# Trellix IPS

The Trellix IPS connector enables seamless integration with Swimlane Turbine, allowing users to automate network security tasks and policy management.

Trellix IPS is a robust intrusion prevention system that provides advanced network security through detailed policy management and telemetry capture. This connector enables seamless integration with Swimlane Turbine, allowing users to automate the addition, update, and deletion of firewall and IPS policies, manage quarantined hosts, and handle scanning exceptions. By leveraging this connector, security teams can enhance their threat detection capabilities and streamline their response workflows within the Swimlane platform.

## Limitations

None to date.

## Supported Versions

This Trellix IPS connector uses the latest version of the API.

## Additional Docs

Trellix IPS API documentation: https://docs.trellix.com/bundle/ips-landing-page/page/UUID-4225da7f-1ba0-1b55-b589-fc49fb8cc882.html

## Configuration

### Prerequisites

Before integrating Trellix IPS with Swimlane Turbine, ensure you have the following prerequisites:

- Trellix IPS authentication using the following parameters:
  - URL: the endpoint URL for the Trellix IPS API
  - Username: the username credential for Trellix IPS authentication
  - Password: the password credential for Trellix IPS authentication

### Authentication Methods

#### Trellix IPS Authentication

- URL: the endpoint URL for the Trellix IPS API
- Username: your Trellix IPS username with sufficient permissions
- Password: the password associated with your Trellix IPS account

## Capabilities

This Trellix IPS connector provides the following capabilities:

- Add Firewall Policy
- Create New IPS Policy
- Create a New Scanning Exception at Sensor
- Create or Update Light Weight Policy
- Delete Firewall Policy
- Delete IPS Policy
- Delete Light Weight Policy
- Delete Scanning Exception on a Sensor
- Enable or Disable Scanning Exception on a Sensor
- Get Firewall Policies in Domain
- Get Firewall Policy
- Get IPS Policies in a Domain
- Get IPS Policy Details
- Get Light Weight Policy Details
- Get Quarantined Host Details
- And so on

## Configurations

### Trellix IPS Authentication

Trellix IPS authentication configuration parameters.

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | URL | string | Required |
| Username | Username used to authenticate with the NSM API | string | Required |
| Password | Password for the NSM user account | string | Required |
| Verify SSL | Verify SSL certificates when making requests to NSM | boolean | Optional |
| HTTP Proxy | Proxy server to route requests through | string | Optional |

## Actions

### Add Firewall Policy

Adds a new firewall policy to Trellix IPS with customizable access rules, domain ID, visibility, editability, and member details.

**Endpoint URL:** /firewallpolicy

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Required | Name of the resource |
| domainId | number | Required | Unique identifier |
| visibleToChild | boolean | Required | Parameter for Add Firewall Policy |
| description | string | Optional | Parameter for Add Firewall Policy |
| lastModifiedTime | string | Optional | Time value |
| isEditable | boolean | Required | Parameter for Add Firewall Policy |
| policyType | string | Required | Type of the resource |
| policyVersion | number | Optional | Parameter for Add Firewall Policy |
| lastModifiedUser | string | Optional | Parameter for Add Firewall Policy |
| memberDetails | object | Required | Parameter for Add Firewall Policy |
| memberRuleList | array | Required | Parameter for Add Firewall Policy |
| description | string | Required | Parameter for Add Firewall Policy |
| enabled | boolean | Required | Parameter for Add Firewall Policy |
| response | string | Required | Parameter for Add Firewall Policy |
| isLogging | boolean | Required | Parameter for Add Firewall Policy |
| direction | string | Required | Parameter for Add Firewall Policy |
| sourceAddressObjectList | array | Required | Parameter for Add Firewall Policy |
| ruleObjectId | string | Required | Unique identifier |
| name | string | Required | Name of the resource |
| ruleObjectType | string | Required | Type of the resource |
| destinationAddressObjectList | array | Required | Parameter for Add Firewall Policy |
| ruleObjectId | string | Required | Unique identifier |
| name | string | Required | Name of the resource |
| ruleObjectType | string | Required | Type of the resource |
| sourceUserObjectList | array | Required | Parameter for Add Firewall Policy |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| createdResourceId | number | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "createdResourceId": 120
    }
  }
]
```

### Create a New Scanning Exception at Sensor

Creates a new scanning exception for a specified sensor in Trellix IPS using the provided scanningExceptionDetailsElement.

**Endpoint URL:** /sensor/{{sensor_id}}/scanningexception

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sensor_id | number | Required | Sensor ID |
| scanningExceptionDetailsElement | object | Required | Object that contains the details of the field to be sent |
| scanningExceptionDetails | object | Required | Object that contains the details of the field to be sent |
| forwardType | string | Optional | Can be one of these: TCP/UDP/VLAN |
| portInfo | object | Optional | Contains the TCP/UDP port information |
| portRange | object | Optional | Contains the port range information |
| portNumber | object | Optional | Contains the port number information |
| vlanInfo | object | Optional | Contains the VLAN information |
| portPairName | object | Required | Name of the port pair on which a scanning exception of VLAN type should be created |
| vlanIds | object | Optional | Contains the VLAN information |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "status": 1
    }
  }
]
```

### Create New IPS Policy

Creates a new global IPS policy in Trellix IPS with details like name, description, visibility, rule sets, and sensitivity level.

**Endpoint URL:** /sdkapi/domain/{{domain_id}}/ipspolicies/createips

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| domain_id | number | Required | The unique identifier of the domain for which the IPS policy is being created |
| policyName | string | Required | The name of the IPS policy to be created |
| description | string | Required | A brief description of the IPS policy |
| isVisibleToChildren | boolean | Required | Indicates if the policy is visible to child domains |
| inboundRuleSet | string | Required | The rule set to apply for inbound traffic |
| outboundRuleSet | string | Required | The rule set to apply for outbound traffic |
| dosResponseSensitivityLevel | number | Required | Sensitivity level for DoS response (e.g., 1 for low, 2 for medium, etc.) |
| direction | number | Required | The direction of the policy (e.g., 1 for inbound, 2 for outbound) |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| createdResourceId | number | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "createdResourceId": 105
    }
  }
]
```

### Create or Update Light Weight Policy

Creates or updates a lightweight policy on Trellix IPS for a given interface using sensor ID, interface ID, and policyDescriptor.

**Endpoint URL:** /sensor/{{sensor_id}}/interface/{{interface_id}}/localipspolicy

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sensor_id | number | Required | The unique identifier of the sensor for which the policy is being created or updated |
| interface_id | number | Required | The unique identifier of the interface for which the policy is being created or updated |
| policyDescriptor | object | Required | The policy descriptor containing the configuration details for the light weight policy |
| policyName | string | Required | The name of the policy |
| description | string | Required | A brief description of the policy |
| isVisibleToChildren | boolean | Required | Indicates whether this policy is visible to child entities in the hierarchy |
| inboundRuleSet | string | Required | The name of the inbound rule set associated with this policy |
| outboundRuleSet | string | Required | The name of the outbound rule set associated with this policy |
| attackCategory | object | Required | The category of attacks that this policy is configured to handle |
| expolitAttackList | array | Required | List of exploits and attacks for the policy |
| attackName | string | Required | The name of the attack |
| nspId | string | Required | The unique identifier for the attack |
| severity | number | Required | The severity level of the attack |
| isSeverityCustomized | boolean | Required | Indicates whether the severity level has been customized for this attack |
| isEnabled | boolean | Required | Indicates whether this attack is enabled in the policy |
| isAlertCustomized | boolean | Required | Indicates whether the alert settings for this attack have been customized |
| isRecommendedForSmartBlocking | boolean | Required | Indicates whether this attack is recommended for smart blocking |
| attackResponse | object | Required | The response actions to be taken for this attack |
| notification | object | Required | The notification settings for this attack, including email, pager, script, auto acknowledgment, SNMP, and syslog |
| protocolList | array | Required | Parameter for Create or Update Light Weight Policy |
| benignTriggerProbability | string | Required | Parameter for Create or Update Light Weight Policy |
| blockingType | string | Required | Type of the resource |
| subCategory | string | Required | Parameter for Create or Update Light Weight Policy |
| direction | string | Required | Parameter for Create or Update Light Weight Policy |
| isAttackCustomized | boolean | Required | Parameter for Create or Update Light Weight Policy |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| createdResourceId | number | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "createdResourceId": 105
    }
  }
]
```

### Delete Firewall Policy

Removes a specified firewall policy from Trellix IPS using the unique policy ID provided in the path parameters.

**Endpoint URL:** /firewallpolicy/{{policy_id}}

**Method:** DELETE

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| policy_id | number | Required | The unique identifier of the firewall policy to be deleted |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "status": 1
    }
  }
]
```

### Delete IPS Policy

Removes a specified intrusion prevention system policy from Trellix IPS using the provided policy ID.

**Endpoint URL:** /ipspolicy/{{policyId}}

**Method:** DELETE

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| policyId | number | Required | The unique identifier of the IPS policy to be deleted |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| createdResourceId | number | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "createdResourceId": 120
    }
  }
]
```

### Delete Light Weight Policy

Removes a local intrusion prevention system policy from a specified sensor interface in Trellix IPS using the sensor and interface IDs.

**Endpoint URL:** /sensor/{{sensor_id}}/interface/{{interface_id}}/localipspolicy

**Method:** DELETE

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sensor_id | number | Required | The unique identifier of the sensor from which the policy is being deleted |
| interface_id | number | Required | The unique identifier of the interface from which the policy is being deleted |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "status": 1
    }
  }
]
```

### Delete Scanning Exception on a Sensor

Removes a specified scanning exception from a Trellix IPS sensor using the sensor's ID and the scanningExceptionDeleteElement.

**Endpoint URL:** /sensor/{{sensor_id}}/scanningexception

**Method:** DELETE

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sensor_id | number | Required | Sensor ID |
| scanningExceptionDeleteElement | string | Required | Object that contains the details of the field to be sent |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "status": 1
    }
  }
]
```

### Enable or Disable Scanning Exception on a Sensor

Enables or disables the scanning exception for a specific sensor in Trellix IPS using the sensor ID and status element.

**Endpoint URL:** /sensor/{{sensor_id}}/scanningexception/status

**Method:** PUT

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sensor_id | number | Required | Sensor ID |
| scanningExceptionStatusElement | object | Required | Object that contains the details of the field to be sent |
| enabled | boolean | Required | Indicates if the scanning exception is enabled on the sensor |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "status": 1
    }
  }
]
```

### Get Firewall Policies in Domain

Retrieves all firewall policies within a specified domain in Trellix IPS by providing the domain ID.

**Endpoint URL:** /domain/{{domain_id}}/firewallpolicy

**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| domain_id | number | Required | The unique identifier of the domain for which firewall policies are being retrieved |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| firewallPoliciesForDomainResponseList | array | Output field firewallPoliciesForDomainResponseList |
| policyId | number | Unique identifier |
| policyName | string | Name of the resource |
| domainId | number | Unique identifier |
| visibleToChild | boolean | Output field visibleToChild |
| description | string | Output field description |
| isEditable | boolean | Output field isEditable |
| policyType | string | Type of the resource |
| policyVersion | number | Output field policyVersion |
| lastModUser | string | Output field lastModUser |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "firewallPoliciesForDomainResponseList": []
    }
  }
]
```

### Get Firewall Policy

Retrieves details of a specific firewall policy in Trellix IPS using the provided policy ID.

**Endpoint URL:** /firewallpolicy/{{policy_id}}

**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| policy_id | number | Required | The unique identifier of the firewall policy to be retrieved |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| firewallPolicyId | number | Unique identifier |
| name | string | Name of the resource |
| domainId | number | Unique identifier |
| visibleToChild | boolean | Output field visibleToChild |
| description | string | Output field description |
| lastModifiedTime | string | Time value |
| isEditable | boolean | Output field isEditable |
| policyType | string | Type of the resource |
| policyVersion | number | Output field policyVersion |
| lastModifiedUser | string | Output field lastModifiedUser |
| memberDetails | object | Output field memberDetails |
| memberRuleList | array | Output field memberRuleList |
| description | string | Output field description |
| enabled | boolean | Output field enabled |
| response | string | Output field response |
| isLogging | boolean | Output field isLogging |
| direction | string | Output field direction |
| sourceAddressObjectList | array | Output field sourceAddressObjectList |
| ruleObjectId | string | Unique identifier |
| name | string | Name of the resource |
| ruleObjectType | string | Type of the resource |
| destinationAddressObjectList | array | Output field destinationAddressObjectList |
| ruleObjectId | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "firewallPolicyId": 120,
      "name": "testfirewallpolicy",
      "domainId": 0,
      "visibleToChild": true,
      "description": "test the firewallpolicy",
      "lastModifiedTime": "2012-12-12 12:43:54",
      "isEditable": true,
      "policyType": "advanced",
      "policyVersion": 1,
      "lastModifiedUser": "admin",
      "memberDetails": {}
    }
  }
]
```

### Get IPS Policies in a Domain

Retrieves all intrusion prevention system policies within a specified domain in Trellix IPS, identified by the domain ID.

**Endpoint URL:** /domain/{{domain_id}}/ipspolicies

**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| domain_id | number | Required | The unique identifier of the domain for which IPS policies are being retrieved |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| policyDescriptorDetailsList | array | Output field policyDescriptorDetailsList |
| name | string | Name of the resource |
| domainId | string | Unique identifier |
| policyId | string | Unique identifier |
| isEditable | string | Output field isEditable |
| visibleToChild | string | Output field visibleToChild |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "policyDescriptorDetailsList": []
    }
  }
]
```

### Get IPS Policy Details

Retrieves detailed information on a specific Trellix IPS policy using the provided policy ID, including attack sets and response actions.

**Endpoint URL:** /ipspolicy/{{policy_id}}

**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| policy_id | number | Required | The unique identifier of the IPS policy for which details are being retrieved |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| policyDescriptor | object | Output field policyDescriptor |
| policyName | string | Name of the resource |
| description | string | Output field description |
| isVisibleToChildren | boolean | Output field isVisibleToChildren |
| inboundRuleSet | string | Output field inboundRuleSet |
| outboundRuleSet | string | Output field outboundRuleSet |
| attackCategory | object | Output field attackCategory |
| expolitAttackList | array | Output field expolitAttackList |
| attackName | string | Name of the resource |
| nspId | string | Unique identifier |
| severity | number | Output field severity |
| isSeverityCustomized | boolean | Output field isSeverityCustomized |
| isEnabled | boolean | Output field isEnabled |
| isAlertCustomized | boolean | Output field isAlertCustomized |
| isRecommendedForSmartBlocking | boolean | Output field isRecommendedForSmartBlocking |
| attackResponse | object | Output field attackResponse |
| tcpReset | string | Output field tcpReset |
| isTcpResetCustomized | boolean | Output field isTcpResetCustomized |
| isIcmpSend | boolean | Output field isIcmpSend |
| isIcmpSendCustomized | boolean | Output field isIcmpSendCustomized |
| mcafeeNacNotification | string | Output field mcafeeNacNotification |
| isMcafeeNacNotificationEnabled | boolean | Output field isMcafeeNacNotificationEnabled |
| isQuarantineCustomized | boolean | Output field isQuarantineCustomized |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "policyDescriptor": {}
    }
  }
]
```

### Get Light Weight Policy Details

Retrieves lightweight policy details for a specified sensor and interface in Trellix IPS using the sensor ID and interface ID.

**Endpoint URL:** /sensor/{{sensor_id}}/interface/{{interface_id}}/localipspolicy

**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sensor_id | number | Required | The unique identifier of the sensor whose policy is being retrieved |
| interface_id | number | Required | The unique identifier of the interface whose policy is being retrieved |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| policyDescriptor | object | Output field policyDescriptor |
| policyName | string | Name of the resource |
| description | string | Output field description |
| isVisibleToChildren | boolean | Output field isVisibleToChildren |
| inboundRuleSet | string | Output field inboundRuleSet |
| outboundRuleSet | string | Output field outboundRuleSet |
| attackCategory | object | Output field attackCategory |
| expolitAttackList | array | Output field expolitAttackList |
| attackName | string | Name of the resource |
| nspId | string | Unique identifier |
| severity | number | Output field severity |
| isSeverityCustomized | boolean | Output field isSeverityCustomized |
| isEnabled | boolean | Output field isEnabled |
| isAlertCustomized | boolean | Output field isAlertCustomized |
| isRecommendedForSmartBlocking | boolean | Output field isRecommendedForSmartBlocking |
| attackResponse | object | Output field attackResponse |
| tcpReset | string | Output field tcpReset |
| isTcpResetCustomized | boolean | Output field isTcpResetCustomized |
| isIcmpSend | boolean | Output field isIcmpSend |
| isIcmpSendCustomized | boolean | Output field isIcmpSendCustomized |
| mcafeeNacNotification | string | Output field mcafeeNacNotification |
| isMcafeeNacNotificationEnabled | boolean | Output field isMcafeeNacNotificationEnabled |
| isQuarantineCustomized | boolean | Output field isQuarantineCustomized |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "policyDescriptor": {}
    }
  }
]
```

### Get Quarantined Host Details

Retrieves details of hosts quarantined by Trellix IPS using the specified sensor ID.

**Endpoint URL:** /sensor/{{sensor_id}}/action/quarantinehost/details

**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sensor_id | number | Required | Sensor ID |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| quarantineHostDetail | array | Output field quarantineHostDetail |
| ipAddress | string | Output field ipAddress |
| quarantineDetails | object | Output field quarantineDetails |
| device | string | Output field device |
| quarantineZone | string | Output field quarantineZone |
| addedToQuarantine | object | Output field addedToQuarantine |
| by | string | Output field by |
| time | string | Time value |
| remediate | boolean | Output field remediate |
| pendingRelease | string | Output field pendingRelease |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "quarantineHostDetail": []
    }
  }
]
```

### Get Quarantined Hosts

Retrieves a list of hosts quarantined by a specific sensor in Trellix IPS, requiring the sensor's ID as a path parameter.

**Endpoint URL:** /sensor/{{sensor_id}}/action/quarantinehost

**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sensor_id | number | Required | Sensor ID |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| quarantineHostDescriptor | array | Output field quarantineHostDescriptor |
| ipAddress | string | Output field ipAddress |
| duration | number | Output field duration |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "quarantineHostDescriptor": []
    }
  }
]
```

### Get Scanning Exception Details on a Sensor

Retrieves details of scanning exceptions for a specified sensor in Trellix IPS using the sensor ID.

**Endpoint URL:** /sensor/{{sensor_id}}/scanningexception

**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sensor_id | number | Required | Sensor ID |
| scanningExceptionResponseElement | object | Optional | Object that contains the details of the field to be sent |
| tcpRules | object | Optional | Object containing TCP rule settings |
| tcpPortRangeList | object | Optional | List of objects containing TCP port range settings |
| tcpPortRange | string | Optional | TCP port range in the format "from-to" |
| udpRules | object | Optional | Object containing UDP rule settings |
| udpPortRangeList | object | Optional | List of objects containing UDP port range settings |
| udpPortRange | string | Optional | UDP port range in the format "from-to" |
| vlanRules | object | Optional | Object containing VLAN rule settings |
| vlanIdRangeList | object | Optional | List of objects containing VLAN ID range settings |
| vlanIdRange | string | Optional | VLAN ID range in the format "from-to" |
| portPairName | string | Optional | Name of the port pair |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "status": 1
    }
  }
]
```

### Get Scanning Exception Status on a Sensor

Retrieves the scanning exception status for a specified sensor in Trellix IPS using the sensor ID and scanningExceptionStatusElement.

**Endpoint URL:** /sensor/{{sensor_id}}/scanningexception/status

**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sensor_id | number | Required | Sensor ID |
| scanningExceptionStatusElement | object | Required | Object that contains the details of the field to be sent |
| enabled | boolean | Required | Indicates if the scanning exception is enabled on the sensor |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "status": 1
    }
  }
]
```
### Quarantine Host

Isolates a host for a specified duration using the Trellix IPS sensor with the provided sensor ID and IP address.

**Endpoint URL:** /sensor/{{sensor_id}}/action/quarantinehost

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sensor_id | number | Required | Sensor ID |
| ipAddress | string | Required | IPv4/IPv6 address to be quarantined |
| duration | string | Required | Duration for which the IP is to be quarantined |
| remediate | boolean | Optional | Remediate the IP along with quarantine |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "status": 1
    }
  }
]
```

### Release Quarantined Host

Releases a specified host from quarantine in Trellix IPS using the sensor ID and IP address.

**Endpoint URL:** /sensor/{{sensor_id}}/action/quarantinehost/{{ipAddress}}

**Method:** DELETE

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sensor_id | number | Required | Sensor ID |
| ipAddress | string | Required | IPv4/IPv6 address to be released from quarantine |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "status": 1
    }
  }
]
```

### Update Firewall Policy

Updates a Trellix IPS firewall policy with the given policy ID and configuration details, including visibility and editability settings.

**Endpoint URL:** /firewallpolicy/{{policy_id}}

**Method:** PUT

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| policy_id | number | Required | The unique identifier of the firewall policy to be updated |
| firewallPolicyId | number | Optional | Unique identifier |
| name | string | Required | Name of the resource |
| domainId | number | Required | Unique identifier |
| visibleToChild | boolean | Required | Parameter for Update Firewall Policy |
| description | string | Optional | Parameter for Update Firewall Policy |
| lastModifiedTime | string | Optional | Time value |
| isEditable | boolean | Required | Parameter for Update Firewall Policy |
| policyType | string | Required | Type of the resource |
| policyVersion | number | Optional | Parameter for Update Firewall Policy |
| lastModifiedUser | string | Optional | Parameter for Update Firewall Policy |
| memberDetails | object | Required | Parameter for Update Firewall Policy |
| memberRuleList | array | Required | Parameter for Update Firewall Policy |
| description | string | Required | Parameter for Update Firewall Policy |
| enabled | boolean | Required | Parameter for Update Firewall Policy |
| response | string | Required | Parameter for Update Firewall Policy |
| isLogging | boolean | Required | Parameter for Update Firewall Policy |
| direction | string | Required | Parameter for Update Firewall Policy |
| sourceAddressObjectList | array | Required | Parameter for Update Firewall Policy |
| ruleObjectId | string | Required | Unique identifier |
| name | string | Required | Name of the resource |
| ruleObjectType | string | Required | Type of the resource |
| destinationAddressObjectList | array | Required | Parameter for Update Firewall Policy |
| ruleObjectId | string | Required | Unique identifier |
| name | string | Required | Name of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "status": 1
    }
  }
]
```

### Update IPS Policy

Updates a specified Trellix IPS policy using the provided policy ID and outboundAttackCategory.

**Endpoint URL:** /ipspolicy/{{policyId}}

**Method:** PUT

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| policyId | number | Required | The unique identifier of the IPS policy to update |
| dosResponseSensitivityLevel | number | Optional | The sensitivity level for DoS response in the policy |
| direction | number | Optional | The direction of the policy (e.g., inbound or outbound) |
| description | string | Optional | A brief description of the IPS policy |
| isEditable | boolean | Optional | Indicates if the policy is editable |
| policyName | string | Optional | The name of the IPS policy |
| reconPolicy | object | Optional | The reconnaissance policy configuration |
| reconAttackList | array | Optional | List of reconnaissance attacks for the policy |
| isAlertCustomized | boolean | Optional | Indicates if alert settings are customized for this recon attack |
| isQuarantineCustomized | boolean | Optional | Indicates if quarantine settings are customized for this recon attack |
| severity | number | Optional | The severity level of the recon attack |
| isThresholdDurationCustomized | boolean | Optional | Indicates if the threshold duration is customized for this recon attack |
| isSendAlertToManager | boolean | Optional | Indicates if alerts should be sent to the Manager for this recon attack |
| nspId | string | Optional | The unique identifier for the recon attack |
| thresholdDuration | number | Optional | The duration for the threshold in seconds for this recon attack |
| alertSuppressionTimer | number | Optional | The timer for alert suppression for this recon attack |
| isAlertSuppressionTimerCustomized | boolean | Optional | Indicates if the alert suppression timer is customized for this recon attack |
| isMcafeeNacNotificationEnabled | boolean | Optional | Indicates if McAfee NAC notification is enabled for this recon attack |
| thresholdValue | number | Optional | The threshold value for the recon attack |
| notification | object | Required | Notification settings for this recon attack, including email, pager, script, auto acknowledgment, SNMP, and syslog |
| isAutoAckCustomized | boolean | Optional | Indicates if the auto acknowledgment setting is customized |
| isPager | boolean | Optional | Indicates if pager notifications are enabled |
| isSyslogCustomized | boolean | Optional | Indicates if the syslog notification setting is customized |
| isPagerCustomized | boolean | Optional | Indicates if the pager notification setting is customized |
| isEmail | boolean | Optional | Indicates if email notifications are enabled |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "status": 1
    }
  }
]
```

### Update IPS Quarantine Duration for a Host

Modifies the quarantine duration for a host in Trellix IPS using the sensor ID and the specified IP address and duration.

**Endpoint URL:** /sensor/{{sensor_id}}/action/quarantinehost

**Method:** PUT

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sensor_id | number | Required | Sensor ID |
| ipAddress | string | Required | IPv4/IPv6 address to be quarantined |
| duration | string | Required | Duration for which the IP is to be quarantined |
| remediate | boolean | Optional | Remediate the IP along with quarantine |
| isOverride | boolean | Optional | Override the previous data if present for the IP provided |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "status": 1
    }
  }
]
```
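The three quarantine actions above (Quarantine Host, Update IPS Quarantine Duration for a Host, Release Quarantined Host) are typically chained in a response playbook. The following is an added example, not the connector's or Trellix's own code: it builds the documented requests with input validation, because the sensor ID and the IP address end up in the URL path and the sensor's `{"status": 1}` reply is the only success signal. The HTTP layer, the base URL, the sensor ID and the duration values are assumptions; the page does not state which duration strings NSM accepts.

```python
"""Added example (not the connector's or Trellix's own code): an offline client for the
three quarantine actions above. The HTTP layer is an assumption: any callable
(method, url, json_body) -> (status_code, json_body) works, so no live NSM is needed."""
import ipaddress
from typing import Callable, Optional, Tuple
from urllib.parse import quote


class TrellixIpsError(Exception):
    """Raised when a request is rejected locally or by the sensor manager."""


class TrellixIpsQuarantine:
    def __init__(self, base_url: str, transport: Callable) -> None:
        self.base_url = base_url.rstrip("/")  # the connector's 'URL' parameter
        self.transport = transport

    def _sensor_path(self, sensor_id: int) -> str:
        # Integer path parameter only: a value copied from an alert or a form
        # cannot smuggle extra path segments into the URL.
        if isinstance(sensor_id, bool) or not isinstance(sensor_id, int) or sensor_id < 0:
            raise TrellixIpsError(f"invalid sensor id: {sensor_id!r}")
        return f"{self.base_url}/sensor/{sensor_id}"

    @staticmethod
    def validate_ip(value: str) -> str:
        # Documented type is a literal IPv4/IPv6 address: hostnames, CIDR ranges and
        # stray characters are rejected, and the address is normalised (2001:DB8::1 ->
        # 2001:db8::1) so that a later release request matches the quarantine entry.
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            raise TrellixIpsError(f"not an IPv4/IPv6 address: {value!r}") from None

    @staticmethod
    def validate_duration(duration: str) -> str:
        # 'duration' is documented only as a string; the values NSM accepts are not on
        # this page, so the example just insists on a short alphanumeric/underscore token.
        if not isinstance(duration, str) or not (0 < len(duration) <= 32
                                                 and duration.replace("_", "").isalnum()):
            raise TrellixIpsError(f"invalid quarantine duration: {duration!r}")
        return duration

    @staticmethod
    def _expect_status_ok(status_code: int, body) -> dict:
        # Every quarantine action above answers {"status": 1} on success; anything else
        # is raised so a playbook never assumes the host is isolated when it is not.
        if status_code != 200 or not isinstance(body, dict) or body.get("status") != 1:
            raise TrellixIpsError(f"sensor manager rejected request: {status_code} {body!r}")
        return body

    def _call(self, method: str, sensor_id: int, suffix: str, payload: Optional[dict]) -> dict:
        url = self._sensor_path(sensor_id) + "/action/quarantinehost" + suffix
        status_code, body = self.transport(method, url, payload)
        return self._expect_status_ok(status_code, body)

    def quarantine_host(self, sensor_id: int, ip: str, duration: str,
                        remediate: bool = False) -> dict:
        """POST /sensor/{sensor_id}/action/quarantinehost"""
        payload = {"ipAddress": self.validate_ip(ip),
                   "duration": self.validate_duration(duration), "remediate": bool(remediate)}
        return self._call("POST", sensor_id, "", payload)

    def update_quarantine_duration(self, sensor_id: int, ip: str, duration: str,
                                   remediate: bool = False, is_override: bool = True) -> dict:
        """PUT /sensor/{sensor_id}/action/quarantinehost"""
        payload = {"ipAddress": self.validate_ip(ip),
                   "duration": self.validate_duration(duration),
                   "remediate": bool(remediate), "isOverride": bool(is_override)}
        return self._call("PUT", sensor_id, "", payload)

    def release_quarantined_host(self, sensor_id: int, ip: str) -> dict:
        """DELETE /sensor/{sensor_id}/action/quarantinehost/{ipAddress}"""
        # Here the address is itself a path segment: validate, then percent-encode
        # (IPv6 colons are kept; anything else that slipped through is escaped).
        segment = quote(self.validate_ip(ip), safe=":")
        return self._call("DELETE", sensor_id, "/" + segment, None)


class RecordingTransport:
    """Constructed stand-in for the HTTP layer: records each request and returns the
    documented success body. A real transport attaches the NSM session here."""

    def __init__(self) -> None:
        self.calls = []

    def __call__(self, method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        self.calls.append((method, url, body))
        return 200, {"status": 1}


def demo_quarantine_lifecycle() -> list:
    # Base URL, sensor id, address and durations are constructed sample values.
    transport = RecordingTransport()
    client = TrellixIpsQuarantine("https://nsm.example.invalid/sdkapi/", transport)
    client.quarantine_host(1001, "10.20.30.40", "60")
    client.update_quarantine_duration(1001, "10.20.30.40", "120", is_override=True)
    client.release_quarantined_host(1001, "10.20.30.40")
    return transport.calls
```

A real transport should keep the connector's Verify SSL option enabled so the NSM credentials and session are not exposed to interception on the way to the Manager.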