Trend Micro Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing users to see more and respond faster. Integration with Trend Micro Vision One mainly covers the major operations that are commonly used by users. For example, add file hash to blocklist, quarantine email message, delete message, isolate endpoint, restore endpoint, terminate process, fetch event, edit alert status, and so on.
D3 SOAR is providing REST operations to function with Trend Micro Vision One.
Trend Micro Vision One imposes rate limits on API requests. For more information on rate limits, refer to Trend Micro Vision One's API Request Limits page.
Connection
To connect to Trend Micro Vision One from D3 SOAR, please follow this part to collect the required information below:
Parameter
Description
Example
Server URL
TrendMicro Vision One URL
https://api.xdr.trendmicro.com/
Authentication Token
Use the token for authentication
eyJ0eXAi****************mL7E_KD8
API Version
Specify the API Version.
v2.0
Permission Requirements
Each endpoint in the Trend Micro Vision One API requires a certain permission scope. The following are required scopes for the commands in this integration:
Command
Required Permission
Add Alert Note
Workbench: Modify alert details
Add To Blocklist
Response Management: View, filter, and search (Task List tab) + Add to block list
Suspicious Object Management: View, filter, and search + Manage lists and configure settings
Delete Alert Notes
Workbench: Modify alert details
Delete Message
Response Management: View, filter, and search (Task List tab) + Delete messages
Edit Alert Statuses
Workbench: Modify alert details
Fetch Event
Workbench: View, filter, and search
Get Alert Notes
Workbench: View, filter, and search
Get Endpoint Info
N/A
Get Exception List
Suspicious Object Management: View, filter, and search
Get Message Info
Search: View, filter, and search
Isolate Endpoints
Response Management: View, filter, and search (Task List tab) + Isolate endpoint
List Task Responses
Response Management: View, filter, and search (Task List tab)
Quarantine Email Message
Response Management: View, filter, and search (Task List tab) + Quarantine/Restore messages
Remove From Blocklist
Response Management: View, filter, and search (Task List tab) + Add to block list
Suspicious Object Management: View, filter, and search + Manage lists and configure settings
Restore Endpoints
Response Management: View, filter, and search (Task List tab) + Isolate endpoint
Search Data
Search: View, filter, and search
Search Detections
Search: View, filter, and search
Terminate Process
Response Management: View, filter, and search (Task List tab) + Terminate process
Test Connection
Workbench: View, filter, and search
Configuring Trend Micro Vision One to Work with D3 SOAR
Click on the gear icon to open the settings menu, then select User Roles.
Click + Add Role to create a new user role.
Create a name for the role, then configure the required permissions for the role based on the Permission Requirements. Once finished, click Submit.
To add an account, click the gear icon on the left sidebar, then select User Accounts.
Click + Add Account to create a new user. Input the details of the account, then click Add.
A verification email will be sent to the email provided. Check the email to verify the account.
Once the account is verified, return to the account details and click Generate new authentication token.
Copy and save the Authentication Token. It will be required to build the integration connection in D3 SOAR. Note: The created Authentication Token can only be viewed once. Store it in a secure location before leaving the page.
When making changes to the user role, the token's permissions will not be automatically updated to reflect the new permissions. A new token needs to be generated in order to reflect new changes.
Configuring D3 SOAR to Work with Trend Micro Vision One
Log in to D3 SOAR.
Find the Trend Micro Vision One integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Trend Micro Vision One in the search box to find the integration, then click it to select it.
Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Trend Micro Vision One.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick box to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection. 1. Input the Server URL. 2. Copy the Authentication Token from the Trend Micro Vision One platform (Refer to step 5 of Configuring Trend Micro Vision One to Work with D3 SOAR). 3. Input the API Version. The default value is v2.0.
Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active. To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmarkappear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click +Add to create and add the configured connection.
Commands
Trend Micro Vision One includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:
Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose your desired date and time format.
After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.
Add Alert Note
Adds a note to the specified alerts.
Reader Note
The parameter Workbench IDs is required to run this command.
Run the Fetch Event command with defined filters to retrieve the desired Workbench IDs. The Workbench IDs can be found in the returned raw data at the path $.data.workbenchRecords[*].data.workbenchId.
