# Trellix Enterprise Security Manager
This connector integrates the Trellix Enterprise Security Manager (ESM) v2 REST API with Swimlane Turbine.

## Prerequisites

The Trellix ESM connector requires a host, username and password for authentication.

## Capabilities

The Trellix ESM connector has the following capabilities:

- Add Watchlist Values
- Execute Query Detail
- Fetch Alarms
- Get Correlated Event for ID
- Get Event Details
- Get Query Results
- Get Query Status
- Get Triggered Alarms
- Get Triggered Alarm Details
- Get Watchlist
- Query IPs
- Remove Watchlist Values
- Total Events

## Notes

- The IP query may take some time while Trellix ESM processes the request.
- This connector supports product versions 10.0, 10.1, 10.2, 10.3, 11.1 and 11.3.

## Configurations

### Trellix ESM HTTP Basic Authentication

Authenticates using a username and password.

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A target URL | string | required |
| username | Username | string | required |
| password | Password | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

Leave `verify_ssl` enabled wherever possible: because the connector authenticates with a username and password, disabling certificate verification exposes those credentials to anyone able to intercept the connection to the ESM.

## Actions

### Add Watchlist Values

Adds the specified values to a watchlist in Trellix Enterprise Security Manager using the provided JSON body data.

Endpoint URL: `/sysAddWatchlistValues`
Method: POST

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| watchlist | number | optional | ID of the watchlist |
| values | array | optional | List of string values to be added to the watchlist |

#### Input Example

```json
{"json_body": {"watchlist": 0, "values": [""]}}
```

#### Output Parameter

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Execute Query Detail

Executes a detailed query in Trellix Enterprise Security Manager to retrieve specific event information.

Endpoint URL: `/qryExecuteDetail`
Method: POST

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.type | string | optional | The type of query to execute, either `EVENT` or `FLOW` |
| parameters.reverse | boolean | optional | Whether to reverse the order of the results |
| config | object | optional | The parameters to apply to the query, including filters, ordering, fields, etc. |
| config.timeRange | string | optional | Time range for the query; set to `CUSTOM` to use `customStart` and `customEnd` |
| config.customStart | string | optional | Start of the time range when `timeRange` is `CUSTOM` |
| config.customEnd | string | optional | End of the time range when `timeRange` is `CUSTOM` |
| config.order | array | optional | Sort order for the results |
| config.order.direction | string | optional | Sort direction |
| config.order.field | object | optional | Field to sort on |
| config.order.field.name | string | optional | Name of the field |
| config.order.field.typeBits | number | optional | Type of the field |
| config.order.field.id | string | optional | Unique identifier of the field |
| config.includeTotal | boolean | optional | Whether to include the total number of matching records |
| config.fields | array | optional | Fields to return in the result rows |
| config.fields.name | string | optional | Name of the field |
| config.fields.typeBits | number | optional | Type of the field |
| config.fields.id | string | optional | Unique identifier of the field |
| config.filters | array | optional | Filters applied to the query |
| config.filters.type | string | optional | Filter type (for example `EsmFieldFilter`) |
| config.filters.field | object | optional | Field the filter applies to |
| config.filters.field.name | string | optional | Name of the field |
| config.filters.operator | string | optional | Comparison operator (for example `IN`) |
| config.filters.values | array | optional | Values the filter compares against |
| config.filters.values.type | string | optional | Value type (for example `EsmWatchlistValue`) |
| config.filters.values.watchlist | number | optional | ID of the watchlist whose values are used |

#### Input Example

```json
{
  "parameters": {"type": "EVENT", "reverse": false},
  "json_body": {
    "config": {
      "timeRange": "CUSTOM",
      "customStart": "2020-03-11T11:30:12.583Z",
      "customEnd": "2020-03-11T11:30:12.584Z",
      "order": [{"direction": "ASCENDING", "field": {"name": "", "typeBits": 0, "id": "ab456df"}}],
      "includeTotal": false,
      "fields": [{"name": "", "typeBits": 0, "id": "ab456df"}],
      "filters": [
        {
          "type": "EsmFieldFilter",
          "field": {"name": ""},
          "operator": "IN",
          "values": [{"type": "EsmWatchlistValue", "watchlist": 0}]
        }
      ],
      "limit": 0,
      "offset": 0,
      "netmask": ""
    }
  }
}
```

#### Output Parameter

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Fetch Alarms

Fetch triggered alarms.

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| timeRange | string | optional | The time period for the search |
| customStart | string | optional | Start of the time range; used only when `timeRange` is `CUSTOM` |
| customEnd | string | optional | End of the time range; used only when `timeRange` is `CUSTOM` |

#### Input Example

```json
{"timeRange": "CURRENT_YEAR"}
```

#### Output Parameter

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": [
    {
      "id": 42710,
      "acknowledgedDate": "2020-06-24T11:32:08Z",
      "acknowledgedUsername": "",
      "alarmName": "alarm test",
      "assignee": "analyst",
      "conditionType": 22,
      "severity": 50,
      "summary": "event rate exceeded 10 by 17",
      "triggeredDate": "2020-06-24T13:05:43Z"
    }
  ]
}
```

### Get Correlated Event for ID

Retrieve the source events and flows associated with a specified correlated event ID in Trellix ESM.

Endpoint URL: `/qryGetCorrEventDataForID`
Method: POST

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.queryType | string | optional | Either `EVENT` or `FLOW`, depending on the events needed |
| eventId | string | optional | The event ID whose source events are needed |
| fields | array | optional | The list of fields to provide in the returned rows |
| fields.name | string | optional | Name of the field |
| fields.typeBits | number | optional | Type of the field |
| fields.id | string | optional | Unique identifier of the field |

#### Input Example

```json
{"parameters": {"queryType": "EVENT"}, "json_body": {"eventId": "", "fields": [{"name": "", "typeBits": 0, "id": "ab456df"}]}}
```

#### Output Parameter

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Get Event Details

Retrieve detailed alert data from Trellix Enterprise Security Manager using a specific event ID.

Endpoint URL: `/ipsGetAlertData`
Method: POST

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | optional | The IPSIDAlertID of the event |

#### Input Example

```json
{"json_body": {"id": ""}}
```

#### Output Parameter

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Get Query Results

Retrieve the results of a specified query from Trellix Enterprise Security Manager.

Endpoint URL: `/qryGetResults`
Method: POST

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.startPos | number | optional | The start position of the requested data |
| parameters.numRows | number | optional | The number of rows requested |
| resultID | string | optional | The result ID whose data is being requested |

#### Input Example

```json
{"parameters": {"startPos": 0, "numRows": 3}, "json_body": {"resultID": "123456789000"}}
```

#### Output Parameter

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Get Query Status

Retrieve the execution status of a specific query in Trellix Enterprise Security Manager using its result ID.

Endpoint URL: `/qryGetStatus`
Method: POST

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| resultID | string | optional | The ID of the results, obtained from the `EsmActiveQuery` returned by `qryExecuteQuery()` |

#### Input Example

```json
{"json_body": {"resultID": "123456789000"}}
```

#### Output Parameter

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Get Triggered Alarm Details

Retrieve detailed information for a specific triggered alarm in Trellix Enterprise Security Manager using the alarm's ID.

Endpoint URL: `/notifyGetTriggeredNotificationDetail`
Method: POST

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| id | number | optional | The alarm to get the details for |

#### Input Example

```json
{"json_body": {"id": 0}}
```

#### Output Parameter

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Get Triggered Alarms

Retrieve a paged list of triggered alarms from Trellix Enterprise Security Manager.

Endpoint URL: `/alarmGetTriggeredAlarms`
Method: POST

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.triggeredTimeRange | string | optional | Filter the list to alarms that were triggered in this time range |
| parameters.customStart | string | optional | If `triggeredTimeRange` is `CUSTOM`, the start of the time range (ignored otherwise) |
| parameters.customEnd | string | optional | If `triggeredTimeRange` is `CUSTOM`, the end of the time range (ignored otherwise) |
| parameters.status | string | optional | Case sensitive: `acknowledged`, `unacknowledged`, or `""` / null for all (default is null) |
| parameters.pageSize | string | optional | The number of alarms to return per page (default is 1000, max is 5000) |
| parameters.pageNumber | string | optional | Which page of alarms to return (default is 1) |
| assignedUser | object | optional | The user assigned to handle this triggered alarm (default is the current user) |
| assignedUser.username | string | optional | Username |
| assignedUser.id | number | optional | Unique identifier |
| assignedUser.locked | boolean | optional | Whether the user account is locked |
| assignedUser.loggedInCount | number | optional | Count value |
| assignedUser.email | string | optional | Email address |
| assignedUser.emailId | number | optional | Unique identifier |
| assignedUser.sms | string | optional | SMS address |
| assignedUser.smsId | number | optional | Unique identifier |
| assignedUser.master | boolean | optional | Whether the user is a master user |
| assignedUser.admin | boolean | optional | Whether the user is an administrator |
| assignedUser.alias | string | optional | Alias |
| assignedUser.type | string | optional | Type of the user |
| assignedUser.groups | array | optional | Groups the user belongs to |

#### Input Example

```json
{
  "parameters": {
    "triggeredTimeRange": "CUSTOM",
    "customStart": "2020-03-11T11:30:12.546Z",
    "customEnd": "2020-03-11T11:30:12.546Z",
    "status": "acknowledged",
    "pageSize": "1000",
    "pageNumber": "1"
  },
  "json_body": {
    "assignedUser": {
      "username": "david",
      "id": 0,
      "locked": false,
      "loggedInCount": 0,
      "email": "david@gmail.com",
      "emailId": 0,
      "sms": "",
      "smsId": 0,
      "master": false,
      "admin": false,
      "alias": "",
      "type": "power",
      "groups": [0]
    }
  }
}
```

#### Output Parameter

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Get Watchlist

Retrieves basic information for all watchlists within the Trellix Enterprise Security Manager system.

Endpoint URL: `/sysGetWatchlists`
Method: POST

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.hidden | boolean | optional | Whether to show hidden watchlists |
| parameters.dynamic | boolean | optional | Whether to show dynamic watchlists |
| parameters.writeOnly | boolean | optional | Whether to show only modifiable watchlists |
| parameters.indexedOnly | boolean | optional | Whether to show only indexed watchlists |
| filters | array | optional | List of fields/types used to filter the list of watchlists returned |
| filters.name | string | optional | Name of the field or type |
| filters.id | number | optional | Unique identifier |

#### Input Example

```json
{"parameters": {"hidden": false, "dynamic": false, "writeOnly": false, "indexedOnly": false}, "json_body": {"filters": [{"name": "david", "id": 0}]}}
```

#### Output Parameter

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Query IPs

Retrieve all events correlating to an IP address.

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| target_ip | string | required | The IP address to search for |
| time_range | string | required | The time period for the search |
| custom_start | string | optional | Start of the time range; used only when `time_range` is `CUSTOM` |
| custom_end | string | optional | End of the time range; used only when `time_range` is `CUSTOM` |
| limit | number | optional | Maximum number of events to return |

#### Input Example

```json
{"target_ip": "8.8.8.8", "time_range": "CURRENT_YEAR", "limit": 50}
```

#### Output Parameter

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": [
    {
      "firstTime": 42710,
      "lastTime": "2020-06-24T11:32:08Z",
      "eventCount": 20,
      "srcIp": "8.8.8.8",
      "dstIp": "0.0.0.0",
      "protocol": "http",
      "DSIDSigID": "50",
      "ruleMsg": "event rate exceeded 10 by 17",
      "userIdSrc": "",
      "eventId": 1
    }
  ]
}
```

### Remove Watchlist Values

Removes the specified values from a watchlist in Trellix Enterprise Security Manager; the `watchlist` parameter is required.

Endpoint URL: `/sysRemoveWatchlistValues`
Method: POST

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| watchlist | number | required | ID of the watchlist |
| values | array | optional | List of string values to be removed from the watchlist |

#### Input Example

```json
{"json_body": {"watchlist": 0, "values": [""]}}
```

#### Output Parameter

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Total Events

Retrieve the total number of events correlating to an IP address.

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| target_ip | string | required | The IP address to search for |
| time_range | string | required | The time period for the search |
| custom_start | string | optional | Start of the time range; used only when `time_range` is `CUSTOM` |
| custom_end | string | optional | End of the time range; used only when `time_range` is `CUSTOM` |
| limit | number | optional | Maximum number of events to count |

#### Input Example

```json
{"target_ip": "8.8.8.8", "time_range": "CURRENT_YEAR", "limit": 50}
```

#### Output Parameter

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 13 Dec 2023 20:37:23 GMT |
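The Execute Query Detail, Get Query Status and Get Query Results actions above are three legs of one asynchronous workflow: submit the query, poll its status by result ID until it completes, then page through the rows with `startPos`/`numRows`. The added example below (not the connector's or Trellix's own code) runs that workflow end to end against a constructed stand-in for the ESM REST API so it executes offline, and enforces the `CUSTOM` time-range rule the Fetch Alarms and Get Triggered Alarms descriptions state, namely that `customStart`/`customEnd` only mean anything when the range is `CUSTOM` and must form a real interval. Assumptions, labelled in the code: the response key names `resultID` and `complete`, the `columns`/`rows`/`values` result layout, the `Alert.SrcIP`/`Alert.DstIP` field names, and the sample rows, all of which are constructed for this example rather than taken from the page.

```python
"""Async ESM query workflow: qryExecuteDetail -> qryGetStatus -> qryGetResults.

Added example, not the connector's own code. FakeEsm is a constructed
stand-in for the ESM v2 REST API so the flow runs offline.
"""
import re
import time
from datetime import datetime

CUSTOM = "CUSTOM"  # the time-range value that enables customStart/customEnd
# UTC timestamps in the shape the page's examples use (optional 3- or 6-digit fraction).
_ISO_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{3}(?:\d{3})?)?Z$")


class EsmQueryError(Exception):
    """Bad time range, or a query that never completes."""


def _parse_iso_utc(value: str) -> datetime:
    if not _ISO_UTC.match(value):
        raise EsmQueryError(f"not an ISO 8601 UTC timestamp: {value!r}")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_detail_query(field_name, watchlist_id, time_range,
                       custom_start=None, custom_end=None, fields=(), limit=0):
    """Build an Execute Query Detail input: EVENT rows whose `field_name` is IN
    watchlist `watchlist_id`, restricted to `time_range`. Raises on a CUSTOM
    range without both bounds, on a reversed interval, and on bounds supplied
    for a non-CUSTOM range (ESM would silently ignore them; we refuse instead)."""
    config = {
        "timeRange": time_range,
        "order": [],
        "includeTotal": False,
        "fields": [{"name": name} for name in fields],
        "filters": [{
            "type": "EsmFieldFilter",
            "field": {"name": field_name},
            "operator": "IN",
            "values": [{"type": "EsmWatchlistValue", "watchlist": watchlist_id}],
        }],
        "limit": limit,
        "offset": 0,
    }
    if time_range == CUSTOM:
        if not (custom_start and custom_end):
            raise EsmQueryError("timeRange CUSTOM requires customStart and customEnd")
        if _parse_iso_utc(custom_start) >= _parse_iso_utc(custom_end):
            raise EsmQueryError("customStart must be earlier than customEnd")
        config["customStart"], config["customEnd"] = custom_start, custom_end
    elif custom_start or custom_end:
        raise EsmQueryError("customStart/customEnd are only used when timeRange is CUSTOM")
    return {"parameters": {"type": "EVENT", "reverse": False}, "json_body": {"config": config}}


class FakeEsm:
    """Constructed stand-in for the ESM API. The keys resultID / complete and the
    columns/rows/values layout are ASSUMPTIONS for this example, not from the page."""
    RESULT_ID = "123456789000"

    def __init__(self, rows, polls_until_complete=2):
        self._rows = rows
        self._polls_left = polls_until_complete
        self._columns = []
        self.calls = []  # (endpoint, parameters, json_body), kept for inspection

    def post(self, endpoint, parameters=None, json_body=None):
        parameters, json_body = parameters or {}, json_body or {}
        self.calls.append((endpoint, parameters, json_body))
        if endpoint == "/qryExecuteDetail":
            self._columns = [f["name"] for f in json_body["config"]["fields"]]
            return {"resultID": self.RESULT_ID}
        if json_body.get("resultID") != self.RESULT_ID:
            raise EsmQueryError("unknown resultID")
        if endpoint == "/qryGetStatus":
            self._polls_left -= 1
            return {"complete": self._polls_left <= 0}
        if endpoint == "/qryGetResults":
            start, num = parameters["startPos"], parameters["numRows"]
            page = self._rows[start:start + num]
            return {"columns": [{"name": c} for c in self._columns],
                    "rows": [{"values": list(r)} for r in page]}
        raise EsmQueryError(f"unexpected endpoint {endpoint}")


def run_detail_query(esm, request, page_size=3, max_polls=10, poll_interval=0.0):
    """Submit, poll until complete (bounded), then page all rows into dicts."""
    result_id = esm.post("/qryExecuteDetail", request["parameters"], request["json_body"])["resultID"]
    for _ in range(max_polls):
        if esm.post("/qryGetStatus", json_body={"resultID": result_id}).get("complete"):
            break
        time.sleep(poll_interval)
    else:
        raise EsmQueryError(f"query {result_id} did not complete after {max_polls} polls")
    rows, start = [], 0
    while True:
        page = esm.post("/qryGetResults", {"startPos": start, "numRows": page_size},
                        {"resultID": result_id})
        names = [c["name"] for c in page["columns"]]
        batch = [dict(zip(names, r["values"])) for r in page["rows"]]
        rows.extend(batch)
        if len(batch) < page_size:  # short page means we have drained the result set
            return rows
        start += page_size


# Constructed sample rows (src, dst), not real ESM data.
SAMPLE_ROWS = [("10.0.0.5", "8.8.8.8"), ("10.0.0.9", "8.8.4.4"), ("10.0.1.2", "1.1.1.1"),
               ("10.0.1.3", "9.9.9.9"), ("10.0.2.7", "8.8.8.8")]

if __name__ == "__main__":
    req = build_detail_query("Alert.SrcIP", 7, CUSTOM, "2020-03-11T11:30:12.583Z",
                             "2020-03-11T11:30:12.584Z", fields=("Alert.SrcIP", "Alert.DstIP"))
    for row in run_detail_query(FakeEsm(SAMPLE_ROWS), req):
        print(row)
```

Bound the poll loop and the page size in a real playbook exactly as here: an unbounded status loop against a slow ESM (the Notes section warns IP queries can take a while) ties up a Turbine worker indefinitely, and `numRows` should stay small enough that one page fits comfortably in the response limits of both systems.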
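Add Watchlist Values and Remove Watchlist Values forward whatever `values` list they are given; the page's own input example pushes an empty string into watchlist 0, and a playbook that feeds a blocking watchlist from enrichment output can just as easily push `0.0.0.0`, an RFC 1918 address or a malformed string. The added example below (not the connector's or Trellix's own code) shows the validation a practitioner would put in front of either action for an IP watchlist: normalise, reject blanks, non-IPs and special-use addresses, de-duplicate, and chunk into the `{"json_body": {"watchlist": id, "values": [...]}}` shape the page documents. The batch size, the `endpoint` key in the returned dicts and the sample values are assumptions for this example, not ESM limits or connector fields.

```python
"""Validate indicator values before Add/Remove Watchlist Values.

Added example, not the connector's own code.
"""
import ipaddress

ADD_ENDPOINT = "/sysAddWatchlistValues"
REMOVE_ENDPOINT = "/sysRemoveWatchlistValues"
MAX_VALUES_PER_CALL = 500  # assumed batch size for this example, not a documented ESM limit


class WatchlistValueError(ValueError):
    """Nothing usable to send, or a bad watchlist ID."""


def normalise_ip_values(raw_values, allow_internal=False):
    """Return (clean, rejected): canonical IP strings in first-seen order, plus
    (original, reason) pairs for everything dropped. Unless allow_internal is set,
    private, loopback, link-local, multicast, reserved and unspecified addresses
    are rejected, since they are dangerous in a watchlist that drives blocking."""
    seen, clean, rejected = set(), [], []
    for raw in raw_values:
        value = raw.strip() if isinstance(raw, str) else ""
        if not value:
            rejected.append((raw, "blank"))
            continue
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            rejected.append((raw, "not an IP address"))
            continue
        special = (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
                   or ip.is_reserved or ip.is_unspecified)
        if special and not allow_internal:
            rejected.append((raw, "internal or special-use address"))
            continue
        canonical = str(ip)  # e.g. 2606:4700:4700:0:0:0:0:1111 -> 2606:4700:4700::1111
        if canonical in seen:
            continue  # silent de-duplication, not an error
        seen.add(canonical)
        clean.append(canonical)
    return clean, rejected


def build_watchlist_requests(watchlist_id, values, remove=False, allow_internal=False):
    """Build one or more action inputs for Add (default) or Remove Watchlist Values,
    each with at most MAX_VALUES_PER_CALL values. Returns (requests, rejected) and
    raises WatchlistValueError if nothing survives validation."""
    if isinstance(watchlist_id, bool) or not isinstance(watchlist_id, int) or watchlist_id < 0:
        raise WatchlistValueError("watchlist must be a non-negative integer ID")
    clean, rejected = normalise_ip_values(values, allow_internal)
    if not clean:
        raise WatchlistValueError(f"no valid values to send; rejected: {rejected}")
    endpoint = REMOVE_ENDPOINT if remove else ADD_ENDPOINT
    requests = [
        {"endpoint": endpoint,
         "json_body": {"watchlist": watchlist_id, "values": clean[i:i + MAX_VALUES_PER_CALL]}}
        for i in range(0, len(clean), MAX_VALUES_PER_CALL)
    ]
    return requests, rejected


# Constructed sample input mixing good, duplicate, blank, internal and malformed values.
SAMPLE_VALUES = ["8.8.8.8", " 8.8.8.8 ", "", "1.1.1.1", "10.0.0.5", "0.0.0.0",
                 "not-an-ip", "2606:4700:4700:0:0:0:0:1111", None]

if __name__ == "__main__":
    reqs, dropped = build_watchlist_requests(42, SAMPLE_VALUES)
    for r in reqs:
        print(r["endpoint"], r["json_body"])
    for original, reason in dropped:
        print(f"rejected {original!r}: {reason}")
```

Log the `rejected` list rather than discarding it: a sudden rise in rejected values usually means the upstream enrichment changed its output format, which is worth knowing before the watchlist quietly stops being updated.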