# Trellix IPS
The Trellix IPS connector enables seamless integration with Swimlane Turbine, allowing users to automate network security tasks and policy management.

Trellix IPS is a robust intrusion prevention system that provides advanced network security through detailed policy management and telemetry capture. This connector enables seamless integration with Swimlane Turbine, allowing users to automate the addition, update, and deletion of firewall and IPS policies, manage quarantined hosts, and handle scanning exceptions. By leveraging this connector, security teams can enhance their threat detection capabilities and streamline their response workflows within the Swimlane platform.

## Limitations

None to date.

## Supported versions

This Trellix IPS connector uses the latest version of the API.

## Additional docs

https://docs.trellix.com/bundle/ips-landing-page/page/UUID-4225da7f-1ba0-1b55-b589-fc49fb8cc882.html

## Configuration

### Prerequisites

Before integrating Trellix IPS with Swimlane Turbine, ensure you have the following prerequisites:

- Trellix IPS authentication using the following parameters:
  - URL: the endpoint URL for the Trellix IPS API
  - Username: the username credential for Trellix IPS authentication
  - Password: the password credential for Trellix IPS authentication

### Authentication methods

- URL: the endpoint URL for the Trellix IPS API
- Username: your Trellix IPS username with sufficient permissions
- Password: the password associated with your Trellix IPS account

## Capabilities

This Trellix IPS connector provides the following capabilities:

- Add Firewall Policy
- Create New IPS Policy
- Create a New Scanning Exception at Sensor
- Create or Update Light Weight Policy
- Delete Firewall Policy
- Delete IPS Policy
- Delete Light Weight Policy
- Delete Scanning Exception on a Sensor
- Enable or Disable Scanning Exception on a Sensor
- Get Firewall Policies in Domain
- Get Firewall Policy
- Get IPS Policies in a Domain
- Get IPS Policy Details
- Get Light Weight Policy Details
- Get Quarantined Host Details
- and so on

