and, or, not, and parentheses ( ) for grouping operands with their operator. |
| Order By | Enter the order to sort the response in ascending or descending order. Example: orderby=createddatetime desc | Text | Optional | Allowed fields and operators: updatedDateTime, asc, desc. Default value: createdDateTime desc |
| Start Time | Enter the start time in ISO 8601 format to retrieve reports from the specified date. Example: startdatetime=2021-04-05t08:22:37z | Text | Optional | By default, this value is set to the earliest available value for 'updatedDateTime'. |
| End Time | Enter the end time in ISO 8601 format to retrieve reports up to the specified date. Example: enddatetime=2021-04-06t08:22:37z | Text | Optional | By default, this value is set to the request date. |
| Top | Enter the number of records to return on each page. Example: top=100 | Integer | Optional | Allowed values: 50, 100, and 200. Default value: 100 |

Action: List Submissions

This action lists all the sandbox submissions.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Filters | Specify the filters to narrow down the response. Example: filter=status eq 'succeeded' | Text | Optional | Allowed fields: status (analysis status of an object; possible values: 'succeeded', 'running', and 'failed'); action (action applied to an object; possible values: 'analyzeFile' and 'analyzeUrl'); sha1 (SHA-1 hash value of an object); sha256 (SHA-256 hash value of an object); md5 (MD5 hash value of an object); id (submission ID). Operators: eq (equal to), and, or, not, and parentheses ( ) for grouping operands with their operator. |
| Order By | Enter the order to sort the response in ascending or descending order. Example: orderby=lastActionDateTime desc, createdDateTime desc | Text | Optional | Allowed fields: createdDateTime, lastActionDateTime. Default value: createdDateTime desc |
| Start Time | Enter the start time in ISO 8601 format to retrieve submissions from the specified date. Example: startdatetime=2021-12-17t12:00:00z | Text | Optional | By default, this value is set to 180 days prior to the request date. |
| End Time | Enter the end time in ISO 8601 format to retrieve submissions up to the specified date. Example: enddatetime=2022-06-15t12:00:00z | Text | Optional | By default, this value is set to the request date. |
| Time Target | Enter the parameter that specifies the field used to sort the submission list. | Text | Optional | Allowed values: createdDateTime, lastActionDateTime. Default value: createdDateTime |
| Top | Enter the number of records to return on each page. | Integer | Optional | Allowed values: 50, 100, and 200. Default value: 50 |

Action: List Tasks

This action lists the tasks.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Filters | Specify the filters to narrow down the response. Example: filter=sweeptype eq 'manual' and ishit eq true | Text | Optional | Allowed keys: id (unique alphanumeric string of the sweeping task); sweepType (type of sweeping task; possible values: 'schedule', 'manual', and 'stixShifter'); isHit (whether indicators were matched during a sweeping task; boolean); status (status of a sweeping task; possible values: 'notstarted', 'running', 'succeeded', and 'failed'). Operators: eq (equal to), and, or, not, and parentheses ( ) for grouping operands with their operator. |
| Order By | Enter the order to sort the response in ascending or descending order. Example: orderby=lastActionDateTime desc | Text | Optional | Allowed fields: lastActionDateTime, asc, desc. Default value: lastActionDateTime desc |
| Start Time | Enter the start time in ISO 8601 format to retrieve tasks from the specified date. Example: startdatetime=2021-04-05t08:22:37z | Text | Optional | By default, this value is set to the earliest available value for 'createddatetime'. |
| End Time | Enter the end time in ISO 8601 format to retrieve tasks up to the specified date. Example: enddatetime=2021-04-06t08:22:37z | Text | Optional | By default, this value is set to the request date. |
| Top | Enter the number of records to return on each page. Example: top=100 | Integer | Optional | Allowed values: 50, 100, and 200. Default value: 100 |
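The four list actions (List All Analysis Results, List Custom Intelligence Report, List Submissions and List Tasks) all take a Filters string built from keys, eq, and/or/not and parentheses. When a playbook assembles that string from values it did not produce itself (an indicator from a ticket, a report name from a form), an embedded single quote can change the meaning of the filter. The helper below is an added example, not part of the Cyware app or the Trend Micro API: it builds equality clauses while refusing values that could break out of the quotes, and checks a filter against the allowed keys for a given action before it is sent. It assumes the grammar implied by the documented operators, that key names are compared case-insensitively (the List Tasks example uses sweeptype and ishit in lowercase), and that booleans are written unquoted as true or false.

```python
import re

# Allowed filter keys per list action, copied from the actions' parameter tables.
FILTER_KEYS = {
    "List All Analysis Results": {"sha1", "sha256", "md5", "riskLevel", "type", "id"},
    "List Custom Intelligence Report": {"id", "name"},
    "List Submissions": {"status", "action", "sha1", "sha256", "md5", "id"},
    "List Tasks": {"id", "sweepType", "isHit", "status"},
}

# One token per match: a parenthesis, a quoted string, or a bare word (key, operator, boolean).
_TOKEN_RE = re.compile(r"\s*(\(|\)|'[^']*'|[A-Za-z][A-Za-z0-9]*)")


def build_eq(action: str, key: str, value) -> str:
    """Build one `key eq value` clause, refusing values that could escape the quotes."""
    if key not in FILTER_KEYS[action]:
        raise ValueError(f"{key!r} is not an allowed filter key for {action}")
    if isinstance(value, bool):
        return f"{key} eq {'true' if value else 'false'}"
    value = str(value)
    if "'" in value:
        # No escaping rule is documented, so reject rather than guess one.
        raise ValueError(f"value for {key!r} must not contain a single quote")
    return f"{key} eq '{value}'"


def build_any_of(action: str, key: str, values) -> str:
    """OR together several equality clauses, each in its own parentheses."""
    return " or ".join(f"({build_eq(action, key, v)})" for v in values)


def _tokenize(expr: str):
    tokens, pos = [], 0
    expr = expr.strip()
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if m is None:
            raise ValueError(f"unexpected character at offset {pos}: {expr[pos:pos + 10]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Checker:
    # Grammar assumed from the documented operators:
    #   expr := term (("and" | "or") term)*
    #   term := "not" term | "(" expr ")" | KEY "eq" VALUE
    #   VALUE := quoted string | true | false
    def __init__(self, tokens, keys):
        self.tokens, self.i = tokens, 0
        self.keymap = {k.lower(): k for k in keys}  # assumption: keys are case-insensitive

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.i += 1
        return tok

    def expr(self):
        self.term()
        while self.peek() in ("and", "or"):
            self.take()
            self.term()

    def term(self):
        tok = self.take()
        if tok == "not":
            self.term()
        elif tok == "(":
            self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
        elif tok.lower() in self.keymap:
            if self.take() != "eq":
                raise ValueError(f"expected 'eq' after key {tok!r}")
            val = self.take()
            if not (val.startswith("'") or val in ("true", "false")):
                raise ValueError(f"value for {tok!r} must be a quoted string or boolean")
        else:
            raise ValueError(f"{tok!r} is not an allowed key for this action")


def filter_problem(action: str, expr: str):
    """Return None if `expr` is a well-formed filter for `action`, else a description of the problem."""
    if expr.startswith("filter="):  # accept the form shown in the documentation examples
        expr = expr[len("filter="):]
    try:
        checker = _Checker(_tokenize(expr), FILTER_KEYS[action])
        checker.expr()
        if checker.peek() is not None:
            raise ValueError(f"unexpected token {checker.peek()!r}")
    except ValueError as exc:
        return str(exc)
    return None
```

Use build_eq and build_any_of to construct the Filters input from playbook variables, and filter_problem as a guard on any filter string that a user typed by hand; a non-None result should stop the playbook before the action runs, since the API would otherwise either reject the request or, in the case of a smuggled quote, apply a different filter than intended.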

Action: Remove from Blocklist

This action removes an IOC from the blocklist on Trend Micro Vision One.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Indicator Type | Enter the indicator type to remove it from the blocklist. | Text | Required | Allowed values: arp-batchSuspiciousObjectUrl, arp-batchSuspiciousObjectDomain, arp-batchSuspiciousObjectFileSha1, arp-batchSuspiciousObjecteMailSender, arp-batchSuspiciousObjectIp |
| Indicator | Enter the indicator to remove it from the blocklist. Example: https://dummyurl.com | Text | Required | |
| Description | Enter the reason to remove an IOC from the blocklist. Example: added to test | Text | Required | |

Action: Remove from Suspicious Object Exception List

This action removes an IOC from the suspicious object exception list on Trend Micro Vision One.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Indicator Type | Enter the indicator type to remove it from the suspicious object exception list. | Text | Required | Allowed values: atl-v3-suspiciousObjectExceptionUrl, atl-v3-suspiciousObjectExceptionDomain, atl-v3-suspiciousObjectExceptionFileSha1, atl-v3-suspiciousObjectExceptionSenderMailAddress, atl-v3-suspiciousObjectExceptionIp, atl-v3-suspiciousObjectExceptionFileSha256 |
| Indicator | Enter the indicator to remove from the suspicious object exception list. Example: https://*.example.com/path1/* | Text | Required | |

Action: Remove from Suspicious Object List

This action removes an IOC from the suspicious object list on Trend Micro Vision One.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Indicator Type | Enter the indicator type to remove it from the suspicious object list. | Text | Required | Allowed values: atl-v3-suspiciousObjectUrl, atl-v3-suspiciousObjectDomain, atl-v3-suspiciousObjectSenderMailAddress, atl-v3-suspiciousObjectIp, atl-v3-suspiciousObjectFileSha1, atl-v3-suspiciousObjectFileSha256 |
| Indicator | Enter the indicator to remove it from the suspicious object list. Example: http://sampledomain.com | Text | Required | |

Action: Restore Endpoints

This action restores network connection to one or more endpoints on Trend Micro Vision One.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Endpoint Type | Enter the type of the endpoint to restore. | Text | Required | Allowed values: arp-batchByAgentGuid, arp-batchByEndpointName |
| Endpoint | Enter the name of the endpoint to restore. | Text | Required | |
| Description | Enter the description for restoring the endpoint. Example: This endpoint is no more suspicious. | Text | Required | |

Action: Submit URLs for Analysis

This action submits URLs to the sandbox for analysis.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| URLs | Enter the list of URLs to submit for analysis. | List | Required | You can submit up to 10 URLs in each request. |

Action: Unbind Data Type from Pipeline

This action unbinds a data type from the specified pipeline.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Data Pipeline ID | Enter one or more data pipeline IDs to unbind the data type from the pipeline. | List | Required | You can retrieve this using the action List All Bound Data Pipelines. |

Action: Update Pipeline Settings

This action updates the settings of the specified data pipeline.

Action Input Parameters 

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Data Pipeline ID | Enter the data pipeline ID to update the settings. Example: 8746fc45-6b9d-4923-b476-931aec6e06eb | Text | Required | You can retrieve this using the action List All Bound Data Pipelines. |
| Type | Enter the data type of the data pipeline to update the settings. | Text | Optional | Allowed values: telemetry and detection |
| Sub Type | Specify the sub-types of data the pipeline retrieves for its data type. | Text | Optional | Allowed values: endpointActivity, cloudActivity, emailActivity, mobileActivity, networkActivity, containerActivity, identityActivity, all. By default, the pipeline retrieves all available data types. |
| Description | Enter the description of the pipeline to update. | Text | Optional | |