### Get Workbench Alerts with Filtering (Python) Source: https://automation.trendmicro.com/xdr/api-fedramp This Python script demonstrates how to make a GET request to retrieve workbench alerts. It includes placeholders for authentication token, region, and filter parameters. Ensure to replace these placeholders with your actual values. ```python import requests import json url_base = 'https://YOUR_V1_REGION_FQDN' url_path = '/v3.0/workbench/alerts' token = 'YOUR_TOKEN' query_params = { 'startDateTime': 'YOUR_STARTDATETIME (string)', 'endDateTime': 'YOUR_ENDDATETIME (string)', 'dateTimeTarget': 'YOUR_DATETIMETARGET (string)', 'orderBy': 'YOUR_ORDERBY (string)' } headers = { 'Authorization': 'Bearer ' + token, 'TMV1-Filter': 'YOUR_FILTER (string)' } r = requests.get(url_base + url_path, params=query_params, headers=headers) print(r.status_code) for k, v in r.headers.items(): print(f'{k}: {v}') print('') if 'application/json' in r.headers.get('Content-Type', '') and len(r.content): print(json.dumps(r.json(), indent=4)) else: print(r.text) ``` -------------------------------- ### Run Custom Script Request Body (JSON) Source: https://automation.trendmicro.com/xdr/api-fedramp Example JSON payload for running a custom script on endpoints. It includes fields for description, agent GUID, file name, and parameters. ```json [ * { * "description": "task description", * "agentGuid": "cb9c8412-1f64-4fa0-a36b-76bf41a07ede", * "fileName": "test.ps1", * "parameter": "string" } ] ``` -------------------------------- ### Add Object to Exception List (Python Example) Source: https://automation.trendmicro.com/xdr/api-fedramp Python example for adding objects to the exception list. Demonstrates constructing the request payload and making the POST request. ```Python import requests import json url_base = 'https://YOUR_V1_REGION_FQDN' url_path = '/v3.0/threatintel/suspiciousObjectExceptions' token = 'YOUR_TOKEN' headers = { 'Authorization': 'Bearer ' + token } payload = [ { "url": "https://*.example.com/path1/*", "description": "object description" } ] r = requests.post(url_base + url_path, headers=headers, data=json.dumps(payload)) print(r.status_code) if 'application/json' in r.headers.get('Content-Type', '') and len(r.content): print(json.dumps(r.json(), indent=4)) else: print(r.text) ``` -------------------------------- ### Example GET Request with Authorization Header Source: https://automation.trendmicro.com/xdr/Guides/Authentication Include this header in your requests to authenticate with the TrendAI Vision Oneā„¢ API. Replace '' with your actual token. ```http GET /v3.0/workbench/alerts HTTP/1.1 Authorization: Bearer ``` -------------------------------- ### Error Response Example Source: https://automation.trendmicro.com/xdr/api-fedramp Example of a bad request error response from the API. This indicates an issue with the request formatting or content. ```json { "error": { "code": "BadRequest", "message": "Unable to process the request. Verify that the request is properly formatted and try again. (Error code: 3090003)", "number": 3090003 } } ``` -------------------------------- ### Retrieve Response Tasks in Python Source: https://automation.trendmicro.com/xdr/api-fedramp Example demonstrating how to fetch a paginated list of response tasks using the requests library. ```python import requests import json url_base = 'https://YOUR_V1_REGION_FQDN' url_path = '/v3.0/response/tasks' token = 'YOUR_TOKEN' query_params = { 'startDateTime': 'YOUR_STARTDATETIME (string)', 'endDateTime': 'YOUR_ENDDATETIME (string)', 'dateTimeTarget': 'YOUR_DATETIMETARGET (string)', 'filter': 'YOUR_FILTER (string)', 'top': 'YOUR_TOP (integer)' } headers = { 'Authorization': 'Bearer ' + token } r = requests.get(url_base + url_path, params=query_params, headers=headers) print(r.status_code) for k, v in r.headers.items(): print(f'{k}: {v}') print('') if 'application/json' in r.headers.get('Content-Type', '') and len(r.content): print(json.dumps(r.json(), indent=4)) else: print(r.text) ``` -------------------------------- ### Delete user account with Python Source: https://automation.trendmicro.com/xdr/api-fedramp Example of deleting a user account using the requests library. ```python import requests import json url_base = 'https://YOUR_V1_REGION_FQDN' url_path = '/v2.0/xdr/portal/accounts/{email}' url_path = url_path.format(**{'email': 'YOUR_EMAIL'}) token = 'YOUR_TOKEN' query_params = {} headers = { 'Authorization': 'Bearer ' + token } r = requests.delete(url_base + url_path, params=query_params, headers=headers) print(r.status_code) for k, v in r.headers.items(): print(f'{k}: {v}') print('') if 'application/json' in r.headers.get('Content-Type', '') and len(r.content): print(json.dumps(r.json(), indent=4)) else: print(r.text) ``` -------------------------------- ### Search Detections with Python Source: https://automation.trendmicro.com/xdr/api-fedramp Uses the requests