Trellix Enterprise Security Manager
This connector integrates Trellix Enterprise Security Manager v2's REST API with Swimlane Turbine.

## Prerequisites

The Trellix ESM connector requires a host, username and password for authentication.

## Capabilities

The Trellix ESM connector has the following capabilities:

- Add Watchlist Values
- Execute Query Detail
- Get Alarms
- Get Correlated Event For ID
- Get Event Details
- Get Query Results
- Get Query Status
- Get Triggered Alarms
- Get Triggered Alarm Details
- Get Watchlist
- Query IPs
- Remove Watchlist Values
- Total Events

## Configurations

### Trellix ESM HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A target URL | string | Required |
| Username | Username | string | Required |
| Password | Password | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Add Watchlist Values

Adds specified values to a watchlist in Trellix Enterprise Security Manager using provided JSON body data.

- Endpoint URL: `/sysAddWatchlistValues`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| watchlist | number | Optional | ID of the watchlist |
| values | array | Optional | List of string values to be added to a watchlist |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Execute Query Detail

Executes a detailed query in Trellix Enterprise Security Manager to retrieve specific event information.

- Endpoint URL: `/qryExecuteDetail`
- Method: POST

Input (the `config` object carries the nested `timeRange`, `order`, `fields`, `filters`, `includeTotal` and `watchlist` parameters listed after it, in the order shown):

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| type | string | Optional | The type of query to execute, either EVENT or FLOW |
| reverse | boolean | Optional | Whether to reverse the order of the results |
| config | object | Optional | The parameters to apply to the query, including filters, ordering, fields, etc. |
| timeRange | string | Optional | Parameter for Execute Query Detail |
| customStart | string | Optional | Parameter for Execute Query Detail |
| customEnd | string | Optional | Parameter for Execute Query Detail |
| order | array | Optional | Parameter for Execute Query Detail |
| direction | string | Optional | Parameter for Execute Query Detail |
| field | object | Optional | Parameter for Execute Query Detail |
| name | string | Optional | Name of the resource |
| typeBits | number | Optional | Type of the resource |
| id | string | Optional | Unique identifier |
| includeTotal | boolean | Optional | Parameter for Execute Query Detail |
| fields | array | Optional | Parameter for Execute Query Detail |
| name | string | Optional | Name of the resource |
| typeBits | number | Optional | Type of the resource |
| id | string | Optional | Unique identifier |
| filters | array | Optional | Parameter for Execute Query Detail |
| type | string | Optional | Type of the resource |
| field | object | Optional | Parameter for Execute Query Detail |
| name | string | Optional | Name of the resource |
| operator | string | Optional | Parameter for Execute Query Detail |
| values | array | Optional | Value for the parameter |
| type | string | Optional | Type of the resource |
| watchlist | number | Optional | Parameter for Execute Query Detail |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Fetch Alarms

Fetch triggered alarms.

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| timeRange | string | Optional | The time period for the search |
| customStart | string | Optional | If the timeRange argument is set to custom, the start time of the time range |
| customEnd | string | Optional | If the timeRange argument is set to custom, the end time of the time range |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Get Correlated Event For ID

Retrieve source events and flows associated with a specified correlated event ID in Trellix ESM.

- Endpoint URL: `/qryGetCorrEventDataForID`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| queryType | string | Optional | Either EVENT or FLOW, depending on the events needed |
| eventId | string | Required | The event ID whose source events are needed |
| fields | array | Optional | The list of fields to provide in the returned rows |
| name | string | Optional | Name of the resource |
| typeBits | number | Optional | Type of the resource |
| id | string | Optional | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Event Details

Retrieve detailed alert data from Trellix Enterprise Security Manager using a specific event ID.

- Endpoint URL: `/ipsGetAlertData`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | Required | The ipsIDAlertID of the event |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Query Results

Retrieve the results of a specified query from Trellix Enterprise Security Manager.

- Endpoint URL: `/qryGetResults`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| startPos | number | Optional | The start position of the requested data |
| numRows | number | Optional | The number of rows requested |
| resultID | string | Optional | The result ID whose data is being requested |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Query Status

Retrieve the execution status of a specific query in Trellix Enterprise Security Manager using the resultID.

- Endpoint URL: `/qryGetStatus`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| resultID | string | Required | The ID of the results, taken from the EsmActiveQuery returned by `qryExecuteQuery()` |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Triggered Alarm Details

Retrieve detailed information for a specific triggered alarm in Trellix Enterprise Security Manager using the alarm's ID.

- Endpoint URL: `/notifyGetTriggeredNotificationDetail`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | Required | The alarm to get the details for |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Triggered Alarms

Retrieve a paged list of triggered alarms from Trellix Enterprise Security Manager.

- Endpoint URL: `/alarmGetTriggeredAlarms`
- Method: POST

Input (the `assignedUser` object carries the user fields listed after it):

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| triggeredTimeRange | string | Optional | Filter the list of alarms to those that were triggered in this time range |
| customStart | string | Optional | If triggeredTimeRange is custom, start time for the time range (ignored if triggeredTimeRange is not custom) |
| customEnd | string | Optional | If triggeredTimeRange is custom, end time for the time range (ignored if triggeredTimeRange is not custom) |
| status | string | Optional | Can be (case sensitive) 'acknowledged', 'unacknowledged', "" or null; "" or null means all (default is null) |
| pageSize | string | Optional | The number of alarms to return per page (default is 1000, max is 5000) |
| pageNumber | string | Optional | Which page of alarms to return (default is 1) |
| assignedUser | object | Optional | The user ID assigned to handle this triggered alarm (default is the current user) |
| username | string | Optional | Name of the resource |
| id | number | Optional | Unique identifier |
| locked | boolean | Optional | Parameter for Get Triggered Alarms |
| loggedInCount | number | Optional | Count value |
| email | string | Optional | Parameter for Get Triggered Alarms |
| emailId | number | Optional | Unique identifier |
| sms | string | Optional | Parameter for Get Triggered Alarms |
| smsId | number | Optional | Unique identifier |
| master | boolean | Optional | Parameter for Get Triggered Alarms |
| admin | boolean | Optional | Parameter for Get Triggered Alarms |
| alias | string | Optional | Parameter for Get Triggered Alarms |
| type | string | Optional | Type of the resource |
| groups | array | Optional | Parameter for Get Triggered Alarms |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Watchlist

Retrieves basic information for all watchlists within the Trellix Enterprise Security Manager system.

- Endpoint URL: `/sysGetWatchlists`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| hidden | boolean | Optional | Whether to show hidden watchlists |
| dynamic | boolean | Optional | Whether to show dynamic watchlists |
| writeOnly | boolean | Optional | Whether to only show modifiable watchlists |
| indexedOnly | boolean | Optional | Whether to show indexed watchlists |
| filters | array | Optional | List of fields/types used to filter the list of watchlists returned |
| name | string | Optional | Name of the resource |
| id | number | Optional | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Query IPs

Retrieve all events correlating to an IP address.

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| target_ip | string | Required | Parameter for Query IPs |
| time_range | string | Required | Parameter for Query IPs |
| custom_start | string | Optional | Parameter for Query IPs |
| custom_end | string | Optional | Parameter for Query IPs |
| limit | number | Optional | Parameter for Query IPs |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Remove Watchlist Values

Removes specified values from a watchlist in Trellix Enterprise Security Manager; the `watchlist` parameter is required.

- Endpoint URL: `/sysRemoveWatchlistValues`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| watchlist | number | Required | ID of the watchlist |
| values | array | Optional | List of string values to be removed from a watchlist |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Total Events

Retrieve the total number of events correlating to an IP address.

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| target_ip | string | Required | Parameter for Total Events |
| time_range | string | Required | Parameter for Total Events |
| custom_start | string | Optional | Parameter for Total Events |
| custom_end | string | Optional | Parameter for Total Events |
| limit | number | Optional | Parameter for Total Events |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 13 Dec 2023 20:37:23 GMT |

## Notes

- The IP query may take some time while Trellix ESM processes the request.
- This connector supports product versions 10.0, 10.1, 10.2, 10.3, 11.1 and 11.3.
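The Execute Query Detail, Get Query Status and Get Query Results actions above are three steps of one asynchronous workflow, and the note that a query may take some time is why a caller has to poll. The following is an added example, not Swimlane's connector code and not Trellix's, showing that workflow end to end with a bounded poll loop and result paging. It assumes response shapes the page does not show: that `/qryExecuteDetail` answers with a `resultID`, that `/qryGetStatus` answers with a boolean `complete`, and that `/qryGetResults` answers with `columns` and `rows`. The filter literals (`EsmFieldFilter`, `EsmBasicValue`, `LAST_24_HOURS`, `Alert.SrcIP`) and the `FakeEsm` stand-in are likewise assumptions constructed for the example; `http_poster` is the real-transport counterpart, built on the page's Basic-auth and Verify SSL settings.

```python
"""Added example (not Swimlane's or Trellix's code): execute -> poll status -> page results.

Response shapes (resultID, complete, columns/rows) and filter literals are
assumptions for this example, not taken from the connector documentation.
"""
import base64
import json
import ssl
import time
import urllib.request
from typing import Any, Callable, Dict

Post = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    """HTTP Basic credentials as the connector's configuration describes them."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def http_poster(base_url: str, username: str, password: str, verify_ssl: bool = True) -> Post:
    """Real transport: POST JSON to <base_url><endpoint>. verify_ssl=False mirrors the
    connector's 'Verify SSL' option; keep it True outside of lab use."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    headers = basic_auth_header(username, password)

    def post(endpoint: str, body: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(base_url.rstrip("/") + endpoint,
                                     data=json.dumps(body).encode(), headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return post


class FakeEsm:
    """Constructed in-memory stand-in for the three query endpoints; reports the
    query complete on the N-th status poll so the loop below can be exercised offline."""

    def __init__(self, polls_until_complete: int = 2):
        self.polls_until_complete = polls_until_complete
        self.polls = 0
        self.last_query: Dict[str, Any] = {}
        # RFC 5737 documentation addresses, constructed sample rows
        self._rows = [["203.0.113.10", "1"], ["203.0.113.11", "3"]]

    def post(self, endpoint: str, body: Dict[str, Any]) -> Dict[str, Any]:
        if endpoint == "/qryExecuteDetail":
            self.last_query = body
            return {"resultID": "42"}          # assumed shape
        if endpoint == "/qryGetStatus":
            self.polls += 1
            return {"resultID": body["resultID"], "complete": self.polls >= self.polls_until_complete}
        if endpoint == "/qryGetResults":
            start, n = body["startPos"], body["numRows"]
            return {"columns": [{"name": "Alert.SrcIP"}, {"name": "Alert.EventCount"}],
                    "rows": self._rows[start:start + n]}
        raise ValueError(f"unexpected endpoint {endpoint}")


def run_event_query(post: Post, src_ip: str, time_range: str = "LAST_24_HOURS",
                    max_polls: int = 10, poll_delay: float = 0.0, page_size: int = 1000) -> Dict[str, Any]:
    """Step 1 (qryExecuteDetail), step 2 (qryGetStatus until complete, bounded),
    step 3 (qryGetResults paged with startPos/numRows). Raises TimeoutError if the
    ESM has not finished after max_polls status checks."""
    query = {
        "type": "EVENT",
        "reverse": False,
        "config": {
            "timeRange": time_range,
            "fields": [{"name": "Alert.SrcIP"}, {"name": "Alert.EventCount"}],
            "filters": [{"type": "EsmFieldFilter", "field": {"name": "Alert.SrcIP"},
                         "operator": "EQUALS", "values": [{"type": "EsmBasicValue", "value": src_ip}]}],
            "includeTotal": False,
        },
    }
    result_id = post("/qryExecuteDetail", query)["resultID"]

    for _ in range(max_polls):
        if post("/qryGetStatus", {"resultID": result_id}).get("complete"):
            break
        if poll_delay > 0:
            time.sleep(poll_delay)
    else:
        raise TimeoutError(f"query {result_id} not complete after {max_polls} status polls")

    rows, start = [], 0
    while True:
        page = post("/qryGetResults", {"resultID": result_id, "startPos": start, "numRows": page_size})
        rows.extend(page["rows"])
        if len(page["rows"]) < page_size:          # short page: nothing more to fetch
            return {"columns": [c["name"] for c in page["columns"]], "rows": rows}
        start += page_size


if __name__ == "__main__":
    # Offline run against the stand-in; swap in http_poster(url, user, pw) for a real ESM.
    print(run_event_query(FakeEsm(polls_until_complete=3).post, "203.0.113.10"))
```

The bounded poll loop is the part worth copying: an unbounded `while not complete` against a SIEM that is still processing a large time range will hang a playbook step indefinitely, whereas a `max_polls` cap surfaces the slow query as an error the workflow can retry or escalate.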