Fortinet Document Library

Version:


Table of Contents

Trend Micro Apex Central

1.0.0
Copy Link

About the connector

Trend Micro Apex Central™ is a web-based console that provides centralized management for Trend Micro products and services at the gateway, mail server, file server, and corporate desktop levels.

This document provides information about the Trend Micro Apex Central connector, which facilitates automated interactions with a Trend Micro Apex Central server using FortiSOAR™ playbooks. Add the Trend Micro Apex Central connector as a step in FortiSOAR™ playbooks and perform automated operations, such as creating a live investigation, performing actions on security endpoints, and retrieving a list of managed product servers, security agents, etc.

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling logs (syslogs) from Trend Micro Apex Central. Currently, "logs" in Trend Micro Apex Central are mapped to "alerts" in FortiSOAR™. For more information, see the Data Ingestion Support section

Version information 

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 6.4.3-2885

Trend Micro Apex Central Version Tested on: SAAS Model Hotfix 5366 

Authored By: Fortinet

Certified: Yes

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session: 

yum install cyops-connector-trendmicro-apex-central

Prerequisites to configuring the connector

  • You must have the URL of the Trend Micro Apex Central server to which you will connect and perform the automated operations.
  • You must also have the Application ID and the API key to access the Trend Micro Apex Central management console to which you will connect and perform the automated operations.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on Trend Micro Apex Central.

Permissions Required

To use the Trend Micro Apex Central connector and call its REST APIs, you must be an "Administrator" or assigned an "Admin" role.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Trend Micro Apex Central connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details: 

Parameter Description
Server URL URL of the Trend Micro Apex Central server to which you will connect and perform automated operations.
Application ID Application ID to access the Trend Micro Apex Central console to which you will connect and perform the automated operations.
API Key API key to access the Trend Micro Apex Central management console to which you will connect and perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Create Assessment Creates a new historical investigation on all security agents whose endpoint sensors are enabled in Trend Micro Apex Central, using the specified criteria, search operator, match condition, and other input parameters you have specified. create_assessment
Investigation
Create Live Investigation Creates a new live Investigation (Generate RCA) in Trend Micro Apex Central, using the agent GUID, specified criteria, condition parameters, and other input parameters you have specified. create_live_investigation
Investigation
List Product Server Retrieves a list of all managed product servers or specific managed product servers reporting to Trend Micro Apex Central based on the input parameters you have specified. list_server
Investigation
List Security Agents

Retrieves a list of all security agents or specific security agents in Trend Micro Apex Central based on the input parameters you have specified.

list_agent
Investigation
Perform Action on Security Agent Performs actions on a security endpoint such as Isolate, Restore connection, Uninstall Security Agent, or Relocate Security Agent in Trend Micro Apex Central based action and other input parameters you have specified. perform_action
Investigation
Get All Investigation Results Retrieves a list of all investigation results from Trend Micro Apex Central based on the task and scan type and other input parameters you have specified. list_investigation_result
Investigation
Get RCA Response Retrieves results of investigations from Trend Micro Apex Central, in different formats, based on the specified task ID and other input parameters you have specified. get_rca_response
Investigation
Get Task ID of RCA in Analysis Chain Retrieves the taskID of an Analysis Chain view of a Root Cause Analysis (RCA) from Trend Micro Apex Central based on the task type, agent GUID, and other input parameters you have specified. get_task_id_analysis_chain
Investigation
Download RCA CSV File Downloads existing RCA files from Trend Micro Apex Central based on the task type, hostname, and other input parameters you have specified. download_rca_file
Investigation
Get Task ID of RCA in Table Format Retrieves the taskID of the table view of a Root Cause Analysis from Trend Micro Apex Central based on the task type, agent GUID, and other input parameters you have specified. get_task_id_table_format
Investigation
Get Syslog Data Retrieves a maximum of 1000 logs of detection types from the Trend Micro Apex Central server based on the log type, and other input parameters you have specified.
Note: The Pattern Update Status and Engine Update Status logs returns all logs (no maximum) from the "Since Time" you have specified
get_syslog_data
Investigation
List UDSO Entries Retrieves a list of User-Defined Suspicious Objects (UDSO) from the Trend Micro Apex Central server based on the type, and other input parameters you have specified. list_udso_entries
Investigation

operation: Create Assessment

Input parameters

Parameter Description
Task Type Type of API request to create the new historical investigation in Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL.
Criteria Type Type of criteria to be used in the historical investigation you are creating in Trend Micro Apex Central. You can choose from the following criteria type values: 'Registry data', 'File name', 'File path', 'MD5', 'SHA-1', 'Registry name', 'Account', 'Command line', 'Registry key', 'SHA-2', or 'Host name'.
Condition Condition to be used in the historical investigation you are creating in Trend Micro Apex Central. You can choose between IS: which means that the condition should be an "Exact Match" or CONTAIN: which means that the condition can be a "Partial Match".
Value Criteria to be used in the historical investigation you are creating in Trend Micro Apex Central. 
Search Period (Optional) Scope of the search results that this operation should return from Trend Micro Apex Central. For example, if you select the THREE_MONTH option, then this operation will assess Trend Micro Apex Central data for the last 90 days only.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "errorCode": "",
         "result": "",
         "errorMsg": ""
     },
     "Data": {
         "CodeType": "",
         "Data": {
             "serverName": "",
             "content": [],
             "lastContentId": "",
             "serverGuid": "",
             "taskId": "",
             "hasMore": ""
         },
         "Code": "",
         "Message": "",
         "TimeZone": ""
     }
}

operation: Create Live Investigation

Input parameters

Parameter Description
Investigation Name Name of the live investigation that you want to create in Trend Micro Apex Central. 
Task Type Type of API request to create the new live investigation in Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL.
Agent GUID GUID of the target endpoint for which you want to create the new live investigation in Trend Micro Apex Central. You can retrieve the agent GUID using the "List Security Agents" action.
Server GUID GUID of servers for which you want to create the new live investigation in Trend Micro Apex Central. You can retrieve the agent GUID using the "List Product Servers" action.
Criteria Type Type of criteria to be used in the live investigation you are creating in Trend Micro Apex Central. You can choose from the following criteria type values: 'Registry data', 'File name', 'File path', 'MD5', 'SHA-1', 'Registry name', 'Account', 'Command line', 'Registry key', 'SHA-2', or 'Host name'.
Condition Condition to be used in the live investigation you are creating in Trend Micro Apex Central. You can choose between IS: which means that the condition should be an "Exact Match" or CONTAIN: which means that the condition can be a "Partial Match".
Value Criteria to be used in the live investigation you are creating in Trend Micro Apex Central. 
Period

(Optional) Scope of the search results that this operation should return from Trend Micro Apex Central. You can choose between All or Custom.

