Retrieves summary and reputation data, and returns a list of objects included in the root cause chain of the investigation specified.
HTTP Request
PUT /WebApp/OSCE_iES/OsceIes/ApiEntry
Parameters
The HTTP request body must contain all required parameters.
| Name | Type | Description |
|---|---|---|
| Required Parameters | | |
| Url | String | Specifies the Endpoint Sensor API request to query |
| TaskType | Integer | Type of API request. For Endpoint Sensor, the value is always 4. For available values, see Threat Investigation API Task Types. |
| Payload | Object | Payload of the request |
| scanSummaryGuid | String | GUID of the investigation summary to retrieve |
| agentGuid | String | GUID of the target endpoint |
| serverGuid | String array | GUID of the target server |
HTTP Request Example
PUT /WebApp/OSCE_iES/OsceIes/ApiEntry
HTTP Request Body
Specify a JSON object containing the following HTTP request body:
```json
{
  "Url": "V1/Task/ShowFootPrintChain",
  "TaskType": 4,
  "Payload": {
    "serverGuid": [ "2EBEC86D-3FEB-4666-9CA6-B80AB1E193E6" ],
    "agentGuid": "654B1B52-C3C9-4405-B133-48E2353DA13B",
    "scanSummaryGuid": "58127b3e-1bde-4c6e-8d86-0d0f89ded601"
  }
}
```
Response
If successful, this method returns an HTTP status code of "200", result code of "0", and a response body with the following structure:
The API response may return empty results if the task specified is still ongoing. To monitor the progress of the task and verify if results are ready, use the taskId from the response to call the ShowContent API.
For details, see ShowContent.
```json
{
  "Data": {
    "Code": 0,
    "CodeType": 1,
    "Message": "OK",
    "Data": {
      "taskId": "71B0FFF0-C65B-4502-B405-2404970B1D8B",
      "lastContentId": "[{ \"serverGuid\": \"2EBEC86D-3FEB-4666-9CA6-B80AB1E193E6\", \"lastContentId\": 30130, \"hasMore\": false, \"totalProgress\": 0, \"currentProgress\": 0}]",
      "hasMore": false,
      "serverName": "SAMPLE_SERVER",
      "serverGuid": "2EBEC86D-3FEB-4666-9CA6-B80AB1E193E6",
      "content": [
        {
          "statusCode": 0,
          "message": "TMSL_S_SUCCESS",
          "content": {
            "footprint": [
              { "objectNodeId": "41361", "parentNodeId": "41244", "operationType": 1, "timestamp": 1539930386, "createdBy": "", "isAVChain": true },
              { "objectNodeId": "41362", "parentNodeId": "41244", "operationType": 1, "timestamp": 1539930386, "createdBy": "", "isAVChain": false }
            ],
            "metaProperty": [
              { "metaHashId": "-2496182079651645963", "metaValue": "C:\\Program Files (x86)\\Trend Micro\\OfficeScan\\PCCSRV\\WSS\\" },
              { "metaHashId": "-5802268642344638556", "metaValue": "iCRCService.exe" },
              { "metaHashId": "1005881870920059050", "metaValue": "E79618A56858F24F14C4E3BB6C0B039246FA29AD6065BFEDA0C31964417BFC47" },
              { "metaHashId": "-4529102146130573936", "metaValue": "BDBE92094705F466D8E39783991766B5C2B1E9D1" },
              { "metaHashId": "-6177962065641712412", "metaValue": "4169C663DB11C7D877AF929BD1B2595A" },
              { "metaHashId": "-7935765538101355343", "metaValue": "Trend Micro, Inc." },
              { "metaHashId": "6636", "metaValue": "6636" },
              { "metaHashId": "2996153155457079169", "metaValue": "\"C:\\Program Files (x86)\\Trend Micro\\OfficeScan\\PCCSRV\\WSS\\iCRCService.exe\"" },
              { "metaHashId": "6314752325711353153", "metaValue": "SYSTEM" },
              { "metaHashId": "-5266231795820613969", "metaValue": "NT AUTHORITY" },
              { "metaHashId": "-3086522818343600695", "metaValue": "C:\\Program Files (x86)\\Trend Micro\\OfficeScan\\PCCSRV\\LWCS\\" },
              { "metaHashId": "3546988568951304820", "metaValue": "LWCSService.exe" },
              { "metaHashId": "-2895303478273136063", "metaValue": "69B9FA6E8A2F4C3981EB47958671F14F70EECDDD0E671A2F41C79058E9832209" },
              { "metaHashId": "2617236305917161076", "metaValue": "2DE4FF049B0F4D6ED148F411F77D5EC5CFEF2536" },
              { "metaHashId": "-5536433289243677264", "metaValue": "CA42B970294E2B25D88FA905E658E632" },
              { "metaHashId": "6688", "metaValue": "6688" },
              { "metaHashId": "-8563225389150726767", "metaValue": "\"C:\\Program Files (x86)\\Trend Micro\\OfficeScan\\PCCSRV\\LWCS\\LWCSService.exe\"" }
            ],
            "node": [
              {
                "nodeId": "41244",
                "nodeName": "services.exe",
                "nodeType": 2,
                "event": [
                  {
                    "eventId": "0",
                    "metaLinkId": 2785366296500991000,
                    "objectType": 2,
                    "operation": 1,
                    "meta": [
                      { "metaHashId": "-5349834418636952392", "metaType": 104 },
                      { "metaHashId": "-2175757065909091954", "metaType": 105 },
                      { "metaHashId": "4346264787540198193", "metaType": 118 },
                      { "metaHashId": "1006679994994412622", "metaType": 101 },
                      { "metaHashId": "5200381119426793962", "metaType": 102 },
                      { "metaHashId": "-6575892910388423387", "metaType": 107 },
                      { "metaHashId": "640", "metaType": 108 },
                      { "metaHashId": "6314752325711353153", "metaType": 300 },
                      { "metaHashId": "-5266231795820613969", "metaType": 302 }
                    ],
                    "timestamp": 1539930320,
                    "isMatched": false,
                    "isSymbolEvent": true,
                    "riskLevel": 1,
                    "isExpanded": false,
                    "rating": { "score": 1, "metaType": 101, "hasInvalidSigner": false },
                    "assessmentValue": "23036BE19298431426FD2AEE322BCE85CE553815",
                    "assessmentType": 5
                  },
                  {
                    "eventId": "86",
                    "metaLinkId": -6289113405219598000,
                    "objectType": 1,
                    "operation": 8,
                    "meta": [
                      { "metaHashId": "5991800187057662179", "metaType": 115 },
                      { "metaHashId": "-4772257846797309731", "metaType": 116 },
                      { "metaHashId": "8627432305371481955", "metaType": 118 },
                      { "metaHashId": "7834867635825532860", "metaType": 101 },
                      { "metaHashId": "8843900691366424126", "metaType": 102 }
                    ],
                    "timestamp": 1540201914,
                    "isMatched": false,
                    "isSymbolEvent": false,
                    "riskLevel": 2,
                    "isExpanded": false,
                    "rating": { "score": 0, "lowGlobalPrevalence": true, "metaType": 101, "hasInvalidSigner": false },
                    "assessmentValue": "CD5F4DD89D821A4E93A234E75F7F0F1FCE99E965",
                    "assessmentType": 5
                  }
                ],
                "riskLevel": 1,
                "groupNo": 1,
                "nodeImage": 2,
                "isAVNode": true,
                "isAVChain": true
              },
              {
                "nodeId": "41361",
                "nodeName": "iCRCService.exe",
                "nodeType": 2,
                "event": [
                  {
                    "eventId": "2",
                    "metaLinkId": 6552613549544301000,
                    "objectType": 2,
                    "operation": 1,
                    "meta": [
                      { "metaHashId": "-2496182079651645963", "metaType": 104 },
                      { "metaHashId": "-5802268642344638556", "metaType": 105 },
                      { "metaHashId": "1005881870920059050", "metaType": 118 }
                    ],
                    "timestamp": 1539930386,
                    "isMatched": false,
                    "isSymbolEvent": true,
                    "riskLevel": 1,
                    "isExpanded": false,
                    "rating": { "score": 1, "metaType": 101, "hasInvalidSigner": false },
                    "assessmentValue": "BDBE92094705F466D8E39783991766B5C2B1E9D1",
                    "assessmentType": 5
                  }
                ],
                "riskLevel": 1,
                "groupNo": 1,
                "nodeImage": 2,
                "isAVNode": false,
                "isAVChain": true
              },
              {
                "nodeId": "41362",
                "nodeName": "LWCSService.exe",
                "nodeType": 2,
                "event": [
                  {
                    "eventId": "3",
                    "metaLinkId": -2272764769042133500,
                    "objectType": 2,
                    "operation": 1,
                    "meta": [
                      { "metaHashId": "-3086522818343600695", "metaType": 104 },
                      { "metaHashId": "3546988568951304820", "metaType": 105 },
                      { "metaHashId": "-2895303478273136063", "metaType": 118 },
                      { "metaHashId": "2617236305917161076", "metaType": 101 },
                      { "metaHashId": "-5536433289243677264", "metaType": 102 },
                      { "metaHashId": "-7935765538101355343", "metaType": 107 },
                      { "metaHashId": "6688", "metaType": 108 },
                      { "metaHashId": "-8563225389150726767", "metaType": 109 },
                      { "metaHashId": "6314752325711353153", "metaType": 300 },
                      { "metaHashId": "-5266231795820613969", "metaType": 302 }
                    ],
                    "timestamp": 1539930386,
                    "isMatched": false,
                    "isSymbolEvent": true,
                    "riskLevel": 1,
                    "isExpanded": false,
                    "rating": { "score": 1, "metaType": 101, "hasInvalidSigner": false },
                    "assessmentValue": "2DE4FF049B0F4D6ED148F411F77D5EC5CFEF2536",
                    "assessmentType": 5
                  }
                ],
                "riskLevel": 1,
                "groupNo": 1,
                "nodeImage": 2,
                "isAVNode": false,
                "isAVChain": false
              }
            ],
            "group": [ { "groupNo": 1, "timestamp": 1539930320 } ],
            "exceedLeafModuleCountLimit": true,
            "matchedObject": [
              { "isSymbolEvent": true, "objectName": "cmd.exe", "nodeId": "61638", "objectType": 2, "groupNo": 1 },
              { "isSymbolEvent": true, "objectName": "cmd.exe", "nodeId": "61687", "objectType": 2, "groupNo": 1 }
            ]
          }
        }
      ]
    },
    "TimeZone": 8
  },
  "Meta": { "result": 1, "errorCode": 0, "errorMessgae": "Success" },
  "PermissionCtrl": { "permission": "255", "elements": null },
  "FeatureCtrl": { "mode": "0" },
  "SystemCtrl": { "TmcmSoDist_Role": "none" }
}
```
The following table describes the response objects specific to this API.

| Name | Type | Description |
|---|---|---|
| footprint | Object array | Container for footprint objects. Each entry indicates the relationship between two nodes in the root cause chain. |
| footprint[i].objectNodeId | String | ID of the child node |
| footprint[i].parentNodeId | String | ID of the parent node |
| footprint[i].operationType | Integer | Specifies the type of operation associated with the event. For possible values, see Threat Investigation API Operation Types. |
| footprint[i].timestamp | Integer | Date and time when the event was recorded, in unix timestamp format |
| footprint[i].createdBy | String | Parent process that created the target process, in an "association" operation |
| footprint[i].isAVChain | Boolean | Indicates whether the object is part of the path from the "matched object" to the "First Observed Object" in the chain. The isAVChain path follows every movement of an attacker, tracing a path from a start node (matched object) to a goal node (First Observed Object). |
| metaProperty | Object array | Container for metaProperty objects. Indicates the properties assigned to the object in the server metadata. |
| metaProperty[j].metaHashId | String | Unique hash ID assigned to the object |
| metaProperty[j].metaValue | String | Value of the specified metaHashId |
| node | Object array | Container for node objects. Displays details about the node objects. |
| node[k].nodeId | String | ID of the node |
| node[k].nodeName | String | Name of the node |
| node[k].nodeType | Integer | Specifies the type of object. For possible values, see Threat Investigation API Node Types. |
| node[k].event | Object array | Container for event objects |
| node[k].event[m].eventId | String | ID of the event |
| node[k].event[m].metaLinkId | Integer | ID of the meta group of an event |
| node[k].event[m].objectType | Integer | Specifies the type of object. For possible values, see Threat Investigation API Node Types. |
| node[k].event[m].operation | Integer | Specifies the type of operation associated with the event. For possible values, see Threat Investigation API Operation Types. |
| node[k].event[m].meta | Object | Container for meta objects |
| node[k].event[m].meta[n].metaHashId | String | Unique hash ID assigned to the object |
| node[k].event[m].meta[n].metaType | Integer | Specifies the type of metadata. For possible values, see Threat Investigation API Metadata Types. |
| node[k].event[m].timestamp | Integer | Date and time when the event was recorded, in unix timestamp format |
| node[k].event[m].isMatched | Boolean | Tags an event as a matched object, if both `isMatched` and `isNodeSymbol` are true |
| node[k].event[m].isSymbolEvent | Boolean | Tags an event as a represented node, if isSymbolEvent is true |
| node[k].event[m].riskLevel | Integer | Specifies the risk level of the node. For possible values, see Threat Investigation API Risk Levels. |
| node[k].event[m].isExpanded | Boolean | Tags an event as visible on the root cause chain |
| node[k].event[m].rating.score | Integer | Rating provided by Trend Micro intelligence |
| node[k].event[m].rating.metaType | Integer | Specifies the type of metadata. For possible values, see Threat Investigation API Metadata Types. |
| node[k].event[m].rating.hasInvalidSigner | Boolean | Indicates that the object has an invalid signer |
| node[k].event[m].assessmentValue | String | Value of the criteria used in the investigation |
| node[k].event[m].assessmentType | Integer | Specifies the type of criteria used in the investigation. For possible values, see Threat Investigation API Assessment Criteria Types. |
| node[k].riskLevel | Integer | Specifies the risk level of the node. For possible values, see Threat Investigation API Risk Levels. |
| node[k].groupNo | Integer | Indicates the group to which the node belongs |
| node[k].nodeImage | Integer | Specifies the image type assigned to the node. For possible values, see Threat Investigation API Node Image Types. |
| node[k].isAVNode | Boolean | Tags the node as the "First Observed Object", if isAVNode is true |
| node[k].isAVChain | Boolean | If isAVChain is true, the isAVChain property of the related nodes is also set to true |
| group[o].groupNo | Integer | Indicates the group to which the node belongs |
| group[o].timestamp | Integer | Time the event was recorded for the group, in unix timestamp format |
| exceedLeafModuleCountLimit | Boolean | Indicates that the investigation returned more than 1000 matched objects |
| matchedObject | Object array | Container for matchedObject objects |
| matchedObject[p].isSymbolEvent | Boolean | Reserved parameter |
| matchedObject[p].objectName | String | Name of the object |
| matchedObject[p].nodeId | String | ID of the node |
| matchedObject[p].objectType | Integer | Specifies the type of object. For possible values, see Threat Investigation API Node Types. |
| matchedObject[p].groupNo | Integer | Indicates the group to which the node belongs |
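The following is an added example (not Trend Micro's own code) that builds the request body from the Parameters table and walks the response's footprint, node and metaProperty arrays to reconstruct the isAVChain path and resolve a node's metadata hashes; SAMPLE is a constructed, trimmed copy of the "content" object shown in the response above.

```python
# Added example (not Trend Micro's code): walk a ShowFootPrintChain response and
# rebuild the root cause chain from the footprint, node and metaProperty arrays.
# SAMPLE is a constructed, trimmed copy of the "content" object documented above.
SAMPLE = {
    "footprint": [
        {"objectNodeId": "41361", "parentNodeId": "41244", "operationType": 1, "isAVChain": True},
        {"objectNodeId": "41362", "parentNodeId": "41244", "operationType": 1, "isAVChain": False},
    ],
    "metaProperty": [
        {"metaHashId": "-2496182079651645963", "metaValue": "C:\\Program Files (x86)\\Trend Micro\\OfficeScan\\PCCSRV\\WSS\\"},
        {"metaHashId": "-5802268642344638556", "metaValue": "iCRCService.exe"},
    ],
    "node": [
        {"nodeId": "41244", "nodeName": "services.exe", "isAVNode": True, "isAVChain": True, "event": []},
        {"nodeId": "41361", "nodeName": "iCRCService.exe", "isAVNode": False, "isAVChain": True,
         "event": [{"eventId": "2", "meta": [{"metaHashId": "-2496182079651645963", "metaType": 104},
                                             {"metaHashId": "-5802268642344638556", "metaType": 105}]}]},
        {"nodeId": "41362", "nodeName": "LWCSService.exe", "isAVNode": False, "isAVChain": False, "event": []},
    ],
}


def build_request(server_guid, agent_guid, scan_summary_guid):
    """Request body for ShowFootPrintChain, as the Parameters table describes it."""
    return {"Url": "V1/Task/ShowFootPrintChain", "TaskType": 4,
            "Payload": {"serverGuid": [server_guid], "agentGuid": agent_guid,
                        "scanSummaryGuid": scan_summary_guid}}


def av_chain(content):
    """Node names along the isAVChain edges, from the matched-object side up to the
    First Observed Object (the node with isAVNode true). Empty list if no chain."""
    names = {n["nodeId"]: n["nodeName"] for n in content["node"]}
    parent = {f["objectNodeId"]: f["parentNodeId"] for f in content["footprint"] if f["isAVChain"]}
    starts = sorted(set(parent) - set(parent.values()))  # chain nodes that are nobody's parent
    if not starts:
        return []
    path, node, seen = [], starts[0], set()
    while node and node not in seen:  # guard against a malformed, cyclic chain
        seen.add(node)
        path.append(names.get(node, node))
        node = parent.get(node)
    return path


def resolve_meta(content, node_id):
    """metaType -> metaValue for every event meta on one node, looked up via metaProperty.
    Hashes without a metaProperty entry are reported rather than silently dropped."""
    values = {m["metaHashId"]: m["metaValue"] for m in content["metaProperty"]}
    node = next(n for n in content["node"] if n["nodeId"] == node_id)
    return {m["metaType"]: values.get(m["metaHashId"], "<not in metaProperty>")
            for ev in node["event"] for m in ev["meta"]}
```

Because the sample response sets exceedLeafModuleCountLimit and its matchedObject node IDs are absent from the node array, av_chain falls back to the lowest-numbered chain node with no children as the start.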
For more information about standard responses and response codes for this API, see the following topics: