Trellix AX
The Trellix AX connector allows for automated malware analysis and threat intelligence gathering by interfacing with the Trellix AX platform. Trellix AX is a cutting-edge malware analysis solution that provides comprehensive insights into security threats. This connector enables Swimlane Turbine users to automate the submission and retrieval of malware analyses, enhancing incident response capabilities. By integrating with Trellix AX, users can efficiently manage submission queues, analyze malware with detailed reports, and track submission statuses, all within the Swimlane ecosystem. This streamlines security operations by providing actionable intelligence and reducing manual intervention.

## Prerequisites

To effectively utilize the Trellix AX connector with Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic Authentication with the following parameters:
  - URL: the endpoint URL for the Trellix AX API
  - Username: your Trellix AX account username
  - Password: your Trellix AX account password

## Capabilities

This connector provides the following capabilities:

- Submission Queue Size Request
- Submission Results by UUID Request
- Submission Results Request
- Submission Results Request by Virtual Execution
- Submission Status by SHA List
- Submission Status by Time Range
- Submission Status by UUID
- Submission Status by UUID Result
- Submission Status Request
- Submission Status Request by Virtual Execution
- Submit File Request
- Submit File Request by Virtual Execution
- Submit Malware Object Request
- Submit Malware Object Request by Virtual Execution
- Submit URL Request

## Configurations

### Trellix AX HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | Username | string | required |
| password | Password | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Submission Queue Size Request

Retrieve the total count of running and queued submissions in Trellix AX.

**Endpoint URL:** `/wsapis/v2.0.0/submissions/queuesize`

**Method:** GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| queuesize | number | Output field queuesize |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "queuesize": 1138
    }
  }
]
```

### Submission Results by UUID Request

Retrieves the submission results for a specific alert by UUID in Trellix AX, requiring the unique identifier as a path parameter.

**Endpoint URL:** `/wsapis/v2.0.0/submissions/v2/result/{{uuid}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| uuid | string | required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| appliance_id | string | Unique identifier |
| anomaly_types | array | Type of the resource |
| sha256 | string | Output field sha256 |
| submitted_time | string | Time value |
| type | string | Type of the resource |
| uuid | string | Unique identifier |
| mitre_mapping | array | Output field mitre_mapping |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "appliance_id": "ac1f6b6e6e60",
      "anomaly_types": [],
      "sha256": "140417ba2238dde6de6b541ad75dae6a96fec5d7482054dc154242a1992c9b2f",
      "submitted_time": "2022-01-14T05:46:34.861637",
      "type": "docx",
      "uuid": "5e9e81e4-c48a-481e-b4ec-02c3f917f9a5",
      "mitre_mapping": []
    }
  }
]
```

### Submission Results Request

Retrieve a detailed XML malware analysis report from Trellix AX using the provided submission key.

**Endpoint URL:** `/wsapis/v2.0.0/submissions/results/{{submission_key}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| submission_key | string | required | Parameter for Submission Results Request |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": "b'<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\"?>\n<alerts appliance=\"cms..."
  }
]
```

### Submission Results Request by Virtual Execution

Retrieve a detailed XML report of a malware file analysis from Trellix AX using the provided submission key.

**Endpoint URL:** `/wsapis/mvx/v2.0.0/submissions/results/{{submission_key}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| submission_key | string | required | Parameter for Submission Results Request by Virtual Execution |
| info_level | string | optional | Parameter for Submission Results Request by Virtual Execution |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": "b'<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\"?>\n<alerts appliance=\"cms..."
  }
]
```

### Submission Status by SHA List

Retrieves the status of submissions for a list of SHA-256 values in Trellix AX, requiring the `sha256` parameter.

**Endpoint URL:** `/wsapis/mvx/v2.0.0/submissions/cluster/done`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| sha256 | string | required | One or more comma-separated SHA-256 values |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Submission Status by Time Range

Retrieve the status of Trellix AX submissions within a specified time range, using start and end times as parameters.

**Endpoint URL:** `/wsapis/mvx/v2.0.0/submissions/cluster/done`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| start_time | string | required | Time value |
| end_time | string | required | Time value |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Submission Status by UUID

Retrieve the status of a submission in Trellix AX using the specified UUID.

**Endpoint URL:** `/wsapis/mvx/v2.0.0/submissions/status`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| uuid | string | required | One or more comma-separated UUID values |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Submission Status by UUID Result

Retrieve the analysis result for a specific submission by UUID in Trellix AX, requiring the submission's unique identifier.

**Endpoint URL:** `/wsapis/v2.0.0/submissions/cluster/done/{{uuid}}/result`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| uuid | string | required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| verdict | string | Output field verdict |
| uuid | string | Unique identifier |
| done_time | string | Time value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "verdict": "non-malicious",
      "uuid": "90f0f5b1-2981-4942-ab92-a15f7c316481",
      "done_time": "2021-03-23T20:09:19+0000"
    }
  }
]
```

### Submission Status Request

Checks the status of a submission in Trellix AX using the provided submission key.

**Endpoint URL:** `/wsapis/v2.0.0/submissions/status/{{submission_key}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| submission_key | string | required | Parameter for Submission Status Request |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| submissionStatus | string | Status value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "submissionStatus": "In Progress"
    }
  }
]
```

### Submission Status Request by Virtual Execution

Checks the status of a specific submission in Trellix AX using the provided submission UUID.

**Endpoint URL:** `/wsapis/mvx/v2.0.0/submissions/status/{{submission_uuid}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| submission_uuid | string | required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| submissionStatus | string | Status value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "submissionStatus": "Done"
    }
  }
]
```

### Submit File Request

Submit a file to Trellix AX for detailed analysis, specifying type, priority, profiles, and timeout options.

**Endpoint URL:** `/wsapis/v2.0.0/submissions/file`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| enable_vnc | string | optional | Specifies whether to enable VNC to the VM during the analysis. `false`: disables VNC; `true`: enables VNC. |
| application | string | optional | Specifies the ID of the application to be used for the analysis. To determine the available applications for a specific profile, use the Malware Analysis Configuration request. |
| timeout | string | optional | Sets the analysis timeout (in seconds). |
| priority | string | optional | Sets the analysis priority. `0`: normal, adds the analysis to the bottom of the queue; `1`: urgent, places the analysis at the top of the queue. Default: normal. |
| profiles | array | optional | Selects the malware analysis profile to use for analysis. To determine the available profiles, use the Malware Analysis Configuration request. |
| analysistype | string | optional | Specifies the analysis mode. `1`: live, analyze suspected files live within the Malware Analysis Multi-Vector Virtual Execution (IVX) analysis engine; `2`: sandbox, analyze suspected files in a closed, protected environment. |
| force | string | optional | Specifies whether to perform an analysis on the file even if the file exactly matches an analysis that has already been performed. In most cases, it is not necessary to reanalyze malware. `false`: do not analyze duplicate files; `true`: force analysis. Default: `false`. |
| prefetch | string | optional | Specifies whether to determine the file target based on an internal determination rather than browsing to the target location. `0`: no; `1`: yes. |
| note | string | optional | Text description about the malware analysis submission. Notes are shared with the Dynamic Threat Intelligence (DTI) cloud. |
| params | string | optional | File type of malware that is analyzed by the appliance. The Malware Analysis appliance analyzes DLLs or other file types that might be a malware dropper. DLL file types are the default. Prefetch must be enabled when submitting DLLs or other files with parameters for analysis. You can specify a function name (such as an entry point) and the file to be opened as part of the DLL parameter definition, for example: mshtml.dll, openas rundll htmlfile html files. |
| files | object | required | File to be uploaded |
| file | string | optional | Parameter for Submit File Request |
| file_name | string | optional | Name of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| submission_details | object | Output field submission_details |
| vnc_port | array | Output field vnc_port |
| job_ids | array | Unique identifier |
| id | number | Unique identifier |
| uuid | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 3 Dec 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": "32826",
      "submission_details": {}
    }
  }
]
```

### Submit File Request by Virtual Execution

Submits a file for analysis to Trellix AX with options like analysis type, priority, profiles, and timeout settings.

**Endpoint URL:** `/wsapis/mvx/v2.0.0/submissions/file`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| attachments | object | required | File to be uploaded |
| file | string | required | Parameter for Submit File Request by Virtual Execution |
| file_name | string | required | Name of the resource |
| analysistype | string | required | Type of the resource |
| priority | string | required | Parameter for Submit File Request by Virtual Execution |
| profiles | array | required | Parameter for Submit File Request by Virtual Execution |
| force | string | required | Parameter for Submit File Request by Virtual Execution |
| application | string | required | Parameter for Submit File Request by Virtual Execution |
| prefetch | string | required | Parameter for Submit File Request by Virtual Execution |
| timeout | string | required | Parameter for Submit File Request by Virtual Execution |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Submit Malware Object Request

Uploads a file to Trellix AX for detailed malware analysis, allowing specification of type, priority, profiles, and additional scan options.

**Endpoint URL:** `/wsapis/v2.0.0/submissions`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| attachments | object | required | File to be uploaded |
| file | string | required | Parameter for Submit Malware Object Request |
| file_name | string | required | Name of the resource |
| analysistype | string | required | Type of the resource |
| priority | string | required | Parameter for Submit Malware Object Request |
| profiles | array | required | Parameter for Submit Malware Object Request |
| force | string | required | Parameter for Submit Malware Object Request |
| application | string | required | Parameter for Submit Malware Object Request |
| prefetch | string | required | Parameter for Submit Malware Object Request |
| timeout | string | required | Parameter for Submit Malware Object Request |
| enable_vnc | string | optional | Parameter for Submit Malware Object Request |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Submit Malware Object Request by Virtual Execution

Uploads a file to Trellix AX for virtual execution scanning, with options for analysis type, priority, profiles, force, application, prefetch, and timeout.

**Endpoint URL:** `/wsapis/mvx/v2.0.0/submissions`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| attachments | object | required | File to be uploaded |
| file | string | required | Parameter for Submit Malware Object Request by Virtual Execution |
| file_name | string | required | Name of the resource |
| analysistype | string | required | Type of the resource |
| priority | string | required | Parameter for Submit Malware Object Request by Virtual Execution |
| profiles | array | required | Parameter for Submit Malware Object Request by Virtual Execution |
| force | string | required | Parameter for Submit Malware Object Request by Virtual Execution |
| application | string | required | Parameter for Submit Malware Object Request by Virtual Execution |
| prefetch | string | required | Parameter for Submit Malware Object Request by Virtual Execution |
| timeout | string | required | Parameter for Submit Malware Object Request by Virtual Execution |
| enable_vnc | string | optional | Parameter for Submit Malware Object Request by Virtual Execution |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| uuid | string | Unique identifier |
| brokerid | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "uuid": "57ee22a2-0ae2-44df-a8a4-a5fef41881cc",
      "brokerid": "0cc47a39d7d0"
    }
  }
]
```

### Submit URL Request

Submits a URL to Trellix AX for analysis with options such as type, priority, profiles, and timeout settings.

**Endpoint URL:** `/wsapis/v2.0.0/submissions/url`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| timeout | number | required | Parameter for Submit URL Request |
| priority | number | required | Parameter for Submit URL Request |
| profiles | array | required | Parameter for Submit URL Request |
| application | number | required | Parameter for Submit URL Request |
| force | boolean | required | Parameter for Submit URL Request |
| analysistype | number | required | Type of the resource |
| prefetch | number | required | Parameter for Submit URL Request |
| urls | array | required | URL endpoint for the request |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 23 Aug 2023 20:37:23 GMT |

## Notes

- Trellix AX API documentation: https://docs.trellix.com/bundle/api-ref/page/UUID-4897b2d0-7ac5-3dd4-d3b4-357ae060a0f7.html
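As an added example (not code from the Swimlane connector or from Trellix), the Python client below chains three of the v2.0.0 actions documented above into the usual workflow: Submit File Request, then polling Submission Status Request until the status is Done, then Submission Results Request for the XML report, all under HTTP basic authentication with certificate verification left on. The host, credentials, and the multipart layout of the option fields are assumptions, and the HTTP transport is injectable so the workflow can be exercised offline against a fake.

```python
import base64
import json
import time
import urllib.request

class AxClient:
    """Submit a file to Trellix AX, poll its status, then fetch the XML report."""

    def __init__(self, base_url, username, password, transport=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.auth_header = {"Authorization": f"Basic {token}"}
        # transport(method, url, headers, body) -> (status_code, body_bytes); a fake can be injected
        self.transport = transport or self._urllib_transport

    @staticmethod
    def _urllib_transport(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:  # certificate verification stays on
            return resp.status, resp.read()

    def _request(self, method, path, body=None, content_type=None):
        headers = dict(self.auth_header)
        if content_type:
            headers["Content-Type"] = content_type
        status, raw = self.transport(method, self.base_url + path, headers, body)
        if status != 200:
            raise RuntimeError(f"{method} {path} returned HTTP {status}")
        return raw

    def submit_file(self, file_name, data, priority=0, analysistype=2, force=False, timeout=300):
        # Assumption: the options travel as ordinary multipart fields beside the file part.
        boundary = "ax-example-boundary"
        fields = {"priority": priority, "analysistype": analysistype,
                  "force": str(force).lower(), "timeout": timeout}
        parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'.encode()
                 for k, v in fields.items()]
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
                     f'filename="{file_name}"\r\nContent-Type: application/octet-stream\r\n\r\n'.encode()
                     + data + f"\r\n--{boundary}--\r\n".encode())
        raw = self._request("POST", "/wsapis/v2.0.0/submissions/file", b"".join(parts),
                            f"multipart/form-data; boundary={boundary}")
        return json.loads(raw)["id"]  # this id is the submission key for the status/results calls

    def status(self, submission_key):
        raw = self._request("GET", f"/wsapis/v2.0.0/submissions/status/{submission_key}")
        return json.loads(raw)["submissionStatus"]

    def wait_for_report(self, submission_key, poll_seconds=5, max_polls=60, sleep=time.sleep):
        for _ in range(max_polls):
            if self.status(submission_key).lower() == "done":  # the report exists only once Done
                return self._request("GET", f"/wsapis/v2.0.0/submissions/results/{submission_key}")
            sleep(poll_seconds)
        raise TimeoutError(f"submission {submission_key} not Done after {max_polls} polls")
```

Bound `max_polls` by the `timeout` you submitted with, so a stuck analysis fails the Turbine action instead of polling indefinitely.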