  • All: Performs investigation on all logged dates.
  • Custom: Perform investigation only on logs that fall within the specified dates.
    If you choose 'Custom', then you must specify the following parameters:
    • Start Date: Date and time from when you want the investigation to start.
    • End Date: Date and time to end the investigation.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "errorCode": "",
         "result": "",
         "errorMsg": ""
     },
     "Data": {
         "CodeType": "",
         "Data": {
             "serverName": "",
             "content": [
                 {
                     "content": {
                         "scanSummaryGuid": ""
                     },
                     "message": "",
                     "statusCode": ""
                 }
             ],
             "lastContentId": "",
             "serverGuid": "",
             "taskId": "",
             "hasMore": ""
         },
         "Code": "",
         "Message": "",
         "TimeZone": ""
     }
}

operation: List Product Server

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Entity ID GUID of the managed product server whose details you want to retrieve from Trend Micro Apex Central. 
IP Address IP address of the endpoint whose associated product server details you want to retrieve from Trend Micro Apex Central. 
MAC Address MAC address of the endpoint whose associated product server details you want to retrieve from Trend Micro Apex Central. 
Hostname Hostname of the endpoint whose associated product server details you want to retrieve from Trend Micro Apex Central. 
Product Trend Micro product name whose associated product server details you want to retrieve from Trend Micro Apex Central. 

Output

The output contains the following populated JSON schema:
{
     "result_code": "",
     "result_content": [
         {
             "ad_domain": "",
             "capabilities": [],
             "entity_id": "",
             "host_name": "",
             "ip_address_list": "",
             "product": ""
         }
     ],
     "result_description": ""
}

operation: List Security Agents

Input parameters

Parameter Description
Agent ID GUID of the managed product agent whose details you want to retrieve from Trend Micro Apex Central. 
IP Address IP address of the endpoint whose associated security agents details you want to retrieve from Trend Micro Apex Central. 
MAC Address MAC address of the endpoint whose associated security agents details you want to retrieve from Trend Micro Apex Central. 
Hostname Name of the endpoint whose associated security agents details you want to retrieve from Trend Micro Apex Central. 
Product Trend Micro product name whose associated security agents details you want to retrieve from Trend Micro Apex Central. 
Managing Server ID GUID of the product server that manages the Security Agent whose details you want to retrieve from Trend Micro Apex Central. You can retrieve the GUID of the server using the "List Product Server" action.

Output

The output contains the following populated JSON schema:
{
     "result_code": "",
     "result_content": [
         {
             "ad_domain": "",
             "capabilities": [],
             "entity_id": "",
             "host_name": "",
             "ip_address_list": "",
             "product": "",
             "isolation_status": "",
             "managing_server_id": "",
             "folder_path": "",
             "mac_address_list": ""
         }
     ],
     "result_description": ""
}

operation: Perform Action on Security Agent

Input parameters

Parameter Description
Action

Select the action to perform on the security agent in Trend Micro Apex Central. You can choose from the following actions:

  • Isolate: Specify the value as cmd_isolate_agent.
  • Restore: Specify the value as cmd_restore_isolated_agent.
  • Relocate: Specify the value as cmd_relocate_agent. If you select 'Relocate', then you must specify the following parameters:
    • Relocate to Folder Path: Target directory for the agent.
    • Relocate to Server ID: GUID of the target server for the agent.
  • Uninstall: Specify the value as cmd_uninstall_agent.
Allow Multiple Match Select the checkbox to allow multiple security agent matches on which to perform the action.
Agent ID GUID of the managed product agent on which you want to perform the action. You can retrieve the agent GUID using the "List Security Agents" action.
Hostname Endpoint name of the managed product agent on whose associated agent you want to perform the action.
IP Address IP address of the managed product agent on whose associated agent you want to perform the action.
MAC Address MAC address of the managed product agent on whose associated agent you want to perform the action.
Product Trend Micro product on the server instance on whose associated agent you want to perform the action.

Output

The output contains the following populated JSON schema:
{
     "result_code": "",
     "result_content": [
         {
             "ad_domain": "",
             "capabilities": [],
             "entity_id": "",
             "host_name": "",
             "ip_address_list": "",
             "product": "",
             "isolation_status": "",
             "managing_server_id": "",
             "folder_path": "",
             "mac_address_list": ""
         }
     ],
     "result_description": ""
}

operation: Get All Investigation Results

Input parameters

Parameter Description
Task Type Type of API request based on which you want to retrieve investigation results from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL.
Scan Type Type of scan or the method used for investigation based on which you want to retrieve investigation results from Trend Micro Apex Central. You can choose from the following scan types: Windows Registry, YARA Rule File, IOC Rule File, or Disk Rule File.
Record Count (Optional) Number of items to be returned in a single request. Default value is set to 50.
Offset (Optional) Index of the first item that this operation should return. Default value is set to 50.
This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items.
For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list.
Filter Type

(Optional) Filters used to retrieve scans from Trend Micro Apex Central. You can choose from the following filters:

  • Task Name: If you choose this option, then in the Filter Value field enter the name of the task based on which you want to filter scans from Trend Micro Apex Central.
  • Creator Name: If you choose this option, then in the Filter Value field enter the name of the creator based on which you want to filter scans from Trend Micro Apex Central.
  • Criteria Name: If you choose this option, then in the Filter Value field enter the name of the criteria based on which you want to filter scans from Trend Micro Apex Central.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "errorCode": "",
         "result": "",
         "errorMsg": ""
     },
     "Data": {
         "CodeType": "",
         "Data": {
             "hasMore": "",
             "serverGuid": "",
             "serverName": "",
             "taskId": "",
             "content": [
                 {
                     "content": {
                         "pagination": {
                             "limit": "",
                             "offset": "",
                             "total": ""
                         },
                         "scanSummaryEntity": [
                             {
                                 "agentCount": "",
                                 "creator": "",
                                 "errorServers": "[]",
                                 "finishTime": "",
                                 "matchedAgentCount": "",
                                 "name": "",
                                 "progressInfo": {
                                     "abortCount": "",
                                     "connectionFailCount": "",
                                     "errorCount": "",
                                     "noneCount": "",
                                     "pendingCount": "",
                                     "processingCount": "",
                                     "riskCount": "",
                                     "safeCount": "",
                                     "timeoutCount": ""
                                 },
                                 "scanCriteriaEntity": {
                                     "criteriaContent": "",
                                     "criteriaId": "",
                                     "criteriaName": ""
                                 },
                                 "scanSummaryGuid": "",
                                 "scanSummaryId": "",
                                 "scanType": "",
                                 "serverGuidList": [],
                                 "specificAgentType": "",
                                 "status": "",
                                 "statusForUI": "",
                                 "submitTime": ""
                             }
                         ]
                     },
                     "message": "",
                     "statusCode": ""
                 }
             ],
             "lastContentId": ""
         },
         "Code": "",
         "Message": "",
         "TimeZone": ""
     }
}

operation: Get RCA Response

Input parameters

Parameter Description
Task Type

Type of API request based on which you want to retrieve RCA responses from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL.

Task ID ID of the task from another API call that is used to retrieve a specific task result. You can specify the task ID values returned by the following actions: Create Assessment, Get Task ID of RCA in Analysis Chain, or Get Task ID of RCA in Table Format.
Top N Specify the top n (number of RCA responses) that you want to retrieve from Trend Micro Apex Central
Server GUID List of GUIDs or GUIDs in the CSV format whose RCA responses you want to retrieve from Trend Micro Apex Central. You can retrieve Server GUIDs using the "List Product Server" action.
Content ID ID of the content that indicates the location of the dataset. Specify an empty string for the initial request. Specify the lastContentId of the response after the first initial request to continually get results from the servers until the hasMore value response is false.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "errorCode": "",
         "result": "",
         "errorMsg": ""
     },
     "Data": {
         "CodeType": "",
         "Data": {
             "hasMore": "",
             "serverGuid": "",
             "serverName": "",
             "taskId": "",
             "content": [
                 {
                     "statusCode": "",
                     "content": {
                         "region": "",
                         "footprint": {
                             "operationType": "",
                             "timestamp": "",
                             "lastSeen": "",
                             "event": [
                                 {
                                     "isExpanded": "",
                                     "timestamp": "",
                                     "rating": {
                                         "metaType": "",
                                         "isSpecialCmdLine": "",
                                         "localPrevalence": "",
                                         "score": ""
                                     },
                                     "lastSeen": "",
                                     "assessmentValue": "",
                                     "isMatched": "",
                                     "firstSeen": "",
                                     "riskLevel": "",
                                     "objectName": "",
                                     "nodeImage": "",
                                     "isSymbolEvent": "",
                                     "meta": [
                                         {
                                             "metaType": "",
                                             "metaHashId": ""
                                         }
                                     ],
                                     "operationType": "",
                                     "eventId": "",
                                     "metaLinkId": "",
                                     "objectType": "",
                                     "assessmentType": ""
                                 }
                             ],
                             "groupNo": "",
                             "objectId": "",
                             "firstSeen": "",
                             "parentId": ""
                         },
                         "agentInfo": [
                             {
                                 "machineName": "",
                                 "agentGuid": "",
                                 "ip": "",
                                 "machineGuid": "",
                                 "serverGuid": ""
                             }
                         ],
                         "group": [
                             {
                                 "timestamp": "",
                                 "groupNo": ""
                             }
                         ],
                         "metadataAgentList": [
                             {
                                 "typeValue": "",
                                 "agentGuid": [],
                                 "metaValue": ""
                             }
                         ],
                         "traceId": "",
                         "metaProperty": [
                             {
                                 "metaHashId": "",
                                 "metaValue": ""
                             }
                         ],
                         "exceedLeafModuleCountLimit": ""
                     },
                     "message": ""
                 }
             ],
             "lastContentId": ""
         },
         "Code": "",
         "Message": "",
         "TimeZone": ""
     }
}

operation: Get Task ID of RCA in Analysis Chain

Input parameters

Parameter Description
Task Type Type of API request based on which you want to retrieve RCA taskID from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL.
Agent GUID GUID of the target endpoint whose associated RCA task ID you want to retrieve from Trend Micro Apex Central. You can retrieve Agent GUIDs using the "List Security Agents" action.
Scan Summary GUID GUID of the investigation summary based on which you want to retrieve RCA taskID from Trend Micro Apex Central. You can retrieve investigation summary GUIDs using the "Get All Investigation Results" action.
Server GUID GUID of the target server based on which you want to retrieve RCA taskID from Trend Micro Apex Central. You can retrieve Server GUIDs using the "List Product Server" action.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "errorCode": "",
         "result": "",
         "errorMsg": ""
     },
     "Data": {
         "CodeType": "",
         "Data": {
             "hasMore": "",
             "serverGuid": "",
             "serverName": "",
             "taskId": "",
             "content": [],
             "lastContentId": ""
         },
         "Code": "",
         "Message": "",
         "TimeZone": ""
     }
}

operation: Download RCA CSV File

Input parameters

Parameter Description
Task Type Type of API request based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL.
Host IP Host IP address of security agent based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve Agent GUIDs using the "List Security Agents" action.
Host Name Host name of security agent based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve Agent GUIDs using the "List Security Agents" action.
Agent GUID GUID of the target endpoint based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve Agent GUIDs using the "List Security Agents" action.
Scan Summary GUID GUID of the investigation summary to retrieve based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve investigation summary GUIDs using the "Get All Investigation Results" action.
Server GUID GUID of the target server based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve server GUIDs from the "List Product Server" action.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "errorCode": "",
         "result": "",
         "errorMsg": ""
     },
     "Data": {
         "CodeType": "",
         "Data": {
             "hasMore": "",
             "serverGuid": "",
             "serverName": "",
             "taskId": "",
             "content": [
                 {
                     "content": {
                         "csv": ""
                     },
                     "statusCode": "",
                     "message": ""
                 }
             ],
             "lastContentId": ""
         },
         "Code": "",
         "Message": "",
         "TimeZone": ""
     }
}

