Trend Micro EPP
Pre-requisites to use Trend Micro and DNIF

Outbound access is required for connectivity between the DNIF setup and Trend Micro.

Protocol   Source IP   Source Port   Direction   Destination IP              Destination Port
TCP        DS, CR      Any           Egress      Trend Micro host address    443

Note

The above rule assumes that both request and response traffic are permitted (a stateful rule). DS and CR are the Data Store and Correlator components of the DNIF setup.

Trend Micro trigger plugin functions

Details of the functions that can be used with the Trend Micro trigger are given in this section.

ip_isolateagent

This function isolates an agent from the network, using an IP address to identify the managed product agent.

Input

  • IP Address

Example

_fetch * from event where $Intel=True AND $ViolationField=SOURCE limit 1
>>_trigger api trendmicro-epp ip_isolateagent $SrcIP

Output

The output of the trigger call has the following structure (for the available data):

Field                 Description
$TMResultCode         Result code of the API call
$TMResultDescription  Description of the action performed by the API call
$TMEntityID           The GUID of the managed product agent
$TMProduct            The Trend Micro product that the agent belongs to
$TMManagingServerID   The GUID of the product server that manages the agent
$TMADdomain           The Active Directory domain that the agent belongs to (if applicable)
$TMFolderPath         The folder path where the agent is located on the managing server (for example, the Apex One domain that the agent is listed under)
$TMIPAddresslist      The IP addresses on the agent endpoint
$TMMacAdrressList     The MAC addresses on the agent endpoint
$TMHostName           The endpoint name of the managed product agent
$TMIsolationStatus    The agent's isolation status
$TMCapablities        The API actions that can be performed on the agent

host_isolateagent

This function isolates an agent from the network, using a host name to identify the managed product agent.

Input

  • Host Name

Example

_fetch * from event where $Intel=True AND $ViolationField=SOURCE limit 1
>>_trigger api trendmicro-epp host_isolateagent $SrcIP

Output

The output of the trigger call has the following structure (for the available data):

Field                 Description
$TMResultCode         Result code of the API call
$TMResultDescription  Description of the action performed by the API call
$TMEntityID           The GUID of the managed product agent
$TMProduct            The Trend Micro product that the agent belongs to
$TMManagingServerID   The GUID of the product server that manages the agent
$TMADdomain           The Active Directory domain that the agent belongs to (if applicable)
$TMFolderPath         The folder path where the agent is located on the managing server (for example, the Apex One domain that the agent is listed under)
$TMIPAddresslist      The IP addresses on the agent endpoint
$TMMacAdrressList     The MAC addresses on the agent endpoint
$TMHostName           The endpoint name of the managed product agent
$TMIsolationStatus    The agent's isolation status
$TMCapablities        The API actions that can be performed on the agent
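Both ip_isolateagent and host_isolateagent return the same $TM* fields, and the example query above hands the trigger whatever $SrcIP the matching event carried. An IP is a weak identifier for a workstation (DHCP lease churn, NAT), so before a playbook treats the host as contained it should confirm that the agent the API actually acted on is the one the detection named. The following is an added example written for this page, not code from DNIF or Trend Micro: it cross-checks a trigger output record against the original target and reports whether the result is trustworthy. It assumes, beyond what the page states, that a $TMResultCode of 1 means success, that $TMIsolationStatus reads "isolated" once the agent is off the network, that $TMCapablities lists "cmd_isolate" for an isolatable agent, and that list fields may arrive as comma-separated strings; every record in it is constructed sample data.

```python
"""Added example (not DNIF or Trend Micro code): verify ip_isolateagent /
host_isolateagent output before treating an endpoint as contained.
Assumed values (not stated on the page): RESULT_OK, ISOLATE_CAP, DONE_STATUS."""
import ipaddress

RESULT_OK = 1                 # assumed: $TMResultCode value for success
ISOLATE_CAP = "cmd_isolate"   # assumed: capability name an isolatable agent reports
DONE_STATUS = "isolated"      # assumed: $TMIsolationStatus once the agent is off the network


def _as_list(value):
    """$TM* list fields may arrive as a list or as a comma-separated string."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [str(v).strip() for v in value]
    return [part.strip() for part in str(value).split(",") if part.strip()]


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def verify_isolation(record, target):
    """Cross-check the agent the API acted on against the identifier the
    detection supplied. For an IP target, the agent's own $TMIPAddresslist
    must contain it; for a host-name target, $TMHostName must match."""
    problems = []
    if record.get("$TMResultCode") != RESULT_OK:
        problems.append(f"API result {record.get('$TMResultCode')!r}: "
                        f"{record.get('$TMResultDescription')!r}")

    target_ip = _parse_ip(target)
    if target_ip is not None:
        agent_ips = [ip for ip in map(_parse_ip, _as_list(record.get("$TMIPAddresslist"))) if ip]
        if target_ip not in agent_ips:
            problems.append(f"agent IPs {[str(ip) for ip in agent_ips]} do not include target {target}")
    else:
        host = str(record.get("$TMHostName") or "")
        if host.lower() != target.lower():
            problems.append(f"agent host name {host!r} does not match target {target!r}")

    if ISOLATE_CAP not in _as_list(record.get("$TMCapablities")):
        problems.append("agent does not advertise the isolation capability")

    status = str(record.get("$TMIsolationStatus") or "")
    matched = not problems
    return {
        "entity_id": record.get("$TMEntityID"),
        "matched": matched,                                 # right agent, call accepted
        "contained": matched and status == DONE_STATUS,     # and isolation is in effect
        "status": status,
        "problems": problems,
    }


def _sample(**overrides):
    """Constructed sample of an ip_isolateagent output record (not real data)."""
    rec = {
        "$TMResultCode": 1,
        "$TMResultDescription": "Operation successful",
        "$TMEntityID": "6d1f3e7a-0000-4000-8000-000000000001",
        "$TMProduct": "Apex One",
        "$TMManagingServerID": "b0b1c2d3-0000-4000-8000-000000000002",
        "$TMADdomain": "corp",
        "$TMFolderPath": "Workgroup",
        "$TMIPAddresslist": "10.20.30.40,192.168.56.5",
        "$TMMacAdrressList": "00:11:22:33:44:55",
        "$TMHostName": "WS-FIN-017",
        "$TMIsolationStatus": "isolated",
        "$TMCapablities": ["cmd_isolate", "cmd_restore_isolate"],
    }
    rec.update(overrides)
    return rec


def run_example():
    return {
        # the right endpoint was isolated: safe to act on
        "good": verify_isolation(_sample(), "10.20.30.40"),
        # lease moved between detection and trigger: a different endpoint answered
        "stale_lease": verify_isolation(_sample(**{"$TMIPAddresslist": "10.20.30.41"}), "10.20.30.40"),
        # command accepted but not yet applied: re-query before closing the case
        "pending": verify_isolation(_sample(**{"$TMIsolationStatus": "normal"}), "10.20.30.40"),
        # host_isolateagent: the match is on host name, case-insensitively
        "by_host": verify_isolation(_sample(), "ws-fin-017"),
        # API refused the call
        "api_error": verify_isolation(
            _sample(**{"$TMResultCode": -1, "$TMResultDescription": "Invalid parameter"}), "10.20.30.40"),
    }
```

The "pending" case is the one most often mishandled: a successful result code only means the isolation command was accepted, so a playbook should poll the agent's $TMIsolationStatus again rather than mark the incident contained on the first response.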

Using the Trend Micro (EPP) trigger API and DNIF

Getting started with Trend Micro (EPP) trigger API and DNIF

  • Place trendmicro-epp.tar.gz in /var/tmp on the host machine.
  • Log in to your Data Store and Correlator containers (access the DNIF container via SSH).
  • Copy the archive from /var/tmp to the trigger plugins directory:
cp /var/tmp/trendmicro-epp.tar.gz /dnif/<D-Key>/trigger_plugins/
  • Change to the ‘/dnif/<D-Key>/trigger_plugins’ directory:
cd /dnif/<D-Key>/trigger_plugins/
  • Extract trendmicro-epp.tar.gz:
tar -xvzf trendmicro-epp.tar.gz
  • Change to the ‘/dnif/<D-Key>/trigger_plugins/trendmicro-epp/’ directory and edit the dnifconfig.yml configuration file.

  • Replace each <Add_your_TrendMicro_*> tag with your Trend Micro URL, application ID and API key:

trigger_plugin:
  TM_URL: <Add_your_TrendMicro_URL>
  TM_APP_ID: <Add_your_TrendMicro_ApplicationID>
  TM_API_KEY: <Add_your_TrendMicro_API_KEY>
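Two points of the procedure above deserve care on a production box: the archive is unpacked with tar straight into /dnif/<D-Key>/trigger_plugins/, and the rendered dnifconfig.yml ends up holding the Trend Micro API key. The following is an added example written for this page, not DNIF's own installer: it unpacks the plugin archive while refusing members that would escape the target directory, fills the three <Add_your_TrendMicro_*> tags from environment variables so the key never appears on a command line, and restricts the rendered file to its owner. The file names and tags are the page's own; the archive and configuration it builds are constructed stand-ins for the real trendmicro-epp.tar.gz.

```python
"""Added example (not DNIF code): unpack trendmicro-epp.tar.gz safely and render
dnifconfig.yml from environment variables. SAMPLE_CONFIG and make_sample_tarball()
are constructed stand-ins for the real plugin archive."""
import io
import os
import stat
import tarfile
import tempfile
from pathlib import Path

# Tag in the shipped dnifconfig.yml -> environment variable that supplies the value
PLACEHOLDERS = {
    "<Add_your_TrendMicro_URL>": "TM_URL",
    "<Add_your_TrendMicro_ApplicationID>": "TM_APP_ID",
    "<Add_your_TrendMicro_API_KEY>": "TM_API_KEY",
}

# Constructed copy of the template the page shows; stands in for the shipped file
SAMPLE_CONFIG = """trigger_plugin:
  TM_URL: <Add_your_TrendMicro_URL>
  TM_APP_ID: <Add_your_TrendMicro_ApplicationID>
  TM_API_KEY: <Add_your_TrendMicro_API_KEY>
"""


def safe_extract(tar_path, plugins_dir):
    """Unpack the archive into plugins_dir (/dnif/<D-Key>/trigger_plugins/ on a
    real host), refusing any member that resolves outside it or that is a link."""
    dest = Path(plugins_dir).resolve()
    with tarfile.open(tar_path, "r:gz") as tf:
        for member in tf.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"refusing {member.name!r}: escapes {dest}")
            if member.issym() or member.islnk():
                raise ValueError(f"refusing {member.name!r}: links are not expected in the plugin archive")
        if hasattr(tarfile, "data_filter"):   # Python 3.12+: tarfile enforces the same rules itself
            tf.extractall(dest, filter="data")
        else:
            tf.extractall(dest)
    return dest / "trendmicro-epp"


def render_config(config_path, env):
    """Replace the <Add_your_TrendMicro_*> tags from env and restrict the file
    to its owner (0600): once rendered it holds the API key."""
    path = Path(config_path)
    text = path.read_text()
    missing = [var for tag, var in PLACEHOLDERS.items() if tag in text and var not in env]
    if missing:
        raise KeyError("set these variables before installing: " + ", ".join(missing))
    for tag, var in PLACEHOLDERS.items():
        if tag in text:
            text = text.replace(tag, env[var])
    path.write_text(text)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return text


def install_plugin(tar_path, plugins_dir, env):
    plugin_dir = safe_extract(tar_path, plugins_dir)
    config = plugin_dir / "dnifconfig.yml"
    rendered = render_config(config, env)
    return {"config": rendered, "mode": stat.S_IMODE(config.stat().st_mode)}


def make_sample_tarball(out_dir, member="trendmicro-epp/dnifconfig.yml"):
    """Constructed archive standing in for trendmicro-epp.tar.gz; a hostile
    member name such as '../evil.yml' models a tampered download."""
    tar_path = Path(out_dir) / "trendmicro-epp.tar.gz"
    data = SAMPLE_CONFIG.encode()
    with tarfile.open(tar_path, "w:gz") as tf:
        info = tarfile.TarInfo(member)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return tar_path


def run_example():
    """End-to-end run in a temp dir playing the role of /var/tmp and /dnif/<D-Key>/."""
    env = {"TM_URL": "https://apex-central.example.test",
           "TM_APP_ID": "example-app-id", "TM_API_KEY": "example-api-key"}
    with tempfile.TemporaryDirectory() as tmp:
        staging, plugins = Path(tmp) / "var_tmp", Path(tmp) / "trigger_plugins"
        staging.mkdir()
        plugins.mkdir()
        result = install_plugin(make_sample_tarball(staging), plugins, env)
        hostile = Path(tmp) / "hostile"
        hostile.mkdir()
        try:
            safe_extract(make_sample_tarball(hostile, member="../evil.yml"), plugins)
            result["traversal_blocked"] = False
        except ValueError:
            result["traversal_blocked"] = True
        return result
```

On a real host, run it with TM_URL, TM_APP_ID and TM_API_KEY exported in the environment of the session rather than passed as arguments, so the key does not land in shell history or process listings.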
