
Trend Micro Deep Security Manager

LAST UPDATED: NOV 27, 2024

Overview

Trend Micro Deep Security automatically protects new and existing workloads against known and unknown threats using techniques such as machine learning and virtual patching. It offers a full range of security capabilities through a single smart agent, including protection against vulnerabilities and end-of-life systems.

D3 SOAR provides REST operations for working with Trend Micro Deep Security Manager.

Trend Micro Deep Security Manager is available for use in:

D3 SOAR

V12.7.0+

Category

Endpoint Protection

Deployment Options

Option I, Option II, Option III, Option IV

Known Limitations

The rate limits applied to Deep Security Manager instances depend on the available resources of the manager computer and the API traffic received. The following rate limits are set by default:

  • User: 500

  • Tenant: 1000

  • Node: 5000

Refer to Determine suitable rate limits | Trend Micro Deep Security Manager for detailed information.

Connection

To connect to Trend Micro Deep Security Manager from D3 SOAR, collect the information listed below:

Parameter | Description | Example
Server URL | The URL of the Trend Micro Deep Security Manager server. | https://app.deepsecurity.trendmicro.com
API Key | The API key for authentication. | *****
API Version | The API version. | v1

Permission Requirements

Each endpoint in the Trend Micro Deep Security Manager API requires certain permissions. Assigning users to built-in roles or creating custom roles with predefined scopes ensures appropriate access control. The following are the required permissions for the commands in this integration:

Commands | Required Permissions: Built-in Roles | Required Permissions: Scopes for Custom Roles
Add Firewall Rule IDs | Deep Security Migration | Computer Rights -> Edit -> All Computers
Assign Intrusion Prevention Rules | Deep Security Migration | All of: Computer Rights -> Edit -> All Computers; Policy Rights -> Edit -> All Policies
Create Firewall Rule | Full Access | Common Object Rights -> Firewall Rules -> Custom -> Can Create New Firewall Rules
Create Intrusion Rule | Full Access | Common Object Rights -> Intrusion Prevention Rules -> Custom -> Can Create New Intrusion Prevention Rules
Deactivate Computer | Workload Security Read Only | All of: Computer Rights -> View -> All Computers; Computer Rights -> Delete -> All Computers
Delete Firewall Rules | Full Access | Common Object Rights -> Firewall Rules -> Custom -> Can Delete Firewall Rules
Delete Intrusion Rules | Full Access | Common Object Rights -> Intrusion Prevention Rules -> Custom -> Can Delete Intrusion Prevention Rules
Get Firewall Rule IDs By Computer | Workload Security Read Only | Computer Rights -> View -> All Computers
Get Host List | Workload Security Read Only | Computer Rights -> View -> All Computers
List Application Types | Workload Security Read Only | Other Rights -> Application Types -> View-Only
List Firewall Rules | Workload Security Read Only | Common Object Rights -> Firewall Rules -> View-Only
List Intrusion Rules | Workload Security Read Only | Common Object Rights -> Intrusion Prevention Rules -> View-Only
List Policies | Workload Security Read Only | Policy Rights -> View -> All Policies
Modify Intrusion Rule | Full Access | Common Object Rights -> Intrusion Prevention Rules -> Custom -> Can Edit Intrusion Prevention Rule Properties
Remove Firewall Rule IDs | Deep Security Migration | Computer Rights -> Edit -> All Computers
Schedule Daily Scan | Full Access | Other Rights -> Tasks -> Custom -> Can Add New Tasks, Can View Tasks, Can Edit Tasks
Schedule Hourly Scan | Full Access | Other Rights -> Tasks -> Custom -> Can Add New Tasks, Can View Tasks, Can Edit Tasks
Schedule Monthly Scan | Full Access | Other Rights -> Tasks -> Custom -> Can Add New Tasks, Can View Tasks, Can Edit Tasks
Schedule Once Only Scan | Full Access | Other Rights -> Tasks -> Custom -> Can Add New Tasks, Can View Tasks, Can Edit Tasks
Schedule Weekly Scan | Full Access | Other Rights -> Tasks -> Custom -> Can Add New Tasks, Can View Tasks, Can Edit Tasks
Unassign Intrusion Prevention Rules | Deep Security Migration | All of: Computer Rights -> Edit -> All Computers; Policy Rights -> Edit -> All Policies
Test Connection | Workload Security Read Only | Computer Rights -> View -> All Computers

As Trend Micro Deep Security Manager uses role-based access control (RBAC), an API key is generated for a specific user account and application, so the permissions available to each command are inherited from that user account's role. Configure the user's role in the Trend Micro Deep Security Manager console so that it covers each command of this integration you intend to use.

READER NOTE

Refer to Define roles for users | Trend Micro Deep Security Manager for details on configuring user profiles.

Configuring Trend Micro Deep Security Manager to Work with D3 SOAR

  1. Log into the Trend Cloud One console.

  2. Navigate to the API Key management section.


    1. Select the Endpoint & Workload Security card.

    2. Open the Administration tab.

    3. Go to User Management > API Keys.

    4. Click on the New… button to open the Properties pop-up window.

  3. Configure the API key.


    1. Provide a name for the API key.

    2. Select a role using the dropdown.

    3. Click on the Next > button.

  4. Copy the API Key and store it in a secure location. The API Key will not be visible again after this window is closed. Refer to step 3i sub-step 2 in Configuring D3 SOAR to Work with Trend Micro Deep Security Manager.

Creating and Configuring Custom Roles

  1. Navigate to Administration > User Management > Roles within Endpoint & Workload Security and click on the New… button.

  2. Name the role.

  3. Navigate through the tabs at the top to configure the permission scopes for the role. This example demonstrates the configuration of the scopes required for a custom role to execute the Assign Intrusion Prevention Rules and Unassign Intrusion Prevention Rules commands.


READER NOTE

Refer to the Permission Requirements section to identify the necessary scopes for each command.

  4. Save the role and confirm that it has been set up.


The API Key for custom roles can be created by following the same steps detailed in Configuring Trend Micro Deep Security Manager to Work with D3 SOAR.

Configuring D3 SOAR to Work with Trend Micro Deep Security Manager

  1. Log in to D3 SOAR.

  2. Find the Trend Micro Deep Security Manager integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Trend Micro Deep Security Manager in the search box to find the integration, then click it to select it.

    4. Click on the + Connection button on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Trend Micro Deep Security Manager.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site that will use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option lets every site defined as an internal site use the connection; selecting a specific site lets only that site use it.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site; use it to select the internal site where the integration connection is deployed.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.

    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: Check the checkbox to ensure the connection is available for use.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      1. Input the Server URL. The default value is https://app.deepsecurity.trendmicro.com.

      2. Copy the API Key from the Trend Micro Deep Security Manager platform. Refer to step 4 of Configuring Trend Micro Deep Security Manager to Work with D3 SOAR.

      3. Input the API Version. The default value is v1.

    10. Enable Password Vault: An optional feature that lets users retrieve the stored credentials from their own password vault. Refer to the password vault connection guide if needed.

    11. Connection Health Check: Periodically verifies the status of the connection you have created. The health check is performed by scheduling this integration's Test Connection command, and it is only available while the connection is active.

      To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green check mark appear beside the Test Connection button. If the test connection fails, check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

Trend Micro Deep Security Manager includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Trend Micro Deep Security Manager API, refer to the Trend Micro Deep Security Manager API reference.

READER NOTE

Certain permissions are required for each command. Refer to the Permission Requirements and Configuring Trend Micro Deep Security Manager to Work with D3 SOAR sections for details.

Add Firewall Rule IDs

Assigns firewall rule IDs to a computer.

READER NOTE

Computer ID and Rule IDs are required parameters to run this command.

  • Run the Get Host List command to obtain the Computer ID. Computer IDs can be found in the raw data at the path $.computers[*].ID.

  • Run the List Firewall Rules or Create Firewall Rule command to obtain the Rule IDs. Rule IDs can be found in the raw data at the path $.firewallRules[*].ID for List Firewall Rules or $.ID for Create Firewall Rule.

Input

Input Parameter

Required/Optional

Description

Example

Computer ID

Required

The ID of the computer to which the firewall rule IDs are assigned. Computer ID can be obtained using the Get Host List command.

*****

Rule IDs

Required

The IDs of the firewall rules to assign. Rule IDs can be obtained using the List Firewall Rules or Create Firewall Rule command.

JSON
[ ***** ] 

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "assignedRuleIDs": [
        *****,
        *****,
        *****,
        *****,
        *****,
        *****
    ]
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "assignedRuleIDs": [
        *****,
        *****,
        *****,
        *****,
        *****,
        *****
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "AssignedRuleIDs": [
        *****, 
        *****
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

assignedRuleIDs

*****

*****

*****

*****

*****

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Add Firewall Rule IDs failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Not Found.

Error Sample Data

Add Firewall Rule IDs failed.

Status Code: 404.

Message: Not Found.

Assign Intrusion Prevention Rules

Assigns intrusion prevention rules to the specified computers or policies.

READER NOTE

Intrusion Rule IDs is a required parameter to run this command.

  • Run the List Intrusion Rules command to obtain the Intrusion Rule IDs. Intrusion Rule IDs can be found in the raw data at the path $.intrusionPreventionRules[*].ID.

Computer IDs and Policy IDs are optional parameters to run this command.

  • Run the Get Host List command to obtain the Computer IDs. Computer IDs can be found in the raw data at the path $.computers[*].ID.

  • Run the List Policies command to obtain the Policy IDs. Policy IDs can be found in the raw data at the path $.policies[*].ID.

Input

Input Parameter

Required/Optional

Description

Example

Intrusion Rule IDs

Required

The IDs of the intrusion prevention rules to assign. Intrusion Rule IDs can be obtained using the List Intrusion Rules command.

JSON
[
    *****, 
    *****, 
    *****
]

Computer IDs

Optional

The IDs of the computers to which the rules are assigned. Computer IDs can be obtained using the Get Host List command.

JSON
[*****] 

Policy IDs

Optional

The IDs of the policies to which the rules are assigned. Policy IDs can be obtained using the List Policies command.

JSON
[*****] 

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
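How a playbook step could derive the Successful, Partially Successful or Failed state described above when one rule set is fanned out over several computers and policies, as an added example that is not part of D3's integration code. The `post` argument is an injected callable standing in for the per-target API request, and `fake_post` is constructed sample behaviour, not the real API:

```python
class AssignError(Exception):
    """Raised for a single target whose API call failed (status code + message)."""

    def __init__(self, status_code, message):
        super().__init__(f"Status Code: {status_code}. Message: {message}")
        self.status_code = status_code
        self.message = message


def assign_intrusion_rules(rule_ids, computer_ids=(), policy_ids=(), post=None):
    """Assign rule_ids to every computer and policy and derive the Return Data state.

    post(kind, target_id, rule_ids) performs one per-target request and returns the
    response dict or raises AssignError. Returns (state, raw_data, errors), where
    raw_data mirrors the list shown under Raw Data for this command.
    """
    if not rule_ids:
        raise ValueError("Intrusion Rule IDs is required")
    if not computer_ids and not policy_ids:
        # Same condition the API rejects with status 400 in the error sample below.
        raise ValueError("Either of Computer IDs or Policy IDs can be empty but not both empty.")
    targets = [("computerID", c) for c in computer_ids] + [("policyID", p) for p in policy_ids]
    raw_data, errors = [], []
    for kind, target_id in targets:
        try:
            response = post(kind, target_id, list(rule_ids))
        except AssignError as exc:
            # Record the failure but keep going: one bad target must not stop the rest.
            errors.append({"target": {kind: target_id},
                           "statusCode": exc.status_code, "message": exc.message})
            continue
        raw_data.append({**response, kind: target_id})
    if not errors:
        state = "Successful"
    elif raw_data:
        state = "Partially Successful"  # some array items succeeded, some returned errors
    else:
        state = "Failed"
    return state, raw_data, errors


def fake_post(kind, target_id, rule_ids):
    """Constructed stand-in for the API: computer 42 does not exist, all else succeeds."""
    if kind == "computerID" and target_id == 42:
        raise AssignError(404, "Not Found")
    return {"assignedRuleIDs": sorted(rule_ids), "assignedApplicationTypeIDs": [],
            "recommendationScanStatus": "none", "recommendedToAssignRuleIDs": [],
            "recommendedToUnassignRuleIDs": []}


if __name__ == "__main__":
    state, raw, errs = assign_intrusion_rules([1002, 1003], computer_ids=[7, 42],
                                              policy_ids=[3], post=fake_post)
    print(state, len(raw), "targets updated,", len(errs), "errors")
```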

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "assignedRuleIDs": [
            *****,
            *****,
            *****
        ],
        "assignedApplicationTypeIDs": [
            *****
        ],
        "recommendationScanStatus": "none",
        "recommendedToAssignRuleIDs": [],
        "recommendedToUnassignRuleIDs": [],
        "computerID": *****
    },
    {
        "assignedRuleIDs": [
            *****,
            *****,
            *****
        ],
        "assignedApplicationTypeIDs": [
            *****
        ],
        "recommendationScanStatus": "valid",
        "recommendedToAssignRuleIDs": [
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****
        ],
        "recommendedToUnassignRuleIDs": [],
        "policyID": *****
    }
]
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "assignedRuleIDs": [
            *****,
            *****,
            *****
        ],
        "assignedApplicationTypeIDs": [
            *****
        ],
        "recommendationScanStatus": "none",
        "recommendedToAssignRuleIDs": [],
        "recommendedToUnassignRuleIDs": [],
        "computerID": *****
    },
    {
        "assignedRuleIDs": [
            *****,
            *****,
            *****
        ],
        "assignedApplicationTypeIDs": [
            *****
        ],
        "recommendationScanStatus": "valid",
        "recommendedToAssignRuleIDs": [
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****
        ],
        "recommendedToUnassignRuleIDs": [],
        "policyID": *****
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

assignedRuleIDs

[*****, *****]

[*****, *****, *****]

assignedApplicationTypeIDs

[*****]

[*****]

recommendationScanStatus

none

valid

recommendedToAssignRuleIDs

[]

[*****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****]

recommendedToUnassignRuleIDs

[]

[]

computerID

*****

*****

policyID

*****

*****

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Assign Intrusion Prevention Rules failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Either of Computer IDs or Policy IDs can be empty but not both empty.

Error Sample Data

Assign Intrusion Prevention Rules failed.

Status Code: 400.

Message: Either of Computer IDs or Policy IDs can be empty but not both empty.

Create Firewall Rule

Creates a new firewall rule.

Input

Input Parameter

Required/Optional

Description

Example

Name

Required

The name of the firewall rule.

Test Rule

Description

Optional

The description of the firewall rule.

Test for creating firewall rule

Action

Optional

The action applied by the packet filter. Available options include:

  • Log only

  • Allow

  • Deny

  • Force Allow

  • Bypass

By default, the value is Allow.

Allow

Priority

Optional

The priority of the packet filter. Available options are:

  • 0 - Lowest

  • 1 - Low

  • 2 - Normal

  • 3 - High

  • 4 - Highest

By default, the value is 0 - Lowest.

0 - Lowest

Direction

Optional

The direction of the packet. Available options are:

  • Incoming

  • Outgoing

By default, the value is Incoming.

Incoming

Frame Type

Required

The type of frame supported.

  • Any

  • IP

  • ARP

  • REVARP

  • IPV4

  • IPV6

  • Other

By default, the value is IP.

IP

Protocol

Optional

The protocol of the packet. By default, the value is Any.

TCP

Source IP Value

Optional

The source IP address of the packet. If provided, the source IP type is set to Masked IP.

***.***.***.***

Source IP Mask

Optional

The source IP mask of the packet. If provided, the source IP type is set to Masked IP.

***.***.***.***

Source MAC Multiple

Optional

A list of source MAC addresses. If provided, the source MAC type is set to Multiple.

JSON
[
    "**-**-**-**-**-**",
    "**-**-**-**-**-**"
]

Packet Source Multiple

Optional

A list of source ports. If provided, the source port type is set to Multiple.

JSON
[
    "*****",
    "*****"
]

Destination IP Value

Optional

The destination IP address of the packet. If provided, the destination IP type is set to Masked IP.

***.***.***.***

Destination IP Mask

Optional

The destination IP mask of the packet. If provided, the destination IP type is set to Masked IP.

***.***.***.***

Destination MAC Multiple

Optional

A list of destination MAC addresses. If provided, the destination MAC type is set to Multiple.

JSON
[
    "**-**-**-**-**-**",
    "**-**-**-**-**-**"
]

Destination Port Multiple

Optional

A list of destination ports. If provided, the destination port type is set to Multiple.

JSON
[
    "*****",
    "*****"
]

Additional Settings

Optional

Additional settings for creating a firewall rule, formatted as <FieldName1>=<FieldValue1> <FieldName2>=<FieldValue2>. For example, logDisabled=true TCPNot=true is a valid input. Refer to Firewall Rules | Trend Micro Deep Security Manager for the available field names and values.

sourceIPMask=***.***.***.*** sourceIPValue=***.***.***.***
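An added example (not D3's integration code) of assembling the Create Firewall Rule request body from the inputs in the table above, including a parser for the Additional Settings format. The option-label tables beyond the values visible in this page's sample output, and the rule that Additional Settings are merged last, are assumptions:

```python
import re

# Option labels from the input table mapped to API values. Only "allow", "0", "incoming",
# "ip" and "tcp" are confirmed by the Raw Data sample on this page; the rest are assumed.
ACTION_VALUES = {"Log only": "log-only", "Allow": "allow", "Deny": "deny",
                 "Force Allow": "force-allow", "Bypass": "bypass"}
PRIORITY_VALUES = {"0 - Lowest": "0", "1 - Low": "1", "2 - Normal": "2",
                   "3 - High": "3", "4 - Highest": "4"}

_SETTING_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)=(.+)$")


def parse_additional_settings(text):
    """Parse '<FieldName1>=<FieldValue1> <FieldName2>=<FieldValue2>' into a dict.

    'true'/'false' become booleans and plain integers become ints; anything else
    (IP addresses, masks, names) stays a string. A malformed token raises instead of
    being dropped silently, so a typo cannot quietly weaken the rule being created.
    """
    settings = {}
    for token in (text or "").split():
        match = _SETTING_RE.match(token)
        if not match:
            raise ValueError(f"malformed additional setting: {token!r}")
        name, raw = match.groups()
        if raw.lower() in ("true", "false"):
            settings[name] = raw.lower() == "true"
        elif re.fullmatch(r"-?\d+", raw):
            settings[name] = int(raw)
        else:
            settings[name] = raw
    return settings


def build_firewall_rule(name, description=None, action="Allow", priority="0 - Lowest",
                        direction="Incoming", frame_type="IP", protocol="Any",
                        source_ip_value=None, source_ip_mask=None,
                        source_mac_multiple=None, source_port_multiple=None,
                        destination_ip_value=None, destination_ip_mask=None,
                        destination_mac_multiple=None, destination_port_multiple=None,
                        additional_settings=""):
    """Assemble the Create Firewall Rule request body from the command's inputs."""
    body = {
        "name": name,
        "action": ACTION_VALUES[action],
        "priority": PRIORITY_VALUES[priority],
        "direction": direction.lower(),
        "frameType": frame_type.lower(),
        "protocol": protocol.lower(),
    }
    if description:
        body["description"] = description
    explicit = {
        "sourceIPValue": source_ip_value, "sourceIPMask": source_ip_mask,
        "sourceMACMultiple": source_mac_multiple, "sourcePortMultiple": source_port_multiple,
        "destinationIPValue": destination_ip_value, "destinationIPMask": destination_ip_mask,
        "destinationMACMultiple": destination_mac_multiple,
        "destinationPortMultiple": destination_port_multiple,
    }
    body.update({key: value for key, value in explicit.items() if value})
    # Additional Settings are merged last, so they can add or override fields (assumption:
    # the page does not say which input wins when both are given).
    body.update(parse_additional_settings(additional_settings))
    # Per the input table: an IP value or mask switches that side's IP type to masked-ip,
    # and a MAC or port list switches that type to multiple. Doing this after the merge also
    # covers the page's own example of passing sourceIPMask/sourceIPValue as settings.
    for side in ("source", "destination"):
        if f"{side}IPValue" in body or f"{side}IPMask" in body:
            body.setdefault(f"{side}IPType", "masked-ip")
        if f"{side}MACMultiple" in body:
            body.setdefault(f"{side}MACType", "multiple")
        if f"{side}PortMultiple" in body:
            body.setdefault(f"{side}PortType", "multiple")
            ports = body[f"{side}PortMultiple"]
            if isinstance(ports, (list, tuple)):  # API sample shows ports as strings
                body[f"{side}PortMultiple"] = [str(p) for p in ports]
    return body
```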

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "name": "Test Rule44",
    "description": "Test for creating firewall rule",
    "action": "allow",
    "priority": "0",
    "direction": "incoming",
    "frameType": "ip",
    "frameNumber": 2048,
    "frameNot": false,
    "protocol": "tcp",
    "protocolNot": false,
    "sourceIPType": "masked-ip",
    "sourceIPValue": "***.***.***.***",
    "sourceIPMask": "***.***.***.***",
    "sourceIPNot": false,
    "sourceMACType": "multiple",
    "sourceMACMultiple": [
        "**:**:**:**:**:**",
        "**:**:**:**:**:**"
    ],
    "sourceMACNot": false,
    "sourcePortType": "multiple",
    "sourcePortMultiple": [
        "*****",
        "*****"
    ],
    "sourcePortNot": false,
    "destinationIPType": "masked-ip",
    "destinationIPValue": "***.***.***.***",
    "destinationIPMask": "***.***.***.***",
    "destinationIPNot": false,
    "destinationMACType": "multiple",
    "destinationMACMultiple": [
        "**:**:**:**:**:**",
        "**:**:**:**:**:**"
    ],
    "destinationMACNot": false,
    "destinationPortType": "multiple",
    "destinationPortMultiple": [
        "*****",
        "*****"
    ],
    "destinationPortNot": false,
    "anyFlags": true,
    "logDisabled": false,
    "includePacketData": false,
    "alertEnabled": false,
    "ID": *****
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "name": "Test Rule44",
    "description": "Test for creating firewall rule",
    "action": "allow",
    "priority": "0",
    "direction": "incoming",
    "frameType": "ip",
    "frameNumber": 2048,
    "frameNot": false,
    "protocol": "tcp",
    "protocolNot": false,
    "sourceIPType": "masked-ip",
    "sourceIPValue": "***.***.***.***",
    "sourceIPMask": "***.***.***.***",
    "sourceIPNot": false,
    "sourceMACType": "multiple",
    "sourceMACMultiple": [
        "**:**:**:**:**:**",
        "**:**:**:**:**:**"
    ],
    "sourceMACNot": false,
    "sourcePortType": "multiple",
    "sourcePortMultiple": [
        "*****",
        "*****"
    ],
    "sourcePortNot": false,
    "destinationIPType": "masked-ip",
    "destinationIPValue": "***.***.***.***",
    "destinationIPMask": "***.***.***.***",
    "destinationIPNot": false,
    "destinationMACType": "multiple",
    "destinationMACMultiple": [
        "**:**:**:**:**:**",
        "**:**:**:**:**:**"
    ],
    "destinationMACNot": false,
    "destinationPortType": "multiple",
    "destinationPortMultiple": [
        "*****",
        "*****"
    ],
    "destinationPortNot": false,
    "anyFlags": true,
    "logDisabled": false,
    "includePacketData": false,
    "alertEnabled": false,
    "ID": *****
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "RuleID": *****
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name

Test Rule 44

description

Test for creating firewall rule

action

allow

priority

0

direction

incoming

frameType

ip

frameNumber

2048

frameNot

FALSE

protocol

tcp

protocolNot

FALSE

sourceIPType

masked-ip

sourceIPValue

***.***.***.***

sourceIPMask

***.***.***.***

sourceIPNot

FALSE

sourceMACType

multiple

sourceMACMultiple

**:**:**:**:**:**, **:**:**:**:**:**

sourceMACNot

FALSE

sourcePortType

any

sourcePortMultiple

*****,*****

sourcePortNot

FALSE

destinationIPType

masked-ip

destinationIPValue

***.***.***.***

destinationIPMask

***.***.***.***

destinationIPNot

FALSE

destinationMACType

multiple

destinationMACMultiple

**:**:**:**:**:**, **:**:**:**:**:**

destinationMACNot

FALSE

destinationPortType

any

destinationPortMultiple

*****,*****

destinationPortNot

FALSE

anyFlags

TRUE

logDisabled

FALSE

includePacketData

FALSE

alertEnabled

FALSE

ID

*****

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Firewall Rule failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 409.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The requested firewall rule name already exists.

Error Sample Data

Create Firewall Rule failed.

Status Code: 409.

Message: The requested firewall rule name already exists.

Create Intrusion Rule

Creates a new intrusion prevention rule.

READER NOTE

Application Type ID is a required parameter to run this command.

  • Run the List Application Types command to obtain the Application Type ID. Application Type IDs can be found in the raw data at the path $.applicationTypes[*].ID.

One of the following must be provided to create an intrusion rule:

  • Signature

  • Start Pattern, Body Patterns, and End Pattern

  • Custom XML

If the Start Pattern is specified, the template is set to start-end-patterns. Start Pattern, Body Patterns, and End Pattern are all required to create a start-end-patterns rule.
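The template selection rules in this note, as an added example that is not part of the integration's code. The field names `signature` and `customXML` for the signature and custom templates, and the default priority of Normal, are assumptions (the sample output only shows the start-end-patterns fields); `build_intrusion_rule` lowercases the option labels to match the values in the sample output:

```python
SEVERITY_LABELS = ("Any", "Critical", "High", "Medium", "Low")
PRIORITY_LABELS = ("Highest", "High", "Normal", "Low", "Lowest")
ACTION_LABELS = ("Drop", "Log-Only")


def select_template(signature=None, start_pattern=None, body_patterns=None,
                    end_pattern=None, custom_xml=None):
    """Return the template-specific fields of a Create Intrusion Rule body.

    Precedence follows the reader note: a Signature wins and the pattern/XML inputs
    are ignored; any Start/Body/End Pattern input selects start-end-patterns and then
    all three are required; Custom XML selects custom; nothing given is an error.
    """
    if signature:
        return {"template": "signature", "signature": signature}  # field name assumed
    if start_pattern or body_patterns or end_pattern:
        missing = [label for label, value in (("Start Pattern", start_pattern),
                                              ("Body Patterns", body_patterns),
                                              ("End Pattern", end_pattern)) if not value]
        if missing:
            raise ValueError("start-end-patterns rule is missing: " + ", ".join(missing))
        return {"template": "start-end-patterns", "start": start_pattern,
                "patterns": list(body_patterns), "end": end_pattern}
    if custom_xml:
        return {"template": "custom", "customXML": custom_xml}  # field name assumed
    raise ValueError("provide a Signature, Start/Body/End Patterns, or Custom XML")


def build_intrusion_rule(rule_name, application_type_id, severity="Any", priority="Normal",
                         alert_enabled=False, action="Drop", description=None,
                         **template_inputs):
    """Assemble the full request body; option labels are lowercased to the API form."""
    if (severity not in SEVERITY_LABELS or priority not in PRIORITY_LABELS
            or action not in ACTION_LABELS):
        raise ValueError("unknown severity, priority or action label")
    body = {
        "name": rule_name,
        "applicationTypeID": application_type_id,
        "severity": severity.lower(),
        "priority": priority.lower(),
        "action": action.lower(),
        "alertEnabled": bool(alert_enabled),
    }
    if description:
        body["description"] = description
    body.update(select_template(**template_inputs))
    return body
```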

Input

Input Parameter

Required/Optional

Description

Example

Rule Name

Required

The name of the intrusion prevention rule.

test202109081

Signature

Optional

The signature of the rule. If provided, the template is set to signature, and the input values of Start Pattern, End Pattern, Body Patterns, and Custom XML will be ignored.

*****

Start Pattern

Optional

The start pattern of the rule. If provided, the template is set to start-end-patterns.

secret

Body Patterns

Optional

The body patterns of the rule.

JSON
["*money"]

End Pattern

Optional

The ending pattern of the rule.

hack

Custom XML

Optional

The Custom XML used to define the rule. If provided, the template is set to custom.

*****

Application Type ID

Required

The ID of the application type associated with the rule. Application Type ID can be obtained using the List Application Types command.

*****

Severity

Optional

The severity level of the rule. Available options are:

  • Any

  • Critical

  • High

  • Medium

  • Low

By default, the value is Any.

Critical

Priority

Optional

The priority of the rule. Higher priority rules are applied before lower priority rules.

Available options are:

  • Highest

  • High

  • Normal

  • Low

  • Lowest

Highest

Alert Enabled

Optional

Whether to raise an alert when the rule logs an event. By default, the value is False.

False

Action

Optional

The action applied when the rule is triggered. Available options are:

  • Drop

  • Log-Only

Drop

Description

Optional

The description of the rule.

"Modify test Intrusion Prevention Rule"
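The template selection described above, as an added example that is not D3 SOAR's or Trend Micro's code: it maps this command's inputs to a rule body in Python, applies the precedence Signature, then Start/Body/End Patterns, then Custom XML, and rejects incomplete input with the messages this page uses. Field names follow the command's Raw Data sample; the "signature" and "customXML" field names and the decision to omit a severity of Any from the body are assumptions.

```python
"""Build the request body for the Create Intrusion Rule command.

Added example, not D3 SOAR's or Trend Micro's code. Assumptions: the
"signature" and "customXML" field names (not shown in the Raw Data sample),
and that a Severity of "Any" is left out of the body so the server applies
its own default.
"""
from typing import Any, Dict, List, Optional

# Drop-down values listed for Severity, Priority and Action, lower-cased as
# they appear in the Raw Data sample ("priority": "normal", "action": "drop").
SEVERITIES = {"any", "critical", "high", "medium", "low"}
PRIORITIES = {"highest", "high", "normal", "low", "lowest"}
ACTIONS = {"drop", "log-only"}

# Error text quoted from this page's Error Handling and Reader Note sections.
MISSING_TEMPLATE_MSG = (
    "Please input either Signature or Start-Body-End Patterns or "
    "Custom XML to create an intrusion rule."
)
INCOMPLETE_PATTERNS_MSG = (
    "Start Pattern, Body Patterns, and End Pattern are all required "
    "to create a start-end-patterns rule."
)


class IntrusionRuleInputError(ValueError):
    """Raised when the command inputs cannot form a valid rule body."""


def _choice(value: str, allowed: set, name: str) -> str:
    """Normalise a drop-down value to the lower-case form the API uses."""
    normalised = value.strip().lower()
    if normalised not in allowed:
        raise IntrusionRuleInputError(
            f"{name} must be one of {sorted(allowed)}, got {value!r}"
        )
    return normalised


def build_intrusion_rule_body(
    rule_name: str,
    application_type_id: int,
    signature: Optional[str] = None,
    start_pattern: Optional[str] = None,
    body_patterns: Optional[List[str]] = None,
    end_pattern: Optional[str] = None,
    custom_xml: Optional[str] = None,
    severity: str = "Any",
    priority: str = "Normal",
    alert_enabled: bool = False,
    action: str = "Drop",
    description: str = "",
) -> Dict[str, Any]:
    """Map the command's input parameters to a rule body."""
    body: Dict[str, Any] = {
        "name": rule_name,
        "description": description,
        "applicationTypeID": application_type_id,
        "priority": _choice(priority, PRIORITIES, "Priority"),
        "action": _choice(action, ACTIONS, "Action"),
        "alertEnabled": bool(alert_enabled),
    }
    # "Any" is the command's default; by assumption the field is omitted
    # in that case rather than sent to the server.
    sev = _choice(severity, SEVERITIES, "Severity")
    if sev != "any":
        body["severity"] = sev

    if signature:
        # Signature wins: Start/End Pattern, Body Patterns and Custom XML are
        # ignored, as the Signature parameter description states.
        body["template"] = "signature"
        body["signature"] = signature  # assumed field name
    elif start_pattern or body_patterns or end_pattern:
        # The page keys this template on Start Pattern; checking all three
        # inputs also catches a Body/End Pattern given without a Start.
        if not (start_pattern and body_patterns and end_pattern):
            raise IntrusionRuleInputError(INCOMPLETE_PATTERNS_MSG)
        body["template"] = "start-end-patterns"
        body["start"] = start_pattern
        body["patterns"] = list(body_patterns)
        body["end"] = end_pattern
    elif custom_xml:
        body["template"] = "custom"
        body["customXML"] = custom_xml  # assumed field name
    else:
        raise IntrusionRuleInputError(MISSING_TEMPLATE_MSG)
    return body
```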

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "name": "test20210913-1",
    "description": "an test Intrusion Prevention Rule",
    "applicationTypeID": *****,
    "priority": "normal",
    "severity": "low",
    "detectOnly": false,
    "eventLoggingDisabled": false,
    "generateEventOnPacketDrop": true,
    "alwaysIncludePacketData": false,
    "debugModeEnabled": false,
    "template": "start-end-patterns",
    "start": "*****",
    "patterns": ["*****"],
    "end": "*****",
    "caseSensitive": false,
    "condition": "all",
    "action": "drop",
    "alertEnabled": false,
    "ID": *****
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "name": "test20210913-1",
    "description": "an test Intrusion Prevention Rule",
    "applicationTypeID": *****,
    "priority": "normal",
    "severity": "low",
    "detectOnly": false,
    "eventLoggingDisabled": false,
    "generateEventOnPacketDrop": true,
    "alwaysIncludePacketData": false,
    "debugModeEnabled": false,
    "template": "start-end-patterns",
    "start": "*****",
    "patterns": ["*****"],
    "end": "*****",
    "caseSensitive": false,
    "condition": "all",
    "action": "drop",
    "alertEnabled": false,
    "ID": *****
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "IntrusionPreventionRuleID": *****,
    "IntrusionPreventionRuleName": "test20210913-1",
    "Description": "an test Intrusion Prevention Rule",
    "ApplicationTypeID": *****,
    "Priority": "normal",
    "Severity": "medium"
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name

test20210913-1

description

an test Intrusion Prevention Rule

applicationTypeID

*****

priority

normal

severity

low

detectOnly

FALSE

eventLoggingDisabled

FALSE

generateEventOnPacketDrop

TRUE

alwaysIncludePacketData

FALSE

debugModeEnabled

FALSE

template

start-end-patterns

start

t5r7y43

patterns

['4358uhtjgfdy']

end

grfehstruy

caseSensitive

FALSE

condition

all

action

drop

alertEnabled

FALSE

ID

*****

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Intrusion Rule failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Please input either Signature or Start-Body-End Patterns or Custom XML to create an intrusion rule.

Error Sample Data

Create Intrusion Rule failed.

Status Code: 400

Message: Please input either Signature or Start-Body-End Patterns or Custom XML to create an intrusion rule.

Deactivate Computer

Deactivates computers using IDs.

READER NOTE

Computer ID is a required parameter to run this command.

  • Run the Get Host List command to obtain the Computer ID. Computer IDs can be found in the raw data at the path $.computers[*].ID.

Input

Input Parameter

Required/Optional

Description

Example

Computer IDs

Required

The IDs of the computers to deactivate. Computer IDs can be obtained using the Get Host List command.

JSON
[
    *****, 
    *****
]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "ID": *****,
        "result": "Successful"
    },
    {
        "ID": *****,
        "result": "Successful"
    }
]
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "ID": *****,
        "result": "Successful"
    },
    {
        "ID": *****,
        "result": "Successful"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "IDs": [
      *****,
      *****
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ID

result

*****

Successful

*****

Successful

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Deactivate Computer failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: ID ***** not found

Error Sample Data

Deactivate Computer failed.

Status Code: 404.

Message: ID ***** not found

Delete Firewall Rules

Deletes firewall rules using the specified IDs.

READER NOTE

Rule IDs is a required parameter to run this command.

  • Run the List Firewall Rules or Create Firewall Rule command to obtain the Rule IDs. Rule IDs can be found in the raw data at the path $.firewallRules[*].ID for List Firewall Rules or $.ID for Create Firewall Rule.

Input

Input Parameter

Required/Optional

Description

Example

Rule IDs

Required

The IDs of the firewall rules to delete. Rule IDs can be obtained using the List Firewall Rules or Create Firewall Rule command.

JSON
[ ***** ]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "ruleID": *****,
        "actionResult": "Deleted the rule successfully"
    }
]
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "ruleID": *****,
        "actionResult": "Deleted the rule successfully"
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ruleID

actionResult

*****

Deleted the rule successfully

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Firewall Rules failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 409.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more firewall rules could not be deleted because it is in use by one or more computers or policies.

Error Sample Data

Delete Firewall Rules failed.

Status Code: 409.

Message: One or more firewall rules could not be deleted because it is in use by one or more computers or policies.
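One way to drive Delete Firewall Rules with a check for the 409 case above, and to derive the Successful, Partially Successful or Failed state that the Return Data description defines for array inputs (the same rule governs Deactivate Computer and Delete Intrusion Rules), as an added example that is not D3 SOAR's or Trend Micro's code. It chains Get Host List and Get Firewall Rule IDs By Computer against a constructed in-memory stand-in for the manager; all IDs are made up, and the per-rule error entries are a shape this example assumes.

```python
"""Delete firewall rules with an in-use pre-check and per-rule result states.

Added example, not D3 SOAR's or Trend Micro's code. FakeManager is a
constructed stand-in for the manager (made-up IDs) whose responses copy the
Raw Data shapes shown on this page. Rules assigned to a computer are skipped
up front; policy assignments are not visible through these commands, so a
409 from the server is still handled per rule.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Message quoted from the Delete Firewall Rules Error Handling section.
IN_USE_MSG = (
    "One or more firewall rules could not be deleted because it is in use "
    "by one or more computers or policies."
)


class ApiError(Exception):
    """Carries the Status Code and Message pair shown in the Error tab."""

    def __init__(self, status_code: int, message: str) -> None:
        super().__init__(f"Status Code: {status_code}. Message: {message}")
        self.status_code = status_code
        self.message = message


@dataclass
class FakeManager:
    """Constructed stand-in: computer ID -> assigned firewall rule IDs."""

    computers: Dict[int, Set[int]] = field(default_factory=dict)
    rules: Set[int] = field(default_factory=set)

    def get_host_list(self) -> dict:
        # Same shape as the Get Host List Raw Data ($.computers[*].ID).
        return {"computers": [{"ID": cid} for cid in self.computers]}

    def get_firewall_rule_ids_by_computer(self, computer_id: int) -> dict:
        # Same shape as the Get Firewall Rule IDs By Computer Raw Data.
        if computer_id not in self.computers:
            raise ApiError(404, "Not Found.")
        return {"assignedRuleIDs": sorted(self.computers[computer_id])}

    def delete_firewall_rule(self, rule_id: int) -> None:
        # The server refuses to delete a rule that is still assigned.
        if rule_id not in self.rules:
            raise ApiError(404, "Not Found.")
        if any(rule_id in assigned for assigned in self.computers.values()):
            raise ApiError(409, IN_USE_MSG)
        self.rules.remove(rule_id)


def rules_in_use(mgr: FakeManager) -> Set[int]:
    """Every rule ID assigned to any computer (policies are not covered)."""
    in_use: Set[int] = set()
    for computer in mgr.get_host_list()["computers"]:
        assigned = mgr.get_firewall_rule_ids_by_computer(computer["ID"])
        in_use.update(assigned["assignedRuleIDs"])
    return in_use


def aggregate_state(successes: int, failures: int) -> str:
    """Return Data state for an array input, as this page defines it."""
    if failures == 0:
        return "Successful"
    return "Partially Successful" if successes else "Failed"


def delete_firewall_rules(mgr: FakeManager, rule_ids: List[int]) -> dict:
    """Delete each rule ID, reporting per-rule results and the overall state."""
    in_use = rules_in_use(mgr)
    raw_data: List[dict] = []   # same shape as the command's Raw Data sample
    errors: List[dict] = []     # assumed shape for the Error tab details
    for rule_id in rule_ids:
        if rule_id in in_use:
            errors.append({"ruleID": rule_id, "statusCode": 409,
                           "message": "Skipped: rule is assigned to a computer."})
            continue
        try:
            mgr.delete_firewall_rule(rule_id)
            raw_data.append({"ruleID": rule_id,
                             "actionResult": "Deleted the rule successfully"})
        except ApiError as exc:
            errors.append({"ruleID": rule_id, "statusCode": exc.status_code,
                           "message": exc.message})
    return {
        "returnData": aggregate_state(len(raw_data), len(errors)),
        "rawData": raw_data,
        "errors": errors,
    }


if __name__ == "__main__":
    # Constructed data: rule 10 and 11 are assigned, 12 and 13 are free.
    mgr = FakeManager(computers={1: {10, 11}, 2: {11}}, rules={10, 11, 12, 13})
    print(delete_firewall_rules(mgr, [12, 10, 99]))
```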

Delete Intrusion Rules

Deletes intrusion prevention rules using the specified IDs.

READER NOTE

Intrusion Rule IDs is a required parameter to run this command.

  • Run the List Intrusion Rules command to obtain the Intrusion Rule IDs. Intrusion Rule IDs can be found in the raw data at the path $.intrusionPreventionRules[*].ID.

Input

Input Parameter

Required/Optional

Description

Example

Intrusion Rule IDs

Required

The IDs of the intrusion prevention rules to delete. Intrusion Rule IDs can be obtained using the List Intrusion Rules command.

CODE
[*****]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "ID": *****,
        "Message": "Intrusion Prevention Rule ID ***** has been removed successfully."
    },
    {
        "ID": *****,
        "Message": "Intrusion Prevention Rule ID ***** has been removed successfully."
    }
]
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "ID": *****,
        "Message": "Intrusion Prevention Rule ID ***** has been removed successfully."
    },
    {
        "ID": *****,
        "Message": "Intrusion Prevention Rule ID ***** has been removed successfully."
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ID

Message

*****

Intrusion Prevention Rule ID ***** has been removed successfully.

*****

Intrusion Prevention Rule ID ***** has been removed successfully.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Intrusion Rules failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 409.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more Intrusion Prevention Rules could not be deleted because they have been issued by Trend Micro.

Error Sample Data

Delete Intrusion Rules failed.

Status Code: 409.

Message: One or more Intrusion Prevention Rules could not be deleted because they have been issued by Trend Micro.

Get Firewall Rule IDs By Computer

Retrieves all firewall rule IDs assigned to a computer.

READER NOTE

Computer ID is a required parameter to run this command.

  • Run the Get Host List command to obtain the Computer ID. Computer IDs can be found in the raw data at the path $.computers[*].ID.

Input

Input Parameter

Required/Optional

Description

Example

Computer ID

Required

The ID of the computer for which to retrieve firewall rule IDs. Computer ID can be obtained using the Get Host List command.

*****

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "assignedRuleIDs": [
        *****,
        *****,
        *****,
        *****,
        *****
    ]
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "assignedRuleIDs": [
        *****,
        *****,
        *****,
        *****,
        *****
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "AssignedRuleIDs": [
        *****,
        *****
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

assignedRuleIDs

*****

*****

*****

*****

*****

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Firewall Rule IDs By Computer failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Not Found.

Error Sample Data

Get Firewall Rule IDs By Computer failed.

Status Code: 404.

Message: Not Found.

Get Host List

Retrieves all computers.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "computers": [
        {
            "hostName": "*****",
            "displayName": "",
            "description": "",
            "lastIPUsed": "***.***.***.***",
            "platform": "",
            "policyID": *****,
            "relayListID": *****,
            "lastAgentCommunication": 1617922434092,
            "agentVersion": "0.0.0.0",
            "biosUUID": "*****",
            "hostGUID": "*****",
            "ID": *****
        }
    ]
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "computers": [
        {
            "hostName": "*****",
            "displayName": "",
            "description": "",
            "lastIPUsed": "***.***.***.***",
            "platform": "",
            "policyID": *****,
            "relayListID": *****,
            "lastAgentCommunication": 1617922434092,
            "agentVersion": "0.0.0.0",
            "biosUUID": "*****",
            "hostGUID": "*****",
            "ID": *****
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ComputerIDs": [
        *****
    ],
    "ComputerNames": [
        "*****"
    ],
    "HostGUIDs": [
        "*****"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

hostName

*****

displayName

description

lastIPUsed

***.***.***.***

platform

relayListID

0

agentFingerPrint

*****

lastAgentCommunication

1.61E+12

agentVersion

0.0.0.0

biosUUID

*****

hostGUID

*****

agentGUID

*****

ID

*****

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Host List failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid API Key.

Error Sample Data

Get Host List failed.

Status Code: 401.

Message: Invalid API Key.

List Application Types

Lists all application types.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "applicationTypes": [
        {
            "name": "Backdoors TCP",
            "description": "",
            "minimumAgentVersion": "4.0.0.0",
            "direction": "incoming",
            "protocol": "tcp",
            "portType": "port-list",
            "portListID": *****,
            "ID": *****
        },
        {
            "name": "TFTP Client Decoder",
            "description": "This application type helps the TFTP client application type to decode the traffic.",
            "minimumAgentVersion": "4.0.0.0",
            "direction": "outgoing",
            "protocol": "udp",
            "portType": "port-list",
            "portListID": *****,
            "ID": *****
        }
    ]
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "name": "Backdoors TCP",
        "description": "",
        "minimumAgentVersion": "4.0.0.0",
        "direction": "incoming",
        "protocol": "tcp",
        "portType": "port-list",
        "portListID": *****,
        "ID": *****
    },
    {
        "name": "TFTP Client Decoder",
        "description": "This application type helps the TFTP client application type to decode the traffic.",
        "minimumAgentVersion": "4.0.0.0",
        "direction": "outgoing",
        "protocol": "udp",
        "portType": "port-list",
        "portListID": *****,
        "ID": *****
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ApplicationTypeIDs": [
        *****,
        *****
    ],
    "ApplicationTypeNames": [
        "Backdoors TCP",
        "TFTP Client Decoder"
    ],
    "Descriptions": [
        "",
        "This application type helps the TFTP client application type to decode the traffic."
    ],
    "Directions": [
        "incoming",
        "outgoing"
    ],
    "Protocols": [
        "tcp",
        "udp"
    ],
    "PortTypes": [
        "port-list",
        "port-list"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name

Backdoors TCP

TFTP Client Decoder

description

This application type helps the TFTP client application type to decode the traffic.

minimumAgentVersion

4.0.0.0

4.0.0.0

direction

incoming

outgoing

protocol

tcp

udp

portType

port-list

port-list

portListID

*****

*****

ID

*****

*****

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Application Types failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Not authorized. Invalid Key. Check DSM events for details.

Error Sample Data

List Application Types failed.

Status Code: 403.

Message: Not authorized. Invalid Key. Check DSM events for details.

List Firewall Rules

Lists all firewall rules.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "firewallRules": [
        {
            "name": "Off Domain Exceptions - Domain Client (UDP)",
            "description": "test rule",
            "action": "force-allow",
            "priority": "2",
            "direction": "outgoing",
            "frameType": "ip",
            "frameNumber": 2048,
            "frameNot": false,
            "protocol": "udp",
            "protocolNot": false,
            "sourceIPType": "any",
            "sourceIPNot": false,
            "sourceMACType": "any",
            "sourceMACNot": false,
            "sourcePortType": "any",
            "sourcePortNot": false,
            "destinationIPType": "ip-list",
            "destinationIPListID": *****,
            "destinationIPNot": false,
            "destinationMACType": "any",
            "destinationMACNot": false,
            "destinationPortType": "port-list",
            "destinationPortListID": *****,
            "destinationPortNot": false,
            "anyFlags": true,
            "logDisabled": false,
            "includePacketData": false,
            "alertEnabled": false,
            "contextID": "*****",
            "ID": *****
        }
    ]
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "name": "Off Domain Exceptions - Domain Client (UDP)",
        "description": "test rule",
        "action": "force-allow",
        "priority": "2",
        "direction": "outgoing",
        "frameType": "ip",
        "frameNumber": 2048,
        "frameNot": false,
        "protocol": "udp",
        "protocolNot": false,
        "sourceIPType": "any",
        "sourceIPNot": false,
        "sourceMACType": "any",
        "sourceMACNot": false,
        "sourcePortType": "any",
        "sourcePortNot": false,
        "destinationIPType": "ip-list",
        "destinationIPListID": *****,
        "destinationIPNot": false,
        "destinationMACType": "any",
        "destinationMACNot": false,
        "destinationPortType": "port-list",
        "destinationPortListID": *****,
        "destinationPortNot": false,
        "anyFlags": true,
        "logDisabled": false,
        "includePacketData": false,
        "alertEnabled": false,
        "contextID": *****,
        "ID": *****
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "RuleIDs": [
        *****
    ],
    "RuleNames": [
        "Off Domain Exceptions - Domain Client (UDP)"
    ],
    "Actions": [
        "force-allow"
    ],
    "Priorities": [
        "2"
    ],
    "Directions": [
        "test rule"
    ],
    "Protocols": [
        "tcp"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name

Off Domain Exceptions - Domain Client (UDP)

description

action

force-allow

priority

2

direction

outgoing

frameType

ip

frameNumber

2048

frameNot

FALSE

protocol

udp

protocolNot

FALSE

sourceIPType

any

sourceIPNot

FALSE

sourceMACType

any

sourceMACNot

FALSE

sourcePortType

any

sourcePortNot

FALSE

destinationIPType

ip-list

destinationIPListID

*****

destinationIPNot

FALSE

destinationMACType

any

destinationMACNot

FALSE

destinationPortType

port-list

destinationPortListID

*****

destinationPortNot

FALSE

anyFlags

TRUE

logDisabled

FALSE

includePacketData

FALSE

alertEnabled

FALSE

contextID

*****

ID

*****

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Firewall Rules failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid API Key.

Error Sample Data

List Firewall Rules failed.

Status Code: 401.

Message: Invalid API Key.

List Intrusion Rules

Lists intrusion prevention rules based on specified filters.

Input

Input Parameter | Required/Optional | Description | Example
Type | Required | The type of intrusion prevention rule. Available options are: Custom, Smart, Vulnerability, Exploit, Hidden, Policy, Info. By default, the value is Custom. | Custom
Severity | Required | The severity level of the rule. Available options are: Any, Critical, High, Medium, Low. By default, the value is Any. | Critical
Max Results | Optional | The maximum number of results returned. The maximum is 5000. By default, the value is 5000. | 5000

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "intrusionPreventionRules": [
        {
            "name": "Oracle Database Server XML Database Component Buffer Overflow (create file)",
            "description": "Oracle Database has a buffer overflow vulnerability in public procedure DBMS_XMLSCHEMA.GENERATESCHEMA that can be exploited to run arbitrary code.",
            "applicationTypeID": *****,
            "priority": "high",
            "severity": "critical",
            "detectOnly": false,
            "eventLoggingDisabled": false,
            "generateEventOnPacketDrop": true,
            "alwaysIncludePacketData": false,
            "debugModeEnabled": false,
            "type": "exploit",
            "originalIssue": 1139856774000,
            "lastUpdated": 1168375378000,
            "identifier": "*****",
            "alertEnabled": false,
            "recommendationsMode": "enabled",
            "canBeAssignedAlone": true,
            "ID": *****,
            "CVSSScore": "9.00",
            "CVE": ["*****"]
        },
        {
            "name": "Symantec Veritas NetBackup CONNECT_OPTIONS Request Buffer Overflow",
            "description": "There exists a buffer overflow vulnerability in Symantec VERITAS NetBackup Server, Backup Client Service (BPCD). The flaw is caused by incorrect processing of specially crafted BPCD messages. A remote attacker may exploit this vulnerability to inject and execute arbitrary code on the vulnerable system within the security context of the affected service, normally System.",
            "applicationTypeID": *****,
            "priority": "normal",
            "severity": "critical",
            "detectOnly": false,
            "eventLoggingDisabled": false,
            "generateEventOnPacketDrop": true,
            "alwaysIncludePacketData": false,
            "debugModeEnabled": false,
            "type": "exploit",
            "originalIssue": 1166611684000,
            "lastUpdated": 1166611684000,
            "identifier": "*****",
            "alertEnabled": false,
            "recommendationsMode": "enabled",
            "canBeAssignedAlone": true,
            "ID": *****,
            "CVSSScore": "10.00",
            "CVE": ["*****"]
        }
    ]
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "name": "Oracle Database Server XML Database Component Buffer Overflow (create file)",
        "description": "Oracle Database has a buffer overflow vulnerability in public procedure DBMS_XMLSCHEMA.GENERATESCHEMA that can be exploited to run arbitrary code.",
        "applicationTypeID": *****,
        "priority": "high",
        "severity": "critical",
        "detectOnly": false,
        "eventLoggingDisabled": false,
        "generateEventOnPacketDrop": true,
        "alwaysIncludePacketData": false,
        "debugModeEnabled": false,
        "type": "exploit",
        "originalIssue": 1139856774000,
        "lastUpdated": 1168375378000,
        "identifier": "*****",
        "alertEnabled": false,
        "recommendationsMode": "enabled",
        "canBeAssignedAlone": true,
        "ID": *****,
        "CVSSScore": "9.00",
        "CVE": ["*****"],
        "originalIssueUTCTime": "2006-02-13T18:52:54",
        "lastUpdatedUTCTime": "2007-01-09T20:42:58"
    },
    {
        "name": "Symantec Veritas NetBackup CONNECT_OPTIONS Request Buffer Overflow",
        "description": "There exists a buffer overflow vulnerability in Symantec VERITAS NetBackup Server, Backup Client Service (BPCD). The flaw is caused by incorrect processing of specially crafted BPCD messages. A remote attacker may exploit this vulnerability to inject and execute arbitrary code on the vulnerable system within the security context of the affected service, normally System.",
        "applicationTypeID": *****,
        "priority": "normal",
        "severity": "critical",
        "detectOnly": false,
        "eventLoggingDisabled": false,
        "generateEventOnPacketDrop": true,
        "alwaysIncludePacketData": false,
        "debugModeEnabled": false,
        "type": "exploit",
        "originalIssue": 1166611684000,
        "lastUpdated": 1166611684000,
        "identifier": "*****",
        "alertEnabled": false,
        "recommendationsMode": "enabled",
        "canBeAssignedAlone": true,
        "ID": *****,
        "CVSSScore": "10.00",
        "CVE": ["*****"],
        "originalIssueUTCTime": "2006-12-20T10:48:04",
        "lastUpdatedUTCTime": "2006-12-20T10:48:04"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "IntrusionPreventionRuleIDs": [
        *****,
        *****
    ],
    "IntrusionPreventionRuleNames": [
        "Oracle Database Server XML Database Component Buffer Overflow (create file)",
        "Symantec Veritas NetBackup CONNECT_OPTIONS Request Buffer Overflow"
    ],
    "Descriptions": [
        "Oracle Database has a buffer overflow vulnerability in public procedure DBMS_XMLSCHEMA.GENERATESCHEMA that can be exploited to run arbitrary code.",
        "There exists a buffer overflow vulnerability in Symantec VERITAS NetBackup Server, Backup Client Service (BPCD). The flaw is caused by incorrect processing of specially crafted BPCD messages. A remote attacker may exploit this vulnerability to inject and execute arbitrary code on the vulnerable system within the security context of the affected service, normally System."
    ],
    "ApplicationTypeIDs": [
        "*****",
        "*****"
    ],
    "Priorities": [
        "high",
        "normal"
    ],
    "Severities": [
        "critical",
        "critical"
    ],
    "Types": [
        "exploit",
        "exploit"
    ],
    "CVSSScores": [
        "9.00",
        "10.00"
    ]
}
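To show how the Context Data and Key Fields above are derived from the Raw Data of this command, and how the Type, Severity and Max Results inputs and the 400 error described under Error Handling fit together, here is an added Python example; it is not D3 SOAR or Trend Micro code. The embedded sample response, the placeholder IDs and CVEs, and the client-side filtering are assumptions of the example.

```python
"""Added example (not D3 SOAR or Trend Micro code): derive the List Intrusion Rules
outputs the page describes (Return Data, Context Data, Key Fields) from its Raw Data."""
from datetime import datetime, timezone

# Constructed sample built from the page's Raw Data. IDs and CVEs are placeholders
# for the redacted (*****) values; the second description is shortened.
RAW_DATA = {
    "intrusionPreventionRules": [
        {
            "name": "Oracle Database Server XML Database Component Buffer Overflow (create file)",
            "description": "Oracle Database has a buffer overflow vulnerability in public procedure DBMS_XMLSCHEMA.GENERATESCHEMA that can be exploited to run arbitrary code.",
            "applicationTypeID": 1001,  # placeholder
            "priority": "high",
            "severity": "critical",
            "type": "exploit",
            "originalIssue": 1139856774000,  # epoch milliseconds, as the API returns them
            "lastUpdated": 1168375378000,
            "ID": 1,  # placeholder
            "CVSSScore": "9.00",
            "CVE": ["CVE-0000-0001"],  # placeholder
        },
        {
            "name": "Symantec Veritas NetBackup CONNECT_OPTIONS Request Buffer Overflow",
            "description": "There exists a buffer overflow vulnerability in Symantec VERITAS NetBackup Server, Backup Client Service (BPCD).",
            "applicationTypeID": 1002,  # placeholder
            "priority": "normal",
            "severity": "critical",
            "type": "exploit",
            "originalIssue": 1166611684000,
            "lastUpdated": 1166611684000,
            "ID": 2,  # placeholder
            "CVSSScore": "10.00",
            "CVE": ["CVE-0000-0002"],  # placeholder
        },
    ]
}

# Allowed values of the command's Type and Severity inputs (compared case-insensitively).
ALLOWED_TYPES = {"custom", "smart", "vulnerability", "exploit", "hidden", "policy", "info"}
ALLOWED_SEVERITIES = {"any", "critical", "high", "medium", "low"}
MAX_RESULTS_CAP = 5000  # the Max Results input is capped at 5000

# Key Field name -> (rule field, converter). The page shows ApplicationTypeIDs as
# strings while IDs stay numeric, so only that field is cast.
KEY_FIELD_MAP = [
    ("IntrusionPreventionRuleIDs", "ID", None),
    ("IntrusionPreventionRuleNames", "name", None),
    ("Descriptions", "description", None),
    ("ApplicationTypeIDs", "applicationTypeID", str),
    ("Priorities", "priority", None),
    ("Severities", "severity", None),
    ("Types", "type", None),
    ("CVSSScores", "CVSSScore", None),
]

def epoch_ms_to_utc(ms):
    """Render an epoch-millisecond timestamp the way Context Data shows it."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

def to_context_data(raw):
    """Context Data: the rule list plus originalIssueUTCTime / lastUpdatedUTCTime."""
    rules = []
    for rule in raw.get("intrusionPreventionRules", []):
        entry = dict(rule)
        entry["originalIssueUTCTime"] = epoch_ms_to_utc(rule["originalIssue"])
        entry["lastUpdatedUTCTime"] = epoch_ms_to_utc(rule["lastUpdated"])
        rules.append(entry)
    return rules

def to_key_fields(raw):
    """Key Fields: one parallel list per indicator, in response order."""
    rules = raw.get("intrusionPreventionRules", [])
    return {key: [conv(r[field]) if conv else r[field] for r in rules if field in r]
            for key, field, conv in KEY_FIELD_MAP}

def _failed(message):
    """Failed Return Data carrying the Error tab parts the page lists (a 400 here)."""
    return {"ReturnData": "Failed",
            "Error": {"FailureIndicator": "List Intrusion Rules failed.",
                      "StatusCode": 400, "Message": message}}

def list_intrusion_rules(raw, rule_type, severity, max_results=MAX_RESULTS_CAP):
    """Mimic the command: validate inputs, filter, cap results, derive the outputs.
    Client-side filtering is an assumption here; the real command sends the filters to the API."""
    if not rule_type or not severity:
        return _failed("Type and Severity is required.")  # message from the page
    rule_type, severity = rule_type.lower(), severity.lower()
    if rule_type not in ALLOWED_TYPES or severity not in ALLOWED_SEVERITIES:
        return _failed("Unknown Type or Severity value.")  # constructed message
    max_results = min(max(int(max_results), 1), MAX_RESULTS_CAP)
    matched = [r for r in raw.get("intrusionPreventionRules", [])
               if r.get("type") == rule_type
               and (severity == "any" or r.get("severity") == severity)][:max_results]
    subset = {"intrusionPreventionRules": matched}
    return {"ReturnData": "Successful", "RawData": subset,
            "ContextData": to_context_data(subset), "KeyFields": to_key_fields(subset)}
```

Calling list_intrusion_rules(RAW_DATA, "Exploit", "Critical") reproduces the UTC timestamps and Key Field lists shown in the samples above.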
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name: Oracle Database Server XML Database Component Buffer Overflow (create file) | Symantec Veritas NetBackup CONNECT_OPTIONS Request Buffer Overflow
description: Oracle Database has a buffer overflow vulnerability in public procedure DBMS_XMLSCHEMA.GENERATESCHEMA that can be exploited to run arbitrary code. | There exists a buffer overflow vulnerability in Symantec VERITAS NetBackup Server, Backup Client Service (BPCD). The flaw is caused by incorrect processing of specially crafted BPCD messages. A remote attacker may exploit this vulnerability to inject and execute arbitrary code on the vulnerable system within the security context of the affected service, normally System.
applicationTypeID: ***** | *****
priority: high | normal
severity: critical | critical
detectOnly: FALSE | FALSE
eventLoggingDisabled: FALSE | FALSE
generateEventOnPacketDrop: TRUE | TRUE
alwaysIncludePacketData: FALSE | FALSE
debugModeEnabled: FALSE | FALSE
type: exploit | exploit
originalIssue: 1.14E+12 | 1.17E+12
lastUpdated: 1.17E+12 | 1.17E+12
identifier: ***** | *****
alertEnabled: FALSE | FALSE
recommendationsMode: enabled | enabled
canBeAssignedAlone: TRUE | TRUE
ID: ***** | *****
CVSSScore: 9 | 10
CVE: ['*****'] | ['*****']

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Intrusion Rules failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Type and Severity is required.

Error Sample Data

List Intrusion Rules failed.

Status Code: 400.

Message: Type and Severity is required.

List Policies

Lists all policies.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "policies": [
        {
            "name": "Base Policy",
            "description": "A policy from which all other policies can inherit. Only the most general settings should be applied to this policy as they will apply to all policies that inherit from it, unless overridden. More specific settings and rules should be added to sub-policies that are assigned to computers.",
            "policySettings": {
                "logInspectionSettingSeverityClippingAgentEventSendSyslogLevelMin": {
                    "value": "Medium (6)"
                },
                "firewallSettingEngineOptionConnectionsCleanupMax": {
                    "value": "1000"
                },
                "firewallSettingEngineOptionVerifyTcpChecksumEnabled": {
                    "value": "false"
                }
            },
            "recommendationScanMode": "ongoing",
            "autoRequiresUpdate": "on",
            "ID": "*****",
            "antiMalware": {
                "state": "off",
                "moduleStatus": {
                    "status": "inactive",
                    "statusMessage": "Off"
                },
                "realTimeScanConfigurationID": *****,
                "realTimeScanScheduleID": *****,
                "manualScanConfigurationID": *****,
                "scheduledScanConfigurationID": *****
            },
            "webReputation": {
                "state": "off",
                "moduleStatus": {
                    "status": "inactive",
                    "statusMessage": "Off"
                }
            },
            "activityMonitoring": {
                "state": "off",
                "moduleStatus": {
                    "status": "inactive",
                    "statusMessage": "Off"
                }
            },
            "firewall": {
                "state": "off",
                "moduleStatus": {
                    "status": "inactive",
                    "statusMessage": "Off, 2 rules"
                },
                "globalStatefulConfigurationID": "*****",
                "ruleIDs": [
                    *****,
                    *****
                ]
            },
            "intrusionPrevention": {
                "state": "off",
                "moduleStatus": {
                    "status": "inactive",
                    "statusMessage": "Off, no rules"
                }
            },
            "integrityMonitoring": {
                "state": "off",
                "moduleStatus": {
                    "status": "inactive",
                    "statusMessage": "Off, no rules"
                }
            },
            "logInspection": {
                "state": "off",
                "moduleStatus": {
                    "status": "inactive",
                    "statusMessage": "Off, no rules"
                }
            },
            "applicationControl": {
                "state": "off",
                "moduleStatus": {
                    "status": "inactive",
                    "statusMessage": "Off"
                }
            }
        }
    ]
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "name": "Base Policy",
        "description": "A policy from which all other policies can inherit. Only the most general settings should be applied to this policy as they will apply to all policies that inherit from it, unless overridden. More specific settings and rules should be added to sub-policies that are assigned to computers.",
        "policySettings": {
            "logInspectionSettingSeverityClippingAgentEventSendSyslogLevelMin": {
                "value": "Medium (6)"
            },
            "firewallSettingEngineOptionConnectionsCleanupMax": {
                "value": "1000"
            },
            "firewallSettingEngineOptionVerifyTcpChecksumEnabled": {
                "value": "false"
            }
        },
        "recommendationScanMode": "ongoing",
        "autoRequiresUpdate": "on",
        "ID": "*****",
        "antiMalware": {
            "state": "off",
            "moduleStatus": {
                "status": "inactive",
                "statusMessage": "Off"
            },
            "realTimeScanConfigurationID": *****,
            "realTimeScanScheduleID": *****,
            "manualScanConfigurationID": *****,
            "scheduledScanConfigurationID": *****
        },
        "webReputation": {
            "state": "off",
            "moduleStatus": {
                "status": "inactive",
                "statusMessage": "Off"
            }
        },
        "activityMonitoring": {
            "state": "off",
            "moduleStatus": {
                "status": "inactive",
                "statusMessage": "Off"
            }
        },
        "firewall": {
            "state": "off",
            "moduleStatus": {
                "status": "inactive",
                "statusMessage": "Off, 2 rules"
            },
            "globalStatefulConfigurationID": "*****",
            "ruleIDs": [
                *****,
                *****
            ]
        },
        "intrusionPrevention": {
            "state": "off",
            "moduleStatus": {
                "status": "inactive",
                "statusMessage": "Off, no rules"
            }
        },
        "integrityMonitoring": {
            "state": "off",
            "moduleStatus": {
                "status": "inactive",
                "statusMessage": "Off, no rules"
            }
        },
        "logInspection": {
            "state": "off",
            "moduleStatus": {
                "status": "inactive",
                "statusMessage": "Off, no rules"
            }
        },
        "applicationControl": {
            "state": "off",
            "moduleStatus": {
                "status": "inactive",
                "statusMessage": "Off"
            }
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "PolicyIDs": [
        *****
    ],
    "PolicyNames": [
        "Base Policy"
    ],
    "Descriptions": [
        "A policy from which all other policies can inherit. Only the most general settings should be applied to this policy as they will apply to all policies that inherit from it, unless overridden. More specific settings and rules should be added to sub-policies that are assigned to computers."
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name: Base Policy
description: A policy from which all other policies can inherit. Only the most general settings should be applied to this policy as they will apply to all policies that inherit from it, unless overridden. More specific settings and rules should be added to sub-policies that are assigned to computers.
policySettings:
{'logInspectionSettingSeverityClippingAgentEventSendSyslogLevelMin': {'value': 'Medium (6)'}, 'firewallSettingEngineOptionConnectionsCleanupMax': {'value': '1000'}, 'firewallSettingEngineOptionVerifyTcpChecksumEnabled': {'value': 'false'}, 'antiMalwareSettingScanCacheOnDemandConfigId': {'value': '*****'}, 'applicationControlSettingSharedRulesetId': {'value': '*****'}, 'webReputationSettingSmartProtectionServerConnectionLostWarningEnabled': {'value': 'true'}, 'applicationControlSettingExecutionEnforcementLevel': {'value': 'Allow unrecognized software until it is explicitly blocked'}, 'webReputationSettingBlockedUrlDomains': {'value': ''}, 'firewallSettingEngineOptionSynSentTimeout': {'value': '20 Seconds'}, 'platformSettingAgentSelfProtectionPassword': {'value': ''}, 'firewallSettingReconnaissanceBlockTcpXmasAttackDuration': {'value': 'No'}, 'intrusionPreventionSettingVirtualAndContainerNetworkScanEnabled': {'value': 'true'}, 'logInspectionSettingSyslogConfigId': {'value': '0'}, 'firewallSettingEngineOptionDebugModeEnabled': {'value': 'false'}, 'firewallSettingVirtualAndContainerNetworkScanEnabled': {'value': 'false'}, 'antiMalwareSettingFileHashSha256Enabled': {'value': 'false'}, 'firewallSettingReconnaissanceNotifyFingerprintProbeEnabled': {'value': 'true'}, 'firewallSettingEventLogFileRetainNum': {'value': '3'}, 'firewallSettingAntiEvasionCheckTcpPawsZero': {'value': 'Allow'}, 'antiMalwareSettingConnectedThreatDefenseUseControlManagerSuspiciousObjectListEnabled': {'value': 'true'}, 'intrusionPreventionSettingEngineOptionFragmentedIpKeepMax': {'value': '1000'}, 'firewallSettingEngineOptionDrop6To4BogonsAddressesEnabled': {'value': 'true'}, 'logInspectionSettingSeverityClippingAgentEventStoreLevelMin': {'value': 'Medium (6)'}, 'platformSettingScanCacheConcurrencyMax': {'value': '1'}, 'antiMalwareSettingSyslogConfigId': {'value': '*****'}, 'firewallSettingAntiEvasionTcpPawsWindowPolicy': {'value': '0'}, 'firewallSettingReconnaissanceDetectTcpXmasAttackEnabled': 
{'value': 'true'}, 'applicationControlSettingRulesetMode': {'value': 'Use local ruleset'}, 'antiMalwareSettingSmartProtectionGlobalServerUseProxyEnabled': {'value': 'false'}, 'webReputationSettingSmartProtectionLocalServerAllowOffDomainGlobal': {'value': 'false'}, 'integrityMonitoringSettingCombinedModeProtectionSource': {'value': 'Appliance preferred'}, 'firewallSettingEngineOptionCloseWaitTimeout': {'value': '2 Minutes'}, 'platformSettingScanOpenPortListId': {'value': '*****'}, 'platformSettingAgentSelfProtectionPasswordEnabled': {'value': 'false'}, 'firewallSettingEngineOptionAckTimeout': {'value': '1 Second'}, 'firewallSettingEventLogFileCachedEntriesStaleTime': {'value': '15 Minutes'}, 'firewallSettingCombinedModeProtectionSource': {'value': 'Agent preferred'}, 'platformSettingAgentEventsSendInterval': {'value': '60 Seconds'}, 'platformSettingInactiveAgentCleanupOverrideEnabled': {'value': 'false'}, 'firewallSettingFailureResponseEngineSystem': {'value': 'Fail closed'}, 'platformSettingRelayState': {'value': 'false'}, 'firewallSettingEngineOptionDropEvasiveRetransmitEnabled': {'value': 'false'}, 'activityMonitoringSettingIndicatorEnabled': {'value': 'Off'}, 'intrusionPreventionSettingEngineOptionFragmentedIpTimeout': {'value': '60 Seconds'}, 'firewallSettingAntiEvasionCheckTcpZeroFlags': {'value': 'Deny'}, 'webReputationSettingSmartProtectionGlobalServerUseProxyEnabled': {'value': 'false'}, 'intrusionPreventionSettingNsxSecurityTaggingPreventModeLevel': {'value': 'No Tagging'}, 'firewallSettingReconnaissanceNotifyTcpXmasAttackEnabled': {'value': 'true'}, 'firewallSettingEngineOptionUdpTimeout': {'value': '20 Seconds'}, 'webReputationSettingSmartProtectionLocalServerEnabled': {'value': 'false'}, 'firewallSettingEngineOptionTcpMssLimit': {'value': '128 Bytes'}, 'firewallSettingEngineOptionColdStartTimeout': {'value': '5 Minutes'}, 'firewallSettingEngineOptionEstablishedTimeout': {'value': '3 Hours'}, 'antiMalwareSettingIdentifiedFilesSpaceMaxMbytes': {'value': 
'1024'}, 'firewallSettingEngineOptionAllowNullIpEnabled': {'value': 'true'}, 'platformSettingNotificationsSuppressPopupsEnabled': {'value': 'false'}, 'firewallSettingAntiEvasionCheckTcpRstFinFlags': {'value': 'Deny'}, 'firewallSettingEngineOptionDisconnectTimeout': {'value': '60 Seconds'}, 'firewallSettingEngineOptionCloseTimeout': {'value': '0 Seconds'}, 'firewallSettingEngineOptionTunnelDepthMaxExceededAction': {'value': 'Drop'}, 'firewallSettingReconnaissanceDetectTcpNullScanEnabled': {'value': 'true'}, 'platformSettingSmartProtectionAntiMalwareGlobalServerProxyId': {'value': ''}, 'firewallSettingEngineOptionFilterIpv4Tunnels': {'value': 'Disable Detection of IPv4 Tunnels'}, 'webReputationSettingSmartProtectionLocalServerUrls': {'value': ''}, 'firewallSettingEngineOptionLogOnePacketPeriod': {'value': '5 Minutes'}, 'firewallSettingEngineOptionFilterIpv6Tunnels': {'value': 'Disable Detection of IPv6 Tunnels'}, 'firewallSettingAntiEvasionCheckTcpCongestionFlags': {'value': 'Allow'}, 'intrusionPreventionSettingEngineOptionsEnabled': {'value': 'false'}, 'firewallSettingEngineOptionConnectionsNumUdpMax': {'value': '1000000'}, 'integrityMonitoringSettingAutoApplyRecommendationsEnabled': {'value': 'No'}, 'firewallSettingEngineOptionTunnelDepthMax': {'value': '1'}, 'firewallSettingEngineOptionDropUnknownSslProtocolEnabled': {'value': 'true'}, 'antiMalwareSettingNsxSecurityTaggingValue': {'value': 'ANTI_VIRUS.VirusFound.threat=medium'}, 'intrusionPreventionSettingLogDataRuleFirstMatchEnabled': {'value': 'true'}, 'firewallSettingEngineOptionLoggingPolicy': {'value': 'Default'}, 'platformSettingTroubleshootingLoggingLevel': {'value': 'Do Not Override'}, 'antiMalwareSettingVirtualApplianceOnDemandScanCacheEntriesMax': {'value': '500000'}, 'webReputationSettingCombinedModeProtectionSource': {'value': 'Agent preferred'}, 'firewallSettingEngineOptionClosingTimeout': {'value': '1 Second'}, 'firewallSettingAntiEvasionCheckPaws': {'value': 'Ignore'}, 
'intrusionPreventionSettingAutoApplyRecommendationsEnabled': {'value': 'Yes'}, 'firewallSettingReconnaissanceDetectFingerprintProbeEnabled': {'value': 'true'}, 'antiMalwareSettingNsxSecurityTaggingRemoveOnCleanScanEnabled': {'value': 'true'}, 'firewallSettingEngineOptionLogPacketLengthMax': {'value': '1500 Bytes'}, 'firewallSettingEngineOptionDropTeredoAnomaliesEnabled': {'value': 'true'}, 'webReputationSettingSecurityLevel': {'value': 'Medium'}, 'firewallSettingEngineOptionDropIpv6SiteLocalAddressesEnabled': {'value': 'false'}, 'activityMonitoringSettingActivityEnabled': {'value': 'Off'}, 'firewallSettingEngineOptionStrictTerodoPortCheckEnabled': {'value': 'true'}, 'webReputationSettingBlockedUrlKeywords': {'value': ''}, 'webReputationSettingSyslogConfigId': {'value': '*****'}, 'firewallSettingFailureResponsePacketSanityCheck': {'value': 'Fail closed'}, 'firewallSettingNetworkEngineMode': {'value': 'Inline'}, 'firewallSettingEventLogFileSizeMax': {'value': '4 MB'}, 'antiMalwareSettingMalwareScanMultithreadedProcessingEnabled': {'value': 'false'}, 'firewallSettingReconnaissanceDetectTcpSynFinScanEnabled': {'value': 'true'}, 'firewallSettingEngineOptionDropIpZeroPayloadEnabled': {'value': 'true'}, 'firewallSettingEngineOptionBlockIpv6Agent8AndEarlierEnabled': {'value': 'true'}, 'intrusionPreventionSettingEngineOptionFragmentedIpPacketSendIcmpEnabled': {'value': 'true'}, 'antiMalwareSettingPredictiveMachineLearningExceptions': {'value': ''}, 'firewallSettingEngineOptionLogEventsPerSecondMax': {'value': '100'}, 'firewallSettingEngineOptionSslSessionTime': {'value': '24 Hours'}, 'antiMalwareSettingBehaviorMonitoringScanExclusionList': {'value': ''}, 'antiMalwareSettingSmartProtectionGlobalServerEnabled': {'value': 'true'}, 'firewallSettingEngineOptionLogOnePacketWithinPeriodEnabled': {'value': 'false'}, 'firewallSettingEngineOptionGenerateConnectionEventsIcmpEnabled': {'value': 'false'}, 'platformSettingHeartbeatInactiveVmOfflineAlertEnabled': {'value': 'false'}, 
'webReputationSettingSmartProtectionWebReputationGlobalServerProxyId': {'value': ''}, 'antiMalwareSettingNsxSecurityTaggingEnabled': {'value': 'true'}, 'firewallSettingAntiEvasionCheckFragmentedPackets': {'value': 'Allow'}, 'firewallSettingEngineOptionConnectionsNumIcmpMax': {'value': '10000'}, 'firewallSettingAntiEvasionCheckTcpSplitHandshake': {'value': 'Deny'}, 'antiMalwareSettingCombinedModeProtectionSource': {'value': 'Appliance preferred'}, 'firewallSettingEngineOptionEventNodesMax': {'value': '20000'}, 'webReputationSettingMonitorPortListId': {'value': '*****,*****'}, 'applicationControlSettingSyslogConfigId': {'value': '*****'}, 'firewallSettingAntiEvasionCheckOutNoConnection': {'value': 'Allow'}, 'firewallSettingEngineOptionBlockIpv6Agent9AndLaterEnabled': {'value': 'false'}, 'integrityMonitoringSettingVirtualApplianceOptimizationScanCacheEntriesMax': {'value': '500000'}, 'firewallSettingReconnaissanceNotifyTcpNullScanEnabled': {'value': 'true'}, 'firewallSettingEngineOptionIgnoreStatusCode1': {'value': 'None'}, 'firewallSettingEngineOptionIgnoreStatusCode0': {'value': 'None'}, 'firewallSettingEngineOptionIgnoreStatusCode2': {'value': 'None'}, 'firewallSettingEngineOptionSslSessionSize': {'value': 'Low - 2500'}, 'antiMalwareSettingScanCacheRealTimeConfigId': {'value': '*****'}, 'platformSettingRecommendationOngoingScansInterval': {'value': '7 Days'}, 'platformSettingSmartProtectionGlobalServerUseProxyEnabled': {'value': 'false'}, 'firewallSettingInterfaceLimitOneActiveEnabled': {'value': 'false'}, 'firewallSettingAntiEvasionCheckTcpChecksum': {'value': 'Allow'}, 'firewallSettingEngineOptionDropIpv6ExtType0Enabled': {'value': 'true'}, 'antiMalwareSettingScanFileSizeMaxMbytes': {'value': '0'}, 'firewallSettingEngineOptionGenerateConnectionEventsTcpEnabled': {'value': 'false'}, 'antiMalwareSettingFileHashSizeMaxMbytes': {'value': '128'}, 'firewallSettingEventLogFileCachedEntriesLifeTime': {'value': '30 Minutes'}, 
'platformSettingSmartProtectionGlobalServerProxyId': {'value': ''}, 'logInspectionSettingAutoApplyRecommendationsEnabled': {'value': 'No'}, 'antiMalwareSettingConnectedThreatDefenseSuspiciousFileDdanSubmissionEnabled': {'value': 'true'}, 'webReputationSettingBlockingPageLink': {'value': 'http://sitesafety.trendmicro.com/'}, 'firewallSettingSyslogConfigId': {'value': '*****'}, 'platformSettingAgentCommunicationsDirection': {'value': 'Agent/Appliance Initiated'}, 'integrityMonitoringSettingScanCacheConfigId': {'value': '*****'}, 'antiMalwareSettingDocumentExploitProtectionRuleExceptions': {'value': ''}, 'firewallSettingAntiEvasionCheckTcpSynWithData': {'value': 'Deny'}, 'antiMalwareSettingFileHashEnabled': {'value': 'false'}, 'firewallSettingReconnaissanceBlockFingerprintProbeDuration': {'value': 'No'}, 'firewallSettingEngineOptionDropIpv6BogonsAddressesEnabled': {'value': 'true'}, 'firewallSettingEngineOptionBootStartTimeout': {'value': '20 Seconds'}, 'firewallSettingEngineOptionConnectionsNumTcpMax': {'value': '10000'}, 'firewallSettingAntiEvasionSecurityPosture': {'value': 'Normal'}, 'firewallSettingInterfacePatterns': {'value': ''}, 'firewallSettingInterfaceIsolationEnabled': {'value': 'false'}, 'antiMalwareSettingVirtualApplianceRealTimeScanCacheEntriesMax': {'value': '500000'}, 'firewallSettingEventsOutOfAllowedPolicyEnabled': {'value': 'true'}, 'firewallSettingAntiEvasionCheckEvasiveRetransmit': {'value': 'Allow'}, 'firewallSettingEngineOptionIcmpTimeout': {'value': '60 Seconds'}, 'integrityMonitoringSettingSyslogConfigId': {'value': '*****'}, 'firewallSettingEngineOptionConnectionCleanupTimeout': {'value': '10 Seconds'}, 'antiMalwareSettingSmartProtectionLocalServerAllowOffDomainGlobal': {'value': 'false'}, 'firewallSettingReconnaissanceNotifyTcpSynFinScanEnabled': {'value': 'true'}, 'firewallSettingEngineOptionErrorTimeout': {'value': '10 Seconds'}, 'webReputationSettingAllowedUrls': {'value': ''}, 
'firewallSettingReconnaissanceNotifyNetworkOrPortScanEnabled': {'value': 'true'}, 'firewallSettingEngineOptionFinWait1Timeout': {'value': '2 Minutes'}, 'firewallSettingEngineOptionGenerateConnectionEventsUdpEnabled': {'value': 'false'}, 'activityMonitoringSettingSyslogConfigId': {'value': '*****'}, 'firewallSettingAntiEvasionCheckTcpSynRstFlags': {'value': 'Deny'}, 'antiMalwareSettingSpywareApprovedList': {'value': ''}, 'firewallSettingAntiEvasionCheckTcpUrgentFlags': {'value': 'Allow'}, 'intrusionPreventionSettingNsxSecurityTaggingDetectModeLevel': {'value': 'No Tagging'}, 'intrusionPreventionSettingEngineOptionFragmentedIpUnconcernedMacAddressBypassEnabled': {'value': 'false'}, 'firewallSettingEngineOptionLogAllPacketDataEnabled': {'value': 'false'}, 'firewallSettingAntiEvasionCheckTcpSynFinFlags': {'value': 'Deny'}, 'firewallSettingEngineOptionFragmentSizeMin': {'value': '120'}, 'antiMalwareSettingSmartProtectionServerConnectionLostWarningEnabled': {'value': 'true'}, 'firewallSettingReconnaissanceBlockNetworkOrPortScanDuration': {'value': 'No'}, 'integrityMonitoringSettingContentHashAlgorithm': {'value': 'sha1'}, 'antiMalwareSettingSmartScanState': {'value': 'Automatic'}, 'firewallSettingConfigPackageExceedsAlertMaxEnabled': {'value': 'true'}, 'platformSettingEnvironmentVariableOverrides': {'value': ''}, 'firewallSettingEngineOptionFragmentOffsetMin': {'value': '60'}, 'antiMalwareSettingSmartProtectionLocalServerUrls': {'value': ''}, 'firewallSettingEngineOptionSynRcvdTimeout': {'value': '60 Seconds'}, 'firewallSettingEventLogFileCachedEntriesNum': {'value': '128'}, 'firewallSettingEngineOptionForceAllowIcmpType3Code4': {'value': 'Add Force Allow rule for ICMP type3 code4'}, 'firewallSettingReconnaissanceBlockTcpNullScanDuration': {'value': 'No'}, 'platformSettingSmartProtectionGlobalServerEnabled': {'value': 'true'}, 'integrityMonitoringSettingRealtimeEnabled': {'value': 'false'}, 'firewallSettingEngineOptionLastAckTimeout': {'value': '3 Minutes'}, 
'firewallSettingReconnaissanceExcludeIpListId': {'value': '*****'}, 'platformSettingAgentSelfProtectionEnabled': {'value': 'false'}, 'firewallSettingEngineOptionDropIpv6ReservedAddressesEnabled': {'value': 'true'}, 'firewallSettingAntiEvasionCheckFinNoConnection': {'value': 'Allow'}, 'firewallSettingEngineOptionDebugPacketNumMax': {'value': '8'}, 'firewallSettingEngineOptionBypassCiscoWaasConnectionsEnabled': {'value': 'false'}, 'firewallSettingReconnaissanceEnabled': {'value': 'true'}, 'platformSettingHeartbeatLocalTimeShiftAlertThreshold': {'value': 'Unlimited'}, 'antiMalwareSettingFileHashMd5Enabled': {'value': 'false'}, 'firewallSettingReconnaissanceDetectNetworkOrPortScanEnabled': {'value': 'true'}, 'firewallSettingEngineOptionSilentTcpConnectionDropEnabled': {'value': 'false'}, 'firewallSettingEngineOptionBlockSameSrcDstIpEnabled': {'value': 'true'}, 'firewallSettingEngineOptionForceAllowDhcpDns': {'value': 'Allow DNS Query and DHCP Client'}, 'firewallSettingReconnaissanceIncludeIpListId': {'value': ''}, 'firewallSettingEngineOptionsEnabled': {'value': 'true'}, 'firewallSettingReconnaissanceBlockTcpSynFinScanDuration': {'value': 'No'}, 'webReputationSettingSecurityBlockUntestedPagesEnabled': {'value': 'false'}, 'webReputationSettingAllowedUrlDomains': {'value': ''}, 'firewallSettingEventLogFileIgnoreSourceIpListId': {'value': ''}, 'firewallSettingEngineOptionDropIpv6FragmentsLowerThanMinMtuEnabled': {'value': 'true'}, 'platformSettingAutoAssignNewIntrusionPreventionRulesEnabled': {'value': 'true'}, 'firewallSettingAntiEvasionCheckRstNoConnection': {'value': 'Allow'}, 'webReputationSettingBlockedUrls': {'value': ''}, 'platformSettingCombinedModeNetworkGroupProtectionSource': {'value': 'Agent preferred'}, 'webReputationSettingAlertingEnabled': {'value': 'false'}, 'antiMalwareSettingNsxSecurityTaggingOnRemediationFailureEnabled': {'value': 'true'}, 'integrityMonitoringSettingCpuUsageLevel': {'value': 'High'}, 'platformSettingAutoUpdateAntiMalwareEngineEnabled': 
{'value': 'false'}, 'intrusionPreventionSettingCombinedModeProtectionSource': {'value': 'Agent preferred'}}

recommendationScanMode

ongoing

autoRequiresUpdate

on

ID

*****

antiMalware

{'state': 'off', 'moduleStatus': {'status': 'inactive', 'statusMessage': 'Off'}, 'realTimeScanConfigurationID': *****, 'realTimeScanScheduleID': *****, 'manualScanConfigurationID': *****, 'scheduledScanConfigurationID': *****}

webReputation

{'state': 'off', 'moduleStatus': {'status': 'inactive', 'statusMessage': 'Off'}}

activityMonitoring

{'state': 'off', 'moduleStatus': {'status': 'inactive', 'statusMessage': 'Off'}}

firewall

{'state': 'off', 'moduleStatus': {'status': 'inactive', 'statusMessage': 'Off, 2 rules'}, 'globalStatefulConfigurationID': *****, 'ruleIDs': [*****, *****]}

intrusionPrevention

{'state': 'off', 'moduleStatus': {'status': 'inactive', 'statusMessage': 'Off, no rules'}}

integrityMonitoring

{'state': 'off', 'moduleStatus': {'status': 'inactive', 'statusMessage': 'Off, no rules'}}

logInspection

{'state': 'off', 'moduleStatus': {'status': 'inactive', 'statusMessage': 'Off, no rules'}}

applicationControl

{'state': 'off', 'moduleStatus': {'status': 'inactive', 'statusMessage': 'Off'}}

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Policies failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Not authorized. Invalid Key. Check DSM events for details.

Error Sample Data

List Policies failed.

Status Code: 401.

Message: Not authorized. Invalid Key. Check DSM events for details.

Modify Intrusion Rule

Modifies an existing intrusion prevention rule.

READER NOTE

Rule ID and Application Type ID are required parameters to run this command.

  • Run the List Intrusion Rules command to obtain the Rule ID. Rule IDs can be found in the raw data at the path $.intrusionPreventionRules[*].ID.

  • Run the List Application Types command to obtain the Application Type ID. Application Type IDs can be found in the raw data at the path $.applicationTypes[*].ID.

One of the following must be provided to create an intrusion rule:

  • Signature

  • Start Pattern, Body Patterns, and End Pattern

  • Custom XML

If the Start Pattern is specified, the template is set to start-end-patterns. Start Pattern, Body Patterns, and End Pattern are all required to create a start-end-patterns rule.

Input

Input Parameter

Required/Optional

Description

Example

Rule ID

Required

The ID of the intrusion prevention rule to modify. Rule ID can be obtained using the List Intrusion Rules command.

*****

Rule Name

Optional

The new name for the rule.

test202109081

Signature

Optional

The signature of the rule. If provided, the template is set to signature, and the input values of Start Pattern, End Pattern, Body Patterns, and Custom XML will be ignored.

*****

Start Pattern

Optional

The start pattern of the rule. If provided, the template is set to start-end-patterns.

secret

Body Patterns

Optional

The body patterns of the rule.

JSON
["*money"] 

End Pattern

Optional

The ending pattern of the rule.

hack

Custom XML

Optional

The Custom XML used to define the rule. If provided, the template is set to custom.

*****

Application Type ID

Optional

The ID of the application type associated with the rule. Application Type ID can be obtained using the List Application Types command.

*****

Severity

Optional

The severity level of the rule. Available options are:

  • Any

  • Critical

  • High

  • Medium

  • Low

By default, the value is Any.

Critical

Priority

Optional

The priority of the rule. Higher priority rules are applied before lower priority rules.

Available options are:

  • Highest

  • High

  • Normal

  • Low

  • Lowest

Highest

Alert Enabled

Optional

Whether to raise an alert when the rule logs an event. By default, the value is False.

False

Action

Optional

The action applied when the rule is triggered. Available options are:

  • Drop

  • Log-Only

Drop

Description

Optional

The description of the rule.

"Modify test Intrusion Prevention Rule"

Additional Settings

Optional

Additional settings for modifying an intrusion prevention rule, formatted as <FieldName1>=<FieldValue1> <FieldName2>=<FieldValue2-1>,<FieldValue2-2>: fields are separated by spaces, and multiple values for one field are separated by commas. For example, minimumAgentVersion=12 originalIssue=***** CVE=CVE-2006-0272,CVE-2006-5822 is a valid input. Refer to Intrusion Prevention Rules | Trend Micro Deep Security Manager for the available field names and values.

minimumAgentVersion=12 originalIssue=***** CVE=CVE-2006-0272,CVE-2006-5822
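The template precedence described in the reader note above (Signature first, then Start/Body/End Patterns, then Custom XML) and the Additional Settings format can be implemented together. The following Python is an added example, not D3 SOAR's or Trend Micro's code. Field names that appear in this command's Raw Data sample (name, description, applicationTypeID, priority, severity, template, signature, action, alertEnabled) are used as shown; start, patterns, end and customXML are assumed DSM API field names, and treating a comma-separated value as a list is an assumption about how the command coerces Additional Settings.

```python
"""Assemble the request body for the Modify Intrusion Rule command.

Added example, not D3 SOAR's or Trend Micro's code. Field names seen in
this page's Raw Data sample (name, description, applicationTypeID,
priority, severity, template, signature, action, alertEnabled) are used
as-is; start, patterns, end and customXML are assumed DSM API field names.
"""
from __future__ import annotations

from typing import Any


def parse_additional_settings(text: str) -> dict[str, Any]:
    """Parse '<Field1>=<Value1> <Field2>=<Value2-1>,<Value2-2>' into a dict.

    Fields are separated by whitespace and one field's multiple values by
    commas. A comma-separated value becomes a list (the CVE field in the
    page's example); a single value stays a string. How the D3 command
    coerces each field type is not stated on the page, so this is an
    assumption.
    """
    settings: dict[str, Any] = {}
    for token in text.split():
        name, sep, value = token.partition("=")
        if not sep or not name:
            raise ValueError(f"expected <FieldName>=<FieldValue>, got {token!r}")
        parts = [p for p in value.split(",") if p]
        settings[name] = parts if len(parts) > 1 else value
    return settings


def build_modify_body(
    *,
    rule_name: str | None = None,
    signature: str | None = None,
    start_pattern: str | None = None,
    body_patterns: list[str] | None = None,
    end_pattern: str | None = None,
    custom_xml: str | None = None,
    application_type_id: int | None = None,
    severity: str = "Any",
    priority: str | None = None,
    alert_enabled: bool = False,
    action: str | None = None,
    description: str | None = None,
    additional_settings: str = "",
) -> dict[str, Any]:
    """Map the command's inputs to the JSON body sent to the DSM API."""
    body: dict[str, Any] = {}

    # Template precedence follows the reader note: Signature wins and the
    # pattern and XML inputs are ignored; otherwise Start Pattern selects
    # start-end-patterns and requires Body Patterns and End Pattern as well;
    # otherwise Custom XML selects the custom template.
    if signature:
        body["template"] = "signature"
        body["signature"] = signature
    elif start_pattern:
        if not body_patterns or not end_pattern:
            raise ValueError("start-end-patterns rule needs Start Pattern, Body Patterns and End Pattern")
        body["template"] = "start-end-patterns"
        body["start"] = start_pattern
        body["patterns"] = list(body_patterns)
        body["end"] = end_pattern
    elif custom_xml:
        body["template"] = "custom"
        body["customXML"] = custom_xml
    else:
        raise ValueError("provide Signature, or Start/Body/End Patterns, or Custom XML")

    if rule_name:
        body["name"] = rule_name
    if description:
        body["description"] = description
    if application_type_id is not None:
        body["applicationTypeID"] = application_type_id
    # The sample output shows lower-case enum values; "Any" is the command's
    # default and is taken here to mean "leave severity unchanged" (assumption).
    if severity and severity.lower() != "any":
        body["severity"] = severity.lower()
    if priority:
        body["priority"] = priority.lower()
    if action:
        body["action"] = action.lower()
    body["alertEnabled"] = bool(alert_enabled)

    # Additional Settings are merged last so they can set fields the command
    # has no dedicated input for (minimumAgentVersion, originalIssue, CVE).
    body.update(parse_additional_settings(additional_settings))
    return body
```

Because Additional Settings are merged after the dedicated inputs, a field such as severity given in both places ends up with the Additional Settings value; keep that in mind when a playbook fills both from different sources.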

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "name": "test20210913-1 Modify",
    "description": "Modify test Intrusion Prevention Rule",
    "applicationTypeID": *****,
    "priority": "high",
    "severity": "critical",
    "detectOnly": true,
    "eventLoggingDisabled": false,
    "generateEventOnPacketDrop": true,
    "alwaysIncludePacketData": false,
    "debugModeEnabled": false,
    "template": "signature",
    "signature": "*****",
    "caseSensitive": false,
    "action": "drop",
    "alertEnabled": false,
    "ID": *****
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "name": "test20210913-1 Modify",
    "description": "Modify test Intrusion Prevention Rule",
    "applicationTypeID": *****,
    "priority": "high",
    "severity": "critical",
    "detectOnly": true,
    "eventLoggingDisabled": false,
    "generateEventOnPacketDrop": true,
    "alwaysIncludePacketData": false,
    "debugModeEnabled": false,
    "template": "signature",
    "signature": "*****",
    "caseSensitive": false,
    "action": "drop",
    "alertEnabled": false,
    "ID": *****
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "IntrusionPreventionRuleID": *****,
    "IntrusionPreventionRuleName": "*****",
    "Description": "*****",
    "ApplicationTypeID": *****,
    "Priority": "normal",
    "Severity": "medium"
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name

test20210913-1 Modify

description

Modify test Intrusion Prevention Rule

applicationTypeID

*****

priority

high

severity

critical

detectOnly

TRUE

eventLoggingDisabled

FALSE

generateEventOnPacketDrop

TRUE

alwaysIncludePacketData

FALSE

debugModeEnabled

FALSE

template

signature

signature

*****

caseSensitive

FALSE

action

drop

alertEnabled

FALSE

ID

*****

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Modify Intrusion Rule failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Not Found.

Error Sample Data

Modify Intrusion Rule failed.

Status Code: 404.

Message: Not Found.

Remove Firewall Rule IDs

Unassigns one or more firewall rule IDs from a computer.

READER NOTE

Computer ID and Rule IDs are required parameters to run this command.

  • Run the Get Host List command to obtain the Computer ID. Computer IDs can be found in the raw data at the path $.computers[*].ID.

  • Run the List Firewall Rules or Create Firewall Rule command to obtain the Rule IDs. Rule IDs can be found in the raw data at the path $.firewallRules[*].ID for List Firewall Rules or $.ID for Create Firewall Rule.

Input

Input Parameter

Required/Optional

Description

Example

Computer ID

Required

The ID of the computer from which the firewall rules are unassigned. Computer ID can be obtained using the Get Host List command.

*****

Firewall Rule IDs

Required

The IDs of the firewall rules to unassign. Rule IDs can be obtained using the List Firewall Rules or Create Firewall Rule command.

JSON
[*****] 

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "assignedRuleIDs": [
        *****,
        *****,
        *****,
        *****
    ]
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "assignedRuleIDs": [
        *****,
        *****,
        *****,
        *****
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "AssignedRuleIDs": [
        *****,
        *****
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

assignedRuleIDs

*****

*****

*****

*****

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Remove Firewall Rule IDs failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Not Found.

Error Sample Data

Remove Firewall Rule IDs failed.

Status Code: 404.

Message: Not Found.

Schedule Daily Scan

Schedules a daily scan.

Input

Input Parameter

Required/Optional

Description

Example

Name

Required

The name of the scheduled scan.

TestScanMalwareDaily0195 

Start Time

Required

The start time (in UTC) of the scheduled scan.

2021-06-23 03:33:19 

Filter Type

Optional

The filter type.

computers-using-policy 

Filter Value

Optional

The filter value.

Base Policy 

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "name": "TestScanMalwareDaily0195",
    "type": "scan-for-malware",
    "scheduleDetails": {
        "timeZone": "America/Vancouver",
        "recurrenceType": "daily",
        "dailyScheduleParameters": {
            "startTime": 1624444399,
            "frequencyType": "everyday"
        }
    },
    "enabled": true,
    "nextRunTime": 1624990440000,
    "scanForMalwareTaskParameters": {
        "computerFilter": {
            "type": "computers-using-policy",
            "policyID": *****
        },
        "timeout": "never"
    },
    "ID": *****
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "scanId": *****,
    "nextRunTime": 1624990440000
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ScanId": *****,
    "NextRunTime": 1624990440000
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

scanId

*****

nextRunTime

1624990440000

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Schedule Daily Scan failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Not authorized. Invalid Key. Check DSM events for details.

Error Sample Data

Schedule Daily Scan failed.

Status Code: 401.

Message: Not authorized. Invalid Key. Check DSM events for details.

Schedule Hourly Scan

Schedules an hourly scan.

Input

Input Parameter

Required/Optional

Description

Example

Name

Required

The name of the scheduled scan.

TestScanMalwareHourly017 

Minutes Past The Hour

Required

The number of minutes past the hour at which the scheduled scan starts. By default, the value is 0.

Filter Type

Optional

The filter type.

computer 

Filter Value

Optional

The filter value.

***** 

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "name": "TestScanMalwareHourly017",
    "type": "scan-for-malware",
    "scheduleDetails": {
        "timeZone": "America/Vancouver",
        "recurrenceType": "hourly",
        "hourlyScheduleParameters": {
            "minutesPastTheHour": "5"
        }
    },
    "enabled": true,
    "nextRunTime": 1624917900000,
    "scanForMalwareTaskParameters": {
        "computerFilter": {
            "type": "computer",
            "computerID": *****
        },
        "timeout": "never"
    },
    "ID": *****
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "scanId": *****,
    "nextRunTime": 1624917900000
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ScanId": *****,
    "NextRunTime": 1624917900000
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

scanId

*****

nextRunTime

1624917900000

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Schedule Hourly Scan failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Not authorized. Invalid Key. Check DSM events for details.

Error Sample Data

Schedule Hourly Scan failed.

Status Code: 401.

Message: Not authorized. Invalid Key. Check DSM events for details.

Schedule Monthly Scan

Schedules a monthly scan.

Input

Input Parameter

Required/Optional

Description

Example

Name

Required

The name of the scheduled scan.

TestMonthlyScanMonthly017 

Start Time

Required

The start time (in UTC) of the scheduled scan.

2021-06-23 03:33:19 

Day(s) of Month

Required

The days of the month for the scheduled scan. Valid values range from 1 to 31.

Filter Type

Optional

The filter type.

computer 

Filter Value

Optional

The filter value.

***** 

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "name": "TestMonthlyScanMonthly017",
    "type": "scan-for-malware",
    "scheduleDetails": {
        "timeZone": "America/Vancouver",
        "recurrenceType": "monthly",
        "monthlyScheduleParameters": {
            "startTime": 1624444399,
            "frequencyType": "day-of-month",
            "dayOfMonth": 1,
            "months": [
                "january",
                "february",
                "march",
                "april",
                "may",
                "june",
                "july",
                "august",
                "september",
                "october",
                "november",
                "december"
            ]
        }
    },
    "enabled": true,
    "nextRunTime": 1625163240000,
    "scanForMalwareTaskParameters": {
        "computerFilter": {
            "type": "computer",
            "computerID": *****
        },
        "timeout": "never"
    },
    "ID": *****
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "scanId": *****,
    "nextRunTime": 1625163240000
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ScanId": *****,
    "NextRunTime": 1625163240000
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

scanId

*****

nextRunTime

1625163240000

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Schedule Monthly Scan failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Not authorized. Invalid Key. Check DSM events for details.

Error Sample Data

Schedule Monthly Scan failed.

Status Code: 401.

Message: Not authorized. Invalid Key. Check DSM events for details.

Schedule Once Only Scan

Schedules a scan to run only once at the specified date and time.

Input

Input Parameter

Required/Optional

Description

Example

Name

Required

The name of the scheduled scan.

TestScheduledScanOnce016 

Start Time

Required

The start time (in UTC) of the scheduled scan.

2021-06-23 03:33:19 

Filter Type

Optional

The filter type.

computer 

Filter Value

Optional

The filter value.

***** 

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "name": "TestScheduledScanOnce016",
    "type": "scan-for-malware",
    "scheduleDetails": {
        "timeZone": "America/Vancouver",
        "recurrenceType": "none",
        "onceOnlyScheduleParameters": {
            "startTime": 1624444399
        }
    },
    "enabled": true,
    "scanForMalwareTaskParameters": {
        "computerFilter": {
            "type": "computer",
            "computerID": *****
        },
        "timeout": "never"
    },
    "ID": *****
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "scanId": *****
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ScanId": *****
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

scanId

*****

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Schedule Once Only Scan failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Not authorized. Invalid Key. Check DSM events for details.

Error Sample Data

Schedule Once Only Scan failed.

Status Code: 401.

Message: Not authorized. Invalid Key. Check DSM events for details.

Schedule Weekly Scan

Schedules a weekly scan.

Input

Input Parameter

Required/Optional

Description

Example

Name

Required

The name of the scheduled scan.

TestWeeklyScheduledScanWeekly031 

Start Time

Required

The start time (in UTC) of the scheduled scan.

2021-06-23 03:33:19 

Day(s) of Week

Required

The days of the week for the scheduled scan. If multiple days are specified, use a comma as a delimiter.

sunday,Monday 

Filter Type

Optional

The filter type.

computer 

Filter Value

Optional

The filter value.

***** 
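The five Schedule commands (Daily, Hourly, Monthly, Once Only and Weekly Scan) differ only in the scheduleDetails object they produce and in how they validate their recurrence inputs, so one builder covers all of them. The following Python is an added example, not D3 SOAR's or Trend Micro's code; the object shapes are taken from the Raw Data samples on this page. Two details are worth checking against your own DSM before relying on them: the samples pair the Start Time 2021-06-23 03:33:19 with startTime 1624444399, which is that wall-clock time at UTC-7 (the America/Vancouver zone in the sample responses) rather than at UTC, and the example Filter Value Base Policy is a policy name while the response carries a policyID, so the name-to-ID lookup the command performs is left out here and an ID is taken directly (assumption).

```python
"""Build the scheduleDetails and computerFilter objects for the Schedule
Daily, Hourly, Monthly, Once Only and Weekly Scan commands.

Added example, not D3 SOAR's or Trend Micro's code. Object shapes follow
the Raw Data samples on this page; the start time conversion uses a fixed
UTC offset so it needs no tz database, which means the caller is
responsible for choosing the right offset for the date (DST).
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Any

WEEKDAYS = ("sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")


def to_epoch_seconds(start_time: str, utc_offset_hours: int = 0) -> int:
    """Convert 'YYYY-MM-DD HH:MM:SS' to the integer startTime the samples show.

    With offset 0 the string is read as UTC, as the Start Time description
    says. The page's samples pair '2021-06-23 03:33:19' with startTime
    1624444399, which is that wall-clock time at UTC-7 (PDT); pass -7 to
    reproduce and check that value.
    """
    naive = datetime.strptime(start_time, "%Y-%m-%d %H:%M:%S")
    aware = naive.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return int(aware.timestamp())


def build_schedule_details(recurrence: str, start_epoch: int, *, time_zone: str = "UTC",
                           minutes_past_the_hour: int = 0, day_of_month: int = 1,
                           days_of_week: str = "") -> dict[str, Any]:
    """scheduleDetails for one recurrenceType, validated the way each command's input describes."""
    details: dict[str, Any] = {"timeZone": time_zone, "recurrenceType": recurrence}
    if recurrence == "daily":
        details["dailyScheduleParameters"] = {"startTime": start_epoch, "frequencyType": "everyday"}
    elif recurrence == "hourly":
        if not 0 <= minutes_past_the_hour <= 59:
            raise ValueError("Minutes Past The Hour must be between 0 and 59")
        # the sample response carries this value as a string
        details["hourlyScheduleParameters"] = {"minutesPastTheHour": str(minutes_past_the_hour)}
    elif recurrence == "monthly":
        if not 1 <= day_of_month <= 31:
            raise ValueError("Day(s) of Month must be between 1 and 31")
        details["monthlyScheduleParameters"] = {"startTime": start_epoch, "frequencyType": "day-of-month",
                                                "dayOfMonth": day_of_month, "months": list(MONTHS)}
    elif recurrence == "none":  # Schedule Once Only Scan
        details["onceOnlyScheduleParameters"] = {"startTime": start_epoch}
    elif recurrence == "weekly":
        # comma-delimited, case-insensitive, as the Day(s) of Week input describes
        days = [d.strip().lower() for d in days_of_week.split(",") if d.strip()]
        bad = [d for d in days if d not in WEEKDAYS]
        if not days or bad:
            raise ValueError(f"Day(s) of Week must be comma-separated weekday names, got {days_of_week!r}")
        details["weeklyScheduleParameters"] = {"startTime": start_epoch, "interval": 1, "days": days}
    else:
        raise ValueError(f"unknown recurrence type {recurrence!r}")
    return details


def build_computer_filter(filter_type: str, target_id: int) -> dict[str, Any]:
    """computerFilter as in the samples; an already-resolved ID is assumed."""
    if filter_type == "computer":
        return {"type": "computer", "computerID": target_id}
    if filter_type == "computers-using-policy":
        return {"type": "computers-using-policy", "policyID": target_id}
    raise ValueError(f"unsupported filter type {filter_type!r}")


def build_scheduled_scan(name: str, recurrence: str, start_time: str, *, utc_offset_hours: int = 0,
                         time_zone: str = "UTC", filter_type: str | None = None,
                         target_id: int | None = None, **schedule_params: Any) -> dict[str, Any]:
    """Assemble the full scan-for-malware scheduled task body."""
    start_epoch = to_epoch_seconds(start_time, utc_offset_hours)
    task: dict[str, Any] = {
        "name": name,
        "type": "scan-for-malware",
        "scheduleDetails": build_schedule_details(recurrence, start_epoch, time_zone=time_zone, **schedule_params),
        "enabled": True,
        "scanForMalwareTaskParameters": {"timeout": "never"},
    }
    if filter_type is not None and target_id is not None:
        task["scanForMalwareTaskParameters"]["computerFilter"] = build_computer_filter(filter_type, target_id)
    return task
```

A quick way to audit an existing schedule is to run the Raw Data startTime back through datetime.fromtimestamp with the response's timeZone; if the wall-clock time does not match what the playbook supplied, the Start Time is being interpreted in a zone other than the one you assumed.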

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "name": "TestWeeklyScheduledScanWeekly031",
    "type": "scan-for-malware",
    "scheduleDetails": {
        "timeZone": "America/Vancouver",
        "recurrenceType": "weekly",
        "weeklyScheduleParameters": {
            "startTime": 1624444399,
            "interval": 1,
            "days": [
                "sunday",
                "monday"
            ]
        }
    },
    "enabled": true,
    "nextRunTime": 1625422440000,
    "scanForMalwareTaskParameters": {
        "computerFilter": {
            "type": "computer",
            "computerID": *****
        },
        "timeout": "never"
    },
    "ID": *****
}
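As an added example (not D3 SOAR or Trend Micro code), the following Python builds the request body that the inputs above map onto in the raw data: it normalises the Day(s) of Week list and converts Start Time to the epoch startTime. The UTC offset is a parameter because the sample startTime 1624444399 is 2021-06-23 10:33:19 UTC, which is the sample Start Time 03:33:19 read at the UTC-7 offset of the America/Vancouver zone shown in the response; the zone name, offset and computer ID used here are assumptions.

```python
"""Builds the Deep Security scheduled-task body that the Schedule Weekly Scan
inputs map onto (added example, not D3 SOAR or Trend Micro code)."""
from datetime import datetime, timedelta, timezone

# Lowercase day names as they appear in weeklyScheduleParameters.days.
VALID_DAYS = ("sunday", "monday", "tuesday", "wednesday",
              "thursday", "friday", "saturday")

def parse_days(days_of_week: str) -> list:
    """Normalise the comma-delimited Day(s) of Week input ("sunday,Monday")
    to lowercase, de-duplicated names; reject anything that is not a weekday."""
    days = []
    for raw in days_of_week.split(","):
        day = raw.strip().lower()
        if day not in VALID_DAYS:
            raise ValueError(f"invalid day of week: {raw.strip()!r}")
        if day not in days:
            days.append(day)
    return days

def start_time_epoch(start_time: str, utc_offset_hours: int) -> int:
    """Convert "YYYY-MM-DD HH:MM:SS" to the epoch-seconds startTime the API
    stores, reading the wall-clock time at the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(start_time, "%Y-%m-%d %H:%M:%S")
    return int(local.replace(tzinfo=tz).timestamp())

def build_weekly_scan_task(name, start_time, days_of_week, computer_id,
                           tz_name="America/Vancouver", utc_offset_hours=-7):
    """Request body in the shape of the command's raw data. The zone name and
    offset are assumptions taken from the sample response (PDT in June); pass
    the offset in effect at the start date for other zones or dates."""
    return {
        "name": name,
        "type": "scan-for-malware",
        "scheduleDetails": {
            "timeZone": tz_name,
            "recurrenceType": "weekly",
            "weeklyScheduleParameters": {
                "startTime": start_time_epoch(start_time, utc_offset_hours),
                "interval": 1,
                "days": parse_days(days_of_week),
            },
        },
        "enabled": True,
        "scanForMalwareTaskParameters": {
            "computerFilter": {"type": "computer", "computerID": computer_id},
            "timeout": "never",
        },
    }
```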
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "scanId": *****,
    "nextRunTime": 1625422440000
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ScanId": *****,
    "NextRunTime": 1625422440000
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

scanId

*****

nextRunTime

1625422440000

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Schedule Weekly Scan failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system; it can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Not authorized. Invalid Key. Check DSM events for details.

Error Sample Data

Schedule Weekly Scan failed.

Status Code: 401.

Message: Not authorized. Invalid Key. Check DSM events for details.

Unassign Intrusion Prevention Rules

Unassigns intrusion prevention rules from computers or policies using the specified rule IDs.

READER NOTE

Intrusion Rule IDs is a required parameter to run this command.

  • Run the List Intrusion Rules command to obtain the Intrusion Rule IDs. Intrusion Rule IDs can be found in the raw data at the path $.intrusionPreventionRules[*].ID.

Computer IDs and Policy IDs are optional parameters to run this command.

  • Run the Get Host List command to obtain the Computer IDs. Computer IDs can be found in the raw data at the path $.computers[*].ID.

  • Run the List Policies command to obtain the Policy IDs. Policy IDs can be found in the raw data at the path $.policies[*].ID.

Input

Input Parameter

Required/Optional

Description

Example

Intrusion Rule IDs

Required

The IDs of the intrusion prevention rules to unassign. Intrusion Rule IDs can be obtained using the List Intrusion Rules command.

JSON
[*****] 

Computer IDs

Optional

The IDs of the computers from which the rules are unassigned. Computer IDs can be obtained using the Get Host List command.

JSON
[*****] 

Policy IDs

Optional

The IDs of the policies from which the rules are unassigned. Policy IDs can be obtained using the List Policies command.

JSON
[*****] 

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "assignedRuleIDs": [
            *****,
            *****
        ],
        "assignedApplicationTypeIDs": [
            *****
        ],
        "recommendationScanStatus": "none",
        "recommendedToAssignRuleIDs": [],
        "recommendedToUnassignRuleIDs": [],
        "computerID": *****
    },
    {
        "assignedRuleIDs": [
            *****,
            *****
        ],
        "assignedApplicationTypeIDs": [
            *****
        ],
        "recommendationScanStatus": "valid",
        "recommendedToAssignRuleIDs": [
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****
        ],
        "recommendedToUnassignRuleIDs": [],
        "policyID": *****
    }
]
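As an added example (not D3 SOAR or Trend Micro code), the following Python post-checks raw data of the shape shown above: it reports requested Intrusion Rule IDs that still appear in assignedRuleIDs for a computer or policy (the change did not take effect there) and requested rules that a valid recommendation scan lists in recommendedToAssignRuleIDs (protection the scan says that target needs). All rule, computer and policy IDs in the sample are constructed, since the page masks the real values.

```python
"""Post-checks the raw data returned by Unassign Intrusion Prevention Rules
(added example, not D3 SOAR or Trend Micro code). All IDs are constructed."""

# Constructed stand-in for the command's raw data; the page masks the real IDs.
SAMPLE_RESPONSE = [
    {"assignedRuleIDs": [1001, 1003], "assignedApplicationTypeIDs": [300],
     "recommendationScanStatus": "none", "recommendedToAssignRuleIDs": [],
     "recommendedToUnassignRuleIDs": [], "computerID": 42},
    {"assignedRuleIDs": [1001, 1002, 1003], "assignedApplicationTypeIDs": [300],
     "recommendationScanStatus": "valid",
     "recommendedToAssignRuleIDs": [1002, 1005],
     "recommendedToUnassignRuleIDs": [], "policyID": 7},
]

def target_of(item: dict) -> str:
    """Each response object describes one computer or one policy."""
    if "computerID" in item:
        return f"computer:{item['computerID']}"
    return f"policy:{item['policyID']}"

def check_unassignment(response: list, requested_rule_ids: list) -> tuple:
    """Compare the requested Intrusion Rule IDs with the post-change state.

    Returns (still_assigned, coverage_gaps), both keyed by target:
      still_assigned: requested rules that remain in assignedRuleIDs, so the
        change did not take effect there (check the Error tab for that item);
      coverage_gaps: requested rules that a valid recommendation scan lists in
        recommendedToAssignRuleIDs, i.e. protection the scan says is needed."""
    requested = set(requested_rule_ids)
    still_assigned, coverage_gaps = {}, {}
    for item in response:
        target = target_of(item)
        leftover = requested & set(item["assignedRuleIDs"])
        if leftover:
            still_assigned[target] = sorted(leftover)
        if item["recommendationScanStatus"] == "valid":
            needed = requested & set(item["recommendedToAssignRuleIDs"])
            if needed:
                coverage_gaps[target] = sorted(needed)
    return still_assigned, coverage_gaps

def summarize(response: list, requested_rule_ids: list) -> str:
    """One-line verdict suitable for a playbook conditional task."""
    still, gaps = check_unassignment(response, requested_rule_ids)
    if still:
        return "incomplete: " + ", ".join(f"{t} keeps {r}" for t, r in still.items())
    if gaps:
        return "done, coverage gap: " + ", ".join(f"{t} needs {r}" for t, r in gaps.items())
    return "done"
```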
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

As the Raw Data contains the complete API response, refer to the Raw Data instead of the Context Data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "assignedRuleIDs": [
            *****,
            *****
        ],
        "assignedApplicationTypeIDs": [
            *****
        ],
        "recommendationScanStatus": "none",
        "recommendedToAssignRuleIDs": [],
        "recommendedToUnassignRuleIDs": [],
        "computerID": *****
    },
    {
        "assignedRuleIDs": [
            *****,
            *****
        ],
        "assignedApplicationTypeIDs": [
            *****
        ],
        "recommendationScanStatus": "valid",
        "recommendedToAssignRuleIDs": [
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****,
            *****
        ],
        "recommendedToUnassignRuleIDs": [],
        "policyID": *****
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

assignedRuleIDs

[]

[]

[*****]

assignedApplicationTypeIDs

[]

[]

[*****]

recommendationScanStatus

none

none

valid

recommendedToAssignRuleIDs

[]

[]

[*****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****, *****]

recommendedToUnassignRuleIDs

[]

[]

[]

computerID

*****

*****

policyID

*****

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Unassign Intrusion Prevention Rules failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system; it can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Not Found.

Error Sample Data

Unassign Intrusion Prevention Rules failed.

Status Code: 404.

Message: Not Found.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Output

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

CODE
Successful

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. Failed to check the connector.

Status Code

The response code issued by the third-party API server or the D3 SOAR system; it can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the Trend Micro Deep Security Manager portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Not authorized. Invalid Key. Check DSM events for details.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 401.

Message: Not authorized. Invalid Key. Check DSM events for details.