operation: Get Task ID of RCA in Table Format

Input parameters

Parameter Description
Task Type Type of API request based on which you want to retrieve the task ID of the table view of an RCA from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL.
Agent GUID GUID of the target endpoint whose associated RCA task ID of the table view you want to retrieve from Trend Micro Apex Central. You can retrieve Agent GUIDs using the "List Security Agents" action.
Scan Summary GUID GUID of the investigation summary based on which you want to retrieve RCA taskID of the table view from Trend Micro Apex Central. You can retrieve investigation summary GUIDs using the "Get All Investigation Results" action.
Server GUID GUID of the target server based on which you want to retrieve RCA taskID of the table view from Trend Micro Apex Central. You can retrieve Server GUIDs using the "List Product Server" action.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "errorCode": "",
         "result": "",
         "errorMsg": ""
     },
     "Data": {
         "CodeType": "",
         "Data": {
             "hasMore": "",
             "serverGuid": "",
             "serverName": "",
             "taskId": "",
             "content": [
                 {
                     "statusCode": "",
                     "content": {},
                     "message": ""
                 }
             ],
             "lastContentId": ""
         },
         "Code": "",
         "Message": "",
         "TimeZone": ""
     }
}

operation: Get Syslog Data

Input parameters

Parameter Description
Log Type Select the type of log data you want to retrieve from Trend Micro Apex Central.
You can choose from the following log types: Data Loss Prevention, Device Control, Behavior Monitoring, Virus/Malware, Spyware/Grayware, Web Violation, Content Violation, Network Content Inspection, C&C Callback, Suspicious File Information, Predictive Machine Learning, Virtual Analyzer Detections, Application Control, Managed Product User Access, Attack Discovery, Pattern Update Status, Engine Update Status, Product Auditing Events, or Intrusion Prevention.
Page Token (Optional) ID of the log of the first record to query in Trend Micro Apex Central.
Time Range (Optional) Time range based on which you want to retrieve syslogs from Trend Micro Apex Central. You can choose from the following options: Last 24 hours, Today, Last 7 days, Last 14 days, Last 30 days, or Custom Time.
If you choose Custom Time, then in the Since Time parameter specify the date and time of the first record to query in the Trend Micro Apex Central.
Note: If you do not specify the time, then 1000 logs will be retrieved from Trend Micro Apex Central.
Output Format (Optional) Log format in which you want to retrieve the response from Trend Micro Apex Central. Specify 1 or CEF Format.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "ErrorCode": "",
         "Result": "",
         "ErrorMsg": ""
     },
     "Data": {
         "SyslogName": "",
         "Next": "",
         "Count": "",
         "SyslogType": "",
         "SyslogOutputFormat": "",
         "Logs": [],
         "CurrentPage": {
             "SinceTime": "",
             "PageToken": ""
         },
         "NextPage": {
             "SinceTime": "",
             "PageToken": ""
         }
     }
}

operation: List UDSO Entries

Input parameters

Parameter Description
Type Type of suspicious object that you want to query in Trend Micro Apex Central. You can choose from the following types: Files, File SHA-1, IP Addresses, URLs, or Domains.
Content Filter Filters the list of suspicious objects to retrieve only those suspicious objects from Trend Micro Apex Central that match the string (filter) that you have specified.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "ErrorCode": "",
         "Result": "",
         "ErrorMsg": ""
     },
     "Data": [
         {
             "scan_action": "",
             "expiration_utc_date": "",
             "content": "",
             "type": "",
             "notes": ""
         }
     ]
}

Included playbooks

The Sample - Trend Micro Apex Central - 1.0.0 playbook collection comes bundled with the Trend Micro Apex Central connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Trend Micro Apex Central connector.

  • Create Assessment
  • Create Live Investigation
  • Download RCA CSV File
  • Generate RCA for an Assessment: This is a sample playbook that demonstrates how to use various connector actions such as Create Assessment, Get Task ID of RCA in Table format, etc., and build a use-case. This playbook demonstrates the use case of performing a live investigation of assessment and retrieving the RCA of the investigation from Trend Micro Apex Central.
  • Get All Investigation Results
  • Get RCA Response
  • Get Syslog Data
  • Get Task ID of RCA in Analysis Chain
  • Get Task ID of RCA in Table Format
  • List Product Server
  • List Security Agents
  • List UDSO Entries
  • Perform Action on Security Agent

The following playbooks are used for Data Ingestion:

  • > Trend Micro Apex Central > Fetch
  • >> Trend Micro Apex Central > Handle Macro
  • Trend Micro Apex Central > Ingest

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling syslogs from Trend Micro Apex Central. Currently, these "logs" from Trend Micro Apex Central are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Trend Micro Apex Central "logs" to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure scheduled pulling of data (sysogs) from Trend Micro Apex Central into FortiSOAR™. It also lets you pull some sample data from Trend Micro Apex Central using which you can define the mapping of data between Trend Micro Apex Central and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users mostly require to only map any custom fields that are added to the Trend Micro Apex Central event. 

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Trend Micro Apex Central connector’s "Configurations" page. 
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between Trend Micro Apex Central data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch Trend Micro Apex Central data.
    Users can choose to pull data from Trend Micro Apex Central by specifying a log type that would be used to search and retrieve logs from Trend Micro Apex Central. You can also specify additional parameters such as the time range for which you want to pull logs from Trend Micro Apex Central and the log format, for example, CEF, of the response. The fetched data is used to create a mapping between the Trend Micro Apex Central data and FortiSOAR™ alerts.

    Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of a Trend Micro Apex Central log to the fields of an alert present in FortiSOAR™. 
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the DeviceProduct parameter of a Trend Micro Apex Central event to the Source Type parameter of a FortiSOAR™ alert, click the Source Type field and then click the DeviceProduct field to populate its keys:  

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.

