Trend Micro Apex Central
Integration version: 4.0
How to obtain API Key
For more information about how to obtain an API key, see Adding an Application.
Configure Trend Micro Apex Central integration in Google Security Operations
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | http://x.x.x.x | Yes | API root of the Trend Micro Apex Central instance. |
| Application ID | String | N/A | Yes | Application ID of the Trend Micro Apex Central instance. |
| API Key | Password | N/A | Yes | API Key of the Trend Micro Apex Central instance. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Trend Micro Apex Central server is valid. |
Actions
Ping
Description
Test connectivity to Trend Micro Apex Central with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | If successful:<br>Not successful: "Failed to connect to the Trend Micro Apex Central server! Error: {0}".format(exception.stacktrace) | General |
Enrich Entities
Description
Enrich entities with information from Trend Micro Apex Central. Supported entities: IP Address, MAC Address, Hostname, URL, Hash.
Parameters
Run On
This action runs on the following entities:
- IP Address
- Mac Address
- Hostname
- URL
- Hash
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Entity Enrichment
Host, IP, MAC
| Enrichment Field Name | Logic - When to apply |
|---|---|
| ip_address | Returns if it exists in JSON result. |
| mac_address | Returns if it exists in JSON result. |
| hostname | Returns if it exists in JSON result. |
| has_endpoint_sensor | Returns if it exists in JSON result. |
| isolation_status | Returns if it exists in JSON result. |
| ad_domain | Returns if it exists in JSON result. |
URL, Hash, IP
| Enrichment Field Name | Logic - When to apply |
|---|---|
| type | Returns if it exists in JSON result. |
| note | Returns if it exists in JSON result. |
| action | Returns if it exists in JSON result. |
| expiration | Returns if it exists in JSON result. |
Case Wall
The action should not fail nor stop a playbook execution:
- If successful for 1 entity: Successfully retrieved information about the following entities from Trend Micro Apex Central: {\n entity.identifier}
- If not successful for 1 entity: Action wasn't able to retrieve information about the following entities from Trend Micro Apex Central: {\n entity.identifier}
- Not successful for all: No entities were enriched using information from Trend Micro Apex Central
The action should fail and stop a playbook execution:
- Fatal error, invalid creds, API root: Error executing action "Enrich Entities". Reason: {error traceback}
Name: Found Endpoints
Columns:
- IP Address
- MAC Address
- Hostname
- Has Endpoint Sensor
- Isolation Status
- AD Domain
Name: Found UDSO
Columns:
- Entity
- Note
- Action
Create File UDSO
Description
Create a User-defined suspicious object based on a file in Trend Micro Apex Central.
Known Issues
When working with .eml files, the action will not return the JSON result.
Parameters
| Name | Default Value | Is Mandatory | Description |
|---|---|---|---|
| File Paths | N/A | Yes | Specify a comma-separated list of file paths that need to be used to create a UDSO. |
| Action | Block. Possible values: Block, Log, Quarantine | Yes | Specify what action should be applied to the UDSO. |
| Note | N/A | False | Specify an additional note for the provided UDSO. Warning: the note can't contain more than 256 characters. |
| Expire In (Days) | N/A | False | Specify in how many days the UDSO should expire. If nothing is provided, UDSO will never expire. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
| Case | Success | Fail | Message |
|---|---|---|---|
| If successful for 1 file | true | false | Successfully created UDSO based on the following files in Trend Micro Apex Central: {\n file paths} |
| If not successful for 1 entity | true | false | Action wasn't able to create UDSO based on the following files in Trend Micro Apex Central: {\n file paths} |
| If already exist | true | false | The following UDSO already exist in Trend Micro Apex Central: {\n file paths} |
| Not successful for all | false | false | No UDSO were created in Trend Micro Apex Central. |
| Fatal error, invalid creds, API root | false | true | Error executing action "Create File UDSO". Reason: {error traceback} |
| If note > 256 chars | false | true | Error executing action "Create File UDSO". Reason: note can't contain more than 256 characters. |
Create Entity UDSO
Description
Create a User-defined suspicious object based on the entities in Trend Micro Apex Central. Supported entities: IP, URL, Hash.
Parameters
| Name | Default Value | Is Mandatory | Description |
|---|---|---|---|
| Action | Block. Possible values: Block, Log | Yes | Specify what action should be applied to the UDSO. |
| Note | N/A | False | Specify an additional note for the provided UDSO. Warning: the note can't contain more than 256 characters. |
| Expire In (Days) | N/A | False | Specify in how many days the UDSO should expire. If nothing is provided, UDSO will never expire. |
Run On
This action runs on the following entities:
- IP Address
- URL
- Hash
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
| Case | Success | Fail | Message |
|---|---|---|---|
| If successful for 1 entity | true | false | Successfully created UDSO based on the following entities in Trend Micro Apex Central: {\n entity.identifier} |
| If not successful for 1 entity | true | false | Action wasn't able to create UDSO based on the following entities in Trend Micro Apex Central: {\n entity.identifier} |
| If already exist | true | false | The following UDSO already exist in Trend Micro Apex Central: {\n entity.identifier} |
| Not successful for all | false | false | No UDSO were created in Trend Micro Apex Central. |
| Fatal error, invalid creds, API root | false | true | Error executing action "Create Entity UDSO". Reason: {error traceback} |
| If note > 256 chars | false | true | Error executing action "Create Entity UDSO". Reason: note can't contain more than 256 characters. |
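Both Create File UDSO and Create Entity UDSO stop the playbook when the note exceeds 256 characters, which is easy to hit when the note is assembled from alert text. The following pre-flight check is an added example, not code from the integration: the function name `prepare_udso_inputs`, the optional truncation, and the computed expiry timestamp are assumptions for illustration, and the file paths in the sample are constructed.

```python
from datetime import datetime, timedelta, timezone

NOTE_MAX = 256  # note limit stated in the action documentation
ALLOWED_ACTIONS = {
    "file": ("Block", "Log", "Quarantine"),  # Create File UDSO
    "entity": ("Block", "Log"),              # Create Entity UDSO
}


def prepare_udso_inputs(kind, action, note="", expire_in_days=None,
                        file_paths="", now=None, truncate_note=False):
    """Validate playbook-supplied values; return normalized inputs or raise ValueError."""
    if kind not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown UDSO kind: {kind!r}")
    if action not in ALLOWED_ACTIONS[kind]:
        raise ValueError(f"action {action!r} is not valid for a {kind} UDSO")

    note = (note or "").strip()
    if len(note) > NOTE_MAX:
        if not truncate_note:
            raise ValueError(f"note can't contain more than {NOTE_MAX} characters")
        note = note[:NOTE_MAX - 3] + "..."  # stay within the limit, mark the cut

    # Parameters arrive as strings; an empty value means the UDSO never expires.
    expires_at = None
    if expire_in_days not in (None, ""):
        days = int(str(expire_in_days).strip())  # ValueError on non-numeric input
        if days <= 0:
            raise ValueError("Expire In (Days) must be a positive integer")
        now = now or datetime.now(timezone.utc)
        expires_at = now + timedelta(days=days)  # illustrative, for review or logging

    paths = []
    if kind == "file":
        # Comma-separated list: trim whitespace, drop empties and duplicates.
        for p in (s.strip() for s in file_paths.split(",")):
            if p and p not in paths:
                paths.append(p)
        if not paths:
            raise ValueError("File Paths is mandatory for Create File UDSO")

    return {"action": action, "note": note,
            "expires_at": expires_at, "file_paths": paths}


if __name__ == "__main__":
    # Constructed sample: a note built from alert text that overruns the limit.
    long_note = "Blocked by playbook: " + "x" * 300
    print(prepare_udso_inputs("entity", "Block", long_note, "30", truncate_note=True))
```

Running the check in a step before the UDSO action turns an overlong note or an unsupported action into a handled branch instead of a fatal action error.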
Unisolate Endpoints
Description
Unisolate endpoints in Trend Micro Apex Central. Supported entities: IP, Mac, Hostname.
Parameters
| Name | Default Value | Is mandatory | Description |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Run On
This action runs on the following entities:
- IP Address
- Mac Address
- Hostname
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
| Case | Success | Fail | Message |
|---|---|---|---|
| If successful for 1 entity | true | false | Successfully unisolated the following endpoints in Trend Micro Apex Central: {\n entity.identifier} |
| If not successful for 1 entity | true | false | Action wasn't able to unisolate the following endpoints in Trend Micro Apex Central: {\n entity.identifier} |
| Not successful for all | false | false | No endpoints were unisolated in Trend Micro Apex Central. |
| Async Message | false | false | Initiated endpoint unisolation on the following endpoints: {entity.identifier}. Waiting for the unisolation to finish. |
| Timeout message | false | false | Action initiated unisolation, but it's still pending for the following endpoints: {entity.identifier}. Please consider increasing the timeout in the IDE. |
| Fatal error, invalid creds, API root | false | true | Error executing action "Unisolate Endpoints". Reason: {error traceback} |
Isolate Endpoints
Description
Isolate endpoints in Trend Micro Apex Central. Supported entities: IP, Mac, Hostname.
Parameters
| Name | Default Value | Is mandatory | Description |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Run On
This action runs on the following entities:
- IP Address
- Mac Address
- Hostname
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
| Case | Success | Fail | Message |
|---|---|---|---|
| If successful for 1 entity | true | false | Successfully isolated the following endpoints in Trend Micro Apex Central: {\n entity.identifier} |
| If not successful for 1 entity | true | false | Action wasn't able to isolate the following endpoints in Trend Micro Apex Central: {\n entity.identifier} |
| Not successful for all | false | false | No endpoints were isolated in Trend Micro Apex Central. |
| Async Message | false | false | Initiated endpoint isolation on the following endpoints: {entity.identifier}. Waiting for the isolation to finish. |
| Timeout message | true | false | Action initiated isolation, but it's still pending for the following endpoints: {entity.identifier}. Please consider increasing the timeout in the IDE. |
| Fatal error, invalid creds, API root | false | true | Error executing action "Isolate Endpoints". Reason: {error traceback} |