The Trend Vision One Model Context Protocol (MCP) Server enables natural language interaction between your favourite AI tooling and the Trend Vision One web APIs.
This allows users to harness the power of Large Language Models (LLM) to interpret and respond to security events.
- Automating the retrieval and interpretation of security alerts from various Trend Vision One such tools as Workbench, Cloud Posture, and File Security.
- Allowing LLMs to gather information about security events and generate meaningful recommendations.
- Automating workflows to enhance the configuration of Trend Vision One services.
- Interacting with Trend Vision One web APIs without having to learn yet another company's APIs.
- Your Trend Vision One API keys should be configured with minimial permissions.
- By default the MCP server runs in read-only mode. Be careful when running the server with
readonly=falseas it may have irreversible consequences. - Data retrieved using the MCP server is processed by the LLM configured in your AI tooling. It is your responsibility to ensure that this LLM is approved by your company for processing sensitive data.
- This MCP server is only intended to be used with local integrations and command-line tools via the Standard Input/Output transport. You should never expose this tool to the network.
- You must have a Trend Vision One account and API key.
- You must have credits allocated for the services you wish to interact with.
- Have Docker installed.
- Have the latest version of Visual Studio Code installed.
Open the following link in your browser to automatically install the server configuration in Visual Studio Code.
vscode:mcp/install?%7B%22name%22%3A%22trend-vision-one-mcp%22%2C%22inputs%22%3A%5B%7B%22type%22%3A%22promptString%22%2C%22id%22%3A%22trend-vision-one-api-key%22%2C%22description%22%3A%22Trend%20Vision%20One%20API%20Key%22%2C%22password%22%3Atrue%7D%2C%7B%22type%22%3A%22promptString%22%2C%22id%22%3A%22trend-vision-one-region%22%2C%22description%22%3A%22Trend%20Vision%20One%20Region%22%7D%5D%2C%22command%22%3A%22docker%22%2C%22args%22%3A%5B%22run%22%2C%22-i%22%2C%22--rm%22%2C%22-e%22%2C%22TREND_VISION_ONE_API_KEY%22%2C%22ghcr.io%2Ftrendmicro%2Fvision-one-mcp-server%22%2C%22-region%22%2C%22%24%7Binput%3Atrend-vision-one-region%7D%22%2C%22-readonly%3Dtrue%22%5D%2C%22env%22%3A%7B%22TREND_VISION_ONE_API_KEY%22%3A%22%24%7Binput%3Atrend-vision-one-api-key%7D%22%7D%7D
When prompted, enter your Vision One API Key and your Vision One region.
Alternatively, copy the following into your settings.json.
{
"mcp": {
"inputs": [
{
"type": "promptString",
"id": "trend-vision-one-api-key",
"description": "Trend Vision One API Key",
"password": true
},
{
"type": "promptString",
"id": "trend-vision-one-region",
"description": "Trend Vision One Region"
}
],
"servers": {
"trend-vision-one-mcp": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e",
"TREND_VISION_ONE_API_KEY",
"ghcr.io/trendmicro/vision-one-mcp-server",
"-region",
"${input:trend-vision-one-region}",
"-readonly=true"
],
"env": {
"TREND_VISION_ONE_API_KEY": "${input:trend-vision-one-api-key}"
}
}
}
},
}| Option | Description |
|---|---|
-readonly |
Specify whether or not the server should run in readonly mode readonly=true, readonly=false. Default true. |
-region |
Specify the Trend Vision One region. Regions are: au, jp, eu, sg, in, us or mea. |
-host |
Set the Trend Vision One endpoint you want to use. Useful for interacting with internal environments. |
| Tool | Description | Mode |
|---|---|---|
cloud_posture_accounts_list |
(Beta) List CSPM Accounts. | read |
cloud_posture_account_checks_list |
(Beta) List the checks of an account. | read |
cloud_posture_account_scan |
(Beta) Start scanning Cloud Posture account. | write |
cloud_posture_account_scan_settings_get |
(Beta) Get the scan settings for an account. | read |
cloud_posture_account_scan_settings_update |
(Beta) Update an account's scan settings. | write |
cloud_posture_template_scanner_run |
(Beta) Scan an infrastructure as code template using the cloud posture template scanner. | read |