library to perform a GET request to the detection search endpoint. Requires a valid API token and region-specific FQDN. ```python import requests import json url_base = 'https://YOUR_V1_REGION_FQDN' url_path = '/v3.0/search/detections' token = 'YOUR_TOKEN' query_params = { 'startDateTime': 'YOUR_STARTDATETIME (string)', 'endDateTime': 'YOUR_ENDDATETIME (string)', 'top': 'YOUR_TOP (integer)', 'mode': 'YOUR_MODE (string)', 'select': 'YOUR_SELECT (string)' } headers = { 'Authorization': 'Bearer ' + token, 'TMV1-Query': 'YOUR_QUERY (string)' } r = requests.get(url_base + url_path, params=query_params, headers=headers) print(r.status_code) for k, v in r.headers.items(): print(f'{k}: {v}') print('') if 'application/json' in r.headers.get('Content-Type', '') and len(r.content): print(json.dumps(r.json(), indent=4)) else: print(r.text) ``` -------------------------------- ### Get Workbench Alert Details Source: https://automation.trendmicro.com/xdr/api-fedramp Use this Python script to make a GET request to the Trend Micro XDR API to retrieve details for a specific alert. Ensure you replace placeholders with your actual region FQDN, alert ID, and bearer token. The script prints the status code, headers, and the JSON response if available. ```python import requests import json url_base = 'https://YOUR_V1_REGION_FQDN' url_path = '/v3.0/workbench/alerts/{id}' url_path = url_path.format(**{'id': 'YOUR_ID'}) token = 'YOUR_TOKEN' query_params = {} headers = { 'Authorization': 'Bearer ' + token } r = requests.get(url_base + url_path, params=query_params, headers=headers) print(r.status_code) for k, v in r.headers.items(): print(f'{k}: {v}') print('') if 'application/json' in r.headers.get('Content-Type', '') and len(r.content): print(json.dumps(r.json(), indent=4)) else: print(r.text) ``` -------------------------------- ### Response Task JSON Schema Source: https://automation.trendmicro.com/xdr/api-fedramp Example JSON structure for a response task object. ```json { "id": "00000012", "status": "running", "createdDateTime": "2021-04-05T08:22:37Z", "lastActionDateTime": "2021-04-06T08:22:37Z", "error": { "code": "TaskError", "number": 4009999, "message": "An internal error has occurred." }, "description": "task description", "action": "restoreIsolate", "account": "test", "agentGuid": "cb9c8412-1f64-4fa0-a36b-76bf41a07ede", "endpointName": "trend-host-1" } ``` -------------------------------- ### Retrieve Alert Note Request (Python) Source: https://automation.trendmicro.com/xdr/api-fedramp Example of using the requests library to fetch a specific alert note by ID. ```python import requests import json url_base = 'https://YOUR_V1_REGION_FQDN' url_path = '/v3.0/workbench/alerts/{alertId}/notes/{id}' url_path = url_path.format(**{'alertId': 'YOUR_ALERTID', 'id': 'YOUR_ID'}) token = 'YOUR_TOKEN' query_params = {} headers = { 'Authorization': 'Bearer ' + token } r = requests.get(url_base + url_path, params=query_params, headers=headers) print(r.status_code) for k, v in r.headers.items(): print(f'{k}: {v}') print('') if 'application/json' in r.headers.get('Content-Type', '') and len(r.content): print(json.dumps(r.json(), indent=4)) else: print(r.text) ``` -------------------------------- ### GET /v2.0/xdr/workbench/alerts Source: https://automation.trendmicro.com/xdr/api-fedramp Displays information about workbench alerts that match the specified criteria in a paginated list. ```APIDOC ## GET /v2.0/xdr/workbench/alerts ### Description Displays information about workbench alerts that match the specified criteria in a paginated list. Note: This method displays up to 10 entries per page. ### Method GET ### Endpoint /v2.0/xdr/workbench/alerts ### Parameters #### Query Parameters - **startDateTime** (string) - Optional - Datetime in ISO 8601 format indicating the start of the data retrieval time range. - **endDateTime** (string) - Optional - Datetime in ISO 8601 format indicating the end of the data retrieval time range. - **dateTimeTarget** (string) - Optional - The timestamp to be used for retrieving Workbench alert data (createdDateTime, updatedDateTime, firstInvestigatedDateTime). - **orderBy** (string) - Optional - Specifies the field by which the results are sorted. ``` -------------------------------- ### Suspicious Object Response Sample Source: https://automation.trendmicro.com/xdr/api-fedramp Example JSON response when retrieving suspicious objects. This includes details like 'nextLink' for pagination and a list of 'items' with object properties. ```json { "nextLink": "https://api.xdr.trendmicro.com/v3.0/threatintel/suspiciousObjects?top=50&skipToken=eyJpZCI6IjI1MGQxMmE3ZDQyMmVhM", "items": [ { "url": "http://test.com", "type": "url", "description": "object description", "scanAction": "log", "riskLevel": "high", "inExceptionList": false, "lastModifiedDateTime": "2019-03-15T07:44:27Z", "expiredDateTime": "2019-03-15T07:44:27Z" } ] } ``` -------------------------------- ### Add