Input
Input Parameter
Required/Optional
Description
Example
Workbench IDs
Required
The workbench record IDs of the alerts. Workbench IDs can be obtained using the Fetch Event command with defined filters.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
WORKBENCHID INFO DATA
WB-*****-*****-00001 {'code': *****, 'msg': 'Alert notes added successfully.'} {'id': *****}
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Add Alert Note failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Unable to process the request. Verify that the specified workbench ID exists and that you have permission to access the alert and try again.
Error Sample Data
Add Alert Note failed.
Status Code: 404.
Message: Unable to process the request. Verify that the specified workbench ID exists and that you have permission to access the alert and try again.
Add To Blocklist
Adds a file SHA-1, IP address, domain, or URL object to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections.
Input
Input Parameter
Required/Optional
Description
Example
Value Type
Required
The type of target to be added to the blocklist.
File SHA-1
Target Value
Required
The value of the targets to be added to the blocklist.
[
"36*****5B",
"D5*****92"
]
Description
Optional
The description for the action of adding objects to the blocklist.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.data in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Dat
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Add To Blocklist failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: InvalidToken.
Error Sample Data
Add To Blocklist failed.
Status Code: 403.
Message: InvalidToken.
Delete Alert Notes
Deletes the specified notes of the alert.
Reader Note
Workbench ID and Note IDs are required parameters to run this command.
Run the Fetch Event command with defined filters to retrieve the desired Workbench IDs. The Workbench IDs can be found in the returned raw data at the path $.data.workbenchRecords[*].data.workbenchId.
Run the Get Alert Notes command to obtain the Note IDs. The Note IDs can be found in the returned raw data at the path $.notes[*].id.
Note: the input value of Workbench ID and Notes IDs must match. It is suggested to use the desired Workbench ID to run the Get Alert Notes command to obtain the Note IDs, then use those pairs of values to run this command.
Input
Input Parameter
Required/Optional
Description
Example
Workbench ID
Required
The workbench records IDs of the alert. Workbench IDs can be obtained using the Fetch Event command with defined filters.
WB-*****-*****-00001
Note IDs
Required
The note ID of the alert. Note IDs can be obtained using the Get Alert Notes command.
[ 1, 2, 32 ]
Output
Raw Data
The primary response data from the API request.
D3 enriches the raw data from the original Trend Micro Vision One API response by adding the "workbenchID" field.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
";Alert notes deleted successfully.";
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Delete Alert Notes failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Unable to process the request. Verify that the request is properly formatted and try again.
Error Sample Data
Delete Alert Notes failed.
Status Code: 400.
Message: Unable to process the request. Verify that the request is properly formatted and try again.
Delete Message
Deletes a message from a mailbox.
Reader Note
Message ID is a required parameter to run this command.
Run the Get Message Info command to obtain Message ID. Message IDs can be obtained from the returned raw data at the path $.data.logs[*].mail_message_id.
Input
Input Parameter
Required/Optional
Description
Example
Message ID
Required
The message ID of the email to be deleted. Message IDs can be obtained using the Get Message Info command.
The description to add for the action of deleting email.
delete description test
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
{
"actionId": "*****",
"taskStatus": "pending"
}
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.data.logs in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
JSON
{
"actionId": "*****",
"taskStatus": "pending"
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
JSON
{
"ActionId": "*****",
"TaskStatus": "pending"
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Delete Message failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid field format: mailBox.
Error Sample Data
Delete Message failed.
Status Code: 400.
Message: Invalid field format: mailBox.
Edit Alert Statuses
Modifies the investigation status of the specified alerts.
Reader Note
The parameter Workbench IDs is required to run this command.
Run the Fetch Event command with defined filters to retrieve the desired Workbench IDs. The Workbench IDs can be found in the returned raw data at the path $.data.workbenchRecords[*].data.workbenchId.
Input
Input Parameter
Required/Optional
Description
Example
Workbench IDs
Required
The workbench records IDs of the alerts. Workbench IDs can be obtained using the Fetch Event command with defined filters.
["WB-*****-*****-00001", "WB-*****-*****-00000"]
Investigation Status
Optional
The investigation status that will be applied to the alerts.
2: Resolved: True Positive
Output
Raw Data
The primary response data from the API request.
D3 enriches the raw data from the original Trend Micro Vision One API response by adding the "workbenchID" field.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
JSON
No Sample Data
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
INFO DATA WORKBENCHID
{
";code";: *****,
";msg";: ";Alert status changed successfully.";
} WB-*****-*****-00001
{
";code";: *****,
";msg";: ";Alert status changed successfully.";
} WB-*****-*****-00000
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Edit Alert Statuses failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Unable to change alert status. Verify that all requested workbench IDs exist and try again.
Error Sample Data
Edit Alert Statuses failed.
Status Code: 404.
Message: Unable to change alert status. Verify that all requested workbench IDs exist and try again.
Fetch Event
Retrieves a list of alerts with details from one or more data sources for a specific period.
Input
Input Parameter
Required/Optional
Description
Example
Start Time
Required
The start time of the time range to fetch alerts in UTC time.
2021-06-23 00:00
End Time
Required
The end time of the time range to fetch alerts in UTC time.
2021-06-24 00:00
Number of Event(s) Fetched
Optional
The maximum number of alerts to return.
50
Search Condition
Optional
The query string to define the search condition. The query format is: source=<value> investigationStatus=[<value1>, <value2>,<value3>,<value4>]. For example: source=all investigationStatus=[0,1]. Please note that only source and investigationStatus fields can be used in the query string. Valid values for the source field are: all (default), workbench, ... The investigationStatus field is an array of integers. Valid values for the invesitgationStatus are: 0, 1, 2, 3. The definition of values is: 0 = New, 1 = In Progress, 2 = Resolved: True Positive, 3 = Resolved: False Positive.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.workbenchRecords in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Please note that Fetch Event commands require event field mapping. Field mapping plays a key role in the data normalization process part of the event pipeline. Field mapping converts the original data fields from the different providers to the D3 fields which are standardized by the D3 Model. Please refer to Event and Incident Intake Field Mapping for details.
If you require a custom field mapping, click +Add Field to add a custom field mapping. You may also remove built-in field mappings by clicking x. Please note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.
As a system integration, the Trend Micro Vision One integration has some pre-configured field mappings for default field mapping.
Default Event Source The Default Event Source is the default set of field mappings that are applied when this fetch event command is executed. For out-of-the-box integrations, you will find a set of field mapping provided by the system. Default event source provides field mappings for common fields from fetched events. The default event source has a “Main Event JSON Path” (i.e., $.data.workbenchRecords) that is used to extract a batch of events from the response raw data. Click Edit Event Source to view the “Main Event JSON Path”.
Main Event JSON Path: $.data.workbenchRecords The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays. For example, the root node of a JSON Path is data.workbenchRecords. The child node denoting the Unique Event Key field would be workbenchId. Putting it together, the JSON Path expression to extract the Unique Event Key is $.data.workbenchRecords.workbenchId.
The pre-configured field mappings are detailed below:
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Fetch Event failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: The Search condition format error. Format: {Key1=Value1;Key2=Value2}.
Error Sample Data
Fetch Event failed.
Status Code: 403.
Message: The Search condition format error. Format: {Key1=Value1;Key2=Value2}.
Get Alert Notes
Retrieves the notes of the specified workbenches (alerts).
Reader Note
The parameter Workbench IDs is required to run this command.
You should already have your desired Workbench IDs on hand to run this command. If you don’t, you may use the Fetch Event command with defined filters to retrieve the desired Workbench IDs. The Workbench IDs can be found in the raw data at the path $.data.workbenchRecords[*].data.workbenchId.
Input
Input Parameter
Required/Optional
Description
Example
Workbench IDs
Required
The list of workbench records IDs. Workbench IDs can be obtained using the Fetch Event command with defined filters.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Alert Notes failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Unable to process the request. Verify that the request is properly formatted and try again.
Error Sample Data
Get Alert Notes failed.
Status Code: 404.
Message: Unable to process the request. Verify that the request is properly formatted and try again.
Get Endpoint Info
Retrieves information about endpoints by Host names, IPs or Mac addresses.
Reader Note
The parameter Host Names Or IPs Or Macs is required to run this command.
You should already have your desired Host Names Or IPs Or Macs on hand to run this command. If you don’t, you can use the Fetch Event command with defined filters to retrieve the desired Host Names Or IPs Or Macs. The Host Names Or IPs Or Macs can be found in the raw data in the Host Names corresponding to the value in "name" under "entityValue" and IPs corresponding to the value in "ips" under "entityValue".