  4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Trend Micro Apex Central, so that the content gets pulled from the Trend Micro Apex Central integration into FortiSOAR™. 
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.    
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Trend Micro Apex Central every 5 minutes, click Every X Minute and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., logs will be pulled from Trend Micro Apex Central every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion, and exit the Data Ingestion Wizard.

About the connector

Trend Micro Apex Central™ is a web-based console that provides centralized management for Trend Micro products and services at the gateway, mail server, file server, and corporate desktop levels.

This document provides information about the Trend Micro Apex Central connector, which facilitates automated interactions with a Trend Micro Apex Central server using FortiSOAR™ playbooks. Add the Trend Micro Apex Central connector as a step in FortiSOAR™ playbooks and perform automated operations, such as creating a live investigation, performing actions on security endpoints, and retrieving a list of managed product servers, security agents, etc.

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling logs (syslogs) from Trend Micro Apex Central. Currently, "logs" in Trend Micro Apex Central are mapped to "alerts" in FortiSOAR™. For more information, see the Data Ingestion Support section

Version information 

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 6.4.3-2885

Trend Micro Apex Central Version Tested on: SAAS Model Hotfix 5366 

Authored By: Fortinet

Certified: Yes

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session: 

yum install cyops-connector-trendmicro-apex-central

Prerequisites to configuring the connector

Permissions Required

To use the Trend Micro Apex Central connector and call its REST APIs, you must be an "Administrator" or assigned an "Admin" role.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Trend Micro Apex Central connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details: 

Parameter Description
Server URL URL of the Trend Micro Apex Central server to which you will connect and perform automated operations.
Application ID Application ID to access the Trend Micro Apex Central console to which you will connect and perform the automated operations.
API Key API key to access the Trend Micro Apex Central management console to which you will connect and perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Create Assessment Creates a new historical investigation on all security agents whose endpoint sensors are enabled in Trend Micro Apex Central, using the specified criteria, search operator, match condition, and other input parameters you have specified. create_assessment
Investigation
Create Live Investigation Creates a new live Investigation (Generate RCA) in Trend Micro Apex Central, using the agent GUID, specified criteria, condition parameters, and other input parameters you have specified. create_live_investigation
Investigation
List Product Server Retrieves a list of all managed product servers or specific managed product servers reporting to Trend Micro Apex Central based on the input parameters you have specified. list_server
Investigation
List Security Agents

Retrieves a list of all security agents or specific security agents in Trend Micro Apex Central based on the input parameters you have specified.

list_agent
Investigation
Perform Action on Security Agent Performs actions on a security endpoint such as Isolate, Restore connection, Uninstall Security Agent, or Relocate Security Agent in Trend Micro Apex Central based action and other input parameters you have specified. perform_action
Investigation
Get All Investigation Results Retrieves a list of all investigation results from Trend Micro Apex Central based on the task and scan type and other input parameters you have specified. list_investigation_result
Investigation
Get RCA Response Retrieves results of investigations from Trend Micro Apex Central, in different formats, based on the specified task ID and other input parameters you have specified. get_rca_response
Investigation
Get Task ID of RCA in Analysis Chain Retrieves the taskID of an Analysis Chain view of a Root Cause Analysis (RCA) from Trend Micro Apex Central based on the task type, agent GUID, and other input parameters you have specified. get_task_id_analysis_chain
Investigation
Download RCA CSV File Downloads existing RCA files from Trend Micro Apex Central based on the task type, hostname, and other input parameters you have specified. download_rca_file
Investigation
Get Task ID of RCA in Table Format Retrieves the taskID of the table view of a Root Cause Analysis from Trend Micro Apex Central based on the task type, agent GUID, and other input parameters you have specified. get_task_id_table_format
Investigation
Get Syslog Data Retrieves a maximum of 1000 logs of detection types from the Trend Micro Apex Central server based on the log type, and other input parameters you have specified.
Note: The Pattern Update Status and Engine Update Status logs returns all logs (no maximum) from the "Since Time" you have specified
get_syslog_data
Investigation
List UDSO Entries Retrieves a list of User-Defined Suspicious Objects (UDSO) from the Trend Micro Apex Central server based on the type, and other input parameters you have specified. list_udso_entries
Investigation

operation: Create Assessment

Input parameters

Parameter Description
Task Type Type of API request to create the new historical investigation in Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL.
Criteria Type Type of criteria to be used in the historical investigation you are creating in Trend Micro Apex Central. You can choose from the following criteria type values: 'Registry data', 'File name', 'File path', 'MD5', 'SHA-1', 'Registry name', 'Account', 'Command line', 'Registry key', 'SHA-2', or 'Host name'.
Condition Condition to be used in the historical investigation you are creating in Trend Micro Apex Central. You can choose between IS: which means that the condition should be an "Exact Match" or CONTAIN: which means that the condition can be a "Partial Match".
Value Criteria to be used in the historical investigation you are creating in Trend Micro Apex Central. 
Search Period (Optional) Scope of the search results that this operation should return from Trend Micro Apex Central. For example, if you select the THREE_MONTH option, then this operation will assess Trend Micro Apex Central data for the last 90 days only.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "errorCode": "",
         "result": "",
         "errorMsg": ""
     },
     "Data": {
         "CodeType": "",
         "Data": {
             "serverName": "",
             "content": [],
             "lastContentId": "",
             "serverGuid": "",
             "taskId": "",
             "hasMore": ""
         },
         "Code": "",
         "Message": "",
         "TimeZone": ""
     }
}

operation: Create Live Investigation

Input parameters

Parameter Description
Investigation Name Name of the live investigation that you want to create in Trend Micro Apex Central. 
Task Type Type of API request to create the new live investigation in Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL.
Agent GUID GUID of the target endpoint for which you want to create the new live investigation in Trend Micro Apex Central. You can retrieve the agent GUID using the "List Security Agents" action.
Server GUID GUID of servers for which you want to create the new live investigation in Trend Micro Apex Central. You can retrieve the agent GUID using the "List Product Servers" action.
Criteria Type Type of criteria to be used in the live investigation you are creating in Trend Micro Apex Central. You can choose from the following criteria type values: 'Registry data', 'File name', 'File path', 'MD5', 'SHA-1', 'Registry name', 'Account', 'Command line', 'Registry key', 'SHA-2', or 'Host name'.
Condition Condition to be used in the live investigation you are creating in Trend Micro Apex Central. You can choose between IS: which means that the condition should be an "Exact Match" or CONTAIN: which means that the condition can be a "Partial Match".
Value Criteria to be used in the live investigation you are creating in Trend Micro Apex Central. 
Period

(Optional) Scope of the search results that this operation should return from Trend Micro Apex Central. You can choose between All or Custom.

