Trend Micro Vision One v3
The Trend Micro Vision One v3 connector facilitates seamless integration with Swimlane Turbine, enabling automated threat detection and response workflows.

Trend Micro Vision One v3 is an advanced threat defense solution that provides comprehensive visibility and detection capabilities across an organization's digital infrastructure. This connector enables seamless integration with Swimlane Turbine, allowing users to automate the management of alerts, block lists, and intelligence reports. By leveraging this integration, security teams can enhance their response to threats, streamline investigations, and enforce proactive defenses with minimal manual intervention.

This connector integrates Trend Micro Vision One API version 3 with Swimlane Turbine.

## Prerequisites

Before utilizing the Trend Micro Vision One v3 connector for Turbine, ensure you have the following:

HTTP bearer authentication with the following parameters:

- URL: endpoint URL for the Trend Micro Vision One v3 API
- Token: bearer token used for authenticating API requests

## Capabilities

This connector provides the following capabilities:

- Add Alert Note
- Add to Block List
- Delete Alert Notes
- Edit Alert Note
- Get Alert Note
- Get Alert Notes
- Get Alerts Details
- Get Alerts Lists
- Get Container Activity Data
- Get Detection Data
- Get Discovered Devices Information
- Get Email Activity Data
- Get Endpoint Activity Data
- Get Endpoint Data
- Get Network Activity Data
- and so on

## Asset Setup

To get a list of available hosts, please see the Trend Micro Vision One regional domains: https://automation.trendmicro.com/xdr/guides/regional-domains

In order to work with the API, an API token is needed; please see "First steps toward using the APIs" (https://automation.trendmicro.com/xdr/guides/first-steps-toward-u…) for more information.

## Task Setup

- Get Alert Notes: for more details about this action, click here: https://automation.trendmicro.com/xdr/api-v3#tag/Workbench-Notes/paths/~1v3.0~1workbench~1alerts~1%7BalertId%7D~1notes/get
- Get Alerts Lists: for the possible values of the TMV1-Filter header, click here: https://automation.trendmicro.com/xdr/api-v3#tag/Workbench/paths/~1v3.0~1workbench~1alerts/get
- Get Endpoint Activity Data: for the possible values of the TMV1-Query header, click here: https://automation.trendmicro.com/xdr/api-v3#tag/Suspicious-Objects/paths/~1v3.0~1response~1suspiciousObjects~1delete/post
- Get Endpoint Data: for the possible values of the TMV1-Query header, click here: https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1eiqs~1endpoints/get
- Remove from Block List: every object in the request body must refer to only one item. Example:

  ```json
  [
    { "description": "your description (string)", "url": "your url" },
    { "description": "your description2", "domain": "your domain" },
    { "description": "your description3", "fileSha1": "your fileSha1" },
    { "description": "your description4", "fileSha256": "your fileSha256" },
    { "description": "your description5", "senderMailAddress": "your senderMailAddress" },
    { "description": "your description6", "ip": "your ip" }
  ]
  ```

- List Suspicious Objects: for the possible values of the TMV1-Filter header, check here: https://automation.trendmicro.com/xdr/api-v3/#tag/Suspicious-Object-List/paths/~1v3.0~1threatintel~1suspiciousObjects/get
- Add to Block List: every object in the request body must refer to only one item. Check the array of values here: https://automation.trendmicro.com/xdr/api-v3/#tag/Suspicious-Objects/paths/~1v3.0~1response~1suspiciousObjects/post
- Get Detection Data: for the possible values of the TMV1-Query header, check here: https://automation.trendmicro.com/xdr/api-v3/#tag/Search/paths/~1v3.0~1search~1detections/get
- Get Email Activity Data: for the possible values of the TMV1-Query header, check here: https://automation.trendmicro.com/xdr/api-v3/#tag/Search/paths/~1v3.0~1search~1emailActivities/get
- Get Network Activity Data: for the possible values of the TMV1-Query header, check here: https://automation.trendmicro.com/xdr/api-v3/#tag/Search/paths/~1v3.0~1search~1networkActivities/get
- Get Container Activity Data: for the possible values of the TMV1-Query header, check here: https://automation.trendmicro.com/xdr/api-v3/#tag/Search/paths/~1v3.0~1search~1containerActivities/get
- Get Discovered Devices Information: for the possible values of the TMV1-Filter header, check here: https://automation.trendmicro.com/xdr/api-v3/#tag/Attack-Surface-Discovery
- Isolate Endpoints: every object in the request body must refer to only one item. Check the array of values here: https://automation.trendmicro.com/xdr/api-v3/#tag/Endpoint/paths/~1v3.0~1response~1endpoints~1isolate/post
- Restore Endpoint Connection: every object in the request body must refer to only one item. Check the array of values here: https://automation.trendmicro.com/xdr/api-v3/#tag/Endpoint/paths/~1v3.0~1response~1endpoints~1restore/post
- Terminate Process: every object in the request body must refer to only one item. Check the array of values here: https://automation.trendmicro.com/xdr/api-v3/#tag/Endpoint/paths/~1v3.0~1response~1endpoints~1terminateProcess/post
- Scan for Malware: every object in the request body must refer to only one item. Check the array of values here: https://automation.trendmicro.com/xdr/api-v3/#tag/Endpoint/paths/~1v3.0~1response~1endpoints~1startMalwareScan/post

## Configurations

### Trend Vision One v3 HTTP Bearer Authentication

Authenticates using a bearer token, such as a JWT.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token | The API token | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Alert Note

Appends a note to an existing Workbench alert in Trend Micro Vision One v3 using the alertId and content provided.

Endpoint URL: `/v3.0/workbench/alerts/{{alertId}}/notes`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| alertId | string | required | Unique alphanumeric string that identifies a Workbench alert |
| content | string | required | Text content of the note |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| location | string | Output field location |

Example:

```json
[
  {
    "status_code": 201,
    "response_headers": {
      "date": "Sat, 02 Nov 2024 14:49:31 GMT",
      "content-type": "application/json; charset=utf-8",
      "content-length": "12",
      "connection": "keep-alive",
      "x-task-id": "fc3bca51-cdb3-43f2-9bb7-b47f410044d0",
      "x-trace-id": "ed651ba6-a6e0-4977-a101-c05bed17f0d9",
      "ratelimit-policy": "100;w=60",
      "ratelimit-limit": "100",
      "ratelimit-remaining": "99",
      "ratelimit-reset": "60",
      "etag": "W/\"c-f6g7sbyjuuocyykgtnzj94yg+ze\"",
      "tmv1-customer-id": "010989fb-1843-4677-a944-2856b69339af",
      "strict-transport-security": "max-age=31536000; includeSubDomains"
    },
    "reason": "OK",
    "json_body": {
      "location": "http://api.xdr.trendmicro.com/v3.0/workbench/alerts/WB-14-20190709-00003/notes/1"
    }
  }
]
```

### Add to Block List

Adds various objects such as email addresses, file SHA-1s, domains, IPs, or URLs to the Trend Micro Vision One suspicious object list.

Endpoint URL: `/v3.0/threatintel/suspiciousObjects`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| description | string | optional | Description of a response task |
| url | string | optional | Universal resource locator |
| domain | string | optional | Domain name |
| fileSha1 | string | optional | The SHA-1 hash of the file |
| fileSha256 | string | optional | The SHA-256 hash of the file |
| senderMailAddress | string | optional | The sender's email address |
| ip | string | optional | IP address; this field supports both IPv4 and IPv6 addresses |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | array | HTTP headers for the request |
| headers.name | string | Name of the resource |
| headers.value | string | Value for the parameter |
| items | array | Output field items |
| items.file_name | string | Name of the resource |
| items.file | string | Output field file |

Example:

```json
[
  {
    "status_code": 202,
    "response_headers": {
      "date": "Sat, 02 Nov 2024 14:49:31 GMT",
      "content-type": "application/json; charset=utf-8",
      "content-length": "12",
      "connection": "keep-alive",
      "x-task-id": "fc3bca51-cdb3-43f2-9bb7-b47f410044d0",
      "x-trace-id": "ed651ba6-a6e0-4977-a101-c05bed17f0d9",
      "ratelimit-policy": "100;w=60",
      "ratelimit-limit": "100",
      "ratelimit-remaining": "99",
      "ratelimit-reset": "60",
      "etag": "W/\"c-f6g7sbyjuuocyykgtnzj94yg+ze\"",
      "tmv1-customer-id": "010989fb-1843-4677-a944-2856b69339af",
      "strict-transport-security": "max-age=31536000; includeSubDomains"
    },
    "reason": "OK",
    "json_body": { "items": [] },
    "headers": [ {} ]
  }
]
```

### Delete Alert Notes

Removes specified notes from a Workbench alert in Trend Micro Vision One v3 using the provided alertId.

Endpoint URL: `/v3.0/workbench/alerts/{{alertId}}/notes/delete`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| alertId | string | required | Unique alphanumeric string that identifies a Workbench alert |
| id | number | required | Numeric string that identifies a Workbench alert note |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Example:

```json
[
  { "status_code": 204, "response_headers": {}, "reason": "OK", "response_text": "" }
]
```

### Delete Custom Intelligence Reports

Removes specified custom intelligence reports from Trend Micro Vision One v3 using the provided JSON body.

Endpoint URL: `/v3.0/threatintel/intelligenceReports/delete`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | The unique alphanumeric string that identifies a custom intelligence report |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": [
      { "status": 204 },
      { "status": 400, "body": { "error": { "code": "BadRequest", "message": "Bad request" } } },
      { "status": 404, "body": { "error": { "code": "NotFound", "message": "Not found" } } }
    ]
  }
]
```

### Download Custom Intelligence Report

Retrieves a STIX-bundle-formatted custom intelligence report from Trend Micro Vision One v3 using a specific report ID.

Endpoint URL: `/v3.0/threatintel/intelligenceReports/{{id}}`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | The unique alphanumeric string that identifies a custom intelligence report |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| updatedDateTime | string | Time value |
| downloadLink | string | Output field downloadLink |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "id": "report-2c1091ba-a7d2-46b2-bf97-4137916c30cb",
      "name": "Report name 1",
      "updatedDateTime": "2019-03-15T07:44:27Z",
      "downloadLink": "https://upload.visionone.trendmicro.com/a.txt?AWSAccessKeyId=xxxxxxxxxxx…"
    }
  }
]
```

### Edit Alert Note

Updates a specific alert's note in Trend Micro Vision One with the provided `id`, `alertId`, and note `content`.

Endpoint URL: `/v3.0/workbench/alerts/{{alertId}}/notes/{{id}}`
Method: PATCH

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| alertId | string | required | Unique alphanumeric string that identifies a Workbench alert |
| id | number | required | Numeric string that identifies a Workbench alert note |
| headers | object | optional | HTTP headers for the request |
| If-Match | string | optional | Parameter that allows you to specify the version of the resource to be updated |
| content | string | required | Note content |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Example:

```json
[
  { "status_code": 204, "response_headers": {}, "reason": "OK", "response_text": "" }
]
```

### Get Alert Note

Retrieves a specific note for an alert in Trend Micro Vision One using the provided alertId and note id.

Endpoint URL: `/v3.0/workbench/alerts/{{alertId}}/notes/{{id}}`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| alertId | string | required | Unique identifier for a Workbench alert |
| id | number | required | Numeric identifier for a Workbench alert note |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| content | string | Response content |
| creatorMailAddress | string | Output field creatorMailAddress |
| creatorName | string | Name of the resource |
| createdDateTime | string | Time value |
| lastUpdatedBy | string | Output field lastUpdatedBy |
| lastUpdatedDateTime | string | Time value |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Sat, 02 Nov 2024 14:49:31 GMT",
      "content-type": "application/json; charset=utf-8",
      "content-length": "12",
      "connection": "keep-alive",
      "x-task-id": "fc3bca51-cdb3-43f2-9bb7-b47f410044d0",
      "x-trace-id": "ed651ba6-a6e0-4977-a101-c05bed17f0d9",
      "ratelimit-policy": "100;w=60",
      "ratelimit-limit": "100",
      "ratelimit-remaining": "99",
      "ratelimit-reset": "60",
      "etag": "W/\"c-f6g7sbyjuuocyykgtnzj94yg+ze\"",
      "tmv1-customer-id": "010989fb-1843-4677-a944-2856b69339af",
      "strict-transport-security": "max-age=31536000; includeSubDomains"
    },
    "reason": "OK",
    "json_body": {
      "id": 1,
      "content": "It is a note",
      "creatorMailAddress": "john_doe@xdr.com",
      "creatorName": "John Doe",
      "createdDateTime": "2020-11-11T15:10:08Z",
      "lastUpdatedBy": "John Doe",
      "lastUpdatedDateTime": "2020-11-11T15:10:08Z"
    }
  }
]
```

### Get Alert Notes

Retrieves all notes associated with a specific alert in Trend Micro Vision One using the provided alertId.

Endpoint URL: `/v3.0/workbench/alerts/{{alertId}}/notes`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| alertId | string | required | Unique alphanumeric string that identifies a Workbench alert |
| startDateTime | string | optional | Timestamp in ISO 8601 format that indicates the start of the data retrieval time range |
| endDateTime | string | optional | Timestamp in ISO 8601 format that indicates the end of the data retrieval time range |
| dateTimeTarget | string | optional | Parameter that allows you to filter the retrieved Workbench alert notes |
| orderBy | string | optional | Parameter to be used for sorting records; you can use multiple fields, separated by commas, to sort the retrieved Workbench alert notes |
| top | number | optional | Number of records displayed on a page |
| headers | object | optional | HTTP headers for the request |
| TMV1-Filter | string | optional | Filter for retrieving a subset of Workbench alert notes |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.id | number | Unique identifier |
| items.content | string | Response content |
| items.creatorMailAddress | string | Output field creatorMailAddress |
| items.creatorName | string | Name of the resource |
| items.createdDateTime | string | Time value |
| items.lastUpdatedBy | string | Output field lastUpdatedBy |
| items.lastUpdatedDateTime | string | Time value |
| nextLink | string | Output field nextLink |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "items": [],
      "nextLink": "https://api.xdr.trendmicro.com/v3.0/workbench/alerts/WB-14-20190709-00003/notes?…"
    }
  }
]
```

### Get Alerts Details

Retrieve detailed information for a specified alert in Trend Micro Vision One using the alert ID.

Endpoint URL: `/v3.0/workbench/alerts/{{id}}`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | The unique identifier of a Workbench alert |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| schemaVersion | string | Output field schemaVersion |
| id | string | Unique identifier |
| investigationStatus | string | Status value |
| status | string | Status value |
| investigationResult | string | Result of the operation |
| workbenchLink | string | Output field workbenchLink |
| alertProvider | string | Unique identifier |
| modelId | string | Unique identifier |
| model | string | Output field model |
| modelType | string | Type of the resource |
| description | string | Output field description |
| score | number | Score value |
| severity | string | Output field severity |
| firstInvestigatedDateTime | string | Time value |
| createdDateTime | string | Time value |
| updatedDateTime | string | Time value |
| incidentId | string | Unique identifier |
| caseId | string | Unique identifier |
| ownerIds | array | Unique identifier |
| impactScope | object | Output field impactScope |
| impactScope.desktopCount | number | Count value |
| impactScope.serverCount | number | Count value |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "schemaVersion": "1.12",
      "id": "WB-9002-20220906-00025",
      "investigationStatus": "New",
      "status": "Open",
      "investigationResult": "No Findings",
      "workbenchLink": "https://THE_WORKBENCH_URL",
      "alertProvider": "SAE",
      "modelId": "1ebd4f91-4b28-40b4-87f5-8defee4791d8",
      "model": "Possible Credential Dumping via Registry",
      "modelType": "preset",
      "description": "A user obtained account logon information that can be used to access remote syst…",
      "score": 64,
      "severity": "high",
      "firstInvestigatedDateTime": "2022-10-06T02:30:31Z",
      "createdDateTime": "2022-09-06T02:49:33Z"
    }
  }
]
```

### Get Alerts List

Retrieve a paginated list of Workbench alerts from Trend Micro Vision One based on specified criteria.

Endpoint URL: `/v3.0/workbench/alerts`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| startDateTime | string | optional | Datetime in ISO 8601 format that indicates the start of the data retrieval time range; the oldest available value is "1970-01-01T00:00:00Z" |
| endDateTime | string | optional | Datetime in ISO 8601 format that indicates the end of the data retrieval time range; ensure that endDateTime is not earlier than startDateTime |
| dateTimeTarget | string | optional | The timestamp to be used for retrieving Workbench alert data |
| orderBy | string | optional | Specifies the field by which the results are sorted |
| headers | object | optional | HTTP headers for the request |
| TMV1-Filter | string | optional | Filter for retrieving a subset of the alert list |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| totalCount | number | Count value |
| count | number | Count value |
| items | array | Output field items |
| items.schemaVersion | string | Output field schemaVersion |
| items.id | string | Unique identifier |
| items.investigationStatus | string | Status value |
| items.status | string | Status value |
| items.investigationResult | string | Result of the operation |
| items.workbenchLink | string | Output field workbenchLink |
| items.alertProvider | string | Unique identifier |
| items.modelId | string | Unique identifier |
| items.model | string | Output field model |
| items.modelType | string | Type of the resource |
| items.score | number | Score value |
| items.severity | string | Output field severity |
| items.firstInvestigatedDateTime | string | Time value |
| items.createdDateTime | string | Time value |
| items.updatedDateTime | string | Time value |
| items.incidentId | string | Unique identifier |
| items.caseId | string | Unique identifier |
| items.ownerIds | array | Unique identifier |
| items.impactScope | object | Output field impactScope |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": { "totalCount": 1, "count": 1, "items": [] }
  }
]
```

### Get Container Activity Data

Retrieve paginated container activity data from Trend Micro Vision One v3, using authentication headers.

Endpoint URL: `/v3.0/search/containerActivities`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| startDateTime | string | optional | The start of the data retrieval range in ISO 8601 format; if no value is specified, startDateTime defaults to 24 hours before the request is made |
| endDateTime | string | optional | Timestamp in ISO 8601 format that indicates the end of the data retrieval time range; if no value is specified, endDateTime defaults to the time the request is made |
| top | number | optional | The number of records displayed on a page in default mode |
| mode | string | optional | The type of data returned by the query. "default" displays all data returned by the query; "countOnly" displays the number of records returned by the query; "performance" limits the returned records to 500. In performance mode the "top" parameter does not work, and zero records may be returned even though progressRate has not reached 100; to display all records, call the API again via nextLink until progressRate has reached 100. Use countOnly mode to avoid returning empty data |
| select | string | optional | The list of fields included in search results (if no fields are specified, the query returns all supported fields) |
| headers | object | required | Headers for the request |
| TMV1-Query | string | required | Statement that allows you to retrieve a subset of the collected container activity data; supported fields can be found in the README link |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| nextLink | string | Output field nextLink |
| progressRate | number | Output field progressRate |
| items | array | Output field items |
| items.endpointHostName | string | Name of the resource |
| items.eventId | number | Unique identifier |
| items.eventSubId | number | Unique identifier |
| items.eventTime | number | Time value |
| items.objectFilePath | string | Output field objectFilePath |
| items.srcFilePath | string | Output field srcFilePath |
| items.tags | array | Output field tags |
| items.uuid | string | Unique identifier |
| items.productCode | array | Output field productCode |
| items.filterRiskLevel | string | Output field filterRiskLevel |
| items.eventSourceType | string | Type of the resource |
| items.version | string | Output field version |
| items.customerId | string | Unique identifier |
| items.receivedTime | number | Time value |
| items.bitwiseFilterRiskLevel | string | Output field bitwiseFilterRiskLevel |
| items.customFilterTags | string | Output field customFilterTags |
| items.customFilterRiskLevel | string | Output field customFilterRiskLevel |
| items.tmFilterRiskLevel | string | Output field tmFilterRiskLevel |
| items.clusterId | string | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Sat, 02 Nov 2024 14:49:31 GMT",
      "content-type": "application/json; charset=utf-8",
      "content-length": "12",
      "connection": "keep-alive",
      "x-task-id": "fc3bca51-cdb3-43f2-9bb7-b47f410044d0",
      "x-trace-id": "ed651ba6-a6e0-4977-a101-c05bed17f0d9",
      "ratelimit-policy": "100;w=60",
      "ratelimit-limit": "100",
      "ratelimit-remaining": "99",
      "ratelimit-reset": "60",
      "etag": "W/\"c-f6g7sbyjuuocyykgtnzj94yg+ze\"",
      "tmv1-customer-id": "010989fb-1843-4677-a944-2856b69339af",
      "strict-transport-security": "max-age=31536000; includeSubDomains"
    },
    "reason": "OK",
    "json_body": {
      "nextLink": "https://api.xdr.trendmicro.com/v3.0/containerActivities?…&skipToken=ewogicjvdx…",
      "progressRate": 30,
      "items": []
    }
  }
]
```

### Get Detection Data

Retrieve detailed detection data from Trend Micro Vision One using specified authentication headers.

Endpoint URL: `/v3.0/search/detections`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| startDateTime | string | optional | The start of the data retrieval range in ISO 8601 format; if no value is specified, startDateTime defaults to 24 hours before the request is made |
| endDateTime | string | optional | Timestamp in ISO 8601 format that indicates the end of the data retrieval time range; if no value is specified, endDateTime defaults to the time the request is made |
| top | number | optional | The number of records displayed on a page in default mode |
| mode | string | optional | The type of data returned by the query. "default" displays all data returned by the query; "countOnly" displays the number of records returned by the query; "performance" limits the returned records to 500. In performance mode the "top" parameter does not work, and zero records may be returned even though progressRate has not reached 100; to display all records, call the API again via nextLink until progressRate has reached 100. Use countOnly mode to avoid returning empty data |
| select | string | optional | The list of fields included in search results (if no fields are specified, the query returns all supported fields) |
| headers | object | required | Headers for the request |
| TMV1-Query | string | required | Statement that allows you to retrieve a subset of the collected detection data; supported fields can be found in the README link |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.file_name | string | Name of the resource |
| items.file | string | Output field file |
| progressRate | number | Output field progressRate |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Sat, 02 Nov 2024 15:09:42 GMT",
      "content-type": "application/json; charset=utf-8",
      "content-length": "31",
      "connection": "keep-alive",
      "x-powered-by": "Express",
      "etag": "W/\"1f-swghjhgirjch9amg2thj8+scgom\"",
      "x-trace-id": "f00bd414-05fe-40bf-b944-dd19b009b0d1",
      "x-task-id": "9ea157d4-83be-4420-9dac-8d73556b2d6c",
      "tmv1-customer-id": "010989fb-1843-4677-a944-2856b69339af",
      "strict-transport-security": "max-age=31536000; includeSubDomains"
    },
    "reason": "OK",
    "json_body": { "items": [], "progressRate": 100 }
  }
]
```

### Get Discovered Devices Information

Retrieve a list of devices with credit allocation details identified by Trend Micro Vision One's Attack Surface Discovery.

Endpoint URL: `/v3.0/asrm/attackSurfaceDevices`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| orderBy | string | optional | The field by which the results are sorted; to display records in ascending or descending order, add the phrase `asc` or `desc` after the parameter name |
| top | number | optional | Number of records per page |
| lastDetectedStartDateTime | string | optional | The start time of the data retrieval range, in ISO 8601 format, based on the lastDetectDateTime field; default is the earliest available value |
| lastDetectedEndDateTime | string | optional | The end time of the data retrieval range, in ISO 8601 format, based on the lastDetectDateTime field; default is the time you make the request |
| firstSeenStartDateTime | string | optional | The start time of the data retrieval range, in ISO 8601 format, based on the firstSeenDateTime field; default is the earliest available value |
| firstSeenEndDateTime | string | optional | The end time of the data retrieval range, in ISO 8601 format, based on the firstSeenDateTime field; default is the time you make the request |
| headers | object | optional | Headers to be included in the request |
| TMV1-Filter | string | optional | Filter for retrieving a subset of the device information list |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.deviceName | string | Name of the resource |
| items.id | string | Unique identifier |
| items.latestRiskScore | number | Score value |
| items.criticality | string | Output field criticality |
| items.osName | string | Name of the resource |
| items.osPlatform | string | Output field osPlatform |
| items.ip | array | Output field ip |
| items.lastUser | string | Output field lastUser |
| items.cveCount | number | Count value |
| items.installedAgents | array | Output field installedAgents |
| items.discoveredBy | array | Output field discoveredBy |
| items.firstSeenDateTime | string | Time value |
| items.lastDetectDateTime | string | Time value |
| items.assetCustomTags | array | Output field assetCustomTags |
| items.assetCustomTags.key | string | Output field key |
| items.assetCustomTags.id | string | Unique identifier |
| items.assetCustomTags.value | string | Value for the parameter |
| count | number | Count value |
| totalCount | number | Count value |
| nextLink | string | Output field nextLink |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Sat, 02 Nov 2024 14:49:31 GMT",
      "content-type": "application/json; charset=utf-8",
      "content-length": "12",
      "connection": "keep-alive",
      "x-task-id": "fc3bca51-cdb3-43f2-9bb7-b47f410044d0",
      "x-trace-id": "ed651ba6-a6e0-4977-a101-c05bed17f0d9",
      "ratelimit-policy": "100;w=60",
      "ratelimit-limit": "100",
      "ratelimit-remaining": "99",
      "ratelimit-reset": "60",
      "etag": "W/\"c-f6g7sbyjuuocyykgtnzj94yg+ze\"",
      "tmv1-customer-id": "010989fb-1843-4677-a944-2856b69339af",
      "strict-transport-security": "max-age=31536000; includeSubDomains"
    },
    "reason": "OK",
    "json_body": {
      "items": [],
      "count": 1,
      "totalCount": 1,
      "nextLink": "https://api.xdr.trendmicro.com/v3.0/asrm/attackSurfaceDevices?skipToken=skiptoke…"
    }
  }
]
```

### Get Email Activity Data

Retrieve detailed email activity data from Trend Micro Vision One, including headers, for comprehensive analysis.

Endpoint URL: `/v3.0/search/emailActivities`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| top | number | optional | Number of records per page |
| startDateTime | string | optional | The start of the data retrieval range in ISO 8601 format; if no value is specified, startDateTime defaults to 24 hours before the request is made |
| endDateTime | string | optional | Timestamp in ISO 8601 format that indicates the end of the data retrieval time range; if no value is specified, endDateTime defaults to the time the request is made |
| mode | string | optional | The type of data returned by the query ("default" displays all data returned by the query, "countOnly" displays the number of records returned, and "performance" limits the returned records to 500) |
| select | string | optional | List of fields to include in the search results; if no fields are specified, the query returns all supported fields |
| headers | object | required | Headers for the request |
| TMV1-Query | string | required | Statement that allows you to retrieve a subset of the collected email activity data; check the README link document for supported fields |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |
| json.nextLink | string | Output field nextLink |
| json.progressRate | number | Output field progressRate |
| json.items | array | Output field items |
| json.items.mailMsgSubject | string | Output field mailMsgSubject |
| json.items.mailMsgId | string | Unique identifier |
| json.items.msgUuid | string | Unique identifier |
| json.items.mailbox | string | Output field mailbox |
| json.items.mailSenderIp | string | Output field mailSenderIp |
| json.items.mailFromAddresses | string | Output field mailFromAddresses |
| json.items.mailWholeHeader | array | Output field mailWholeHeader |
| json.items.mailToAddresses | array | Output field mailToAddresses |
| json.items.mailSourceDomain | string | Output field mailSourceDomain |
| json.items.searchDL | string | Output field searchDL |
| json.items.scanType | string | Type of the resource |
| json.items.eventTime | number | Time value |
| json.items.org_id | string | Unique identifier |
| json.items.mailUrlsVisibleLink | array | URL endpoint for the request |
| json.items.mailUrlsRealLink | array | URL endpoint for the request |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Sat, 02 Nov 2024 14:49:31 GMT",
      "content-type": "application/json; charset=utf-8",
      "content-length": "12",
      "connection": "keep-alive",
      "x-task-id": "fc3bca51-cdb3-43f2-9bb7-b47f410044d0",
      "x-trace-id": "ed651ba6-a6e0-4977-a101-c05bed17f0d9",
      "ratelimit-policy": "100;w=60",
      "ratelimit-limit": "100",
      "ratelimit-remaining": "99",
      "ratelimit-reset": "60",
      "etag": "W/\"c-f6g7sbyjuuocyykgtnzj94yg+ze\"",
      "tmv1-customer-id": "010989fb-1843-4677-a944-2856b69339af",
      "strict-transport-security": "max-age=31536000; includeSubDomains"
    },
    "reason": "OK",
    "json": {
      "nextLink": "https://api.xdr.trendmicro.com/v3.0/emailActivities?…&skipToken=ewogicjvdxrlcl…",
      "progressRate": 30,
      "items": []
    }
  }
]
```

### Get Endpoint Activity Data

Retrieve paginated search results from the endpoint activity data source in Trend Micro Vision One v3, with specified headers.

Endpoint URL: `/v3.0/search/endpointActivities`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| startDateTime | string | optional | Timestamp in ISO 8601 format that indicates the start of the data retrieval range; if no value is specified, startDateTime defaults to 24 hours before the request is made |
| endDateTime | string | optional | Timestamp in ISO 8601 format that indicates the end of the data retrieval time range; if no value is specified, endDateTime defaults to the time the request is made |
| top | number | optional | Number of records displayed on a page |
| select | string | optional | List of fields to include in the search results; if no fields are specified, the query returns all supported fields |
| mode | string | optional | Parameter that allows you to select the type of data the query displays |
| headers | object | required | HTTP headers for the request |
| TMV1-Query | string | required | Statement that allows you to retrieve a subset of the collected endpoint activity data; when generating paginated output, TMV1-Query has to be included with every request |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| nextLink | string | Output field nextLink |
| progressRate | number | Output field progressRate |
| items | array | Output field items |
| items.dpt | number | Output field dpt |
| items.dst | string | Output field dst |
| items.endpointGuid | string | Unique identifier |
| items.endpointHostName | string | Name of the resource |
| items.endpointIp | array | Output field endpointIp |
| items.eventId | string | Unique identifier |
| items.eventSubId | number | Unique identifier |
| items.objectIntegrityLevel | number | Output field objectIntegrityLevel |
| items.objectTrueType | number | Type of the resource |
| items.objectSubTrueType | number | Type of the resource |
| items.winEventId | number | Unique identifier |
| items.eventTime | number | Time value |
| items.eventTimeDT | string | Output field eventTimeDT |
| items.hostName | string | Name of the resource |
| items.logonUser | array | Output field logonUser |
| items.objectCmd | string | Output field objectCmd |
| items.objectFileHashSha1 | string | Output field objectFileHashSha1 |
| items.objectFilePath | string | Output field objectFilePath |
| items.objectHostName | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-length": "140",
      "content-type": "application/json",
      "date": "Tue, 19 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "nextLink": "https://api.xdr.trendmicro.com/v3.0/endpointActivities?…&skipToken=ewogicjvdxr…",
      "progressRate": 30,
      "items": []
    }
  }
]
```

### Get Endpoint Data

Retrieve a paginated list of endpoint information from Trend Micro Vision One v3, requiring specific headers.

Endpoint URL: `/v3.0/eiqs/endpoints`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| top | number | optional | Number of records displayed on a page |
| headers | object | required | HTTP headers for the request |
| TMV1-Query | string | required | Statement that allows you to retrieve a subset of the collected endpoint data; when generating paginated output, TMV1-Query has to be included with every request |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.agentGuid | string | Unique identifier |
| items.loginAccount | object | Login account; `value` (array) and `updatedDateTime` (string) |
| items.endpointName | object | Endpoint name; `value` (string) and `updatedDateTime` (string) |
| items.macAddress | object | MAC address; `value` (array) and `updatedDateTime` (string) |
| items.ip | object | IP address; `value` (array) and `updatedDateTime` (string) |
| items.osName | string | Name of the resource |
| items.osVersion | string | Output field osVersion |
| items.osDescription | string | Output field osDescription |
| items.productCode | string | Output field productCode |
| items.installedProductCodes | array | Output field installedProductCodes |
| nextLink | string | Output field nextLink |

Example:

```json
[
  {
    "status_code": 207,
    "response_headers": {
      "content-length": "140",
      "content-type": "application/json",
      "date": "Tue, 19 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "items": [],
      "nextLink": "https://api.xdr.trendmicro.com/public/eiqs/v3/query/endpoints?skipToken=50"
    }
  }
]
```

### Get Network Activity Data

Retrieve paginated network activity data from Trend Micro Vision One v3, including authentication headers.

Endpoint URL: `/v3`
0/search/networkactivities method get input argument name type required description input argument name type required description startdatetime string optional the start of the data retrieval range in iso 8601 format default \ startdatetime defaults to 24 hours before the request is made enddatetime string optional timestamp in iso 8601 format that indicates the end of the data retrieval time range if no value is specified, 'enddatetime' defaults to the time the request is made top number optional number of records displayed on a page mode string optional the type of data returned by the query results ("default" displays all data returned by the query, "countonly" displays the number of records returned, and "performance" limits the returned records to 500 ) select string optional the list of fields included in search results (if no fields are specified, the query returns all supported fields ) headers object required headers for the request tmv1 query string required statement that allows you to retrieve a subset of the collected secure access activity data output parameter type description parameter type description status code number http status code of the response reason string response reason phrase nextlink string output field nextlink progressrate number output field progressrate items array output field items endpointhostname string name of the resource customerid string unique identifier osname string name of the resource dst string output field dst endpointguid string unique identifier principalname string name of the resource request string output field request act number output field act src string output field src servertls string output field servertls eventtime number time value serverprotocol string output field serverprotocol useragent string output field useragent rt number output field rt tenantguid string unique identifier eventname string name of the resource application string output field application rulename string name of the resource 
clientip string output field clientip example \[ { "status code" 202, "response headers" { "date" "sat, 02 nov 2024 14 49 31 gmt", "content type" "application/json; charset=utf 8", "content length" "12", "connection" "keep alive", "x task id" "fc3bca51 cdb3 43f2 9bb7 b47f410044d0", "x trace id" "ed651ba6 a6e0 4977 a101 c05bed17f0d9", "ratelimit policy" "100;w=60", "ratelimit limit" "100", "ratelimit remaining" "99", "ratelimit reset" "60", "etag" "w/\\"c f6g7sbyjuuocyykgtnzj94yg+ze\\"", "tmv1 customer id" "010989fb 1843 4677 a944 2856b69339af", "strict transport security" "max age=31536000; includesubdomains" }, "reason" "ok", "json body" { "nextlink" "https //api xdr trendmicro com/v3 0/networkactivities? \&skiptoken=ewogicjvdxrl ", "progressrate" 30, "items" \[] } } ] get task results retrieve the results of a specified task in trend micro vision one v3 using the unique task id provided endpoint url /v3 0/threatintel/tasks/{{id}} method get input argument name type required description input argument name type required description id string required the unique alphanumeric string that identifies a sweeping task output parameter type description parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier status string status value createddatetime string time value action string output field action lastactiondatetime string time value error object error message if any code string output field code message string response message number number output field number reportid string unique identifier resourcelocation string output field resourcelocation expireddatetime string time value sweeptype string type of the resource sweepdatetime string time value ishit boolean output field ishit workbenchid string unique identifier impactscope array output field impactscope entitytype string type of the resource entityid string unique identifier matchedindicators array output field 
matchedindicators indicatorid string unique identifier pattern string output field pattern example \[ { "status code" 200, "reason" "ok", "json body" { "id" "43597ab5 b8b4 415d 87dc 24c94df82012", "status" "running", "createddatetime" "2021 04 05t08 22 37z", "action" "sweep", "lastactiondatetime" "string", "error" {}, "reportid" "report 2c1091ba a7d2 46b2 bf97 4137916c30cb", "resourcelocation" "https //api xdr trendmicro com/ ", "expireddatetime" "2019 03 15t07 44 27z", "sweeptype" "schedule", "sweepdatetime" "2019 03 15t07 44 27z", "ishit" true, "workbenchid" "wb 20210722 001", "impactscope" \[], "matchedindicators" \[] } } ] import custom intelligence reports create a custom intelligence report in trend micro vision one v3 using data from provided csv/stix files endpoint url /v3 0/threatintel/intelligencereports method post input argument name type required description input argument name type required description data body object required response data reportname string required the name of a custom intelligence report file object required the file to be imported (encoded in utf 8) file string optional parameter for import custom intelligence reports file name string optional name of the resource output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "reason" "ok", "json body" \[ {}, {}, {} ] } ] isolate endpoints isolates endpoints from the network while maintaining connection to the trend micro management server, using 'endpointname' or 'agentguid' endpoint url /v3 0/response/endpoints/isolate method post input argument name type required description input argument name type required description description string optional description of the response task agentguid string optional id of the installed agent endpointname string optional the endpoint name of the target endpoint output parameter type description output parameter 
type description status code number http status code of the response reason string response reason phrase headers array http headers for the request name string name of the resource value string value for the parameter example \[ { "status code" 202, "response headers" { "date" "sat, 02 nov 2024 14 49 31 gmt", "content type" "application/json; charset=utf 8", "content length" "12", "connection" "keep alive", "x task id" "fc3bca51 cdb3 43f2 9bb7 b47f410044d0", "x trace id" "ed651ba6 a6e0 4977 a101 c05bed17f0d9", "ratelimit policy" "100;w=60", "ratelimit limit" "100", "ratelimit remaining" "99", "ratelimit reset" "60", "etag" "w/\\"c f6g7sbyjuuocyykgtnzj94yg+ze\\"", "tmv1 customer id" "010989fb 1843 4677 a944 2856b69339af", "strict transport security" "max age=31536000; includesubdomains" }, "reason" "ok", "headers" \[ {} ] } ] list custom intelligence reports retrieve a list of custom intelligence reports from trend micro vision one v3, encompassing both imported and retrieved data endpoint url /v3 0/threatintel/intelligencereports method get input argument name type required description input argument name type required description orderby string optional the parameter that allows you to sort the retrieved search results in ascending or descending order filter string optional the filter for retrieving a subset of the custom intelligence reports list startdatetime string optional the timestamp in iso 8601 format that indicates the start of the data retrieval time range enddatetime string optional timestamp in iso 8601 format that indicates the end of the data retrieval time range top number optional the number of records displayed on a page output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase items array output field items id string unique identifier name string name of the resource updateddatetime string time value nextlink string output field nextlink example \[ 
{ "status code" 200, "reason" "ok", "json body" { "items" \[], "nextlink" "https //api xdr trendmicro com/v3 0/threatintel/intelligencereports?top=50\&skipt " } } ] list suspicious objects retrieve a paginated list of suspicious domains, file hashes, ip addresses, and urls from trend micro vision one v3 endpoint url /v3 0/threatintel/suspiciousobjects method get input argument name type required description input argument name type required description orderby string optional the parameter that allows you to sort the retrieved search results in ascending or descending order if no order is specified, the results are shown in ascending order startdatetime string optional the timestamp in iso 8601 format that indicates the start of the data retrieval time range if no value is specified, 'startdatetime' defaults to the earliest available value for 'lastmodifieddatetime' enddatetime string optional the timestamp in iso 8601 format that indicates the end of the data retrieval time range if no value is specified, 'enddatetime' defaults to the time the request is made top number optional number of records displayed on a page headers object optional headers for the request tmv1 filter string optional the filter parameter that allows you to filter the retrieved search results output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase items array output field items file name string name of the resource file string output field file example \[ { "status code" 200, "response headers" { "date" "sat, 02 nov 2024 14 49 31 gmt", "content type" "application/json; charset=utf 8", "content length" "12", "connection" "keep alive", "x task id" "fc3bca51 cdb3 43f2 9bb7 b47f410044d0", "x trace id" "ed651ba6 a6e0 4977 a101 c05bed17f0d9", "ratelimit policy" "100;w=60", "ratelimit limit" "100", "ratelimit remaining" "99", "ratelimit reset" "60", "etag" "w/\\"c f6g7sbyjuuocyykgtnzj94yg+ze\\"", 
"tmv1 customer id" "010989fb 1843 4677 a944 2856b69339af", "strict transport security" "max age=31536000; includesubdomains" }, "reason" "ok", "json body" { "items" \[] } } ] list tasks retrieve a paginated list of tasks and asynchronous jobs within trend micro vision one v3 endpoint url /v3 0/threatintel/tasks method get input argument name type required description input argument name type required description orderby string optional the parameter that allows you to sort the retrieved search results in ascending or descending order filter string optional filter for retrieving a subset of the sweeping task list startdatetime string optional the timestamp in iso 8601 format that indicates the start of the data retrieval time range enddatetime string optional the timestamp in iso 8601 format that indicates the end of the data retrieval time range top number optional the number of records displayed on a page output parameter type description parameter type description status code number http status code of the response reason string response reason phrase items array output field items id string unique identifier status string status value createddatetime string time value action string output field action lastactiondatetime string time value error object error message if any code string output field code message string response message number number output field number reportid string unique identifier resourcelocation string output field resourcelocation expireddatetime string time value sweeptype string type of the resource sweepdatetime string time value ishit boolean output field ishit workbenchid string unique identifier impactscope array output field impactscope entitytype string type of the resource entityid string unique identifier matchedindicators array output field matchedindicators indicatorid string unique identifier example \[ { "status code" 200, "reason" "ok", "json body" { "items" \[], "nextlink" "https //api xdr trendmicro com/v3 
0/threatintel/tasks?top=50\&skiptoken=eyjpzci6i " } } ] modify alert status updates the status of an alert or investigation in trend micro vision one v3 using the provided unique identifier endpoint url /v3 0/workbench/alerts/{{id}} method patch input argument name type required description input argument name type required description id string required the unique identifier of a workbench alert headers object optional http headers for the request if match string optional the etag of the resource you want to update status string optional the status of a case or investigation investigationresult string optional the findings of a case or investigation output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text example \[ { "status code" 204, "response headers" {}, "reason" "ok", "response text" "" } ] remove from block list removes specified items such as email addresses, file sha 1s, domains, ips, or urls from the suspicious object list in trend micro vision one v3 endpoint url /v3 0/response/suspiciousobjects/delete method post input argument name type required description input argument name type required description description string optional description of a response task url string optional universal resource locator domain string optional parameter for remove from block list filesha1 string optional the sha1 hash of file filesha256 string optional the sha256 hash of a file sendermailaddress string optional email address ip string optional ip address this fields supports both ipv4 and ipv6 addresses output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 207, "response headers" { "content length" "140", "content type" "application/json", "date" "tue, 19 dec 2023 20 37 23 gmt" }, "reason" 
"ok", "json body" \[ { "status" 202, "headers" \[ { "name" "operation location", "value" "https //api xdr trendmicro com/v3 0/xdr/response/tasks/00000001" } ] }, { "status" 400, "headers" \[ { "name" "operation location", "value" "https //api xdr trendmicro com/v3 0/xdr/response/tasks/00000001" } ], "body" { "error" { "code" "taskerror", "message" "task duplication " } } }, { "status" 400, "body" { "error" { "code" "badrequest", "message" "invalid request required fields not found %field% " } } } ] } ] restore endpoint connection reinstates network access for isolated endpoints in trend micro vision one using either computer name or agent guid endpoint url /tmdr/v3 0/response tasks/restore endpoint connection method post input argument name type required description input argument name type required description description string optional description of the response task agentguid string optional id of the installed agent endpointname string optional <= 255 characters the endpoint name of the target endpoint output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase headers array http headers for the request name string name of the resource value string value for the parameter example \[ { "status code" 202, "response headers" { "date" "sat, 02 nov 2024 14 49 31 gmt", "content type" "application/json; charset=utf 8", "content length" "12", "connection" "keep alive", "x task id" "fc3bca51 cdb3 43f2 9bb7 b47f410044d0", "x trace id" "ed651ba6 a6e0 4977 a101 c05bed17f0d9", "ratelimit policy" "100;w=60", "ratelimit limit" "100", "ratelimit remaining" "99", "ratelimit reset" "60", "etag" "w/\\"c f6g7sbyjuuocyykgtnzj94yg+ze\\"", "tmv1 customer id" "010989fb 1843 4677 a944 2856b69339af", "strict transport security" "max age=31536000; includesubdomains" }, "reason" "ok", "headers" \[ {} ] } ] scan for malware initiates a one time malware scan on specified endpoints with trend 
micro vision one v3, requiring details of the endpoints endpoint url /v3 0/response/endpoints/startmalwarescan method post input argument name type required description input argument name type required description endpoints array required list of endpoints to scan description string optional description of the endpoint agentguid string optional guid of the installed agent endpointname string optional name of the endpoint output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase headers array http headers for the request operation location string output field operation location example \[ { "status code" 202, "response headers" { "date" "sat, 02 nov 2024 14 49 31 gmt", "content type" "application/json; charset=utf 8", "content length" "12", "connection" "keep alive", "x task id" "fc3bca51 cdb3 43f2 9bb7 b47f410044d0", "x trace id" "ed651ba6 a6e0 4977 a101 c05bed17f0d9", "ratelimit policy" "100;w=60", "ratelimit limit" "100", "ratelimit remaining" "99", "ratelimit reset" "60", "etag" "w/\\"c f6g7sbyjuuocyykgtnzj94yg+ze\\"", "tmv1 customer id" "010989fb 1843 4677 a944 2856b69339af", "strict transport security" "max age=31536000; includesubdomains" }, "reason" "ok", "headers" \[ {} ] } ] terminate process terminates a running process on specified endpoints using the provided file sha1 hash in trend micro vision one v3 endpoint url /v3 0/response/endpoints/terminateprocess method post input argument name type required description input argument name type required description description string optional description of the response task agentguid string optional id of the installed agent filesha1 string required sha1 hash of the executable file filename string optional file name of the response task target endpointname string optional name of the endpoint output parameter type description output parameter type description status code number http status code of the response 
reason string response reason phrase headers array http headers for the request name string name of the resource value string value for the parameter example \[ { "status code" 202, "response headers" { "date" "sat, 02 nov 2024 14 49 31 gmt", "content type" "application/json; charset=utf 8", "content length" "12", "connection" "keep alive", "x task id" "fc3bca51 cdb3 43f2 9bb7 b47f410044d0", "x trace id" "ed651ba6 a6e0 4977 a101 c05bed17f0d9", "ratelimit policy" "100;w=60", "ratelimit limit" "100", "ratelimit remaining" "99", "ratelimit reset" "60", "etag" "w/\\"c f6g7sbyjuuocyykgtnzj94yg+ze\\"", "tmv1 customer id" "010989fb 1843 4677 a944 2856b69339af", "strict transport security" "max age=31536000; includesubdomains" }, "reason" "ok", "headers" \[ {} ] } ] trigger sweeping task initiates a comprehensive search task in trend micro vision one v3 using stix shifter, based on custom intelligence reports endpoint url /v3 0/threatintel/intelligencereports/sweep method post input argument name type required description input argument name type required description id string required the unique alphanumeric string that identifies a custom intelligence report sweeptype string required the type of sweeping task description string optional the description of an object output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "reason" "ok", "json body" \[ { "status" 202, "headers" \[ { "name" "operation location", "value" "https //api xdr trendmicro com/ " } ] }, { "status" 400, "body" { "error" { "code" "badrequest", "message" "bad request" } } }, { "status" 404, "body" { "error" { "code" "notfound", "message" "not found" } } } ] } ] response headers header description example connection http response header connection keep alive content length the length of the response body in bytes 31 content type the media type of the resource 
application/json date the date and time at which the message was originated tue, 19 dec 2023 20 37 23 gmt etag an identifier for a specific version of a resource w/"c f6g7sbyjuuocyykgtnzj94yg+ze" ratelimit limit http response header ratelimit limit 100 ratelimit policy http response header ratelimit policy 100;w=60 ratelimit remaining http response header ratelimit remaining 99 ratelimit reset http response header ratelimit reset 60 strict transport security http response header strict transport security max age=31536000; includesubdomains tmv1 customer id http response header tmv1 customer id 010989fb 1843 4677 a944 2856b69339af x powered by http response header x powered by express x task id http response header x task id fc3bca51 cdb3 43f2 9bb7 b47f410044d0 x trace id http response header x trace id f00bd414 05fe 40bf b944 dd19b009b0d1 notes trend micro vision one regional domains https //automation trendmicro com/xdr/guides/regional domainsfirst steps toward using the apis https //automation trendmicro com/xdr/guides/first steps toward utrend micro vision one api documentation https //automation trendmicro com/xdr/api v3
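Two points above deserve working code: the search actions require the TMV1-Query header on every request, including the ones that follow nextLink, and the response actions (Remove From Block List, Trigger Sweeping Task) answer 207 with one status per submitted object, so a successful outer request still needs per-item checks. The example below is added here and is not part of the Swimlane connector or Trend Micro's code; the base URL, the `fetch` callable, and the sample pages are constructed stand-ins for the real API.

```python
"""Pagination with a sticky TMV1-Query header, plus triage of a 207
multi-status body. Added example; not code from the connector or Trend Micro."""
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import urlencode, urljoin

# Regional domain is an assumption here; pick yours from the Notes links.
BASE_URL = "https://api.xdr.trendmicro.com"

JsonFetch = Callable[[str, Dict[str, str]], dict]  # (url, headers) -> JSON body


def search_pages(fetch: JsonFetch, token: str, path: str, query: str,
                 params: Optional[dict] = None) -> Iterator[dict]:
    """Yield every item from a paginated search such as
    /v3.0/search/endpointActivities, following nextLink until it is empty.

    The same headers (bearer token and TMV1-Query) are sent on every page;
    dropping TMV1-Query on the nextLink request is the usual pagination bug.
    """
    headers = {"Authorization": f"Bearer {token}", "TMV1-Query": query}
    url = urljoin(BASE_URL, path)
    if params:
        url += "?" + urlencode(params)
    seen = set()  # stop if a server ever hands back a skipToken already used
    while url and url not in seen:
        seen.add(url)
        body = fetch(url, headers)
        for item in body.get("items", []):
            yield item
        url = body.get("nextLink")


def triage_multistatus(body: List[dict]) -> dict:
    """Split a 207 body (one entry per submitted object, in submission order)
    into accepted task URLs and per-item errors. Only status 202 entries carry
    a task to poll; 4xx entries describe why that object was rejected."""
    accepted, failed = [], []
    for idx, entry in enumerate(body):
        status = entry.get("status")
        if status == 202:
            location = next((h.get("value") for h in entry.get("headers", [])
                             if h.get("name", "").lower() == "operation-location"),
                            None)
            accepted.append({"index": idx, "task_url": location})
        else:
            err = entry.get("body", {}).get("error", {})
            failed.append({"index": idx, "status": status,
                           "code": err.get("code"), "message": err.get("message")})
    return {"accepted": accepted, "failed": failed}


# Constructed sample pages shaped like the Get Endpoint Activity Data response.
SAMPLE_PAGES = {
    f"{BASE_URL}/v3.0/search/endpointActivities?top=2": {
        "items": [{"eventId": "evt-1", "endpointHostName": "host-a"},
                  {"eventId": "evt-2", "endpointHostName": "host-b"}],
        "nextLink": f"{BASE_URL}/v3.0/endpointActivities?&skipToken=PAGE2",
        "progressRate": 50,
    },
    f"{BASE_URL}/v3.0/endpointActivities?&skipToken=PAGE2": {
        "items": [{"eventId": "evt-3", "endpointHostName": "host-a"}],
        "nextLink": None,
        "progressRate": 100,
    },
}

# Constructed copy of the Remove From Block List 207 body shown on this page.
SAMPLE_MULTISTATUS = [
    {"status": 202, "headers": [{"name": "Operation-Location",
                                 "value": f"{BASE_URL}/v3.0/xdr/response/tasks/00000001"}]},
    {"status": 400, "headers": [{"name": "Operation-Location",
                                 "value": f"{BASE_URL}/v3.0/xdr/response/tasks/00000001"}],
     "body": {"error": {"code": "TaskError", "message": "Task duplication."}}},
    {"status": 400, "body": {"error": {"code": "BadRequest",
                                       "message": "Invalid request. Required fields not found: %field%."}}},
]


def fake_fetch(url: str, headers: Dict[str, str]) -> dict:
    """Offline stand-in for HTTP GET that enforces the header rule like the service."""
    if "TMV1-Query" not in headers:
        raise ValueError(f"TMV1-Query header missing on {url}")
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    events = list(search_pages(fake_fetch, "TOKEN", "/v3.0/search/endpointActivities",
                               "endpointHostName:host-a", {"top": 2}))
    print(len(events), "events;", triage_multistatus(SAMPLE_MULTISTATUS))
```

In a Turbine playbook the accepted task URLs are what you poll with Get Task Results, while the failed entries are the ones to surface to the analyst rather than silently drop.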