Trend Micro Endpoint Sensor

1.0.0

About the connector

Trend Micro Endpoint Sensor identifies affected endpoints through on-demand investigations and monitoring that users can customize according to their needs. The Trend Micro Endpoint Sensor server, through the web-based management console, provides a central location to perform investigations and manage agents.

This document provides information about the Trend Micro Endpoint Sensor connector, which facilitates automated interactions with your Trend Micro Endpoint Sensor server using FortiSOAR™ playbooks. Add the Trend Micro Endpoint Sensor connector as a step in FortiSOAR™ playbooks and perform automated operations such as fetching a list of endpoints affected by a task from Trend Micro Endpoint Sensor and searching for an endpoint on the Trend Micro Endpoint Sensor server.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 4.12.1-253

Authored By: Fortinet

Certified: Yes

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-trendmicro-endpoint-sensor

For the detailed procedure to install a connector, click here

Prerequisites to configuring the connector

  • You must have the URL of the Trend Micro Endpoint Sensor server to which you will connect and perform automated operations, and the credentials (username-password pair) to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the connectors page, select the Trend Micro Endpoint Sensor connector row, and in the Configure tab enter the required configuration details.

Server URL: URL of the Trend Micro Endpoint Sensor server to which you will connect and perform the automated operations.
Port: Port number used for connecting to the Trend Micro Endpoint Sensor server to which you will connect and perform the automated operations.
Username: Username used to access the Trend Micro Endpoint Sensor server to which you will connect and perform the automated operations.
Password: Password used to access the Trend Micro Endpoint Sensor server to which you will connect and perform the automated operations.
Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Retro Scan
  Performs a retro scan on endpoint assets based on the input parameters you have specified.
  Annotation: retro_scan; Category: Investigation

Get Endpoints for Task
  Fetches a list of endpoints affected by a task from Trend Micro Endpoint Sensor based on the task GUID you have specified.
  Annotation: get_endpoints_for_task; Category: Investigation

Check Task Status
  Checks the status of the retro scan from Trend Micro Endpoint Sensor based on the task GUID you have specified.
  Annotation: check_retro_complete; Category: Investigation

Search Endpoint By IP
  Searches for an endpoint on the Trend Micro Endpoint Sensor server based on the source IP address you have specified.
  Annotation: search_endpoint_by_ip; Category: Investigation

Get Report Summary
  Retrieves a report summary from Trend Micro Endpoint Sensor based on the task GUID and endpoint GUID you have specified.
  Annotation: get_report_summary; Category: Investigation

operation: Retro Scan

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Endpoint: Endpoint GUID retrieved from the Trend Micro backend for an endpoint asset on which you want to perform a retro scan.
Name: Name of the scan that you want to run.
Tag: Tag that you want to assign to the scan.
Investigation Criteria: Specify the investigation criteria to perform Retro Scan on Trend Micro Endpoint Sensor. You can choose from the following options: DNS Query, IP Address, File Name, File Hash, or User Account. By default, this option is set as DNS Query. Based on the Investigation Criteria you specify, you must specify the following parameters:

  • If you select DNS Query, then specify the DNS that you want to include in the scan.
  • If you select IP Address, then specify the IP Address that you want to include in the scan.
  • If you select File Name, then specify the Filename that you want to include in the scan.
  • If you select File Hash, then specify the Hash value of the file that you want to include in the scan.
  • If you select User Account, then specify the username that you want to include in the scan.
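A playbook that feeds user-supplied values into a Retro Scan step should check that the value is a well-formed instance of the chosen Investigation Criteria before the connector is called, otherwise a typo silently produces an empty scan. The following Python function is an added example, not code from the connector or its playbooks: the five criteria names are the ones listed above, while the validation rules (DNS label syntax, IP parsing, digest lengths for MD5, SHA-1 and SHA-256, the disallowed file-name characters) are assumptions made for this example.

```python
import ipaddress
import re
from typing import Dict

# The five criteria names are the ones the page lists for the Investigation
# Criteria parameter. The checks applied to each value are assumptions made
# for this example; the connector itself documents no validation.
_CRITERIA = ("DNS Query", "IP Address", "File Name", "File Hash", "User Account")
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_HEX = re.compile(r"^[0-9a-f]+$")
_HASH_ALGO = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}   # algorithm inferred from digest length
_FILENAME_BAD = set('\\/:*?"<>|')                     # path separators and Windows-reserved characters


def validate_retro_scan_criteria(criteria: str, value: str) -> Dict[str, str]:
    """Normalise one (criteria, value) pair for a Retro Scan step.

    Returns a dict with the criteria name and the cleaned value (plus the
    detected hash algorithm for File Hash); raises ValueError when the value
    cannot be a well-formed instance of the chosen criteria.
    """
    if criteria not in _CRITERIA:
        raise ValueError(f"unknown investigation criteria: {criteria!r}")
    value = value.strip()
    if not value or any(ord(c) < 32 for c in value):
        raise ValueError("value must be non-empty and free of control characters")

    if criteria == "DNS Query":
        host = value.rstrip(".").lower()
        labels = host.split(".")
        if len(host) > 253 or not all(_DNS_LABEL.match(lbl) for lbl in labels):
            raise ValueError(f"not a valid DNS name: {value!r}")
        return {"criteria": criteria, "value": host}

    if criteria == "IP Address":
        try:
            addr = ipaddress.ip_address(value)      # accepts IPv4 and IPv6, rejects 999.1.1.1
        except ValueError:
            raise ValueError(f"not a valid IP address: {value!r}") from None
        return {"criteria": criteria, "value": str(addr)}

    if criteria == "File Name":
        # The parameter is a file name, not a path (assumption), so reject separators.
        if _FILENAME_BAD & set(value) or len(value) > 255:
            raise ValueError(f"not a valid file name: {value!r}")
        return {"criteria": criteria, "value": value}

    if criteria == "File Hash":
        digest = value.lower()
        if not _HEX.match(digest) or len(digest) not in _HASH_ALGO:
            raise ValueError(f"not an MD5, SHA-1 or SHA-256 hex digest: {value!r}")
        return {"criteria": criteria, "value": digest, "algorithm": _HASH_ALGO[len(digest)]}

    # User Account: keep as given, but refuse embedded whitespace, which is
    # almost always a copy-paste error rather than a real account name.
    if any(c.isspace() for c in value):
        raise ValueError(f"user account must not contain whitespace: {value!r}")
    return {"criteria": criteria, "value": value}
```

Run the check in the playbook step that collects the criteria and stop the playbook on ValueError; the normalised value (lower-cased host name or digest, canonical IP text) is what goes into the Retro Scan parameters.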

Output

The output contains the following populated JSON schema:

{
     "TimeZone": "",
     "Code": "",
     "Data": {
         "timeout": "",
         "endUnixTime": "",
         "timeRange": "",
         "commandType": "",
         "retroTaskCriteria": "",
         "tag": [],
         "specificEndpoints": [],
         "startUnixTime": "",
         "name": "",
         "taskGuid": ""
     },
     "Message": "",
     "HasDataSource": ""
}

operation: Get Endpoints for Task

Input parameters

Task GUID: Task GUID of retro scan that is retrieved from Trend Micro backend for an endpoint asset for which you want to retrieve the affected endpoint list.

Output

The output contains the following populated JSON schema:

{
     "excludedProcess": "",
     "hostName": "",
     "macAddress": "",
     "lastReportedTime": "",
     "rootCauseChainCustomized": "",
     "ipV4": "",
     "patternStatus": "",
     "taskStatus": "",
     "os": "",
     "finishTime": "",
     "investigateResult": {
         "detailCode": "",
         "riskCount": ""
     },
     "assetTag": "",
     "triggerTime": "",
     "upgradeStatus": "",
     "endpointGuid": "",
     "endpointId": "",
     "online": "",
     "agentConfigSetting": "",
     "programVersion": ""
}

operation: Check Task Status

Input parameters

Task GUID: Task GUID of retro scan that is retrieved from Trend Micro backend for an endpoint asset for which you want to retrieve the status of the retro scan.

Output

The output contains a non-dictionary value.

operation: Search Endpoint By IP

Input parameters

IP Address: Source IP address of the endpoint that you want to search for on Trend Micro Endpoint Sensor.

Output

The output contains a non-dictionary value.

operation: Get Report Summary

Input parameters

Task GUID: Task GUID retrieved from Trend Micro backend for an endpoint asset for which you want to retrieve the report summary.
Endpoint GUID: Endpoint GUID retrieved from the Trend Micro backend for an endpoint asset for which you want to retrieve the report summary.

Output

The output contains the following populated JSON schema:

{
     "TimeZone": "",
     "Meta": "",
     "Data": {
         "meta": [],
         "allowGetMore": "",
         "pageId": "",
         "hostName": "",
         "timezone": "",
         "pageTotal": "",
         "pages": [],
         "rootCauseChain": "",
         "detectedObjects": [],
         "mindmap": []
     },
     "Message": "",
     "Code": "",
     "HasDataSource": ""
}

Included playbooks

The Sample - TrendMicro-Endpoint-Sensor - 1.0.0 playbook collection comes bundled with the Trend Micro Endpoint Sensor connector. These playbooks contain the steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Trend Micro Endpoint Sensor connector.

  • Check Task Status
  • Get Endpoints for Task
  • Get Report Summary
  • Retro Scan
  • Search Endpoint By IP

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
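In practice the five actions are chained: Retro Scan returns a task GUID, Check Task Status is polled until the scan completes, Get Endpoints for Task lists the endpoints the task touched, and Get Report Summary is fetched for the ones that actually have findings. The Python below is an added example of that sequence, not code from the connector or its bundled playbooks. It assumes the connector is reachable as a callable taking the annotation name and a parameter dict; the parameter key names (`investigation_criteria`, `value`, `name`, `tag`, `task_guid`, `endpoint_guid`) are assumptions, and `FakeSensorConnector` is a constructed stand-in that answers in the shapes of the output schemas documented above with invented values, so the example runs offline.

```python
import time
from typing import Any, Callable, Dict, List

# Assumed shape of a connector invocation for this example: a callable that
# takes the annotation name from the action table and a parameter dict and
# returns that action's output. The parameter key names used below are
# assumptions, not the connector's own field names.
Action = Callable[[str, Dict[str, Any]], Any]


def run_retro_scan_triage(call: Action, criteria: str, value: str, name: str, tag: str,
                          max_polls: int = 20, poll_interval: float = 30.0,
                          sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Retro Scan -> Check Task Status (polled) -> Get Endpoints for Task
    -> Get Report Summary for every endpoint whose investigateResult.riskCount > 0."""
    scan = call("retro_scan", {"investigation_criteria": criteria, "value": value,
                               "name": name, "tag": tag})
    task_guid = scan["Data"]["taskGuid"]          # Data.taskGuid from the Retro Scan output
    for _ in range(max_polls):
        # Check Task Status returns a non-dictionary value; treated as truthy when done.
        if call("check_retro_complete", {"task_guid": task_guid}):
            break
        sleep(poll_interval)
    else:
        raise TimeoutError(f"retro scan {task_guid} not complete after {max_polls} polls")

    endpoints: List[Dict[str, Any]] = call("get_endpoints_for_task", {"task_guid": task_guid})
    hits: List[Dict[str, Any]] = []
    for ep in endpoints:
        try:                                      # riskCount is a string in the schema; treat junk as 0
            risk = int(ep.get("investigateResult", {}).get("riskCount") or 0)
        except (TypeError, ValueError):
            risk = 0
        if risk <= 0:
            continue                              # no findings: skip the report round-trip
        report = call("get_report_summary",
                      {"task_guid": task_guid, "endpoint_guid": ep["endpointGuid"]})
        hits.append({"hostName": ep["hostName"], "ipV4": ep["ipV4"], "riskCount": risk,
                     "detectedObjects": list(report["Data"]["detectedObjects"])})
    return {"taskGuid": task_guid, "endpointsScanned": len(endpoints), "hits": hits}


class FakeSensorConnector:
    """Constructed stand-in answering in the shapes of the documented output
    schemas; every value it returns is invented for this example."""

    def __init__(self, polls_until_done: int = 2):
        self.polls_until_done = polls_until_done  # number of "still running" answers
        self.polls = 0
        self.calls: List[str] = []

    def __call__(self, action: str, params: Dict[str, Any]) -> Any:
        self.calls.append(action)
        if action == "retro_scan":
            return {"TimeZone": "UTC", "Code": 0, "Message": "", "HasDataSource": True,
                    "Data": {"taskGuid": "TASK-0001", "name": params["name"], "tag": [params["tag"]],
                             "retroTaskCriteria": params["value"], "commandType": "", "timeout": "",
                             "timeRange": "", "specificEndpoints": [], "startUnixTime": "",
                             "endUnixTime": ""}}
        if action == "check_retro_complete":
            self.polls += 1
            return self.polls > self.polls_until_done
        if action == "get_endpoints_for_task":
            common = {"taskStatus": "finished", "os": "Windows 10", "online": True, "assetTag": "",
                      "investigateResult": {"detailCode": "", "riskCount": "0"}}
            return [dict(common, endpointGuid="EP-A", hostName="ws-finance-07", ipV4="10.20.1.17",
                         investigateResult={"detailCode": "", "riskCount": "2"}),
                    dict(common, endpointGuid="EP-B", hostName="ws-hr-03", ipV4="10.20.2.9")]
        if action == "get_report_summary":
            return {"TimeZone": "UTC", "Meta": "", "Message": "", "Code": 0, "HasDataSource": True,
                    "Data": {"hostName": "ws-finance-07", "timezone": "UTC", "meta": [], "pages": [],
                             "pageId": 1, "pageTotal": 1, "allowGetMore": False, "rootCauseChain": "",
                             "mindmap": [], "detectedObjects": ["lookup.example.test", "dropper.exe"]}}
        raise ValueError(f"unsupported action: {action}")


if __name__ == "__main__":
    fake = FakeSensorConnector()
    print(run_retro_scan_triage(fake, "DNS Query", "lookup.example.test", "dns-sweep",
                                "ir-case-42", poll_interval=0.0, sleep=lambda _s: None))
```

The `max_polls` bound matters in a real playbook: a retro scan that never completes (agent offline, task rejected) must fail the step loudly rather than leave the playbook polling forever, and fetching Get Report Summary only for endpoints with a non-zero `riskCount` keeps the number of requests to the sensor server proportional to actual findings rather than to fleet size.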