## Configurations
authentication trellix ips authentication configuration parameters parameter description type required url url string required username username used to authenticate with the nsm api string required password password for the nsm user account string required verify ssl verify ssl certificates when making requests to nsm boolean optional http proxy proxy server to route requests through string optional actions add firewall policy adds a new firewall policy to trellix ips with customizable access rules, domain id, visibility, editability, and member details endpoint url /firewallpolicy method post input argument name type required description name string optional name of the resource domainid number optional unique identifier visibletochild boolean optional parameter for add firewall policy description string optional parameter for add firewall policy lastmodifiedtime string optional time value iseditable boolean optional parameter for add firewall policy policytype string optional type of the resource policyversion number optional parameter for add firewall policy lastmodifieduser string optional parameter for add firewall policy memberdetails object optional parameter for add firewall policy memberdetails memberrulelist array required parameter for add firewall policy memberdetails memberrulelist description string required parameter for add firewall policy memberdetails memberrulelist enabled boolean required parameter for add firewall policy memberdetails memberrulelist response string required parameter for add firewall policy memberdetails memberrulelist islogging boolean required parameter for add firewall policy memberdetails memberrulelist direction string required parameter for add firewall policy memberdetails memberrulelist sourceaddressobjectlist array required parameter for add firewall policy memberdetails memberrulelist sourceaddressobjectlist ruleobjectid string required unique identifier memberdetails memberrulelist sourceaddressobjectlist name 
string required name of the resource memberdetails memberrulelist sourceaddressobjectlist ruleobjecttype string required type of the resource memberdetails memberrulelist destinationaddressobjectlist array required parameter for add firewall policy memberdetails memberrulelist destinationaddressobjectlist ruleobjectid string required unique identifier memberdetails memberrulelist destinationaddressobjectlist name string required name of the resource memberdetails memberrulelist destinationaddressobjectlist ruleobjecttype string required type of the resource memberdetails memberrulelist sourceuserobjectlist array required parameter for add firewall policy input example {"json body" {"name" "testfirewallpolicy","domainid" 0,"visibletochild"\ true,"description" "test the firewallpolicy","lastmodifiedtime" "2012 12 12 12 30 47","iseditable"\ true,"policytype" "advanced","policyversion" 1,"lastmodifieduser" "admin","memberdetails" {"memberrulelist" \[{"description" "test member rule","enabled"\ true,"response" "scan","islogging"\ false,"direction" "inbound","sourceaddressobjectlist" \[{"ruleobjectid" "af","name" "afghanistan","ruleobjecttype" "country"}],"destinationaddressobjectlist" \[{"ruleobjectid" "101","name" "hostdnsrule","ruleobjecttype" "host dns name"},{"ruleobjectid" "102","name" "hostipv4","ruleobjecttype" "host ipv 4"},{"ruleobjectid" "103","name" "ipv4addressrange","ruleobjecttype" "ipv 4 address range"},{"ruleobjectid" "104","name" "networkgroup","ruleobjecttype" "network group"}],"sourceuserobjectlist" \[{"ruleobjectid" " 1","name" "any","ruleobjecttype" "user"}],"serviceobjectlist" \[],"applicationobjectlist" \[{"ruleobjectid" "1308991488","name" "100bao","ruleobjecttype" "application","applicationtype" "default"},{"ruleobjectid" "106","name" "applicaiononcutomport","ruleobjecttype" "application on custom port","applicationtype" "custom"},{"ruleobjectid" "105","name" "applicationgroup","ruleobjecttype" "application group","applicationtype" 
"custom"}],"timeobjectlist" \[{"ruleobjectid" "107","name" "finitetimeperiod","ruleobjecttype" "finite timing period"},{"ruleobjectid" "108","name" "recuringtimeperiod","ruleobjecttype" "recurring time period"},{"ruleobjectid" "109","name" "recurringtimeperiodgroup","ruleobjecttype" "recurring time period group"}]}]}}} output parameter type description status code number http status code of the response reason string response reason phrase createdresourceid number unique identifier output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"createdresourceid" 120}} create a new scanning exception at sensor creates a new scanning exception for a specified sensor in trellix ips using the provided scanningexceptiondetailselement endpoint url /sensor/{{sensor id}}/scanningexception method post input argument name type required description path parameters sensor id number required sensor id scanningexceptiondetailselement object optional object that contains the details of the field to be sent scanningexceptiondetailselement scanningexceptiondetails object required object that contains the details of the field to be sent scanningexceptiondetailselement scanningexceptiondetails forwardtype string optional can be one of these tcp/udp/vlan scanningexceptiondetailselement scanningexceptiondetails portinfo object optional contains the tcp/udp port informations scanningexceptiondetailselement scanningexceptiondetails portinfo portrange object optional contains the port range information scanningexceptiondetailselement scanningexceptiondetails portinfo portrange from object required start port value scanningexceptiondetailselement scanningexceptiondetails portinfo portrange to object required end port value scanningexceptiondetailselement scanningexceptiondetails portinfo portnumber object optional contains the port number information scanningexceptiondetailselement scanningexceptiondetails portinfo portnumber value number required specified port value 
scanningexceptiondetailselement scanningexceptiondetails vlaninfo object optional contains the vlan information scanningexceptiondetailselement scanningexceptiondetails vlaninfo portpairname object required name of the port pair on which scanning exception of vlan type should be created scanningexceptiondetailselement scanningexceptiondetails vlaninfo vlanids object optional contains the vlan information scanningexceptiondetailselement scanningexceptiondetails vlaninfo vlanids vlanrange object optional contains the vlan range information scanningexceptiondetailselement scanningexceptiondetails vlaninfo vlanids vlanid object optional contains the vlan id information input example {"path parameters" {"sensor id" 123},"scanningexceptiondetailselement" {"scanningexceptiondetails" {"forwardtype" "string","portinfo" {"portrange" {},"portnumber" {}},"vlaninfo" {"portpairname" {},"vlanids" {}}}}} output parameter type description status code number http status code of the response reason string response reason phrase status number status value output example {"status code" 200,"reason" "ok","json body" {"status" 1}} create new ips policy creates a new global ips policy in trellix ips with details like name, description, visibility, rule sets, and sensitivity level endpoint url /sdkapi/domain/{{domain id}}/ipspolicies/createips method post input argument name type required description path parameters domain id number required the unique identifier of the domain for which the ips policy is being created policyname string optional the name of the ips policy to be created description string optional a brief description of the ips policy isvisibletochildren boolean optional indicates if the policy is visible to child domains inboundruleset string optional the rule set to apply for inbound traffic outboundruleset string optional the rule set to apply for outbound traffic dosresponsesensitivitylevel number optional sensitivity level for dos response (e g , 1 for low, 2 for 
medium, etc ) direction number optional the direction of the policy (e g , 1 for inbound, 2 for outbound) input example {"json body" {"policyname" "ips policytest1","description" "test","isvisibletochildren"\ true,"inboundruleset" "default prevention","outboundruleset" "dmz","dosresponsesensitivitylevel" 1,"direction" 1},"path parameters" {"domain id" 0}} output parameter type description status code number http status code of the response reason string response reason phrase createdresourceid number unique identifier output example {"status code" 200,"reason" "ok","json body" {"createdresourceid" 105}} create or update light weight policy create or update a lightweight policy on trellix ips for a given interface using sensor id, interface id, and policydescriptor endpoint url /sensor/{{sensor id}}/interface/{{interface id}}/localipspolicy method post input argument name type required description path parameters sensor id number required the unique identifier of the sensor for which the policy is being created or updated path parameters interface id number required the unique identifier of the interface for which the policy is being created or updated policydescriptor object optional the policy descriptor containing the configuration details for the light weight policy policydescriptor policyname string required the name of the policy policydescriptor description string required a brief description of the policy policydescriptor isvisibletochildren boolean required indicates whether this policy is visible to child entities in the hierarchy policydescriptor inboundruleset string required the name of the inbound rule set associated with this policy policydescriptor outboundruleset string required the name of the outbound rule set associated with this policy policydescriptor attackcategory object required the category of attacks that this policy is configured to handle policydescriptor attackcategory expolitattacklist array required list of exploits and attacks for 
the policy policydescriptor attackcategory expolitattacklist attackname string required the name of the attack policydescriptor attackcategory expolitattacklist nspid string required the unique identifier for the attack policydescriptor attackcategory expolitattacklist severity number required the severity level of the attack policydescriptor attackcategory expolitattacklist isseveritycustomized boolean required indicates whether the severity level has been customized for this attack policydescriptor attackcategory expolitattacklist isenabled boolean required indicates whether this attack is enabled in the policy policydescriptor attackcategory expolitattacklist isalertcustomized boolean required indicates whether the alert settings for this attack have been customized policydescriptor attackcategory expolitattacklist isrecommendedforsmartblocking boolean required indicates whether this attack is recommended for smart blocking policydescriptor attackcategory expolitattacklist attackresponse object required the response actions to be taken for this attack policydescriptor attackcategory expolitattacklist attackresponse tcpreset string required the tcp reset action to be taken for this attack policydescriptor attackcategory expolitattacklist attackresponse istcpresetcustomized boolean required indicates whether the tcp reset action has been customized for this attack policydescriptor attackcategory expolitattacklist attackresponse isicmpsend boolean required indicates whether an icmp send action is configured for this attack policydescriptor attackcategory expolitattacklist attackresponse isicmpsendcustomized boolean required indicates whether the icmp send action has been customized for this attack policydescriptor attackcategory expolitattacklist attackresponse mcafeenacnotification string required the mcafee nac notification setting for this attack policydescriptor attackcategory expolitattacklist attackresponse ismcafeenacnotificationenabled boolean required 
indicates whether the mcafee nac notification is enabled for this attack policydescriptor attackcategory expolitattacklist attackresponse isquarantinecustomized boolean required indicates whether the quarantine settings for this attack have been customized input example {"path parameters" {"sensor id" 123,"interface id" 123},"policydescriptor" {"policyname" "example name","description" "string","isvisibletochildren"\ true,"inboundruleset" "string","outboundruleset" "string","attackcategory" {"expolitattacklist" \[{"attackname" "example name","nspid" "string","severity" 123,"isseveritycustomized"\ true,"isenabled"\ true,"isalertcustomized"\ true,"isrecommendedforsmartblocking"\ true,"attackresponse" {},"notification" {},"protocollist" \["string"],"benigntriggerprobability" "string","blockingtype" "string","subcategory" "string","direction" "string","isattackcustomized"\ true}]},"outboundattackcategory" {},"dospolicy" {"learningattack" \[{"attackname" "example name","nspid" "string","isseveritycustomized"\ true,"severity" 123,"isblockingsettingcustomized"\ true,"isdroppacket"\ true,"isalertcustomized"\ true,"issendalerttomanager"\ true,"direction" "string","notification" {},"isattackcustomized"\ true}],"thresholdattack" \[{"attackname" "example name","nspid" "string","isseveritycustomized"\ true,"severity" 123,"isthresholdvaluecustomized"\ true,"isthresholddurationcustomized"\ true,"thresholdvalue" 123,"thresholdduration" 123,"isalertcustomized"\ true,"issendalerttomanager"\ true,"notification" {},"direction" "string","isattackcustomized"\ true}],"timestamp" "2024 01 01t00 00 00z"},"reconpolicy" {"timestamp" {},"reconattacklist" \[{"isalertcustomized"\ true,"isseveritycustomized"\ true,"direction" {},"severity" 123,"isthresholddurationcustomized"\ true,"issendalerttomanager"\ true,"isquarantinecustomized"\ true,"attackname" "example name","thresholdduration" 123,"alertsuppressiontimer" 123,"isalertsuppressiontimercustomized"\ true,"isattackcustomized"\ 
