# Trend Micro Apex Central

The Trend Micro Apex Central connector enables automated interactions with the Apex Central security management platform, facilitating tasks such as YARA file management and UDSO list manipulation.

Trend Micro Apex Central serves as a central security management hub, facilitating the automation of threat detection and response across an organization's network. This connector enables Swimlane Turbine users to integrate with Apex Central to manage security agents, suspicious objects, and YARA rules. By leveraging this integration, security teams can automate the addition of suspicious files to blocklists, manage security agent configurations, and retrieve detailed agent and threat information, enhancing their security posture and response capabilities.

## Limitations

None to date.

## Prerequisites

To utilize the Trend Micro Apex Central connector with Swimlane, ensure you have the following:

- API key authentication with the necessary parameters:
  - Host address: the endpoint URL for the Trend Micro Apex Central instance.
  - App ID: the application identifier used for API access.
  - API key: a unique key provided by Trend Micro for authenticating API requests.

## Capabilities

This connector provides the following capabilities:

- Add File Object to UDSO List
- Add UDSO to List
- Isolate, Restore, Relocate or Uninstall Sec Agent
- List Security Agents
- List UDSO Entries
- List Uploaded YARA Files

### Add File Object to UDSO List

Adds the uploaded file information to the User-Defined Suspicious Objects list.

Trend Micro Apex Central API documentation for this action can be found [here](https://automation.trendmicro.com/apex-central/api/#tag/udso/operation/suspiciousobjectresource_getproductservers).

### Add UDSO to List

Adds the specified object information to the User-Defined Suspicious Objects list.

Trend Micro Apex Central API documentation for this action can be found [here](https://automation.trendmicro.com/apex-central/api/#tag/udso/operation/suspiciousobjects_adduserdefinedso).

### List Security Agents

Retrieves a list of security agents with more detail.

Trend Micro Apex Central API documentation for this action can be found [here](https://automation.trendmicro.com/apex-central/api/#tag/security-agents/operation/agentresource_getproductagentsv2).

### List UDSO Entries

Retrieves a list of User-Defined Suspicious Objects from the Apex Central server.

Trend Micro Apex Central API documentation for this action can be found [here](https://automation.trendmicro.com/apex-central/api/#tag/udso/operation/suspiciousobjects_queryuserdefinedso).

### List Uploaded YARA Files

Retrieves a list of YARA files from the Apex Central server.

Trend Micro Apex Central API documentation for this action can be found [here](https://automation.trendmicro.com/apex-central/api/#tag/yara/operation/yararesource_filingcabinet).

### Isolate, Restore, Relocate or Uninstall Sec Agent

Performs the action specified in the "act" parameter:

- Isolate endpoint: prevents the endpoint from connecting to the network.
- Restore connection: restores network connectivity to an isolated endpoint.
- Uninstall Security Agent: removes the Security Agent program from an endpoint.
- Relocate Security Agent: moves the Security Agent to a different Apex One server or domain (the source and target must be registered to the same Apex Central server).

https://automation.trendmicro.com/apex-central/api/#tag/security-agents/operation/agentresource_postproductagents

## Configurations

### Trend Micro Apex Central API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | Host address of the Apex Central instance | string | Required |
| app_id | Used by Apex Central to identify the external application | string | Required |
| api_key | Used by the external application to sign requests sent to Apex Central | string | Required |
| is_webapp | Some Trend Micro Apex endpoints may begin with /webapp. Defaults to true. | string | Optional |
| verify_ssl | Verify SSL certificate | boolean | Optional |

## Actions

### Add File Object to UDSO List

Adds uploaded file information to the User-Defined Suspicious Objects (UDSO) list in Trend Micro Apex Central.

Endpoint URL: /webapp/api/suspiciousobjectresource/fileudso

Method: PUT

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| file_content_base64_string | string | Optional | The binary content of the file, converted to a Base64 string |
| file_name | string | Optional | The name of the file |
| file_scan_action | string | Optional | The scan action to perform |
| note | string | Optional | Additional information |

Input example:

```json
{"json_body": {"file_content_base64_string": "string", "file_name": "string", "file_scan_action": "string", "note": "string"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| featurectrl | object | Output field featurectrl |
| featurectrl.mode | string | Output field featurectrl.mode |
| meta | object | Output field meta |
| meta.errorcode | number | Error message if any |
| meta.errormsg | string | Error message if any |
| meta.result | number | Result of the operation |
| permissionctrl | object | Output field permissionctrl |
| permissionctrl.elements | string | Output field permissionctrl.elements |
| permissionctrl.permission | string | Output field permissionctrl.permission |
| systemctrl | object | Output field systemctrl |
| systemctrl.tmcmsodist_role | string | Output field systemctrl.tmcmsodist_role |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json"}, "reason": "OK", "json_body": {"data": {}, "featurectrl": {"mode": "string"}, "meta": {"errorcode": 0, "errormsg": "string", "result": 0}, "permissionctrl": {"elements": "string", "permission": "string"}, "systemctrl": {"tmcmsodist_role": "string"}}}
```

### Add UDSO to List

Adds an object to the User-Defined Suspicious Objects (UDSO) list in Trend Micro Apex Central, requiring specific 'param' details.

Endpoint URL: /api/suspiciousobjects/userdefinedso

Method: PUT

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| param | object | Optional | Parameter for Add UDSO to List |
| param.content | string | Optional | The suspicious object content for the specified type |
| param.expiration_utc_date | string | Optional | The expiration date (UTC) of the suspicious object |
| param.notes | string | Optional | Description of the object |
| param.scan_action | string | Optional | The scan action to perform on the suspicious object |
| param.type | string | Optional | The suspicious object type |

Input example:

```json
{"json_body": {"param": {"content": "string", "expiration_utc_date": "2019-08-24T14:15:22Z", "notes": "string", "scan_action": "string", "type": "string"}}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| featurectrl | object | Output field featurectrl |
| featurectrl.mode | string | Output field featurectrl.mode |
| meta | object | Output field meta |
| meta.errorcode | number | Error message if any |
| meta.errormsg | string | Error message if any |
| meta.result | number | Result of the operation |
| permissionctrl | object | Output field permissionctrl |
| permissionctrl.elements | string | Output field permissionctrl.elements |
| permissionctrl.permission | string | Output field permissionctrl.permission |
| systemctrl | object | Output field systemctrl |
| systemctrl.tmcmsodist_role | string | Output field systemctrl.tmcmsodist_role |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json"}, "reason": "OK", "json_body": {"data": {}, "featurectrl": {"mode": "string"}, "meta": {"errorcode": 0, "errormsg": "string", "result": 0}, "permissionctrl": {"elements": "string", "permission": "string"}, "systemctrl": {"tmcmsodist_role": "string"}}}
```

### Isolate, Restore, Relocate or Uninstall Sec Agent

Executes the specified action (isolation, restoration, relocation, or uninstallation) on a security agent via Trend Micro Apex Central.

Endpoint URL: api/agentresource/productagents

Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| act | string | Optional | The action to perform |
| allow_multiple_match | string | Optional | If true, the action will be performed on multiple endpoints |
| entity_id | string | Optional | The GUID of the managed product agent. Used to identify the agent(s) on which the action is performed |
| host_name | string | Optional | The endpoint name of the managed product agent. Used to identify the agent(s) on which the action is performed |
| ip_address | string | Optional | The IP address of the managed product agent. Used to identify the agent(s) on which the action is performed |
| mac_address | string | Optional | The MAC address of the managed product agent. Used to identify the agent(s) on which the action is performed |
| product | string | Optional | The Trend Micro product on the server instance. Used to identify the agent(s) on which the action is performed |
| relocate_to_folder_path | string | Optional | The target directory for the agent |
| relocate_to_server_id | string | Optional | The GUID of the target server for the agent |
| allowlist | object | Optional | The allow list for the agent |
| allowlist.inbound | array | Optional | Parameter for Isolate, Restore, Relocate or Uninstall Sec Agent |
| allowlist.inbound.protocol | array | Optional | Protocol of connection, e.g. tcp, udp, icmp |
| allowlist.inbound.type | number | Optional | Type of connection, e.g. 0 |
| allowlist.inbound.value | string | Optional | Value of connection, e.g. 192.168.1.0/24 |
| allowlist.inbound.port | array | Optional | Port of connection, e.g. 80, 443, 8080 |
| allowlist.outbound | array | Optional | Parameter for Isolate, Restore, Relocate or Uninstall Sec Agent |
| allowlist.outbound.protocol | array | Optional | Protocol of connection, e.g. tcp, udp, icmp |
| allowlist.outbound.type | number | Optional | Type of connection, e.g. 0 |
| allowlist.outbound.value | string | Optional | Value of connection, e.g. 10.0.0.1 |
| allowlist.outbound.port | array | Optional | Parameter for Isolate, Restore, Relocate or Uninstall Sec Agent |

Input example:

```json
{"json_body": {"act": "cmd_isolate_agent", "allow_multiple_match": "false", "entity_id": "12345678-1234-1234-1234-123456789abc", "host_name": "endpoint-hostname-01", "ip_address": "192.168.1.100", "mac_address": "00:1b:44:11:3a:b7", "product": "officescan", "relocate_to_folder_path": "/opt/trendmicro/agents", "relocate_to_server_id": "87654321-4321-4321-4321-cba987654321", "allowlist": {"inbound": [{"protocol": ["tcp", "udp"], "type": 0, "value": "192.168.1.0/24", "port": ["80", "443", "8080"]}], "outbound": [{"protocol": ["tcp", "udp", "icmp"], "type": 0, "value": "10.0.0.1", "port": ["53", "443"]}]}}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result_code | number | Result of the operation |
| result_content | object | Response content |
| result_description | string | Result of the operation |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"result_code": 1, "result_content": {}, "result_description": "string"}}
```

### List Security Agents

Retrieves a detailed list of security agents from Trend Micro Apex Central for monitoring and management.

Endpoint URL: /api/v2/agentresource/productagents

Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.entityid | string | Optional | The GUID of the security agent |
| parameters.ipaddress | string | Optional | The IP address of the endpoint |
| parameters.macaddress | string | Optional | The MAC address of the endpoint |
| parameters.hostname | string | Optional | The name of the endpoint |
| parameters.product | string | Optional | The Trend Micro product ID |
| parameters.managingserverid | string | Optional | The GUID of the product server that manages the security agent |

Input example:

```json
{"parameters": {"entityid": "string", "ipaddress": "string", "macaddress": "string", "hostname": "string", "product": "string", "managingserverid": "string"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result_code | number | Result of the operation |
| result_content | array | Response content |
| result_content.endpointid | string | Unique identifier |
| result_content.endpointhost | string | Response content |
| result_content.endpointip | string | Response content |
| result_content.endpointmac | string | Response content |
| result_content.product | string | Response content |
| result_content.managingserverid | string | Unique identifier |
| result_content.addomain | string | Response content |
| result_content.domain | string | Response content |
| result_content.domainhierarchy | string | Response content |
| result_content.logonuser | string | Response content |
| result_content.platform | string | Response content |
| result_content.clientprogram | string | Response content |
| result_content.connectionstatus | string | Status value |
| result_content.isolationstatus | string | Status value |
| result_content.firewall | string | Response content |
| result_content.scanmethod | string | HTTP method to use |
| result_content.updateagent | string | Response content |
| result_content.lastscheduledscanutc | string | Response content |
| result_content.lastmanualscanutc | string | Response content |
| result_content.laststartup | string | Response content |
| result_content.lastconnected | string | Response content |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json"}, "reason": "OK", "json_body": {"result_code": 1, "result_content": [{}], "result_description": "string"}}
```

### List UDSO Entries

Retrieves a list of User-Defined Suspicious Objects (UDSO) from Trend Micro Apex Central.

Endpoint URL: /api/suspiciousobjects/userdefinedso

Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.type | string | Optional | The suspicious object type to query |
| parameters.contentfilter | string | Optional | Filters the list to suspicious objects that match the specified string |

Input example:

```json
{"parameters": {"type": "domain", "contentfilter": "168.95"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| featurectrl | object | Output field featurectrl |
| featurectrl.mode | string | Output field featurectrl.mode |
| meta | object | Output field meta |
| meta.errorcode | number | Error message if any |
| meta.errormsg | string | Error message if any |
| meta.result | number | Result of the operation |
| permissionctrl | object | Output field permissionctrl |
| permissionctrl.elements | string | Output field permissionctrl.elements |
| permissionctrl.permission | string | Output field permissionctrl.permission |
| systemctrl | object | Output field systemctrl |
| systemctrl.tmcmsodist_role | string | Output field systemctrl.tmcmsodist_role |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json"}, "reason": "OK", "json_body": {"data": {}, "featurectrl": {"mode": "string"}, "meta": {"errorcode": 0, "errormsg": "string", "result": 0}, "permissionctrl": {"elements": "string", "permission": "string"}, "systemctrl": {"tmcmsodist_role": "string"}}}
```

### List Uploaded YARA Files

Retrieves a list of uploaded YARA files from Trend Micro Apex Central, utilizing specific 'param' details for the query.

Endpoint URL: /iocbackend/yararesource/filingcabinet

Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| param | object | Optional | Parameter for List Uploaded YARA Files |
| param.filehashidlist | array | Optional | Filters the list for file SHA-1 values |
| param.fuzzymatchstring | string | Optional | Filters the list for matching strings in the "File Name", "Title", and "Source Context" fields |
| param.pagenumber | number | Optional | Filters the list to uploaded files that appear on the specified page number on the Threat Intel > Custom Intelligence > STIX tab |
| param.pagesize | number | Optional | Filters the list to the specified number of uploaded files per page |
| param.sortingcolumn | number | Optional | Sorts the list by the specified table column |
| param.sortingdirection | number | Optional | Sorts the list in the specified direction |

Input example:

```json
{"json_body": {"param": {"filehashidlist": ["string"], "fuzzymatchstring": "string", "pagenumber": 2147483647, "pagesize": 2147483647, "sortingcolumn": 1, "sortingdirection": 1}}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.filingcabinet | array | Response data |
| data.filingcabinet.extractingstatus | number | Response data |
| data.filingcabinet.fileaddeddatetime | string | Response data |
| data.filingcabinet.filehashid | string | Response data |
| data.filingcabinet.filename | string | Response data |
| data.filingcabinet.shortdesc | string | Response data |
| data.filingcabinet.title | string | Response data |
| data.filingcabinet.uploadedby | string | Response data |
| data.filingcabinet.uploadedfrom | number | Response data |
| data.totalioccount | number | Response data |
| featurectrl | object | Output field featurectrl |
| featurectrl.mode | string | Output field featurectrl.mode |
| meta | object | Output field meta |
| meta.errorcode | number | Error message if any |
| meta.errormsg | string | Error message if any |
| meta.result | number | Result of the operation |
| permissionctrl | object | Output field permissionctrl |
| permissionctrl.elements | string | Output field permissionctrl.elements |
| permissionctrl.permission | string | Output field permissionctrl.permission |
| systemctrl | object | Output field systemctrl |
| systemctrl.tmcmsodist_role | string | Output field systemctrl.tmcmsodist_role |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json"}, "reason": "OK", "json_body": {"data": {"filingcabinet": [], "totalioccount": 0}, "featurectrl": {"mode": "string"}, "meta": {"errorcode": 0, "errormsg": "string", "result": 0}, "permissionctrl": {"elements": "string", "permission": "string"}, "systemctrl": {"tmcmsodist_role": "string"}}}
```

Response headers:

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
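
A pre-flight check for the request body of the Isolate, Restore, Relocate or Uninstall Sec Agent action, as an added example that is not part of the connector or of Trend Micro's API: it flags a body that names no target agent, enables multiple matches, or carries allowlist entries that are malformed or cover every address. The function name, the policy choices and the sample body are assumptions; field names come from the action's input example, written with underscores, and allowlist values are assumed to be IP addresses or CIDR ranges as in that example.

```python
import ipaddress

# Identifier fields from the action's input table; at least one must be set.
TARGET_FIELDS = ("entity_id", "host_name", "ip_address", "mac_address")
PROTOCOLS = {"tcp", "udp", "icmp"}  # protocols named in the allowlist description

def check_agent_action(body):
    """Return a list of problems in an agent-action json_body (empty list = OK)."""
    problems = []
    if not body.get("act"):
        problems.append("act is missing")
    if not any(body.get(f) for f in TARGET_FIELDS):
        problems.append("no target identifier: request is not scoped to an agent")
    # The flag is passed as a string; anything but "false" widens the scope.
    if str(body.get("allow_multiple_match", "false")).lower() != "false":
        problems.append("allow_multiple_match is enabled")
    if body.get("ip_address"):
        try:
            ipaddress.ip_address(body["ip_address"])
        except ValueError:
            problems.append("ip_address is not a valid address")
    for direction in ("inbound", "outbound"):
        for i, rule in enumerate(body.get("allowlist", {}).get(direction, [])):
            where = f"allowlist.{direction}[{i}]"
            unknown = set(rule.get("protocol", [])) - PROTOCOLS
            if unknown:
                problems.append(f"{where}: unknown protocol {sorted(unknown)}")
            try:
                net = ipaddress.ip_network(rule.get("value", ""), strict=False)
                if net.prefixlen == 0:
                    problems.append(f"{where}: value covers every address")
            except ValueError:
                problems.append(f"{where}: value is not an address or CIDR")
            for port in rule.get("port", []):
                if not (str(port).isdigit() and 1 <= int(port) <= 65535):
                    problems.append(f"{where}: bad port {port!r}")
    return problems

# Constructed sample body, modelled on the action's input example.
SAMPLE = {
    "act": "cmd_isolate_agent", "allow_multiple_match": "false",
    "host_name": "endpoint-hostname-01", "ip_address": "192.168.1.100",
    "allowlist": {
        "inbound": [{"protocol": ["tcp", "udp"], "type": 0,
                     "value": "192.168.1.0/24", "port": ["80", "443", "8080"]}],
        "outbound": [{"protocol": ["tcp", "udp", "icmp"], "type": 0,
                      "value": "10.0.0.1", "port": ["53", "443"]}],
    },
}
```

Running the check in the playbook step before the connector action keeps an unscoped or over-broad isolation request from reaching Apex Central.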