Fortinet Document Library

TrendMicro Deepsecurity

Version: 1.1.0

About the connector

Trend Micro Deep Security provides protection to your servers across the data center and the cloud without compromising performance or security. The Trend Micro Deep Security connector provides an interface to connect to the Trend Micro Deep Security server.

This document provides information about the Trend Micro Deep Security connector, which facilitates automated interactions with a Trend Micro Deep Security server using FortiSOAR™ playbooks. Add the Trend Micro Deep Security connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about events, hosts, and alerts, and assigning a security profile to a host.

 

Version information

Connector Version: 1.1.0

Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later

Compatibility with Trend Micro Deep Security Versions: 8.0 and later

 

Release Notes for version 1.1.0

The following changes have been made to the Trend Micro Deep Security Connector in version 1.1.0:

  • Renamed the Get All Events operation to Get Events. Added new parameters to this operation, such as Lookup Duration, and added new options to the Event Type parameter, such as System Events and Anti-malware Events.
  • Renamed the Get Latest Alerts operation to Get Alerts. Added three new parameters to this operation: Alert ID Filter, Alert ID, and Dismissed, and renamed the Count parameter to Limit.
  • Removed the Get Anti-Malware Events, Get Anti-Malware Events By Name, and Get System Events operations.
  • Added a new operation named Get Application Control Events.
  • Renamed the Scan Computers operation to Scan Endpoint and the Get Latest Alerts operation to Get Alerts.
  • Updated sample playbooks and sample playbook names.
  • Updated annotations.

 

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL of the Trend Micro Deep Security server to which you will connect and perform the automated operations and the credentials to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

 

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Trend Micro Deep Security connector and click Configure to configure the following parameters:

 

  • Server URL: URL of the Trend Micro Deep Security server to which you will connect and perform automated operations.
  • Username: Username for accessing the Trend Micro Deep Security server to which you will connect and perform the automated operations.
  • Password: Encrypted password for accessing the Trend Micro Deep Security server to which you will connect and perform the automated operations.
  • Account Name: Account name that is configured for your account for using the Trend Micro Deep Security server.
  • Port: Port used to connect to the Trend Micro Deep Security server. Defaults to 443.
  • Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not. Defaults to True.

 

Actions supported by the connector

The following automated operations can be included in playbooks; from FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:

 

  • Get Alerts: Retrieves details of all alerts or specific alerts, based on the input parameters such as the alert ID that you have specified, from the Trend Micro Deep Security server. Annotation: get_alerts. Category: Investigation.
  • Scan Endpoint: Scans the endpoint (computer) based on the hostnames and scan type that you have specified on the Trend Micro Deep Security server. Annotation: scan_endpoint. Category: Investigation.
  • Get Security Profile: Retrieves details of the security profile, based on the security profile ID or security profile name you have specified, from the Trend Micro Deep Security server. Annotation: get_profiles. Category: Investigation.
  • Assign Security Profile: Assigns a security profile you have specified using the security profile name or ID to a host you have specified using the hostname, on the Trend Micro Deep Security server.
  • Get Events: Retrieves details of events, based on the input parameters such as the event type that you have specified, from the Trend Micro Deep Security server. Annotation: get_events. Category: Investigation.
  • Get All Hosts: Retrieves details of all available hosts from the Trend Micro Deep Security server. Annotation: get_hosts. Category: Investigation.
  • Get Application Control Events: Retrieves details of application control events, based on the parameters you have specified, from the Trend Micro Deep Security server. Annotation: get_events. Category: Investigation.

 

operation: Get Alerts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criteria are applied and an unfiltered list is returned.

 

  • Alert ID Filter: Criteria based on which you want to filter the Alert ID that you specify. You can choose from the following options: Greater Than, Greater Than Or Equal To, Equal To, Lesser than, or Lesser than Or Equal To. Note: You must specify this option if you are specifying the Alert ID parameter.
  • Alert ID: ID of the alert whose details you want to retrieve from the Trend Micro Deep Security server.
  • Limit: Maximum number of alerts you want this operation to return.
  • Dismissed: Select this option if you want the operation result to include alerts that have been dismissed. By default, this is set to False.

 

Output

The JSON output contains information about all alerts, or alerts based on the input parameters that you have specified, retrieved from the Trend Micro Deep Security server.

The following image displays a sample output:

 

Sample output of the Get Alerts operation

 

operation: Scan Endpoint

Input parameters

 

  • Scan Type: Type of scan that you want to run on the hosts that you specify. You can choose from the following options: Integrity Scan and Recommendation Scan.
  • List of Hostnames (CSV / List Format): Comma-separated hostnames or list of hostnames on which you want to run the scan.

 

Output

The JSON output returns a Success message if the scan runs successfully on the hosts you have specified on the Trend Micro Deep Security server.

The following image displays a sample output:

 

Sample output of the Scan Endpoint operation

 

operation: Get Security Profile

Input parameters

 

  • Security Profile ID or Name: ID or name of the security profile for which you want to retrieve details.

 

Output

The JSON output contains details of the security profile, based on the ID or name of the security profile you have specified, retrieved from the Trend Micro Deep Security server.

The following image displays a sample output:

 

Sample output of the Get Security Profile operation

 

operation: Assign Security Profile

Input parameters

 

  • Security Profile Name: Name of the security profile that you want to assign to the specified host on the Trend Micro Deep Security server.
  • Hostname: Name of the host on the Trend Micro Deep Security server to which you want to assign the specified security profile.

 

Output

The JSON output returns a Success message if the specified security profile is assigned successfully to the specified host on the Trend Micro Deep Security server.

The following image displays a sample output:

 

Sample output of the Assign Security Profile operation

 

operation: Get Events

Input parameters

 

  • Event Type: Type of events for which you want to retrieve details from the Trend Micro Deep Security server. You can choose from the following options: System Events, Anti-malware Events, Integrity Monitoring Events, Log Inspection Events, Web Reputation Events, Deep Packet Inspection Events, or Firewall Events.
  • Hostname (Optional): Name of the host for which you want to retrieve events from the Trend Micro Deep Security server. If you specify a hostname, the Host Type parameter defaults to Specific Host.
  • Host Group ID (Optional): Group IDs of the groups for which you want to retrieve events from the Trend Micro Deep Security server. If you specify a host group ID, the Host Type parameter defaults to Hosts In Group And All Subgroups.
  • Host Type (Optional): Type of host for which you want to retrieve events from the Trend Micro Deep Security server. You can choose from the following options: All Hosts, Hosts In Group, Hosts Using Security Profile, Hosts In Group And All Subgroups, Specific Host, My Hosts. By default, this option is set to All Hosts.
  • Security Profile Name (Optional): Security profile based on which you want to retrieve events from the Trend Micro Deep Security server. If you specify a security profile name, the Host Type parameter defaults to Hosts Using Security Profile.
  • Range From (Optional): DateTime from which you want to retrieve events from the Trend Micro Deep Security server. DateTime must be entered in the standard format YYYY-MM-DDTHH:MM:SS. For example: 2017-12-27T13:45:30. Note: If you specify the Range From and Range To parameters, do not specify the Lookup Duration parameter.
  • Range To (Optional): DateTime until which you want to retrieve events from the Trend Micro Deep Security server. DateTime must be entered in the standard format YYYY-MM-DDTHH:MM:SS. For example: 2017-12-27T13:45:30. Note: If you specify the Range From and Range To parameters, do not specify the Lookup Duration parameter.
  • Lookup Duration (Optional): Time range for which you want to retrieve events from the Trend Micro Deep Security server. You can choose from the following options: Last Hour, Last 24 Hours, or Last 7 Days.
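The Host Type defaults and the rule that Range From/Range To must not be combined with Lookup Duration are easy to get wrong when a playbook builds these inputs dynamically. The following Python helper is an example added here, not the connector's own code: it validates a Get Events parameter set the way the list above describes, and the dict keys it returns are the parameter labels from that list, an assumption, since the connector's internal field names are not on this page.

```python
from datetime import datetime
from typing import Optional

# Option names exactly as the Get Events parameter list gives them.
EVENT_TYPES = {"System Events", "Anti-malware Events", "Integrity Monitoring Events",
               "Log Inspection Events", "Web Reputation Events",
               "Deep Packet Inspection Events", "Firewall Events"}
HOST_TYPES = {"All Hosts", "Hosts In Group", "Hosts Using Security Profile",
              "Hosts In Group And All Subgroups", "Specific Host", "My Hosts"}
LOOKUP_DURATIONS = {"Last Hour", "Last 24 Hours", "Last 7 Days"}
DATETIME_FORMAT = "%Y-%m-%dT%H:%M:%S"  # the documented YYYY-MM-DDTHH:MM:SS form


def parse_datetime(value: str) -> datetime:
    """Accept only the documented DateTime format, e.g. 2017-12-27T13:45:30."""
    try:
        return datetime.strptime(value, DATETIME_FORMAT)
    except ValueError as exc:
        raise ValueError(f"bad DateTime {value!r}; expected YYYY-MM-DDTHH:MM:SS") from exc


def build_get_events_params(event_type, hostname=None, host_group_id=None,
                            security_profile_name=None, host_type=None,
                            range_from=None, range_to=None, lookup_duration=None):
    """Validate a Get Events parameter set and apply the documented Host Type defaults."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unknown Event Type {event_type!r}")

    # Host Type defaults depend on which scoping parameter was supplied.
    if host_type is None:
        if hostname:
            host_type = "Specific Host"
        elif host_group_id:
            host_type = "Hosts In Group And All Subgroups"
        elif security_profile_name:
            host_type = "Hosts Using Security Profile"
        else:
            host_type = "All Hosts"
    if host_type not in HOST_TYPES:
        raise ValueError(f"unknown Host Type {host_type!r}")

    # Range From/Range To and Lookup Duration must not be combined.
    if (range_from or range_to) and lookup_duration is not None:
        raise ValueError("specify either Range From/Range To or Lookup Duration, not both")
    start = parse_datetime(range_from) if range_from else None
    end = parse_datetime(range_to) if range_to else None
    if start and end and start > end:
        raise ValueError("Range From must not be later than Range To")
    if lookup_duration is not None and lookup_duration not in LOOKUP_DURATIONS:
        raise ValueError(f"unknown Lookup Duration {lookup_duration!r}")

    # Keys are the parameter labels from the list (an assumption; real field names are not on the page).
    params = {"Event Type": event_type, "Host Type": host_type}
    for label, value in (("Hostname", hostname), ("Host Group ID", host_group_id),
                         ("Security Profile Name", security_profile_name),
                         ("Range From", range_from), ("Range To", range_to),
                         ("Lookup Duration", lookup_duration)):
        if value is not None:
            params[label] = value
    return params


def get_events_error(**kwargs) -> Optional[str]:
    """Return the validation message for a parameter set, or None when it is acceptable."""
    try:
        build_get_events_params(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None
```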

 

Output

The JSON output contains details of events based on the event type and other input parameters that you have specified, retrieved from the Trend Micro Deep Security server.

The following image displays a sample output:

 

Sample output of the Get Events operation

 

operation: Get All Hosts

Input parameters

None.

Output

The JSON output contains details of all available hosts retrieved from the Trend Micro Deep Security server.

The following image displays a sample output:

 

Sample output of the Get All Hosts operation

 

operation: Get Application Control Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criteria are applied and an unfiltered list is returned.

 

  • Event Time Filter: Criteria based on which you want to filter the Event Time that you specify. You can choose from the following options: Greater Than, Greater Than Or Equal To, Equal To, Lesser than, or Lesser than Or Equal To. Note: You must specify this option if you are specifying the Event Time parameter.
  • Event Time: Time of the event based on which you want to retrieve application control events from the Trend Micro Deep Security server. Note: You can filter the event time using the Event Time Filter parameter.
  • Limit: Maximum number of application control events you want this operation to return.
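The Get Alerts and Get Application Control Events operations share the same filter vocabulary (Greater Than, Equal To, and so on) applied to an Alert ID or an Event Time, plus a Limit, and Get Alerts additionally hides dismissed alerts unless Dismissed is set. The Python below is an example added here, not connector code: it applies those semantics to constructed sample records so the effect of each parameter combination can be checked offline.

```python
import operator
from datetime import datetime

# The five comparison options offered by Alert ID Filter and Event Time Filter.
FILTER_OPS = {
    "Greater Than": operator.gt,
    "Greater Than Or Equal To": operator.ge,
    "Equal To": operator.eq,
    "Lesser than": operator.lt,
    "Lesser than Or Equal To": operator.le,
}
DATETIME_FORMAT = "%Y-%m-%dT%H:%M:%S"  # the documented YYYY-MM-DDTHH:MM:SS form

# Constructed sample records (not real connector output) to exercise the filters.
SAMPLE_ALERTS = [
    {"id": 101, "dismissed": False, "name": "Anti-Malware engine offline"},
    {"id": 102, "dismissed": True, "name": "Computer clock changed"},
    {"id": 105, "dismissed": False, "name": "Integrity scan pending"},
    {"id": 110, "dismissed": False, "name": "Agent communication problem"},
]
SAMPLE_APP_CONTROL_EVENTS = [
    {"time": "2017-12-27T13:45:30", "host": "web01", "action": "blocked"},
    {"time": "2017-12-27T14:00:00", "host": "web01", "action": "allowed"},
    {"time": "2017-12-28T09:15:00", "host": "db02", "action": "blocked"},
]


def apply_filter(records, key, filter_name=None, value=None, limit=None):
    """Keep records where `key(record) <filter_name> value` holds, then cap at limit."""
    if value is not None and filter_name is None:
        # Both parameter lists require the filter criterion whenever the value is given.
        raise ValueError("a filter criterion must be specified together with the value")
    if filter_name is not None and filter_name not in FILTER_OPS:
        raise ValueError(f"unknown filter {filter_name!r}")
    if filter_name is not None and value is not None:
        compare = FILTER_OPS[filter_name]
        records = [r for r in records if compare(key(r), value)]
    else:
        records = list(records)  # no criteria: unfiltered list, as the notes state
    return records[:limit] if limit is not None else records


def get_alerts(alerts, alert_id_filter=None, alert_id=None, limit=None, dismissed=False):
    """Mirror the Get Alerts inputs: dismissed alerts are excluded unless dismissed=True."""
    visible = [a for a in alerts if dismissed or not a["dismissed"]]
    return apply_filter(visible, lambda a: a["id"], alert_id_filter, alert_id, limit)


def get_application_control_events(events, event_time_filter=None, event_time=None,
                                   limit=None):
    """Mirror the Get Application Control Events inputs; Event Time uses the documented format."""
    cutoff = datetime.strptime(event_time, DATETIME_FORMAT) if event_time is not None else None
    return apply_filter(events, lambda e: datetime.strptime(e["time"], DATETIME_FORMAT),
                        event_time_filter, cutoff, limit)
```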

 

Output

The JSON output contains information about all application control events, or about application control events based on the input parameters that you have specified, retrieved from the Trend Micro Deep Security server.

The following image displays a sample output:

 

Sample output of the Get Application Control Events operation

 

Included playbooks

The Sample - DeepSecurity - 1.1.0 playbook collection comes bundled with the Trend Micro Deep Security connector. This collection contains playbooks with steps that show how to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Trend Micro Deep Security connector.

  • Assign Security Profile
  • Get Alerts
  • Get All Hosts
  • Get Application Control Events
  • Get Events
  • Get Security Profile
  • Scan Endpoint

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

 