true,"ismcafeenacnotificationenabled"\ true,"isthresholdvaluecustomized"\ true,"nspid" "string","mcafeenacnotification" "string","isremediateenabled"\ true,"timestamp" {},"thresholdvalue" 123,"notification" {}}]},"dosresponsesensitivitylevel" 123,"iseditable"\ true,"timestamp" "2024 01 01t00 00 00z","versionnum" 123,"islightweightpolicy"\ true}} output parameter type description status code number http status code of the response reason string response reason phrase createdresourceid number unique identifier output example {"status code" 200,"reason" "ok","json body" {"createdresourceid" 105}} delete firewall policy removes a specified firewall policy from trellix ips using the unique policy id provided in path parameters endpoint url /firewallpolicy/{{policy id}} method delete input argument name type required description path parameters policy id number required the unique identifier of the firewall policy to be deleted input example {"path parameters" {"policy id" 120}} output parameter type description status code number http status code of the response reason string response reason phrase status number status value output example {"status code" 200,"reason" "ok","json body" {"status" 1}} delete ips policy removes a specified intrusion prevention system policy from trellix ips using the provided policy id endpoint url /ipspolicy/{{policyid}} method delete input argument name type required description path parameters policyid number required the unique identifier of the ips policy to be deleted input example {"path parameters" {"policyid" 123}} output parameter type description status code number http status code of the response reason string response reason phrase createdresourceid number unique identifier output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"createdresourceid" 120}} delete light weight policy removes a local intrusion prevention system policy from a specified sensor interface in trellix ips using sensor and 
interface ids endpoint url /sensor/{{sensor id}}/interface/{{interface id}}/localipspolicy method delete input argument name type required description path parameters sensor id number required the unique identifier of the sensor for which the policy is being created or updated path parameters interface id number required the unique identifier of the interface for which the policy is being created or updated input example {"path parameters" {"sensor id" 1001,"interface id" 501}} output parameter type description status code number http status code of the response reason string response reason phrase status number status value output example {"status code" 200,"reason" "ok","json body" {"status" 1}} delete scanning exception on a sensor removes a specified scanning exception from a trellix ips sensor using the sensor's id and the scanningexceptiondeleteelement endpoint url /sensor/{{sensor id}}/scanningexception method delete input argument name type required description path parameters sensor id number required sensor id scanningexceptiondeleteelement string optional object that contains the details of the field to be sent input example {"path parameters" {"sensor id" 123},"scanningexceptiondeleteelement" "string"} output parameter type description status code number http status code of the response reason string response reason phrase status number status value output example {"status code" 200,"reason" "ok","json body" {"status" 1}} enable or disable scanning exception on a sensor enable or disable the scanning exception for a specific sensor in trellix ips using the sensor id and status element endpoint url /sensor/{{sensor id}}/scanningexception/status method put input argument name type required description path parameters sensor id number required sensor id scanningexceptionstatuselement object optional object that contains the details of the field to be sent scanningexceptionstatuselement enabled boolean required indicates if scanning exception is enabled on 
the sensor input example {"path parameters" {"sensor id" 123},"scanningexceptionstatuselement" {"enabled"\ true}} output parameter type description status code number http status code of the response reason string response reason phrase status number status value output example {"status code" 200,"reason" "ok","json body" {"status" 1}} get firewall policies in domain retrieve all firewall policies within a specified domain in trellix ips by providing the domain id endpoint url /domain/{{domain id}}/firewallpolicy method get input argument name type required description path parameters domain id number required the unique identifier of the domain for which firewall policies are being retrieved input example {"path parameters" {"domain id" 120}} output parameter type description status code number http status code of the response reason string response reason phrase firewallpoliciesfordomainresponselist array output field firewallpoliciesfordomainresponselist firewallpoliciesfordomainresponselist policyid number unique identifier firewallpoliciesfordomainresponselist policyname string name of the resource firewallpoliciesfordomainresponselist domainid number unique identifier firewallpoliciesfordomainresponselist visibletochild boolean output field firewallpoliciesfordomainresponselist visibletochild firewallpoliciesfordomainresponselist description string output field firewallpoliciesfordomainresponselist description firewallpoliciesfordomainresponselist iseditable boolean output field firewallpoliciesfordomainresponselist iseditable firewallpoliciesfordomainresponselist policytype string type of the resource firewallpoliciesfordomainresponselist policyversion number output field firewallpoliciesfordomainresponselist policyversion firewallpoliciesfordomainresponselist lastmoduser string output field firewallpoliciesfordomainresponselist lastmoduser output example {"status code" 200,"reason" "ok","json body" {"firewallpoliciesfordomainresponselist" \[{"policyid" 
107,"policyname" "port firewallpolicy","domainid" 0,"visibletochild"\ false,"description" "firewall policy for port","iseditable"\ true,"policytype" "classic","policyversion" 1,"lastmoduser" "admin"},{"policyid" 105,"policyname" "interface firewallpolicy","domainid" 0,"visibletochild"\ true,"description" "firewall policy for interface","iseditable"\ true,"policytype" "advanced","policyversion" 1,"lastm get firewall policy retrieve details of a specific firewall policy in trellix ips using the provided policy id endpoint url /firewallpolicy/{{policy id}} method get input argument name type required description path parameters policy id number required the unique identifier of the firewall policy to be deleted input example {"path parameters" {"policy id" 120}} output parameter type description status code number http status code of the response reason string response reason phrase firewallpolicyid number unique identifier name string name of the resource domainid number unique identifier visibletochild boolean output field visibletochild description string output field description lastmodifiedtime string time value iseditable boolean output field iseditable policytype string type of the resource policyversion number output field policyversion lastmodifieduser string output field lastmodifieduser memberdetails object output field memberdetails memberdetails memberrulelist array output field memberdetails memberrulelist memberdetails memberrulelist description string output field memberdetails memberrulelist description memberdetails memberrulelist enabled boolean output field memberdetails memberrulelist enabled memberdetails memberrulelist response string output field memberdetails memberrulelist response memberdetails memberrulelist islogging boolean output field memberdetails memberrulelist islogging memberdetails memberrulelist direction string output field memberdetails memberrulelist direction memberdetails memberrulelist sourceaddressobjectlist array output 
field memberdetails memberrulelist sourceaddressobjectlist memberdetails memberrulelist sourceaddressobjectlist ruleobjectid string unique identifier memberdetails memberrulelist sourceaddressobjectlist name string name of the resource memberdetails memberrulelist sourceaddressobjectlist ruleobjecttype string type of the resource memberdetails memberrulelist destinationaddressobjectlist array output field memberdetails memberrulelist destinationaddressobjectlist memberdetails memberrulelist destinationaddressobjectlist ruleobjectid string unique identifier output example {"status code" 200,"reason" "ok","json body" {"firewallpolicyid" 120,"name" "testfirewallpolicy","domainid" 0,"visibletochild"\ true,"description" "test the firewallpolicy","lastmodifiedtime" "2012 12 12 12 43 54","iseditable"\ true,"policytype" "advanced","policyversion" 1,"lastmodifieduser" "admin","memberdetails" {"memberrulelist" \[]}}} get ips policies in a domain retrieves all intrusion prevention system policies within a specified domain in trellix ips, identified by the domain id endpoint url /domain/{{domain id}}/ipspolicies method get input argument name type required description path parameters domain id number required the unique identifier of the domain for which ips policies are being retrieved input example {"path parameters" {"domain id" 0}} output parameter type description status code number http status code of the response reason string response reason phrase policydescriptordetailslist array output field policydescriptordetailslist policydescriptordetailslist name string name of the resource policydescriptordetailslist domainid string unique identifier policydescriptordetailslist policyid string unique identifier policydescriptordetailslist iseditable string output field policydescriptordetailslist iseditable policydescriptordetailslist visibletochild string output field policydescriptordetailslist visibletochild output example {"status code" 200,"response headers" {},"reason" 
"ok","json body" {"policydescriptordetailslist" \[{"name" "default ips attack settings","domainid" "0","policyid" " 1","iseditable" "true","visibletochild" "true"},{"name" "default ids","domainid" "0","policyid" "0","iseditable" "true","visibletochild" "true"},{"name" "all inclusive without audit","domainid" "0","policyid" "16","iseditable" "true","visibletochild" "true"}]}} get ips policy details retrieve detailed information on a specific trellix ips policy using the provided policy id, including attack sets and response actions endpoint url /ipspolicy/{{policy id}} method get input argument name type required description path parameters policy id number required the unique identifier of the ips policy for which details are being retrieved input example {"path parameters" {"policy id" 0}} output parameter type description status code number http status code of the response reason string response reason phrase policydescriptor object output field policydescriptor policydescriptor policyname string name of the resource policydescriptor description string output field policydescriptor description policydescriptor isvisibletochildren boolean output field policydescriptor isvisibletochildren policydescriptor inboundruleset string output field policydescriptor inboundruleset policydescriptor outboundruleset string output field policydescriptor outboundruleset policydescriptor attackcategory object output field policydescriptor attackcategory policydescriptor attackcategory expolitattacklist array output field policydescriptor attackcategory expolitattacklist policydescriptor attackcategory expolitattacklist attackname string name of the resource policydescriptor attackcategory expolitattacklist nspid string unique identifier policydescriptor attackcategory expolitattacklist severity number output field policydescriptor attackcategory expolitattacklist severity policydescriptor attackcategory expolitattacklist isseveritycustomized boolean output field policydescriptor 
attackcategory expolitattacklist isseveritycustomized policydescriptor attackcategory expolitattacklist isenabled boolean output field policydescriptor attackcategory expolitattacklist isenabled policydescriptor attackcategory expolitattacklist isalertcustomized boolean output field policydescriptor attackcategory expolitattacklist isalertcustomized policydescriptor attackcategory expolitattacklist isrecommendedforsmartblocking boolean output field policydescriptor attackcategory expolitattacklist isrecommendedforsmartblocking policydescriptor attackcategory expolitattacklist attackresponse object output field policydescriptor attackcategory expolitattacklist attackresponse policydescriptor attackcategory expolitattacklist attackresponse tcpreset string output field policydescriptor attackcategory expolitattacklist attackresponse tcpreset policydescriptor attackcategory expolitattacklist attackresponse istcpresetcustomized boolean output field policydescriptor attackcategory expolitattacklist attackresponse istcpresetcustomized policydescriptor attackcategory expolitattacklist attackresponse isicmpsend boolean output field policydescriptor attackcategory expolitattacklist attackresponse isicmpsend policydescriptor attackcategory expolitattacklist attackresponse isicmpsendcustomized boolean output field policydescriptor attackcategory expolitattacklist attackresponse isicmpsendcustomized policydescriptor attackcategory expolitattacklist attackresponse mcafeenacnotification string output field policydescriptor attackcategory expolitattacklist attackresponse mcafeenacnotification policydescriptor attackcategory expolitattacklist attackresponse ismcafeenacnotificationenabled boolean output field policydescriptor attackcategory expolitattacklist attackresponse ismcafeenacnotificationenabled policydescriptor attackcategory expolitattacklist attackresponse isquarantinecustomized boolean output field policydescriptor attackcategory expolitattacklist attackresponse 
| PolicyDescriptor.AttackCategory.ExpolitAttackList.attackResponse.isQuarantineCustomized | boolean | Whether the quarantine response for the attack is customized |