Input
Input Parameter
Required/Optional
Description
Example
Host Names Or IPs Or Macs
Required
The host name(s) or IP address(es) or Mac address(es) of the endpoint(s) to retrieve information about. Host Names Or IPs Or Macs can be obtained using the Fetch Event command with defined filters.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
Items Count
2
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Endpoint Info failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Unable to find record.
Error Sample Data
Get Endpoint Info failed.
Status Code: 404.
Message: Unable to find record.
Get Exception List
Retrieves information about Domains, File SHA-1 values, IP Addresses, or URLs that are in the Exception List.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.data.exceptionList in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
TYPE VALUE DESCRIPTION LASTMODIFIED
domain github.com test exception domain 1 2021-06-25T18:42:57Z
ip 8.8.8.8 test exception domain 1 2021-06-25T18:42:57Z
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Exception List failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: InvalidToken.
Error Sample Data
Get Exception List failed.
Status Code: 403.
Message: InvalidToken.
Get Message Info
Retrieves information about the messages matching the specified query criteria.
Input
Input Parameter
Required/Optional
Description
Example
Start Time
Required
The start time of the time range to get message info in UTC time.
2021-06-23 00:00
End Time
Required
The end time of the time range to get message info in UTC time.
2021-06-24 00:00
Query
Required
The query string to filter messages. Adding a query string allows you to retrieve a subset of the collected email activity data.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.data.logs in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
MAIL_MESSAGE_SENDER MAIL_MESSAGE_RECIPIENT MAIL_MESSAGE_SUBJECT MAILBOX MAIL_URLS SOURCE_DOMAIN SOURCE_IP MAIL_MESSAGE_DELIVERY_TIME MAIL_MESSAGE_ID MAIL_UNIQUE_ID MAIL_ATTACHMENTS MAIL_INTERNET_HEADERS SEARCHDL EVENTTIME
*****@D3DevCyber.onmicrosoft.com [
";test@example.com";
] Undeliverable: Malicious Country Detected - Date Reported from 01/01/2013 to 02/28/2019 test@example.com [
";https://support.google.com/mail/?p=DisabledUser";
] d3devcyber.onmicrosoft.com 1.1.1.1 6/24/2021 12:49:36 AM ***** [] [
{
";HeaderName";: ";In-Reply-To";,
";Value";: ";";
}
] CAS 1624495776000
test@example.com [
";test@example.com";
] Malicious Country Detected - Date Reported from 01/01/2013 to 02/28/2019 test@example.com [
";https://demo.d3securityonline.net:443/Mitre/VSOC/AnalysisReports/FlexDashboardReport.aspx?q=M8zN%2f7yXJcThMXCRvVkPrmFuQMkpUlZrJKuHJSVeCLfwNHrIqvfowLRWmBM4%2bY6%2bjha1zo%2fFp6QcukMSPz%2fCcvjFgjLhhFPiINanm5KLMv2i%2bnDtuEXc0NMnNmgly8Vrr5N5R%2frwMHsO%2bc7iHKKVH%2fu4ZhC6kJBb9L1OBJK4FVU%3d";
] d3soar.com 0.0.0.0 6/24/2021 12:49:34 AM ***** [] [
{
";Value";: ";test@example.com";,
";HeaderName";: ";Return-Path";
}
] CAS 1624495774000
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Message Info failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Unsupported query field. The specified query field does not exist.
Error Sample Data
Get Message Info failed.
Status Code: 404.
Message: Unsupported query field. The specified query field does not exist.
Isolate Endpoints
Disconnects the specified endpoints from the network.
Reader Note
The parameter Host Names is required to run this command.
You should already have your desired Host Names on hand to run this command. If you don’t, you can use the Fetch Event command with defined filters to retrieve the desired Host Names. The Host Names can be found in the raw data in the Host Names corresponding to the value in "name" under "entityValue".
Input
Input Parameter
Required/Optional
Description
Example
Host Names
Required
The host name of the endpoints to be isolated. Host Names can be obtained using the Fetch Event command with defined filters.
["WIN-*****"]
Description
Optional
The description to add for the action of isolating the endpoint.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
ACTIONID TASKSTATUS
***** pending
***** pending
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Isolate Endpoints failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.data in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Task Responses failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: InvalidToken.
Error Sample Data
List Task Responses failed.
Status Code: 403.
Message: InvalidToken.
Quarantine Email Message
Moves a message from a mailbox to the quarantine folder.
Reader Note
Message ID is a required parameterto run this command.
Run the Get Message Info command to obtain Message ID. Message ID can be obtained from the returned raw data at the path $.data.logs[*].mail_message_id.
Input
Input Parameter
Required/Optional
Description
Example
Message ID
Required
The message ID of the email to be quarantined. Message IDs can be obtained using the Get Message Info command.
The description to add for the action of quarantining the email.
quarantine description test
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
{
"actionId": "*****",
"taskStatus": "pending"
}
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
JSON
{
"actionId": "*****",
"taskStatus": "pending"
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
JSON
{
"ActionId": "*****",
"TaskStatus": "pending"
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Quarantine Email Message failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid request - Invalid field format: mailBox.
Error Sample Data
Quarantine Email Message failed.
Status Code: 400.
Message: Invalid request - Invalid field format: mailBox.
Remove From Blocklist
Removes a file SHA-1, IP address, domain, or URL object that was added to the User-Defined Suspicious Objects List by the "Add to block list" command.
Reader Note
The inputs of Target Value must already have been added to the block list. An invalid request error will be returned if the value does not exist in the blocklist.
Input
Input Parameter
Required/Optional
Description
Example
Value Type
Required
The type of the target to be removed from the blocklist.
File SHA-1
Target Value
Required
The value of the targets to be removed from the blocklist.
[
"36*****5B",
"D5*****92"
]
Description
Optional
The description to add for the action of removing the object from the blocklist.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
ACTIONID TASKSTATUS
***** pending
***** pending
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Remove From Blocklist failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid request.
Error Sample Data
Remove From Blocklist failed.
Status Code: 400.
Message: Invalid request.
Restore Endpoints
Restores network connectivity to isolated endpoints.
Reader Note
The parameter Host Names is required to run this command.
You should already have your desired Host Names on hand to run this command. If you don’t, you can use the Fetch Event command with defined filters to retrieve the desired Host Names. The Host Names can be found in the raw data in the Host Names corresponding to the value in "name" under "entityValue".
The input host names must be isolated already to run this command.
Input
Input Parameter
Required /Optional
Description
Example
Host Names
Required
The host name of the endpoint to be restored. Host Names can be obtained using the Fetch Event command.
["WIN-*****"]
Description
Optional
The description to add for the action of restoring the endpoints.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
ACTIONID TASKSTATUS
***** pending
***** pending
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Restore Endpoints failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Unable to find record.
Error Sample Data
Restore Endpoints failed.
Status Code: 400.
Message: Unable to find record.
Search Data
Searches data sources using the specified query criteria and retrieves all matching records.
Input
Input Parameter
Required/Optional
Description
Example
Start Time
Required
The start time of the time range to search data in UTC time.
2021-06-23 00:00
End Time
Required
The end time of the time range to search data in UTC time.
2021-06-24 00:00
Source
Required
The Datalake source to search.
Endpoint Activity Data
Query
Required
The query string to filter the data. Endpoint Activity Data field available list: dst, endpointGuid, endpointHostName, endpointIp, eventId, eventSubId, hostName, logonUser, objectCmd, objectFileHashSha1, objectFilePath, objectIp, objectIps, objectPort, objectRegistryData, objectRegistryKeyHandle, objectRegistryValue, objectSigner, objectSignerValid, objectUser,parentCmd, parentFileHashSha1, parentFilePath, pname, processCmd, processFileHashSha1, processFilePath, request, spt, dpt, src, srcFileHashSha1, srcFilePath.
Message Activity Data field available list: sender, subject, mailbox, url, recipient, source_domain, source_ip, file_sha1, message_id, file_extension, file_name.
