Table of contents

Trend Micro Vision One (XDR) Custom Script

Custom script tasks are only available for Trend Micro Cloud One - Workload Security customers using Deep Security Agent version 20.0.0-5137+ for Linux or Windows.

PowerShell scripts executed on Windows endpoints have the following recommendations:

  • The target endpoint's PowerShell execution policy should be set to RemoteSigned to prevent scripts from being blocked. RemoteSigned is the default execution policy.
  • The PowerShell session language mode should be set to FullLanguage to prevent scripts from being blocked. FullLanguage is the default language mode for default sessions on all versions of Windows except for Windows RT.
  • The script file must not include interactive functions. Because scripts run in silent mode, interactive functions will cause scripts to time out.

To learn more about the above settings, please consult the Microsoft PowerShell official documentation.

Remote custom scripts allow users with "Master Administrator" and "Security Analyst" roles to directly access target endpoints to run previously uploaded PowerShell and Bash script files.

Run a remote custom script task

In Trend Micro Vision One, execute a PowerShell or Bash script on a target endpoint:

  1. Identify the endpoint you want to investigate and access the context or response menu and select Run Remote Custom Script.

    The Run Remote Custom Script Task screen appears and Trend Micro Vision One attempts to connect to the endpoint.

    Trend Micro Vision One only permits you to execute one custom script file per session. The target endpoint must be online in order to connect successfully.

  2. Select a custom script file from the drop-down list.

    To add a custom script, click the Go to Custom Scripts management link to open the Response Management app in a new browser tab. Click the Custom Scripts tab and upload the new script.

  3. (Optional) Specify arguments you want added to the script during execution. Arguments are limited to 8000 characters maximum.

  4. (Optional) Specify a Description for the response or event.

  5. Click Create.

    Trend Micro Vision One creates the task and displays the current command status in the Response Management app.

  6. Monitor the task status from the Response Management app.

  7. (Optional) Retreive the session history as a TXT file:

    • Use the Search field or select Run Remote Custom Script from the Action drop-down list.
    • Select "Task ID" and click Details > Download and save the file.

Task statuses include:

  • In Progress icon In progress: Trend Micro Vision One sent the command to the managing server and is waiting for a response.
  • Successful icon Successful: The managing server successfully received the command.
  • Unsuccessful icon Unsuccessful: An error or time-out occurred when attempting to send the command to the managing server, the Security Agent is offline for more than 12 hours, or the command execution timed out.

Trigger a custom script using Remote Shell

You can trigger a custom scripts using the Remote Shell run command. For more information, see Remote Shell.