Output Example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "PolicyDescriptor": {
      "PolicyName": "ipspolicy",
      "Description": "to test the ips policy",
      "IsVisibleToChildren": true,
      "InboundRuleSet": "testips",
      "OutboundRuleSet": "null",
      "AttackCategory": {},
      "OutboundAttackCategory": {},
      "DosPolicy": {},
      "DosResponseSensitivityLevel": 0,
      "IsEditable": false,
      "Timestamp": "2012-06-20 18:44:55.000",
      "VersionNum": 1,
      "IsLightWeightPolicy": false
    }
  }
}
```

### Get Light Weight Policy Details

Retrieves the lightweight (local) IPS policy of a specified sensor interface in Trellix IPS, addressed by sensor ID and interface ID.

#### Endpoint URL

`/sensor/{{sensor_id}}/interface/{{interface_id}}/localipspolicy`

#### Method

GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sensor_id | number | required | The unique identifier of the sensor whose local policy is being retrieved |
| path_parameters.interface_id | number | required | The unique identifier of the interface whose local policy is being retrieved |

The input example below also carries a `subinterface_id`; it is not part of this endpoint's path and is not listed above.

Input Example:

```json
{
  "path_parameters": {
    "sensor_id": 1001,
    "interface_id": 501,
    "subinterface_id": 105
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| PolicyDescriptor | object | The policy descriptor |
| PolicyDescriptor.PolicyName | string | Name of the policy |
| PolicyDescriptor.Description | string | Description of the policy |
| PolicyDescriptor.IsVisibleToChildren | boolean | Whether the policy is visible to child domains |
| PolicyDescriptor.InboundRuleSet | string | Inbound rule set |
| PolicyDescriptor.OutboundRuleSet | string | Outbound rule set |
| PolicyDescriptor.AttackCategory | object | Attack category settings |
| PolicyDescriptor.AttackCategory.ExpolitAttackList | array | List of exploit attacks (the API spells the field `ExpolitAttackList`; keep that spelling) |
| PolicyDescriptor.AttackCategory.ExpolitAttackList.attackName | string | Name of the attack |
| PolicyDescriptor.AttackCategory.ExpolitAttackList.nspId | string | Unique identifier of the attack |
| PolicyDescriptor.AttackCategory.ExpolitAttackList.severity | number | Severity of the attack |
| PolicyDescriptor.AttackCategory.ExpolitAttackList.isSeverityCustomized | boolean | Whether the severity is customized |
| PolicyDescriptor.AttackCategory.ExpolitAttackList.isEnabled | boolean | Whether the attack is enabled |
| PolicyDescriptor.AttackCategory.ExpolitAttackList.isAlertCustomized | boolean | Whether alerting is customized |
| PolicyDescriptor.AttackCategory.ExpolitAttackList.isRecommendedForSmartBlocking | boolean | Whether the attack is recommended for smart blocking |
| PolicyDescriptor.AttackCategory.ExpolitAttackList.attackResponse | object | Response settings for the attack |
| PolicyDescriptor.AttackCategory.ExpolitAttackList.attackResponse.tcpReset | string | TCP reset setting |
| PolicyDescriptor.AttackCategory.ExpolitAttackList.attackResponse.isTcpResetCustomized | boolean | Whether the TCP reset setting is customized |
| PolicyDescriptor.AttackCategory.ExpolitAttackList.attackResponse.isIcmpSend | boolean | Whether an ICMP message is sent |
| PolicyDescriptor.AttackCategory.ExpolitAttackList.attackResponse.isIcmpSendCustomized | boolean | Whether the ICMP send setting is customized |
| PolicyDescriptor.AttackCategory.ExpolitAttackList.attackResponse.mcAfeeNACNotification | string | McAfee NAC notification setting |
| PolicyDescriptor.AttackCategory.ExpolitAttackList.attackResponse.isMcAfeeNACNotificationEnabled | boolean | Whether McAfee NAC notification is enabled |
| PolicyDescriptor.AttackCategory.ExpolitAttackList.attackResponse.isQuarantineCustomized | boolean | Whether the quarantine response is customized |

