Trend Micro Vision One V3
TrendAI Vision One™ is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response (XDR) capabilities that collect and automatically correlate data across multiple security layers—email, endpoints, servers, cloud workloads, and networks—TrendAI Vision One™ prevents the majority of attacks with automated protection.
Data Enrichment & Threat Intelligence · TrendAI Vision One™
Configuration parameters
url— API URL (e.g. https://api.xdr.trendmicro.com) (required)apikey— (required)isFetch— Fetch incidentsincidentFetchInterval— Incidents Fetch IntervalincidentType— Incident typefirst_fetch— Sync On First Run (days)max_fetch— Max Incidentsproxy— Use system proxy settingsinsecure— Trust any certificate (not secure)integrationReliability— Source Reliabilityincident_severity— Severitymirror_direction— Incident Mirroring Direction
Commands (47)
-
get-mapping-fieldsReturns the list of fields for an incident type. This command is used for incident mirroring.
-
get-modified-remote-dataGets the list of Vision One alerts that were modified since the last update time. This command is used for incoming mirroring.
-
get-remote-dataGets remote data from Vision One for a specific alert. This method is used for incoming mirroring and debugging purposes.
-
trendmicro-visionone-add-custom-scriptAdds a custom script to V1 portal in Response management under custom scripts.
-
trendmicro-visionone-add-noteAttaches a note to a workbench alert.
-
trendmicro-visionone-add-objects-to-exception-listAdds domain, ip, url, file_sha1, file_sha256, sender_mail_address to the Exception List and prevents these objects from being added to the Suspicious Object List.
-
trendmicro-visionone-add-objects-to-suspicious-listAdds domain, ip, url, file_sha1, file_sha256, sender_mail_address to the Suspicious Object List.
-
trendmicro-visionone-add-to-block-listAdds a domain, ip, file_sha1, url, sender_mail_address to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections.
-
trendmicro-visionone-check-task-statusCommand gives the status of the running task based on the task id.
-
trendmicro-visionone-collect-forensic-fileCompresses a file on an endpoint in a password-protected archive and then sends the archive to the XDR service platform.
-
trendmicro-visionone-delete-custom-scriptDelete a custom script based on script ID.
-
trendmicro-visionone-delete-email-messageDeletes a message from a mailbox.
-
trendmicro-visionone-delete-objects-from-exception-listDeletes domain, ip, url, file_sha1, file_sha256, sender_mail_address from the Exception List.
-
trendmicro-visionone-delete-objects-from-suspicious-listDeletes domain, ip, url, file_sha1, file_sha256, sender_mail_address from the Suspicious Object List.
-
trendmicro-visionone-disable-user-accountSigns the user out of all active application and browser sessions, and prevents the user from signing in any new session. Supported IAM systems -> Azure AD and Active Directory (on-premises).
-
trendmicro-visionone-download-analysis-reportDownloads the analysis report for an object submitted to sandbox for analysis based on the submission ID.
-
trendmicro-visionone-download-custom-scriptDownloads the contents of a custom script based on script ID.
-
trendmicro-visionone-download-information-for-collected-forensic-fileRetrieves a URL and other information required to download a collected file via the trendmicro-visionone-collect-forensic-file command.
-
trendmicro-visionone-download-investigation-packageDownloads the investigation package based on submission ID.
-
trendmicro-visionone-download-suspicious-object-listDownloads the suspicious object list associated to the specified object. Note ~ Suspicious Object Lists are only available for objects with a high risk level.
-
trendmicro-visionone-enable-user-accountAllows the user to sign in to new application and browser sessions. Supported IAM systems -> Azure AD and Active Directory (on-premises).
-
trendmicro-visionone-force-password-resetSigns the user out of all active application and browser sessions, and forces the user to create a new password during the next sign-in attempt. Supported IAM systems -> Azure AD and Active Directory (on-premises).
-
trendmicro-visionone-force-signoutSigns the user out of all active application and browser sessions. Supported IAM systems -> Azure AD.
-
trendmicro-visionone-get-alert-detailsFetches details for a specific alert.
-
trendmicro-visionone-get-custom-script-listFetches a list of all available custom scripts in V1 XDR Portal.
-
trendmicro-visionone-get-email-activity-dataDisplays search results from the Email Activity Data source that match the parameters provided.
-
trendmicro-visionone-get-email-activity-data-countDisplays search results from the Email Activity Data source that match the parameters provided.
-
trendmicro-visionone-get-endpoint-activity-dataDisplays search results from the Endpoint Activity Data source that match the parameters provided.
-
trendmicro-visionone-get-endpoint-activity-data-countDisplays total count of search results from the Endpoint Activity Data source that match the parameters provided.
-
trendmicro-visionone-get-endpoint-infoRetrieves information about a specific endpoint.
-
trendmicro-visionone-get-file-analysis-resultRetrieves the sandbox submission analysis result.
-
trendmicro-visionone-get-file-analysis-statusRetrieves the status of a sandbox analysis submission.
-
trendmicro-visionone-get-observed-attack-techniquesDisplays a list of Observed Attack Techniques events that match the specified criteria.
-
trendmicro-visionone-isolate-endpointDisconnects an endpoint from the network (but allows communication with the managing TrendAI™ product).
-
trendmicro-visionone-quarantine-email-messageMoves a message from a mailbox to the quarantine folder.
-
trendmicro-visionone-remove-from-block-listRemoves a domain, ip, file_sha1, url, sender_mail_address from the User-Defined Suspicious Objects List.
-
trendmicro-visionone-restore-email-messageRestores a quarantined message. Deleted messages cannot be restored.
-
trendmicro-visionone-restore-endpoint-connectionRestores network connectivity to an endpoint that applied the "isolate endpoint" action.
-
trendmicro-visionone-run-custom-scriptRuns a custom script on the specified endpoint or agentGuid.
-
trendmicro-visionone-run-sandbox-submission-pollingRuns a polling command to retrieve the status of a sandbox analysis submission.
-
trendmicro-visionone-submit-file-entry-to-sandboxSubmits a file to the sandbox for analysis (Note. For more information about the supported file types, see [the TrendAI Vision One™Online Help](https://docs.trendmicro.com/en-us/enterprise/trend-micro-vision-one/threat-intelligence-/sandbox-analysis/sandbox-supported-fi.aspx). Submissions require credits. Does not require credits in regions where Sandbox Analysis has not been officially released.)
-
trendmicro-visionone-submit-file-to-sandboxSubmits a file to the sandbox for analysis (Note. For more information about the supported file types, see [the TrendAI Vision One™ Online Help](https://docs.trendmicro.com/en-us/enterprise/trend-micro-vision-one/threat-intelligence-/sandbox-analysis/sandbox-supported-fi.aspx). Submissions require credits. Does not require credits in regions where Sandbox Analysis has not been officially released.)
-
trendmicro-visionone-submit-urls-to-sandboxSends URL(s) to sandbox for analysis.
-
trendmicro-visionone-terminate-processTerminates a process that is running on an endpoint.
-
trendmicro-visionone-update-custom-scriptUpdates the contents of a custom script based on script ID.
-
trendmicro-visionone-update-statusUpdates the status of a workbench alert.
-
update-remote-systemPushes local XSOAR incident changes to the remote Vision One alert system. This command is used for outgoing mirroring.