Trend Micro Vision One
This connector integrates the Trend Micro Vision One API with Turbine.

## Prerequisites

This connector requires an API token and a host.

- Asset setup: the API base URL differs per region. To get the list of available hosts, see [Trend Micro Vision One Regional Domains](https://automation.trendmicro.com/xdr/guides/regional-domains).
- API token: to work with the API an API token is needed. See [First Steps Toward Using the APIs](https://automation.trendmicro.com/xdr/guides/first-steps-toward-u) for more information.

## Configurations

### HTTP Bearer Authentication

Authenticates using a bearer token (such as a JWT). The token is sent in the `Authorization: Bearer <token>` header of every request, so treat it as a credential: store it in the asset's secret field, not in playbook inputs or logs.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host (the regional API domain) | string | required |
| token | The API token | string | required |
| verify_ssl | Verify the SSL certificate of the target host. Leave this enabled; disabling it allows an on-path attacker to read the API token. | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Suspicious Object

Adds domains, file SHA-1 values, IP addresses, or URLs to the Suspicious Object List.

Endpoint URL: `/v2.0/xdr/threatintel/suspiciousObjects`

Method: POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data | array | optional | List of suspicious objects to add; each entry carries the fields below |
| type | string | optional | Type of the object (domain, file SHA-1, IP address, or URL) |
| value | string | optional | Value of the object (the domain, hash, IP address, or URL) |
| description | string | optional | Description of the object |
| scanAction | string | optional | Action to apply when the object is detected |
| riskLevel | string | optional | Risk level assigned to the object |
| expiredDay | number | optional | Number of days until the object expires from the list |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| data | object | Response data |

Example:

```json
[
  {
    "data": {}
  }
]
```

### Isolate Endpoint

Disconnects an endpoint from the network (but allows communication with the managing Trend Micro server product).

Endpoint URL: `/v2.0/xdr/response/isolate`

Method: POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| computerId | string | required | Unique identifier of the endpoint |
| productId | string | required | Unique identifier of the managing Trend Micro product |
| description | string | optional | Description of the isolation request |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| actionId | number | Unique identifier of the response action |
| taskStatus | string | Status value of the action |

Example:

```json
[
  {
    "actionId": 88139521,
    "taskStatus": "pending"
  }
]
```

### Restore Endpoint

Restores network connectivity to an endpoint that applied the "Isolate Endpoint" action.

Endpoint URL: `/v2.0/xdr/response/restoreIsolate`

Method: POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| computerId | string | required | Unique identifier of the endpoint |
| productId | string | required | Unique identifier of the managing Trend Micro product |
| description | string | optional | Description of the restore request |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| actionId | number | Unique identifier of the response action |
| taskStatus | string | Status value of the action |

Example:

```json
[
  {
    "actionId": 88139521,
    "taskStatus": "pending"
  }
]
```

### Search Observed Attack Techniques

Retrieves a list of events in the Observed Attack Techniques app that match specified criteria. Results are paged: pass the `nextBatchToken` from one response as the `nextBatchToken` input of the next call until no further token is returned.

Endpoint URL: `/v2.0/xdr/oat/detections`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| start | string | optional | Start of the detection time window |
| end | string | optional | End of the detection time window |
| ingestStart | string | optional | Start of the ingestion time window |
| ingestEnd | string | optional | End of the ingestion time window |
| size | string | required | Maximum number of detections to return per batch |
| riskLevels | string | optional | Risk levels to match |
| endpointName | string | optional | Name of the endpoint to match |
| tacticIds | string | optional | Unique identifiers of MITRE ATT&CK tactics to match |
| techniqueIds | string | optional | Unique identifiers of MITRE ATT&CK techniques to match |
| filterNames | string | optional | Names of the detection filters to match |
| nextBatchToken | string | optional | Token from the previous response used to fetch the next batch |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| info | object | Output field info |
| info.code | string | Result code |
| info.message | string | Response message |
| data | object | Response data |
| data.totalCount | number | Count value |
| data.searchAPIPostData | array | Response data |
| data.searchAPIPostData[].from | number | Output field from |
| data.searchAPIPostData[].to | number | Output field to |
| data.searchAPIPostData[].source | string | Output field source |
| data.searchAPIPostData[].query | string | Output field query |
| data.nextBatchToken | string | Token for the next batch |
| data.detections | array | Output field detections |
| data.detections[].source | string | Output field source |
| data.detections[].uuid | string | Unique identifier |
| data.detections[].filters | array | Output field filters |
| data.detections[].filters[].id | string | Unique identifier |
| data.detections[].filters[].name | string | Name of the resource |
| data.detections[].filters[].description | string | Output field description |
| data.detections[].filters[].tactics | array | Output field tactics |
| data.detections[].filters[].techniques | array | Output field techniques |
| data.detections[].filters[].highlightedObjects | array | Output field highlightedObjects |
| data.detections[].filters[].highlightedObjects[].type | string | Type of the resource |
| data.detections[].filters[].highlightedObjects[].field | string | Output field field |
| data.detections[].filters[].highlightedObjects[].value | string | Value for the parameter |
| data.detections[].filters[].level | string | Output field level |

Example:

```json
[
  {
    "info": {
      "code": "1010000",
      "message": "Execution successful"
    },
    "data": {
      "totalCount": 0,
      "searchAPIPostData": [],
      "nextBatchToken": "string",
      "detections": []
    }
  }
]
```

## Notes

- [Trend Micro Vision One Regional Domains](https://automation.trendmicro.com/xdr/guides/regional-domains)
- [First Steps Toward Using the APIs](https://automation.trendmicro.com/xdr/guides/first-steps-toward-u)
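The following is an added example, not the connector's own code, showing how the four actions above map onto HTTP calls: bearer-token headers, input validation for the Suspicious Object List, and `nextBatchToken` paging for the Observed Attack Techniques search. The HTTP layer is injected so the example runs offline; the `FakeTransport`, the base URL, the product ID `sao`, the computer ID and every response payload are constructed for illustration and are not taken from the page.

```python
"""Added example: minimal Vision One v2.0 client with an injectable transport.
Not the connector's code; URLs, IDs and responses below are constructed."""
import re
from json import dumps
from typing import Any, Callable, Dict, Iterator, List, Optional
from urllib.parse import urlencode

# Object types the Suspicious Object List accepts (domains, file SHA-1, IPs, URLs).
SUSPICIOUS_OBJECT_TYPES = {"domain", "fileSha1", "ip", "url"}
SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")
OK_CODE = "1010000"  # info.code of a successful OAT search, per the page's example

# transport(method, url, headers, body) -> parsed JSON response
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Any]


class VisionOneClient:
    def __init__(self, url: str, token: str, transport: Transport) -> None:
        self.url = url.rstrip("/")   # regional API domain
        self.token = token           # credential: keep in a secret store, never log it
        self.transport = transport

    def _call(self, method: str, path: str, params: Optional[dict] = None, body: Any = None) -> Any:
        url = self.url + path
        if params:
            # drop unset filters so they are not sent as the literal string "None"
            url += "?" + urlencode({k: v for k, v in params.items() if v is not None})
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        data = dumps(body).encode() if body is not None else None
        return self.transport(method, url, headers, data)

    def add_suspicious_objects(self, objects: List[dict]) -> Any:
        """POST /v2.0/xdr/threatintel/suspiciousObjects after validating each entry."""
        for obj in objects:
            if obj.get("type") not in SUSPICIOUS_OBJECT_TYPES:
                raise ValueError(f"unsupported suspicious object type: {obj.get('type')!r}")
            if obj["type"] == "fileSha1" and not SHA1_RE.fullmatch(obj.get("value", "")):
                raise ValueError("fileSha1 value must be 40 hex characters")
        return self._call("POST", "/v2.0/xdr/threatintel/suspiciousObjects", body={"data": objects})

    def isolate(self, computer_id: str, product_id: str, description: Optional[str] = None) -> Any:
        body = {"computerId": computer_id, "productId": product_id, "description": description}
        return self._call("POST", "/v2.0/xdr/response/isolate", body=body)

    def restore(self, computer_id: str, product_id: str, description: Optional[str] = None) -> Any:
        body = {"computerId": computer_id, "productId": product_id, "description": description}
        return self._call("POST", "/v2.0/xdr/response/restoreIsolate", body=body)

    def iter_oat_detections(self, size: int, **filters: Any) -> Iterator[dict]:
        """GET /v2.0/xdr/oat/detections, following nextBatchToken until it runs out."""
        token: Optional[str] = None
        seen = set()
        while True:
            resp = self._call("GET", "/v2.0/xdr/oat/detections",
                              params={"size": size, "nextBatchToken": token, **filters})
            if resp["info"]["code"] != OK_CODE:
                raise RuntimeError(f"OAT search failed: {resp['info']}")
            yield from resp["data"].get("detections", [])
            token = resp["data"].get("nextBatchToken")
            if not token or token in seen:  # empty token = last page; repeat = stop, never loop forever
                return
            seen.add(token)


class FakeTransport:
    """Constructed stand-in for HTTP: records requests and replays canned responses in order."""
    def __init__(self, responses: List[Any]) -> None:
        self.responses = list(responses)
        self.requests: List[tuple] = []

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Any:
        self.requests.append((method, url, headers, body))
        return self.responses.pop(0)


def _oat_page(detections: List[dict], next_token: str) -> dict:
    return {"info": {"code": OK_CODE, "message": "Execution successful"},
            "data": {"totalCount": 2, "searchAPIPostData": [],
                     "nextBatchToken": next_token, "detections": detections}}


def demo():
    """Two-page OAT search, then isolate the endpoint behind the last detection (constructed data)."""
    transport = FakeTransport([
        _oat_page([{"uuid": "det-1", "source": "endpointActivityData",
                    "filters": [{"id": "F1", "name": "demo filter", "level": "high"}]}], "batch-2"),
        _oat_page([{"uuid": "det-2", "source": "endpointActivityData", "filters": []}], ""),
        {"actionId": 88139521, "taskStatus": "pending"},
    ])
    client = VisionOneClient("https://api.xdr.trendmicro.com", "example-token", transport)
    detections = list(client.iter_oat_detections(size=1, riskLevels="high", endpointName="WS-042"))
    result = client.isolate("d1e2f3", "sao", description=f"OAT {detections[-1]['uuid']}")
    return detections, result, transport.requests


if __name__ == "__main__":
    dets, res, reqs = demo()
    print(len(dets), "detections;", res["taskStatus"], "isolation; requests:", [r[1] for r in reqs])
```

In production the transport would wrap an HTTP library call with certificate verification left on and the proxy from `http_proxy`; the bearer token should be loaded from the asset's secret field rather than a string literal.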