Trend Micro Apex Central™ is a web-based console that provides centralized management for Trend Micro products and services at the gateway, mail server, file server, and corporate desktop levels.
This document provides information about the Trend Micro Apex Central connector, which facilitates automated interactions with a Trend Micro Apex Central server using FortiSOAR™ playbooks. Add the Trend Micro Apex Central connector as a step in FortiSOAR™ playbooks and perform automated operations, such as creating a live investigation, performing actions on security endpoints, and retrieving a list of managed product servers, security agents, etc.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling logs (syslogs) from Trend Micro Apex Central. Currently, "logs" in Trend Micro Apex Central are mapped to "alerts" in FortiSOAR™. For more information, see the Data Ingestion Support section.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 6.4.3-2885
Trend Micro Apex Central Version Tested on: SAAS Model Hotfix 5366
Authored By: Fortinet
Certified: Yes
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-trendmicro-apex-central
To use the Trend Micro Apex Central connector and call its REST APIs, you must be an "Administrator" or assigned an "Admin" role.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Trend Micro Apex Central connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Trend Micro Apex Central server to which you will connect and perform automated operations. |
Application ID | Application ID to access the Trend Micro Apex Central console to which you will connect and perform the automated operations. |
API Key | API key to access the Trend Micro Apex Central management console to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Create Assessment | Creates a new historical investigation on all security agents whose endpoint sensors are enabled in Trend Micro Apex Central, using the specified criteria, search operator, match condition, and other input parameters you have specified. | create_assessment Investigation |
Create Live Investigation | Creates a new live Investigation (Generate RCA) in Trend Micro Apex Central, using the agent GUID, specified criteria, condition parameters, and other input parameters you have specified. | create_live_investigation Investigation |
List Product Server | Retrieves a list of all managed product servers or specific managed product servers reporting to Trend Micro Apex Central based on the input parameters you have specified. | list_server Investigation |
List Security Agents | Retrieves a list of all security agents or specific security agents in Trend Micro Apex Central based on the input parameters you have specified. | list_agent Investigation |
Perform Action on Security Agent | Performs an action on a security endpoint, such as Isolate, Restore connection, Uninstall Security Agent, or Relocate Security Agent, in Trend Micro Apex Central based on the action and other input parameters you have specified. | perform_action Investigation |
Get All Investigation Results | Retrieves a list of all investigation results from Trend Micro Apex Central based on the task and scan type and other input parameters you have specified. | list_investigation_result Investigation |
Get RCA Response | Retrieves results of investigations from Trend Micro Apex Central, in different formats, based on the specified task ID and other input parameters you have specified. | get_rca_response Investigation |
Get Task ID of RCA in Analysis Chain | Retrieves the taskID of an Analysis Chain view of a Root Cause Analysis (RCA) from Trend Micro Apex Central based on the task type, agent GUID, and other input parameters you have specified. | get_task_id_analysis_chain Investigation |
Download RCA CSV File | Downloads existing RCA files from Trend Micro Apex Central based on the task type, hostname, and other input parameters you have specified. | download_rca_file Investigation |
Get Task ID of RCA in Table Format | Retrieves the taskID of the table view of a Root Cause Analysis from Trend Micro Apex Central based on the task type, agent GUID, and other input parameters you have specified. | get_task_id_table_format Investigation |
Get Syslog Data | Retrieves a maximum of 1000 logs of detection types from the Trend Micro Apex Central server based on the log type and other input parameters you have specified. Note: The Pattern Update Status and Engine Update Status log types return all logs (no maximum) from the "Since Time" you have specified. | get_syslog_data Investigation |
List UDSO Entries | Retrieves a list of User-Defined Suspicious Objects (UDSO) from the Trend Micro Apex Central server based on the type, and other input parameters you have specified. | list_udso_entries Investigation |
Parameter | Description |
---|---|
Task Type | Type of API request to create the new historical investigation in Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL. |
Criteria Type | Type of criteria to be used in the historical investigation you are creating in Trend Micro Apex Central. You can choose from the following criteria type values: 'Registry data', 'File name', 'File path', 'MD5', 'SHA-1', 'Registry name', 'Account', 'Command line', 'Registry key', 'SHA-2', or 'Host name'. |
Condition | Condition to be used in the historical investigation you are creating in Trend Micro Apex Central. You can choose between IS: which means that the condition should be an "Exact Match" or CONTAIN: which means that the condition can be a "Partial Match". |
Value | Criteria to be used in the historical investigation you are creating in Trend Micro Apex Central. |
Search Period | (Optional) Scope of the search results that this operation should return from Trend Micro Apex Central. For example, if you select the THREE_MONTH option, then this operation will assess Trend Micro Apex Central data for the last 90 days only. |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"errorCode": "",
"result": "",
"errorMsg": ""
},
"Data": {
"CodeType": "",
"Data": {
"serverName": "",
"content": [],
"lastContentId": "",
"serverGuid": "",
"taskId": "",
"hasMore": ""
},
"Code": "",
"Message": "",
"TimeZone": ""
}
}
Parameter | Description |
---|---|
Investigation Name | Name of the live investigation that you want to create in Trend Micro Apex Central. |
Task Type | Type of API request to create the new live investigation in Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL. |
Agent GUID | GUID of the target endpoint for which you want to create the new live investigation in Trend Micro Apex Central. You can retrieve the agent GUID using the "List Security Agents" action. |
Server GUID | GUID of the servers for which you want to create the new live investigation in Trend Micro Apex Central. You can retrieve the server GUID using the "List Product Server" action. |
Criteria Type | Type of criteria to be used in the live investigation you are creating in Trend Micro Apex Central. You can choose from the following criteria type values: 'Registry data', 'File name', 'File path', 'MD5', 'SHA-1', 'Registry name', 'Account', 'Command line', 'Registry key', 'SHA-2', or 'Host name'. |
Condition | Condition to be used in the live investigation you are creating in Trend Micro Apex Central. You can choose between IS: which means that the condition should be an "Exact Match" or CONTAIN: which means that the condition can be a "Partial Match". |
Value | Criteria to be used in the live investigation you are creating in Trend Micro Apex Central. |
Period | (Optional) Scope of the search results that this operation should return from Trend Micro Apex Central. You can choose between All or Custom. |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"errorCode": "",
"result": "",
"errorMsg": ""
},
"Data": {
"CodeType": "",
"Data": {
"serverName": "",
"content": [
{
"content": {
"scanSummaryGuid": ""
},
"message": "",
"statusCode": ""
}
],
"lastContentId": "",
"serverGuid": "",
"taskId": "",
"hasMore": ""
},
"Code": "",
"Message": "",
"TimeZone": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Entity ID | GUID of the managed product server whose details you want to retrieve from Trend Micro Apex Central. |
IP Address | IP address of the endpoint whose associated product server details you want to retrieve from Trend Micro Apex Central. |
MAC Address | MAC address of the endpoint whose associated product server details you want to retrieve from Trend Micro Apex Central. |
Hostname | Hostname of the endpoint whose associated product server details you want to retrieve from Trend Micro Apex Central. |
Product | Trend Micro product name whose associated product server details you want to retrieve from Trend Micro Apex Central. |
The output contains the following populated JSON schema:
{
"result_code": "",
"result_content": [
{
"ad_domain": "",
"capabilities": [],
"entity_id": "",
"host_name": "",
"ip_address_list": "",
"product": ""
}
],
"result_description": ""
}
Parameter | Description |
---|---|
Agent ID | GUID of the managed product agent whose details you want to retrieve from Trend Micro Apex Central. |
IP Address | IP address of the endpoint whose associated security agent details you want to retrieve from Trend Micro Apex Central. |
MAC Address | MAC address of the endpoint whose associated security agent details you want to retrieve from Trend Micro Apex Central. |
Hostname | Name of the endpoint whose associated security agent details you want to retrieve from Trend Micro Apex Central. |
Product | Trend Micro product name whose associated security agent details you want to retrieve from Trend Micro Apex Central. |
Managing Server ID | GUID of the product server that manages the Security Agent whose details you want to retrieve from Trend Micro Apex Central. You can retrieve the GUID of the server using the "List Product Server" action. |
The output contains the following populated JSON schema:
{
"result_code": "",
"result_content": [
{
"ad_domain": "",
"capabilities": [],
"entity_id": "",
"host_name": "",
"ip_address_list": "",
"product": "",
"isolation_status": "",
"managing_server_id": "",
"folder_path": "",
"mac_address_list": ""
}
],
"result_description": ""
}
Parameter | Description |
---|---|
Action | Select the action to perform on the security agent in Trend Micro Apex Central. You can choose from the following actions: Isolate, Restore connection, Uninstall Security Agent, or Relocate Security Agent. |
Allow Multiple Match | Select the checkbox to allow multiple security agent matches on which to perform the action. |
Agent ID | GUID of the managed product agent on which you want to perform the action. You can retrieve the agent GUID using the "List Security Agents" action. |
Hostname | Endpoint name of the managed product agent on whose associated agent you want to perform the action. |
IP Address | IP address of the managed product agent on whose associated agent you want to perform the action. |
MAC Address | MAC address of the managed product agent on whose associated agent you want to perform the action. |
Product | Trend Micro product on the server instance on whose associated agent you want to perform the action. |
The output contains the following populated JSON schema:
{
"result_code": "",
"result_content": [
{
"ad_domain": "",
"capabilities": [],
"entity_id": "",
"host_name": "",
"ip_address_list": "",
"product": "",
"isolation_status": "",
"managing_server_id": "",
"folder_path": "",
"mac_address_list": ""
}
],
"result_description": ""
}
Parameter | Description |
---|---|
Task Type | Type of API request based on which you want to retrieve investigation results from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL. |
Scan Type | Type of scan or the method used for investigation based on which you want to retrieve investigation results from Trend Micro Apex Central. You can choose from the following scan types: Windows Registry, YARA Rule File, IOC Rule File, or Disk Rule File. |
Record Count | (Optional) Number of items to be returned in a single request. Default value is set to 50. |
Offset | (Optional) Index of the first item that this operation should return. Default value is set to 50. This lets you use the pagination position returned by the API to page through a set of results and resume pagination without retrieving items you have already encountered. For example, if you specify 10 in this parameter, then the operation starts from the 10th record and returns the list from there. |
Filter Type | (Optional) Filters used to retrieve scans from Trend Micro Apex Central. You can choose from the following filters: |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"errorCode": "",
"result": "",
"errorMsg": ""
},
"Data": {
"CodeType": "",
"Data": {
"hasMore": "",
"serverGuid": "",
"serverName": "",
"taskId": "",
"content": [
{
"content": {
"pagination": {
"limit": "",
"offset": "",
"total": ""
},
"scanSummaryEntity": [
{
"agentCount": "",
"creator": "",
"errorServers": "[]",
"finishTime": "",
"matchedAgentCount": "",
"name": "",
"progressInfo": {
"abortCount": "",
"connectionFailCount": "",
"errorCount": "",
"noneCount": "",
"pendingCount": "",
"processingCount": "",
"riskCount": "",
"safeCount": "",
"timeoutCount": ""
},
"scanCriteriaEntity": {
"criteriaContent": "",
"criteriaId": "",
"criteriaName": ""
},
"scanSummaryGuid": "",
"scanSummaryId": "",
"scanType": "",
"serverGuidList": [],
"specificAgentType": "",
"status": "",
"statusForUI": "",
"submitTime": ""
}
]
},
"message": "",
"statusCode": ""
}
],
"lastContentId": ""
},
"Code": "",
"Message": "",
"TimeZone": ""
}
}
Parameter | Description |
---|---|
Task Type | Type of API request based on which you want to retrieve RCA responses from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL. |
Task ID | ID of the task from another API call that is used to retrieve a specific task result. You can specify the task ID values returned by the following actions: Create Assessment, Get Task ID of RCA in Analysis Chain, or Get Task ID of RCA in Table Format. |
Top N | Specify the top n (number of RCA responses) that you want to retrieve from Trend Micro Apex Central. |
Server GUID | List of GUIDs or GUIDs in the CSV format whose RCA responses you want to retrieve from Trend Micro Apex Central. You can retrieve Server GUIDs using the "List Product Server" action. |
Content ID | ID of the content that indicates the location of the dataset. Specify an empty string for the initial request. For each subsequent request, specify the lastContentId from the previous response to continue retrieving results from the servers until the hasMore value in the response is false. |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"errorCode": "",
"result": "",
"errorMsg": ""
},
"Data": {
"CodeType": "",
"Data": {
"hasMore": "",
"serverGuid": "",
"serverName": "",
"taskId": "",
"content": [
{
"statusCode": "",
"content": {
"region": "",
"footprint": {
"operationType": "",
"timestamp": "",
"lastSeen": "",
"event": [
{
"isExpanded": "",
"timestamp": "",
"rating": {
"metaType": "",
"isSpecialCmdLine": "",
"localPrevalence": "",
"score": ""
},
"lastSeen": "",
"assessmentValue": "",
"isMatched": "",
"firstSeen": "",
"riskLevel": "",
"objectName": "",
"nodeImage": "",
"isSymbolEvent": "",
"meta": [
{
"metaType": "",
"metaHashId": ""
}
],
"operationType": "",
"eventId": "",
"metaLinkId": "",
"objectType": "",
"assessmentType": ""
}
],
"groupNo": "",
"objectId": "",
"firstSeen": "",
"parentId": ""
},
"agentInfo": [
{
"machineName": "",
"agentGuid": "",
"ip": "",
"machineGuid": "",
"serverGuid": ""
}
],
"group": [
{
"timestamp": "",
"groupNo": ""
}
],
"metadataAgentList": [
{
"typeValue": "",
"agentGuid": [],
"metaValue": ""
}
],
"traceId": "",
"metaProperty": [
{
"metaHashId": "",
"metaValue": ""
}
],
"exceedLeafModuleCountLimit": ""
},
"message": ""
}
],
"lastContentId": ""
},
"Code": "",
"Message": "",
"TimeZone": ""
}
}
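The Content ID paging contract described above (empty ID first, then the previous response's lastContentId until hasMore is false), as an added example that is not code from the FortiSOAR connector or from Trend Micro: a drain loop over a caller-supplied fetch_page(content_id) callable (assumed; the constructed stub below stands in for the real "Get RCA Response" call) that fails closed on a non-zero Meta.errorCode (assumed to mean failure) and refuses to spin when the server repeats a continuation token.

```python
"""Drain a paged Get RCA Response result set by following lastContentId / hasMore."""
from typing import Any, Callable, Dict, List

MAX_PAGES = 1000  # hard stop so a server that never reports hasMore=false cannot hang a playbook


class ApexCentralError(RuntimeError):
    """Raised when the response Meta reports an error or paging stops making progress."""


def _is_true(value: Any) -> bool:
    """hasMore is a JSON bool in the schema; tolerate string forms as well."""
    return value in (True, 1, "1") or str(value).lower() == "true"


def drain_rca_responses(fetch_page: Callable[[str], Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return every Data.Data.content entry across all pages of one task.

    fetch_page(content_id) must perform a single Get RCA Response call for a fixed
    task ID / server GUID set and return the connector's JSON result. The first
    call sends an empty content ID; each later call sends the previous response's
    lastContentId; paging ends when hasMore is false.
    """
    content_id = ""
    seen_ids = set()
    collected: List[Dict[str, Any]] = []
    for _ in range(MAX_PAGES):
        resp = fetch_page(content_id)
        meta = resp.get("Meta", {})
        # Assumption: errorCode 0 (or absent) means success; anything else is fatal,
        # so a partial result set is never mistaken for a complete one.
        if str(meta.get("errorCode", 0)) not in ("0", ""):
            raise ApexCentralError(f"Get RCA Response failed: {meta.get('errorMsg')!r}")
        data = resp.get("Data", {}).get("Data", {})
        collected.extend(data.get("content", []))
        if not _is_true(data.get("hasMore")):
            return collected
        next_id = data.get("lastContentId", "")
        if not next_id or next_id in seen_ids:
            # An empty or repeated continuation token means the server is not advancing.
            raise ApexCentralError(f"pagination stalled at content ID {next_id!r}")
        seen_ids.add(next_id)
        content_id = next_id
    raise ApexCentralError(f"gave up after {MAX_PAGES} pages")


def _page(has_more: bool, last_id: str, trace_ids: List[str]) -> Dict[str, Any]:
    """Build one constructed response in the shape of the schema above (not real data)."""
    return {
        "Meta": {"errorCode": 0, "result": 1, "errorMsg": ""},
        "Data": {
            "CodeType": 0,
            "Data": {
                "hasMore": has_more, "serverGuid": "server-guid-placeholder", "serverName": "",
                "taskId": "task-id-placeholder", "lastContentId": last_id,
                "content": [{"statusCode": 200, "message": "",
                             "content": {"traceId": t, "region": ""}} for t in trace_ids],
            },
            "Code": 0, "Message": "", "TimeZone": "",
        },
    }


# Constructed two-page result set keyed by the content ID the client sends.
_SAMPLE_PAGES = {
    "": _page(True, "content-1", ["trace-a", "trace-b"]),
    "content-1": _page(False, "content-2", ["trace-c"]),
}


def stub_fetch(content_id: str) -> Dict[str, Any]:
    """Stand-in for the connector call; indexes the constructed pages by content ID."""
    return _SAMPLE_PAGES[content_id]


def stalled_fetch(content_id: str) -> Dict[str, Any]:
    """Misbehaving server: always hasMore=true with the same continuation token."""
    return _page(True, "content-1", ["trace-x"])


def demo_trace_ids() -> List[str]:
    """Trace IDs gathered across both constructed pages, in order."""
    return [entry["content"]["traceId"] for entry in drain_rca_responses(stub_fetch)]


def demo_stall_detected() -> bool:
    """True when the stalled server is rejected instead of looping."""
    try:
        drain_rca_responses(stalled_fetch)
    except ApexCentralError:
        return True
    return False
```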
Parameter | Description |
---|---|
Task Type | Type of API request based on which you want to retrieve RCA taskID from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL. |
Agent GUID | GUID of the target endpoint whose associated RCA task ID you want to retrieve from Trend Micro Apex Central. You can retrieve Agent GUIDs using the "List Security Agents" action. |
Scan Summary GUID | GUID of the investigation summary based on which you want to retrieve RCA taskID from Trend Micro Apex Central. You can retrieve investigation summary GUIDs using the "Get All Investigation Results" action. |
Server GUID | GUID of the target server based on which you want to retrieve RCA taskID from Trend Micro Apex Central. You can retrieve Server GUIDs using the "List Product Server" action. |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"errorCode": "",
"result": "",
"errorMsg": ""
},
"Data": {
"CodeType": "",
"Data": {
"hasMore": "",
"serverGuid": "",
"serverName": "",
"taskId": "",
"content": [],
"lastContentId": ""
},
"Code": "",
"Message": "",
"TimeZone": ""
}
}
Parameter | Description |
---|---|
Task Type | Type of API request based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL. |
Host IP | Host IP address of the security agent based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve host IP addresses using the "List Security Agents" action. |
Host Name | Hostname of the security agent based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve hostnames using the "List Security Agents" action. |
Agent GUID | GUID of the target endpoint based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve Agent GUIDs using the "List Security Agents" action. |
Scan Summary GUID | GUID of the investigation summary based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve investigation summary GUIDs using the "Get All Investigation Results" action. |
Server GUID | GUID of the target server based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve server GUIDs from the "List Product Server" action. |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"errorCode": "",
"result": "",
"errorMsg": ""
},
"Data": {
"CodeType": "",
"Data": {
"hasMore": "",
"serverGuid": "",
"serverName": "",
"taskId": "",
"content": [
{
"content": {
"csv": ""
},
"statusCode": "",
"message": ""
}
],
"lastContentId": ""
},
"Code": "",
"Message": "",
"TimeZone": ""
}
}
Parameter | Description |
---|---|
Task Type | Type of API request based on which you want to retrieve the task ID of the table view of an RCA from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL. |
Agent GUID | GUID of the target endpoint whose associated RCA task ID of the table view you want to retrieve from Trend Micro Apex Central. You can retrieve Agent GUIDs using the "List Security Agents" action. |
Scan Summary GUID | GUID of the investigation summary based on which you want to retrieve RCA taskID of the table view from Trend Micro Apex Central. You can retrieve investigation summary GUIDs using the "Get All Investigation Results" action. |
Server GUID | GUID of the target server based on which you want to retrieve RCA taskID of the table view from Trend Micro Apex Central. You can retrieve Server GUIDs using the "List Product Server" action. |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"errorCode": "",
"result": "",
"errorMsg": ""
},
"Data": {
"CodeType": "",
"Data": {
"hasMore": "",
"serverGuid": "",
"serverName": "",
"taskId": "",
"content": [
{
"statusCode": "",
"content": {},
"message": ""
}
],
"lastContentId": ""
},
"Code": "",
"Message": "",
"TimeZone": ""
}
}
Parameter | Description |
---|---|
Log Type | Select the type of log data you want to retrieve from Trend Micro Apex Central. You can choose from the following log types: Data Loss Prevention, Device Control, Behavior Monitoring, Virus/Malware, Spyware/Grayware, Web Violation, Content Violation, Network Content Inspection, C&C Callback, Suspicious File Information, Predictive Machine Learning, Virtual Analyzer Detections, Application Control, Managed Product User Access, Attack Discovery, Pattern Update Status, Engine Update Status, Product Auditing Events, or Intrusion Prevention. |
Page Token | (Optional) ID of the log of the first record to query in Trend Micro Apex Central. |
Time Range | (Optional) Time range based on which you want to retrieve syslogs from Trend Micro Apex Central. You can choose from the following options: Last 24 hours, Today, Last 7 days, Last 14 days, Last 30 days, or Custom Time. If you choose Custom Time, then in the Since Time parameter specify the date and time of the first record to query in the Trend Micro Apex Central. Note: If you do not specify the time, then 1000 logs will be retrieved from Trend Micro Apex Central. |
Output Format | (Optional) Log format in which you want to retrieve the response from Trend Micro Apex Central. Specify 1 or CEF Format. |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"ErrorCode": "",
"Result": "",
"ErrorMsg": ""
},
"Data": {
"SyslogName": "",
"Next": "",
"Count": "",
"SyslogType": "",
"SyslogOutputFormat": "",
"Logs": [],
"CurrentPage": {
"SinceTime": "",
"PageToken": ""
},
"NextPage": {
"SinceTime": "",
"PageToken": ""
}
}
}
Parameter | Description |
---|---|
Type | Type of suspicious object that you want to query in Trend Micro Apex Central. You can choose from the following types: Files, File SHA-1, IP Addresses, URLs, or Domains. |
Content Filter | Filters the list of suspicious objects to retrieve only those suspicious objects from Trend Micro Apex Central that match the string (filter) that you have specified. |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"ErrorCode": "",
"Result": "",
"ErrorMsg": ""
},
"Data": [
{
"scan_action": "",
"expiration_utc_date": "",
"content": "",
"type": "",
"notes": ""
}
]
}
The Sample - Trend Micro Apex Central - 1.0.0 playbook collection comes bundled with the Trend Micro Apex Central connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Trend Micro Apex Central connector.
The following playbooks are used for Data Ingestion:
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling syslogs from Trend Micro Apex Central. Currently, these "logs" from Trend Micro Apex Central are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Trend Micro Apex Central "logs" to FortiSOAR™ "Alerts".
The Data Ingestion Wizard enables you to configure scheduled pulling of data (syslogs) from Trend Micro Apex Central into FortiSOAR™. It also lets you pull some sample data from Trend Micro Apex Central, using which you can define the mapping of data between Trend Micro Apex Central and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users usually only need to map any custom fields that are added to the Trend Micro Apex Central event.
On the Field Mapping screen, map the fields of a Trend Micro Apex Central log to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the DeviceProduct parameter of a Trend Micro Apex Central event to the Source Type parameter of a FortiSOAR™ alert, click the Source Type field and then click the DeviceProduct field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.
Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Trend Micro Apex Central, so that the content gets pulled from the Trend Micro Apex Central integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Trend Micro Apex Central every 5 minutes, click Every X Minute and in the minute box enter */5. This means that, based on the configuration you have set up, data (i.e., logs) will be pulled from Trend Micro Apex Central every 5 minutes.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion, and exit the Data Ingestion Wizard.
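One scheduled ingestion run, as an added example that is not code from the FortiSOAR connector: it takes a "Get Syslog Data" response in the shape of the schema above, turns each CEF-formatted log into an alert record using the DeviceProduct to Source Type mapping described in the field mapping step, and hands back Data.NextPage as the checkpoint to persist for the next scheduled pull (the Since Time and Page Token parameters). It assumes Data.Logs holds CEF strings when the CEF output format is selected and that Meta.ErrorCode 0 means success; the response and log lines are constructed, not real Apex Central data, and the alert field names are illustrative.

```python
"""Turn one Get Syslog Data page into alert records plus a resume checkpoint."""
import re
from typing import Any, Dict, List, Tuple

# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
_HEADER_KEYS = ("CEFVersion", "DeviceVendor", "DeviceProduct", "DeviceVersion",
                "SignatureID", "Name", "Severity")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")        # header separators; "\|" is a literal pipe
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # start of each extension key=value pair


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one CEF line into its seven header keys plus the extension key/value pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _UNESCAPED_PIPE.split(line[len("CEF:"):], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header has fewer than seven fields")
    record = {key: value.replace("\\|", "|") for key, value in zip(_HEADER_KEYS, parts[:7])}
    extension = parts[7]
    keys = list(_EXT_KEY.finditer(extension))
    for index, match in enumerate(keys):
        # A value runs up to the next "key=" token, so values may contain spaces.
        end = keys[index + 1].start() if index + 1 < len(keys) else len(extension)
        record[match.group(1)] = extension[match.end():end].strip()
    return record


def to_alert(record: Dict[str, str]) -> Dict[str, Any]:
    """Illustrative alert mapping; sourceType comes from DeviceProduct as in the wizard example."""
    return {
        "name": record.get("Name", ""),
        "sourceType": record.get("DeviceProduct", ""),
        "severity": record.get("Severity", ""),
        "sourceHost": record.get("dvchost", ""),
        "externalId": record.get("deviceExternalId", ""),
        "action": record.get("act", ""),
    }


def ingest_page(response: Dict[str, Any]) -> Tuple[List[Dict[str, Any]], Dict[str, str], int]:
    """Return (alerts, checkpoint, skipped) for one Get Syslog Data response.

    checkpoint is Data.NextPage, which the next scheduled run feeds back as the
    Since Time / Page Token parameters so already-ingested logs are not pulled again.
    """
    meta = response.get("Meta", {})
    # Note the capitalised keys: this call's Meta uses ErrorCode/Result/ErrorMsg, unlike the
    # errorCode/result/errorMsg of the investigation calls. Assumption: 0 means success.
    if str(meta.get("ErrorCode", 0)) not in ("0", ""):
        raise RuntimeError(f"Get Syslog Data failed: {meta.get('ErrorMsg')!r}")
    data = response.get("Data", {})
    alerts: List[Dict[str, Any]] = []
    skipped = 0
    for line in data.get("Logs", []):
        try:
            alerts.append(to_alert(parse_cef(line)))
        except ValueError:
            skipped += 1  # one malformed record must not lose the whole page
    next_page = data.get("NextPage") or {}
    checkpoint = {"SinceTime": next_page.get("SinceTime", ""),
                  "PageToken": next_page.get("PageToken", "")}
    return alerts, checkpoint, skipped


# Constructed sample response (not real Apex Central output) with two CEF logs and one bad line.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "Meta": {"ErrorCode": 0, "Result": 1, "ErrorMsg": ""},
    "Data": {
        "SyslogName": "sample", "Next": "", "Count": 3, "SyslogType": "web_violation",
        "SyslogOutputFormat": "CEF",
        "Logs": [
            "CEF:0|Trend Micro|Apex Central|2019|WB:36|36|3|deviceExternalId=38 "
            "rt=Nov 15 2017 08:43:57 GMT+00:00 dvchost=WS-EXAMPLE-01 "
            "request=http://example.invalid/path act=Block",
            "CEF:0|Trend Micro|Apex Central|2019|WB:36|Web\\|Violation|2|"
            "deviceExternalId=39 dvchost=WS-EXAMPLE-02 act=Warn",
            "not a cef record",
        ],
        "CurrentPage": {"SinceTime": "2017-11-15T08:00:00", "PageToken": "0"},
        "NextPage": {"SinceTime": "2017-11-15T08:43:57", "PageToken": "39"},
    },
}
```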
Trend Micro Apex Central™ is a web-based console that provides centralized management for Trend Micro products and services at the gateway, mail server, file server, and corporate desktop levels.
This document provides information about the Trend Micro Apex Central connector, which facilitates automated interactions with a Trend Micro Apex Central server using FortiSOAR™ playbooks. Add the Trend Micro Apex Central connector as a step in FortiSOAR™ playbooks and perform automated operations, such as creating a live investigation, performing actions on security endpoints, and retrieving a list of managed product servers, security agents, etc.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling logs (syslogs) from Trend Micro Apex Central. Currently, "logs" in Trend Micro Apex Central are mapped to "alerts" in FortiSOAR™. For more information, see the Data Ingestion Support section
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 6.4.3-2885
Trend Micro Apex Central Version Tested on: SAAS Model Hotfix 5366
Authored By: Fortinet
Certified: Yes
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root
user to install connectors from an SSH session:
yum install cyops-connector-trendmicro-apex-central
To use the Trend Micro Apex Central connector and call its REST APIs, you must be an "Administrator" or assigned an "Admin" role.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Trend Micro Apex Central connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Trend Micro Apex Central server to which you will connect and perform automated operations. |
Application ID | Application ID to access the Trend Micro Apex Central console to which you will connect and perform the automated operations. |
API Key | API key to access the Trend Micro Apex Central management console to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Create Assessment | Creates a new historical investigation on all security agents whose endpoint sensors are enabled in Trend Micro Apex Central, using the criteria type, condition, value, and search period you have specified. | create_assessment Investigation |
Create Live Investigation | Creates a new live investigation (Generate RCA) in Trend Micro Apex Central, using the agent GUID, criteria type, condition, and other input parameters you have specified. | create_live_investigation Investigation |
List Product Server | Retrieves a list of all managed product servers, or of specific managed product servers, reporting to Trend Micro Apex Central based on the input parameters you have specified. | list_server Investigation |
List Security Agents | Retrieves a list of all security agents, or of specific security agents, in Trend Micro Apex Central based on the input parameters you have specified. | list_agent Investigation |
Perform Action on Security Agent | Performs an action on a security endpoint, such as Isolate, Restore connection, Uninstall Security Agent, or Relocate Security Agent, in Trend Micro Apex Central based on the action and other input parameters you have specified. | perform_action Investigation |
Get All Investigation Results | Retrieves a list of all investigation results from Trend Micro Apex Central based on the task type, scan type, and other input parameters you have specified. | list_investigation_result Investigation |
Get RCA Response | Retrieves the results of an investigation from Trend Micro Apex Central, in different formats, based on the specified task ID and other input parameters you have specified. | get_rca_response Investigation |
Get Task ID of RCA in Analysis Chain | Retrieves the taskID of an Analysis Chain view of a Root Cause Analysis (RCA) from Trend Micro Apex Central based on the task type, agent GUID, and other input parameters you have specified. | get_task_id_analysis_chain Investigation |
Download RCA CSV File | Downloads existing RCA files from Trend Micro Apex Central based on the task type, hostname, and other input parameters you have specified. | download_rca_file Investigation |
Get Task ID of RCA in Table Format | Retrieves the taskID of the table view of a Root Cause Analysis from Trend Micro Apex Central based on the task type, agent GUID, and other input parameters you have specified. | get_task_id_table_format Investigation |
Get Syslog Data | Retrieves a maximum of 1000 logs of the specified detection type from the Trend Micro Apex Central server based on the log type and other input parameters you have specified. Note: The Pattern Update Status and Engine Update Status log types return all logs (no maximum) from the "Since Time" you have specified. | get_syslog_data Investigation |
List UDSO Entries | Retrieves a list of User-Defined Suspicious Objects (UDSO) from the Trend Micro Apex Central server based on the type and other input parameters you have specified. | list_udso_entries Investigation |
Input parameters for the Create Assessment operation:
Parameter | Description |
---|---|
Task Type | Type of API request to create the new historical investigation in Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL. |
Criteria Type | Type of criteria to be used in the historical investigation you are creating in Trend Micro Apex Central. You can choose from the following criteria type values: 'Registry data', 'File name', 'File path', 'MD5', 'SHA-1', 'Registry name', 'Account', 'Command line', 'Registry key', 'SHA-2', or 'Host name'. |
Condition | Condition to be used in the historical investigation you are creating in Trend Micro Apex Central. You can choose between IS: which means that the condition should be an "Exact Match" or CONTAIN: which means that the condition can be a "Partial Match". |
Value | Criteria to be used in the historical investigation you are creating in Trend Micro Apex Central. |
Search Period | (Optional) Scope of the search results that this operation should return from Trend Micro Apex Central. For example, if you select the THREE_MONTH option, then this operation will assess Trend Micro Apex Central data for the last 90 days only. |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"errorCode": "",
"result": "",
"errorMsg": ""
},
"Data": {
"CodeType": "",
"Data": {
"serverName": "",
"content": [],
"lastContentId": "",
"serverGuid": "",
"taskId": "",
"hasMore": ""
},
"Code": "",
"Message": "",
"TimeZone": ""
}
}
Input parameters for the Create Live Investigation operation:
Parameter | Description |
---|---|
Investigation Name | Name of the live investigation that you want to create in Trend Micro Apex Central. |
Task Type | Type of API request to create the new live investigation in Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL. |
Agent GUID | GUID of the target endpoint for which you want to create the new live investigation in Trend Micro Apex Central. You can retrieve the agent GUID using the "List Security Agents" action. |
Server GUID | GUID of the server for which you want to create the new live investigation in Trend Micro Apex Central. You can retrieve the server GUID using the "List Product Server" action. |
Criteria Type | Type of criteria to be used in the live investigation you are creating in Trend Micro Apex Central. You can choose from the following criteria type values: 'Registry data', 'File name', 'File path', 'MD5', 'SHA-1', 'Registry name', 'Account', 'Command line', 'Registry key', 'SHA-2', or 'Host name'. |
Condition | Condition to be used in the live investigation you are creating in Trend Micro Apex Central. You can choose between IS: which means that the condition should be an "Exact Match" or CONTAIN: which means that the condition can be a "Partial Match". |
Value | Criteria to be used in the live investigation you are creating in Trend Micro Apex Central. |
Period | (Optional) Scope of the search results that this operation should return from Trend Micro Apex Central. You can choose between All or Custom. |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"errorCode": "",
"result": "",
"errorMsg": ""
},
"Data": {
"CodeType": "",
"Data": {
"serverName": "",
"content": [
{
"content": {
"scanSummaryGuid": ""
},
"message": "",
"statusCode": ""
}
],
"lastContentId": "",
"serverGuid": "",
"taskId": "",
"hasMore": ""
},
"Code": "",
"Message": "",
"TimeZone": ""
}
}
Input parameters for the List Product Server operation. Note: All the input parameters are optional; if you do not specify any parameter, no filter criterion is applied and the full, unfiltered list of product servers is returned.
Parameter | Description |
---|---|
Entity ID | GUID of the managed product server whose details you want to retrieve from Trend Micro Apex Central. |
IP Address | IP address of the endpoint whose associated product server details you want to retrieve from Trend Micro Apex Central. |
MAC Address | MAC address of the endpoint whose associated product server details you want to retrieve from Trend Micro Apex Central. |
Hostname | Hostname of the endpoint whose associated product server details you want to retrieve from Trend Micro Apex Central. |
Product | Trend Micro product name whose associated product server details you want to retrieve from Trend Micro Apex Central. |
The output contains the following populated JSON schema:
{
"result_code": "",
"result_content": [
{
"ad_domain": "",
"capabilities": [],
"entity_id": "",
"host_name": "",
"ip_address_list": "",
"product": ""
}
],
"result_description": ""
}
Input parameters for the List Security Agents operation:
Parameter | Description |
---|---|
Agent ID | GUID of the managed product agent whose details you want to retrieve from Trend Micro Apex Central. |
IP Address | IP address of the endpoint whose associated security agents details you want to retrieve from Trend Micro Apex Central. |
MAC Address | MAC address of the endpoint whose associated security agents details you want to retrieve from Trend Micro Apex Central. |
Hostname | Name of the endpoint whose associated security agents details you want to retrieve from Trend Micro Apex Central. |
Product | Trend Micro product name whose associated security agents details you want to retrieve from Trend Micro Apex Central. |
Managing Server ID | GUID of the product server that manages the Security Agent whose details you want to retrieve from Trend Micro Apex Central. You can retrieve the GUID of the server using the "List Product Server" action. |
The output contains the following populated JSON schema:
{
"result_code": "",
"result_content": [
{
"ad_domain": "",
"capabilities": [],
"entity_id": "",
"host_name": "",
"ip_address_list": "",
"product": "",
"isolation_status": "",
"managing_server_id": "",
"folder_path": "",
"mac_address_list": ""
}
],
"result_description": ""
}
Input parameters for the Perform Action on Security Agent operation:
Parameter | Description |
---|---|
Action | Select the action to perform on the security agent in Trend Micro Apex Central. You can choose from the following actions: Isolate, Restore connection, Uninstall Security Agent, or Relocate Security Agent. |
Allow Multiple Match | Select the checkbox to allow the action to be performed on more than one security agent when the parameters you specify (for example, a hostname or product) match multiple agents. |
Agent ID | GUID of the managed product agent on which you want to perform the action. You can retrieve the agent GUID using the "List Security Agents" action. |
Hostname | Endpoint name of the managed product agent on whose associated agent you want to perform the action. |
IP Address | IP address of the managed product agent on whose associated agent you want to perform the action. |
MAC Address | MAC address of the managed product agent on whose associated agent you want to perform the action. |
Product | Trend Micro product on the server instance on whose associated agent you want to perform the action. |
The output contains the following populated JSON schema:
{
"result_code": "",
"result_content": [
{
"ad_domain": "",
"capabilities": [],
"entity_id": "",
"host_name": "",
"ip_address_list": "",
"product": "",
"isolation_status": "",
"managing_server_id": "",
"folder_path": "",
"mac_address_list": ""
}
],
"result_description": ""
}
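The "Allow Multiple Match" option matters because Isolate and Uninstall are disruptive and the selectors other than Agent ID (hostname, IP address, product) can match more than one agent. Below is an added example, not the connector's code, of the pre-flight guard a playbook should apply before submitting such an action: resolve the target against records shaped like the result_content entries returned by "List Security Agents" and refuse to act when the selector is empty or matches several agents unless multiple matches were explicitly allowed. The agent records, product names and isolation_status values are constructed, and the selector semantics (all given selectors must match, hostnames compared case-insensitively, ip_address_list and mac_address_list treated as comma-separated strings) are assumptions.

```python
# Added example, not the connector's code. Pre-flight guard for the
# "Allow Multiple Match" option of "Perform Action on Security Agent".
# Records below are constructed in the result_content shape documented above;
# product names and isolation_status values are placeholders.
AGENTS = [
    {"entity_id": "guid-a1", "host_name": "FINANCE-PC01", "ip_address_list": "10.0.1.20",
     "mac_address_list": "00-11-22-33-44-55", "product": "ExampleProduct",
     "isolation_status": "normal"},
    {"entity_id": "guid-a2", "host_name": "FINANCE-PC02",
     "ip_address_list": "10.0.1.21,192.168.56.5",
     "mac_address_list": "00-11-22-33-44-66,0A-00-27-00-00-0E", "product": "ExampleProduct",
     "isolation_status": "normal"},
    {"entity_id": "guid-a3", "host_name": "HR-LAPTOP07", "ip_address_list": "10.0.2.9",
     "mac_address_list": "00-11-22-33-44-77", "product": "OtherProduct",
     "isolation_status": "isolated"},
]

# The four actions the operation supports, keyed by the short names used in this example.
ACTIONS = {"isolate": "Isolate", "restore": "Restore connection",
           "uninstall": "Uninstall Security Agent", "relocate": "Relocate Security Agent"}


def select_agents(agents, agent_id=None, hostname=None, ip=None, mac=None, product=None):
    """Return the agents matching every selector that was given (AND semantics).
    Comma-separated address lists are assumed for multi-homed endpoints."""
    def matches(a):
        return ((agent_id is None or a["entity_id"] == agent_id)
                and (hostname is None or a["host_name"].lower() == hostname.lower())
                and (ip is None or ip in a["ip_address_list"].split(","))
                and (mac is None or mac.lower() in a["mac_address_list"].lower().split(","))
                and (product is None or a["product"] == product))
    return [a for a in agents if matches(a)]


def plan_action(agents, action, allow_multiple_match=False, **selector):
    """Return [(action, entity_id), ...] to submit, or raise before anything is changed."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if not any(v is not None for v in selector.values()):
        # An empty selector would match the whole fleet; never isolate or uninstall blind.
        raise ValueError("refusing to act on an unfiltered agent list")
    targets = select_agents(agents, **selector)
    if not targets:
        raise LookupError("no agent matches the selector")
    if len(targets) > 1 and not allow_multiple_match:
        raise RuntimeError(f"{len(targets)} agents match; set allow_multiple_match=True "
                           "to act on all of them")
    if action == "isolate":
        # Idempotent: an agent already isolated (constructed status value) is skipped.
        targets = [a for a in targets if a["isolation_status"] != "isolated"]
    return [(ACTIONS[action], a["entity_id"]) for a in targets]
```

In a playbook the same check can be expressed by running "List Security Agents" with the same selectors first and branching on the number of returned result_content entries; submitting the action by Agent ID after that step keeps the audit trail unambiguous.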
Input parameters for the Get All Investigation Results operation:
Parameter | Description |
---|---|
Task Type | Type of API request based on which you want to retrieve investigation results from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL. |
Scan Type | Type of scan or the method used for investigation based on which you want to retrieve investigation results from Trend Micro Apex Central. You can choose from the following scan types: Windows Registry, YARA Rule File, IOC Rule File, or Disk Rule File. |
Record Count | (Optional) Number of items to be returned in a single request. Default value is set to 50. |
Offset | (Optional) Index of the first item that this operation should return. Default value is set to 50. Use it together with Record Count to page through a result set without re-fetching items already returned; the pagination object in the response reports the limit, offset, and total for the current page. For example, if you specify 10 in this parameter, then the operation starts from the 10th record and returns the list from there. |
Filter Type | (Optional) Filters used to retrieve scans from Trend Micro Apex Central. You can choose from the following filters: |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"errorCode": "",
"result": "",
"errorMsg": ""
},
"Data": {
"CodeType": "",
"Data": {
"hasMore": "",
"serverGuid": "",
"serverName": "",
"taskId": "",
"content": [
{
"content": {
"pagination": {
"limit": "",
"offset": "",
"total": ""
},
"scanSummaryEntity": [
{
"agentCount": "",
"creator": "",
"errorServers": "[]",
"finishTime": "",
"matchedAgentCount": "",
"name": "",
"progressInfo": {
"abortCount": "",
"connectionFailCount": "",
"errorCount": "",
"noneCount": "",
"pendingCount": "",
"processingCount": "",
"riskCount": "",
"safeCount": "",
"timeoutCount": ""
},
"scanCriteriaEntity": {
"criteriaContent": "",
"criteriaId": "",
"criteriaName": ""
},
"scanSummaryGuid": "",
"scanSummaryId": "",
"scanType": "",
"serverGuidList": [],
"specificAgentType": "",
"status": "",
"statusForUI": "",
"submitTime": ""
}
]
},
"message": "",
"statusCode": ""
}
],
"lastContentId": ""
},
"Code": "",
"Message": "",
"TimeZone": ""
}
}
Input parameters for the Get RCA Response operation:
Parameter | Description |
---|---|
Task Type | Type of API request based on which you want to retrieve RCA responses from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL. |
Task ID | ID of the task from another API call that is used to retrieve a specific task result. You can specify the task ID values returned by the following actions: Create Assessment, Get Task ID of RCA in Analysis Chain, or Get Task ID of RCA in Table Format. |
Top N | Specify the top n (number of RCA responses) that you want to retrieve from Trend Micro Apex Central. |
Server GUID | Comma-separated list of GUIDs of the servers whose RCA responses you want to retrieve from Trend Micro Apex Central. You can retrieve server GUIDs using the "List Product Server" action. |
Content ID | ID that indicates the location of the dataset within the results. Leave it empty for the initial request; for each subsequent request, pass the lastContentId from the previous response and keep requesting until the hasMore value in the response is false. |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"errorCode": "",
"result": "",
"errorMsg": ""
},
"Data": {
"CodeType": "",
"Data": {
"hasMore": "",
"serverGuid": "",
"serverName": "",
"taskId": "",
"content": [
{
"statusCode": "",
"content": {
"region": "",
"footprint": {
"operationType": "",
"timestamp": "",
"lastSeen": "",
"event": [
{
"isExpanded": "",
"timestamp": "",
"rating": {
"metaType": "",
"isSpecialCmdLine": "",
"localPrevalence": "",
"score": ""
},
"lastSeen": "",
"assessmentValue": "",
"isMatched": "",
"firstSeen": "",
"riskLevel": "",
"objectName": "",
"nodeImage": "",
"isSymbolEvent": "",
"meta": [
{
"metaType": "",
"metaHashId": ""
}
],
"operationType": "",
"eventId": "",
"metaLinkId": "",
"objectType": "",
"assessmentType": ""
}
],
"groupNo": "",
"objectId": "",
"firstSeen": "",
"parentId": ""
},
"agentInfo": [
{
"machineName": "",
"agentGuid": "",
"ip": "",
"machineGuid": "",
"serverGuid": ""
}
],
"group": [
{
"timestamp": "",
"groupNo": ""
}
],
"metadataAgentList": [
{
"typeValue": "",
"agentGuid": [],
"metaValue": ""
}
],
"traceId": "",
"metaProperty": [
{
"metaHashId": "",
"metaValue": ""
}
],
"exceedLeafModuleCountLimit": ""
},
"message": ""
}
],
"lastContentId": ""
},
"Code": "",
"Message": "",
"TimeZone": ""
}
}
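The Content ID parameter describes a cursor loop: start with an empty content ID, then feed back Data.Data.lastContentId until Data.Data.hasMore is false. The following added example, not the connector's code, drives that loop with two guards a production playbook needs (a page cap, and detection of a cursor that never advances, which would otherwise loop forever). fake_get_rca_response stands in for the real "Get RCA Response" call and serves a constructed three-page result in the response shape shown above; treating a non-empty Meta.errorMsg as failure is an assumption.

```python
# Added example, not the connector's code. Drains a multi-page "Get RCA Response"
# result by following lastContentId until hasMore is false. The two fake_* functions
# stand in for the real call and return constructed data in the documented shape.
_PAGES = {
    "":   {"content": [{"statusCode": 200, "message": "", "content": {"traceId": "trace-1"}}],
           "lastContentId": "c1", "hasMore": True},
    "c1": {"content": [{"statusCode": 200, "message": "", "content": {"traceId": "trace-2"}}],
           "lastContentId": "c2", "hasMore": True},
    "c2": {"content": [{"statusCode": 200, "message": "", "content": {"traceId": "trace-3"}}],
           "lastContentId": "c3", "hasMore": False},
}


def fake_get_rca_response(task_id, server_guids, content_id):
    """Well-behaved stand-in: three pages keyed by the content ID the caller sends."""
    page = _PAGES[content_id]
    return {"Meta": {"errorCode": 0, "result": 1, "errorMsg": ""},
            "Data": {"CodeType": 1, "Code": 1, "Message": "", "TimeZone": 0,
                     "Data": {"taskId": task_id, "serverGuid": server_guids[0],
                              "serverName": "example-server", **page}}}


def fake_stuck_response(task_id, server_guids, content_id):
    """Misbehaving stand-in: always reports hasMore but never advances the cursor."""
    resp = fake_get_rca_response(task_id, server_guids, "")
    resp["Data"]["Data"]["content"] = []
    return resp


def drain_rca_results(fetch, task_id, server_guids, max_pages=1000):
    """Return every result item for task_id across all pages.
    fetch(task_id, server_guids, content_id) must return one response in the documented shape."""
    items, content_id, requested = [], "", set()
    for _ in range(max_pages):
        requested.add(content_id)
        resp = fetch(task_id, server_guids, content_id)
        if resp["Meta"].get("errorMsg"):          # assumption: empty on success
            raise RuntimeError(f"Apex Central error: {resp['Meta']['errorMsg']}")
        data = resp["Data"]["Data"]
        items.extend(entry["content"] for entry in data["content"])
        if not data["hasMore"]:
            return items
        content_id = data["lastContentId"]
        if content_id in requested:
            raise RuntimeError("server reported hasMore but lastContentId did not advance")
    raise RuntimeError(f"gave up after {max_pages} pages with hasMore still set")


if __name__ == "__main__":
    print(drain_rca_results(fake_get_rca_response, "task-1", ["server-guid-1"]))
```

In a FortiSOAR™ playbook the same loop is a step that calls Get RCA Response, stores lastContentId in a variable, and repeats while hasMore is true; the page cap is worth keeping there too, since an unbounded loop against a slow server ties up the playbook worker.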
Input parameters for the Get Task ID of RCA in Analysis Chain operation:
Parameter | Description |
---|---|
Task Type | Type of API request based on which you want to retrieve RCA taskID from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL. |
Agent GUID | GUID of the target endpoint whose associated RCA task ID you want to retrieve from Trend Micro Apex Central. You can retrieve Agent GUIDs using the "List Security Agents" action. |
Scan Summary GUID | GUID of the investigation summary based on which you want to retrieve RCA taskID from Trend Micro Apex Central. You can retrieve investigation summary GUIDs using the "Get All Investigation Results" action. |
Server GUID | GUID of the target server based on which you want to retrieve RCA taskID from Trend Micro Apex Central. You can retrieve Server GUIDs using the "List Product Server" action. |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"errorCode": "",
"result": "",
"errorMsg": ""
},
"Data": {
"CodeType": "",
"Data": {
"hasMore": "",
"serverGuid": "",
"serverName": "",
"taskId": "",
"content": [],
"lastContentId": ""
},
"Code": "",
"Message": "",
"TimeZone": ""
}
}
Input parameters for the Download RCA CSV File operation:
Parameter | Description |
---|---|
Task Type | Type of API request based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL. |
Host IP | IP address of the security agent based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve agent IP addresses using the "List Security Agents" action. |
Host Name | Hostname of the security agent based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve agent hostnames using the "List Security Agents" action. |
Agent GUID | GUID of the target endpoint based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve Agent GUIDs using the "List Security Agents" action. |
Scan Summary GUID | GUID of the investigation summary to retrieve based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve investigation summary GUIDs using the "Get All Investigation Results" action. |
Server GUID | GUID of the target server based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve server GUIDs from the "List Product Server" action. |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"errorCode": "",
"result": "",
"errorMsg": ""
},
"Data": {
"CodeType": "",
"Data": {
"hasMore": "",
"serverGuid": "",
"serverName": "",
"taskId": "",
"content": [
{
"content": {
"csv": ""
},
"statusCode": "",
"message": ""
}
],
"lastContentId": ""
},
"Code": "",
"Message": "",
"TimeZone": ""
}
}
Input parameters for the Get Task ID of RCA in Table Format operation:
Parameter | Description |
---|---|
Task Type | Type of API request based on which you want to retrieve the task ID of the table view of an RCA from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL. |
Agent GUID | GUID of the target endpoint whose associated RCA task ID of the table view you want to retrieve from Trend Micro Apex Central. You can retrieve Agent GUIDs using the "List Security Agents" action. |
Scan Summary GUID | GUID of the investigation summary based on which you want to retrieve RCA taskID of the table view from Trend Micro Apex Central. You can retrieve investigation summary GUIDs using the "Get All Investigation Results" action. |
Server GUID | GUID of the target server based on which you want to retrieve RCA taskID of the table view from Trend Micro Apex Central. You can retrieve Server GUIDs using the "List Product Server" action. |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"errorCode": "",
"result": "",
"errorMsg": ""
},
"Data": {
"CodeType": "",
"Data": {
"hasMore": "",
"serverGuid": "",
"serverName": "",
"taskId": "",
"content": [
{
"statusCode": "",
"content": {},
"message": ""
}
],
"lastContentId": ""
},
"Code": "",
"Message": "",
"TimeZone": ""
}
}
Input parameters for the Get Syslog Data operation:
Parameter | Description |
---|---|
Log Type | Select the type of log data you want to retrieve from Trend Micro Apex Central. You can choose from the following log types: Data Loss Prevention, Device Control, Behavior Monitoring, Virus/Malware, Spyware/Grayware, Web Violation, Content Violation, Network Content Inspection, C&C Callback, Suspicious File Information, Predictive Machine Learning, Virtual Analyzer Detections, Application Control, Managed Product User Access, Attack Discovery, Pattern Update Status, Engine Update Status, Product Auditing Events, or Intrusion Prevention. |
Page Token | (Optional) ID of the log of the first record to query in Trend Micro Apex Central. |
Time Range | (Optional) Time range based on which you want to retrieve syslogs from Trend Micro Apex Central. You can choose from the following options: Last 24 hours, Today, Last 7 days, Last 14 days, Last 30 days, or Custom Time. If you choose Custom Time, then in the Since Time parameter specify the date and time of the first record to query in Trend Micro Apex Central. Note: If you do not specify the time, then up to 1000 logs are retrieved from Trend Micro Apex Central. |
Output Format | (Optional) Log format in which you want to retrieve the response from Trend Micro Apex Central. Specify 1 or CEF Format. |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"ErrorCode": "",
"Result": "",
"ErrorMsg": ""
},
"Data": {
"SyslogName": "",
"Next": "",
"Count": "",
"SyslogType": "",
"SyslogOutputFormat": "",
"Logs": [],
"CurrentPage": {
"SinceTime": "",
"PageToken": ""
},
"NextPage": {
"SinceTime": "",
"PageToken": ""
}
}
}
Input parameters for the List UDSO Entries operation:
Parameter | Description |
---|---|
Type | Type of suspicious object that you want to query in Trend Micro Apex Central. You can choose from the following types: Files, File SHA-1, IP Addresses, URLs, or Domains. |
Content Filter | Filters the list of suspicious objects to retrieve only those suspicious objects from Trend Micro Apex Central that match the string (filter) that you have specified. |
The output contains the following populated JSON schema:
{
"PermissionCtrl": {
"permission": "",
"elements": ""
},
"SystemCtrl": {
"TmcmSoDist_Role": ""
},
"FeatureCtrl": {
"mode": ""
},
"Meta": {
"ErrorCode": "",
"Result": "",
"ErrorMsg": ""
},
"Data": [
{
"scan_action": "",
"expiration_utc_date": "",
"content": "",
"type": "",
"notes": ""
}
]
}
The Sample - Trend Micro Apex Central - 1.0.0 playbook collection comes bundled with the Trend Micro Apex Central connector. This playbook collection contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Trend Micro Apex Central connector.
The following playbooks are used for Data Ingestion:
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling syslogs from Trend Micro Apex Central. Currently, these "logs" from Trend Micro Apex Central are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Trend Micro Apex Central "logs" to FortiSOAR™ "Alerts".
The Data Ingestion Wizard enables you to configure scheduled pulling of data (syslogs) from Trend Micro Apex Central into FortiSOAR™. It also lets you pull some sample data from Trend Micro Apex Central using which you can define the mapping of data between Trend Micro Apex Central and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users usually only need to map any custom fields that are added to the Trend Micro Apex Central event.
On the Field Mapping screen, map the fields of a Trend Micro Apex Central log to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the DeviceProduct parameter of a Trend Micro Apex Central event to the Source Type parameter of a FortiSOAR™ alert, click the Source Type field and then click the DeviceProduct field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.
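The keys offered on the Field Mapping screen (DeviceProduct and the rest) are the fields of a CEF record, which is the format "Get Syslog Data" returns when CEF output is selected. The following added example, not the connector's or FortiSOAR™'s code, parses such a record and applies the DeviceProduct to Source Type mapping described above, keeping the remaining extension keys available for custom mapping. The sample log line is constructed, the header and extension escaping rules follow the CEF specification, and the target alert field names other than source_type are assumptions.

```python
import re

# Added example, not the connector's or FortiSOAR's code: a CEF parser plus the
# DeviceProduct -> Source Type mapping described above. The sample line is
# constructed; alert field names other than source_type are assumptions.
SAMPLE_CEF = (
    r"CEF:0|Trend Micro|Apex Central|2019|AV:File quarantined|Virus\|Malware detected|3|"
    r"rt=Nov 01 2023 10:15:22 GMT+00:00 dhost=FINANCE-PC01 src=10.0.1.20 "
    r"cs1Label=Malware cs1=Eicar_test_file fname=eicar.com "
    r"filePath=C:\\Users\\bob\\Downloads\\eicar.com act=Quarantine"
)

_HEADER_FIELDS = ["DeviceVendor", "DeviceProduct", "DeviceVersion", "SignatureID", "Name", "Severity"]
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # an extension key starts a token


def _split_header(text):
    """Split the seven pipe-delimited header fields; backslash escapes the next character
    (the spec uses '\\|' and '\\\\' here). Returns (fields, extension_text)."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) == 6 and buf:          # record with no extension and no trailing pipe
        fields.append("".join(buf)); i = len(text)
    if len(fields) < 7:
        raise ValueError("not a CEF record: fewer than 7 header fields")
    return fields, text[i:]


def _unescape(raw):
    """Extension values escape '=', '\\', newline and carriage return with a backslash."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append({"n": "\n", "r": "\r"}.get(raw[i + 1], raw[i + 1])); i += 2
        else:
            out.append(raw[i]); i += 1
    return "".join(out)


def _parse_extension(ext):
    """key=value pairs; a value runs until the next 'key=' token, so it may contain spaces."""
    out, keys = {}, list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse one CEF line (optionally preceded by a syslog prefix) into a flat dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    fields, ext = _split_header(line[start:])
    record = {"CEFVersion": fields[0][len("CEF:"):]}
    record.update(zip(_HEADER_FIELDS, fields[1:7]))
    record.update(_parse_extension(ext))
    return record


def cef_to_alert(record):
    """DeviceProduct -> Source Type as shown above, plus a few obvious fields; everything
    else stays under 'extension' for custom mapping in the wizard."""
    severity = record.get("Severity", "")
    known = set(_HEADER_FIELDS) | {"CEFVersion"}
    return {
        "source_type": record.get("DeviceProduct"),
        "name": record.get("Name"),
        "severity": int(severity) if severity.isdigit() else severity,
        "source_ip": record.get("src"),
        "host": record.get("dhost"),
        "extension": {k: v for k, v in record.items() if k not in known},
    }


if __name__ == "__main__":
    print(cef_to_alert(parse_cef(SAMPLE_CEF)))
```

The parser is strict about the header (seven fields or it refuses the line) but tolerant in the extension, which is the right way round for ingestion: a malformed header means the line is not a CEF event and should be dropped or quarantined rather than turned into a half-populated alert.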
Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Trend Micro Apex Central, so that the content gets pulled from the Trend Micro Apex Central integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the "Configure Schedule Settings" section, specify the Cron expression for the schedule. For example, if you want to pull data from Trend Micro Apex Central every 5 minutes, click Every X Minute and in the minute box enter */5. This means that, based on the configuration you have set up, logs will be pulled from Trend Micro Apex Central every 5 minutes.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion, and exit the Data Ingestion Wizard.