  • All: Performs investigation on all logged dates.
  • Custom: Perform investigation only on logs that fall within the specified dates.
    If you choose 'Custom', then you must specify the following parameters:
    • Start Date: Date and time from when you want the investigation to start.
    • End Date: Date and time to end the investigation.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "errorCode": "",
         "result": "",
         "errorMsg": ""
     },
     "Data": {
         "CodeType": "",
         "Data": {
             "serverName": "",
             "content": [
                 {
                     "content": {
                         "scanSummaryGuid": ""
                     },
                     "message": "",
                     "statusCode": ""
                 }
             ],
             "lastContentId": "",
             "serverGuid": "",
             "taskId": "",
             "hasMore": ""
         },
         "Code": "",
         "Message": "",
         "TimeZone": ""
     }
}

operation: List Product Server

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Entity ID GUID of the managed product server whose details you want to retrieve from Trend Micro Apex Central. 
IP Address IP address of the endpoint whose associated product server details you want to retrieve from Trend Micro Apex Central. 
MAC Address MAC address of the endpoint whose associated product server details you want to retrieve from Trend Micro Apex Central. 
Hostname Hostname of the endpoint whose associated product server details you want to retrieve from Trend Micro Apex Central. 
Product Trend Micro product name whose associated product server details you want to retrieve from Trend Micro Apex Central. 

Output

The output contains the following populated JSON schema:
{
     "result_code": "",
     "result_content": [
         {
             "ad_domain": "",
             "capabilities": [],
             "entity_id": "",
             "host_name": "",
             "ip_address_list": "",
             "product": ""
         }
     ],
     "result_description": ""
}

operation: List Security Agents

Input parameters

Parameter Description
Agent ID GUID of the managed product agent whose details you want to retrieve from Trend Micro Apex Central. 
IP Address IP address of the endpoint whose associated security agents details you want to retrieve from Trend Micro Apex Central. 
MAC Address MAC address of the endpoint whose associated security agents details you want to retrieve from Trend Micro Apex Central. 
Hostname Name of the endpoint whose associated security agents details you want to retrieve from Trend Micro Apex Central. 
Product Trend Micro product name whose associated security agents details you want to retrieve from Trend Micro Apex Central. 
Managing Server ID GUID of the product server that manages the Security Agent whose details you want to retrieve from Trend Micro Apex Central. You can retrieve the GUID of the server using the "List Product Server" action.

Output

The output contains the following populated JSON schema:
{
     "result_code": "",
     "result_content": [
         {
             "ad_domain": "",
             "capabilities": [],
             "entity_id": "",
             "host_name": "",
             "ip_address_list": "",
             "product": "",
             "isolation_status": "",
             "managing_server_id": "",
             "folder_path": "",
             "mac_address_list": ""
         }
     ],
     "result_description": ""
}

operation: Perform Action on Security Agent

Input parameters

Parameter Description
Action

Select the action to perform on the security agent in Trend Micro Apex Central. You can choose from the following actions:

  • Isolate: Specify the value as cmd_isolate_agent.
  • Restore: Specify the value as cmd_restore_isolated_agent.
  • Relocate: Specify the value as cmd_relocate_agent. If you select 'Relocate', then you must specify the following parameters:
    • Relocate to Folder Path: Target directory for the agent.
    • Relocate to Server ID: GUID of the target server for the agent.
  • Uninstall: Specify the value as cmd_uninstall_agent.
Allow Multiple Match Select the checkbox to allow multiple security agent matches on which to perform the action.
Agent ID GUID of the managed product agent on which you want to perform the action. You can retrieve the agent GUID using the "List Security Agents" action.
Hostname Endpoint name of the managed product agent on whose associated agent you want to perform the action.
IP Address IP address of the managed product agent on whose associated agent you want to perform the action.
MAC Address MAC address of the managed product agent on whose associated agent you want to perform the action.
Product Trend Micro product on the server instance on whose associated agent you want to perform the action.

Output

The output contains the following populated JSON schema:
{
     "result_code": "",
     "result_content": [
         {
             "ad_domain": "",
             "capabilities": [],
             "entity_id": "",
             "host_name": "",
             "ip_address_list": "",
             "product": "",
             "isolation_status": "",
             "managing_server_id": "",
             "folder_path": "",
             "mac_address_list": ""
         }
     ],
     "result_description": ""
}

operation: Get All Investigation Results

Input parameters

Parameter Description
Task Type Type of API request based on which you want to retrieve investigation results from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL.
Scan Type Type of scan or the method used for investigation based on which you want to retrieve investigation results from Trend Micro Apex Central. You can choose from the following scan types: Windows Registry, YARA Rule File, IOC Rule File, or Disk Rule File.
Record Count (Optional) Number of items to be returned in a single request. Default value is set to 50.
Offset (Optional) Index of the first item that this operation should return. Default value is set to 50.
This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items.
For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list.
Filter Type

(Optional) Filters used to retrieve scans from Trend Micro Apex Central. You can choose from the following filters:

  • Task Name: If you choose this option, then in the Filter Value field enter the name of the task based on which you want to filter scans from Trend Micro Apex Central.
  • Creator Name: If you choose this option, then in the Filter Value field enter the name of the creator based on which you want to filter scans from Trend Micro Apex Central.
  • Criteria Name: If you choose this option, then in the Filter Value field enter the name of the criteria based on which you want to filter scans from Trend Micro Apex Central.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "errorCode": "",
         "result": "",
         "errorMsg": ""
     },
     "Data": {
         "CodeType": "",
         "Data": {
             "hasMore": "",
             "serverGuid": "",
             "serverName": "",
             "taskId": "",
             "content": [
                 {
                     "content": {
                         "pagination": {
                             "limit": "",
                             "offset": "",
                             "total": ""
                         },
                         "scanSummaryEntity": [
                             {
                                 "agentCount": "",
                                 "creator": "",
                                 "errorServers": "[]",
                                 "finishTime": "",
                                 "matchedAgentCount": "",
                                 "name": "",
                                 "progressInfo": {
                                     "abortCount": "",
                                     "connectionFailCount": "",
                                     "errorCount": "",
                                     "noneCount": "",
                                     "pendingCount": "",
                                     "processingCount": "",
                                     "riskCount": "",
                                     "safeCount": "",
                                     "timeoutCount": ""
                                 },
                                 "scanCriteriaEntity": {
                                     "criteriaContent": "",
                                     "criteriaId": "",
                                     "criteriaName": ""
                                 },
                                 "scanSummaryGuid": "",
                                 "scanSummaryId": "",
                                 "scanType": "",
                                 "serverGuidList": [],
                                 "specificAgentType": "",
                                 "status": "",
                                 "statusForUI": "",
                                 "submitTime": ""
                             }
                         ]
                     },
                     "message": "",
                     "statusCode": ""
                 }
             ],
             "lastContentId": ""
         },
         "Code": "",
         "Message": "",
         "TimeZone": ""
     }
}

operation: Get RCA Response

Input parameters

Parameter Description
Task Type

Type of API request based on which you want to retrieve RCA responses from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL.

Task ID ID of the task from another API call that is used to retrieve a specific task result. You can specify the task ID values returned by the following actions: Create Assessment, Get Task ID of RCA in Analysis Chain, or Get Task ID of RCA in Table Format.
Top N Specify the top n (number of RCA responses) that you want to retrieve from Trend Micro Apex Central
Server GUID List of GUIDs or GUIDs in the CSV format whose RCA responses you want to retrieve from Trend Micro Apex Central. You can retrieve Server GUIDs using the "List Product Server" action.
Content ID ID of the content that indicates the location of the dataset. Specify an empty string for the initial request. Specify the lastContentId of the response after the first initial request to continually get results from the servers until the hasMore value response is false.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "errorCode": "",
         "result": "",
         "errorMsg": ""
     },
     "Data": {
         "CodeType": "",
         "Data": {
             "hasMore": "",
             "serverGuid": "",
             "serverName": "",
             "taskId": "",
             "content": [
                 {
                     "statusCode": "",
                     "content": {
                         "region": "",
                         "footprint": {
                             "operationType": "",
                             "timestamp": "",
                             "lastSeen": "",
                             "event": [
                                 {
                                     "isExpanded": "",
                                     "timestamp": "",
                                     "rating": {
                                         "metaType": "",
                                         "isSpecialCmdLine": "",
                                         "localPrevalence": "",
                                         "score": ""
                                     },
                                     "lastSeen": "",
                                     "assessmentValue": "",
                                     "isMatched": "",
                                     "firstSeen": "",
                                     "riskLevel": "",
                                     "objectName": "",
                                     "nodeImage": "",
                                     "isSymbolEvent": "",
                                     "meta": [
                                         {
                                             "metaType": "",
                                             "metaHashId": ""
                                         }
                                     ],
                                     "operationType": "",
                                     "eventId": "",
                                     "metaLinkId": "",
                                     "objectType": "",
                                     "assessmentType": ""
                                 }
                             ],
                             "groupNo": "",
                             "objectId": "",
                             "firstSeen": "",
                             "parentId": ""
                         },
                         "agentInfo": [
                             {
                                 "machineName": "",
                                 "agentGuid": "",
                                 "ip": "",
                                 "machineGuid": "",
                                 "serverGuid": ""
                             }
                         ],
                         "group": [
                             {
                                 "timestamp": "",
                                 "groupNo": ""
                             }
                         ],
                         "metadataAgentList": [
                             {
                                 "typeValue": "",
                                 "agentGuid": [],
                                 "metaValue": ""
                             }
                         ],
                         "traceId": "",
                         "metaProperty": [
                             {
                                 "metaHashId": "",
                                 "metaValue": ""
                             }
                         ],
                         "exceedLeafModuleCountLimit": ""
                     },
                     "message": ""
                 }
             ],
             "lastContentId": ""
         },
         "Code": "",
         "Message": "",
         "TimeZone": ""
     }
}

operation: Get Task ID of RCA in Analysis Chain

Input parameters

Parameter Description
Task Type Type of API request based on which you want to retrieve RCA taskID from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL.
Agent GUID GUID of the target endpoint whose associated RCA task ID you want to retrieve from Trend Micro Apex Central. You can retrieve Agent GUIDs using the "List Security Agents" action.
Scan Summary GUID GUID of the investigation summary based on which you want to retrieve RCA taskID from Trend Micro Apex Central. You can retrieve investigation summary GUIDs using the "Get All Investigation Results" action.
Server GUID GUID of the target server based on which you want to retrieve RCA taskID from Trend Micro Apex Central. You can retrieve Server GUIDs using the "List Product Server" action.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "errorCode": "",
         "result": "",
         "errorMsg": ""
     },
     "Data": {
         "CodeType": "",
         "Data": {
             "hasMore": "",
             "serverGuid": "",
             "serverName": "",
             "taskId": "",
             "content": [],
             "lastContentId": ""
         },
         "Code": "",
         "Message": "",
         "TimeZone": ""
     }
}

operation: Download RCA CSV File

Input parameters

Parameter Description
Task Type Type of API request based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL.
Host IP Host IP address of security agent based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve Agent GUIDs using the "List Security Agents" action.
Host Name Host name of security agent based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve Agent GUIDs using the "List Security Agents" action.
Agent GUID GUID of the target endpoint based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve Agent GUIDs using the "List Security Agents" action.
Scan Summary GUID GUID of the investigation summary to retrieve based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve investigation summary GUIDs using the "Get All Investigation Results" action.
Server GUID GUID of the target server based on which you want to download an existing RCA CSV file from Trend Micro Apex Central. You can retrieve server GUIDs from the "List Product Server" action.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "errorCode": "",
         "result": "",
         "errorMsg": ""
     },
     "Data": {
         "CodeType": "",
         "Data": {
             "hasMore": "",
             "serverGuid": "",
             "serverName": "",
             "taskId": "",
             "content": [
                 {
                     "content": {
                         "csv": ""
                     },
                     "statusCode": "",
                     "message": ""
                 }
             ],
             "lastContentId": ""
         },
         "Code": "",
         "Message": "",
         "TimeZone": ""
     }
}

