Trend Micro Endpoint Sensor identifies affected endpoints through on-demand investigations and monitoring that users can customize according to their needs. The Trend Micro Endpoint Sensor server, through the web-based management console, provides a central location to perform investigations and manage agents.
This document provides information about the Trend Micro Endpoint Sensor connector, which facilitates automated interactions with your Trend Micro Endpoint Sensor server using FortiSOAR™ playbooks. Add the Trend Micro Endpoint Sensor connector as a step in FortiSOAR™ playbooks to perform automated operations such as fetching the list of endpoints affected by a retro scan task or searching for an endpoint by IP address on the Trend Micro Endpoint Sensor server.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.12.1-253
Authored By: Fortinet
Certified: Yes
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-trendmicro-endpoint-sensor
For the detailed procedure to install a connector, click here
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, select the Trend Micro Endpoint Sensor connector row, and in the Configure tab enter the required configuration details.
Parameter | Description |
---|---|
Server URL | URL of the Trend Micro Endpoint Sensor server to which the connector connects to perform the automated operations. |
Port | Port number on which the Trend Micro Endpoint Sensor server accepts connections from the connector. |
Username | Username used to authenticate to the Trend Micro Endpoint Sensor server. |
Password | Password used to authenticate to the Trend Micro Endpoint Sensor server. |
Verify SSL | Specifies whether the SSL/TLS certificate presented by the server is verified. By default, this option is set as True. Leave it enabled outside of a lab: with verification disabled, the connector sends the configured username and password to whatever answers at the configured URL and port, so an attacker on the network path can capture the credentials and return forged scan results. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Retro Scan | Performs a retro scan on endpoint assets based on the input parameters you have specified. | retro_scan Investigation |
Get Endpoints for Task | Fetches a list of endpoints affected by a task from Trend Micro Endpoint Sensor based on the task GUID you have specified. | get_endpoints_for_task Investigation |
Check Task Status | Checks the status of the retro scan from Trend Micro Endpoint Sensor based on the task GUID you have specified. | check_retro_complete Investigation |
Search Endpoint By IP | Searches for an endpoint on the Trend Micro Endpoint Sensor server based on the source IP address you have specified. | search_endpoint_by_ip Investigation |
Get Report Summary | Retrieves a report summary from Trend Micro Endpoint Sensor based on the task GUID and endpoint GUID you have specified. | get_report_summary Investigation |
Input parameters for the Retro Scan operation. Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied and an unfiltered list is returned.
Parameter | Description |
---|---|
Endpoint | Endpoint GUID retrieved from the Trend Micro backend for the endpoint asset on which you want to perform the retro scan. |
Name | Name of the scan that you want to run. |
Tag | Tag that you want to assign to the scan. |
Investigation Criteria | Investigation criteria for the retro scan on Trend Micro Endpoint Sensor. You can choose from the following options: DNS Query, IP Address, File Name, File Hash, or User Account. By default, this option is set as DNS Query. |
The output contains the following populated JSON schema:
{
"TimeZone": "",
"Code": "",
"Data": {
"timeout": "",
"endUnixTime": "",
"timeRange": "",
"commandType": "",
"retroTaskCriteria": "",
"tag": [],
"specificEndpoints": [],
"startUnixTime": "",
"name": "",
"taskGuid": ""
},
"Message": "",
"HasDataSource": ""
}
Input parameters for the Get Endpoints for Task operation:
Parameter | Description |
---|---|
Task GUID | GUID of the retro scan task (returned in the taskGuid field of the Retro Scan output) whose list of affected endpoints you want to retrieve. |
The output contains the following populated JSON schema:
{
"excludedProcess": "",
"hostName": "",
"macAddress": "",
"lastReportedTime": "",
"rootCauseChainCustomized": "",
"ipV4": "",
"patternStatus": "",
"taskStatus": "",
"os": "",
"finishTime": "",
"investigateResult": {
"detailCode": "",
"riskCount": ""
},
"assetTag": "",
"triggerTime": "",
"upgradeStatus": "",
"endpointGuid": "",
"endpointId": "",
"online": "",
"agentConfigSetting": "",
"programVersion": ""
}
Input parameters for the Check Task Status operation:
Parameter | Description |
---|---|
Task GUID | GUID of the retro scan task (returned in the taskGuid field of the Retro Scan output) whose status you want to check. |
The output contains a non-dictionary value.
Input parameters for the Search Endpoint By IP operation:
Parameter | Description |
---|---|
IP Address | Source IP address of the endpoint that you want to search for on Trend Micro Endpoint Sensor. |
The output contains a non-dictionary value.
Input parameters for the Get Report Summary operation:
Parameter | Description |
---|---|
Task GUID | GUID of the retro scan task (returned in the taskGuid field of the Retro Scan output) for which you want to retrieve the report summary. |
Endpoint GUID | GUID of the endpoint (returned in the endpointGuid field of the Get Endpoints for Task output) for which you want to retrieve the report summary. |
The output contains the following populated JSON schema:
{
"TimeZone": "",
"Meta": "",
"Data": {
"meta": [],
"allowGetMore": "",
"pageId": "",
"hostName": "",
"timezone": "",
"pageTotal": "",
"pages": [],
"rootCauseChain": "",
"detectedObjects": [],
"mindmap": []
},
"Message": "",
"Code": "",
"HasDataSource": ""
}
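As an added example (not code from the connector, from Fortinet, or from Trend Micro), the following Python script chains the operations in the order a playbook would use them: Retro Scan, then Check Task Status polled until the task completes, then Get Endpoints for Task, then Get Report Summary for each endpoint that reported hits. The Trend Micro Endpoint Sensor API itself and the concrete values of fields such as Code, taskStatus and riskCount are not documented on this page, so the server is replaced by a constructed in-memory stand-in (FakeEndpointSensor) whose responses follow only the output schemas shown above; every assumed value is marked in a comment. The endpoint inventory, GUIDs, host names and IP addresses are constructed sample data.

```python
import time

# Investigation criteria the Retro Scan operation accepts, as listed on this page.
CRITERIA = {"DNS Query", "IP Address", "File Name", "File Hash", "User Account"}


class FakeEndpointSensor:
    """Constructed stand-in for the server; the real API is not on this page.
    Responses mirror the documented output schemas. Code == 0 meaning success and
    taskStatus == "Finished" meaning the agent answered are assumptions."""

    def __init__(self, polls_until_done=2):
        self.tasks, self.polls = {}, {}
        self.polls_until_done = polls_until_done
        # Constructed inventory: a clean host, a host with hits, and an offline
        # host that never reported back for the task (empty riskCount).
        self.endpoints = [
            {"endpointGuid": "ep-0001", "hostName": "ws-finance-01", "ipV4": "10.0.10.21",
             "online": True, "taskStatus": "Finished",
             "investigateResult": {"detailCode": "0", "riskCount": "0"}},
            {"endpointGuid": "ep-0002", "hostName": "ws-finance-02", "ipV4": "10.0.10.22",
             "online": True, "taskStatus": "Finished",
             "investigateResult": {"detailCode": "0", "riskCount": "3"}},
            {"endpointGuid": "ep-0003", "hostName": "lt-sales-07", "ipV4": "10.0.20.5",
             "online": False, "taskStatus": "Pending",
             "investigateResult": {"detailCode": "", "riskCount": ""}},
        ]

    def retro_scan(self, endpoints, name, tag, criteria):
        task_guid = "task-%04d" % (len(self.tasks) + 1)
        self.tasks[task_guid], self.polls[task_guid] = list(endpoints), 0
        now = int(time.time())
        return {"TimeZone": "UTC", "Code": 0, "Message": "", "HasDataSource": True,
                "Data": {"taskGuid": task_guid, "name": name, "tag": [tag],
                         "specificEndpoints": list(endpoints), "retroTaskCriteria": criteria,
                         "commandType": "retroScan", "timeout": 600, "timeRange": 0,
                         "startUnixTime": now, "endUnixTime": now}}

    def check_retro_complete(self, task_guid):
        """Non-dictionary value, as the page states for Check Task Status."""
        self.polls[task_guid] += 1
        return self.polls[task_guid] >= self.polls_until_done

    def get_endpoints_for_task(self, task_guid):
        # No Endpoint filter on the scan means every endpoint is in scope.
        wanted = set(self.tasks[task_guid])
        return [e for e in self.endpoints if not wanted or e["endpointGuid"] in wanted]

    def search_endpoint_by_ip(self, ip):
        """Non-dictionary value, as the page states for Search Endpoint By IP."""
        return [e["endpointGuid"] for e in self.endpoints if e["ipV4"] == ip]

    def get_report_summary(self, task_guid, endpoint_guid):
        ep = next(e for e in self.endpoints if e["endpointGuid"] == endpoint_guid)
        hits = int(ep["investigateResult"]["riskCount"] or 0)
        return {"TimeZone": "UTC", "Code": 0, "Message": "", "HasDataSource": True, "Meta": "",
                "Data": {"hostName": ep["hostName"], "timezone": "UTC", "pageId": 1,
                         "pageTotal": 1, "allowGetMore": False, "meta": [], "pages": [],
                         "mindmap": [], "rootCauseChain": "",
                         "detectedObjects": [{"type": "file", "id": i} for i in range(hits)]}}


def wait_for_task(client, task_guid, attempts=5, delay=0.0):
    """Poll Check Task Status until it reports completion or attempts run out."""
    for _ in range(attempts):
        if client.check_retro_complete(task_guid):
            return True
        time.sleep(delay)
    return False


def triage(endpoints):
    """Split a Get Endpoints for Task result into hits, clean and unresolved hosts.
    A host that never finished the task has an empty riskCount; treating it as
    clean would silently drop it from the investigation, so it is kept apart."""
    hits, clean, unresolved = [], [], []
    for e in endpoints:
        count = e["investigateResult"]["riskCount"]
        if e["taskStatus"] != "Finished" or count == "":
            unresolved.append(e)
        elif int(count) > 0:
            hits.append(e)
        else:
            clean.append(e)
    return hits, clean, unresolved


def investigate(client, criteria, name, tag="fortisoar", endpoints=None):
    """Run the full playbook flow and return per-endpoint results plus summaries."""
    if criteria not in CRITERIA:
        raise ValueError("unsupported investigation criteria: %r" % criteria)
    scan = client.retro_scan(endpoints or [], name, tag, criteria)
    if scan["Code"] != 0:  # assumed success code
        raise RuntimeError("retro scan rejected: %s" % scan["Message"])
    task_guid = scan["Data"]["taskGuid"]
    if not wait_for_task(client, task_guid):
        raise TimeoutError("retro scan %s did not finish in time" % task_guid)
    hits, clean, unresolved = triage(client.get_endpoints_for_task(task_guid))
    summaries = {e["endpointGuid"]: client.get_report_summary(task_guid, e["endpointGuid"])["Data"]
                 for e in hits}
    return {"taskGuid": task_guid, "hits": hits, "clean": clean,
            "unresolved": unresolved, "summaries": summaries}
```

Two points carry over to a real playbook: the Check Task Status loop must be bounded (a scan that never completes should fail the playbook rather than hang it), and endpoints that never answered the task must be reported separately instead of being counted as clean, since an offline or tampered host is exactly the one an investigation must not lose.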
The Sample - TrendMicro-Endpoint-Sensor - 1.0.0 playbook collection comes bundled with the Trend Micro Endpoint Sensor connector. These playbooks contain steps that show how to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Trend Micro Endpoint Sensor connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.