Skip to main content
RapidDev - Software Development Agency
retool-integrationsREST API Resource

How to Integrate Retool with Trend Micro

Connect Retool to Trend Micro using a REST API Resource targeting the Trend Micro Cloud One API (cloudone.trendmicro.com/api). Authenticate with a Trend Micro API key passed in the api-secret-key header. Query workload security events, policy status, and detected threats to build a cloud security operations dashboard for SecOps teams monitoring Trend Micro Cloud One environments.

What you'll learn

  • How to generate a Trend Micro Cloud One API key and configure the api-secret-key header in a Retool Resource
  • How to query Workload Security events, computers, and policies using the Cloud One API
  • How to build a cloud security dashboard with threat event counts and policy compliance status
  • How to use JavaScript transformers to categorize and prioritize security events by severity
  • How to create a computer inventory panel showing protection status across your cloud workloads
Book a free consultation
4.9Clutch rating
600+Happy partners
17+Countries served
190+Team members
Advanced16 min read45 minutesOtherLast updated April 2026RapidDev Engineering Team
TL;DR

Connect Retool to Trend Micro using a REST API Resource targeting the Trend Micro Cloud One API (cloudone.trendmicro.com/api). Authenticate with a Trend Micro API key passed in the api-secret-key header. Query workload security events, policy status, and detected threats to build a cloud security operations dashboard for SecOps teams monitoring Trend Micro Cloud One environments.

Quick facts about this guide
FactValue
ToolTrend Micro
CategoryOther
MethodREST API Resource
DifficultyAdvanced
Time required45 minutes
Last updatedApril 2026

Why connect Retool to Trend Micro?

Trend Micro Cloud One's console provides detailed security information, but SecOps teams often need to aggregate security event data alongside asset inventory, policy compliance status, and threat intelligence in a single custom dashboard. The native console is purpose-built for security analysts investigating specific incidents — it is less suited for management-level overviews showing security posture across all protected workloads simultaneously, or for combining Trend Micro data with data from SIEM, ticketing, or infrastructure systems already in Retool.

The most impactful use case is a cloud security posture dashboard showing all protected computers with their last security event, policy assignment, protection module status, and days since last pattern update. Security managers can instantly identify computers with outdated protection, misconfigured policies, or recent high-severity events without clicking through each computer in the Cloud One console individually. Retool's Workflow integration enables automated alert escalation: high-severity events can trigger Slack notifications or create JIRA tickets without leaving the Retool ecosystem.

Trend Micro Cloud One's API covers multiple security services: Workload Security (server and VM protection), Container Security, Network Security, and Application Security. The Workload Security API is the most mature and feature-rich for Retool integration, exposing computers (protected workloads), policies, security events (anti-malware, intrusion prevention, firewall, log inspection), and scheduled tasks. The API uses JSON responses and supports pagination via the maxItems and searchCriteria parameters for large environments.

Integration method

REST API Resource

Trend Micro Cloud One connects via Retool's REST API Resource targeting the Cloud One API at https://cloudone.trendmicro.com/api. Authentication uses an API key passed in the api-secret-key request header — generated from the Cloud One console under Administration → API Keys. All API requests proxy through Retool's server-side infrastructure, keeping the API key off the browser and eliminating CORS concerns. You query Workload Security endpoints for events, policies, computers, and intrusion prevention data to build SecOps dashboards.

Prerequisites

  • A Trend Micro Cloud One account with Administrator access to generate API keys
  • Trend Micro Workload Security configured with at least one computer or agent deployed
  • An API key generated from Cloud One console: Administration → API Keys → Create API Key
  • The Cloud One region for your account (visible in the console URL: cloudone.trendmicro.com/app or region-specific subdomains)
  • A Retool account with Resource creation permissions

