Trend Vision One
Integration version: 2.0
Integrate Trend Vision One with Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration inputs
To configure the integration, use the following parameters:
| Parameters | |
|---|---|
| API Root | Required
API root of the Trend Vision One instance. Default value is |
| API Token | Required
API Key of the Trend Vision One account. |
| Verify SSL | If checked, the integration verifies if the SSL certificate for the connection to the Trend Vision One server is valid. Checked by default |
How to generate API Token
For more information about how to generate API Token, see Obtain the Authentication Token of an Account.
Actions
Enrich Entities
Enrich entities using information from Trend Vision One.
Entities
This action runs on the following entities:
- Hostname
- IP Address
Action inputs
N/A
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | Available |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"agentGuid": "3b3ff9df-d588-45a2-bb90-d73904accf46",
"osName": "Example OS",
"osVersion": "6.1.1111",
"osDescription": "Example OS Professional (64 bit) build 1111",
"productCode": "xes",
"loginAccount": {
"value": [
"EXAMPLE\\devs"
],
"updatedDateTime": "2022-12-26T17:28:51.000Z"
},
"endpointName": {
"value": "EXAMPLE",
"updatedDateTime": "2022-12-27T17:47:17.000Z"
},
"macAddress": {
"value": [
"01:23:45:ab:cd:ef",
"01:23:45:67:ab:cd:ef:gh"
],
"updatedDateTime": "2022-12-27T17:47:17.000Z"
},
"ip": {
"value": [
"198.51.100.1"
],
"updatedDateTime": "2022-12-27T17:47:17.000Z"
},
"installedProductCodes": [
"xes"
]
}
Entity enrichment – Prefix: TrendMicroVisionOne_
| Enrichment Field Name | Source (JSON key) | Logic - When to apply |
|---|---|---|
| os | osDescription | When available in JSON |
| login_account | Csv of loginAccount.value | When available in JSON |
| endpoint_name | endpointName.value | When available in JSON |
| ip | Csv ip.value | When available in JSON |
| installedProductCodes | Csv of installedProductCodes | When available in JSON |
Case wall
The action provides the following output messages:
| Output message | Message description |
| Successfully enriched the following entities using information from Trend Micro Vision One: ENTITY_IDENTIFIER | Action is successful. |
| Error executing action "Enrich Entities". Reason: ERROR_REASON | Action returned an error.
Check connection to the server, input parameters, or credentials. |
Case wall table
Name: ENTITY_IDENTIFIER
Columns:
- Key
- Value
Execute Custom Script
Execute custom script on the endpoint in Trend Vision One.
Entities
This action runs on the following entities:
- Hostname
- IP Address.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Script Name |
Required
Name of the script that needs to be executed on the endpoints. |
Script Parameters |
Parameters for the script. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | Available |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
The JSON result is available even if the action fails.
{
"Entity": "qweqwe",
"EntityResult": {
"task_id": "{task id}"
"status": "{task status}"
}
}
Case wall
The action provides the following output messages:
| Output message | Message description |
| Successfully executed custom script "SCRIPT_NAME" on the following endpoints in Trend Micro Vision One: ENTITY_IDENTIFIER | Action is successful. |
| Error executing action "Execute Custom Script". Reason: ERROR_REASON | Action returned an error.
Check connection to the server, input parameters, or credentials. |
| Error executing action "Execute Custom Script". Reason: script with name "SCRIPT_NAME" wasn't found. | Action returned an error.
Check the script name. |
| Error executing action "Execute Custom Script". Reason: action ran into a timeout during execution. Please increase the timeout in IDE. | Action returned an error. Increase the timeout value in IDE. |
Execute Email Action
Execute email action on the endpoint in Trend Vision One.