Output Example:

```json
{
  "status_code": 200,
  "reason": "OK",
  "json_body": {
    "PolicyDescriptor": {
      "PolicyName": "local policy /my company/ips ns9200/g3/1 g3/2/interface 1",
      "Description": "to test the policies",
      "IsVisibleToChildren": true,
      "InboundRuleSet": "testruleset",
      "OutboundRuleSet": "null",
      "AttackCategory": {},
      "OutboundAttackCategory": {},
      "DosPolicy": {},
      "ReconPolicy": {},
      "DosResponseSensitivityLevel": 0,
      "IsEditable": false,
      "Timestamp": "2012-08-31 15:20:55.000",
      "VersionNum": 1,
      "IsLightWeightPolicy": true
    }
  }
}
```

### Get Quarantined Host Details

Retrieves details of the hosts quarantined by a Trellix IPS sensor, given the sensor ID.

#### Endpoint URL

`/sensor/{{sensor_id}}/action/quarantinehost/details`

#### Method

GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sensor_id | number | required | Sensor ID |

Input Example:

```json
{"path_parameters": {"sensor_id": 123}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| QuarantineHostDetail | array | One entry per quarantined host |
| QuarantineHostDetail.ipAddress | string | IP address of the quarantined host |
| QuarantineHostDetail.quarantineDetails | object | Where the host is quarantined |
| QuarantineHostDetail.quarantineDetails.device | string | Device (sensor) holding the quarantine |
| QuarantineHostDetail.quarantineDetails.quarantineZone | string | Quarantine zone |
| QuarantineHostDetail.addedToQuarantine | object | Who added the host and when |
| QuarantineHostDetail.addedToQuarantine.by | string | User or process that added the host to quarantine |
| QuarantineHostDetail.addedToQuarantine.time | string | Time at which the host was added to quarantine |
| QuarantineHostDetail.remediate | boolean | Whether remediation was requested along with the quarantine |
| QuarantineHostDetail.pendingRelease | string | Whether a release of the host is pending |

Output Example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"QuarantineHostDetail": [{}]}}
```

### Get Quarantined Hosts

Retrieves the list of hosts quarantined by a specific sensor in Trellix IPS; the sensor's ID is supplied as a path parameter.

#### Endpoint URL

`/sensor/{{sensor_id}}/action/quarantinehost`

#### Method

GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sensor_id | number | required | Sensor ID |

Input Example:

```json
{"path_parameters": {"sensor_id": 123}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| QuarantineHostDescriptor | array | One entry per quarantined host |
| QuarantineHostDescriptor.ipAddress | string | IP address of the quarantined host |
| QuarantineHostDescriptor.duration | number | Quarantine duration |

Output Example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"QuarantineHostDescriptor": [{}, {}]}}
```

### Get Scanning Exception Details on a Sensor

Retrieves the scanning-exception details of a specified Trellix IPS sensor, given the sensor ID. Traffic matched by a scanning exception is excluded from inspection, so treat these ranges with the same care as the policies themselves. Although the method is GET, the schema lists a `scanningExceptionResponseElement` among the inputs; the action's own output is only a status value.