Step-by-step guide

1

Generate a Trend Micro Cloud One API key

Trend Micro Cloud One uses API keys for programmatic access. API keys are created in the Cloud One console with configurable permissions and can be scoped to specific services. In the Cloud One console (cloudone.trendmicro.com/app), log in as an Administrator. Navigate to Administration in the left sidebar, then select API Keys. Click Create API Key. In the API key creation form, provide a descriptive name (e.g., Retool Security Dashboard). Under Role, select a role that grants the permissions needed for your dashboard. For a read-only security dashboard, you can use a role with Read permissions on Computers, Policies, and Events. For write capabilities (e.g., triggering scans from Retool), add Write permissions on the Computers endpoint. Set an expiry for the key — for production integrations, select a long expiry (1-2 years) and set a calendar reminder to rotate before expiry. Do not check Full Access unless specifically required; use the minimum permissions principle. Click Create API Key. Copy the generated API key immediately — Cloud One displays it only once. The key is a long alphanumeric string. Note your Cloud One region — the API base URL varies by region: https://cloudone.trendmicro.com/api is the default US region endpoint. If your account is in a different region (EU, AP, CA, etc.), use the appropriate regional endpoint (e.g., https://de-1.cloudone.trendmicro.com/api for Germany). Check your Cloud One console URL to identify your region.

Pro tip: Trend Micro Cloud One API keys can be scoped to specific services (Workload Security, Container Security, Network Security). For a Retool dashboard focused on Workload Security, scope the key to Workload Security only. This follows the principle of least privilege and limits potential impact if the key is compromised.

Expected result: You have a Trend Micro Cloud One API key and know your account's regional API endpoint URL. Both are required for configuring the Retool Resource.

2

Configure the Trend Micro Cloud One API Resource in Retool

In Retool, navigate to the Resources tab and click Add Resource. Select REST API from the list. Name the resource Trend Micro Cloud One API. In the Base URL field, enter your regional API endpoint — typically https://cloudone.trendmicro.com/api for US accounts. If your Cloud One account is in a different region, use the appropriate regional subdomain (check your Cloud One console URL for the correct domain). Trend Micro Cloud One's API requires two mandatory headers on every request: the API key authentication header and a content type preference header. In the Headers section, add: First header — name api-secret-key, value {{ config.TRENDMICRO_API_KEY }}. Note the header name is api-secret-key (hyphenated, lowercase) — not Authorization. Second header — name api-version, value v1 — this pins the API to the current stable version. Third header — name Accept, value application/json — to ensure responses are returned as JSON. Create the configuration variable: navigate to Settings → Configuration Variables. Click Add variable, name it TRENDMICRO_API_KEY, paste your API key, and enable the secret toggle. Click Save on the Resource. Test the connection by creating a GET query to /workloadsecurity/computers/search — this endpoint returns a list of protected computers and is a reliable health check. If your account has no computers added yet, the response returns an empty computers array rather than an error, which still confirms authentication is working.

Pro tip: Trend Micro Cloud One uses the custom api-secret-key header rather than the standard Authorization header. If you configure Authorization: Bearer format instead, all requests will return 401 errors. Double-check the header name is exactly 'api-secret-key' in your Retool Resource configuration.

Expected result: The Trend Micro Cloud One API Resource is saved with the base URL and api-secret-key header configured. A test query to /workloadsecurity/computers/search returns computer data or an empty list, confirming API key authentication is valid.

3

Query protected computers and their security status

The computers endpoint is the core resource for workload visibility. Create a query targeting your Trend Micro Cloud One API Resource. Set Method to POST (the Cloud One API uses POST with a search body for filtered queries) and Path to /workloadsecurity/computers/search. Set Body type to JSON. The search endpoint accepts a filter criteria object to narrow results. For a full computer inventory, send an empty body {} or a body with maxItems: 250 to increase the default page size. The response returns an array of computer objects, each with: ID, hostName, displayName, platform (operating system), policyID, lastIPUsed, agentStatus, antiMalwareState, webReputationState, firewallState, intrusionPreventionState, and logInspectionState — these are the protection module status fields. Each state field has values like on, off, or inherited. Add a JavaScript transformer to flatten the nested security module states, map policy IDs to policy names (from a second query), and create a protection summary field indicating how many modules are active. Create a second GET query to /workloadsecurity/policies/search (Method POST, empty body) to fetch all policies for the ID-to-name mapping.

