Good afternoon,
I am trying to create a job in SecOps that lets me close alerts in TrendVisionOne. I successfully connected to Trend with this code:
```python
from SiemplifyJob import SiemplifyJob
from SiemplifyUtils import output_handler
from TrendVisionOneManager import TrendVisionOneManager
from UtilsManager import validate_response
from datetime import datetime, timedelta, timezone

SCRIPT_NAME = "Sync_Alerts_to_Trend"


@output_handler
def main():
    siemplify = SiemplifyJob()
    siemplify.script_name = SCRIPT_NAME
    try:
        # === Configure connection to Trend Vision One ===
        API_ROOT = siemplify.extract_job_param("API Root", input_type=str, default_value=".", is_mandatory=False, print_value=True)
        API_TOKEN = siemplify.extract_job_param("API Token", input_type=str, default_value=".", is_mandatory=False, print_value=False)
        VERIFY_SSL = siemplify.extract_job_param("Verify SSL", input_type=bool, default_value=True, is_mandatory=False, print_value=True)

        manager = TrendVisionOneManager(
            api_root=API_ROOT,
            api_token=API_TOKEN,
            verify_ssl=VERIFY_SSL,
            siemplify=siemplify
        )
        siemplify.LOGGER.info("🚀 TrendVisionOneManager successfully started.")
    except Exception as e:
        siemplify.LOGGER.error(f"❌ Error in job: {e}")
        siemplify.LOGGER.exception(e)

    siemplify.LOGGER.info("✅ Job successfully completed.")


if __name__ == "__main__":
    main()
```
Now I want to close an alert whose id field I know. I know that the alerts in TrendVisionOne have a dictionary like this:
- raw_data: dict
  - schemaVersion: str
  - id: str
  - investigationStatus: str
  - status: str
  - investigationResult: str
  - workbenchLink: str
  - alertProvider: str
  - modelId: str
  - model: str
  - modelType: str
  - score: int
  - severity: str
  - createdDateTime: str
  - updatedDateTime: str
  - ownerIds: list
  - incidentId: str
  - impactScope: dict
    - desktopCount: int
    - serverCount: int
    - accountCount: int
    - emailAddressCount: int
    - containerCount: int
    - cloudIdentityCount: int
    - entities: list (list of 3 elements)
      - entityType: str
      - entityValue: str
      - entityId: str
      - relatedEntities: list (list of 1 element)
      - relatedIndicatorIds: list
      - provenance: list (list of 1 element)
  - description: str
  - matchedRules: list (list of 1 element)
    - id: str
    - name: str
    - matchedFilters: list (list of 1 element)
      - id: str
      - name: str
      - matchedDateTime: str
      - mitreTechniqueIds: list (list of 1 element)
      - matchedEvents: list (list of 1 element)
        - uuid: str
        - matchedDateTime: str
        - type: str
  - indicators: list (list of 22 elements)
    - id: int
    - type: str
    - field: str
    - value: str
    - relatedEntities: list (list of 1 element)
    - filterIds: list (list of 1 element)
    - provenance: list (list of 1 element)
- flat_raw_data: dict
  - schemaVersion: str
  - id: str
  - investigationStatus: str
  - status: str
  - investigationResult: str
  - workbenchLink: str
  - alertProvider: str
  - modelId: str
  - model: str
  - modelType: str
  - score: str
  - severity: str
  - createdDateTime: str
  - updatedDateTime: str
  - incidentId: str
  - impactScope_desktopCount: str
  - impactScope_serverCount: str
  - impactScope_accountCount: str
  - impactScope_emailAddressCount: str
  - impactScope_containerCount: str
  - impactScope_cloudIdentityCount: str
  - impactScope_entities_1_entityType: str
  - impactScope_entities_1_entityValue: str
  - impactScope_entities_1_entityId: str
  - impactScope_entities_1_relatedEntities_1: str
  - impactScope_entities_1_provenance_1: str
  - impactScope_entities_2_entityType: str
  - impactScope_entities_2_entityValue: str
  - impactScope_entities_2_entityId: str
  - impactScope_entities_2_relatedEntities_1: str
  - impactScope_entities_2_relatedIndicatorIds_1: str
  - impactScope_entities_2_relatedIndicatorIds_2: str
  - impactScope_entities_2_relatedIndicatorIds_3: str
  - impactScope_entities_2_relatedIndicatorIds_4: str
  - impactScope_entities_2_relatedIndicatorIds_5: str
  - impactScope_entities_2_relatedIndicatorIds_6: str
  - impactScope_entities_2_relatedIndicatorIds_7: str
  - impactScope_entities_2_relatedIndicatorIds_8: str
  - impactScope_entities_2_relatedIndicatorIds_9: str
  - impactScope_entities_2_relatedIndicatorIds_10: str
  - impactScope_entities_2_relatedIndicatorIds_11: str
  - impactScope_entities_2_relatedIndicatorIds_12: str
  - impactScope_entities_2_relatedIndicatorIds_13: str
  - impactScope_entities_2_relatedIndicatorIds_14: str
  - impactScope_entities_2_relatedIndicatorIds_15: str
  - impactScope_entities_2_provenance_1: str
  - impactScope_entities_2_provenance_2: str
  - impactScope_entities_2_managementScopeGroupId: str
  - impactScope_entities_3_entityType: str
  - impactScope_entities_3_entityValue: str
  - impactScope_entities_3_entityId: str
  - impactScope_entities_3_relatedIndicatorIds_1: str
  - impactScope_entities_3_relatedIndicatorIds_2: str
  - impactScope_entities_3_relatedIndicatorIds_3: str
  - impactScope_entities_3_relatedIndicatorIds_4: str
  - impactScope_entities_3_relatedIndicatorIds_5: str
  - impactScope_entities_3_relatedIndicatorIds_6: str
  - impactScope_entities_3_relatedIndicatorIds_7: str
  - impactScope_entities_3_relatedIndicatorIds_8: str
  - impactScope_entities_3_relatedIndicatorIds_9: str
  - impactScope_entities_3_relatedIndicatorIds_10: str
  - impactScope_entities_3_provenance_1: str
  - impactScope_entities_3_provenance_2: str
  - description: str
  - matchedRules_1_id: str
  - matchedRules_1_name: str
  - matchedRules_1_matchedFilters_1_id: str
  - matchedRules_1_matchedFilters_1_name: str
  - matchedRules_1_matchedFilters_1_matchedDateTime: str
  - matchedRules_1_matchedFilters_1_mitreTechniqueIds_1: str
  - matchedRules_1_matchedFilters_1_matchedEvents_1_uuid: str
  - matchedRules_1_matchedFilters_1_matchedEvents_1_matchedDateTime: str
  - matchedRules_1_matchedFilters_1_matchedEvents_1_type: str
  - indicators_1_id: str
  - indicators_1_type: str
  - indicators_1_field: str
  - indicators_1_value: str
  - indicators_1_relatedEntities_1: str
  - indicators_1_filterIds_1: str
  - indicators_1_provenance_1: str
  - ... (continues up to indicators_22)
- alert_id: str
- model: str
- description: str
- severity: str
- created_datetime: int
- events: list
Is there any way to create a job that lets me close the alert in TrendVisionOne from SecOps? And if so, what are the necessary fields that must be included from the dictionary in order for it to work? And what value must it be changed to? (For example, if the "status" field must be changed so the alert gets closed in Trend, does it have to change to "Resolved", "Closed" or something else?)
Any help will be appreciated!
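As an added example (not part of the original post and not the connector's own `TrendVisionOneManager` code), here is how a job can turn the alert dict shown above into a close request while staying idempotent and safe against concurrent edits. The endpoint path, the lowercase `status` value `closed`, the `investigationResult` values and the `If-Match` ETag header are assumptions taken from the Trend Vision One v3 Workbench API and should be verified against the API reference before use; the alert and the transport are constructed stand-ins.

```python
import json
from typing import Callable, Optional

# Assumed (verify against the Trend Vision One v3 API reference).
CLOSE_PATH = "/v3.0/workbench/alerts/{alert_id}"
VALID_RESULTS = {"true_positive", "false_positive", "benign_true_positive",
                 "noteworthy", "other_findings", "no_findings"}

def build_close_request(alert: dict, api_root: str, api_token: str, etag: str,
                        investigation_result: str = "true_positive") -> Optional[dict]:
    """Map a SecOps alert dict (raw_data.id / raw_data.status, as listed in the
    post) to a PATCH request that closes it; None when there is nothing to do."""
    raw = alert.get("raw_data", {})
    alert_id = raw.get("id") or alert.get("alert_id")
    if not alert_id:
        raise ValueError("alert has no id")
    if investigation_result not in VALID_RESULTS:
        raise ValueError(f"unsupported investigationResult: {investigation_result}")
    if str(raw.get("status", "")).lower() == "closed":
        return None  # idempotent: already closed, do not re-patch
    return {
        "method": "PATCH",
        "url": api_root.rstrip("/") + CLOSE_PATH.format(alert_id=alert_id),
        "headers": {"Authorization": f"Bearer {api_token}",
                    "Content-Type": "application/json",
                    "If-Match": etag},  # only update the revision we read
        "body": json.dumps({"status": "closed",
                            "investigationResult": investigation_result}),
    }

def close_alert(alert: dict, api_root: str, api_token: str, etag: str,
                send: Callable[[dict], int],
                investigation_result: str = "true_positive") -> str:
    """Run the close through an injected transport and return an outcome label
    the job can log, rather than raising on expected API answers."""
    req = build_close_request(alert, api_root, api_token, etag, investigation_result)
    if req is None:
        return "skipped_already_closed"
    code = send(req)
    if code in (200, 204):
        return "closed"
    if code == 412:
        return "stale_etag_refetch"  # alert changed since the ETag was read
    return f"failed_{code}"

# Constructed sample alert and a constructed stand-in for the HTTP client.
SAMPLE_ALERT = {"raw_data": {"id": "WB-CONSTRUCTED-0001", "status": "open",
                             "investigationStatus": "New"}}

def fake_send(req: dict) -> int:
    body = json.loads(req["body"])
    ok = req["method"] == "PATCH" and "If-Match" in req["headers"] and body["status"] == "closed"
    return 200 if ok else 400
```

In a real job, the ETag comes from the GET of the same alert immediately before the PATCH, and a 412 should trigger a re-read rather than a blind retry.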