cloud_posture_custom_rules_list |
(Beta) Displays the custom rules of your company in a paginated list. | read |
cloud_posture_custom_rule_get |
(Beta) Returns the configuration of the specified custom rule. | read |
cloud_posture_custom_rule_create |
(Beta) Creates a custom rule for your company. Requires Master Administrator role. | write |
cloud_posture_custom_rule_update |
(Beta) Updates the specified custom rule. Requires Master Administrator role. | write |
cloud_posture_custom_rule_delete |
(Beta) Deletes the specified custom rule permanently. Requires Master Administrator role. | write |
cloud_posture_custom_rule_test |
(Beta) Tests the provided custom rule configuration against an account or mock resource data. Requires Master Administrator role. | read |
| Tool | Description | Mode |
|---|---|---|
iam_api_keys_list |
List Vision One API Keys. | read |
iam_api_keys_delete |
Delete Vision One API Keys. | write |
iam_accounts_list |
Displays users, groups, and invitations in the account. | read |
iam_account_invite |
Sends an invitation to the specified email address to be added as an account. | write |
iam_account_update |
Updates the specified account. | write |
iam_account_delete |
Deletes the specified account. | write |
| Tool | Description | Mode |
|---|---|---|
workbench_alerts_list |
List Trend Vision One Workbench Alerts. | read |
workbench_alert_detail_get |
Displays information about the specified alert. | read |
workbench_observed_attack_techniques_list |
List observed attack techniques. | read |
| Tool | Description | Mode |
|---|---|---|
crem_attack_surface_devices_list |
List discovered attack surface devices. | read |
crem_attack_surface_domain_accounts_list |
List discovered attack surface domain accounts. | read |
crem_attack_surface_service_accounts_list |
List discovered service accounts. | read |
crem_attack_surface_global_fqdns_list |
List discovered internet facing domains (Fully Qualified Domain Names). | read |
crem_attack_surface_public_ips_list |
List discovered public IP addresses. | read |
crem_attack_surface_cloud_assets_list |
List discovered cloud assets. | read |
crem_attack_surface_high_risk_users_list |
List high risk users. | read |
crem_attack_surface_cloud_asset_profile_get |
Get a cloud asset's profile. | read |
crem_attack_surface_cloud_asset_risk_indicators_list |
List a cloud asset's risk indicators. | read |
crem_attack_surface_local_apps_list |
List discovered local applications. | read |
crem_attack_surface_local_app_profile_get |
Get a local app's profile. | read |
crem_attack_surface_local_app_risk_indicators_list |
List a local app's risk indicators. | read |
crem_attack_surface_local_app_devices_list |
Displays the devices with the specified local application installed. | read |
crem_attack_surface_local_app_executable_files_list |
Displays the local applications installed executable files. | read |
crem_attack_surface_custom_tags_list |
List tag definitions. | read |
| Tool | Description | Mode |
|---|---|---|
cam_alibaba_account_get |
Get the details of an Alibaba account managed by Cloud Account Manangement. | read |
cam_alibaba_accounts_list |
Displays all Alibaba Cloud accounts connected to Trend Vision One in a paginated list. | read |
cam_aws_accounts_list |
List AWS accounts managed by Cloud Account Management. | read |
cam_aws_account_get |
Get the details of an AWS account managed by Cloud Account Management. | read |
cam_gcp_accounts_list |
List Google Cloud Projects managed by Cloud Account Management. | read |
cam_gcp_account_get |
Get the details of a GCP project managed by Cloud Account Manangement. | read |
| Tool | Description | Mode |
|---|---|---|
email_security_accounts_list |
Returns all email accounts managed by an email protection solution or with email sensor detection enabled. | read |
email_security_domains_list |
Returns all email domains managed by an email protection solution. | read |
email_security_servers_list |
Returns all email servers managed by an on-premises email protection solution. | read |
| Tool | Description | Mode |
|---|---|---|
container_security_ecs_clusters_list |
Displays all registered Amazon Elastic Container Service (ECS) clusters in a paginated list | read |
container_security_image_vulnerabilities_list |
Displays the container image vulnerabilities detected in Kubernetes and Amazon ECS clusters for your account | read |
container_security_k8_cluster_get |
Displays the details of the specified Kubernetes cluster | read |
container_security_k8_clusters_list |
Displays all registered Kubernetes clusters | read |
container_security_k8_images_list |
Displays the Kubernetes images that are running in all clusters for your account | read |
| Tool | Description | Mode |
|---|---|---|
endpoint_security_agent_update_policies_list |
Displays the available agent update policies | read |
endpoint_security_endpoint_get |
Displays the detailed profile of the specified endpoint | read |
endpoint_security_endpoints_list |
Displays a detailed list of your endpoints | read |
endpoint_security_task_get |
Displays the status of the specified task | read |
endpoint_security_tasks_list |
Displays the tasks of your endpoints in a paginated list | read |
endpoint_security_version_control_policies_list |
Displays your Endpoint Version Control policies | read |
| Tool | Description | Mode |
|---|---|---|
aisecurity_guardrails_apply |
Evaluates prompts against AI guard policies and returns the recommended action (Allow/Block) with reasons for any policy violations detected | read |
| Tool | Description | Mode |
|---|---|---|
cloud_risk_management_accounts_list |
Displays the cloud accounts you can access in a paginated list | read |
cloud_risk_management_account_scan_rules_get |
Displays the settings for all rules of the specified account in a paginated list | read |
cloud_risk_management_services_list |
Retrieves a list of cloud services and their associated rules supported by Cloud Risk Management | read |
| Tool | Description | Mode |
|---|---|---|
threatintel_suspicious_objects_list |
Retrieves information about domains, file SHA-1, file SHA-256, IP addresses, email addresses, or URLs in the Suspicious Object List | read |
threatintel_suspicious_objects_add |
Adds information about domains, file SHA-1, file SHA-256, IP addresses, email addresses, or URLs to the Suspicious Object List | write |
threatintel_suspicious_objects_delete |
Deletes information about domains, file SHA-1, file SHA-256, IP addresses, email addresses, or URLs from the Suspicious Object List | write |
threatintel_exceptions_list |
Retrieves information about domains, file SHA-1, file SHA-256, IP addresses, sender addresses, or URLs in the Exception List | read |
threatintel_exceptions_add |
Adds domains, file SHA-1, file SHA-256, IP addresses, sender addresses, or URLs to the Exception List | write |
threatintel_exceptions_delete |
Deletes the specified objects from the Exception List | write |
threatintel_intelligence_reports_list |
Retrieves a list of custom intelligence reports created from imported or retrieved data | read |
threatintel_intelligence_report_get |
Downloads a custom intelligence report as a STIX Bundle | read |
threatintel_intelligence_reports_delete |
Deletes the specified custom intelligence reports | write |
threatintel_sweep_trigger |
Searches your environment for threat indicators specified in a custom intelligence report | write |
threatintel_tasks_list |
Displays information about threat intelligence tasks and asynchronous jobs | read |
threatintel_task_results_get |
Retrieves the results of a threat intelligence task | read |
threatintel_feed_indicators_list |
Retrieves a list of IoCs from Trend Threat Intelligence Feed | read |
threatintel_feeds_list |
Retrieves a list of intelligence reports from the Trend Threat Intelligence Feed with associated objects and relationships | read |
threatintel_feed_filter_definition_get |
Retrieves supported filter keys and values for Trend Threat Intelligence Feed queries | read |
See releases.
Please see the contributing guide.
This project adopts the Go Code of Conduct.