Trend Micro DDAN

Integration version: 3.0

Configure Trend Micro DDAN integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Name | Type | Default Value | Is Mandatory | Description
API Root | String | https://IP_ADDRESS | Yes | API root of the Trend Micro DDAN instance.
API Key | Password | N/A | Yes | API key of the Trend Micro DDAN instance.
Verify SSL | Checkbox | Checked | No | If enabled, verifies that the SSL certificate for the connection to the Trend Micro DDAN server is valid.

Actions

Ping

Test connectivity to Trend Micro DDAN with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Run On

This action doesn't run on entities and has no mandatory input parameters.

Action Results

Script Result
Script result name | Value options | Example
is_success | True/False | is_success:False
Case Wall
Result Type | Value / Description | Type
Output message* | see below | General

The action should neither fail nor stop a playbook execution:

If successful: "Successfully connected to the Trend Micro DDAN server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the Trend Micro DDAN server! Error is {0}".format(exception.stacktrace)

Submit File

Submit files in Trend Micro DDAN.

Parameters

Parameter Name | Type | Default Value | Is Mandatory | Description
File URLs | CSV | N/A | Yes | Specify a comma-separated list of URLs that point to the files that need to be analyzed.
Fetch Event Log | Checkbox | Checked | No | If enabled, the action fetches event logs related to the files.
Fetch Suspicious Objects | Checkbox | Checked | No | If enabled, the action fetches suspicious objects related to the files.
Fetch Sandbox Screenshot | Checkbox | Unchecked | No | If enabled, the action tries to fetch a sandbox screenshot related to the files.
Resubmit File | Checkbox | Checked | No | If enabled, the action doesn't check whether the file was already submitted previously and submits it again.
Max Event Logs To Return | Integer | 50 | No | Specify the number of event logs to return. Maximum: 200.
Max Suspicious Objects To Return | Integer | 50 | No | Specify the number of suspicious objects to return. Maximum: 200.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script result name | Value options | Example
is_success | True/False | is_success:False
JSON Result
{
    "REPORTS": {
        "IMAGE_TYPE": {
            "TYPE": "Windows 10"
        },
        "OVERALL_RISK_LEVEL": -19,
        "FILE_ANALYZE_REPORT": {
            "FileSHA1": "2C2218022BC734EFF94290199C2CDC46E9531F9B",
            "FileMD5": "6061C079AFC5B3198F2752F875513E58",
            "FileSHA256": "6CE4952C2EE4D70CBC3B4276007D0815C03FA0E87E209DF7B901D143C06859AA",
            "FileTLSH": "",
            "FileID": "3315_0001",
            "OrigFileName": "https://example.com/",
            "DownloadedFileName": "",
            "MalwareSourceIP": "",
            "MalwareSourceHost": "",
            "ROZRating": -19,
            "CensusPrevalence": -1,
            "GRIDIsKnownGood": -1,
            "AuthenticodeIsGood": 0,
            "IsAllowed": 0,
            "IsDenylisted": 0,
            "OverallROZRating": -19,
            "AnalyzeTime": "2022-11-07 15:39:24",
            "VirusDetected": 0,
            "EngineVersion": "",
            "PatternVersion": "",
            "VirusName": "",
            "TrueFileType": "URL",
            "FileSize": 0,
            "PcapReady": 0,
            "SandcastleClientVersion": "6.0.5511",
            "AnalyzeStartTime": "2022-11-07 15:39:23",
            "ParentChildRelationship": "",
            "DuplicateSHA1": 0,
            "ConnectionMode": "nat",
            "ExternalServiceMode": "Global",
            "DiagInfo": "",
            "RedirectChain": {
                "Connection": {
                    "ID": 1,
                    "URL": "https://example.com",
                    "WRSScore": 71,
                    "WRSCategoryID": 93,
                    "WRSCategoryName": "Newly Observed Domain",
                    "ThreatName": "",
                    "RedirectFrom": ""
                }
            },
            "DroppedFiles": "",
            "USandboxVersion": "5.8.1044"
        },
        "EXTRA_INFO": {
            "VAAnalysisTime": 96,
            "TotalProcessingTime": 97
        }
    },
    "Screenshot": "",
    "EventLog": [
        {
            "EventLog": {
                "Date": "2022-11-07 15:37:49+00",
                "Source": 1,
                "SubmitDate": "2022-11-07 15:37:49.618895+00",
                "ProtocolGroup": "",
                "Protocol": "",
                "VLANId": "",
                "Direction": "",
                "DstIP": "",
                "DstIPStr": "",
                "DstPort": "",
                "DstMAC": "",
                "SrcIP": "",
                "SrcIPStr": "",
                "SrcPort": "",
                "SrcMAC": "",
                "DomainName": "",
                "HostName": "",
                "DetectionName": "",
                "RiskTypeGroup": "",
                "RiskType": "",
                "FileName": "",
                "FileExt": "",
                "TrueFileType": "",
                "FileSize": "",
                "RuleID": "",
                "Description": "Dummy log content",
                "ConfidenceLevel": "",
                "Recipient": "",
                "Sender": "",
                "Subject": "",
                "BOTCmd": "",
                "BOTUrl": "",
                "ChannelName": "",
                "NickName": "",
                "URL": "https://example.com",
                "UserName": "",
                "Authentication": "",
                "UserAgent": "",
                "TargetShare": "",
                "DetectedBy": "",
                "PotentialRisk": "",
                "HasQFile": "",
                "ServerName": "",
                "MessageID": "",
                "EngineVer": "",
                "PatternNum": "",
                "VirusType": "",
                "EngineVirusMajorType": ""
            }
        }
    ],
    "SuspiciousObjects": ""
}
Case Wall
Result Type | Value / Description | Type
Output message* | see below | General

The action should neither fail nor stop a playbook execution:

If a report was returned (is_success=true): "Successfully analyzed the following URLs in Trend Micro DDAN: SUCCESSFUL_URLS"

If no report was returned for some of the URLs (is_success=true): "Action wasn't able to return results for the following URLs in Trend Micro DDAN: SUCCESSFUL_URLS"

If no report was returned for any of the URLs (is_success=true): "No results for the provided URLs."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or another error is reported: Error executing action "Submit File URL". Reason: {0}''.format(error.Stacktrace)

Submit File URL

Submit files for analysis by URL in Trend Micro DDAN.

Parameters

Parameter Name | Type | Default Value | Is Mandatory | Description
File URLs | CSV | N/A | Yes | Specify a comma-separated list of URLs that point to the files that need to be analyzed.
Fetch Event Log | Checkbox | Checked | No | If enabled, the action fetches event logs related to the files.
Fetch Suspicious Objects | Checkbox | Checked | No | If enabled, the action fetches suspicious objects related to the files.
Fetch Sandbox Screenshot | Checkbox | Unchecked | No | If enabled, the action tries to fetch a sandbox screenshot related to the files.
Resubmit File | Checkbox | Checked | No | If enabled, the action doesn't check whether the file was already submitted previously and submits it again.
Max Event Logs To Return | Integer | 50 | No | Specify the number of event logs to return. Maximum: 200.
Max Suspicious Objects To Return | Integer | 50 | No | Specify the number of suspicious objects to return. Maximum: 200.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script result name | Value options | Example
is_success | True/False | is_success:False
JSON Result
{
    "REPORTS": {
        "IMAGE_TYPE": {
            "TYPE": "Windows 10"
        },
        "OVERALL_RISK_LEVEL": -19,
        "FILE_ANALYZE_REPORT": {
            "FileSHA1": "2C2218022BC734EFF94290199C2CDC46E9531F9B",
            "FileMD5": "6061C079AFC5B3198F2752F875513E58",
            "FileSHA256": "6CE4952C2EE4D70CBC3B4276007D0815C03FA0E87E209DF7B901D143C06859AA",
            "FileTLSH": "",
            "FileID": "3315_0001",
            "OrigFileName": "https://example.com",
            "DownloadedFileName": "",
            "MalwareSourceIP": "",
            "MalwareSourceHost": "",
            "ROZRating": -19,
            "CensusPrevalence": -1,
            "GRIDIsKnownGood": -1,
            "AuthenticodeIsGood": 0,
            "IsAllowed": 0,
            "IsDenylisted": 0,
            "OverallROZRating": -19,
            "AnalyzeTime": "2022-11-07 15:39:24",
            "VirusDetected": 0,
            "EngineVersion": "",
            "PatternVersion": "",
            "VirusName": "",
            "TrueFileType": "URL",
            "FileSize": 0,
            "PcapReady": 0,
            "SandcastleClientVersion": "6.0.5511",
            "AnalyzeStartTime": "2022-11-07 15:39:23",
            "ParentChildRelationship": "",
            "DuplicateSHA1": 0,
            "ConnectionMode": "nat",
            "ExternalServiceMode": "Global",
            "DiagInfo": "",
            "RedirectChain": {
                "Connection": {
                    "ID": 1,
                    "URL": "https://example.com",
                    "WRSScore": 71,
                    "WRSCategoryID": 93,
                    "WRSCategoryName": "Newly Observed Domain",
                    "ThreatName": "",
                    "RedirectFrom": ""
                }
            },
            "DroppedFiles": "",
            "USandboxVersion": "5.8.1044"
        },
        "EXTRA_INFO": {
            "VAAnalysisTime": 96,
            "TotalProcessingTime": 97
        }
    },
    "Screenshot": "{base64 of }",
    "EventLog": [
        {
            "EventLog": {
                "Date": "2022-11-07 15:37:49+00",
                "Source": 1,
                "SubmitDate": "2022-11-07 15:37:49.618895+00",
                "ProtocolGroup": "",
                "Protocol": "",
                "VLANId": "",
                "Direction": "",
                "DstIP": "",
                "DstIPStr": "",
                "DstPort": "",
                "DstMAC": "",
                "SrcIP": "",
                "SrcIPStr": "",
                "SrcPort": "",
                "SrcMAC": "",
                "DomainName": "",
                "HostName": "",
                "DetectionName": "",
                "RiskTypeGroup": "",
                "RiskType": "",
                "FileName": "",
                "FileExt": "",
                "TrueFileType": "",
                "FileSize": "",
                "RuleID": "",
                "Description": "Dummy log content",
                "ConfidenceLevel": "",
                "Recipient": "",
                "Sender": "",
                "Subject": "",
                "BOTCmd": "",
                "BOTUrl": "",
                "ChannelName": "",
                "NickName": "",
                "URL": "https://example.com",
                "UserName": "",
                "Authentication": "",
                "UserAgent": "",
                "TargetShare": "",
                "DetectedBy": "",
                "PotentialRisk": "",
                "HasQFile": "",
                "ServerName": "",
                "MessageID": "",
                "EngineVer": "",
                "PatternNum": "",
                "VirusType": "",
                "EngineVirusMajorType": ""
            }
        }
    ],
    "SuspiciousObjects": ""
}
Case Wall
Result Type | Value / Description | Type
Output message* | see below | General

The action should neither fail nor stop a playbook execution:

If a report was returned (is_success=true): "Successfully analyzed the following URLs in Trend Micro DDAN: SUCCESSFUL_URLS"

If no report was returned for some of the URLs (is_success=true): "Action wasn't able to return results for the following URLs in Trend Micro DDAN: SUCCESSFUL_URLS"

If no report was returned for any of the URLs (is_success=true): "No results for the provided URLs."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or another error is reported: Error executing action "Submit File URL". Reason: {0}''.format(error.Stacktrace)
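The JSON result returned by the Submit File and Submit File URL actions has a few quirks a playbook step has to handle before it can branch on it: empty collections such as SuspiciousObjects and DroppedFiles arrive as "" rather than [], a single redirect hop arrives as a bare object under RedirectChain.Connection rather than a list, each event log entry is wrapped in its own {"EventLog": {...}} envelope, and the sandbox screenshot (when Fetch Sandbox Screenshot is enabled) is base64 text. The helper below, written here as an added example and not part of the integration or of Trend Micro's code, normalises the result shape shown above and derives a small triage summary. The sample input is constructed from the JSON result on this page; the "needs_review" rule and the treatment of "Newly Observed Domain" as review-worthy are assumptions made for illustration, not DDAN's own risk mapping.

```python
"""Normalise and triage the JSON result of the DDAN "Submit File" / "Submit File URL"
actions. Added example; not part of the Google SecOps integration or of DDAN itself.
The review rule below is an assumption for illustration, not DDAN's risk mapping."""
import base64
from typing import Any, Dict, List, Optional

# Constructed sample, trimmed from the JSON result shown on this page.
SAMPLE_RESULT: Dict[str, Any] = {
    "REPORTS": {
        "IMAGE_TYPE": {"TYPE": "Windows 10"},
        "OVERALL_RISK_LEVEL": -19,
        "FILE_ANALYZE_REPORT": {
            "FileSHA1": "2C2218022BC734EFF94290199C2CDC46E9531F9B",
            "FileMD5": "6061C079AFC5B3198F2752F875513E58",
            "FileSHA256": "6CE4952C2EE4D70CBC3B4276007D0815C03FA0E87E209DF7B901D143C06859AA",
            "OrigFileName": "https://example.com",
            "IsAllowed": 0,
            "IsDenylisted": 0,
            "VirusDetected": 0,
            "VirusName": "",
            "TrueFileType": "URL",
            "DuplicateSHA1": 0,
            "RedirectChain": {
                "Connection": {
                    "ID": 1, "URL": "https://example.com", "WRSScore": 71,
                    "WRSCategoryID": 93, "WRSCategoryName": "Newly Observed Domain",
                    "ThreatName": "", "RedirectFrom": "",
                }
            },
            "DroppedFiles": "",
        },
    },
    "Screenshot": "",
    "EventLog": [{"EventLog": {"Date": "2022-11-07 15:37:49+00", "DetectionName": "",
                                "Description": "Dummy log content",
                                "URL": "https://example.com"}}],
    "SuspiciousObjects": "",
}


def as_list(value: Any) -> List[Any]:
    """DDAN emits "" for an empty collection and a bare object for a single
    element (see RedirectChain.Connection); normalise both to a list."""
    if value in ("", None):
        return []
    if isinstance(value, dict):
        return [value]
    return list(value)


def event_logs(result: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Unwrap the {"EventLog": {...}} envelope around each event log entry."""
    return [entry.get("EventLog", entry) for entry in as_list(result.get("EventLog"))]


def redirect_chain(result: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the WRS-rated redirect hops as a list, even when there is one hop."""
    report = result["REPORTS"]["FILE_ANALYZE_REPORT"]
    return as_list((report.get("RedirectChain") or {}).get("Connection"))


def screenshot_bytes(result: Dict[str, Any]) -> Optional[bytes]:
    """Decode the base64 sandbox screenshot, or None when none was fetched."""
    data = result.get("Screenshot") or ""
    return base64.b64decode(data) if data else None


def triage(result: Dict[str, Any]) -> Dict[str, Any]:
    """Collect indicators and flags a playbook can branch on."""
    report = result["REPORTS"]["FILE_ANALYZE_REPORT"]
    flags: List[str] = []
    if report.get("IsDenylisted"):
        flags.append("denylisted")
    if report.get("VirusDetected"):
        flags.append(f"virus:{report.get('VirusName') or 'unnamed'}")
    for hop in redirect_chain(result):
        if hop.get("ThreatName"):
            flags.append(f"wrs_threat:{hop['ThreatName']}")
        # Assumption for illustration: a newly observed domain is worth a look.
        if hop.get("WRSCategoryName") == "Newly Observed Domain":
            flags.append(f"newly_observed_domain:{hop.get('URL')}")
    for log in event_logs(result):
        if log.get("DetectionName"):
            flags.append(f"detection:{log['DetectionName']}")
    return {
        "sha256": report.get("FileSHA256"),
        "sha1": report.get("FileSHA1"),
        "md5": report.get("FileMD5"),
        "true_file_type": report.get("TrueFileType"),
        "image": result["REPORTS"].get("IMAGE_TYPE", {}).get("TYPE"),
        "overall_risk_level": result["REPORTS"].get("OVERALL_RISK_LEVEL"),
        "duplicate_sha1": bool(report.get("DuplicateSHA1")),
        "allowed": bool(report.get("IsAllowed")),
        "suspicious_objects": as_list(result.get("SuspiciousObjects")),
        "dropped_files": as_list(report.get("DroppedFiles")),
        "flags": flags,
        # Assumed rule: anything flagged and not explicitly allowed goes to an analyst.
        "needs_review": bool(flags) and not report.get("IsAllowed"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RESULT), indent=2))
```

In a playbook, feed the action's JSON result into triage() and branch on "needs_review" and "flags"; iterating over as_list(...) rather than the raw fields keeps the step from crashing on the "" that DDAN returns when a list is empty.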