Network Activity Data field available list: url, ip, file_sha1, file_sha256, filename, domain, user_account, ip_port.
hostName:* AND endpointIp:1.1.1.1
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
{
"data": {
"logs": [
{
"service": "exchange",
"mail_message_delivery_time": "2023-05-05T17:44:12Z",
"mail_attachments": {
"file_sha1": [
"*****"
],
"file_sha256": [
"*****"
],
"file_name": [
"IR-20230505-*****.pdf"
]
},
"mail_internet_headers": {
"HeaderName": [
"Received",
"Received",
"Received",
"Received",
"Received",
"Authentication-Results",
"Received-SPF",
"CC",
"X-Microsoft-Antispam",
"X-Forefront-Antispam-Report",
"X-TM-AS-ERS",
"X-TM-Product-Ver",
"X-TMASE-XGENCLOUD",
"MAPIExtendedProperties",
"MAPIExtendedProperties"
],
"Value": [
"from *****.CANPRD01.PROD.OUTLOOK.COM (*****) by *****.CANPRD01.PROD.OUTLOOK.COM with HTTPS; Fri, 5 May 2023 17:44:12 +0000",
"from *****.namprd17.prod.outlook.com (*****) by ****.CANPRD01.PROD.OUTLOOK.COM (**** with Microsoft SMTP Server (version=TLS1_2, cipher=****) id ******; Fri, 5 May 2023 17:42:54 +0000",
"from *****.eop-CAN01.prod.protection.outlook.com (**8*) by *****.outlook.*****.com (****) with Microsoft SMTP Server (version=TLS1_2, cipher=****) id ***** via Frontend Transport; Fri, 5 May 2023 17:42:54 +0000",
"from ***** (*****) by YQBCAN01FT010.mail.protection.outlook.com (*****) with Microsoft SMTP Server id ***** via Frontend Transport; Fri, 5 May 2023 17:42:54 +0000",
"from [**8**] ([****]) by ***** over TLS secured channel with Microsoft SMTPSVC(*****);\t Fri, 5 May 2023 10:42:53 -0700",
"spf=permerror (sender IP is *****) smtp.mailfrom=*****; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=*****.com;compauth=softpass reason=201",
"PermError (protection.*****.com: domain of **88.com used an invalid SPF mechanism)",
"",
"BCL:5;",
"CIP:*****;CTRY:US;LANG:la;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:d3sm-poc-web33;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(*****);DIR:INB;",
"*****",
"cloud-app-security-5.0",
"5***-***-***-***-***-0-0-200-0",
"{\"id\":\"String {*****} Id *****\",\"value\":null}",
"{\"id\":\"Boolean {***88} Id *****\",\"value\":null}"
]
},
"mail_message_subject": "ST_Playbook_Email_2023/05/05 17:42:51",
"mail_message_id": "",
"mail_unique_id": "*****",
"mailbox": "test@example.com",
"source_ip": "*****",
"mail_message_sender": [
"test@example"
],
"mail_message_recipient": [
"test@example.com",
null,
null
],
"source_domain": "*****",
"org_id": "***-***-***-***-***",
"eventTime": 1683308652000,
"searchDL": "CAS"
}
]
}
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
Items Count
10
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Search Data failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: InvalidToken.
Error Sample Data
Search Data failed.
Status Code: 403.
Message: InvalidToken.
Search Detections
Searches the "Detections" data using specified query criteria and retrieves all matching detections. Note: A maximum of 500 detection items can be returned using this command.
Input
Input Parameter
Required/Optional
Description
Example
Start Time
Required
The start time of the time range to search detections in UTC time.
2023-05-05 00:00
End Time
Required
The end time of the time range to search detections in UTC time.
2023-05-06 00:00
Query
Optional
The query string to filter the detections. If this parameter is not defined, all detections logged within the specified time range will be returned.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
Detections Count
10
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Search Detections failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trend Micro Vision One portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: InvalidToken.
Error Sample Data
Search Detections failed.
Status Code: 403.
Message: InvalidToken.
Terminate Process
Terminates a specified process that is running on an endpoint.
Reader Note
The parameter Host Names is required to run this command.
You should already have your desired Host Names on hand to run this command. If you don’t, you can use the Fetch Event command with defined filters to retrieve the desired Host Names. The Host Names can be found in the raw data in the Host Names corresponding to the value in "name" under "entityValue".
Input
Input Parameter
Required/Optional
Description
Example
Host Names
Required
The host name of the endpoint to terminate the process for. Host Names can be obtained using the Fetch Event command with defined filters.
["WIN-*****"]
File Hash SHA-1
Required
The file hash of the process to be terminated.
12*****f8b
Description
Optional
The description to add for the action of terminating the process.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