#### Endpoint URL

`/sensor/{{sensor_id}}/scanningexception`

#### Method

GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sensor_id | number | required | Sensor ID |
| scanningExceptionResponseElement | object | optional | Object that carries the scanning-exception fields |
| scanningExceptionResponseElement.tcpRules | object | optional | TCP rule settings |
| scanningExceptionResponseElement.tcpRules.tcpPortRangeList | object | optional | List of objects, each holding one TCP port range |
| scanningExceptionResponseElement.tcpRules.tcpPortRangeList.tcpPortRange | string | optional | TCP port range in the form "from-to" |
| scanningExceptionResponseElement.udpRules | object | optional | UDP rule settings |
| scanningExceptionResponseElement.udpRules.udpPortRangeList | object | optional | List of objects, each holding one UDP port range |
| scanningExceptionResponseElement.udpRules.udpPortRangeList.udpPortRange | string | optional | UDP port range in the form "from-to" |
| scanningExceptionResponseElement.vlanRules | object | optional | VLAN rule settings |
| scanningExceptionResponseElement.vlanRules.vlanIdRangeList | object | optional | List of objects, each holding one VLAN ID range |
| scanningExceptionResponseElement.vlanRules.vlanIdRangeList.vlanIdRange | string | optional | VLAN ID range in the form "from-to" |
| scanningExceptionResponseElement.vlanRules.vlanIdRangeList.portPairName | string | optional | Name of the port pair the VLAN range applies to |

Input Example:

```json
{
  "path_parameters": {"sensor_id": 123},
  "scanningExceptionResponseElement": {
    "tcpRules": {"tcpPortRangeList": {"tcpPortRange": "string"}},
    "udpRules": {"udpPortRangeList": {"udpPortRange": "string"}},
    "vlanRules": {"vlanIdRangeList": {"vlanIdRange": "string", "portPairName": "example name"}}
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

Output Example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"status": 1}}
```

### Get Scanning Exception Status on a Sensor

Retrieves whether scanning exceptions are enabled on a specified Trellix IPS sensor, given the sensor ID and a `scanningExceptionStatusElement`.

#### Endpoint URL

`/sensor/{{sensor_id}}/scanningexception/status`

#### Method

GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sensor_id | number | required | Sensor ID |
| scanningExceptionStatusElement | object | optional | Object that carries the status field |
| scanningExceptionStatusElement.enabled | boolean | required (when the element is supplied) | Whether scanning exception is enabled on the sensor |

Input Example:

```json
{"path_parameters": {"sensor_id": 123}, "scanningExceptionStatusElement": {"enabled": true}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

Output Example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"status": 1}}
```

### Quarantine Host

Isolates a host for a specified duration through a Trellix IPS sensor, given the sensor ID and the host's IP address.

#### Endpoint URL

`/sensor/{{sensor_id}}/action/quarantinehost`

#### Method

POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sensor_id | number | required | Sensor ID |
| ipAddress | string | optional | IPv4/IPv6 address to quarantine (the schema marks it optional, but there is nothing to quarantine without it) |
| duration | string | optional | Duration for which the IP is to be quarantined |
| remediate | boolean | optional | Remediate the IP along with the quarantine |

Input Example:

```json
{"path_parameters": {"sensor_id": 123}, "ipAddress": "string", "duration": "string", "remediate": true}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

Output Example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"status": 1}}
```

### Release Quarantined Host

Releases a specified host from quarantine in Trellix IPS, given the sensor ID and the IP address. The address is interpolated into the URL path, so validate it as an IP address before calling this action.

#### Endpoint URL

`/sensor/{{sensor_id}}/action/quarantinehost/{{ipaddress}}`

#### Method

DELETE

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sensor_id | number | required | Sensor ID |
| path_parameters.ipaddress | string | required | IPv4/IPv6 address to be released from quarantine |

Input Example:

```json
{"path_parameters": {"sensor_id": 123, "ipaddress": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

Output Example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"status": 1}}
```

### Update Firewall Policy

Updates the Trellix IPS firewall policy identified by policy ID with the supplied configuration, including its visibility and editability settings.

#### Endpoint URL

`/firewallpolicy/{{policy_id}}`

#### Method

PUT

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.policy_id | number | required | The unique identifier of the firewall policy to be updated |
| FirewallPolicyId | number | optional | Unique identifier of the firewall policy |
| Name | string | optional | Name of the policy |
| DomainId | number | optional | Identifier of the domain the policy belongs to |
| VisibleToChild | boolean | optional | Whether the policy is visible to child domains |
| Description | string | optional | Description of the policy |
| LastModifiedTime | string | optional | Time the policy was last modified |
| IsEditable | boolean | optional | Whether the policy is editable |
| PolicyType | string | optional | Type of the policy |
| PolicyVersion | number | optional | Version of the policy |
| LastModifiedUser | string | optional | User who last modified the policy |
| MemberDetails | object | optional | Member rule details |
| MemberDetails.MemberRuleList | array | required | List of member rules |
| MemberDetails.MemberRuleList.Description | string | required | Description of the rule |
| MemberDetails.MemberRuleList.Enabled | boolean | required | Whether the rule is enabled |
| MemberDetails.MemberRuleList.Response | string | required | Response the rule applies |
| MemberDetails.MemberRuleList.IsLogging | boolean | required | Whether matches are logged |
| MemberDetails.MemberRuleList.Direction | string | required | Direction the rule applies to |
| MemberDetails.MemberRuleList.SourceAddressObjectList | array | required | Source address objects |
| MemberDetails.MemberRuleList.SourceAddressObjectList.RuleObjectId | string | required | Unique identifier of the rule object |
| MemberDetails.MemberRuleList.SourceAddressObjectList.Name | string | required | Name of the rule object |
| MemberDetails.MemberRuleList.SourceAddressObjectList.RuleObjectType | string | required | Type of the rule object |
| MemberDetails.MemberRuleList.DestinationAddressObjectList | array | required | Destination address objects |
| MemberDetails.MemberRuleList.DestinationAddressObjectList.RuleObjectId | string | required | Unique identifier of the rule object |
| MemberDetails.MemberRuleList.DestinationAddressObjectList.Name | string | required | Name of the rule object |

The table stops here; the input example shows the remaining per-rule lists (`SourceUserObjectList`, `ServiceObjectList`, `ApplicationObjectList`, `TimeObjectList`). `MemberDetails` is optional, but every field under it is required once it is supplied, and the request is a PUT of the whole policy object, so fetch the current policy first and resubmit it with your change rather than sending a partial object.

