Trend Micro Vision One v3
The Trend Micro Vision One v3 connector facilitates automated interactions with Trend Micro's threat defense platform, enabling streamlined threat management and response.

Trend Micro Vision One v3 is an advanced threat defense solution that provides comprehensive visibility and analysis across an organization's security infrastructure. This connector enables automated interaction with Trend Micro Vision One v3, allowing users to manage alerts, block lists, and intelligence reports directly from Swimlane Turbine. By integrating with Trend Micro Vision One v3, security teams can streamline threat detection, enhance incident response, and bolster their overall security posture with minimal manual intervention.

This connector integrates Trend Micro Vision One API version 3 with Swimlane Turbine.

## Prerequisites

To effectively utilize the Trend Micro Vision One v3 connector within Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Bearer Authentication with the following parameters:
  - URL: endpoint for the Trend Micro Vision One v3 API
  - Token: bearer token required for authenticating API requests

## Capabilities

This connector provides the following capabilities:

- Add Alert Note
- Add to Block List
- Delete Alert Notes
- Edit Alert Note
- Get Alert Note
- Get Alert Notes
- Get Alerts Details
- Get Alerts Lists
- Get Container Activity Data
- Get Detection Data
- Get Discovered Devices Information
- Get Email Activity Data
- Get Endpoint Activity Data
- Get Endpoint Data
- Get Network Activity Data
- and so on

## Asset Setup

To get a list of available hosts, please see https://automation.trendmicro.com/xdr/guides/regional-domains.

In order to work with the API an API token is needed; please see https://automation.trendmicro.com/xdr/guides/first-steps-toward-u (link truncated on the page) for more information.

## Task Setup

- **Get Alert Notes**: for more details about this action see https://automation.trendmicro.com/xdr/api-v3#tag/Workbench-notes/paths/~1v3.0~1workbench~1alerts~1%7BalertId%7D~1notes/get
- **Get Alerts Lists**: for the possible values of the `TMV1-Filter` header see https://automation.trendmicro.com/xdr/api-v3#tag/Workbench/paths/~1v3.0~1workbench~1alerts/get
- **Get Endpoint Activity Data**: for the possible values of the `TMV1-Query` header see https://automation.trendmicro.com/xdr/api-v3#tag/Suspicious-Objects/paths/~1v3.0~1response~1suspiciousObjects~1delete/post
- **Get Endpoint Data**: for the possible values of the `TMV1-Query` header see https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1eiqs~1endpoints/get
- **Remove from Block List**: every object in the request body must refer to only one item. Example:

```json
[
  {"description": "your description (string)", "url": "your url"},
  {"description": "your description2", "domain": "your domain"},
  {"description": "your description3", "fileSha1": "your fileSha1"},
  {"description": "your description4", "fileSha256": "your fileSha256"},
  {"description": "your description5", "senderMailAddress": "your senderMailAddress"},
  {"description": "your description6", "ip": "your ip"}
]
```

- **List Suspicious Objects**: for the possible values of the `TMV1-Filter` header see https://automation.trendmicro.com/xdr/api-v3/#tag/Suspicious-Object-List/paths/~1v3.0~1threatintel~1suspiciousObjects/get
- **Add to Block List**: every object in the request body must refer to only one item. Check the array of values at https://automation.trendmicro.com/xdr/api-v3/#tag/Suspicious-Objects/paths/~1v3.0~1response~1suspiciousObjects/post
- **Get Detection Data**: for the possible values of the `TMV1-Query` header see https://automation.trendmicro.com/xdr/api-v3/#tag/Search/paths/~1v3.0~1search~1detections/get
- **Get Email Activity Data**: for the possible values of the `TMV1-Query` header see https://automation.trendmicro.com/xdr/api-v3/#tag/Search/paths/~1v3.0~1search~1emailActivities/get
- **Get Network Activity Data**: for the possible values of the `TMV1-Query` header see https://automation.trendmicro.com/xdr/api-v3/#tag/Search/paths/~1v3.0~1search~1networkActivities/get
- **Get Container Activity Data**: for the possible values of the `TMV1-Query` header see https://automation.trendmicro.com/xdr/api-v3/#tag/Search/paths/~1v3.0~1search~1containerActivities/get
- **Get Discovered Devices Information**: for the possible values of the `TMV1-Filter` header see https://automation.trendmicro.com/xdr/api-v3/#tag/Attack-Surface-Discovery
- **Isolate Endpoints**: every object in the request body must refer to only one item. Check the array of values at https://automation.trendmicro.com/xdr/api-v3/#tag/Endpoint/paths/~1v3.0~1response~1endpoints~1isolate/post
- **Restore Endpoint Connection**: every object in the request body must refer to only one item. Check the array of values at https://automation.trendmicro.com/xdr/api-v3/#tag/Endpoint/paths/~1v3.0~1response~1endpoints~1restore/post
- **Terminate Process**: every object in the request body must refer to only one item. Check the array of values at https://automation.trendmicro.com/xdr/api-v3/#tag/Endpoint/paths/~1v3.0~1response~1endpoints~1terminateProcess/post
- **Scan for Malware**: every object in the request body must refer to only one item. Check the array of values at https://automation.trendmicro.com/xdr/api-v3/#tag/Endpoint/paths/~1v3.0~1response~1endpoints~1startMalwareScan/post

## Notes

- https://automation.trendmicro.com/xdr/guides/regional-domains
- https://automation.trendmicro.com/xdr/guides/first-steps-toward-u (link truncated on the page)
- https://automation.trendmicro.com/xdr/api-v3

## Configurations

### Trend Vision One v3 HTTP Bearer Authentication

Authenticates using a bearer token such as a JWT, etc.

**Configuration parameters**

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| token | The API token | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Alert Note

Appends a note to an existing Workbench alert in Trend Micro Vision One v3 using the specified alertId and note content.

- **Endpoint URL:** `/v3.0/workbench/alerts/{{alertId}}/notes`
- **Method:** POST

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.alertId | string | required | Unique alphanumeric string that identifies a Workbench alert |
| content | string | optional | Unique alphanumeric string that identifies a Workbench alert |

**Input example**

```json
{"path_parameters": {"alertId": "WB-14-20190709-00003"}}
```

**Output parameters**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| location | string | Output field location |

**Output example** (truncated on the page)

```json
{"status_code": 201, "response_headers": {"date": "Sat, 02 Nov 2024 14:49:31 GMT", "content-type": "application/json; charset=utf-8", "content-length": "12", "connection": "keep-alive", "x-task-id": "fc3bca51-cdb3-43f2-9bb7-b47f410044d0", "x-trace-id": "ed651ba6-a6e0-4977-a101-c05bed17f0d9", "ratelimit-policy": "100;w=60", "ratelimit-limit": "100", "ratelimit-remaining": "99", "ratelimit-reset": "60", "etag": "W/\"c-f6g7sbyjuuocyykgtnzj94yg+ze\"", "tmv1-customer-id": "010989fb-1843-4677-a944-2856b69339af", "strict-transpo
```

### Add to Block List

Adds objects like email addresses, file SHA-1s, domains, IPs, or URLs to the Trend Micro Vision One Suspicious Object List.

- **Endpoint URL:** `/v3.0/threatintel/suspiciousObjects`
- **Method:** POST

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| description | string | optional | Description of a response task |
| url | string | optional | Universal resource locator |
| domain | string | optional | Domain name |
| fileSha1 | string | optional | The SHA-1 hash of a file |
| fileSha256 | string | optional | The SHA-256 hash of a file |
| senderMailAddress | string | optional | The sender's email address |
| ip | string | optional | IP address; this field supports both IPv4 and IPv6 addresses |

**Input example**

```json
{"description": "string", "url": "https://example.com/api/resource", "domain": "string", "fileSha1": "string", "fileSha256": "string", "senderMailAddress": "string", "ip": "string"}
```

**Output parameters**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | array | HTTP headers for the request |
| headers.name | string | HTTP headers for the request |
| headers.value | string | HTTP headers for the request |
| items | array | Output field items |
| items.file_name | string | Name of the resource |
| items.file | string | Output field items.file |

**Output example** (truncated on the page)

```json
{"status_code": 202, "response_headers": {"date": "Sat, 02 Nov 2024 14:49:31 GMT", "content-type": "application/json; charset=utf-8", "content-length": "12", "connection": "keep-alive", "x-task-id": "fc3bca51-cdb3-43f2-9bb7-b47f410044d0", "x-trace-id": "ed651ba6-a6e0-4977-a101-c05bed17f0d9", "ratelimit-policy": "100;w=60", "ratelimit-limit": "100", "ratelimit-remaining": "99", "ratelimit-reset": "60", "etag": "W/\"c-f6g7sbyjuuocyykgtnzj94yg+ze\"", "tmv1-customer-id": "010989fb-1843-4677-a944-2856b69339af", "strict-transpo
```

### Delete Alert Notes

Removes specified notes from a Workbench alert in Trend Micro Vision One v3 using the alertId provided.

- **Endpoint URL:** `/v3.0/workbench/alerts/{{alertId}}/notes/delete`
- **Method:** POST

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.alertId | string | required | Unique alphanumeric string that identifies a Workbench alert |

**Input example**

```json
{"json_body": [{"id": 0}, {"id": 1}], "path_parameters": {"alertId": "WB-14-20190709-00003"}}
```

**Output parameters**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

**Output example**

```json
{"status_code": 204, "response_headers": {}, "reason": "OK", "response_text": ""}
```

### Delete Custom Intelligence Reports

Removes specified custom intelligence reports from Trend Micro Vision One v3 using the provided JSON body.

- **Endpoint URL:** `/v3.0/threatintel/intelligenceReports/delete`
- **Method:** POST

**Output parameters**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
{"status_code": 200, "reason": "OK", "json_body": [{"status": 204}, {"status": 400, "body": {"error": {"code": "BadRequest", "message": "Bad request"}}}, {"status": 404, "body": {"error": {"code": "NotFound", "message": "Not found"}}}]}
```

### Download Custom Intelligence Report

Retrieves a STIX-bundle-formatted custom intelligence report from Trend Micro Vision One v3 using the provided report ID.

- **Endpoint URL:** `/v3.0/threatintel/intelligenceReports/{{id}}`
- **Method:** GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | required | The unique alphanumeric string that identifies a custom intelligence report |

**Input example**

```json
{"path_parameters": {"id": "report-2c1091ba-a7d2-46b2-bf97-4137916c30cb"}}
```

**Output parameters**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| updatedDateTime | string | Time value |
| downloadLink | string | Output field downloadLink |

**Output example**

```json
{"status_code": 200, "reason": "OK", "json_body": {"id": "report-2c1091ba-a7d2-46b2-bf97-4137916c30cb", "name": "report name 1", "updatedDateTime": "2019-03-15T07:44:27Z", "downloadLink": "https://upload.visionone.trendmicro.com/a.txt?AWSAccessKeyId=xxxxxxxxxxx..."}}
```

### Edit Alert Note

Updates a specific alert's note in Trend Micro Vision One using the provided `id`, `alertId`, and `content`.

- **Endpoint URL:** `/v3.0/workbench/alerts/{{alertId}}/notes/{{id}}`
- **Method:** PATCH

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.alertId | string | required | Unique alphanumeric string that identifies a Workbench alert |
| path_parameters.id | number | required | Numeric string that identifies a Workbench alert note |
| headers | object | optional | HTTP headers for the request |
| headers.If-Match | string | optional | Parameter that allows you to specify the version of the resource to be updated |
| content | string | optional | Response content |

**Input example**

```json
{"json_body": {"content": "edit alert"}, "path_parameters": {"alertId": "WB-14-20190709-00003", "id": 1}, "headers": {"If-Match": "33a64df551425fcc55e4d42a148795d9f25f89d4"}}
```

**Output parameters**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

**Output example**

```json
{"status_code": 204, "response_headers": {}, "reason": "OK", "response_text": ""}
```

### Get Alert Note

Retrieves a specific note for an alert in Trend Micro Vision One using the provided alertId and note id.

- **Endpoint URL:** `/v3.0/workbench/alerts/{{alertId}}/notes/{{id}}`
- **Method:** GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.alertId | string | required | Unique identifier for a Workbench alert |
| path_parameters.id | number | required | Numeric identifier for a Workbench alert note |

**Input example**

```json
{"path_parameters": {"alertId": "WB-14-20190709-00003", "id": 1}}
```

**Output parameters**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| content | string | Response content |
| creatorMailAddress | string | Output field creatorMailAddress |
| creatorName | string | Name of the resource |
| createdDateTime | string | Time value |
| lastUpdatedBy | string | Output field lastUpdatedBy |
| lastUpdatedDateTime | string | Time value |

**Output example** (truncated on the page)

```json
{"status_code": 200, "response_headers": {"date": "Sat, 02 Nov 2024 14:49:31 GMT", "content-type": "application/json; charset=utf-8", "content-length": "12", "connection": "keep-alive", "x-task-id": "fc3bca51-cdb3-43f2-9bb7-b47f410044d0", "x-trace-id": "ed651ba6-a6e0-4977-a101-c05bed17f0d9", "ratelimit-policy": "100;w=60", "ratelimit-limit": "100", "ratelimit-remaining": "99", "ratelimit-reset": "60", "etag": "W/\"c-f6g7sbyjuuocyykgtnzj94yg+ze\"", "tmv1-customer-id": "010989fb-1843-4677-a944-2856b69339af", "strict-transpo
```

### Get Alert Notes

Retrieves all notes linked to a specific alert in Trend Micro Vision One using the alertId provided.

- **Endpoint URL:** `/v3.0/workbench/alerts/{{alertId}}/notes`
- **Method:** GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.alertId | string | required | Unique alphanumeric string that identifies a Workbench alert |
| parameters.startDateTime | string | optional | Timestamp in ISO 8601 format that indicates the start of the data retrieval time range |
| parameters.endDateTime | string | optional | Timestamp in ISO 8601 format that indicates the end of the data retrieval time range |
| parameters.dateTimeTarget | string | optional | Parameter that allows you to filter the retrieved Workbench alert notes |
| parameters.orderBy | string | optional | Parameter to be used for sorting records. You can use multiple fields, separated by commas, to sort the retrieved Workbench alert notes |
| parameters.top | number | optional | Number of records displayed on a page |
| headers | object | optional | HTTP headers for the request |
| headers.TMV1-Filter | string | optional | Filter for retrieving a subset of Workbench alert notes |

**Input example**

```json
{"parameters": {"startDateTime": "1970-01-01T00:00:00Z", "endDateTime": "1970-01-01T00:00:00Z", "dateTimeTarget": "createdDateTime", "orderBy": "createdDateTime desc", "top": 50}, "path_parameters": {"alertId": "WB-14-20190709-00003"}, "headers": {"TMV1-Filter": "creatorName eq 'John Doe'"}}
```

**Output parameters**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.id | number | Unique identifier |
| items.content | string | Response content |
| items.creatorMailAddress | string | Output field items.creatorMailAddress |
| items.creatorName | string | Name of the resource |
| items.createdDateTime | string | Time value |
| items.lastUpdatedBy | string | Output field items.lastUpdatedBy |
| items.lastUpdatedDateTime | string | Time value |
| nextLink | string | Output field nextLink |

**Output example** (nextLink truncated on the page)

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"items": [{}, {}], "nextLink": "https://api.xdr.trendmicro.com/v3.0/workbench/alerts/WB-14-20190709-00003/notes?"}}
```

### Get Alerts Details

Retrieve detailed information for a specified alert in Trend Micro Vision One using the alert ID.

- **Endpoint URL:** `/v3.0/workbench/alerts/{{id}}`
- **Method:** GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | required | The unique identifier of a Workbench alert |

**Input example**

```json
{"path_parameters": {"id": "WB-14-20190709-00003"}}
```

**Output parameters**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| schemaVersion | string | Output field schemaVersion |
| id | string | Unique identifier |
| investigationStatus | string | Status value |
| status | string | Status value |
| investigationResult | string | Result of the operation |
| workbenchLink | string | Output field workbenchLink |
| alertProvider | string | Unique identifier |
| modelId | string | Unique identifier |
| model | string | Output field model |
| modelType | string | Type of the resource |
| description | string | Output field description |
| score | number | Score value |
| severity | string | Output field severity |
| firstInvestigatedDateTime | string | Time value |
| createdDateTime | string | Time value |
| updatedDateTime | string | Time value |
| incidentId | string | Unique identifier |
| caseId | string | Unique identifier |
| ownerIds | array | Unique identifier |
| impactScope | object | Output field impactScope |
| impactScope.desktopCount | number | Count value |
| impactScope.serverCount | number | Count value |
| impactScope.accountCount | number | Count value |

**Output example** (truncated on the page)

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"schemaVersion": "1.12", "id": "WB-9002-20220906-00025", "investigationStatus": "New", "status": "Open", "investigationResult": "No Findings", "workbenchLink": "https://THE_WORKBENCH_URL", "alertProvider": "SAE", "modelId": "1ebd4f91-4b28-40b4-87f5-8defee4791d8", "model": "Possible Credential Dumping via Registry", "modelType": "preset", "description": "A user obtained account logon information that can be used to access remote syst...", "score": 64, "
```

### Get Alerts List

Retrieve a paginated list of Workbench alerts from Trend Micro Vision One based on specified criteria.

- **Endpoint URL:** `/v3.0/workbench/alerts`
- **Method:** GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.startDateTime | string | optional | Datetime in ISO 8601 format that indicates the start of the data retrieval time range. The oldest available value is "1970-01-01T00:00:00Z" |
| parameters.endDateTime | string | optional | Datetime in ISO 8601 format that indicates the end of the data retrieval time range. Ensure that endDateTime is not earlier than startDateTime |
| parameters.dateTimeTarget | string | optional | The timestamp to be used for retrieving Workbench alert data |
| parameters.orderBy | string | optional | Specifies the field by which the results are sorted |
| headers | object | optional | HTTP headers for the request |
| headers.TMV1-Filter | string | optional | Filter for retrieving a subset of the alert list |

**Input example**

```json
{"parameters": {"startDateTime": "2020-06-15T10:00:00Z", "endDateTime": "2020-06-15T10:00:00Z", "dateTimeTarget": "createdDateTime", "orderBy": "createdDateTime desc"}, "headers": {"TMV1-Filter": "impactScopeEntityValue eq <value>"}}
```

**Output parameters**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| totalCount | number | Count value |
| count | number | Count value |
| items | array | Output field items |
| items.schemaVersion | string | Output field items.schemaVersion |
| items.id | string | Unique identifier |
| items.investigationStatus | string | Status value |
| items.status | string | Status value |
| items.investigationResult | string | Result of the operation |
| items.workbenchLink | string | Output field items.workbenchLink |
| items.alertProvider | string | Unique identifier |
| items.modelId | string | Unique identifier |
| items.model | string | Output field items.model |
| items.modelType | string | Type of the resource |
| items.score | number | Score value |
| items.severity | string | Output field items.severity |
| items.firstInvestigatedDateTime | string | Time value |
| items.createdDateTime | string | Time value |
| items.updatedDateTime | string | Time value |
| items.incidentId | string | Unique identifier |
| items.caseId | string | Unique identifier |
| items.ownerIds | array | Unique identifier |
| items.impactScope | object | Output field items.impactScope |
| items.impactScope.desktopCount | number | Count value |

**Output example**

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"totalCount": 1, "count": 1, "items": [{}]}}
```

### Get Container Activity Data

Retrieve paginated container activity data from Trend Micro Vision One v3, using specified authentication headers.

- **Endpoint URL:** `/v3.0/search/containerActivities`
- **Method:** GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.startDateTime | string | optional | The start of the data retrieval range in ISO 8601 format. Default: startDateTime defaults to 24 hours before the request is made |
| parameters.endDateTime | string | optional | Timestamp in ISO 8601 format that indicates the end of the data retrieval time range. If no value is specified, endDateTime defaults to the time the request is made |
| parameters.top | number | optional | The number of records displayed on a page in default mode |
| parameters.mode | string | optional | The type of data returned by the query results ("default" displays all data returned by the query, "countOnly" displays the number of records returned, and "performance" limits the returned records to 500). "default" displays the data returned by the query. "countOnly" displays the number of records returned by the query. "performance" displays the data in performance mode, but the "top" parameter does not work and there may be zero records returned even though progressRate has not reached 100. To display all records, call the API again via nextLink until progressRate has reached 100. Use count mode to avoid returning empty data |
| parameters.select | string | optional | The list of fields included in search results (if no fields are specified, the query returns all supported fields) |
| headers | object | required | Headers for the request |
| headers.TMV1-Query | string | required | Statement that allows you to retrieve a subset of the collected secure access activity data. Supported fields can be found in the README link |

**Input example**

```json
{"parameters": {"startDateTime": "2021-04-05T08:22:37Z", "endDateTime": "2021-04-05T08:22:37Z", "top": 500, "mode": "default", "select": "dpt,dst,objectFilePath"}, "headers": {"TMV1-Query": "objectFilePath:\"/opt/nimsoft/probes/system/processes/processes\" and eventId:3"}}
```

**Output parameters**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| nextLink | string | Output field nextLink |
| progressRate | number | Output field progressRate |
| items | array | Output field items |
| items.endpointHostName | string | Name of the resource |
| items.eventId | number | Unique identifier |
| items.eventSubId | number | Unique identifier |
| items.eventTime | number | Time value |
| items.objectFilePath | string | Output field items.objectFilePath |
| items.srcFilePath | string | Output field items.srcFilePath |
| items.tags | array | Output field items.tags |
| items.uuid | string | Unique identifier |
| items.productCode | array | Output field items.productCode |
| items.filterRiskLevel | string | Output field items.filterRiskLevel |
| items.eventSourceType | string | Type of the resource |
| items.version | string | Output field items.version |
| items.customerId | string | Unique identifier |
| items.receivedTime | number | Time value |
| items.bitwiseFilterRiskLevel | string | Output field items.bitwiseFilterRiskLevel |
| items.customFilterTags | string | Output field items.customFilterTags |
| items.customFilterRiskLevel | string | Output field items.customFilterRiskLevel |
| items.tmFilterRiskLevel | string | Output field items.tmFilterRiskLevel |
| items.clusterId | string | Unique identifier |
| items.clusterName | string | Name of the resource |

**Output example** (truncated on the page)

```json
{"status_code": 200, "response_headers": {"date": "Sat, 02 Nov 2024 14:49:31 GMT", "content-type": "application/json; charset=utf-8", "content-length": "12", "connection": "keep-alive", "x-task-id": "fc3bca51-cdb3-43f2-9bb7-b47f410044d0", "x-trace-id": "ed651ba6-a6e0-4977-a101-c05bed17f0d9", "ratelimit-policy": "100;w=60", "ratelimit-limit": "100", "ratelimit-remaining": "99", "ratelimit-reset": "60", "etag": "W/\"c-f6g7sbyjuuocyykgtnzj94yg+ze\"", "tmv1-customer-id": "010989fb-1843-4677-a944-2856b69339af", "strict-transpo
```

### Get Detection Data

Retrieve detailed detection data from Trend Micro Vision One using specified authentication headers.

- **Endpoint URL:** `/v3.0/search/detections`
- **Method:** GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.startDateTime | string | optional | The start of the data retrieval range in ISO 8601 format. Default: startDateTime defaults to 24 hours before the request is made |
| parameters.endDateTime | string | optional | Timestamp in ISO 8601 format that indicates the end of the data retrieval time range. If no value is specified, endDateTime defaults to the time the request is made |
| parameters.top | number | optional | The number of records displayed on a page in default mode |
| parameters.mode | string | optional | The type of data returned by the query results ("default" displays all data returned by the query, "countOnly" displays the number of records returned, and "performance" limits the returned records to 500). "default" displays the data returned by the query. "countOnly" displays the number of records returned by the query. "performance" displays the data in performance mode, but the "top" parameter does not work and there may be zero records returned even though progressRate has not reached 100. To display all records, call the API again via nextLink until progressRate has reached 100. Use count mode to avoid returning empty data |
| parameters.select | string | optional | The list of fields included in search results (if no fields are specified, the query returns all supported fields) |
| headers | object | required | Headers for the request |
| headers.TMV1-Query | string | required | Statement that allows you to retrieve a subset of the collected secure access activity data. Supported fields can be found in the README link |

**Input example**

```json
{"parameters": {"startDateTime": "2021-04-05T08:22:37Z", "endDateTime": "2021-04-05T08:22:37Z", "top": 500, "mode": "default", "select": "dpt,dst,objectFilePath"}, "headers": {"TMV1-Query": "objectFilePath:\"/opt/nimsoft/probes/system/processes/processes\" and eventId:3"}}
```

**Output parameters**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.file_name | string | Name of the resource |
| items.file | string | Output field items.file |
| progressRate | number | Output field progressRate |

**Output example** (truncated on the page)

```json
{"status_code": 200, "response_headers": {"date": "Sat, 02 Nov 2024 15:09:42 GMT", "content-type": "application/json; charset=utf-8", "content-length": "31", "connection": "keep-alive", "x-powered-by": "Express", "etag": "W/\"1f-swghjhgirjch9amg2thj8+scgom\"", "x-trace-id": "f00bd414-05fe-40bf-b944-dd19b009b0d1", "x-task-id": "9ea157d4-83be-4420-9dac-8d73556b2d6c", "tmv1-customer-id": "010989fb-1843-4677-a944-2856b69339af", "strict-transport-security": "max-age=31536000; includeSubDomains"}, "reason": "OK", "json_body"
```

### Get Discovered Devices Information

Retrieve a list of devices with credit allocation details from Trend Micro Vision One's Attack Surface Discovery.

- **Endpoint URL:** `/v3.0/asrm/attackSurfaceDevices`
- **Method:** GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.orderBy | string | optional | The field by which the results are sorted. To display records in ascending or descending order, add the phrase asc or desc after the parameter name |
| parameters.top | number | optional | Number of records per page |
| parameters.lastDetectedStartDateTime | string | optional | The start time of the data retrieval range, in ISO 8601 format, based on the lastDetectDateTime field. Default is the earliest available value |
| parameters.lastDetectedEndDateTime | string | optional | The end time of the data retrieval range, represented in ISO 8601 format, based on the lastDetectDateTime field. Default is the time you make the request |
| parameters.firstSeenStartDateTime | string | optional | The start time of the data retrieval range, in ISO 8601 format, based on the firstSeenDateTime field. Default is the earliest available value |
| parameters.firstSeenEndDateTime | string | optional | The end time of the data retrieval range, in ISO 8601 format, based on the firstSeenDateTime field. Default is the time you make the request |
| headers | object | optional | Headers to be included in the request |
| headers.TMV1-Filter | string | optional | Filter for retrieving a subset of the device information list |

**Input example**

```json
{"parameters": {"orderBy": "latestRiskScore desc", "top": 100, "lastDetectedStartDateTime": "2021-01-01T00:00:00Z", "lastDetectedEndDateTime": "2021-12-31T23:59:59Z", "firstSeenStartDateTime": "2021-01-01T00:00:00Z", "firstSeenEndDateTime": "2021-12-31T23:59:59Z"}, "headers": {"TMV1-Filter": "(latestRiskScore ge 70) and (installedAgents eq 'Trend Vision One Agent')"}}
```

**Output parameters**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.deviceName | string | Name of the resource |
| items.id | string | Unique identifier |
| items.latestRiskScore | number | Score value |
| items.criticality | string | Output field items.criticality |
| items.osName | string | Name of the resource |
| items.osPlatform | string | Output field items.osPlatform |
| items.ip | array | Output field items.ip |
| items.lastUser | string | Output field items.lastUser |
| items.cveCount | number | Count value |
| items.installedAgents | array | Output field items.installedAgents |
| items.discoveredBy | array | Output field items.discoveredBy |
| items.firstSeenDateTime | string | Time value |
| items.lastDetectDateTime | string | Time value |
| items.assetCustomTags | array | Output field items.assetCustomTags |
| items.assetCustomTags.key | string | Output field items.assetCustomTags.key |
| items.assetCustomTags.id | string | Unique identifier |
| items.assetCustomTags.value | string | Value for the parameter |
| count | number | Count value |
| totalCount | number | Count value |
| nextLink | string | Output field nextLink |

**Output example** (truncated on the page)

```json
{"status_code": 200, "response_headers": {"date": "Sat, 02 Nov 2024 14:49:31 GMT", "content-type": "application/json; charset=utf-8", "content-length": "12", "connection": "keep-alive", "x-task-id": "fc3bca51-cdb3-43f2-9bb7-b47f410044d0", "x-trace-id": "ed651ba6-a6e0-4977-a101-c05bed17f0d9", "ratelimit-policy": "100;w=60", "ratelimit-limit": "100", "ratelimit-remaining": "99", "ratelimit-reset": "60", "etag": "W/\"c-f6g7sbyjuuocyykgtnzj94yg+ze\"", "tmv1-customer-id": "010989fb-1843-4677-a944-2856b69339af", "strict-transpo
```

### Get Email Activity Data

Retrieve detailed email activity data, including headers, from Trend Micro Vision One for comprehensive analysis.

- **Endpoint URL:** `/v3.0/search/emailActivities`
- **Method:** GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.top | number | optional | Number of records per page |
| parameters.startDateTime | string | optional | The start of the data retrieval range in ISO 8601 format. Default: startDateTime defaults to 24 hours before the request is made |
| parameters.endDateTime | string | optional | Timestamp in ISO 8601 format that indicates the end of the data retrieval time range. If no value is specified, endDateTime defaults to the time the request is made |
| parameters.mode | string | optional | The type of data returned by the query results ("default" displays all data returned by the query, "countOnly" displays the number of records returned, and "performance" limits the returned records to 500) |
| parameters.select | string | optional | List of fields to include in the search results. If no fields are specified, the query returns all supported fields |
| headers | object | required | Headers for the request |
| headers.TMV1-Query | string | required | Statement that allows you to retrieve a subset of the collected email activity data. Check the README link document for supported fields |

**Input example**

```json
{"parameters": {"top": 100, "startDateTime": "2021-04-05T08:22:37Z", "endDateTime": "2021-04-05T08:22:37Z", "mode": "default", "select": "mailMsgSubject,mailFromAddresses,mailToAddresses"}, "headers": {"TMV1-Query": "mailMsgSubject:spam or mailSenderIp:\"192.169.1.1\""}}
```

**Output parameters**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |
| json.nextLink | string | Output field json.nextLink |
| json.progressRate | number | Output field json.progressRate |
| json.items | array | Output field json.items |
| json.items.mailMsgSubject | string | Output field json.items.mailMsgSubject |
| json.items.mailMsgId | string | Unique identifier |
| json.items.msgUuid | string | Unique identifier |
| json.items.mailbox | string | Output field json.items.mailbox |
| json.items.mailSenderIp | string | Output field json.items.mailSenderIp |
| json.items.mailFromAddresses | string | Output field json.items.mailFromAddresses |
| json.items.mailWholeHeader | array | Output field json.items.mailWholeHeader |
| json.items.mailToAddresses | array | Output field json.items.mailToAddresses |
| json.items.mailSourceDomain | string | Output field json.items.mailSourceDomain |
| json.items.searchDL | string | Output field json.items.searchDL |
| json.items.scanType | string | Type of the resource |
| json.items.eventTime | number | Time value |
| json.items.org_id | string | Unique identifier |
| json.items.mailUrlsVisibleLink | array | URL endpoint for the request |
| json.items.mailUrlsRealLink | array | URL endpoint for the request |

**Output example** (truncated on the page)

```json
{"status_code": 200, "response_headers": {"date": "Sat, 02 Nov 2024 14:49:31 GMT", "content-type": "application/json; charset=utf-8", "content-length": "12", "connection": "keep-alive", "x-task-id": "fc3bca51-cdb3-43f2-9bb7-b47f410044d0", "x-trace-id": "ed651ba6-a6e0-4977-a101-c05bed17f0d9", "ratelimit-policy": "100;w=60", "ratelimit-limit": "100", "ratelimit-remaining": "99", "ratelimit-reset": "60", "etag": "W/\"c-f6g7sbyjuuocyykgtnzj94yg+ze\"", "tmv1-customer-id": "010989fb-1843-4677-a944-2856b69339af", "strict-transpo
```

### Get Endpoint Activity Data

Retrieve paginated search results from the endpoint activity data source in Trend Micro Vision One v3, using specified headers.

- **Endpoint URL:** `/v3.0/search/endpointActivities`
- **Method:** GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.startDateTime | string | optional | Timestamp in ISO 8601 format that indicates the start of the data retrieval range. If no value is specified, startDateTime defaults to 24 hours before the request is made |
| parameters.endDateTime | string | optional | Timestamp in ISO 8601 format that indicates the end of the data retrieval time range. If no value is specified, endDateTime defaults to the time the request is made |
| parameters.top | number | optional | Number of records displayed on a page |
| parameters.select | string | optional | List of fields to include in the search results. If no fields are specified, the query returns all supported fields |
| parameters.mode | string | optional | Parameter that allows you to select the type of data the query displays |
| headers | object | required | HTTP headers for the request |
| headers.TMV1-Query | string | required | When generating paginated output, TMV1-Query has to be included with every request. Statement that allows you to retrieve a subset of the collected endpoint activity data |

**Input example**

```json
{"parameters": {"startDateTime": "2021-04-05T08:22:37Z", "endDateTime": "2021-04-06T08:22:37Z", "top": 500, "select": "empty", "mode": "default"}, "headers": {"TMV1-Query": "dpt:443"}}
```

**Output parameters** (the list is truncated on the page)

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| nextLink | string | Output field nextLink |
| progressRate | number | Output field progressRate |
| items | array | Output field items |
| items.dpt | number | Output field items.dpt |
| items.dst | string | Output field items.dst |
| items.endpointGuid | string | Unique identifier |
| items.endpointHostName | string | Name of the resource |
| items.endpointIp | array | Output field items.endpointIp |
| items.eventId | string | Unique identifier |
| items.eventSubId | number | Unique identifier |
| items.objectIntegrityLevel | number | Output field items.objectIntegrityLevel |
| items.objectTrueType | number | Type of the resource |
| items.objectSubTrueType | number | Type of the resource |
| items.winEventId | number | Unique identifier |
| items.eventTime | number | Time value |
| items.eventTimeDT | string | Output field items.eventTimeDT |
| items.hostName | string | Name of the resource |
| items.logonUser | array | Output field items.logonUser |
field items logonuser items objectcmd string output field items objectcmd items objectfilehashsha1 string output field items objectfilehashsha1 items objectfilepath string output field items objectfilepath items objecthostname string name of the resource items objectip string output field items objectip output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "tue, 19 dec 2023 20 37 23 gmt"},"reason" "ok","json body" {"nextlink" "https //api xdr trendmicro com/v3 0/endpointactivities? \&skiptoken=ewogicjvdxr ","progressrate" 30,"items" \[{}]}} get endpoint data retrieve a paginated list of endpoint information from trend micro vision one v3, with specific headers required endpoint url /v3 0/eiqs/endpoints method get input argument name type required description parameters top number optional number of records displayed on a page headers object required http headers for the request headers tmv1 query string required when generating paginated output, tmv1 query has to be included with every request statement that allows you to retrieve a subset of the collected endpoint activity data input example {"parameters" {"top" 50},"headers" {"tmv1 query" "(endpointname eq 'sample host')"}} output parameter type description status code number http status code of the response reason string response reason phrase items array output field items items agentguid string unique identifier items loginaccount object count value items loginaccount value array value for the parameter items loginaccount updateddatetime string time value items endpointname object name of the resource items endpointname value string name of the resource items endpointname updateddatetime string name of the resource items macaddress object output field items macaddress items macaddress value array value for the parameter items macaddress updateddatetime string time value items ip object output field items ip items ip value array value for the 
parameter items ip updateddatetime string time value items osname string name of the resource items osversion string output field items osversion items osdescription string output field items osdescription items productcode string output field items productcode items installedproductcodes array output field items installedproductcodes nextlink string output field nextlink output example {"status code" 207,"response headers" {"content length" "140","content type" "application/json","date" "tue, 19 dec 2023 20 37 23 gmt"},"reason" "ok","json body" {"items" \[{}],"nextlink" "https //api xdr trendmicro com/public/eiqs/v3/query/endpoints?skiptoken=50"}} get network activity data retrieve paginated network activity data, including details like ip addresses and protocols, from trend micro vision one v3 endpoint url /v3 0/search/networkactivities method get input argument name type required description parameters startdatetime string optional the start of the data retrieval range in iso 8601 format default \ startdatetime defaults to 24 hours before the request is made parameters enddatetime string optional timestamp in iso 8601 format that indicates the end of the data retrieval time range if no value is specified, 'enddatetime' defaults to the time the request is made parameters top number optional number of records displayed on a page parameters mode string optional the type of data returned by the query results ("default" displays all data returned by the query, "countonly" displays the number of records returned, and "performance" limits the returned records to 500 ) parameters select string optional the list of fields included in search results (if no fields are specified, the query returns all supported fields ) headers object required headers for the request headers tmv1 query string required statement that allows you to retrieve a subset of the collected secure access activity data input example {"parameters" {"startdatetime" "2021 04 05t08 22 37z"},"headers" 
{"tmv1 query" "dpt 443 or src \\"192 169 1 1\\""}} output parameter type description status code number http status code of the response reason string response reason phrase nextlink string output field nextlink progressrate number output field progressrate items array output field items items endpointhostname string name of the resource items customerid string unique identifier items osname string name of the resource items dst string output field items dst items endpointguid string unique identifier items principalname string name of the resource items request string output field items request items act number output field items act items src string output field items src items servertls string output field items servertls items eventtime number time value items serverprotocol string output field items serverprotocol items useragent string output field items useragent items rt number output field items rt items tenantguid string unique identifier items eventname string name of the resource items application string output field items application items rulename string name of the resource items clientip string output field items clientip items requestbase string output field items requestbase output example {"status code" 202,"response headers" {"date" "sat, 02 nov 2024 14 49 31 gmt","content type" "application/json; charset=utf 8","content length" "12","connection" "keep alive","x task id" "fc3bca51 cdb3 43f2 9bb7 b47f410044d0","x trace id" "ed651ba6 a6e0 4977 a101 c05bed17f0d9","ratelimit policy" "100;w=60","ratelimit limit" "100","ratelimit remaining" "99","ratelimit reset" "60","etag" "w/\\"c f6g7sbyjuuocyykgtnzj94yg+ze\\"","tmv1 customer id" "010989fb 1843 4677 a944 2856b69339af","strict transpo get task results retrieve the results of a specified task in trend micro vision one v3 using the unique task id endpoint url /v3 0/threatintel/tasks/{{id}} method get input argument name type required description path parameters id string required the unique 
alphanumeric string that identifies a sweeping task input example {"path parameters" {"id" "43597ab5 b8b4 415d 87dc 24c94df82012"}} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier status string status value createddatetime string time value action string output field action lastactiondatetime string time value error object error message if any error code string error message if any error message string response message error number number error message if any reportid string unique identifier resourcelocation string output field resourcelocation expireddatetime string time value sweeptype string type of the resource sweepdatetime string time value ishit boolean output field ishit workbenchid string unique identifier impactscope array output field impactscope impactscope entitytype string type of the resource impactscope entityid string unique identifier matchedindicators array output field matchedindicators matchedindicators indicatorid string unique identifier matchedindicators pattern string output field matchedindicators pattern matchedindicators highlightedobjects array output field matchedindicators highlightedobjects output example {"status code" 200,"reason" "ok","json body" {"id" "43597ab5 b8b4 415d 87dc 24c94df82012","status" "running","createddatetime" "2021 04 05t08 22 37z","action" "sweep","lastactiondatetime" "string","error" {"code" "internalservererror","message" "db error","number" 4000102},"reportid" "report 2c1091ba a7d2 46b2 bf97 4137916c30cb","resourcelocation" "https //api xdr trendmicro com/ ","expireddatetime" "2019 03 15t07 44 27z","sweeptype" "schedule","sweepdatetime" "2019 03 15t07 44 27z","ishit"\ t import custom intelligence reports create a custom intelligence report in trend micro vision one v3 from csv/stix files using the provided file and data body endpoint url /v3 0/threatintel/intelligencereports method post input argument name 
type required description file object required the file to be imported (encoded in utf 8) file file string optional parameter for import custom intelligence reports file file name string optional name of the resource data body object required response data data body reportname string required the name of a custom intelligence report input example {"data body" {"reportname" "report1"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"reason" "ok","json body" \[{"status" 201,"headers" \[]},{"status" 400,"body" {}},{"status" 500,"body" {}}]} isolate endpoints isolates endpoints from the network while ensuring they remain connected to the trend micro management server, using 'endpointname' or 'agentguid' endpoint url /v3 0/response/endpoints/isolate method post input argument name type required description description string optional description of the response task agentguid string optional id of the installed agent endpointname string optional the endpoint name of the target endpoint input example {"description" "string","agentguid" "string","endpointname" "example name"} output parameter type description status code number http status code of the response reason string response reason phrase headers array http headers for the request headers name string http headers for the request headers value string http headers for the request output example {"status code" 202,"response headers" {"date" "sat, 02 nov 2024 14 49 31 gmt","content type" "application/json; charset=utf 8","content length" "12","connection" "keep alive","x task id" "fc3bca51 cdb3 43f2 9bb7 b47f410044d0","x trace id" "ed651ba6 a6e0 4977 a101 c05bed17f0d9","ratelimit policy" "100;w=60","ratelimit limit" "100","ratelimit remaining" "99","ratelimit reset" "60","etag" "w/\\"c f6g7sbyjuuocyykgtnzj94yg+ze\\"","tmv1 customer id" "010989fb 1843 4677 a944 2856b69339af","strict transpo list custom 
intelligence reports retrieve a list of custom intelligence reports, including imported and retrieved data, from trend micro vision one v3 endpoint url /v3 0/threatintel/intelligencereports method get input argument name type required description parameters orderby string optional the parameter that allows you to sort the retrieved search results in ascending or descending order parameters filter string optional the filter for retrieving a subset of the custom intelligence reports list parameters startdatetime string optional the timestamp in iso 8601 format that indicates the start of the data retrieval time range parameters enddatetime string optional timestamp in iso 8601 format that indicates the end of the data retrieval time range parameters top number optional the number of records displayed on a page input example {"parameters" {"orderby" "createddatetime desc","filter" "id eq 'report 2c1091ba a7d2 46b2 bf97 4137916c30cb' and name eq 'report1'","startdatetime" "2021 04 05t08 22 37z","enddatetime" "2021 04 06t08 22 37z","top" 100}} output parameter type description status code number http status code of the response reason string response reason phrase items array output field items items id string unique identifier items name string name of the resource items updateddatetime string time value nextlink string output field nextlink output example {"status code" 200,"reason" "ok","json body" {"items" \[{}],"nextlink" "https //api xdr trendmicro com/v3 0/threatintel/intelligencereports?top=50\&skipt "}} list suspicious objects retrieve a paginated list of suspicious domains, file hashes, ip addresses, and urls from trend micro vision one v3 endpoint url /v3 0/threatintel/suspiciousobjects method get input argument name type required description parameters orderby string optional the parameter that allows you to sort the retrieved search results in ascending or descending order if no order is specified, the results are shown in ascending order parameters 
startdatetime string optional the timestamp in iso 8601 format that indicates the start of the data retrieval time range if no value is specified, 'startdatetime' defaults to the earliest available value for 'lastmodifieddatetime' parameters enddatetime string optional the timestamp in iso 8601 format that indicates the end of the data retrieval time range if no value is specified, 'enddatetime' defaults to the time the request is made parameters top number optional number of records displayed on a page headers object optional headers for the request headers tmv1 filter string optional the filter parameter that allows you to filter the retrieved search results input example {"parameters" {"orderby" "lastmodifieddatetime desc"},"headers" {"tmv1 filter" "type eq 'url' and risklevel eq 'high'"}} output parameter type description status code number http status code of the response reason string response reason phrase items array output field items items file name string name of the resource items file string output field items file output example {"status code" 200,"response headers" {"date" "sat, 02 nov 2024 14 49 31 gmt","content type" "application/json; charset=utf 8","content length" "12","connection" "keep alive","x task id" "fc3bca51 cdb3 43f2 9bb7 b47f410044d0","x trace id" "ed651ba6 a6e0 4977 a101 c05bed17f0d9","ratelimit policy" "100;w=60","ratelimit limit" "100","ratelimit remaining" "99","ratelimit reset" "60","etag" "w/\\"c f6g7sbyjuuocyykgtnzj94yg+ze\\"","tmv1 customer id" "010989fb 1843 4677 a944 2856b69339af","strict transpo list tasks retrieve a paginated list of tasks and asynchronous jobs within trend micro vision one v3 endpoint url /v3 0/threatintel/tasks method get input argument name type required description parameters orderby string optional the parameter that allows you to sort the retrieved search results in ascending or descending order parameters filter string optional filter for retrieving a subset of the sweeping task list parameters 
startdatetime string optional the timestamp in iso 8601 format that indicates the start of the data retrieval time range parameters enddatetime string optional the timestamp in iso 8601 format that indicates the end of the data retrieval time range parameters top number optional the number of records displayed on a page input example {"parameters" {"orderby" "lastactiondatetime desc","filter" "sweeptype eq 'manual' and ishit eq true","startdatetime" "2021 04 05t08 22 37z","enddatetime" "2021 04 06t08 22 37z","top" 100}} output parameter type description status code number http status code of the response reason string response reason phrase items array output field items items id string unique identifier items status string status value items createddatetime string time value items action string output field items action items lastactiondatetime string time value items error object error message if any items error code string error message if any items error message string response message items error number number error message if any items reportid string unique identifier items resourcelocation string output field items resourcelocation items expireddatetime string time value items sweeptype string type of the resource items sweepdatetime string time value items ishit boolean output field items ishit items workbenchid string unique identifier items impactscope array output field items impactscope items impactscope entitytype string type of the resource items impactscope entityid string unique identifier items matchedindicators array output field items matchedindicators items matchedindicators indicatorid string unique identifier items matchedindicators pattern string output field items matchedindicators pattern output example {"status code" 200,"reason" "ok","json body" {"items" \[{}],"nextlink" "https //api xdr trendmicro com/v3 0/threatintel/tasks?top=50\&skiptoken=eyjpzci6i "}} modify alert status updates an alert or investigation status in trend micro vision 
one v3 using a unique identifier endpoint url /v3 0/workbench/alerts/{{id}} method patch input argument name type required description path parameters id string required the unique identifier of a workbench alert headers object optional http headers for the request headers if match string optional the etag of the resource you want to update status string optional the status of a case or investigation investigationresult string optional the findings of a case or investigation input example {"json body" {"status" "open","investigationresult" "true positive"},"path parameters" {"id" "wb 14 20190709 00003"},"headers" {"if match" "d41d8cd98f00b204e9800998ecf8427e"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"status code" 204,"response headers" {},"reason" "ok","response text" ""} remove from block list removes items like email addresses, file sha 1s, domains, ips, or urls from the suspicious object list in trend micro vision one v3 endpoint url /v3 0/response/suspiciousobjects/delete method post output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 207,"response headers" {"content length" "140","content type" "application/json","date" "tue, 19 dec 2023 20 37 23 gmt"},"reason" "ok","json body" \[{"status" 202,"headers" \[{"name" "operation location","value" "https //api xdr trendmicro com/v3 0/xdr/response/tasks/00000001"}]},{"status" 400,"headers" \[{"name" "operation location","value" "https //api xdr trendmicro com/v3 0/xdr/response/tasks/00000001"}],"body" {"error" {"code" "taskerror","message" "task duplication "}}},{"statu restore endpoint connection reinstates network access for isolated endpoints in trend micro vision one using computer name or agent guid endpoint url /tmdr/v3 0/response tasks/restore endpoint connection 
method post input argument name type required description description string optional description of the response task agentguid string optional id of the installed agent endpointname string optional <= 255 characters the endpoint name of the target endpoint input example {"description" "string","agentguid" "string","endpointname" "example name"} output parameter type description status code number http status code of the response reason string response reason phrase headers array http headers for the request headers name string http headers for the request headers value string http headers for the request output example {"status code" 202,"response headers" {"date" "sat, 02 nov 2024 14 49 31 gmt","content type" "application/json; charset=utf 8","content length" "12","connection" "keep alive","x task id" "fc3bca51 cdb3 43f2 9bb7 b47f410044d0","x trace id" "ed651ba6 a6e0 4977 a101 c05bed17f0d9","ratelimit policy" "100;w=60","ratelimit limit" "100","ratelimit remaining" "99","ratelimit reset" "60","etag" "w/\\"c f6g7sbyjuuocyykgtnzj94yg+ze\\"","tmv1 customer id" "010989fb 1843 4677 a944 2856b69339af","strict transpo scan for malware initiates a one time malware scan on specified endpoints using trend micro vision one v3, requiring endpoint details endpoint url /v3 0/response/endpoints/startmalwarescan method post input argument name type required description endpoints array optional list of endpoints to scan endpoints description string optional description of the endpoint endpoints agentguid string optional guid of the installed agent endpoints endpointname string optional name of the endpoint input example {"endpoints" \[{"description" "string","agentguid" "string","endpointname" "example name"}]} output parameter type description status code number http status code of the response reason string response reason phrase headers array http headers for the request headers operation location string http headers for the request output example {"status code" 202,"response 
headers" {"date" "sat, 02 nov 2024 14 49 31 gmt","content type" "application/json; charset=utf 8","content length" "12","connection" "keep alive","x task id" "fc3bca51 cdb3 43f2 9bb7 b47f410044d0","x trace id" "ed651ba6 a6e0 4977 a101 c05bed17f0d9","ratelimit policy" "100;w=60","ratelimit limit" "100","ratelimit remaining" "99","ratelimit reset" "60","etag" "w/\\"c f6g7sbyjuuocyykgtnzj94yg+ze\\"","tmv1 customer id" "010989fb 1843 4677 a944 2856b69339af","strict transpo terminate process terminates a running process on specified endpoints using the provided file sha1 hash in trend micro vision one v3 endpoint url /v3 0/response/endpoints/terminateprocess method post input argument name type required description description string optional description of the response task agentguid string optional id of the installed agent filesha1 string optional sha1 hash of the executable file filename string optional file name of the response task target endpointname string optional name of the endpoint input example {"description" "string","agentguid" "string","filesha1" "string","filename" "example name","endpointname" "example name"} output parameter type description status code number http status code of the response reason string response reason phrase headers array http headers for the request headers name string http headers for the request headers value string http headers for the request output example {"status code" 202,"response headers" {"date" "sat, 02 nov 2024 14 49 31 gmt","content type" "application/json; charset=utf 8","content length" "12","connection" "keep alive","x task id" "fc3bca51 cdb3 43f2 9bb7 b47f410044d0","x trace id" "ed651ba6 a6e0 4977 a101 c05bed17f0d9","ratelimit policy" "100;w=60","ratelimit limit" "100","ratelimit remaining" "99","ratelimit reset" "60","etag" "w/\\"c f6g7sbyjuuocyykgtnzj94yg+ze\\"","tmv1 customer id" "010989fb 1843 4677 a944 2856b69339af","strict transpo trigger sweeping task initiates a comprehensive search task within trend 
micro vision one v3 to scan for threats using custom intelligence inputs endpoint url /v3 0/threatintel/intelligencereports/sweep method post output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"reason" "ok","json body" \[{"status" 202,"headers" \[{"name" "operation location","value" "https //api xdr trendmicro com/ "}]},{"status" 400,"body" {"error" {"code" "badrequest","message" "bad request"}}},{"status" 404,"body" {"error" {"code" "notfound","message" "not found"}}}]} response headers header description example connection http response header connection keep alive content length the length of the response body in bytes 12 content type the media type of the resource application/json; charset=utf 8 date the date and time at which the message was originated tue, 19 dec 2023 20 37 23 gmt etag an identifier for a specific version of a resource w/"1f swghjhgirjch9amg2thj8+scgom" ratelimit limit http response header ratelimit limit 100 ratelimit policy http response header ratelimit policy 100;w=60 ratelimit remaining http response header ratelimit remaining 99 ratelimit reset http response header ratelimit reset 60 strict transport security http response header strict transport security max age=31536000; includesubdomains tmv1 customer id http response header tmv1 customer id 010989fb 1843 4677 a944 2856b69339af x powered by http response header x powered by express x task id http response header x task id 9ea157d4 83be 4420 9dac 8d73556b2d6c x trace id http response header x trace id ed651ba6 a6e0 4977 a101 c05bed17f0d9
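Two behaviours in the actions above deserve a worked example: a paginated search must carry TMV1-Query on every request, including nextLink follow-ups, and the response actions (Isolate Endpoints, Remove from Block List, Trigger Sweeping Task) answer with a per-target multi-status list whose 202 entries hold an Operation-Location task URL. The following Python is an added example, not code from the Swimlane connector or from Trend Micro; the transport is injected and fed constructed responses so it runs offline, and the host, token and skip tokens are placeholders.

```python
"""Added example (not connector or vendor code): page a Vision One v3 search and
parse a multi-status response-task reply. HTTP is done through an injected
`transport(method, url, headers, params)` callable so this runs offline."""
import time
from typing import Callable, Iterator
from urllib.parse import parse_qs, urlsplit

BASE = "https://api.xdr.trendmicro.com"   # regional host; placeholder assumption
Transport = Callable[[str, str, dict, dict], dict]  # returns {"status", "headers", "json"}


def search_pages(transport: Transport, resource: str, query: str,
                 params: dict, token: str = "TOKEN-PLACEHOLDER") -> Iterator[dict]:
    """Yield every item of a paginated search such as /v3.0/search/endpointActivities.

    TMV1-Query is re-sent with every request, including nextLink follow-ups,
    because the API requires it on each paginated request. nextLink already
    embeds skipToken and the original query string, so params are sent only once.
    """
    headers = {"Authorization": f"Bearer {token}", "TMV1-Query": query}
    url, qs = f"{BASE}{resource}", dict(params)
    while url:
        resp = transport("GET", url, headers, qs)
        if resp["status"] != 200:
            raise RuntimeError(f"search failed: HTTP {resp['status']}")
        # Respect the RateLimit-* headers (policy 100;w=60) before paging on.
        if resp["headers"].get("RateLimit-Remaining") == "0":
            time.sleep(int(resp["headers"].get("RateLimit-Reset", "60")))
        body = resp["json"]
        yield from body.get("items", [])
        url, qs = body.get("nextLink"), {}


def parse_multi_status(body: list) -> dict:
    """Split a 207 multi-status list (one entry per target) into accepted
    task URLs, to be polled later, and per-target failures with their error."""
    accepted, failed = [], []
    for idx, entry in enumerate(body):
        if entry.get("status") == 202:
            loc = next((h["value"] for h in entry.get("headers", [])
                        if h["name"].lower() == "operation-location"), None)
            accepted.append({"index": idx, "task_url": loc})
        else:
            err = (entry.get("body") or {}).get("error", {})
            failed.append({"index": idx, "status": entry.get("status"),
                           "code": err.get("code"), "message": err.get("message")})
    return {"accepted": accepted, "failed": failed}


# ---- constructed offline stand-in for the API (not real traffic) ----
PAGE1 = {"nextLink": f"{BASE}/v3.0/search/endpointActivities?skipToken=tok2",
         "items": [{"eventId": "1", "dpt": 443, "endpointHostName": "host-a"},
                   {"eventId": "2", "dpt": 443, "endpointHostName": "host-b"}]}
PAGE2 = {"items": [{"eventId": "3", "dpt": 443, "endpointHostName": "host-c"}]}
SENT = []  # records the url and headers of every request the fake transport saw


def fake_transport(method: str, url: str, headers: dict, params: dict) -> dict:
    SENT.append({"url": url, "headers": dict(headers)})
    skip = parse_qs(urlsplit(url).query).get("skipToken", [None])[0]
    return {"status": 200, "headers": {"RateLimit-Remaining": "99"},
            "json": PAGE2 if skip == "tok2" else PAGE1}


def demo_pages() -> list:
    """Collect both pages of a constructed dpt:443 search."""
    SENT.clear()
    return list(search_pages(fake_transport, "/v3.0/search/endpointActivities",
                             "dpt:443", {"top": 2}))


# Constructed 207 body in the shape the Remove from Block List example shows.
MULTI = [
    {"status": 202, "headers": [{"name": "Operation-Location",
                                 "value": f"{BASE}/v3.0/xdr/response/tasks/00000001"}]},
    {"status": 400, "headers": [],
     "body": {"error": {"code": "TaskError", "message": "Task duplication"}}},
]

if __name__ == "__main__":
    print([i["eventId"] for i in demo_pages()], len(SENT), "requests")
    print(parse_multi_status(MULTI))
```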