Trend Micro Apex Central
This document provides guidance on how to integrate Trend Micro Apex Central with Google SecOps.
How to obtain API Key
For more information about how to obtain an API key, see Adding an Application.
Configure Trend Micro Apex Central integration in Google Security Operations
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | http://x.x.x.x | Yes | API root of the Trend Micro Apex Central instance. |
| Application ID | String | N/A | Yes | Application ID of the Trend Micro Apex Central instance. |
| API Key | Password | N/A | Yes | API Key of the Trend Micro Apex Central instance. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Trend Micro Apex Central server is valid. |
Actions
Ping
Description
Test connectivity to Trend Micro Apex Central with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | If successful:<br>Not successful: "Failed to connect to the Trend Micro Apex Central server! Error: {0}".format(exception.stacktrace) | General |
Enrich Entities
Description
Enrich entities with information from Trend Micro Apex Central. Supported entities: IP Address, MAC Address, Hostname, URL, Hash.
Parameters
Run On
This action runs on the following entities:
- IP Address
- MAC Address
- Hostname
- URL
- Hash
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Entity Enrichment
Host, IP, MAC
| Enrichment Field Name | Logic - When to apply |
|---|---|
| ip_address | Returns if it exists in JSON result. |
| mac_address | Returns if it exists in JSON result. |
| hostname | Returns if it exists in JSON result. |
| has_endpoint_sensor | Returns if it exists in JSON result. |
| isolation_status | Returns if it exists in JSON result. |
| ad_domain | Returns if it exists in JSON result. |
URL, Hash, IP
| Enrichment Field Name | Logic - When to apply |
|---|---|
| type | Returns if it exists in JSON result. |
| note | Returns if it exists in JSON result. |
| action | Returns if it exists in JSON result. |
| expiration | Returns if it exists in JSON result. |
Case Wall
The action should not fail nor stop a playbook execution:
- If successful for 1 entity: Successfully retrieved information about the following entities from Trend Micro Apex Central: {\n entity.identifier}
- If not successful for 1 entity: Action wasn't able to retrieve information about the following entities from Trend Micro Apex Central: {\n entity.identifier}
- If not successful for all: No entities were enriched using information from Trend Micro Apex Central
The action should fail and stop a playbook execution:
- Fatal error, invalid creds, API root: Error executing action "Enrich Entities". Reason: {error traceback}
Name: Found Endpoints
Columns:
- IP Address
- MAC Address
- Hostname
- Has Endpoint Sensor
- Isolation Status
- AD Domain
Name: Found UDSO
Columns:
- Entity
- Note
- Action
Create File UDSO
Description
Create a User-defined suspicious object based on a file in Trend Micro Apex Central.
Known Issues
When working with .eml files, the action will not return the JSON result.
Parameters
| Name | Default Value | Is Mandatory | Description |
|---|---|---|---|
| File Paths | N/A | Yes | Specify a comma-separated list of file paths that need to be used to create a UDSO. |
| Action | Block. Possible values: Block, Log, Quarantine | Yes | Specify what action should be applied to the UDSO. |
| Note | N/A | No | Specify an additional note for the provided UDSO. Warning: the note can't contain more than 256 characters. |
| Expire In (Days) | N/A | No | Specify in how many days the UDSO should expire. If nothing is provided, the UDSO will never expire. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
| Case | Success | Fail | Message |
|---|---|---|---|
| If successful for 1 file | true | false | Successfully created UDSO based on the following files in Trend Micro Apex Central: {\n file paths} |
| If not successful for 1 entity | true | false | Action wasn't able to create UDSO based on the following files in Trend Micro Apex Central: {\n file paths} |
| If already exist | true | false | The following UDSO already exist in Trend Micro Apex Central: {\n file paths} |
| Not successful for all | false | false | No UDSO were created in Trend Micro Apex Central. |
| Fatal error, invalid creds, API root | false | true | Error executing action "Create File UDSO". Reason: {error traceback} |
| If note > 256 chars | false | true | Error executing action "Create File UDSO". Reason: note can't contain more than 256 characters. |
Create Entity UDSO
Description
Create a User-defined suspicious object based on the entities in Trend Micro Apex Central. Supported entities: IP, URL, Hash.
Parameters
| Name | Default Value | Is Mandatory | Description |
|---|---|---|---|
| Action | Block. Possible values: Block, Log | Yes | Specify what action should be applied to the UDSO. |
| Note | N/A | No | Specify an additional note for the provided UDSO. Warning: the note can't contain more than 256 characters. |
| Expire In (Days) | N/A | No | Specify in how many days the UDSO should expire. If nothing is provided, the UDSO will never expire. |
Run On
This action runs on the following entities:
- IP Address
- URL
- Hash
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
| Case | Success | Fail | Message |
|---|---|---|---|
| If successful for 1 entity | true | false | Successfully created UDSO based on the following entities in Trend Micro Apex Central: {\n entity.identifier} |
| If not successful for 1 entity | true | false | Action wasn't able to create UDSO based on the following entities in Trend Micro Apex Central: {\n entity.identifier} |
| If already exist | true | false | The following UDSO already exist in Trend Micro Apex Central: {\n entity.identifier} |
| Not successful for all | false | false | No UDSO were created in Trend Micro Apex Central. |
| Fatal error, invalid creds, API root | false | true | Error executing action "Create Entity UDSO". Reason: {error traceback} |
| If note > 256 chars | false | true | Error executing action "Create Entity UDSO". Reason: note can't contain more than 256 characters. |
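The parameter rules and Case Wall outcomes documented for Create Entity UDSO can be checked in a playbook before the action runs. The following is an added example, not code from Google SecOps or Trend Micro, and it makes no calls to Apex Central. The function names, the rejection of unknown actions and non-positive day counts, and the handling of mixed outcomes are assumptions drawn from the tables above.

```python
from datetime import datetime, timedelta, timezone

ALLOWED_ACTIONS = {"Block", "Log"}   # "Possible values" in the parameter table
MAX_NOTE_LEN = 256                   # documented limit for the Note parameter
PREFIX = 'Error executing action "Create Entity UDSO". Reason: '


def validate_params(action, note=None, expire_in_days=None, now=None):
    """Return the expiration datetime (None = never); raise on fatal input."""
    if action not in ALLOWED_ACTIONS:          # assumption: treated as fatal
        raise ValueError(PREFIX + f"unsupported action {action!r}")
    if note is not None and len(note) > MAX_NOTE_LEN:
        raise ValueError(PREFIX + "note can't contain more than 256 characters.")
    if expire_in_days is None:
        return None                            # nothing provided: never expires
    days = int(expire_in_days)
    if days <= 0:                              # assumption: must be positive
        raise ValueError(PREFIX + "Expire In (Days) must be a positive integer")
    return (now or datetime.now(timezone.utc)) + timedelta(days=days)


def summarize(outcomes):
    """Map {identifier: 'created'|'exists'|'failed'} to (is_success, message)."""
    templates = [
        ("created", "Successfully created UDSO based on the following entities "
                    "in Trend Micro Apex Central: "),
        ("failed", "Action wasn't able to create UDSO based on the following "
                   "entities in Trend Micro Apex Central: "),
        ("exists", "The following UDSO already exist in Trend Micro Apex Central: "),
    ]
    lines = []
    for state, text in templates:
        ids = sorted(i for i, s in outcomes.items() if s == state)
        if ids:
            lines.append(text + ", ".join(ids))
    # Assumption: the run counts as successful if any UDSO was created or exists.
    if not any(s in ("created", "exists") for s in outcomes.values()):
        return False, "No UDSO were created in Trend Micro Apex Central."
    return True, "\n".join(lines)


# Constructed sample outcomes (documentation-range values, not real indicators).
SAMPLE = {"198.51.100.7": "created", "http://example.test/a": "exists",
          "203.0.113.9": "failed"}

if __name__ == "__main__":
    print(validate_params("Block", "triage note", 30))
    print(*summarize(SAMPLE), sep="\n")
```
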
Unisolate Endpoints
Description
Unisolate endpoints in Trend Micro Apex Central. Supported entities: IP, MAC, Hostname.
Parameters
| Name | Default Value | Is Mandatory | Description |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Run On
This action runs on the following entities:
- IP Address
- MAC Address
- Hostname
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
| Case | Success | Fail | Message |
|---|---|---|---|
| If successful for 1 entity | true | false | Successfully unisolated the following endpoints in Trend Micro Apex Central: {\n entity.identifier} |
| If not successful for 1 entity | true | false | Action wasn't able to unisolate the following endpoints in Trend Micro Apex Central: {\n entity.identifier} |
| Not successful for all | false | false | No endpoints were unisolated in Trend Micro Apex Central. |
| Async Message | false | false | Initiated endpoint unisolation on the following endpoints: {entity.identifier}. Waiting for the unisolation to finish. |
| Timeout message | false | false | Action initiated unisolation, but it's still pending for the following endpoints: {entity.identifier}. Please consider increasing the timeout in the IDE. |
| Fatal error, invalid creds, API root | false | true | Error executing action "Unisolate Endpoints". Reason: {error traceback} |
Isolate Endpoints
Description
Isolate endpoints in Trend Micro Apex Central. Supported entities: IP, MAC, Hostname.
Parameters
| Name | Default Value | Is Mandatory | Description |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Run On
This action runs on the following entities:
- IP Address
- MAC Address
- Hostname
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
| Case | Success | Fail | Message |
|---|---|---|---|
| If successful for 1 entity | true | false | Successfully isolated the following endpoints in Trend Micro Apex Central: {\n entity.identifier} |
| If not successful for 1 entity | true | false | Action wasn't able to isolate the following endpoints in Trend Micro Apex Central: {\n entity.identifier} |
| Not successful for all | false | false | No endpoints were isolated in Trend Micro Apex Central. |
| Async Message | false | false | Initiated endpoint isolation on the following endpoints: {entity.identifier}. Waiting for the isolation to finish. |
| Timeout message | true | false | Action initiated isolation, but it's still pending for the following endpoints: {entity.identifier}. Please consider increasing the timeout in the IDE. |
| Fatal error, invalid creds, API root | false | true | Error executing action "Isolate Endpoints". Reason: {error traceback} |