computers_transformer.js
1// JavaScript transformer: flatten computer data with protection status summary
2// Input: data = computers search response
3// getPolicy.data = policies search response
4const computers = data.computers || [];
5const policies = getPolicy.data?.policies || [];
6
7// Build policy lookup
8const policyMap = {};
9policies.forEach(p => {
10 policyMap[p.ID] = p.name;
11});
12
13const stateLabel = (state) => {
14 if (!state || state === 'off') return 'Off';
15 if (state === 'on' || state === 'inherited') return 'On';
16 return state;
17};
18
19return computers.map(comp => {
20 const modules = {
21 anti_malware: comp.antiMalware?.state || 'off',
22 firewall: comp.firewall?.state || 'off',
23 ips: comp.intrusionPrevention?.state || 'off',
24 log_inspection: comp.logInspection?.state || 'off',
25 web_reputation: comp.webReputation?.state || 'off'
26 };
27
28 const activeModules = Object.values(modules).filter(s => s !== 'off').length;
29
30 return {
31 id: comp.ID,
32 hostname: comp.hostName || '',
33 display_name: comp.displayName || comp.hostName || '',
34 platform: comp.platform || '',
35 policy_id: comp.policyID,
36 policy_name: policyMap[comp.policyID] || 'No Policy',
37 last_ip: comp.lastIPUsed || '',
38 agent_status: comp.agentCommunicationStatus || '',
39 modules_active: activeModules,
40 modules_total: 5,
41 protection_pct: Math.round((activeModules / 5) * 100) + '%',
42 anti_malware: stateLabel(modules.anti_malware),
43 firewall: stateLabel(modules.firewall),
44 ips: stateLabel(modules.ips),
45 log_inspection: stateLabel(modules.log_inspection),
46 web_reputation: stateLabel(modules.web_reputation)
47 };
48});

Pro tip: Trend Micro Cloud One's computer search endpoint supports filtering by status, policy, and other criteria in the request body's searchCriteria array. Use server-side filtering for large environments (1000+ computers) rather than fetching all computers and filtering in the transformer.

Expected result: The computers query returns a flat array of workload protection objects with policy names, active module counts, and individual module status. The data is ready to bind to a Table component.

4

Query security events for threat monitoring

Build threat visibility by querying security events from Trend Micro's event endpoints. Trend Micro Cloud One Workload Security stores security events in separate collections by event type. Create queries for the primary event types: Anti-Malware events (POST to /workloadsecurity/events/antimalware/search), Intrusion Prevention events (POST to /workloadsecurity/events/intrusionprevention/search), and Firewall events (POST to /workloadsecurity/events/firewall/search). Each query sends a JSON body specifying the time range and sorting: add a searchCriteria with field timeRecorded, operator greater-than, and value {{ new Date(dateRangePicker.value[0]).getTime() }} (Unix milliseconds). Add sortType: 'ID', and maxItems: 100 to limit results. Anti-malware events include fields for computerName, malwareName, malwareType, action (Cleaned, Quarantined, Deleted), and severity. Intrusion Prevention events include rule names and attack severity. Create a JavaScript query that combines events from all three endpoints into a unified event stream with a source_type field added to each event, sorted by time descending. Bind this unified event array to a Table in a security events tab. Add a severity-based conditional formatting rule: events with severity Critical or High get a red background, Medium gets yellow.