Input Example:

```json
{
  "json_body": {
    "Name": "testfirewallpolicy",
    "DomainId": 0,
    "VisibleToChild": true,
    "Description": "test the firewallpolicy",
    "LastModifiedTime": "2012-12-12 12:30:47",
    "IsEditable": true,
    "PolicyType": "ADVANCED",
    "PolicyVersion": 1,
    "LastModifiedUser": "admin",
    "MemberDetails": {
      "MemberRuleList": [
        {
          "Description": "test member rule",
          "Enabled": true,
          "Response": "SCAN",
          "IsLogging": false,
          "Direction": "INBOUND",
          "SourceAddressObjectList": [
            {"RuleObjectId": "AF", "Name": "afghanistan", "RuleObjectType": "COUNTRY"}
          ],
          "DestinationAddressObjectList": [
            {"RuleObjectId": "101", "Name": "hostdnsrule", "RuleObjectType": "HOST_DNS_NAME"},
            {"RuleObjectId": "102", "Name": "hostipv4", "RuleObjectType": "HOST_IPV_4"},
            {"RuleObjectId": "103", "Name": "ipv4addressrange", "RuleObjectType": "IPV_4_ADDRESS_RANGE"},
            {"RuleObjectId": "104", "Name": "networkgroup", "RuleObjectType": "NETWORK_GROUP"}
          ],
          "SourceUserObjectList": [
            {"RuleObjectId": "-1", "Name": "any", "RuleObjectType": "USER"}
          ],
          "ServiceObjectList": [],
          "ApplicationObjectList": [
            {"RuleObjectId": "1308991488", "Name": "100bao", "RuleObjectType": "APPLICATION", "ApplicationType": "DEFAULT"},
            {"RuleObjectId": "106", "Name": "applicationoncustomport", "RuleObjectType": "APPLICATION_ON_CUSTOM_PORT", "ApplicationType": "CUSTOM"},
            {"RuleObjectId": "105", "Name": "applicationgroup", "RuleObjectType": "APPLICATION_GROUP", "ApplicationType": "CUSTOM"}
          ],
          "TimeObjectList": [
            {"RuleObjectId": "107", "Name": "finitetimeperiod", "RuleObjectType": "FINITE_TIMING_PERIOD"},
            {"RuleObjectId": "108", "Name": "recurringtimeperiod", "RuleObjectType": "RECURRING_TIME_PERIOD"},
            {"RuleObjectId": "109", "Name": "recurringtimeperiodgroup", "RuleObjectType": "RECURRING_TIME_PERIOD_GROUP"}
          ]
        }
      ]
    }
  },
  "path_parameters": {"policy_id": 120}
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

Output Example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"status": 1}}
```

### Update IPS Policy

Updates the Trellix IPS policy identified by policy ID with the supplied `OutboundAttackCategory` and the other policy fields listed below (attack categories, DoS and reconnaissance settings, rule sets).

#### Endpoint URL

`/ipspolicy/{{policyid}}`

#### Method

PUT

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.policyid | number | required | The unique identifier of the IPS policy to update |
| DosResponseSensitivityLevel | number | optional | The sensitivity level for DoS response in the policy |
| Direction | number | optional | The direction of the policy (for example inbound or outbound) |
| Description | string | optional | A brief description of the IPS policy |
| IsEditable | boolean | optional | Whether the policy is editable |
| PolicyName | string | optional | The name of the IPS policy |
| ReconPolicy | object | optional | The reconnaissance policy configuration |
| ReconPolicy.ReconAttackList | array | optional | List of reconnaissance attacks for the policy |
| ReconPolicy.ReconAttackList.isAlertCustomized | boolean | optional | Whether alert settings are customized for this recon attack |
| ReconPolicy.ReconAttackList.isQuarantineCustomized | boolean | optional | Whether quarantine settings are customized for this recon attack |
| ReconPolicy.ReconAttackList.severity | number | optional | The severity level of the recon attack |
| ReconPolicy.ReconAttackList.isThresholdDurationCustomized | boolean | optional | Whether the threshold duration is customized for this recon attack |
| ReconPolicy.ReconAttackList.isSendAlertToManager | boolean | optional | Whether alerts for this recon attack are sent to the Manager |
| ReconPolicy.ReconAttackList.nspId | string | optional | The unique identifier of the recon attack |
| ReconPolicy.ReconAttackList.thresholdDuration | number | optional | The threshold duration, in seconds, for this recon attack |
| ReconPolicy.ReconAttackList.alertSuppressionTimer | number | optional | The alert suppression timer for this recon attack |
| ReconPolicy.ReconAttackList.isAlertSuppressionTimerCustomized | boolean | optional | Whether the alert suppression timer is customized for this recon attack |
| ReconPolicy.ReconAttackList.isMcAfeeNACNotificationEnabled | boolean | optional | Whether McAfee NAC notification is enabled for this recon attack |
| ReconPolicy.ReconAttackList.thresholdValue | number | optional | The threshold value for the recon attack |
| ReconPolicy.ReconAttackList.notification | object | required | Notification settings for this recon attack (email, pager, script, auto-acknowledgment, SNMP and syslog) |
| ReconPolicy.ReconAttackList.notification.isAutoAckCustomized | boolean | optional | Whether the auto-acknowledgment setting is customized |
| ReconPolicy.ReconAttackList.notification.isPager | boolean | optional | Whether pager notifications are enabled |
| ReconPolicy.ReconAttackList.notification.isSyslogCustomized | boolean | optional | Whether the syslog notification setting is customized |
| ReconPolicy.ReconAttackList.notification.isPagerCustomized | boolean | optional | Whether the pager notification setting is customized |
| ReconPolicy.ReconAttackList.notification.isEmail | boolean | optional | Whether email notifications are enabled |

The table stops here; the input example shows the remaining fields (`DosPolicy`, `AttackCategory`, `OutboundAttackCategory`, the rule sets and the rest of each `notification` and `attackResponse` object) in full. As with the firewall policy, this is a PUT of the whole policy object, so start from the current policy (Get IPS Policy Details) and resubmit it with your change.

Input Example:

```json
{
  "path_parameters": {"policyid": 123},
  "DosResponseSensitivityLevel": 123,
  "Direction": 123,
  "Description": "string",
  "IsEditable": true,
  "PolicyName": "example name",
  "ReconPolicy": {
    "ReconAttackList": [
      {
        "isAlertCustomized": true, "isQuarantineCustomized": true, "severity": 123,
        "isThresholdDurationCustomized": true, "isSendAlertToManager": true, "nspId": "string",
        "thresholdDuration": 123, "alertSuppressionTimer": 123, "isAlertSuppressionTimerCustomized": true,
        "isMcAfeeNACNotificationEnabled": true, "thresholdValue": 123,
        "notification": {
          "isAutoAckCustomized": true, "isPager": true, "isSyslogCustomized": true, "isPagerCustomized": true,
          "isEmail": true, "isScriptCustomized": true, "isSnmpCustomized": true, "isScript": true,
          "isSnmp": true, "isEmailCustomized": true, "isAutoAck": true, "isSyslog": true
        },
        "mcAfeeNACNotification": "string", "isRemediateEnabled": true, "isSeverityCustomized": true,
        "isThresholdValueCustomized": true
      }
    ]
  },
  "DosPolicy": {
    "LearningAttack": [
      {
        "isAlertCustomized": true, "direction": "string", "severity": 123, "isDropPacket": true,
        "isSendAlertToManager": true, "nspId": "string", "isBlockingSettingCustomized": true,
        "attackName": "example name", "isSeverityCustomized": true,
        "notification": {
          "isAutoAckCustomized": true, "isPager": true, "isSyslogCustomized": true, "isPagerCustomized": true,
          "isEmail": true, "isScriptCustomized": true, "isSnmpCustomized": true, "isScript": true,
          "isSnmp": true, "isEmailCustomized": true, "isAutoAck": true, "isSyslog": true
        }
      }
    ],
    "ThresholdAttack": [
      {
        "isAlertCustomized": true, "direction": "string", "severity": 123,
        "isThresholdDurationCustomized": true, "isSendAlertToManager": true, "nspId": "string",
        "thresholdDuration": 123, "isSeverityCustomized": true,
        "notification": {
          "isAutoAckCustomized": true, "isPager": true, "isSyslogCustomized": true, "isPagerCustomized": true,
          "isEmail": true, "isScriptCustomized": true, "isSnmpCustomized": true, "isScript": true,
          "isSnmp": true, "isEmailCustomized": true, "isAutoAck": true, "isSyslog": true
        },
        "attackName": "example name", "thresholdValue": 123, "isThresholdValueCustomized": true
      }
    ]
  },
  "IsVisibleToChildren": true,
  "OutboundAttackCategory": {
    "ExpolitAttackList": [
      {
        "isAlertCustomized": true, "blockingType": "string", "direction": "string", "severity": 123,
        "attackResponse": {
          "isFlowCustomized": true, "isIcmpSend": true, "blockingOption": "string",
          "mcAfeeNACNotification": "string", "isAlertCustomized": true, "isCapturedPrior": true,
          "numberOfBytesInEachPacket": {}, "isIcmpSendCustomized": true, "isCapturedPriorCustomized": true,
          "timestamp": "2024-01-01T00:00:00Z", "isQuarantineCustomized": true, "tcpReset": "string",
          "isLogCustomized": true, "isTcpResetCustomized": true, "isNBytesCustomized": true,
          "flow": "string", "isMcAfeeNACNotificationEnabled": true, "isAlert": true, "action": "string",
          "loggingDuration": {}, "isRemediateEnabled": true, "isBlockingOptionCustomized": true
        },
        "nspId": "string", "isEnabled": true, "benignTriggerProbability": "string",
        "notification": {
          "isAutoAckCustomized": true, "isPager": true, "isSyslogCustomized": true, "isPagerCustomized": true,
          "isEmail": true, "isScriptCustomized": true, "isSnmpCustomized": true, "isScript": true,
          "isSnmp": true, "isEmailCustomized": true, "isAutoAck": true, "isSyslog": true
        },
        "isRecommendedForSmartBlocking": true, "isSeverityCustomized": true, "subCategory": "string"
      }
    ]
  },
  "AttackCategory": {
    "ExpolitAttackList": [
      {
        "isAlertCustomized": true, "blockingType": "string", "direction": "string", "severity": 123,
        "attackResponse": {
          "isFlowCustomized": true, "isIcmpSend": true, "blockingOption": "string",
          "mcAfeeNACNotification": "string", "isAlertCustomized": true, "isCapturedPrior": true,
          "numberOfBytesInEachPacket": {}, "isIcmpSendCustomized": true, "isCapturedPriorCustomized": true,
          "timestamp": "2024-01-01T00:00:00Z", "isQuarantineCustomized": true, "tcpReset": "string",
          "isLogCustomized": true, "isTcpResetCustomized": true, "isNBytesCustomized": true,
          "flow": "string", "isMcAfeeNACNotificationEnabled": true, "isAlert": true, "action": "string",
          "loggingDuration": {}, "isRemediateEnabled": true, "isBlockingOptionCustomized": true
        },
        "nspId": "string", "isEnabled": true, "benignTriggerProbability": "string",
        "notification": {
          "isAutoAckCustomized": true, "isPager": true, "isSyslogCustomized": true, "isPagerCustomized": true,
          "isEmail": true, "isScriptCustomized": true, "isSnmpCustomized": true, "isScript": true,
          "isSnmp": true, "isEmailCustomized": true, "isAutoAck": true, "isSyslog": true
        },
        "isRecommendedForSmartBlocking": true, "isSeverityCustomized": true, "subCategory": "string"
      }
    ]
  },
  "OutboundRuleSet": "string",
  "InboundRuleSet": "string"
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

Output Example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"status": 1}}
```

### Update IPS Quarantine Duration for a Host

Modifies the quarantine duration of a host in Trellix IPS, given the sensor ID, the host's IP address and the new duration.

#### Endpoint URL

`/sensor/{{sensor_id}}/action/quarantinehost`

#### Method

PUT

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sensor_id | number | required | Sensor ID |
| ipAddress | string | optional | IPv4/IPv6 address whose quarantine is being updated |
| duration | string | optional | Duration for which the IP is to be quarantined |
| remediate | boolean | optional | Remediate the IP along with the quarantine |
| isOverride | boolean | optional | Override the previous quarantine data, if any, for the given IP |

Input Example:

```json
{"path_parameters": {"sensor_id": 123}, "ipAddress": "string", "duration": "string", "remediate": true, "isOverride": true}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |

Output Example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"status": 1}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |