MCP.so
Sign In
Servers

Trend Vision One MCP Server

@trendmicro

The Trend Vision One Model Context Protocol (MCP) Server enables natural language interaction between your favourite AI tooling and the Trend Vision One web APIs. This allows users to harness the power of Large Language Models (LLM) to interpret and respond to security events.

The Trend Vision One Model Context Protocol (MCP) Server enables natural language interaction between your favourite AI tooling and the Trend Vision One web APIs.

This allows users to harness the power of Large Language Models (LLM) to interpret and respond to security events.

Example Use Cases

  1. Automating the retrieval and interpretation of security alerts from various Trend Vision One such tools as Workbench, Cloud Posture, and File Security.
  2. Allowing LLMs to gather information about security events and generate meaningful recommendations.
  3. Automating workflows to enhance the configuration of Trend Vision One services.
  4. Interacting with Trend Vision One web APIs without having to learn yet another company's APIs.

Security

  1. Your Trend Vision One API keys should be configured with minimial permissions.
  2. By default the MCP server runs in read-only mode. Be careful when running the server with readonly=false as it may have irreversible consequences.
  3. Data retrieved using the MCP server is processed by the LLM configured in your AI tooling. It is your responsibility to ensure that this LLM is approved by your company for processing sensitive data.
  4. This MCP server is only intended to be used with local integrations and command-line tools via the Standard Input/Output transport. You should never expose this tool to the network.

Getting Started

Prerequisites

  1. You must have a Trend Vision One account and API key.
  2. You must have credits allocated for the services you wish to interact with.
  3. Have Docker installed.
  4. Have the latest version of Visual Studio Code installed.

Use With VSCode + GitHub Copilot

Open the following link in your browser to automatically install the server configuration in Visual Studio Code.

vscode:mcp/install?%7B%22name%22%3A%22trend-vision-one-mcp%22%2C%22inputs%22%3A%5B%7B%22type%22%3A%22promptString%22%2C%22id%22%3A%22trend-vision-one-api-key%22%2C%22description%22%3A%22Trend%20Vision%20One%20API%20Key%22%2C%22password%22%3Atrue%7D%2C%7B%22type%22%3A%22promptString%22%2C%22id%22%3A%22trend-vision-one-region%22%2C%22description%22%3A%22Trend%20Vision%20One%20Region%22%7D%5D%2C%22command%22%3A%22docker%22%2C%22args%22%3A%5B%22run%22%2C%22-i%22%2C%22--rm%22%2C%22-e%22%2C%22TREND_VISION_ONE_API_KEY%22%2C%22ghcr.io%2Ftrendmicro%2Fvision-one-mcp-server%22%2C%22-region%22%2C%22%24%7Binput%3Atrend-vision-one-region%7D%22%2C%22-readonly%3Dtrue%22%5D%2C%22env%22%3A%7B%22TREND_VISION_ONE_API_KEY%22%3A%22%24%7Binput%3Atrend-vision-one-api-key%7D%22%7D%7D

When prompted, enter your Vision One API Key and your Vision One region.

Alternatively, copy the following into your settings.json.

{
    "mcp": {
        "inputs": [
            {
                "type": "promptString",
                "id": "trend-vision-one-api-key",
                "description": "Trend Vision One API Key",
                "password": true
            },
            {
                "type": "promptString",
                "id": "trend-vision-one-region",
                "description": "Trend Vision One Region"
            }
        ],
        "servers": {
            "trend-vision-one-mcp": {
                "command": "docker",
                "args": [
                    "run",
                    "-i",
                    "--rm",
                    "-e",
                    "TREND_VISION_ONE_API_KEY",
                    "ghcr.io/trendmicro/vision-one-mcp-server",
                    "-region",
                    "${input:trend-vision-one-region}",
                    "-readonly=true"
                ],
                "env": {
                    "TREND_VISION_ONE_API_KEY": "${input:trend-vision-one-api-key}"
                }
            }
        }
    },
}

Server Options

OptionDescription
-readonlySpecify whether or not the server should run in readonly mode readonly=true, readonly=false. Default true.
-regionSpecify the Trend Vision One region. Regions are: au, jp, eu, sg, in, us or mea.
-hostSet the Trend Vision One endpoint you want to use. Useful for interacting with internal environments.

Tools

Cloud Posture (Beta)

ToolDescriptionMode
cloud_posture_accounts_list(Beta) List CSPM Accounts.read
cloud_posture_account_checks_list(Beta) List the checks of an account.read
cloud_posture_account_scan(Beta) Start scanning Cloud Posture account.write
cloud_posture_account_scan_settings_get(Beta) Get the scan settings for an account.read
cloud_posture_account_scan_settings_update(Beta) Update an account's scan settings.write
cloud_posture_template_scanner_run(Beta) Scan an infrastructure as code template using the cloud posture template scanner.read
cloud_posture_custom_rules_list(Beta) Displays the custom rules of your company in a paginated list.read
cloud_posture_custom_rule_get(Beta) Returns the configuration of the specified custom rule.read
cloud_posture_custom_rule_create(Beta) Creates a custom rule for your company. Requires Master Administrator role.write
cloud_posture_custom_rule_update(Beta) Updates the specified custom rule. Requires Master Administrator role.write
cloud_posture_custom_rule_delete(Beta) Deletes the specified custom rule permanently. Requires Master Administrator role.write
cloud_posture_custom_rule_test(Beta) Tests the provided custom rule configuration against an account or mock resource data. Requires Master Administrator role.read

Identity and Access Management (IAM)

ToolDescriptionMode
iam_api_keys_listList Vision One API Keys.read
iam_api_keys_deleteDelete Vision One API Keys.write
iam_accounts_listDisplays users, groups, and invitations in the account.read
iam_account_inviteSends an invitation to the specified email address to be added as an account.write
iam_account_updateUpdates the specified account.write
iam_account_deleteDeletes the specified account.write

Workbench

ToolDescriptionMode
workbench_alerts_listList Trend Vision One Workbench Alerts.read
workbench_alert_detail_getDisplays information about the specified alert.read
workbench_observed_attack_techniques_listList observed attack techniques.read

Cyber Risk & Exposure Management (CREM)

ToolDescriptionMode
crem_attack_surface_devices_listList discovered attack surface devices.read
crem_attack_surface_domain_accounts_listList discovered attack surface domain accounts.read
crem_attack_surface_service_accounts_listList discovered service accounts.read
crem_attack_surface_global_fqdns_listList discovered internet facing domains (Fully Qualified Domain Names).read
crem_attack_surface_public_ips_listList discovered public IP addresses.read
crem_attack_surface_cloud_assets_listList discovered cloud assets.read
crem_attack_surface_high_risk_users_listList high risk users.read
crem_attack_surface_cloud_asset_profile_getGet a cloud asset's profile.read
crem_attack_surface_cloud_asset_risk_indicators_listList a cloud asset's risk indicators.read
crem_attack_surface_local_apps_listList discovered local applications.read
crem_attack_surface_local_app_profile_getGet a local app's profile.read
crem_attack_surface_local_app_risk_indicators_listList a local app's risk indicators.read
crem_attack_surface_local_app_devices_listDisplays the devices with the specified local application installed.read
crem_attack_surface_local_app_executable_files_listDisplays the local applications installed executable files.read
crem_attack_surface_custom_tags_listList tag definitions.read

Cloud Account Management (CAM)

ToolDescriptionMode
cam_alibaba_account_getGet the details of an Alibaba account managed by Cloud Account Manangement.read
cam_alibaba_accounts_listDisplays all Alibaba Cloud accounts connected to Trend Vision One in a paginated list.read
cam_aws_accounts_listList AWS accounts managed by Cloud Account Management.read
cam_aws_account_getGet the details of an AWS account managed by Cloud Account Management.read
cam_gcp_accounts_listList Google Cloud Projects managed by Cloud Account Management.read
cam_gcp_account_getGet the details of a GCP project managed by Cloud Account Manangement.read

Email Security

ToolDescriptionMode
email_security_accounts_listReturns all email accounts managed by an email protection solution or with email sensor detection enabled.read
email_security_domains_listReturns all email domains managed by an email protection solution.read
email_security_servers_listReturns all email servers managed by an on-premises email protection solution.read

Container Security

ToolDescriptionMode
container_security_ecs_clusters_listDisplays all registered Amazon Elastic Container Service (ECS) clusters in a paginated listread
container_security_image_vulnerabilities_listDisplays the container image vulnerabilities detected in Kubernetes and Amazon ECS clusters for your accountread
container_security_k8_cluster_getDisplays the details of the specified Kubernetes clusterread
container_security_k8_clusters_listDisplays all registered Kubernetes clustersread
container_security_k8_images_listDisplays the Kubernetes images that are running in all clusters for your accountread

Endpoint Security

ToolDescriptionMode
endpoint_security_agent_update_policies_listDisplays the available agent update policiesread
endpoint_security_endpoint_getDisplays the detailed profile of the specified endpointread
endpoint_security_endpoints_listDisplays a detailed list of your endpointsread
endpoint_security_task_getDisplays the status of the specified taskread
endpoint_security_tasks_listDisplays the tasks of your endpoints in a paginated listread
endpoint_security_version_control_policies_listDisplays your Endpoint Version Control policiesread

AI Security

ToolDescriptionMode
aisecurity_guardrails_applyEvaluates prompts against AI guard policies and returns the recommended action (Allow/Block) with reasons for any policy violations detectedread

Cloud Risk Management

ToolDescriptionMode
cloud_risk_management_accounts_listDisplays the cloud accounts you can access in a paginated listread
cloud_risk_management_account_scan_rules_getDisplays the settings for all rules of the specified account in a paginated listread
cloud_risk_management_services_listRetrieves a list of cloud services and their associated rules supported by Cloud Risk Managementread

Threat Intelligence

ToolDescriptionMode
threatintel_suspicious_objects_listRetrieves information about domains, file SHA-1, file SHA-256, IP addresses, email addresses, or URLs in the Suspicious Object Listread
threatintel_suspicious_objects_addAdds information about domains, file SHA-1, file SHA-256, IP addresses, email addresses, or URLs to the Suspicious Object Listwrite
threatintel_suspicious_objects_deleteDeletes information about domains, file SHA-1, file SHA-256, IP addresses, email addresses, or URLs from the Suspicious Object Listwrite
threatintel_exceptions_listRetrieves information about domains, file SHA-1, file SHA-256, IP addresses, sender addresses, or URLs in the Exception Listread
threatintel_exceptions_addAdds domains, file SHA-1, file SHA-256, IP addresses, sender addresses, or URLs to the Exception Listwrite
threatintel_exceptions_deleteDeletes the specified objects from the Exception Listwrite
threatintel_intelligence_reports_listRetrieves a list of custom intelligence reports created from imported or retrieved dataread
threatintel_intelligence_report_getDownloads a custom intelligence report as a STIX Bundleread
threatintel_intelligence_reports_deleteDeletes the specified custom intelligence reportswrite
threatintel_sweep_triggerSearches your environment for threat indicators specified in a custom intelligence reportwrite
threatintel_tasks_listDisplays information about threat intelligence tasks and asynchronous jobsread
threatintel_task_results_getRetrieves the results of a threat intelligence taskread
threatintel_feed_indicators_listRetrieves a list of IoCs from Trend Threat Intelligence Feedread
threatintel_feeds_listRetrieves a list of intelligence reports from the Trend Threat Intelligence Feed with associated objects and relationshipsread
threatintel_feed_filter_definition_getRetrieves supported filter keys and values for Trend Threat Intelligence Feed queriesread

Architecture

high-level architecture

Examples

Start a Scan With Cloud Posture

starting a cloud posture scan

Domain Account Analysis

domain account analysis domain account analysis

Deleting Expired Trend Vision One API Keys

deleting API keys

Filtering Attack Surface Devices

filtering attack surface devicies

Change Log

See releases.

Contibuting

Please see the contributing guide.

Code of Conduct

This project adopts the Go Code of Conduct.

More from Other