Trellix AX
The Trellix AX connector allows for automated malware analysis and threat intelligence gathering by interfacing with the Trellix AX platform. Trellix AX is a malware analysis solution that provides detailed insight into security threats. This connector enables Swimlane Turbine users to automate the submission and retrieval of malware analysis, enhancing incident response capabilities. By integrating with Trellix AX, users can manage submission queues, analyze malware with detailed reports, and track submission statuses, all within the Swimlane ecosystem. This streamlines security operations by providing actionable intelligence and reducing manual intervention.

## Prerequisites

To use the Trellix AX connector with Swimlane Turbine, ensure you have the following:

- HTTP Basic authentication with the following parameters:
  - URL: the endpoint URL for the Trellix AX API
  - Username: your Trellix AX account username
  - Password: your Trellix AX account password

## Capabilities

This connector provides the following capabilities:

- Submission Queue Size Request
- Submission Results By UUID Request
- Submission Results Request
- Submission Results Request By Virtual Execution
- Submission Status By SHA List
- Submission Status By Time Range
- Submission Status By UUID
- Submission Status By UUID Result
- Submission Status Request
- Submission Status Request By Virtual Execution
- Submit File Request
- Submit File Request By Virtual Execution
- Submit Malware Object Request
- Submit Malware Object Request By Virtual Execution
- Submit URL Request

## Notes

- https://docs.trellix.com/bundle/api-ref/page/UUID-4897b2d0-7ac5-3dd4-d3b4-357ae060a0f7.html

## Configurations

### Trellix AX HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | Username | string | required |
| password | Password | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Submission Queue Size Request

Retrieve the total count of running and queued submissions in Trellix AX.

Endpoint URL: `/wsapis/v2.0.0/submissions/queuesize`

Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| queuesize | number | Output field queuesize |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 23 Aug 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"queuesize": 1138}}
```

### Submission Results By UUID Request

Retrieves the submission results for a specific alert by UUID in Trellix AX, requiring the unique identifier as a path parameter.

Endpoint URL: `/wsapis/v2.0.0/submissions/v2/result/{{uuid}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.uuid | string | required | Parameters for the Submission Results By UUID Request action |

Input example:

```json
{"path_parameters": {"uuid": "5e9e81e4-c48a-481e-b4ec-02c3f917f9a5"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| appliance_id | string | Unique identifier |
| anomaly_types | array | Type of the resource |
| sha256 | string | Output field sha256 |
| submitted_time | string | Time value |
| type | string | Type of the resource |
| uuid | string | Unique identifier |
| mitre_mapping | array | Output field mitre_mapping |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 23 Aug 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"appliance_id": "ac1f6b6e6e60", "anomaly_types": [{}], "sha256": "140417ba2238dde6de6b541ad75dae6a96fec5d7482054dc154242a1992c9b2f", "submitted_time": "2022-01-14T05:46:34.861637", "type": "docx", "uuid": "5e9e81e4-c48a-481e-b4ec-02c3f917f9a5", "mitre_mapping": [{}]}}
```

### Submission Results Request

Retrieve a detailed XML malware analysis report from Trellix AX using the provided submission key.

Endpoint URL: `/wsapis/v2.0.0/submissions/results/{{submission_key}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.submission_key | string | required | Parameters for the Submission Results Request action |

Input example:

```json
{"path_parameters": {"submission_key": "3831.5"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (the XML report is returned as a string; the example is truncated):

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 23 Aug 2023 20:37:23 GMT"}, "reason": "OK", "json_body": "b'<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\"?>\n<alerts appliance=\"cms"}
```

### Submission Results Request By Virtual Execution

Retrieve a detailed XML report of a malware file analysis from Trellix AX using the provided submission key.

Endpoint URL: `/wsapis/mvx/v2.0.0/submissions/results/{{submission_key}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.submission_key | string | required | Parameters for the Submission Results Request By Virtual Execution action |
| parameters.info_level | string | optional | Parameters for the Submission Results Request By Virtual Execution action |

Input example:

```json
{"parameters": {"info_level": "extended"}, "path_parameters": {"submission_key": "3831.5"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (the XML report is returned as a string; the example is truncated):

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 23 Aug 2023 20:37:23 GMT"}, "reason": "OK", "json_body": "b'<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\"?>\n<alerts appliance=\"cms"}
```

### Submission Status By SHA List

Retrieves the status of submissions for a list of SHA-256 values in Trellix AX, requiring the `sha256` parameter.

Endpoint URL: `/wsapis/mvx/v2.0.0/submissions/cluster/done`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.sha256 | string | required | One or more comma-separated SHA256 values |

Input example:

```json
{"parameters": {"sha256": "e03ef03fd007a8f44cc9d9f7535450cd4a9c3ce7ac56e62f7a848ab919a75397,1f6de691fe5ce64874c373ab1685e6c13d89a2abbe445fcc78ac94f474102dee"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 23 Aug 2023 20:37:23 GMT"}, "reason": "OK", "json_body": [{"sha256": "1f6de691fe5ce64874c373ab1685e6c13d89a2abbe445fcc78ac94f474102dee", "verdict": "non-malicious", "uuid": "fb346aef-de0b-414e-9830-8f5237bd4e3e", "done_time": "2021-03-23T20:09:46+0000"}]}
```

### Submission Status By Time Range

Retrieve the status of Trellix AX submissions within a specified time range, using start and end times as parameters.

Endpoint URL: `/wsapis/mvx/v2.0.0/submissions/cluster/done`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.start_time | string | required | Parameters for the Submission Status By Time Range action |
| parameters.end_time | string | required | Parameters for the Submission Status By Time Range action |

Input example:

```json
{"parameters": {"start_time": "2021-03-23T19:51:00.000-00:00", "end_time": "2021-03-23T20:51:00.000-00:00"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 23 Aug 2023 20:37:23 GMT"}, "reason": "OK", "json_body": [{"verdict": "non-malicious", "uuid": "59b503a9-f626-4ae1-bff3-5056d013577c", "done_time": "2021-03-23T19:53:17+0000"}]}
```

### Submission Status By UUID

Retrieve the status of a submission in Trellix AX using the specified UUID.

Endpoint URL: `/wsapis/mvx/v2.0.0/submissions/status`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.uuid | string | required | One or more comma-separated UUID values |

Input example:

```json
{"parameters": {"uuid": "8d319361-f482-446d-a371-0edd1f565988"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 23 Aug 2023 20:37:23 GMT"}, "reason": "OK", "json_body": [{"verdict": "non-malicious", "uuid": "90f0f5b1-2981-4942-ab92-a15f7c316481", "done_time": "2021-03-23T20:09:19+0000"}]}
```

### Submission Status By UUID Result

Retrieve the analysis result for a specific submission by UUID in Trellix AX, requiring the submission's unique identifier.

Endpoint URL: `/wsapis/v2.0.0/submissions/cluster/done/{{uuid}}/result`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.uuid | string | required | Parameters for the Submission Status By UUID Result action |

Input example:

```json
{"path_parameters": {"uuid": "8d319361-f482-446d-a371-0edd1f565988"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| verdict | string | Output field verdict |
| uuid | string | Unique identifier |
| done_time | string | Time value |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 23 Aug 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"verdict": "non-malicious", "uuid": "90f0f5b1-2981-4942-ab92-a15f7c316481", "done_time": "2021-03-23T20:09:19+0000"}}
```

### Submission Status Request

Checks the status of a submission in Trellix AX using the provided submission key.

Endpoint URL: `/wsapis/v2.0.0/submissions/status/{{submission_key}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.submission_key | string | required | Parameters for the Submission Status Request action |

Input example:

```json
{"path_parameters": {"submission_key": "3831.5"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| submissionstatus | string | Status value |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 23 Aug 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"submissionstatus": "In Progress"}}
```

### Submission Status Request By Virtual Execution

Checks the status of a specific submission in Trellix AX using the provided submission UUID.

Endpoint URL: `/wsapis/mvx/v2.0.0/submissions/status/{{submission_uuid}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.submission_uuid | string | required | Parameters for the Submission Status Request By Virtual Execution action |

Input example:

```json
{"path_parameters": {"submission_uuid": "7709"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| submissionstatus | string | Status value |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 23 Aug 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"submissionstatus": "Done"}}
```

### Submit File Request

Submit a file to Trellix AX for detailed analysis, specifying type, priority, profiles, and timeout options.

Endpoint URL: `/wsapis/v2.0.0/submissions/file`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| enable_vnc | string | optional | Specifies whether to enable VNC to the VM during the analysis. `false`: disables VNC; `true`: enables VNC |
| application | string | optional | Specifies the ID of the application to be used for the analysis. To determine the available applications for a specific profile, use the Malware Analysis Configuration request |
| timeout | string | optional | Sets the analysis timeout (in seconds) |
| priority | string | optional | Sets the analysis priority. `0` (normal): adds the analysis to the bottom of the queue; `1` (urgent): places the analysis at the top of the queue (default: normal) |
| profiles | array | optional | Selects the malware analysis profile to use for analysis. To determine the available profiles, use the Malware Analysis Configuration request |
| analysistype | string | optional | Specifies the analysis mode. `1` (live): analyze suspected files live within the Malware Analysis Multi-Vector Virtual Execution (MVX) analysis engine; `2` (sandbox): analyze suspected files in a closed, protected environment |
| force | string | optional | Specifies whether to perform an analysis on the file even if the file exactly matches an analysis that has already been performed. In most cases, it is not necessary to reanalyze malware. `false`: do not analyze duplicate files; `true`: force analysis (default: false) |
| prefetch | string | optional | Specifies whether to determine the file target based on an internal determination rather than browsing to the target location. `0`: no; `1`: yes |
| note | string | optional | Text description about the malware analysis submission. Notes are shared with the Dynamic Threat Intelligence (DTI) cloud |
| params | string | optional | File type of malware that is analyzed by the appliance. The Malware Analysis appliance analyzes DLLs or other file types that might be a malware dropper. DLL file types are the default. Prefetch must be enabled when submitting DLLs or other files with parameters for analysis. You can specify a function name (such as an entry point) and the file to be opened as part of the DLL parameter definition. For example, you can enter `mshtml.dll, OpenAs_RunDLL htmlfile.html` |
| files | object | required | File to be uploaded |
| files.file | string | optional | Parameter for Submit File Request |
| files.file_name | string | optional | Name of the resource |

Input example:

```json
{"enable_vnc": "true", "application": "2", "timeout": "500", "priority": "0", "profiles": ["win7-sp1"], "analysistype": "1", "force": "true", "prefetch": "0", "note": "note", "params": "mshtml.dll"}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| submission_details | object | Output field submission_details |
| submission_details.vnc_port | array | Output field submission_details.vnc_port |
| submission_details.job_ids | array | Unique identifier |
| submission_details.id | number | Unique identifier |
| submission_details.uuid | string | Unique identifier |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 3 Dec 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"id": "32826", "submission_details": {"vnc_port": [], "job_ids": [], "id": 32826, "uuid": "fc1f55bb-aee3-44c7-a164-6f2b01c88d4c"}}}
```

### Submit File Request By Virtual Execution

Submits a file for analysis to Trellix AX with options like analysis type, priority, profiles, and timeout settings.

Endpoint URL: `/wsapis/mvx/v2.0.0/submissions/file`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| attachments | object | required | File to be uploaded |
| attachments.file | string | required | Parameter for Submit File Request By Virtual Execution |
| attachments.file_name | string | required | Name of the resource |
| analysistype | string | optional | Type of the resource |
| priority | string | optional | Parameter for Submit File Request By Virtual Execution |
| profiles | array | optional | Parameter for Submit File Request By Virtual Execution |
| force | string | optional | Parameter for Submit File Request By Virtual Execution |
| application | string | optional | Parameter for Submit File Request By Virtual Execution |
| prefetch | string | optional | Parameter for Submit File Request By Virtual Execution |
| timeout | string | optional | Parameter for Submit File Request By Virtual Execution |

Input example:

```json
{"json_body": {"analysistype": "1", "priority": "0", "profiles": ["win7-sp1"], "force": "true", "application": "69", "prefetch": "0", "timeout": "500"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 23 Aug 2023 20:37:23 GMT"}, "reason": "OK", "json_body": [{"id": "7709"}]}
```

### Submit Malware Object Request

Uploads a file to Trellix AX for detailed malware analysis, allowing specification of type, priority, profiles, and additional scan options.

Endpoint URL: `/wsapis/v2.0.0/submissions`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| attachments | object | required | File to be uploaded |
| attachments.file | string | required | Parameter for Submit Malware Object Request |
| attachments.file_name | string | required | Name of the resource |
| analysistype | string | optional | Type of the resource |
| priority | string | optional | Parameter for Submit Malware Object Request |
| profiles | array | optional | Parameter for Submit Malware Object Request |
| force | string | optional | Parameter for Submit Malware Object Request |
| application | string | optional | Parameter for Submit Malware Object Request |
| prefetch | string | optional | Parameter for Submit Malware Object Request |
| timeout | string | optional | Parameter for Submit Malware Object Request |
| enable_vnc | string | optional | Parameter for Submit Malware Object Request |

Input example:

```json
{"json_body": {"analysistype": "1", "priority": "0", "profiles": ["win7-sp1"], "force": "true", "application": "69", "prefetch": "0", "timeout": "500", "enable_vnc": "true"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 23 Aug 2023 20:37:23 GMT"}, "reason": "OK", "json_body": [{"id": "3831.5"}]}
```

### Submit Malware Object Request By Virtual Execution

Uploads a file to Trellix AX for virtual execution scanning, with options for analysis type, priority, profiles, force, application, prefetch, and timeout.

Endpoint URL: `/wsapis/mvx/v2.0.0/submissions`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| attachments | object | required | File to be uploaded |
| attachments.file | string | required | Parameter for Submit Malware Object Request By Virtual Execution |
| attachments.file_name | string | required | Name of the resource |
| analysistype | string | optional | Type of the resource |
| priority | string | optional | Parameter for Submit Malware Object Request By Virtual Execution |
| profiles | array | optional | Parameter for Submit Malware Object Request By Virtual Execution |
| force | string | optional | Parameter for Submit Malware Object Request By Virtual Execution |
| application | string | optional | Parameter for Submit Malware Object Request By Virtual Execution |
| prefetch | string | optional | Parameter for Submit Malware Object Request By Virtual Execution |
| timeout | string | optional | Parameter for Submit Malware Object Request By Virtual Execution |
| enable_vnc | string | optional | Parameter for Submit Malware Object Request By Virtual Execution |

Input example:

```json
{"json_body": {"analysistype": "1", "priority": "0", "profiles": ["win7-sp1"], "force": "true", "application": "69", "prefetch": "0", "timeout": "500", "enable_vnc": "true"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| uuid | string | Unique identifier |
| brokerid | string | Unique identifier |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 23 Aug 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"uuid": "57ee22a2-0ae2-44df-a8a4-a5fef41881cc", "brokerid": "0cc47a39d7d0"}}
```

### Submit URL Request

Submits a URL to Trellix AX for analysis with options such as type, priority, profiles, and timeout settings.

Endpoint URL: `/wsapis/v2.0.0/submissions/url`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| timeout | number | optional | Parameter for Submit URL Request |
| priority | number | optional | Parameter for Submit URL Request |
| profiles | array | optional | Parameter for Submit URL Request |
| application | number | optional | Parameter for Submit URL Request |
| force | boolean | optional | Parameter for Submit URL Request |
| analysistype | number | optional | Type of the resource |
| prefetch | number | optional | Parameter for Submit URL Request |
| urls | array | optional | URL endpoint for the request |

Input example:

```json
{"json_body": {"timeout": 200, "priority": 1, "profiles": ["win7-sp1", "winxp-sp3"], "application": 2, "force": true, "analysistype": 2, "prefetch": 1, "urls": ["http://172.16.225.87/malsust/file_share/treasury65malware/1134220120630_letter.pdf.xdp", "http://172.16.225.87/malsust/file_share/treasury65malware/contagioencryptedxls_d116c745fe94c202934ef49f59d19950.xls"]}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 23 Aug 2023 20:37:23 GMT"}, "reason": "OK", "json_body": [{"id": "l135.5"}]}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Tue, 3 Dec 2024 20:37:23 GMT |
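The submit, poll-status, fetch-results sequence that the actions above are built for, as an added example that is not the connector's or Trellix's own code. The endpoint paths, the `submissionstatus` / `queuesize` keys and the `b'<?xml ...'` form of the results body are taken from the action reference above; the `TrellixAX` wrapper class, the injectable `http` transport and the polling bound are assumptions of this example.

```python
import ast
import base64
import json
import time
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]                  # (status_code, headers, body)
Http = Callable[[str, str, Dict[str, str], bytes], Response]   # (method, url, headers, body)


def urllib_http(method: str, url: str, headers: Dict[str, str], body: bytes) -> Response:
    """Default transport (stdlib urllib); TLS certificate verification stays on."""
    req = urllib.request.Request(url, data=body or None, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, dict(resp.headers), resp.read()


def parse_results_body(body) -> ET.Element:
    """Accept raw XML bytes or the stringified Python bytes literal ("b'<?xml ...'") that
    the results actions' output example shows in json_body."""
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
    raw = ast.literal_eval(text) if text[:2] in ("b'", 'b"') else text.encode("utf-8")
    return ET.fromstring(raw)  # parse bytes so the XML encoding declaration is honoured


class TrellixAX:
    """Assumed minimal HTTP Basic client for the /wsapis/v2.0.0 submission endpoints."""
    def __init__(self, base_url: str, username: str, password: str, http: Http = urllib_http):
        self.base_url, self.http = base_url.rstrip("/"), http
        token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
        self.headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}

    def _call(self, method: str, path: str, payload=None) -> bytes:
        body, headers = b"", dict(self.headers)
        if payload is not None:  # POST actions send a JSON body
            body, headers["Content-Type"] = json.dumps(payload).encode("utf-8"), "application/json"
        status, _, data = self.http(method, self.base_url + path, headers, body)
        if status != 200:  # fail loudly on auth errors or a bad key instead of parsing junk
            raise RuntimeError(f"{method} {path}: HTTP {status}")
        return data

    def queue_size(self) -> int:
        return json.loads(self._call("GET", "/wsapis/v2.0.0/submissions/queuesize"))["queuesize"]

    def submit_url(self, urls: List[str], profiles: List[str], timeout: int = 200) -> str:
        payload = {"urls": urls, "profiles": profiles, "timeout": timeout, "priority": 0,
                   "analysistype": 2, "force": False, "prefetch": 1}  # sandbox mode, no re-analysis
        reply = json.loads(self._call("POST", "/wsapis/v2.0.0/submissions/url", payload))
        return reply[0]["id"]  # the submission key used by the status/results actions

    def submission_status(self, key: str) -> str:
        reply = json.loads(self._call("GET", f"/wsapis/v2.0.0/submissions/status/{key}"))
        return reply["submissionstatus"]

    def submission_results(self, key: str) -> ET.Element:
        return parse_results_body(self._call("GET", f"/wsapis/v2.0.0/submissions/results/{key}"))


def wait_for_report(client: TrellixAX, key: str, attempts: int = 40, delay: float = 15.0,
                    sleep: Callable[[float], None] = time.sleep) -> ET.Element:
    """Poll until submissionstatus reads 'Done' (case-insensitive), then fetch the report;
    the attempt bound keeps a stuck submission from hanging a playbook forever."""
    for _ in range(attempts):
        if client.submission_status(key).lower() == "done":
            return client.submission_results(key)
        sleep(delay)
    raise TimeoutError(f"submission {key} not finished after {attempts} polls")
```

In a playbook the `http` argument is left at its default; passing a stub transport, as the tests do, lets the polling and report parsing be exercised without an appliance.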