Suspicious Object Response Sample Source: https://automation.trendmicro.com/xdr/api-fedramp Example JSON response for adding objects to the Suspicious Object List, indicating the status of each operation. ```json [ { "status": 201 }, { "status": 400, "body": { "error": { "code": "BadRequest", "message": "Bad request" } } }, { "status": 500, "body": { "error": { "code": "InternalServerError", "message": "Internal server error" } } } ] ``` -------------------------------- ### GET /v3.0/workbench/alerts Source: https://automation.trendmicro.com/xdr/api-fedramp Retrieves a list of workbench alerts based on optional filtering and pagination parameters. ```APIDOC ## GET /v3.0/workbench/alerts ### Description Retrieves a list of alerts from the Trend Micro XDR Workbench. Supports filtering via the TMV1-Filter header. ### Method GET ### Endpoint /v3.0/workbench/alerts ### Parameters #### Header Parameters - **TMV1-Filter** (string) - Optional - Filter for retrieving a subset of the alert list. Supported fields: id, investigationStatus, status, investigationResult, alertProvider, modelId, model, modelType, severity, impactScopeEntityValue, indicatorValue, incidentId. Supported operators: eq, and, or, not, (), contains. #### Query Parameters - **startDateTime** (string) - Optional - The start of the time range. - **endDateTime** (string) - Optional - The end of the time range. - **dateTimeTarget** (string) - Optional - The target field for the date time range. - **orderBy** (string) - Optional - Field to order the results by. ### Response #### Success Response (200) - **OK** - Successfully retrieved the list of alerts. #### Error Handling - **400** - Bad request - **500** - Internal server error ``` -------------------------------- ### Example API response body Source: https://automation.trendmicro.com/xdr/Guides/First-steps-toward-using-the-APIs Represents the expected JSON structure returned by the suspicious object exceptions API. ```json { "items": [ { "domain": "v1.test.com", "type": "domain", "description": "sample exception data", "lastModifiedDateTime": "2021-05-31T00:28:30Z" }, ... ] } ``` -------------------------------- ### Search Endpoint Activities with Python Source: https://automation.trendmicro.com/xdr/api-fedramp Uses the requests library to perform a GET request to the endpoint activities search API. ```python import requests import json url_base = 'https://YOUR_V1_REGION_FQDN' url_path = '/v3.0/search/endpointActivities' token = 'YOUR_TOKEN' query_params = { 'startDateTime': 'YOUR_STARTDATETIME (string)', 'endDateTime': 'YOUR_ENDDATETIME (string)', 'top': 'YOUR_TOP (integer)', 'mode': 'YOUR_MODE (string)', 'select': 'YOUR_SELECT (string)' } headers = { 'Authorization': 'Bearer ' + token, 'TMV1-Query': 'YOUR_QUERY (string)' } r = requests.get(url_base + url_path, params=query_params, headers=headers) print(r.status_code) for k, v in r.headers.items(): print(f'{k}: {v}') print('') if 'application/json' in r.headers.get('Content-Type', '') and len(r.content): print(json.dumps(r.json(), indent=4)) else: print(r.text) ``` -------------------------------- ### GET /v3.0/response/tasks Source: https://automation.trendmicro.com/xdr/api-fedramp Displays a paginated list of response tasks based on optional filters and time ranges. ```APIDOC ## GET /v3.0/response/tasks ### Description Displays a list of response tasks in a paginated list. ### Method GET ### Endpoint /v3.0/response/tasks ### Parameters #### Query Parameters - **startDateTime** (string) - Optional - Timestamp in ISO 8601 format indicating the start of the data retrieval range. - **endDateTime** (string) - Optional - Timestamp in ISO 8601 format indicating the end of the data retrieval range. - **dateTimeTarget** (string) - Optional - Parameter to filter results by 'createdDateTime' or 'lastActionDateTime'. - **filter** (string) - Optional - Filter for retrieving a subset of the response task list. - **top** (integer) - Optional - Number of records displayed on a page (50, 100, or 200). ### Response #### Success Response (200) - **items** (array) - List of response tasks. - **nextLink** (string) - URL for the next page of results. #### Response Example { "items": [ { "id": "00000012", "status": "running", "createdDateTime": "2021-04-05T08:22:37Z", "lastActionDateTime": "2021-04-06T08:22:37Z", "description": "task description", "action": "isolate", "account": "test", "agentGuid": "cb9c8412-1f64-4fa0-a36b-76bf41a07ede", "endpointName": "trend-host-1" } ], "nextLink": "https://api.xdr.trendmicro.com/v3.0/xdr/response/tasks?skipToken=c2tpcFRva2Vu" } ``` -------------------------------- ### GET /v3.0/endpointActivities Source: https://automation.trendmicro.com/xdr/api-fedramp Retrieves detection data from the Detection Data source in a paginated list. Requires Agentic SIEM and XDR role permissions. ```APIDOC ## GET /v3.0/endpointActivities ### Description Displays search results from the Detection Data source in a paginated list. ### Method GET ### Endpoint /v3.0/endpointActivities ### Parameters #### Query Parameters - **startDateTime** (string) - Optional - The start of the data retrieval range in ISO 8601 format. Default: 24 hours before the request is made. - **endDateTime** (string) - Optional - Timestamp in ISO 8601 format that indicates the end of the data retrieval time range. If no value is specified, 'endDateTime' defaults to the time the request is made. - **top** (integer) - Optional - The number of records displayed on a page. Default: 500. Enum: 50, 100, 500, 1000, 5000. - **mode** (string) - Optional - The type of data returned by the query results. Default: "default". Enum: "default", "countOnly", "performance". - 'default' - Displays the data returned by the query. - 'countOnly' - Displays the number of records returned by the query. - 'performance' - Displays the data in performance mode, but the "top" parameter does not work and there may be zero records returned even though progressRate has not reached 100. To display all records, call the API again via nextLink until progressRate has reached 100. Use count mode to avoid returning empty data. - **select** (string) - Optional - The list of fields included in search results. If no fields are specified, the query returns all supported fields. Max length: 2048 characters. ### Request Example ```json { "example": "request body" } ``` ### Response #### Success Response (200) - **nextLink** (string) - URL for the next page of results. - **progressRate** (integer) - The progress rate of the data retrieval. - **items** (array) - An array of endpoint activity objects. - **dpt** (integer) - Destination port. - **dst** (string) - Destination IP address. - **endpointGuid** (string) - Unique identifier for the endpoint. - **endpointHostName** (string) - Hostname of the endpoint. - **endpointIp** (array) - List of IP addresses associated with the endpoint. - **eventId** (string) - Unique identifier for the event. - **eventSubId** (integer) - Sub-identifier for the event. - **objectIntegrityLevel** (integer) - Integrity level of the object. - **objectTrueType** (integer) - True type of the object. - **objectSubTrueType** (integer) - Sub true type of the object. - **winEventId** (integer) - Windows Event ID. - **eventTime** (integer) - Timestamp of the event in milliseconds. - **eventTimeDT** (string) - Timestamp of the event in ISO 8601 format. - **hostName** (string) - Hostname where the event occurred. - **logonUser** (array) - List of logon users. - **objectCmd** (string) - Command executed for the object. - **objectFileHashSha1** (string) - SHA1 hash of the object file. - **objectFilePath** (string) - File path of the object. - **objectHostName** (string) - Hostname associated with the object. - **objectIp** (string) - IP address associated with the object. - **objectIps** (array) - List of IP addresses associated with the object. - **objectPort** (integer) - Port number associated with the object. - **objectRegistryData** (string) - Data of the registry key. - **objectRegistryKeyHandle** (string) - Handle of the registry key. - **objectRegistryValue** (string) - Value of the registry key. - **objectSigner** (array) - Signer of the object. - **objectSignerValid** (array) - Indicates if the object signer is valid. - **objectUser** (string) - User associated with the object. - **os** (string) - Operating system of the endpoint. - **parentCmd** (string) - Command of the parent process. - **parentFileHashSha1** (string) - SHA1 hash of the parent process file. - **parentFilePath** (string) - File path of the parent process. - **processCmd** (string) - Command of the process. - **processFileHashSha1** (string) - SHA1 hash of the process file. - **processFilePath** (string) - File path of the process. - **request** (string) - The request associated with the event. - **searchDL** (string) - Search data layer. - **spt** (integer) - Source port. - **src** (string) - Source IP address. - **srcFileHashSha1** (string) - SHA1 hash of the source file. - **srcFilePath** (string) - File path of the source. - **tags** (array) - Tags associated with the event (e.g., MITRE ATT&CK techniques). - **uuid** (string) - Unique identifier for the event. #### Response Example ```json { "nextLink": "https://api.xdr.trendmicro.com/v3.0/endpointActivities?...