Entities
The action does not run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Action |
The action for the email. Default value is
|
Message ID |
Required ID of the message used in the action. |
Mailbox |
The mailbox related to the message. |
Description |
A description for the performed action. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"id": "RM-20231017-00001",
"status": "running",
"createdDateTime": "2023-10-17T05:25:37Z",
"lastActionDateTime": "2023-10-17T05:25:37Z",
"description": "task description",
"action": "quarantineMessage",
"account": "API key",
"tasks": [
{
"messageId": "<64e32256-fae1-4652-9f7a-8e514ec86d5a@example.com>",
"mailBox": "example.user@example.com",
"messageSubject": "Example Service has merged the incidents detected in your environment",
"uniqueId": "AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A28vWY1XUyUyUUvI8a3APqAADxR_EPAAA",
"organizationId": "40c52b8c-062a-4095-bd74-e46a5eb48308",
"status": "running",
"lastActionDateTime": "2023-10-17T05:25:38Z"
}
]
}
Case wall
The action provides the following output messages:
| Output message | Message description |
| Successfully executed action on the message ID in Trend Micro Vision One. | Action is successful. |
| Error executing action "Execute Email Action". Reason: ERROR_REASON | Action returned an error.
Check connection to the server, input parameters, or credentials. |
| Error executing action "Execute Email Action". Reason: action ran into a timeout during execution. Please increase the timeout in IDE. | Action returned an error. Increase the timeout value in IDE. |
Isolate Endpoint
Isolate endpoints in Trend Vision One.
Entities
This action runs on the following entities:
- IP Address
- Hostname
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Description |
The reasoning for the isolation of the endpoints. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
The JSON result is shown even if the action fails.
{
"Entity": "qweqwe",
"EntityResult": {
"status": "{task status}"
}
}
Case wall
The action provides the following output messages:
| Output message | Message description |
| Successfully isolated the following endpoints in Trend Micro Vision One: ENTITY_IDENTIFIER | Action is successful. |
| Error executing action "Isolate Endpoints". Reason: ERROR_REASON | Action returned an error.
Check connection to the server, input parameters, or credentials. |
| Error executing action "Isolate Endpoints". Reason: action ran into a timeout during execution. Pending endpoints: PENDING_ENDPOINTS. Please increase the timeout in IDE. | Action returned an error. Increase the timeout value in IDE. |
Submit File
Submit file in Trend Vision One.
Entities
The action does not run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
File Paths |
Required A comma-separated list of paths for the files to submit. |
Archive Password |
The password for the archive. |
Document Password |
The password for the document. |
Arguments |
Arguments for the submitted file. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"Entity": "file path",
"EntityResult": {
"id": "3daefed8-466f-46c6-849a-4dd46edb94b4",
"type": "file",
"digest": {
"md5": "f90a614c2ec8f72c55c2f50c0af923f3",
"sha1": "d3f75803673b19c0c736efbaf6a8d3891ae18a10",
"sha256": "3ba41b6e5c2ee4e9a2710976b177cf0db1080eb0277c554aa7d6ef1f0b04b33f"
},
"analysisCompletionDateTime": "2023-10-16T17:38:21Z",
"riskLevel": "noRisk",
"detectionNames": [],
"threatTypes": [],
"trueFileType": "Shell Script"
}
}
Case wall
The action provides the following output messages:
| Output message | Message description |
| Successfully submitted the following files in Trend Micro Vision One: FILE_PATHS | Action is successful. |
| Error executing action "Submit file". Reason: ERROR_REASON | Action returned an error.
Check connection to the server, input parameters, or credentials. |
| Error executing action "Submit File". Reason: the following files weren't found or not accessible: LIST_OF_FILE_PATHS | Action returned an error. Check the file paths. |
Submit URL
Submit URL in Trend Vision One.
Entities
This action runs on a URL entity.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Action |
The action for the email. Default value is
|
Message ID |
Required ID of the message used in the action. |
Mailbox |
The mailbox related to the message. |
Description |
A description for the performed action. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"Entity": "url",
"EntityResult": {
"id": "3daefed8-466f-46c6-849a-4dd46edb94b4",
"type": "file",
"digest": {
"md5": "f90a614c2ec8f72c55c2f50c0af923f3",
"sha1": "d3f75803673b19c0c736efbaf6a8d3891ae18a10",
"sha256": "3ba41b6e5c2ee4e9a2710976b177cf0db1080eb0277c554aa7d6ef1f0b04b33f"
},
"analysisCompletionDateTime": "2023-10-16T17:38:21Z",
"riskLevel": "noRisk",
"detectionNames": [],
"threatTypes": [],
"trueFileType": "Shell Script"
}
}
Case wall
The action provides the following output messages:
| Output message | Message description |
| Successfully submitted the following URLs in Trend Micro Vision One: LIST_OF_URLS | Action is successful. |
| Error executing action "Submit URL". Reason: ERROR_REASON | Action returned an error.
Check connection to the server, input parameters, or credentials. |
| Error executing action "Submit URL". Reason: action ran into a timeout during execution. Pending files: FILES_STILL_IN_PROGRESS. Please increase the timeout in IDE. | Action returned an error. Increase the timeout value in IDE. |
Unisolate Endpoint
Unisolate endpoints in Trend Vision One.
Entities
The action runs on the following entities:
- IP Address
- Hostname
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
| Description | The reason to unisolate of the endpoints. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
The JSON result is shown even if the action fails.
{
"Entity": "qweqwe",
"EntityResult": {
"status": "{task status}"
}
}
Case wall
The action provides the following output messages:
| Output message | Message description |
| Successfully unisolated the following endpoints in Trend Micro Vision One: ENTITY_IDENTIFIER | Action is successful. |
| Error executing action "Unisolate Endpoints". Reason: ERROR_REASON | Action returned an error.
Check connection to the server, input parameters, or credentials. |
| Error executing action "Unisolate Endpoints". Reason: action ran into a timeout during execution. Pending endpoints: PENDING_ENDPOINTS. Please increase the timeout in IDE. | Action returned an error. Increase the timeout value in IDE. |
Update Workbench Alert
Update a workbench alert in Trend Vision One.
Entities
The action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Alert ID
|
Required ID of the alert that needs to be updated. |
Status |
Required The status to be set for the alert. Default
value is
|
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"artifacts": [],
"assignedTo": "tip.labops",
"assignee": {
"displayName": "tip.labops@example.com",
"username": "tip.labops"
},
"closed": "2022-03-23T11:04:33.731971",
"closedBy": "tip.labops",
"confidence": 0.1,
"created": "2022-03-11T08:48:26.030204",
"description": "Detects multiple failed login attempts from a single source with unique usernames over a 24 hour timeframe. This is designed to catch both slow and quick password spray type attacks. The threshold and time frame can be adjusted based on the customer's environment.",
"entity": {
"entityType": "_ip",
"hostname": null,
"id": "_ip-198.51.100.1",
"macAddress": null,
"name": "198.51.100.1",
"sensorZone": "",
"value": "198.51.100.1"
},
"id": "dbc30c20-6d99-4f6f-8580-157ce70368a5",
"lastUpdated": "2022-03-23T11:04:33.740470",
"lastUpdatedBy": null,
"name": "Initial Access",
"orgId": "example",
"readableId": "INSIGHT-13927",
"recordSummaryFields": [],
"resolution": "False Positive",
"severity": "CRITICAL",
"signals": [
{
"allRecords": [
{
"action": "failed password attempt",
"bro_dns_answers": [],
"bro_file_bytes": {},
"bro_file_connUids": [],
"bro_flow_service": [],
"bro_ftp_pendingCommands": [],
"bro_http_cookieVars": [],
"bro_http_origFuids": [],
"bro_http_origMimeTypes": [],
"bro_http_request_headers": {},
"bro_http_request_proxied": [],
"bro_http_response_headers": {},
"bro_http_response_respFuids": [],
"bro_http_response_respMimeTypes": [],
"bro_http_tags": [],
"bro_http_uriVars": [],
"bro_kerberos_clientCert": {},
"bro_kerberos_serverCert": {},
"bro_sip_headers": {},
"bro_sip_requestPath": [],
"bro_sip_responsePath": [],
"bro_ssl_certChainFuids": [],
"bro_ssl_clientCertChainFuids": [],
"cseSignal": {},
"day": 11,
"device_ip": "198.51.100.1",
"device_ip_ipv4IntValue": 2887698974,
"device_ip_isInternal": true,
"device_ip_version": 4,
"fieldTags": {},
"fields": {
"auth_method": "ssh2",
"endpoint_ip": "198.51.100.1",
"endpoint_username": "1ewk0XJn",
"event_message": "Failed password for invalid user",
"src_port": "59088"
},
"friendlyName": "record",
"hour": 8,
"http_requestHeaders": {},
"listMatches": [],
"matchedItems": [],
"metadata_deviceEventId": "Example_server_auth_message",
"metadata_mapperName": "Example Server Auth Message",
"metadata_mapperUid": "bcc62402-2870-49ad-ba8d-64ddf22fd342",
"metadata_parseTime": 1646987453926,
"metadata_product": "Example Product",
"metadata_productGuid": "6751ee25-4ef9-4f9f-9c8b-c39668856994",
"metadata_receiptTime": 1646987443,
"metadata_relayHostname": "centos-002",
"metadata_schemaVersion": 3,
"metadata_sensorId": "0b52e838-2dbd-4fc0-a2b5-7135a5dc72b7",
"metadata_sensorInformation": {},
"metadata_sensorZone": "default",
"metadata_vendor": "Example Vendor",
"month": 3,
"normalizedAction": "logon",
"objectType": "Authentication",
"srcDevice_ip": "198.51.100.1",
"srcDevice_ip_ipv4IntValue": 2887698974,
"srcDevice_ip_isInternal": true,
"srcDevice_ip_version": 4,
"success": false,
"timestamp": 1646987443000,
"uid": "c2e6188b-202c-5736-9b4d-248ab6ba88dd",
"user_username": "1ewk0XJn",
"user_username_raw": "1ewk0XJn",
"year": 2022
}
],
"artifacts": [],
"contentType": "ANOMALY",
"description": "Detects multiple failed login attempts from a single source with unique usernames over a 24 hour timeframe. This is designed to catch both slow and quick password spray type attacks. The threshold and time frame can be adjusted based on the customer's environment.",
"id": "b4adb0dc-1340-56ec-87aa-c6f1fc0fa247",
"name": "Password Attack",
"recordCount": 10,
"recordTypes": [],
"ruleId": "THRESHOLD-S00095",
"severity": 4,
"stage": "Initial Access",
"tags": [
"_mitreAttackTactic:TA0001"
],
"timestamp": "2022-03-11T08:31:28"
}
],
"source": "USER",
"status": {
"displayName": "Closed",
"name": "closed"
},
"subResolution": null,
"tags": [
"aaa3"
],
"teamAssignedTo": null,
"timeToDetection": 1271.030204,
"timeToRemediation": 1044967.701767,
"timeToResponse": 21.186055,
"timestamp": "2022-03-11T08:31:28"
}
Case wall
The action provides the following output messages:
| Output message | Message description |
| Successfully updated workbench alert with ID ID in Trend Micro Vision One. | Action is successful. |
| Error executing action "Update Workbench Alert". Reason: ERROR_REASON | Action returned an error.
Check connection to the server, input parameters, or credentials. |
Connectors
For instructions about how to create and configure the Trend Vision One connector in Google Security Operations SOAR, see Configuring the connector.
Trend Vision One Workbench Alerts Connector
Pull information about workbench alerts from Trend Vision One.
Connector parameters
To configure the connector, use the following parameters:
| Parameters | |
|---|---|
Product Field Name |
Required
Enter the source field name in order to retrieve the Product Field name. Default value is |
Event Field Name |
Required
Enter the source field name in order to retrieve the Event Field name. Default value is |
Environment Field Name |
Optional
Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. Default value is |
Environment Regex Pattern |
Optional
A regular expression pattern to run on the value found in the
Default value The parameter allows the user to manipulate the environment field using the regular expression logic. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) |
Required
Timeout limit for the python process running the current script. Default value is 180. |
API Root |
Required
API root of the Trend Vision One instance. Default value is |
API Key |
Required
API Key of the Trend Vision One account. |
Lowest Severity Score To Fetch |
Optional
Lowest severity score of the incidents to fetch. If nothing is provided, the connector ingests incidents with all severities. Possible values are:
|
Max Hours Backwards |
Optional Amount of hours from where to fetch incidents. Default value is 1 hour. |
Max Alerts To Fetch |
Optional
The number of alerts to process per one connector iteration. Default value is 10. |
Use dynamic list as a blocklist |
Required If checked, the dynamic list is used as a blocklist. Unchecked by default. |
Verify SSL |
Required If checked, verifies that the SSL certificate for the connection to the Trend Vision One server is valid. Checked by default. |
Proxy Server Address |
Optional The address of the proxy server to use. |
Proxy Username |
Optional The proxy username to authenticate with. |
Proxy Password |
Optional The proxy password to authenticate with. |