Trend Micro DDAN

Integration version: 3.0

Configure Trend Micro DDAN integration in Google Security Operations

For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

| Parameter Name | Type | Default Value | Is Mandatory | Description |
| --- | --- | --- | --- | --- |
| API Root | String | https://IP_ADDRESS | Yes | API root of the Trend Micro DDAN instance. |
| API Key | Password | N/A | Yes | API key of the Trend Micro DDAN instance. |
| Verify SSL | Checkbox | Checked | No | If enabled, verifies that the SSL certificate for the connection to the Trend Micro DDAN is valid. |

Actions

Ping

Test connectivity to Trend Micro DDAN using the parameters provided on the integration configuration page in the Google Security Operations Marketplace tab.

Run On

This action doesn't run on entities and has no mandatory input parameters.

Action Results

Script Result
| Script result name | Value options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |
Case Wall

Result type: Output message* (Type: General)

The action should neither fail nor stop a playbook execution:

If successful: "Successfully connected to the Trend Micro DDAN server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the Trend Micro DDAN server! Error is {0}".format(exception.stacktrace)

Submit File

Submit files in Trend Micro DDAN.

Parameters

| Parameter Name | Type | Default Value | Is Mandatory | Description |
| --- | --- | --- | --- | --- |
| File URLs | CSV | N/A | Yes | Specify a comma-separated list of the URLs that point to the file that needs to be analyzed. |
| Fetch Event Log | Checkbox | Checked | No | If enabled, the action fetches event logs related to the files. |
| Fetch Suspicious Objects | Checkbox | Checked | No | If enabled, the action fetches suspicious objects. |
| Fetch Sandbox Screenshot | Checkbox | Unchecked | No | If enabled, the action tries to fetch a sandbox screenshot related to the files. |
| Resubmit File | Checkbox | Checked | No | If enabled, the action doesn't check if there was a submission for this file previously. |
| Max Event Logs To Return | Integer | 50 | No | Specify the number of event logs to return. Maximum: 200 |
| Max Suspicious Objects To Return | Integer | 50 | No | Specify the number of suspicious objects to return. Maximum: 200 |

Run On

This action doesn't run on entities.

Action Results

Script Result
| Script result name | Value options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |
JSON Result
    {
      "REPORTS": {
        "IMAGE_TYPE": {
          "TYPE": "Windows 10"
        },
        "OVERALL_RISK_LEVEL": -19,
        "FILE_ANALYZE_REPORT": {
          "FileSHA1": "2C2218022BC734EFF94290199C2CDC46E9531F9B",
          "FileMD5": "6061C079AFC5B3198F2752F875513E58",
          "FileSHA256": "6CE4952C2EE4D70CBC3B4276007D0815C03FA0E87E209DF7B901D143C06859AA",
          "FileTLSH": "",
          "FileID": "3315_0001",
          "OrigFileName": "https://example.com/",
          "DownloadedFileName": "",
          "MalwareSourceIP": "",
          "MalwareSourceHost": "",
          "ROZRating": -19,
          "CensusPrevalence": -1,
          "GRIDIsKnownGood": -1,
          "AuthenticodeIsGood": 0,
          "IsAllowed": 0,
          "IsDenylisted": 0,
          "OverallROZRating": -19,
          "AnalyzeTime": "2022-11-07 15:39:24",
          "VirusDetected": 0,
          "EngineVersion": "",
          "PatternVersion": "",
          "VirusName": "",
          "TrueFileType": "URL",
          "FileSize": 0,
          "PcapReady": 0,
          "SandcastleClientVersion": "6.0.5511",
          "AnalyzeStartTime": "2022-11-07 15:39:23",
          "ParentChildRelationship": "",
          "DuplicateSHA1": 0,
          "ConnectionMode": "nat",
          "ExternalServiceMode": "Global",
          "DiagInfo": "",
          "RedirectChain": {
            "Connection": {
              "ID": 1,
              "URL": "https://example.com",
              "WRSScore": 71,
              "WRSCategoryID": 93,
              "WRSCategoryName": "Newly Observed Domain",
              "ThreatName": "",
              "RedirectFrom": ""
            }
          },
          "DroppedFiles": "",
          "USandboxVersion": "5.8.1044"
        },
        "EXTRA_INFO": {
          "VAAnalysisTime": 96,
          "TotalProcessingTime": 97
        }
      },
      "Screenshot": "",
      "EventLog": [
        {
          "EventLog": {
            "Date": "2022-11-07 15:37:49+00",
            "Source": 1,
            "SubmitDate": "2022-11-07 15:37:49.618895+00",
            "ProtocolGroup": "",
            "Protocol": "",
            "VLANId": "",
            "Direction": "",
            "DstIP": "",
            "DstIPStr": "",
            "DstPort": "",
            "DstMAC": "",
            "SrcIP": "",
            "SrcIPStr": "",
            "SrcPort": "",
            "SrcMAC": "",
            "DomainName": "",
            "HostName": "",
            "DetectionName": "",
            "RiskTypeGroup": "",
            "RiskType": "",
            "FileName": "",
            "FileExt": "",
            "TrueFileType": "",
            "FileSize": "",
            "RuleID": "",
            "Description": "Dummy log content",
            "ConfidenceLevel": "",
            "Recipient": "",
            "Sender": "",
            "Subject": "",
            "BOTCmd": "",
            "BOTUrl": "",
            "ChannelName": "",
            "NickName": "",
            "URL": "https://example.com",
            "UserName": "",
            "Authentication": "",
            "UserAgent": "",
            "TargetShare": "",
            "DetectedBy": "",
            "PotentialRisk": "",
            "HasQFile": "",
            "ServerName": "",
            "MessageID": "",
            "EngineVer": "",
            "PatternNum": "",
            "VirusType": "",
            "EngineVirusMajorType": ""
          }
        }
      ],
      "SuspiciousObjects": ""
    }
 
Case Wall

Result type: Output message* (Type: General)

The action should neither fail nor stop a playbook execution:

If a report is returned (is_success=true): "Successfully analyzed the following URLs in Trend Micro DDAN: SUCCESSFUL_URLS"

If a report isn't returned for one URL (is_success=true): "Action wasn't able to return results the following URLs in Trend Micro DDAN: SUCCESSFUL_URLS"

If a report isn't returned for any of the URLs (is_success=true): "No results for the provided URLs."

The action should fail and stop a playbook execution:

If a fatal error is reported, such as wrong credentials, no connection to the server, or other: "Error executing action "Submit File URL". Reason: {0}".format(error.Stacktrace)

Submit File URL

Submit a file using URLs in Trend Micro DDAN.

Parameters

| Parameter Name | Type | Default Value | Is Mandatory | Description |
| --- | --- | --- | --- | --- |
| File URLs | CSV | N/A | Yes | Specify a comma-separated list of the URLs that point to the file that needs to be analyzed. |
| Fetch Event Log | Checkbox | Checked | No | If enabled, the action fetches event logs related to the files. |
| Fetch Suspicious Objects | Checkbox | Checked | No | If enabled, the action fetches suspicious objects. |
| Fetch Sandbox Screenshot | Checkbox | Unchecked | No | If enabled, the action tries to fetch a sandbox screenshot related to the files. |
| Resubmit File | Checkbox | Checked | No | If enabled, the action doesn't check if there was a submission for this file previously. |
| Max Event Logs To Return | Integer | 50 | No | Specify the number of event logs to return. Maximum: 200 |
| Max Suspicious Objects To Return | Integer | 50 | No | Specify the number of suspicious objects to return. Maximum: 200 |

Run On

This action doesn't run on entities.

Action Results

Script Result
| Script result name | Value options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |
JSON Result
    {
      "REPORTS": {
        "IMAGE_TYPE": {
          "TYPE": "Windows 10"
        },
        "OVERALL_RISK_LEVEL": -19,
        "FILE_ANALYZE_REPORT": {
          "FileSHA1": "2C2218022BC734EFF94290199C2CDC46E9531F9B",
          "FileMD5": "6061C079AFC5B3198F2752F875513E58",
          "FileSHA256": "6CE4952C2EE4D70CBC3B4276007D0815C03FA0E87E209DF7B901D143C06859AA",
          "FileTLSH": "",
          "FileID": "3315_0001",
          "OrigFileName": "https://example.com",
          "DownloadedFileName": "",
          "MalwareSourceIP": "",
          "MalwareSourceHost": "",
          "ROZRating": -19,
          "CensusPrevalence": -1,
          "GRIDIsKnownGood": -1,
          "AuthenticodeIsGood": 0,
          "IsAllowed": 0,
          "IsDenylisted": 0,
          "OverallROZRating": -19,
          "AnalyzeTime": "2022-11-07 15:39:24",
          "VirusDetected": 0,
          "EngineVersion": "",
          "PatternVersion": "",
          "VirusName": "",
          "TrueFileType": "URL",
          "FileSize": 0,
          "PcapReady": 0,
          "SandcastleClientVersion": "6.0.5511",
          "AnalyzeStartTime": "2022-11-07 15:39:23",
          "ParentChildRelationship": "",
          "DuplicateSHA1": 0,
          "ConnectionMode": "nat",
          "ExternalServiceMode": "Global",
          "DiagInfo": "",
          "RedirectChain": {
            "Connection": {
              "ID": 1,
              "URL": "https://example.com",
              "WRSScore": 71,
              "WRSCategoryID": 93,
              "WRSCategoryName": "Newly Observed Domain",
              "ThreatName": "",
              "RedirectFrom": ""
            }
          },
          "DroppedFiles": "",
          "USandboxVersion": "5.8.1044"
        },
        "EXTRA_INFO": {
          "VAAnalysisTime": 96,
          "TotalProcessingTime": 97
        }
      },
      "Screenshot": "{base64 of }",
      "EventLog": [
        {
          "EventLog": {
            "Date": "2022-11-07 15:37:49+00",
            "Source": 1,
            "SubmitDate": "2022-11-07 15:37:49.618895+00",
            "ProtocolGroup": "",
            "Protocol": "",
            "VLANId": "",
            "Direction": "",
            "DstIP": "",
            "DstIPStr": "",
            "DstPort": "",
            "DstMAC": "",
            "SrcIP": "",
            "SrcIPStr": "",
            "SrcPort": "",
            "SrcMAC": "",
            "DomainName": "",
            "HostName": "",
            "DetectionName": "",
            "RiskTypeGroup": "",
            "RiskType": "",
            "FileName": "",
            "FileExt": "",
            "TrueFileType": "",
            "FileSize": "",
            "RuleID": "",
            "Description": "Dummy log content",
            "ConfidenceLevel": "",
            "Recipient": "",
            "Sender": "",
            "Subject": "",
            "BOTCmd": "",
            "BOTUrl": "",
            "ChannelName": "",
            "NickName": "",
            "URL": "https://example.com",
            "UserName": "",
            "Authentication": "",
            "UserAgent": "",
            "TargetShare": "",
            "DetectedBy": "",
            "PotentialRisk": "",
            "HasQFile": "",
            "ServerName": "",
            "MessageID": "",
            "EngineVer": "",
            "PatternNum": "",
            "VirusType": "",
            "EngineVirusMajorType": ""
          }
        }
      ],
      "SuspiciousObjects": ""
    }
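
The sample JSON result uses an empty string where a collection has no items ("DroppedFiles", "SuspiciousObjects") and a single nested object under "RedirectChain", so a playbook step that consumes it should normalize those shapes before branching. The following Python is an added example, not part of the integration's code; the names summarize and as_list are hypothetical, and it assumes each result is one object shaped like the sample and that a field holding several items arrives as a list.

```python
import json

# Constructed input: a trimmed copy of the sample JSON result shown above.
SAMPLE = json.loads("""
{"REPORTS": {"OVERALL_RISK_LEVEL": -19,
  "FILE_ANALYZE_REPORT": {
    "FileSHA256": "6CE4952C2EE4D70CBC3B4276007D0815C03FA0E87E209DF7B901D143C06859AA",
    "OrigFileName": "https://example.com", "TrueFileType": "URL",
    "RedirectChain": {"Connection": {"ID": 1, "URL": "https://example.com",
      "WRSScore": 71, "WRSCategoryName": "Newly Observed Domain"}},
    "DroppedFiles": ""}},
 "Screenshot": "",
 "EventLog": [{"EventLog": {"Date": "2022-11-07 15:37:49+00",
   "Description": "Dummy log content", "URL": "https://example.com"}}],
 "SuspiciousObjects": ""}
""")


def as_list(value):
    """Assumption: an empty string means no items; a lone object means one item."""
    if value in ("", None):
        return []
    return value if isinstance(value, list) else [value]


def summarize(result):
    """Flatten one action result into fields a playbook step can branch on."""
    reports = result.get("REPORTS") or {}
    report = reports.get("FILE_ANALYZE_REPORT") or {}
    chain = report.get("RedirectChain") or {}
    hops = as_list(chain.get("Connection")) if isinstance(chain, dict) else []
    # Each EventLog entry wraps its fields in a nested "EventLog" object.
    events = [e.get("EventLog", e) for e in as_list(result.get("EventLog"))]
    return {
        "submitted": report.get("OrigFileName", ""),
        "sha256": report.get("FileSHA256", "").lower(),
        "overall_risk_level": reports.get("OVERALL_RISK_LEVEL"),
        "redirects": [(h.get("URL"), h.get("WRSScore"), h.get("WRSCategoryName"))
                      for h in hops],
        "event_descriptions": [e.get("Description", "") for e in events],
        "suspicious_objects": as_list(result.get("SuspiciousObjects")),
        "has_screenshot": bool(result.get("Screenshot")),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

The summary carries OVERALL_RISK_LEVEL and WRSScore through unchanged because this page does not define their scales.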
 
Case Wall

Result type: Output message* (Type: General)

The action should neither fail nor stop a playbook execution:

If a report is returned (is_success=true): "Successfully analyzed the following URLs in Trend Micro DDAN: SUCCESSFUL_URLS"

If a report isn't returned for one URL (is_success=true): "Action wasn't able to return results the following URLs in Trend Micro DDAN: SUCCESSFUL_URLS"

If a report isn't returned for any of the URLs (is_success=true): "No results for the provided URLs."

The action should fail and stop a playbook execution:

If a fatal error is reported, such as wrong credentials, no connection to the server, or other: "Error executing action "Submit File URL". Reason: {0}".format(error.Stacktrace)