&skipToken=ewogICJvdXRlcl9zbGl...", "progressRate": 30, "items": [ { "dpt": 443, "dst": "", "endpointGuid": "72436165-b5a5-471a-9389-0bdc3647bc33", "endpointHostName": "xxx-docker", "endpointIp": [ "192.0.2.0" ], "eventId": "1", "eventSubId": 0, "objectIntegrityLevel": 0, "objectTrueType": 0, "objectSubTrueType": 0, "winEventId": 3, "eventTime": 1633124154241, "eventTimeDT": "2021-10-01T21:35:54.241000+00:00", "hostName": "xxx-docker", "logonUser": [ "string" ], "objectCmd": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe --type=utility --lang=en-US --no-sandbox", "objectFileHashSha1": "98A9A1C8F69373B211E5F1E303BA8762F44BC898", "objectFilePath": "C:\\Program Files (x86)\\temp\\Application\\test.exe", "objectHostName": "string", "objectIp": "string", "objectIps": [ "string" ], "objectPort": 0, "objectRegistryData": "wscript \"C:\\Program Files (x86)\\JNJ\\ITS_IE_PREF\\IE_Preferences.vbs\"", "objectRegistryKeyHandle": "hklm\\software\\wow6432node\\microsoft\\windows\\currentversion\\run", "objectRegistryValue": "its_ie_settings", "objectSigner": [ "Microsoft Windows" ], "objectSignerValid": [ true ], "objectUser": "SYSTEM", "os": "Linux", "parentCmd": "string", "parentFileHashSha1": "string", "parentFilePath": "string", "processCmd": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe --type=utility --lang=en-US --no-sandbox", "processFileHashSha1": "string", "processFilePath": "C:\\Program Files (x86)\\temp\\Application\\test.exe", "request": "https://www.example.com", "searchDL": "SDL", "spt": 8080, "src": "192.169.1.1", "srcFileHashSha1": "string", "srcFilePath": "string", "tags": [ "MITRE.T1210" ], "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" } ] } ``` ``` -------------------------------- ### GET /v3.0/threatintel/suspiciousObjects Source: https://automation.trendmicro.com/xdr/api-fedramp Retrieves a paginated list of suspicious objects including domains, file hashes, IP addresses, and URLs. ```APIDOC ## GET /v3.0/threatintel/suspiciousObjects ### Description Retrieves information about domains, file SHA-1, file SHA-256, IP addresses, email addresses, or URLs in the Suspicious Object List. ### Method GET ### Endpoint /v3.0/threatintel/suspiciousObjects ### Parameters #### Query Parameters - **orderBy** (string) - Optional - Sort results by 'riskLevel', 'lastModifiedDateTime', or 'expiredDateTime'. - **startDateTime** (string) - Optional - ISO 8601 timestamp for the start of the retrieval range. - **endDateTime** (string) - Optional - ISO 8601 timestamp for the end of the retrieval range. - **top** (integer) - Optional - Number of records to display (50, 100, or 200). #### Header Parameters - **TMV1-Filter** (string) - Optional - Filter string for retrieving a subset of objects (e.g., type, riskLevel, scanAction). ### Response #### Success Response (200) - **data** (array) - List of suspicious objects. ``` -------------------------------- ### Retrieve Audit Logs via Python Source: https://automation.trendmicro.com/xdr/api-fedramp Uses the requests library to perform a GET request to the audit logs endpoint with authentication and optional query parameters. ```python import requests import json url_base = 'https://YOUR_V1_REGION_FQDN' url_path = '/v3.0/audit/logs' token = 'YOUR_TOKEN' query_params = { 'startDateTime': 'YOUR_STARTDATETIME (string)', 'endDateTime': 'YOUR_ENDDATETIME (string)', 'dateTimeTarget': 'YOUR_DATETIMETARGET (string)', 'orderBy': 'YOUR_ORDERBY (string)', 'top': 'YOUR_TOP (integer)', 'labels': 'YOUR_LABELS (string)' } headers = { 'Authorization': 'Bearer ' + token, 'Accept': 'YOUR_ACCEPT (string)', 'TMV1-Filter': 'YOUR_FILTER (string)' } r = requests.get(url_base + url_path, params=query_params, headers=headers) print(r.status_code) for k, v in r.headers.items(): print(f'{k}: {v}') print('') if 'application/json' in r.headers.get('Content-Type', '') and len(r.content): print(json.dumps(r.json(), indent=4)) else: print(r.text) ``` -------------------------------- ### GET /v2.0/xdr/suspiciousObjects/exceptions Source: https://automation.trendmicro.com/xdr/api-fedramp Retrieves information about domains, file SHA-1, file SHA-256, IP addresses, sender addresses, or URLs in the Exception List. ```APIDOC ## GET /v2.0/xdr/suspiciousObjects/exceptions ### Description Retrieves information about domains, file SHA-1, file SHA-256, IP addresses, sender addresses, or URLs in the Exception List and displays it in a paginated list. ### Method GET ### Endpoint /v2.0/xdr/suspiciousObjects/exceptions ### Parameters #### Query Parameters - **orderBy** (string) - Optional - Sort results (e.g., 'lastModifiedDateTime desc'). - **startDateTime** (string) - Optional - Start of the data retrieval time range (ISO 8601). - **endDateTime** (string) - Optional - End of the data retrieval time range (ISO 8601). - **top** (integer) - Optional - Number of records displayed (50, 100, or 200). ``` -------------------------------- ### GET /v2.0/xdr/portal/accounts/roles Source: https://automation.trendmicro.com/xdr/api-fedramp Retrieves a list of roles that users can select when configuring accounts. This is useful for understanding available role options for user management. ```APIDOC ## GET /v2.0/xdr/portal/accounts/roles ### Description Retrieves the list of roles users can select when configuring accounts. ### Method GET ### Endpoint /v2.0/xdr/portal/accounts/roles ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Request