
Trend Vision One for Splunk SOAR

Trend Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response (XDR) capabilities that collect and automatically correlate data across multiple security layers—email, endpoints, servers, cloud workloads, and networks—Trend Vision One prevents the majority of attacks with automated protection.

Latest Version 2.3.0
December 4, 2024
Compatibility
Not Available
Platform Version: 6.4, 6.3, 6.2
Support
Developer Supported connector

Supported Actions

  • test connectivity: Validate the asset configuration for connectivity using supplied configuration
  • get endpoint info: Gather information about an endpoint
  • quarantine device: Quarantine the endpoint
  • unquarantine device: Unquarantine the endpoint
  • on poll: Callback action for the on_poll ingest functionality
  • status check: Checks the status of a task
  • add to blocklist: Adds an item to the Suspicious Objects list in Vision One
  • remove from blocklist: Removes an item from the Suspicious Objects list
  • quarantine email message: Quarantine the email message
  • delete email message: Delete the email message
  • terminate process: Terminate the process running on the endpoint
  • add to exception: Add object to exception list
  • delete from exception: Delete object from exception list
  • add to suspicious: Add suspicious object to suspicious list
  • delete from suspicious: Delete the suspicious object from suspicious list
  • check analysis status: Get the status of file analysis based on task id
  • download analysis report: Get the analysis report of a file based on report id
  • collect forensic file: Collect forensic file
  • forensic file info: Get the download information for collected forensic file
  • start analysis: Submit file to sandbox for analysis
  • add note: Adds a note to an existing workbench alert
  • update status: Updates the status of an existing workbench alert
  • get alert details: Displays information about the specified alert
  • urls to sandbox: Submits URLs to the sandbox for analysis
  • enable account: Allows the user to sign in to new application and browser sessions
  • disable account: Signs the user out of all active application and browser sessions, and prevents the user from signing in to any new session
  • restore email message: Restore quarantined email messages
  • sign out account: Signs the user out of all active application and browser sessions
  • force password reset: Signs the user out of all active application and browser sessions, and forces the user to create a new password during the next sign-in attempt
  • sandbox suspicious list: Downloads the suspicious object list associated with the specified object
  • sandbox analysis result: Displays the analysis results of the specified object
  • sandbox investigation package: Downloads the Investigation Package of the specified object
  • get suspicious list: Retrieves information about domains, file SHA-1, file SHA-256, IP addresses, email addresses, or URLs in the Suspicious Object List and displays the information in a paginated list
  • get exception list: Retrieves information about domains, file SHA-1, file SHA-256, IP addresses, sender addresses, or URLs in the Exception List and displays it in a paginated list
  • vault sandbox analysis: Send vault item to sandbox for analysis

Created By

SOAR Community

Type

connector

Downloads

534
