About the connector
Trend Micro Endpoint Sensor identifies affected endpoints through on-demand investigations and monitoring that users can customize according to their needs. The Trend Micro Endpoint Sensor server, through the web-based management console, provides a central location to perform investigations and manage agents.
This document provides information about the Trend Micro Endpoint Sensor connector, which facilitates automated interactions, with your Trend Micro Endpoint Sensor server using FortiSOAR™ playbooks. Add the Trend Micro Endpoint Sensor connector, as a step in FortiSOAR™ playbooks and perform automated operations such as fetching a list of endpoints affected by a task from Trend Micro Endpoint Sensor and searching for an endpoint on the Trend Micro Endpoint Sensor server.
Version information
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.12.1-253
Authored By: Fortinet
Certified: Yes
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-trendmicro-endpoint-sensor
For the detailed procedure to install a connector, click here
Prerequisites to configuring the connector
- You must have the URL of Trend Micro Endpoint Sensor server to which you will connect and perform automated operations and credentials (username-password pair) to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™ , on the connectors page, select the Trend Micro Endpoint Sensor connector row, and in the Configure tab enter the required configuration details.
| Parameter |
Description |
| Server URL |
URL of the Trend Micro Endpoint Sensor server to which you will connect and perform the automated operations. |
| Port |
Port number used for connecting to the Trend Micro Endpoint Sensor server to which you will connect and perform the automated operations. |
| Username |
Username used to access the Trend Micro Endpoint Sensor server to which you will connect and perform the automated operations. |
| Password |
Password used to access the Trend Micro Endpoint Sensor server to which you will connect and perform the automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Retro Scan |
Performs a retro scan on endpoint assets based on the input parameters you have specified. |
retro_scan
Investigation |
| Get Endpoints for Task |
Fetches a list of endpoints affected by a task from Trend Micro Endpoint Sensor based on the task GUID you have specified. |
get_endpoints_for_task
Investigation |
| Check Task Status |
Checks the status of the retro scan from Trend Micro Endpoint Sensor based on the task GUID you have specified. |
check_retro_complete
Investigation |
| Search Endpoint By IP |
Searches for an endpoint on the Trend Micro Endpoint Sensor server based on the source IP address you have specified. |
search_endpoint_by_ip
Investigation |
| Get Report Summary |
Retrieves a report summary from Trend Micro Endpoint Sensor based on the task GUID and endpoint GUID you have specified. |
get_report_summary
Investigation |
operation: Retro Scan
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Endpoint |
Endpoint GUID retrieved from the Trend Micro backend for an endpoint asset on which you want to perform a retro scan. |
| Name |
Name of the scan that you want to run. |
| Tag |
Tag that you want to assign to the scan. |
| Investigation Criteria |
Specify the investigation criteria to perform Retro Scan on Trend Micro Endpoint Sensor.
You can choose from the following options:
DNS Query, IP Address, File Name, File Hash, or User Account.
By default, this option is set as DNS Query.
Based on the Investigation Criteria you specify, you must specify the following parameters:
- If you select DNS Query, then specify the DNS that you want to include in the scan.
- If you select IP Address, then specify the IP Address that you want to include in the scan.
- If you select File Name, then specify the Filename that you want to include in the scan.
- If you select File Hash, then specify the Hash value of the file that you want to include in the scan.
- If you select User Account, then specify the username that you want to include in the scan.
|
Output
The output contains the following populated JSON schema:
{
"TimeZone": "",
"Code": "",
"Data": {
"timeout": "",
"endUnixTime": "",
"timeRange": "",
"commandType": "",
"retroTaskCriteria": "",
"tag": [],
"specificEndpoints": [],
"startUnixTime": "",
"name": "",
"taskGuid": ""
},
"Message": "",
"HasDataSource": ""
}
operation: Get Endpoints for Task
Input parameters
| Parameter |
Description |
| Task GUID |
Task GUID of retro scan that is retrieved from Trend Micro backend for an endpoint asset for which you want to retrieve the affected endpoint list. |
Output
The output contains the following populated JSON schema:
{
"excludedProcess": "",
"hostName": "",
"macAddress": "",
"lastReportedTime": "",
"rootCauseChainCustomized": "",
"ipV4": "",
"patternStatus": "",
"taskStatus": "",
"os": "",
"finishTime": "",
"investigateResult": {
"detailCode": "",
"riskCount": ""
},
"assetTag": "",
"triggerTime": "",
"upgradeStatus": "",
"endpointGuid": "",
"endpointId": "",
"online": "",
"agentConfigSetting": "",
"programVersion": ""
}
operation: Check Task Status
Input parameters
| Parameter |
Description |
| Task GUID |
Task GUID of retro scan that is retrieved from Trend Micro backend for an endpoint asset for which you want to retrieve the status of the retro scan. |
Output
The output contains a non-dictionary value.
operation: Search Endpoint By IP
Input parameters
| Parameter |
Description |
| IP Address |
Source IP address of the endpoint that you want to search for on Trend Micro Endpoint Sensor. |
Output
The output contains a non-dictionary value.
operation: Get Report Summary
Input parameters
| Parameter |
Description |
| Task GUID |
Task GUID retrieved from Trend Micro backend for an endpoint asset for which you want to retrieve the report summary. |
| Endpoint GUID |
Endpoint GUID retrieved from the Trend Micro backend for an endpoint asset for which you want to retrieve the report summary. |
Output
The output contains the following populated JSON schema:
{
"TimeZone": "",
"Meta": "",
"Data": {
"meta": [],
"allowGetMore": "",
"pageId": "",
"hostName": "",
"timezone": "",
"pageTotal": "",
"pages": [],
"rootCauseChain": "",
"detectedObjects": [],
"mindmap": []
},
"Message": "",
"Code": "",
"HasDataSource": ""
}
Included playbooks
The Sample - TrendMicro-Endpoint-Sensor - 1.0.0 playbook collection comes bundled with the Trend Micro Endpoint Sensor connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Trend Micro Endpoint Sensor connector.
- Check Task Status
- Get Endpoints for Task
- Get Report Summary
- Retro Scan
- Search Endpoint By IP
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