Example ```json { "example": "" } ``` ### Response #### Success Response (200) - **roles** (array) - A list of available roles. - **role_id** (string) - The unique identifier for the role. - **role_name** (string) - The name of the role. #### Response Example ```json { "example": "{\"roles\": [{\"role_id\": \"admin\", \"role_name\": \"Administrator\"}, {\"role_id\": \"viewer\", \"role_name\": \"Viewer\"}]}" } ``` ### Error Handling - **400**: The specified parameter is invalid. Review the available parameters for the API request. - **401**: User account failed to pass the authentication of the server. - **403**: User account tries to access resources which he does not have permissions. - **500**: These errors are usually caused by a server-side issue. ``` -------------------------------- ### Get Single Sign-On Status Source: https://automation.trendmicro.com/xdr/api-fedramp Retrieves the current status of single sign-on for SAML accounts. Requires Administration: Identity Providers: View permissions. ```Python import requests import json url_base = 'https://YOUR_V1_REGION_FQDN' url_path = '/v2.0/xdr/portal/metadata/status' token = 'YOUR_TOKEN' query_params = {} headers = { 'Authorization': 'Bearer ' + token } r = requests.get(url_base + url_path, params=query_params, headers=headers) print(r.status_code) for k, v in r.headers.items(): print(f'{k}: {v}') print('') if 'application/json' in r.headers.get('Content-Type', '') and len(r.content): print(json.dumps(r.json(), indent=4)) else: print(r.text) ``` -------------------------------- ### Restore Endpoint Request Payload Source: https://automation.trendmicro.com/xdr/api-fedramp Example JSON payload for the restore endpoint connection request, requiring an agent GUID. ```json [ { "description": "task description", "agentGuid": "cb9c8412-1f64-4fa0-a36b-76bf41a07ede" } ] ``` -------------------------------- ### List user roles via Python Source: https://automation.trendmicro.com/xdr/api-fedramp Retrieves the list of roles available for account configuration. Requires Administration permissions. ```python import requests import json url_base = 'https://YOUR_V1_REGION_FQDN' url_path = '/v2.0/xdr/portal/accounts/roles' token = 'YOUR_TOKEN' query_params = {} headers = { 'Authorization': 'Bearer ' + token } r = requests.get(url_base + url_path, params=query_params, headers=headers) print(r.status_code) for k, v in r.headers.items(): print(f'{k}: {v}') print('') if 'application/json' in r.headers.get('Content-Type', '') and len(r.content): print(json.dumps(r.json(), indent=4)) else: print(r.text) ``` -------------------------------- ### Download XDR SP Metadata with Python Source: https://automation.trendmicro.com/xdr/api-fedramp Downloads the Trend Micro XDR service provider (SP) metadata file, which is necessary for configuring SAML 2.0 single sign-on. Requires 'Administration' permissions for 'Identity Providers'. ```python import requests import json url_base = 'https://YOUR_V1_REGION_FQDN' url_path = '/v2.0/xdr/portal/metadata/xdrSpMetadata.xml' token = 'YOUR_TOKEN' query_params = {} headers = { 'Authorization': 'Bearer ' + token } r = requests.get(url_base + url_path, params=query_params, headers=headers) print(r.status_code) for k, v in r.headers.items(): print(f'{k}: {v}') print('') if 'application/json' in r.headers.get('Content-Type', '') and len(r.content): print(json.dumps(r.json(), indent=4)) else: print(r.text) ``` -------------------------------- ### GET /v3.0/response/customScripts/{id} Source: https://automation.trendmicro.com/xdr/api-fedramp Downloads the content of a specific custom script. ```APIDOC ## GET /v3.0/response/customScripts/{id} ### Description Downloads a custom script file. ### Method GET ### Endpoint /v3.0/response/customScripts/{id} ### Parameters #### Path Parameters - **id** (string) - Required - Unique alphanumeric string that identifies a script file ### Response #### Success Response (200) - Successful operation #### Error Responses - 403: Access denied - 404: Not found - 500: Internal server error ``` -------------------------------- ### List company account roles via Python Source: https://automation.trendmicro.com/xdr/api-fedramp Retrieves roles currently used in company accounts along with their associated permissions. Requires Administration permissions. ```python import requests import json url_base = 'https://YOUR_V1_REGION_FQDN' url_path = '/v2.0/xdr/portal/roles' token = 'YOUR_TOKEN' query_params = {} headers = { 'Authorization': 'Bearer ' + token } r = requests.get(url_base + url_path, params=query_params, headers=headers) print(r.status_code) for k, v in r.headers.items(): print(f'{k}: {v}') print('') if 'application/json' in r.headers.get('Content-Type', '') and len(r.content): print(json.dumps(r.json(), indent=4)) else: print(r.text) ``` -------------------------------- ### GET /v2.0/xdr/portal/roles/permissions Source: https://automation.trendmicro.com/xdr/api-fedramp Retrieves the permissions of all roles in Trend Vision One. ```APIDOC ## GET /v2.0/xdr/portal/roles/permissions ### Description Retrieves the permissions of all roles in Trend Vision One. ### Method GET ### Endpoint /v2.0/xdr/portal/roles/permissions ### Response #### Success Response (200) - successful operation ``` -------------------------------- ### GET /v3.0/threatintel/suspiciousObjects Source: https://automation.trendmicro.com/xdr/api-fedramp Retrieves a list of suspicious objects from the threat intelligence database. ```APIDOC ## GET /v3.0/threatintel/suspiciousObjects ### Description Retrieves a list of suspicious objects. Supports filtering and ordering. ### Method GET ### Endpoint /v3.0/threatintel/suspiciousObjects ### Parameters #### Query Parameters - **orderBy** (string) - Optional - The field to order results by. - **startDateTime** (string) - Optional - Start date for filtering. - **endDateTime** (string) - Optional - End date for filtering. - **top** (integer) - Optional - Number of items to return. ### Response #### Success Response (200) - **nextLink** (string) - URL for the next page of results. - **items** (array) - List of suspicious objects. #### Response Example { "nextLink": "https://api.xdr.trendmicro.com/v3.0/threatintel/suspiciousObjects?top=50&skipToken=...", "items": [ { "url": "http://test.com", "type": "url", "description": "object description", "scanAction": "log", "riskLevel": "high", "inExceptionList": false, "lastModifiedDateTime": "2019-03-15T07:44:27Z", "expiredDateTime": "2019-03-15T07:44:27Z" } ] } ``` -------------------------------- ### Get Endpoint Data with Python Source: https://automation.trendmicro.com/xdr/api-fedramp Retrieves a paginated list of endpoint information from the Endpoint Info source. Requires 'Endpoint Inventory' view permissions and includes 'TMV1-Query' in headers for pagination. ```python import requests import json url_base = 'https://YOUR_V1_REGION_FQDN' url_path = '/v3.0/eiqs/endpoints' token = 'YOUR_TOKEN' query_params = { 'top': 'YOUR_TOP (integer)' } headers = { 'Authorization': 'Bearer ' + token, 'TMV1-Query': 'YOUR_QUERY (string)' } r = requests.get(url_base + url_path, params=query_params, headers=headers) print(r.status_code) for k, v in r.headers.items(): print(f'{k}: {v}') print('') if 'application/json' in r.headers.get('Content-Type', '') and len(r.content): print(json.dumps(r.json(), indent=4)) else: print(r.text) ``` -------------------------------- ### Example Workbench Alert Notes Response Source: https://automation.trendmicro.com/xdr/api-fedramp This JSON object represents a successful response when retrieving Workbench alert notes. It includes a list of notes ('items') and a 'nextLink' for pagination if more results are available. ```json { "items": [ { "id": 2, "content": "test note 2", "creatorMailAddress": "john_doe@xdr.com", "creatorName": "John Doe", "createdDateTime": "2020-11-12T10:30:13Z", "lastUpdatedBy": null, "lastUpdatedDateTime": null }, { "id": 1, "content": "test note 1", "creatorMailAddress": "john_doe@xdr.com", "creatorName": "John Doe", "createdDateTime": "2020-11-11T15:10:08Z", "lastUpdatedBy": "John Doe", "lastUpdatedDateTime": "2020-11-11T15:15:21Z" } ], "nextLink": "https://api.xdr.trendmicro.com/v3.0/workbench/alerts/WB-14-20190709-00003/notes?skipToken=skipToken" } ``` -------------------------------- ### Get Task Status Source: https://automation.trendmicro.com/xdr/api-fedramp Retrieves the status of a specific response task by its ID. ```APIDOC ## GET /v3.0/response/tasks/{id} ### Description Retrieves the status of a specific response task. ### Method GET ### Endpoint /v3.0/response/tasks/{id} ### Parameters #### Path Parameters - **id** (string) - Required - The ID of the task to retrieve. ### Request Example ```python import requests import json url_base = 'https://api.usgov.xdr.trendmicro.com' url_path = '/v3.0/response/tasks/{id}' url_path = url_path.format(**{'id': 'YOUR_ID'}) token = 'YOUR_TOKEN' query_params = {} headers = { 'Authorization': 'Bearer ' + token } r = requests.get(url_base + url_path, params=query_params, headers=headers) print(r.status_code) for k, v in r.headers.items(): print(f'{k}: {v}') print('') if 'application/json' in r.headers.get('Content-Type', '') and len(r.content): print(json.dumps(r.json(), indent=4)) else: print(r.text) ``` ### Response #### Success Response (200) - **id** (string) - The ID of the task. - **status** (string) - The current status of the task (e.g., "running"). - **createdDateTime** (string) - The date and time when the task was created. - **lastActionDateTime** (string) - The date and time of the last action performed on the task. - **error** (object) - Information about any errors encountered. - **code** (string) - The error code. - **number** (integer) - The error number. - **message** (string) - A