Trend Micro Apex Central
Integration version: 4.0
How to obtain an API Key
For more information about how to obtain an API Key, see Adding an Application.
Configure Trend Micro Apex Central integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
API Root | String | http://x.x.x.x | Yes | API root of the Trend Micro Apex Central instance. |
Application ID | String | N/A | Yes | Application ID of the Trend Micro Apex Central instance. |
API Key | Password | N/A | Yes | API Key of the Trend Micro Apex Central instance. |
Verify SSL | Checkbox | Checked | Yes | If enabled, the SSL certificate for the connection to the Trend Micro Apex Central server is verified. |
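The Application ID and API Key are the only credentials the integration holds, so it is worth seeing how they are used. The block below is an added example, not the integration's or Trend Micro's code. It assumes, and this page does not state it, that the Apex Central Automation API authenticates each call with an HS256 JSON Web Token whose payload carries the application id, a version string, an issued-at time and a base64 SHA-256 checksum over "METHOD|path|headers|body", signed with the API Key and sent as a Bearer token; check that against Trend Micro's API documentation before relying on it. The token is built with the standard library only so the example runs offline, and the URL path used is a placeholder.

```python
"""Added example: signing a request with the integration's Application ID and API Key.
Assumed token layout (HS256 JWT with appid/version/iat/checksum), not taken from this page."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def request_checksum(method: str, raw_url: str, headers: str = "", body: str = "") -> str:
    """Checksum that binds the token to one specific request (assumed format)."""
    to_hash = f"{method.upper()}|{raw_url}|{headers}|{body}"
    digest = hashlib.sha256(to_hash.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def create_jwt(application_id: str, api_key: str, method: str, raw_url: str,
               headers: str = "", body: str = "", iat: Optional[int] = None) -> str:
    """Build an HS256 JWT signed with the API Key (assumed payload layout)."""
    payload = {
        "appid": application_id,
        "version": "V1",
        "iat": int(time.time()) if iat is None else iat,
        "checksum": request_checksum(method, raw_url, headers, body),
    }
    header = {"alg": "HS256", "typ": "JWT"}

    def compact(obj: dict) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    signing_input = compact(header) + "." + compact(payload)
    signature = hmac.new(api_key.encode("utf-8"), signing_input.encode("ascii"),
                         hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token: str, api_key: str) -> Optional[dict]:
    """Recompute the signature and return the payload, or None if it does not match.
    Handy for checking what the integration would send before it reaches the server."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expected = hmac.new(api_key.encode("utf-8"), f"{head}.{body}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected).encode("ascii"), sig.encode("utf-8")):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def auth_headers(application_id: str, api_key: str, method: str, raw_url: str,
                 body: str = "") -> dict:
    """Headers a client would attach; the token is the only value derived from the secret."""
    token = create_jwt(application_id, api_key, method, raw_url, "", body)
    return {"Authorization": "Bearer " + token,
            "Content-Type": "application/json;charset=utf-8"}


if __name__ == "__main__":
    # Placeholder credentials and path, not real Apex Central values.
    hdrs = auth_headers("app-id-placeholder", "api-key-placeholder", "GET", "/WebApp/API/example")
    print(verify_jwt(hdrs["Authorization"].split(" ", 1)[1], "api-key-placeholder"))
```

The checksum ties a token to one method, path and body, so a captured token cannot be replayed against a different endpoint, but nothing here encrypts the request. The default API Root on this page is a plain http URL; use https and leave Verify SSL checked, otherwise the Bearer token and the UDSO payloads travel in the clear.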
Actions
Ping
Description
Test connectivity to Trend Micro Apex Central with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | If successful: Not successful: "Failed to connect to the Trend Micro Apex Central server! Error: {0}".format(exception.stacktrace) | General |
Enrich Entities
Description
Enrich entities with information from Trend Micro Apex Central. Supported entities: IP Address, MAC Address, Hostname, URL, Hash.
Parameters
Name | Default Value | Is Mandatory | Description |
---|---|---|---|
Create Endpoint Insight | True | No | If enabled, action will create an insight consisting of the information regarding the endpoints that were enriched. |
Create UDSO Insight | True | No | If enabled, action will create an insight consisting of the information regarding the entities that matched UDSO. |
Mark UDSO Entities | True | No | If enabled, action will mark all of the entities that were seen in the User-Defined Suspicious Objects (UDSO) list as suspicious. |
Extract Domain | False | No | If enabled, action will extract domain part of the URL entity and use it for enrichment. |
Run On
This action runs on the following entities:
- IP Address
- MAC Address
- Hostname
- URL
- Hash
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Entity Enrichment
Host, IP, MAC
Enrichment Field Name | Logic - When to apply |
---|---|
ip_address | Returns if it exists in JSON result. |
mac_address | Returns if it exists in JSON result. |
hostname | Returns if it exists in JSON result. |
has_endpoint_sensor | Returns if it exists in JSON result. |
isolation_status | Returns if it exists in JSON result. |
ad_domain | Returns if it exists in JSON result. |
URL, Hash, IP
Enrichment Field Name | Logic - When to apply |
---|---|
type | Returns if it exists in JSON result. |
note | Returns if it exists in JSON result. |
action | Returns if it exists in JSON result. |
expiration | Returns if it exists in JSON result. |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: | General |
Case Wall Table | Name: Found Endpoints. Columns: IP Address, MAC Address, Hostname, Has Endpoint Sensor, Isolation Status, AD Domain | (Host, IP, MAC) |
Case Wall Table | Name: Found UDSO. Columns: Entity, Note, Action | (URL, Hash, IP) |
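The two enrichment tables above imply a routing step: hostname, IP and MAC entities are matched against endpoint records, URL, hash and IP entities against the User-Defined Suspicious Objects list, so an IP is looked up in both. The block below is an added example of that step, not the integration's code. With Extract Domain enabled a URL is reduced to its host before the UDSO lookup (a scheme-less URL is handled too), and with Mark UDSO Entities enabled anything found in the UDSO list is flagged suspicious. The endpoint and UDSO records are constructed sample data; their field names follow the enrichment tables on this page, while the "content" key used for matching and the entity type labels are assumptions.

```python
"""Added example: routing Enrich Entities inputs to endpoint and UDSO lookups.
Sample records are constructed; field names follow this page's enrichment tables."""
from urllib.parse import urlsplit

# Entity type labels as listed under Run On (assumed spelling).
ENDPOINT_TYPES = {"Hostname", "IP Address", "MAC Address"}
UDSO_TYPES = {"URL", "Hash", "IP Address"}

SAMPLE_ENDPOINTS = [  # constructed endpoint records
    {"ip_address": "10.0.0.5", "mac_address": "00-11-22-33-44-55", "hostname": "ws-finance-01",
     "has_endpoint_sensor": True, "isolation_status": "normal", "ad_domain": "corp.example"},
]
SAMPLE_UDSO = [  # constructed UDSO records; "content" is the assumed match key
    {"type": "ip", "content": "203.0.113.9", "note": "known C2", "action": "block", "expiration": None},
    {"type": "url", "content": "phish.example", "note": "credential phish", "action": "log",
     "expiration": "2025-01-01"},
    {"type": "file", "content": "0123456789abcdef0123456789abcdef01234567", "note": "dropper",
     "action": "block", "expiration": None},
]


def normalize(entity_type: str, identifier: str, extract_domain: bool) -> str:
    """Canonical lookup key: MACs in upper-case dash form, hashes lower-case,
    URLs reduced to their host when Extract Domain is on."""
    value = identifier.strip()
    if entity_type == "MAC Address":
        return value.upper().replace(":", "-")
    if entity_type == "Hash":
        return value.lower()
    if entity_type == "Hostname":
        return value.lower()
    if entity_type == "URL" and extract_domain:
        # urlsplit only sees a host when a scheme (or "//") precedes it.
        parts = urlsplit(value if "://" in value else "//" + value)
        return (parts.hostname or value).lower()
    return value


def _endpoint_match(endpoint: dict, entity_type: str, key: str) -> bool:
    if entity_type == "IP Address":
        return endpoint["ip_address"] == key
    if entity_type == "MAC Address":
        return endpoint["mac_address"].upper() == key
    return endpoint["hostname"].lower() == key


def enrich(entities, endpoints=SAMPLE_ENDPOINTS, udso=SAMPLE_UDSO,
           extract_domain=False, mark_udso=True):
    """Return (is_success, per-entity results). is_success is True when at
    least one entity was enriched from either source."""
    results = []
    for ent in entities:
        etype, ident = ent["type"], ent["identifier"]
        key = normalize(etype, ident, extract_domain)
        rec = {"identifier": ident, "lookup_key": key, "endpoint": None,
               "udso": None, "is_suspicious": False}
        if etype in ENDPOINT_TYPES:
            rec["endpoint"] = next((e for e in endpoints if _endpoint_match(e, etype, key)), None)
        if etype in UDSO_TYPES:
            hit = next((u for u in udso if u["content"].lower() == key.lower()), None)
            if hit is not None:
                rec["udso"] = {k: hit[k] for k in ("type", "note", "action", "expiration")}
                rec["is_suspicious"] = mark_udso
        results.append(rec)
    is_success = any(r["endpoint"] is not None or r["udso"] is not None for r in results)
    return is_success, results


if __name__ == "__main__":
    ok, out = enrich([{"type": "URL", "identifier": "https://phish.example/login?x=1"},
                      {"type": "MAC Address", "identifier": "00:11:22:33:44:55"}],
                     extract_domain=True)
    print(ok, out)
```

Note what Extract Domain changes: without it the full URL string is compared against the UDSO list, so a UDSO entered as a bare domain will not match a URL entity that carries a path or query, and the entity is silently left unmarked.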
Create File UDSO
Description
Create a User-defined suspicious object based on a file in Trend Micro Apex Central.
Known Issues
When working with .eml files, the action will not return the JSON result.
Parameters
Name | Default Value | Is Mandatory | Description |
---|---|---|---|
File Paths | N/A | Yes | Specify a comma-separated list of file paths that need to be used to create a UDSO. |
Action | Block (Possible values: Block, Log, Quarantine) | Yes | Specify what action should be applied to the UDSO. |
Note | N/A | No | Specify an additional note for the provided UDSO. Warning: the note can't contain more than 256 characters. |
Expire In (Days) | N/A | No | Specify in how many days the UDSO should expire. If nothing is provided, the UDSO will never expire. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Case | Success | Fail | Message |
---|---|---|---|
if successful for 1 file | true | false | Successfully created UDSO based on the following files in Trend Micro Apex Central: {\n file paths} |
if not successful for 1 file | true | false | Action wasn't able to create UDSO based on the following files in Trend Micro Apex Central: {\n file paths} |
If already exist | true | false | The following UDSO already exist in Trend Micro Apex Central: {\n file paths} |
not successful for all | false | false | No UDSO were created in Trend Micro Apex Central. |
Fatal error, invalid creds, API root | false | true | Error executing action "Create File UDSO". Reason: {error traceback} |
If note > 256 chars | false | true | Error executing action "Create File UDSO". Reason: note can't contain more than 256 characters. |
Create Entity UDSO
Description
Create a User-defined suspicious object based on the entities in Trend Micro Apex Central. Supported entities: IP, URL, Hash.
Parameters
Name | Default Value | Is Mandatory | Description |
---|---|---|---|
Action | Block (Possible values: Block, Log) | Yes | Specify what action should be applied to the UDSO. |
Note | N/A | No | Specify an additional note for the provided UDSO. Warning: the note can't contain more than 256 characters. |
Expire In (Days) | N/A | No | Specify in how many days the UDSO should expire. If nothing is provided, the UDSO will never expire. |
Run On
This action runs on the following entities:
- IP Address
- URL
- Hash
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Case | Success | Fail | Message |
---|---|---|---|
if successful for 1 entity | true | false | Successfully created UDSO based on the following entities in Trend Micro Apex Central: {\n entity.identifier} |
if not successful for 1 entity | true | false | Action wasn't able to create UDSO based on the following entities in Trend Micro Apex Central: {\n entity.identifier} |
If already exist | true | false | The following UDSO already exist in Trend Micro Apex Central: {\n entity.identifier} |
not successful for all | false | false | No UDSO were created in Trend Micro Apex Central. |
Fatal error, invalid creds, API root | false | true | Error executing action "Create Entity UDSO". Reason: {error traceback} |
If note > 256 chars | false | true | Error executing action "Create Entity UDSO". Reason: note can't contain more than 256 characters. |
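Create File UDSO and Create Entity UDSO share their input checks and their result semantics: the allowed Action values differ by kind (Quarantine is file-only), Note is capped at 256 characters and fails the action when exceeded, Expire In (Days) becomes an expiration date, and the action still reports success when at least one UDSO was created or already existed, failing only when nothing was created at all. The block below is an added example of that logic covering both actions, not the integration's code; the "already exists" and "rejected" outcomes are simulated with constructed in-memory sets instead of a live Apex Central, and the expiration date format is an assumption.

```python
"""Added example: validation and case-wall result semantics shared by
Create File UDSO and Create Entity UDSO. Server outcomes are simulated."""
from datetime import datetime, timedelta, timezone

ALLOWED_ACTIONS = {"file": {"Block", "Log", "Quarantine"}, "entity": {"Block", "Log"}}
NOTE_MAX_CHARS = 256


def build_udso_request(kind, action, note=None, expire_in_days=None, now=None):
    """Validate the shared parameters and return the request fields.
    `now` may be a datetime or an ISO date string (used for deterministic tests)."""
    if kind not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown UDSO kind {kind!r}")
    if action not in ALLOWED_ACTIONS[kind]:
        raise ValueError(f"action {action!r} is not valid for {kind} UDSO; "
                         f"choose one of {sorted(ALLOWED_ACTIONS[kind])}")
    if note is not None and len(note) > NOTE_MAX_CHARS:
        # Same wording as the case wall row for this failure.
        raise ValueError("note can't contain more than 256 characters.")
    expiration = None  # no value means the UDSO never expires
    if expire_in_days is not None:
        days = int(expire_in_days)
        if days <= 0:
            raise ValueError("Expire In (Days) must be a positive integer")
        if isinstance(now, str):
            base = datetime.fromisoformat(now)
        else:
            base = now or datetime.now(timezone.utc)
        expiration = (base + timedelta(days=days)).strftime("%Y-%m-%d")  # assumed format
    return {"action": action, "note": note, "expiration": expiration}


def create_udso(kind, items, action, note=None, expire_in_days=None,
                existing=None, fail_on=(), now=None):
    """Simulate per-item outcomes and fold them into the action result.

    items:    file paths (kind="file") or entity identifiers (kind="entity")
    existing: identifiers already in the UDSO list (constructed stand-in for the server)
    fail_on:  identifiers the server is assumed to reject (constructed)
    """
    request = build_udso_request(kind, action, note, expire_in_days, now)
    existing = set(existing or ())
    created, failed, already = [], [], []
    for item in items:
        if item in existing:
            already.append(item)
        elif item in fail_on:
            failed.append(item)
        else:
            created.append(item)
            existing.add(item)
    noun = "files" if kind == "file" else "entities"
    messages = []
    if created:
        messages.append(f"Successfully created UDSO based on the following {noun} in "
                        "Trend Micro Apex Central:\n " + "\n ".join(created))
    if failed:
        messages.append(f"Action wasn't able to create UDSO based on the following {noun} in "
                        "Trend Micro Apex Central:\n " + "\n ".join(failed))
    if already:
        messages.append("The following UDSO already exist in Trend Micro Apex Central:\n "
                        + "\n ".join(already))
    # Partial success still counts as success; only "nothing created" flips is_success.
    is_success = bool(created or already)
    if not is_success:
        messages = ["No UDSO were created in Trend Micro Apex Central."]
    # Known issue on this page: .eml files come back without a JSON result.
    missing_json = [i for i in created if kind == "file" and i.lower().endswith(".eml")]
    return {"is_success": is_success, "request": request, "created": created,
            "failed": failed, "already_exist": already,
            "output_message": "\n".join(messages), "missing_json_result": missing_json}


if __name__ == "__main__":
    print(create_udso("entity", ["203.0.113.9", "phish.example"], "Block",
                      note="C2 seen in case 42", expire_in_days=30, existing=["phish.example"]))
```

A playbook branching on is_success alone cannot tell a clean run from one where half the indicators were rejected; read the failed list (or the output message) when the block must be complete, and remember that an over-long Note aborts the whole action before any UDSO is created.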
Unisolate Endpoints
Description
Unisolate endpoints in Trend Micro Apex Central. Supported entities: IP, MAC, Hostname.
Parameters
Name | Default Value | Is mandatory | Description |
---|---|---|---|
N/A | N/A | N/A | N/A |
Run On
This action runs on the following entities:
- IP Address
- MAC Address
- Hostname
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Case | Success | Fail | Message |
---|---|---|---|
if successful for 1 entity | true | false | Successfully unisolated the following endpoints in Trend Micro Apex Central: {\n entity.identifier} |
if not successful for 1 entity | true | false | Action wasn't able to unisolate the following endpoints in Trend Micro Apex Central: {\n entity.identifier} |
not successful for all | false | false | No endpoints were unisolated in Trend Micro Apex Central. |
Async Message | false | false | Initiated endpoint unisolation on the following endpoints: {entity.identifier}. Waiting for the unisolation to finish. |
Timeout message | false | false | Action initiated unisolation, but it's still pending for the following endpoints: {entity.identifier}. Please consider increasing the timeout in the IDE. |
Fatal error, invalid creds, API root | false | true | Error executing action "Unisolate Endpoints". Reason: {error traceback} |
Isolate Endpoints
Description
Isolate endpoints in Trend Micro Apex Central. Supported entities: IP, MAC, Hostname.
Parameters
Name | Default Value | Is mandatory | Description |
---|---|---|---|
N/A | N/A | N/A | N/A |
Run On
This action runs on the following entities:
- IP Address
- MAC Address
- Hostname
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Case | Success | Fail | Message |
---|---|---|---|
if successful for 1 entity | true | false | Successfully isolated the following endpoints in Trend Micro Apex Central: {\n entity.identifier} |
if not successful for 1 entity | true | false | Action wasn't able to isolate the following endpoints in Trend Micro Apex Central: {\n entity.identifier} |
not successful for all | false | false | No endpoints were isolated in Trend Micro Apex Central. |
Async Message | false | false | Initiated endpoint isolation on the following endpoints: {entity.identifier}. Waiting for the isolation to finish. |
Timeout message | true | false | Action initiated isolation, but it's still pending for the following endpoints: {entity.identifier}. Please consider increasing the timeout in the IDE. |
Fatal error, invalid creds, API root | false | true | Error executing action "Isolate Endpoints". Reason: {error traceback} |