Table of contents

Trend Vision One extended detection and response (XDR) custom script

Custom script tasks are only available for Trend Cloud One - Endpoint & Workload Security customers using Deep Security Agent version 20.0.0-5137 or later for Linux and Windows.

PowerShell scripts executed on Windows endpoints have the following recommendations:

  • The target endpoint's PowerShell execution policy should be set to RemoteSigned to prevent scripts from being blocked. RemoteSigned is the default execution policy.
  • The PowerShell session language mode should be set to FullLanguage to prevent scripts from being blocked. FullLanguage is the default language mode for default sessions on all versions of Windows except for Windows RT.
  • The script file must not include interactive functions. Because scripts run in silent mode, interactive functions will cause scripts to time out.

To learn more about the above settings, see Microsoft PowerShell official documentation.

Remote custom scripts allow users with Master Administrator and Security Analyst roles to directly access target endpoints to run previously uploaded PowerShell and Bash script files.

Run a remote custom script task

In Trend Vision One, execute a PowerShell or Bash script on a target endpoint:

  1. Identify the endpoint you want to investigate and access the context or response menu and select Run Remote Custom Script.

    The Run Remote Custom Script Task screen appears and Trend Vision One attempts to connect to the endpoint.

    Trend Vision One only permits you to execute one custom script file per session. The target endpoint must be online in order to connect successfully.

  2. Select a custom script file from the list.

    To add a custom script, click Go to Custom Scripts management to open the Response Management application in a new browser tab. Select the Custom Scripts tab and upload the new script.

  3. Optionally, specify arguments you want added to the script during execution. Arguments are limited to 8000 characters maximum.

  4. Optionally, specify a Description for the response or event.

  5. Click Create.

    Trend Vision One creates the task and displays the current command status in the Response Management app.

  6. Monitor the task status from the Response Management application.

  7. Optionally, retrieve the session history as a TXT file:

    • Use the Search field or select Run Remote Custom Script from the Action list.
    • Select Task ID and click Details > Download and save the file.

Task statuses include:

  • In Progress icon In progress: Trend Vision One sent the command to the managing server and is waiting for a response.
  • Successful icon Successful: The managing server successfully received the command.
  • Unsuccessful icon Unsuccessful: An error or time-out occurred when attempting to send the command to the managing server, the Security Agent is offline for more than 12 hours, or the command execution timed out.

Trigger a custom script using Remote Shell

You can trigger a custom scripts using the Remote Shell run command. For more information, see Remote Shell.