description of the error. - **description** (string) - A description of the task. - **action** (string) - The action performed by the task. - **account** (string) - The account associated with the task. - **agentGuid** (string) - The GUID of the agent associated with the task. - **endpointName** (string) - The name of the endpoint associated with the task. #### Response Example ```json { "id": "00000012", "status": "running", "createdDateTime": "2021-04-05T08:22:37Z", "lastActionDateTime": "2021-04-06T08:22:37Z", "error": { "code": "TaskError", "number": 4009999, "message": "An internal error has occurred." }, "description": "task description", "action": "restoreIsolate", "account": "test", "agentGuid": "cb9c8412-1f64-4fa0-a36b-76bf41a07ede", "endpointName": "trend-host-1" } ``` ### Errors - **400**: Bad request - **403**: Access denied - **404**: Not found - **500**: Internal server error ``` -------------------------------- ### GET /v2.0/xdr/portal/roles/{role}/permissions Source: https://automation.trendmicro.com/xdr/api-fedramp Retrieves the permissions associated with a specific role. ```APIDOC ## GET /v2.0/xdr/portal/roles/{role}/permissions ### Description Retrieves the permissions of a specific role in Trend Vision One. ### Method GET ### Endpoint /v2.0/xdr/portal/roles/{role}/permissions ### Parameters #### Path Parameters - **role** (string) - Required - The unique identifier of the role. ``` -------------------------------- ### Request Detections with Python Source: https://automation.trendmicro.com/xdr/api-fedramp Use this Python script to make a GET request to the detections endpoint. Ensure you replace placeholder values for region, token, and query parameters. The script prints the status code, headers, and JSON response. ```python import requests import json url_base = 'https://YOUR_V1_REGION_FQDN' url_path = '/v3.0/oat/detections' token = 'YOUR_TOKEN' query_params = { 'detectedStartDateTime': 'YOUR_DETECTEDSTARTDATETIME (string)', 'detectedEndDateTime': 'YOUR_DETECTEDENDDATETIME (string)', 'ingestedStartDateTime': 'YOUR_INGESTEDSTARTDATETIME (string)', 'ingestedEndDateTime': 'YOUR_INGESTEDENDDATETIME (string)', 'top': 'YOUR_TOP (integer)' } headers = { 'Authorization': 'Bearer ' + token, 'TMV1-Filter': 'YOUR_FILTER (string)' } r = requests.get(url_base + url_path, params=query_params, headers=headers) print(r.status_code) for k, v in r.headers.items(): print(f'{k}: {v}') print('') if 'application/json' in r.headers.get('Content-Type', '') and len(r.content): print(json.dumps(r.json(), indent=4)) else: print(r.text) ``` -------------------------------- ### GET /v2.0/xdr/portal/metadata/status Source: https://automation.trendmicro.com/xdr/api-fedramp Retrieves the status (enabled or disabled) of single sign-on for SAML accounts. ```APIDOC ## GET /v2.0/xdr/portal/metadata/status ### Description Retrieves the status (enabled or disabled) of single sign-on for SAML accounts. ### Method GET ### Endpoint /v2.0/xdr/portal/metadata/status ### Response #### Success Response (200) - **status** (boolean) - The enabled or disabled status of single sign-on. #### Response Example { "enabled": true } ``` -------------------------------- ### GET /v3.0/response/customScripts/{id} Source: https://automation.trendmicro.com/xdr/api-fedramp Retrieves details of a specific custom script by its unique identifier. ```APIDOC ## GET /v3.0/response/customScripts/{id} ### Description Retrieves a specific custom script by its ID. ### Method GET ### Endpoint /v3.0/response/customScripts/{id} ### Parameters #### Path Parameters - **id** (string) - Required - Unique alphanumeric string that identifies a script file. ``` -------------------------------- ### GET /v3.0/workbench/alerts/{alertId}/notes/{id} Source: https://automation.trendmicro.com/xdr/api-fedramp Retrieves a specific note from a Workbench alert. ```APIDOC ## GET /v3.0/workbench/alerts/{alertId}/notes/{id} ### Description Retrieves the details of a specific note associated with a Workbench alert. ### Method GET ### Endpoint /v3.0/workbench/alerts/{alertId}/notes/{id} ### Parameters #### Path Parameters - **alertId** (string) - Required - Unique alphanumeric string that identifies a Workbench alert. - **id** (integer) - Required - Numeric string that identifies a Workbench alert note. ### Response #### Success Response (200) - **id** (integer) - Note ID - **content** (string) - Note content - **creatorMailAddress** (string) - Creator email - **creatorName** (string) - Creator name - **createdDateTime** (string) - Creation timestamp - **lastUpdatedBy** (string) - Last updated by - **lastUpdatedDateTime** (string) - Last update timestamp #### Response Example { "id": 1, "content": "It is a note", "creatorMailAddress": "john_doe@xdr.com", "creatorName": "John Doe", "createdDateTime": "2020-11-11T15:10:08Z", "lastUpdatedBy": "John Doe", "lastUpdatedDateTime": "2020-11-11T15:10:08Z" } ```