operation: Get Task ID of RCA in Table Format

Input parameters

Parameter Description
Task Type Type of API request based on which you want to retrieve the task ID of the table view of an RCA from Trend Micro Apex Central. For endpoint sensors, the value is always CMEF(4). You can choose from the following values: UNKNOWN, INTERNAL, CM, CMEF, OSF_COMMAND, OSF_QUERY, OSF_NOTIFY, OSF_LOG, MDR_ATTACK_DISCOVERY, or OSF_SYS_CALL.
Agent GUID GUID of the target endpoint whose associated RCA task ID of the table view you want to retrieve from Trend Micro Apex Central. You can retrieve Agent GUIDs using the "List Security Agents" action.
Scan Summary GUID GUID of the investigation summary based on which you want to retrieve RCA taskID of the table view from Trend Micro Apex Central. You can retrieve investigation summary GUIDs using the "Get All Investigation Results" action.
Server GUID GUID of the target server based on which you want to retrieve RCA taskID of the table view from Trend Micro Apex Central. You can retrieve Server GUIDs using the "List Product Server" action.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "errorCode": "",
         "result": "",
         "errorMsg": ""
     },
     "Data": {
         "CodeType": "",
         "Data": {
             "hasMore": "",
             "serverGuid": "",
             "serverName": "",
             "taskId": "",
             "content": [
                 {
                     "statusCode": "",
                     "content": {},
                     "message": ""
                 }
             ],
             "lastContentId": ""
         },
         "Code": "",
         "Message": "",
         "TimeZone": ""
     }
}

operation: Get Syslog Data

Input parameters

Parameter Description
Log Type Select the type of log data you want to retrieve from Trend Micro Apex Central.
You can choose from the following log types: Data Loss Prevention, Device Control, Behavior Monitoring, Virus/Malware, Spyware/Grayware, Web Violation, Content Violation, Network Content Inspection, C&C Callback, Suspicious File Information, Predictive Machine Learning, Virtual Analyzer Detections, Application Control, Managed Product User Access, Attack Discovery, Pattern Update Status, Engine Update Status, Product Auditing Events, or Intrusion Prevention.
Page Token (Optional) ID of the log of the first record to query in Trend Micro Apex Central.
Time Range (Optional) Time range based on which you want to retrieve syslogs from Trend Micro Apex Central. You can choose from the following options: Last 24 hours, Today, Last 7 days, Last 14 days, Last 30 days, or Custom Time.
If you choose Custom Time, then in the Since Time parameter specify the date and time of the first record to query in the Trend Micro Apex Central.
Note: If you do not specify the time, then 1000 logs will be retrieved from Trend Micro Apex Central.
Output Format (Optional) Log format in which you want to retrieve the response from Trend Micro Apex Central. Specify 1 or CEF Format.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "ErrorCode": "",
         "Result": "",
         "ErrorMsg": ""
     },
     "Data": {
         "SyslogName": "",
         "Next": "",
         "Count": "",
         "SyslogType": "",
         "SyslogOutputFormat": "",
         "Logs": [],
         "CurrentPage": {
             "SinceTime": "",
             "PageToken": ""
         },
         "NextPage": {
             "SinceTime": "",
             "PageToken": ""
         }
     }
}

operation: List UDSO Entries

Input parameters

Parameter Description
Type Type of suspicious object that you want to query in Trend Micro Apex Central. You can choose from the following types: Files, File SHA-1, IP Addresses, URLs, or Domains.
Content Filter Filters the list of suspicious objects to retrieve only those suspicious objects from Trend Micro Apex Central that match the string (filter) that you have specified.

Output

The output contains the following populated JSON schema:
{
     "PermissionCtrl": {
         "permission": "",
         "elements": ""
     },
     "SystemCtrl": {
         "TmcmSoDist_Role": ""
     },
     "FeatureCtrl": {
         "mode": ""
     },
     "Meta": {
         "ErrorCode": "",
         "Result": "",
         "ErrorMsg": ""
     },
     "Data": [
         {
             "scan_action": "",
             "expiration_utc_date": "",
             "content": "",
             "type": "",
             "notes": ""
         }
     ]
}

Included playbooks

The Sample - Trend Micro Apex Central - 1.0.0 playbook collection comes bundled with the Trend Micro Apex Central connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Trend Micro Apex Central connector.

The following playbooks are used for Data Ingestion:

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling syslogs from Trend Micro Apex Central. Currently, these "logs" from Trend Micro Apex Central are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Trend Micro Apex Central "logs" to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure scheduled pulling of data (sysogs) from Trend Micro Apex Central into FortiSOAR™. It also lets you pull some sample data from Trend Micro Apex Central using which you can define the mapping of data between Trend Micro Apex Central and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users mostly require to only map any custom fields that are added to the Trend Micro Apex Central event. 

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Trend Micro Apex Central connector’s "Configurations" page. 
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between Trend Micro Apex Central data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch Trend Micro Apex Central data.
    Users can choose to pull data from Trend Micro Apex Central by specifying a log type that would be used to search and retrieve logs from Trend Micro Apex Central. You can also specify additional parameters such as the time range for which you want to pull logs from Trend Micro Apex Central and the log format, for example, CEF, of the response. The fetched data is used to create a mapping between the Trend Micro Apex Central data and FortiSOAR™ alerts.

    Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of a Trend Micro Apex Central log to the fields of an alert present in FortiSOAR™. 
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the DeviceProduct parameter of a Trend Micro Apex Central event to the Source Type parameter of a FortiSOAR™ alert, click the Source Type field and then click the DeviceProduct field to populate its keys:  

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.

  4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Trend Micro Apex Central, so that the content gets pulled from the Trend Micro Apex Central integration into FortiSOAR™. 
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.    
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Trend Micro Apex Central every 5 minutes, click Every X Minute and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., logs will be pulled from Trend Micro Apex Central every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion, and exit the Data Ingestion Wizard.