Trend Micro Cloud App Security

Integration version: 6.0

Product Use Cases

Perform active actions - enrich entities, search email, update block list, mitigate emails/accounts..

How to generate API token

  1. Navigate to Administration > Automation and Integration APIs.
  2. Press on the "Add" button.
  3. Select "For External Application".
  4. Provide "Name" and select all checkboxes.
  5. Press on the "Create Token".
  6. Copy "Token".
  7. Update "API Key" parameter in the integration configuration.
  8. Test the connectivity.

Configure Trend Micro Cloud App Security integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
API Root String https://api-eu.tmcas.trendmicro.com Yes API root of the Trend Micro Cloud App Security instance.
API Key Password N/A Yes API Key of the Trend Micro Cloud App Security instance.
Verify SSL Checkbox Checked Yes If enabled, verifies that the SSL certificate for the connection to the Trend Micro Cloud App Security server is valid.

Actions

Ping

Description

Test connectivity to Trend Micro Cloud App Security with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

If Successful (is success = true) - Successfully connected to the Trend Micro Cloud App Security server with the provided connection parameters!

If not Successful (is success = false) - Failed to connect to the Trend Micro Cloud App Security server! Error: {0}".format(exception.stacktrace)

General

Add Entities To Blocklist

Description

Add entities to a blocklist in Trend Micro Cloud App Security. Supported entities: URL, Hash and Email (User entity that matches email address pattern).

Parameters

Name Default Value Is Mandatory Description
N/A N/A N/A N/A

Run On

This action runs on the following entities:

  • URL
  • Hash
  • Email

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Case Success Fail Message
if successful for 1 entity true false Successfully added the following entities to blocklist in Trend Micro Cloud App Security: {\n entity.identifier}
if not successful for 1 entity true false Action wasn't able to add the following entities to blocklist in Trend Micro Cloud App Security: {\n entity.identifier}
If duplicates true false The following entities are already a part of blocklist in Trend Micro Cloud App Security: {\n entity.identifier}
not successful for all false false No entities were added using information from Trend Micro Cloud App Security
Fatal error, invalid creds, API root false true Error executing action "Add Entities To Blocklist". Reason: {error traceback}

Mitigate Emails

Description

Delete or quarantine emails using Trend Micro Cloud App Security. Note: for Gmail you can only delete emails.

Parameters

Name Default Value Is Mandatory Description
Message IDs N/A Yes Specify a comma-separated list of message ids that need to be mitigated.
Mitigation Action

Delete

Possible Values:

Delete

Quarantine

Yes Specify what mitigation action should be applied.
Service

Gmail

Possible Values

Gmail

Exchange

Yes Specify the service the is used for emails.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Case Success Fail Message
if successful for 1 message_id True false Successfully mitigated the following emails in Trend Micro Cloud App Security: {\n unique message ids}
if not successful for 1 message_id True false Action wasn't able to mitigate the following emails in Trend Micro Cloud App Security: {\n unique message ids}
not successful for all false false No emails were mitigated Trend Micro Cloud App Security.
Fatal error, invalid creds, API root false true Error executing action "Mitigate Emails". Reason: {error traceback}
If "Quarantine" is selected and "Gmail" is the service false true Error executing action "Mitigate Emails". Reason: you can only delete emails in gmail service.

Description

Search emails based on entities in Trend Micro Cloud App Security. Supported entities: URL, Hash, Email (User entity that matches email address pattern), Email Subject, File Name, IP.

Parameters

Name Default Value Is Mandatory Description
Max Days Backwards 30 No Specify how many days backwards to look for emails. Maximum is 90. Default: 30.
Max Emails To Return 100 No Specify how many emails to return. Default: 100.

Run On

This action runs on the following entities:

  • URL
  • Hash
  • Email
  • Email Subject
  • File Name
  • IP Address

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
emails=[{list of unique emails}]
Case Wall
Case Success Fail Message
if data is available: true false Successfully returned information about emails related to the provided entities in Trend Micro Cloud App Security.
if data is not available false false No information about emails related to entities were found in Trend Micro Cloud App Security.
Fatal error, invalid creds, API root false true Error executing action "Entity Email Search". Reason: {error traceback}
If "Max Days Backwards" > 90 false true Error executing action "Entity Email Search". Reason: "Max Days Backwards" should be in range from 1 to 90.

Enrich Entities

Description

Enrich entities with information from Trend Micro Cloud App Security. Supported entities: URL, Hash and Email (User entity that matches email address pattern).

Parameters

Name Default Value Is Mandatory Description
N/A N/A N/A N/A

Run On

This action runs on the following entities:

  • URL
  • Hash
  • Email

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
blocked_url = [URL entities that were found]
blocked_hashes = [hashes entities that were found]
blocked_senders = [User entities that were found]
Case Wall
Case Success Fail Message
if successful for 1 entity true false Successfully retrieved information about the following entities from Trend Micro Cloud App Security: {\n entity.identifier}
if not successful for 1 entity true false Action wasn't able to retrieve information about the following entities from Trend Micro Cloud App Security: {\n entity.identifier}
not successful for all false false No entities were enriched using information from Trend Micro Cloud App Security
Fatal error, invalid creds, API root false true Error executing action "Enrich Entities". Reason: {error traceback}

Mitigate Accounts

Description

Perform mitigation actions on the user account via Trend Micro Cloud App Security.

Parameters

Name Default Value Is Mandatory Description
Email Addresses N/A Yes Specify a comma-separated list of email addresses that need to be mitigated.
Mitigation Action

Disable Account

Enable MFA

Reset Password

Revoke Sign In Sessions

Yes Specify a what mitigation action should be applied.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Case Success Fail Message
if successful for 1 email address. true false Successfully mitigated the following accounts in Trend Micro Cloud App Security: {\n email addresses}
if not successful for 1 entity true false Action wasn't able to mitigate the following accounts in Trend Micro Cloud App Security: {\n email addresses}
not successful for all false false No account were mitigated using information from Trend Micro Cloud App Security.
Async Message false false Waiting for mitigation actions to finish…
Fatal error, invalid creds, API root false true Error executing action "Mitigate Account". Reason: {error traceback}