Trellix HX Endpoint Security
The Trellix HX Endpoint Security connector enables automated interactions with the Trellix HX platform for enhanced endpoint protection and incident response. Trellix HX Endpoint Security is a robust platform designed for advanced threat detection and response. By integrating with Swimlane Turbine, users can automate critical security operations tasks such as host containment, detailed searches, file acquisition, and alert management. This connector empowers security teams to swiftly isolate threats, conduct comprehensive investigations, and manage alerts efficiently, thereby reducing response times and bolstering overall security posture.

The Trellix HX Endpoint Security connector interacts with the Trellix HX Endpoint Security REST API to run triage, acquisition, alert, and containment tasks.

## Prerequisites

Before you can use the Trellix HX Endpoint Security connector for Turbine, ensure you have HTTP Basic Authentication with these parameters:

- URL: the endpoint URL for the Trellix HX API
- Username: your Trellix HX account username
- Password: your Trellix HX account password

## Capabilities

This Trellix HX Endpoint Security connector provides the following capabilities:

- Contain Host
- Containment Cancellation
- Create Search
- Download File Acquisition
- Get Alert By ID
- Get Alert Groups
- Get Alerted Hosts
- Get Containment State By Agent ID
- Get Containment Status
- Get Hosts
- Get List Of Triages
- Get Quarantine By ID
- Get Search Results
- Get Triage Acquisition By ID
- Get Triage Collection By ID
- and so on

## Asset Setup

Trellix HX Endpoint Security must be configured to allow access to the API. After logging into Trellix HX Endpoint Security as an administrator, navigate to Admin > Appliance Settings > User Accounts. Select the `api_admin` account, change the drop-down from "Local login disabled" to "Password set", type in your new password, and click Update User. Swimlane will expect the username `api_admin`, the password you just set, and the host with the port included (https://myhost:3000).

You may also use the `api_analyst` user, or any other user, for Swimlane by following the same process and ensuring the user role is one of `api_analyst` or `api_admin`. There are permission differences between the two API roles: `api_admin` is less restrictive and allows actions like containing hosts and maintaining custom policy channels.

Notes:

- https://docs.trellix.com/bundle/hx_api_2020_2/page/UUID-e2c37f22-ed87-8470-e318-90c52ddaafdb.html
- https://fireeye.dev/apis/lighthouse/

## Configurations

### Trellix HX HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | Username | string | required |
| password | Password | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Contain Host

Initiates containment of a specified host using its agent ID to prevent access to other systems on the network.

- Endpoint URL: `/hosts/{{agent_id}}/containment`
- Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.agent_id | string | required | The agent running on the host. The agent ID is listed on the Host Details tab for the host endpoint. The agent ID is automatically generated when the agent first signs on to the primary HX Series appliance. |

Input example:

```json
{"path_parameters": {"agent_id": "string"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| details | array | Output field details |
| route | string | Output field route |
| message | string | Response message |

Output example:

```json
{"status_code": 202, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Mon, 10 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"details": [], "route": "/hx/api/v3/hosts/agent_id/containment", "message": "Accepted"}}
```

### Containment Cancellation

Releases a specific host from containment in Trellix HX Endpoint Security using the agent's ID.

- Endpoint URL: `/hosts/{{agent_id}}/containment`
- Method: DELETE

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.agent_id | string | required | The agent running on the host. The agent ID is listed on the Host Details tab for the host endpoint. The agent ID is automatically generated when the agent first signs on to the primary HX Series appliance. |

Input example:

```json
{"path_parameters": {"agent_id": "string"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Output example:

```json
{"status_code": 204, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Mon, 10 Jun 2024 20:37:23 GMT"}, "reason": "No Content", "response_text": ""}
```

### Create Search

Initiates an enterprise search in Trellix HX Endpoint Security, with options for quick or exhaustive searches.

- Endpoint URL: `/searches`
- Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| host_set | object | optional | Parameter for Create Search |
| host_set._id | number | optional | Unique identifier |
| hosts | array | optional | Parameter for Create Search |
| hosts._id | string | optional | Unique identifier |
| indicator | string | optional | Parameter for Create Search |
| exhaustive | object | optional | Parameter for Create Search |
| exhaustive.override | array | optional | Unique identifier |
| exhaustive.override.item_type | string | optional | Unique identifier |
| exhaustive.override.name | string | optional | Unique identifier |
| exhaustive.override.value | boolean | optional | Unique identifier |
| query | array | optional | Parameter for Create Search |
| query.field | string | optional | Parameter for Create Search |
| query.operator | string | optional | Parameter for Create Search |
| query.value | string | optional | Value for the parameter |

Input example:

```json
{"json_body": {"host_set": {"_id": 0}, "hosts": [{"_id": "string"}], "indicator": "string", "exhaustive": {"override": [{"item_type": "CookieHistoryItem", "name": "string", "value": true}]}, "query": [{"field": "Application Name", "operator": "equals", "value": "string"}]}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data._id | number | Response data |
| data.state | string | Response data |
| data.scripts | array | Response data |
| data.scripts._id | number | Response data |
| data.scripts.url | string | Response data |
| data.scripts.download | string | Response data |
| data.scripts.platform | string | Response data |
| data.update_time | string | Response data |
| data.create_time | string | Response data |
| data.update_actor | object | Response data |
| data.update_actor._id | number | Response data |
| data.update_actor.username | string | Response data |
| data.create_actor | object | Response data |
| data.create_actor._id | number | Response data |
| data.create_actor.username | string | Response data |
| data.error | array | Response data |
| data._revision | string | Response data |
| data.input_type | string | Input data for the action |
| data.url | string | Response data |
| data.host_set | object | Response data |
| data.host_set._id | number | Response data |
| data.host_set.url | string | Response data |

Output example:

```json
{"status_code": 201, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Mon, 10 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"_id": 0, "state": "string", "scripts": [], "update_time": "2024-06-12T10:17:31.972Z", "create_time": "2024-06-12T10:17:31.972Z", "update_actor": {}, "create_actor": {}, "error": [], "_revision": "string", "input_type": "string", "url": "string", "host_set": {}, "stats": {}, "settings": {}}, "message": "string", "details": [{}], "route": "string"}}
```

### Download File Acquisition

Initiates the download of a specified file from an endpoint using Trellix HX, requiring the agent ID, path, and filename.

- Endpoint URL: `/hosts/{{agent_id}}/files`
- Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.agent_id | string | required | Parameters for the Download File Acquisition action |
| req_path | string | optional | Path of the file that you want to acquire |
| req_filename | string | optional | Name of the file that you want to acquire |
| comment | string | optional | General comment |
| req_use_api | boolean | optional | Whether to use the API or raw |
| external_id | string | optional | External correlation ID from a SIEM solution |

Input example:

```json
{"json_body": {"req_path": "C:\\$Extend\\$RmMetadata\\$TxfLog\\", "req_filename": "$TxfLog.blf", "comment": "This is a comment", "req_use_api": true, "external_id": ""}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Attachments |
| file.file | string | Output field file.file |
| file.file_name | string | Name of the resource |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 5 Jun 2024 20:37:23 GMT"}, "reason": "OK", "file": []}
```

### Get Alert By ID

Retrieves a specific alert from Trellix HX Endpoint Security using the provided alert ID.

- Endpoint URL: `/alerts/{{id}}`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Unique alert ID |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data._id | number | Response data |
| data.agent | object | Response data |
| data.appliance | object | Response data |
| data.appliance._id | string | Response data |
| data.condition | object | Response data |
| data.condition._id | string | Response data |
| data.condition.url | string | Response data |
| data.condition.enabled | boolean | Response data |
| data.condition.uuid | string | Response data |
| data.condition.tests | string | Response data |
| data.condition.event_type | string | Response data |
| data.indicator | object | Response data |
| data.indicator._id | string | Response data |
| data.indicator.url | string | Response data |
| data.indicator.name | string | Response data |
| data.indicator.uri_name | string | Response data |
| data.indicator.display_name | string | Response data |
| data.indicator.signature | string | Response data |
| data.indicator.category | number | Response data |
| data.event_id | string | Response data |
| data.event_type | string | Response data |
| data.event_values | object | Response data |

Output example (cut off in the source):

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Mon, 10 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"_id": 0, "agent": {}, "appliance": {}, "condition": {}, "indicator": {}, "event_id": "string", "event_type": "string", "event_values": {}, "event_at": "2024-06-10T10:14:47.547Z", "matched_at": "2024-06-10T10:14:47.547Z", "reported_at": "2024-06-10T10:14:47.547Z", "source": "string", "subtype": "string", "matched_source_alerts": [], "has_share_mode": "unre
```

### Get Alert Groups

Retrieves a list of all alert groups from Trellix HX Endpoint Security to streamline incident analysis and response.

- Endpoint URL: `/alert_groups`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.offset | number | optional | Specifies which record to start with in the response. The default is 0. |
| parameters.limit | number | optional | Specifies how many records are returned. The default is 50. |
| parameters.sort | array | optional | Sorts the results by the specified field in ascending or descending order. The default is sorting by ID in descending order. Sort fields may be followed by "+asc" or "+desc" to indicate ascending or descending order. Multiple sort fields may be specified. |
| parameters._id | string | optional | Unique alert group ID |
| parameters.host._id | string | optional | Unique host ID |
| parameters.host.hostname | string | optional | Name of the host |
| parameters.host.primary_ip_address | string | optional | Primary IP address of the host |
| parameters.assessment | string | optional | Brief assessment of the potential threat |
| parameters.file_full_path | string | optional | Full path of the suspect file |
| parameters.acknowledgement.acknowledged | boolean | optional | The alert has been acknowledged |
| parameters.acknowledgement.acknowledged_by | string | optional | User who acknowledged the alert |
| parameters.acknowledgement.acknowledged_time | string | optional | Time the alert was acknowledged |
| parameters.source | string | optional | Source of the alert. Valid values include "IOC" (indicator of compromise), "EXD" (exploit detection), and "MAL" (malware alert), etc. |
| parameters.has_fp_disposition | boolean | optional | Identifies which alert groups have an associated FP filter |
| parameters.last_alert.resolution | string | optional | Resolution of the most recent alert |
| parameters.grouped_by_md5sum | string | optional | MD5 hash from the alert group filter |
| parameters.filterQuery | string | optional | The filterQuery parameter allows for very specific filtering of search results. This must be a URL-encoded JSON object. |

Input example:

```json
{"parameters": {"offset": 0, "limit": 50, "sort": ["_id+desc"], "_id": "", "host._id": "", "host.hostname": "", "host.primary_ip_address": "", "assessment": "", "file_full_path": "", "acknowledgement.acknowledged": true, "acknowledgement.acknowledged_by": "", "acknowledgement.acknowledged_time": "", "source": "", "has_fp_disposition": true, "last_alert.resolution": "", "grouped_by_md5sum": "", "filterQuery": ""}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.total | number | Response data |
| data.query | object | Response data |
| data.sort | object | Response data |
| data.offset | number | Response data |
| data.limit | number | Response data |
| data.entries | array | Response data |
| data.entries._id | string | Response data |
| data.entries.url | string | Response data |
| data.entries.host | object | Response data |
| data.entries.host._id | string | Response data |
| data.entries.host.url | string | Response data |
| data.entries.host.hostname | string | Response data |
| data.entries.host.primary_ip_address | string | Response data |
| data.entries.assessment | string | Response data |
| data.entries.file_full_path | string | Response data |
| data.entries.acknowledgement | object | Response data |
| data.entries.acknowledgement.acknowledged | boolean | Response data |
| data.entries.acknowledgement.acknowledged_by | string | Response data |
| data.entries.acknowledgement.acknowledged_time | string | Response data |
| data.entries.stats | object | Response data |
| data.entries.stats.events | number | Response data |
| data.entries.first_event_at | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Mon, 10 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"total": 0, "query": {}, "sort": {}, "offset": 0, "limit": 0, "entries": []}, "message": "string", "details": [{}], "route": "string"}}
```

### Get Alerted Hosts

Retrieves a list of hosts with alert conditions linked to a specific source alert ID in Trellix HX Endpoint Security.

- Endpoint URL: `/source_alerts/{{id}}/alerted_hosts`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Unique alert ID |
| parameters.offset | number | optional | Specifies which record to start with in the response. The default is 0. |
| parameters.limit | number | optional | Specifies how many records are returned. The default is 50. |
| parameters.sort | array | optional | Sorts the results by the specified field in ascending or descending order. The default is sorting by ID in descending order. Sort fields may be followed by "+asc" or "+desc" to indicate ascending or descending order. Multiple sort fields may be specified. |
| parameters._id | string | optional | Unique agent ID |
| parameters.agent_version | string | optional | Agent version |
| parameters.containment_queued | boolean | optional | Containment requested |
| parameters.containment_state | string | optional | Containment state |
| parameters.last_audit_timestamp | string | optional | Time when the most recent system information audit was performed |
| parameters.last_alert_timestamp | string | optional | The time stamp of the most recent alert for the host |
| parameters.hostname | string | optional | Name of the host |
| parameters.domain | string | optional | Network domain |
| parameters.gmt_offset_seconds | number | optional | How many seconds the offset is from Greenwich Mean Time (GMT) |
| parameters.timezone | string | optional | Timezone name |
| parameters.os.product_name | string | optional | Operating system name |
| parameters.os.patch_level | string | optional | Operating system patch |
| parameters.os.bitness | string | optional | Operating system word size |
| parameters.os.platform | string | optional | Family of operating systems |
| parameters.reported_clone | boolean | optional | Indicates more than one host has this same agent ID |
| parameters.stats.alerting_conditions | number | optional | Number of alerting conditions |
| parameters.stats.acqs | number | optional | Number of file acquisition requests |
| parameters.stats.alerts | number | optional | Total number of alerts, including exploit detection alerts |
| parameters.stats.exploit_alerts | number | optional | Number of exploit alerts, partially blocked exploits, and blocked exploits |
| parameters.stats.malware_alerts | number | optional | The number of malware alerts on the host |
| parameters.stats.generic_alerts | number | optional | The number of generic alerts on the host |

Input example:

```json
{"parameters": {"offset": 0, "limit": 50, "sort": ["_id+desc"], "_id": "", "agent_version": "", "containment_queued": true, "containment_state": "normal", "last_audit_timestamp": "", "last_alert_timestamp": "", "hostname": "", "domain": "", "gmt_offset_seconds": 1, "timezone": "", "os.product_name": "", "os.patch_level": "", "os.bitness": "64-bit", "os.platform": "win", "reported_clone": true, "stats.alerting_conditions": 1, "stats.acqs": 3, "stats.alerts": 2, "stats.exploit_alerts": 4, "stats.malware_alerts": 5, "stats.generic_alerts": 6, "stats.malware_cleaned_count": 2, "stats.malware_quarantined_count": 2, "last_poll_timestamp": "", "host_sets._id": "", "host_sets.query": "", "has_alerts": true, "has_exploit_alerts": false, "has_exploit_blocks": true, "has_malware_alerts": false, "has_generic_alerts": false, "has_active_threats": false, "has_malware_quarantined": false, "has_malware_cleaned": false, "has_presence_alerts": false, "has_execution_alerts": false, "search_row": "", "has_share_mode": "", "filterQuery": ""}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.total | number | Response data |
| data.query | object | Response data |
| data.query.host_sets.query | object | Response data |
| data.query.host_sets.query.operator | string | Response data |
| data.query.host_sets.query.operands | array | Response data |
| data.query.host_sets.query.operands.setid | number | Response data |
| data.query.host_sets.query.operands.operator | string | Response data |
| data.query.host_sets.query.operands.operands | array | Response data |
| data.sort | object | Response data |
| data.offset | number | Response data |
| data.limit | number | Response data |
| data.entries | array | Response data |
| data.entries._id | string | Response data |
| data.entries.agent_version | string | Response data |
| data.entries.excluded_from_containment | boolean | Response data |
| data.entries.containment_missing_software | boolean | Response data |
| data.entries.containment_queued | boolean | Response data |
| data.entries.containment_state | string | Response data |
| data.entries.stats | object | Response data |
| data.entries.stats.acqs | number | Response data |
| data.entries.stats.malware_cleaned_count | number | Response data |
| data.entries.stats.malware_quarantined_count | number | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Mon, 10 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"total": 1, "query": {}, "sort": {}, "offset": 0, "limit": 50, "entries": []}, "message": "OK", "details": [{}], "route": "/hx/api/v3/host_policies/channels/id/hosts"}}
```

### Get Containment State By Agent ID

Fetches the containment state of a specific agent in Trellix HX Endpoint Security using the agent ID.

- Endpoint URL: `/hosts/{{agent_id}}/containment`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.agent_id | string | required | The agent running on the host. The agent ID is listed on the Host Details tab for the host endpoint. The agent ID is automatically generated when the agent first signs on to the primary HX Series appliance. |

Input example:

```json
{"path_parameters": {"agent_id": "string"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| details | array | Output field details |
| route | string | Output field route |
| data | object | Response data |
| data._id | string | Response data |
| data.last_sysinfo | string | Response data |
| data.requested_by_actor | object | Response data |
| data.requested_on | object | Response data |
| data.contained_by_actor | object | Response data |
| data.contained_on | object | Response data |
| data.queued | boolean | Response data |
| data.excluded | boolean | Response data |
| data.missing_software | boolean | Response data |
| data.reported_clone | boolean | Response data |
| data.state | string | Response data |
| data.state_update_time | string | Response data |
| data.url | string | Response data |
| message | string | Response message |

Output example (cut off in the source):

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Mon, 10 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"details": [{}], "route": "/hx/api/v3/hosts/agent_id/containment", "data": {"_id": "s8y5cr4obbkbzmuyrgmicr", "last_sysinfo": "2020-05-28T08:15:05.898Z", "requested_by_actor": null, "requested_on": null, "contained_by_actor": null, "contained_on": null, "queued": false, "excluded": false, "missing_software": false, "reported_clone": false, "state": "normal", "sta
```

### Get Containment Status

Fetches the containment state for all known hosts within Trellix HX Endpoint Security.

- Endpoint URL: `/containment_states`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.state_update_time | string | optional | Retrieves only hosts that have a state_update_time greater than the value specified |
| parameters.offset | number | optional | Specifies which record to start with in the response. The default is 0. |
| parameters.limit | number | optional | Specifies how many records are returned. The default is 50. |

Input example:

```json
{"parameters": {"state_update_time": "", "offset": 0, "limit": 50}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.total | number | Response data |
| data.query | object | Response data |
| data.sort | object | Response data |
| data.offset | number | Response data |
| data.limit | number | Response data |
| data.entries | array | Response data |
| data.entries._id | string | Response data |
| data.entries.last_sysinfo | string | Response data |
| data.entries.requested_by_actor | object | Response data |
| data.entries.requested_by_actor._id | number | Response data |
| data.entries.requested_by_actor.username | string | Response data |
| data.entries.requested_on | string | Response data |
| data.entries.contained_by_actor | object | Response data |
| data.entries.contained_on | object | Response data |
| data.entries.queued | boolean | Response data |
| data.entries.excluded | boolean | Response data |
| data.entries.missing_software | boolean | Response data |
| data.entries.reported_clone | boolean | Response data |
| data.entries.state | string | Response data |
| data.entries.state_update_time | string | Response data |
| data.entries.url | string | Response data |
| message | string | Response message |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Mon, 10 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"total": 1, "query": {}, "sort": {}, "offset": 0, "limit": 50, "entries": []}, "message": "OK", "details": [{}], "route": "/hx/api/v3/containment_states"}}
```

### Get Hosts

Obtains a list of hosts from the Trellix HX Endpoint Security server for monitoring and management purposes.

- Endpoint URL: `/hosts`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.offset | number | optional | Specifies which record to start with in the response. The default is 0. |
| parameters.limit | number | optional | Specifies how many records are returned. The default is 50. |
| parameters.sort | array | optional | Sorts the results by the specified field in ascending or descending order. The default is sorting by ID in descending order. Sort fields may be followed by "+asc" or "+desc" to indicate ascending or descending order. Multiple sort fields may be specified. |
| parameters._id | string | optional | Unique agent ID |
| parameters.agent_version | string | optional | Agent version |
| parameters.containment_queued | boolean | optional | Containment requested |
| parameters.containment_state | string | optional | Containment state |
| parameters.last_audit_timestamp | string | optional | Time when the most recent system information audit was performed |
| parameters.last_alert_timestamp | string | optional | The time stamp of the most recent alert for the host |
| parameters.hostname | string | optional | Name of the host |
| parameters.domain | string | optional | Network domain |
| parameters.gmt_offset_seconds | number | optional | How many seconds the offset is from Greenwich Mean Time (GMT) |
| parameters.timezone | string | optional | Timezone name |
| parameters.os.product_name | string | optional | Operating system name |
| parameters.os.patch_level | string | optional | Operating system patch |
| parameters.os.bitness | string | optional | Operating system word size |
| parameters.os.platform | string | optional | Family of operating systems |
| parameters.reported_clone | boolean | optional | Indicates more than one host has this same agent ID |
| parameters.stats.alerting_conditions | number | optional | Number of alerting conditions |
| parameters.stats.acqs | number | optional | Number of file acquisition requests |
| parameters.stats.alerts | number | optional | Total number of alerts, including exploit detection alerts |
| parameters.stats.exploit_alerts | number | optional | Number of exploit alerts, partially blocked exploits, and blocked exploits |
| parameters.stats.malware_alerts | number | optional | The number of malware alerts on the host |
| parameters.stats.generic_alerts | number | optional | The number of generic alerts on the host |
| parameters.stats.malware_cleaned_count | number | optional | The number of cleaned malware on the host |

Input example:

```json
{"parameters": {"offset": 0, "limit": 50, "sort": ["_id+desc"], "_id": "", "agent_version": "", "containment_queued": true, "containment_state": "normal", "last_audit_timestamp": "", "last_alert_timestamp": "", "hostname": "", "domain": "", "gmt_offset_seconds": 1, "timezone": "", "os.product_name": "", "os.patch_level": "", "os.bitness": "64-bit", "os.platform": "win", "reported_clone": true, "stats.alerting_conditions": 1, "stats.acqs": 3, "stats.alerts": 2, "stats.exploit_alerts": 4, "stats.malware_alerts": 5, "stats.generic_alerts": 6, "stats.malware_cleaned_count": 2, "stats.malware_quarantined_count": 2, "last_poll_timestamp": "", "source_alert_id": 4, "host_sets._id": "", "host_sets.query": "", "has_alerts": true, "has_exploit_alerts": false, "has_exploit_blocks": true, "has_malware_alerts": false, "has_generic_alerts": false, "has_active_threats": false, "has_malware_quarantined": false, "has_malware_cleaned": false, "has_presence_alerts": false, "has_execution_alerts": false, "search_row": "", "has_share_mode": "", "filterQuery": ""}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.total | number | Response data |
| data.query | object | Response data |
| data.query.host_sets.query | object | Response data |
| data.query.host_sets.query.operator | string | Response data |
| data.query.host_sets.query.operands | array | Response data |
| data.query.host_sets.query.operands.setid | number | Response data |
| data.query.host_sets.query.operands.operator | string | Response data |
| data.query.host_sets.query.operands.operands | array | Response data |
| data.sort | object | Response data |
| data.offset | number | Response data |
| data.limit | number | Response data |
| data.entries | array | Response data |
| data.entries._id | string | Response data |
| data.entries.agent_version | string | Response data |
| data.entries.excluded_from_containment | boolean | Response data |
| data.entries.containment_missing_software | boolean | Response data |
| data.entries.containment_queued | boolean | Response data |
| data.entries.containment_state | string | Response data |
| data.entries.stats | object | Response data |
| data.entries.stats.acqs | number | Response data |
| data.entries.stats.malware_cleaned_count | number | Response data |
| data.entries.stats.malware_quarantined_count | number | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Mon, 10 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"total": 1, "query": {}, "sort": {}, "offset": 0, "limit": 50, "entries": []}, "message": "OK", "details": [{}], "route": "/hx/api/v3/host_policies/channels/id/hosts"}}
```

### Get List Of Triages

Retrieves a list of triage entries from Trellix HX Endpoint Security, detailing known system issues.

- Endpoint URL: `/acqs/triages`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.offset | number | optional | Specifies which record to start with in the response. The default is 0. |
| parameters.limit | number | optional | Specifies how many records are returned. The default is 50. |
| parameters.sort | array | optional | Sorts the results by the specified field in ascending or descending order. The default is sorting by ID in descending order. Sort fields may be followed by "+asc" or "+desc" to indicate ascending or descending order. Multiple sort fields may be specified. |
| parameters.search | string | optional | Global search value |
| parameters.external_id | string | optional | Filter triage acquisitions by external correlation ID from a SIEM solution |
| parameters.host_id | string | optional | Filter triage acquisitions by host ID |

Input example:

```json
{"parameters": {"offset": 0, "limit": 1, "sort": ["_id+desc"], "search": "", "external_id": "", "host_id": ""}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.total | number | Response data |
| data.query | object | Response data |
| data.sort | object | Response data |
| data.offset | number | Response data |
| data.limit | number | Response data |
| data.entries | array | Response data |
| data.entries._id | number | Response data |
| data.entries._revision | string | Response data |
| data.entries.error_message | object | Response data |
| data.entries.state | string | Response data |
| data.entries.md5 | object | Response data |
| data.entries.request_time | string | Response data |
| data.entries.request_actor | object | Response data |
| data.entries.request_actor._id | number | Response data |
| data.entries.request_actor.username | string | Response data |
| data.entries.req_timestamp | object | Response data |
| data.entries.comment | string | Response data |
| data.entries.external_id | object | Response data |
| data.entries.finish_time | object | Response data |
| data.entries.indicator | object | Response data |
| data.entries.disable_cef | boolean | Response data |
| data.entries.url | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Mon, 10 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"total": 4, "query": {}, "sort": {}, "offset": 0, "limit": 1, "entries": []}, "message": "OK", "details": [{}], "route": "/hx/api/v3/acqs/triages"}}
```

### Get Quarantine By ID

Retrieves details of a specific quarantine entry from Trellix HX Endpoint Security using the provided ID.

- Endpoint URL: `/quarantines/{{id}}`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | Unique quarantine ID |

Input example:

```json
{"path_parameters": {"id": 1}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| details | array | Output field details |
| details.file_name | string | Name of the resource |
| details.file | string | Output field details.file |
| route | string | Output field route |
| data | object | Response data |
| data._id | number | Response data |
| data.agent_quarantine_id | string | Response data |
| data.hit_correlation_id | string | Response data |
| data.file_path | string | Response data |
| data.file_md5 | string | Response data |
| data.file_sha1 | string | Response data |
| data.reported_at | string | Response data |
| data.quarantined_at | string | Response data |
| data.alert_file_creation_time | string | Response data |
| data.alert_infection_name | string | Response data |
| data.state | string | Response data |
| data.update_time | string | Response data |
| data.url | string | Response data |
| data.host | object | Response data |
| data.host._id | string | Response data |
| data.host.url | string | Response data |
| data.alert | object | Response data |
| data.alert._id | number | Response data |

Output example (cut off in the source):

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Mon, 10 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"details": [], "route": "/hx/api/v3/quarantines/id", "data": {"_id": 106, "agent_quarantine_id": "23775c33-b95c-438d-94f5-48209332f35a", "hit_correlation_id": "c4689c40-d7b5-4e2e-9ade-7c49e9718330", "file_path": "D:\\Documents\\Samples\\grrr.exe", "file_md5": "0b141adba998fef7e7c99b9d97de3041", "file_sha1": "a94fce81574fe524002ea69f61bbe7e10838e925", "
```

### Get Search Results

Retrieves a list of all enterprise searches conducted within Trellix HX Endpoint Security.

- Endpoint URL: `/searches`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.offset | number | optional | Specifies which record to start with in the response. The default is 0. |
| parameters.limit | number | optional | Specifies how many records are returned. The default is 50. |
| parameters.sort | array | optional | Sorts the results by the specified field in ascending or descending order. The default is sorting by ID in descending order. Sort fields may be followed by "+asc" or "+desc" to indicate ascending or descending order. Multiple sort fields may be specified. |
| parameters.state | string | optional | Filter by search state |
| parameters.host_set._id | number | optional | Filter searches by host set ID |
| parameters.update_actor._id | number | optional | Filter searches by the user ID that last updated the searches |
| parameters.update_actor.username | string | optional | Filter searches by the username that last updated the searches |
| parameters.create_actor._id | number | optional | Filter searches by the user ID that created the searches |
| parameters.create_actor.username | string | optional | Filter searches by the username that created the searches |
| parameters.settings.mode | string | optional | Filter searches based on the search mode; the value can be host or grid |
| parameters.input_type | string | optional | Filter searches based on how the search was started; the value can be ui or api |

Input example:

```json
{"parameters": {"offset": 0, "limit": 50, "sort": ["_id+desc"], "state": "", "host_set._id": 1, "update_actor._id": 2, "update_actor.username": "", "create_actor._id": 2, "create_actor.username": "", "settings.mode": "", "input_type": ""}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.total | number | Response data |
| data.query | object | Response data |
| data.sort | object | Response data |
| data.offset | number | Response data |
| data.limit | number | Response data |
| data.entries | array | Response data |
| data.entries._id | number | Response data |
| data.entries.url | string | Response data |
| data.entries.state | string | Response data |
| data.entries.scripts | array | Response data |
| data.entries.scripts._id | number | Response data |
| data.entries.scripts.url | string | Response data |
| data.entries.scripts.download | string | Response data |
| data.entries.scripts.platform | string | Response data |
| data.entries.host_set | object | Response data |
| data.entries.host_set._id | number | Response data |
| data.entries.host_set.url | string | Response data |
| data.entries.host_set.name | string | Response data |
| data.entries.update_time | string | Response data |
| data.entries.create_time | string | Response data |
| data.entries.update_actor | object | Response data |
| data.entries.update_actor._id | number | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Mon, 10 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"total": 0, "query": {}, "sort": {}, "offset": 0, "limit": 0, "entries": []}, "message": "string", "details": [{}], "route": "string"}}
```

### Get Triage Acquisition By ID

Fetches details of a specific triage acquisition from Trellix HX Endpoint Security using the provided ID.

- Endpoint URL: `/acqs/triages/{{id}}`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Unique acquisition ID |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output (cut off in the source):

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| details | array | Output field details |
| route | string | Output field route |
string output field route data object response data data id number response data data revision string response data data error message string response data data state string response data data md5 object response data data request time string response data data request actor object response data data request actor id number response data data request actor username string response data data req timestamp object response data data comment string response data data external id object response data data finish time string response data data indicator object response data data disable cef boolean response data data url string response data data host object response data data host id string response data data host url string response data data alert object response data output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "mon, 10 jun 2024 20 37 23 gmt"},"reason" "ok","json body" {"details" \[{}],"route" "/hx/api/v3/acqs/triages/id","data" {" id" 10," revision" "20200716133632656552107126","error message" "the triage completed with issues ","state" "complete","md5"\ null,"request time" "2020 07 16t13 28 43 887z","request actor" {},"req timestamp"\ null,"comment" "","external id"\ null,"finish time" "2020 07 16t13 36 get triage collection by id retrieves a specific triage collection (mans file) from trellix hx endpoint security using the provided id endpoint url /acqs/triages/{{id}} mans method get input argument name type required description path parameters id string required unique acquisition id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "mon, 10 jun 2024 20 37 23 gmt"},"reason" "ok","json body" {}} new triage acquisition 
initiates a new triage acquisition for a specified agent in trellix hx endpoint security using the agent id endpoint url /hosts/{{agent id}}/triages method post input argument name type required description path parameters agent id string required unique agent id req timestamp string optional the triage collection for this time external id string optional external correlation id from a siem solution disable cef boolean optional when "disable cef" is set to false, and when cef logging is enabled, endpoint security will log each triage or bulk acquisition task creation, pickup, and completion when "disable cef" is true, this logging is skipped input example {"json body" {"req timestamp" "2030 10 10t17 40 13 413z","external id" "some id","disable cef"\ true}} output parameter type description status code number http status code of the response reason string response reason phrase details array output field details route string output field route data object response data data id number response data data revision string response data data error message string response data data state string response data data md5 object response data data request time string response data data request actor object response data data request actor id number response data data request actor username string response data data req timestamp object response data data comment string response data data external id object response data data finish time string response data data indicator object response data data disable cef boolean response data data url string response data data host object response data data host id string response data data host url string response data data alert object response data output example {"status code" 201,"response headers" {"content length" "140","content type" "application/json","date" "mon, 10 jun 2024 20 37 23 gmt"},"reason" "ok","json body" {"details" \[{}],"route" "/hx/api/v3/acqs/triages/id","data" {" id" 10," revision" 
"20200716133632656552107126","error message" "the triage completed with issues ","state" "complete","md5"\ null,"request time" "2020 07 16t13 28 43 887z","request actor" {},"req timestamp"\ null,"comment" "","external id"\ null,"finish time" "2020 07 16t13 36 response headers header description example content length the length of the response body in bytes 140 content type the media type of the resource application/json date the date and time at which the message was originated mon, 10 jun 2024 20 37 23 gmt
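The actions above share one request shape (a `{{param}}` route template under `/hx/api/v3`, HTTP Basic auth, optional query parameters or a JSON body) and one response shape (`status_code`, `reason`, `json_body` with `data.total/offset/limit/entries` for list endpoints). The following is an added example, not code from the connector or from Trellix: it builds those requests offline and walks a paginated `/searches` result, checking the status code before trusting the body. The base URL, credentials and the `fake_searches` responses are constructed sample values.

```python
"""Added example: build Trellix HX connector-style requests and page through
/searches results. Constructed data only; nothing touches the network."""
import base64
from typing import Any, Callable, Dict, Iterator, Optional
from urllib.parse import urlencode

API_PREFIX = "/hx/api/v3"  # route prefix shown in the page's output examples


def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    """HTTP Basic header, as the connector's asset setup requires (api_admin)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}


def build_request(base_url: str, route: str, method: str,
                  path_parameters: Optional[Dict[str, Any]] = None,
                  parameters: Optional[Dict[str, Any]] = None,
                  json_body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Fill the {{name}} placeholders of a documented route, then attach the
    query parameters (empty strings dropped, as in the input examples) or body."""
    for name, value in (path_parameters or {}).items():
        route = route.replace("{{" + name + "}}", str(value))
    if "{{" in route:  # refuse to send a request with an unfilled path parameter
        raise ValueError(f"unfilled path parameter in route {route}")
    url = base_url.rstrip("/") + API_PREFIX + route
    if parameters:
        query = {k: v for k, v in parameters.items() if v not in ("", None)}
        url += "?" + urlencode(query, doseq=True)  # "+" in "_id+desc" becomes %2B
    return {"method": method.upper(), "url": url, "json": json_body}


def iter_search_pages(fetch: Callable[[int, int], Dict[str, Any]],
                      limit: int = 50) -> Iterator[Dict[str, Any]]:
    """Yield every entry of GET /searches by advancing offset until data.total
    is reached. `fetch(offset, limit)` returns one connector-style output."""
    offset = 0
    while True:
        out = fetch(offset, limit)
        if out["status_code"] != 200:  # do not parse a body we did not expect
            raise RuntimeError(f"HX returned {out['status_code']}: {out['reason']}")
        data = out["json_body"]["data"]
        yield from data["entries"]
        offset += data["limit"] or limit
        if offset >= data["total"] or not data["entries"]:
            break


def fake_searches(offset: int, limit: int) -> Dict[str, Any]:
    """Constructed stand-in for GET /searches: three searches, served per page."""
    entries = [{"_id": i, "state": "STOPPED"} for i in (3, 2, 1)]
    page = entries[offset:offset + limit]
    return {"status_code": 200, "reason": "OK",
            "json_body": {"data": {"total": len(entries), "offset": offset,
                                   "limit": limit, "entries": page},
                          "message": "OK", "route": API_PREFIX + "/searches"}}
```

Calling `list(iter_search_pages(fake_searches, limit=2))` returns the three constructed entries in `_id` order 3, 2, 1 across two pages.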