API Cookbook

Modify alert status after checking alert details

This task retrieves data about incident-related Workbench alerts and then modifies the status of these alerts after investigation is completed.
Flowchart: Start -> Retrieve Workbench alerts -> Parse alert details -> Update alert status -> List alert details -> End

  • At least one Trend Micro product that connects to Trend Vision One

Perform IoC Sweeping from a CSV or STIX (2.x) file

This task imports IoCs from STIX (2.x) or CSV files into a custom intelligence report, starts a sweeping task, and then checks for matched indicators.
Flowchart: Start -> Upload CSV / STIX file -> Trigger IoC sweeping for uploaded file -> Wait for sweeping completion -> Fetch sweeping result -> Does sweeping have any matched indicators? (Yes -> Download sweeping result -> End; No -> End)

  • At least one of the following: Deep Security, Trend Cloud One - Workload Security, Trend Micro Apex One, Trend Micro Apex One (Mac), XDR Endpoint Sensor

Send Workbench alerts, audit logs, and other detection data to Elasticsearch

This task retrieves Workbench alerts, Observed Attack Technique events, detection data, and audit logs, and sends them to Elasticsearch.
Flowchart: Start -> Retrieve Workbench alerts -> Retrieve Observed Attack Techniques events -> Do you need other detection data? (Yes -> Retrieve file and web detection data; No) -> Do you need audit logs? (Yes -> Retrieve audit logs; No) -> Convert data to format required for indexing -> Index the data in Elasticsearch -> End

  • At least one Trend Micro product that connects to Trend Vision One

Take a response action on the highlighted object in a Workbench alert

This task identifies the highlighted object in a Workbench alert and then takes a response action on that object.
Flowchart: Start -> Retrieve new Workbench alerts -> Are new alerts available? (No -> End; Yes) -> Update alert status -> Indicators' type (Supported type -> Register IoCs as suspicious objects; Others) -> Impact scope (Email -> Search email message details -> Create quarantine email message task; Endpoint -> Supported product? (Yes -> Query endpoint information -> Create isolate endpoint task; No); Others) -> Wait for response -> Add alert notes -> End

  • At least one of the following: Deep Security, Trend Cloud One - Workload Security, Trend Micro Apex One, Trend Micro Apex One (Mac), XDR Endpoint Sensor
  • Cloud App Security

Submit object to Sandbox Analysis

This task submits files or URLs to the sandbox and retrieves the analysis results if submissions are still available in the daily reserve. If the risk level of a submitted object is 'low' or higher, this task also downloads the analysis report.
Flowchart: Start -> Are there submissions available in the daily reserve? (No -> End; Yes) -> Submission type (File -> Submit file; URL -> Submit URL) -> Wait for analysis completion -> Task status (Unsuccessful -> Error code: Unsupported / Internal Server Error -> End; Successful -> Get analysis result) -> Risk level (No risk -> End; High / Medium / Low -> Download analysis report -> End)

Create custom reports in XLSX or PPTX format using data from the Security Posture API

This cookbook queries the Security Posture API once a day and creates custom reports in PPTX or XLSX format from the retrieved data. Each security metric is stored on a separate sheet in the XLSX workbook or on an individual slide in the PPTX presentation.
Flowchart: Start -> Execute command -> Get security posture information -> Does the XLSX report exist? (Yes -> Read existing XLSX file -> Append row to the existing XLSX file; No -> Create new XLSX file) -> Generate PPTX report: Create a new PPTX file and insert charts -> End

  • At least one Trend Micro product that connects to Trend Vision One