combine_events.js
1// JavaScript query: combine security events from multiple endpoint queries
2// Assumes: getAMEvents.data, getIPSEvents.data, getFWEvents.data all fetched
3const amEvents = getAMEvents.data?.events || [];
4const ipsEvents = getIPSEvents.data?.events || [];
5const fwEvents = getFWEvents.data?.events || [];
6
7const severityOrder = { Critical: 4, High: 3, Medium: 2, Low: 1, Unknown: 0 };
8
9const normalizeEvent = (event, type) => ({
10 event_id: event.eventID || event.ID,
11 event_type: type,
12 computer: event.computerName || event.hostName || '',
13 time: event.logDate || event.timeRecorded,
14 time_display: event.logDate ? new Date(event.logDate).toLocaleString() : '',
15 severity: event.severity || 'Unknown',
16 severity_order: severityOrder[event.severity] || 0,
17 threat_name: event.malwareName || event.reason || event.data || '',
18 action: event.action || event.logType || '',
19 details: JSON.stringify(event).substring(0, 200)
20});
21
22const allEvents = [
23 ...amEvents.map(e => normalizeEvent(e, 'Anti-Malware')),
24 ...ipsEvents.map(e => normalizeEvent(e, 'Intrusion Prevention')),
25 ...fwEvents.map(e => normalizeEvent(e, 'Firewall'))
26];
27
28return allEvents.sort((a, b) => b.severity_order - a.severity_order);

Pro tip: Trend Micro Cloud One's event endpoints use Unix millisecond timestamps (not ISO 8601 strings) for time-based filtering. When passing date range values from a Retool DateRangePicker, convert to milliseconds using new Date(dateValue).getTime() in the query body.

Expected result: The combined events query returns a unified array of security events from anti-malware, intrusion prevention, and firewall sources, sorted by severity. The data displays in a Table with event type and severity columns for quick incident triage.

5

Build the cloud security operations dashboard

Assemble the full SecOps dashboard. Use a Tab component to separate views: Computer Inventory tab and Security Events tab. In the Computer Inventory tab: drag a Table and bind it to the computers transformer output. Show columns: Display Name, Platform, Policy, Protection (active/total modules), Agent Status. Add conditional formatting: red row where modules_active is less than 3, green for full protection. Add Stat components at the top showing: Total Computers, Fully Protected (all 5 modules on), Partial Protection (1-4 modules on), and Not Protected (0 modules on). Add a policy filter Select and platform filter Select above the Table. In the Security Events tab: drag a Table bound to the combined events query. Show Event Type, Computer, Severity, Threat Name, Action, and Time columns. Apply conditional row colors by severity. Add a DateRangePicker for the event query time range (default last 24 hours). Add Bar Charts showing event count by severity and by event type for the selected period. In the Stat row, show: Total Events, Critical Count, High Count, and Affected Computers (unique computer count from events array). Add an event handler on Table row click in the Security Events tab to show a Modal with full event details. For enterprise security operations requiring Trend Micro Cloud One integrated with SIEM tools, ticketing systems, and threat intelligence feeds in a unified Retool security platform, RapidDev's team can architect comprehensive SecOps dashboards.

security_posture_stats.js
1// JavaScript query: security posture summary stats
2const computers = getComputers.data || [];
3const events = getAllEvents.data || [];
4
5const fullyProtected = computers.filter(c => c.modules_active === 5).length;
6const partialProtected = computers.filter(c => c.modules_active > 0 && c.modules_active < 5).length;
7const unprotected = computers.filter(c => c.modules_active === 0).length;
8
9const criticalEvents = events.filter(e => e.severity === 'Critical').length;
10const highEvents = events.filter(e => e.severity === 'High').length;
11const affectedComputers = new Set(events.map(e => e.computer)).size;
12
13return {
14 total_computers: computers.length,
15 fully_protected: fullyProtected,
16 partial_protected: partialProtected,
17 unprotected: unprotected,
18 protection_rate: computers.length > 0
19 ? ((fullyProtected / computers.length) * 100).toFixed(0) + '%'
20 : '0%',
21 total_events: events.length,
22 critical_events: criticalEvents,
23 high_events: highEvents,
24 affected_computers: affectedComputers
25};

Pro tip: Set the Security Events tab's date range default to last 4 hours rather than last 24 hours for initial load — security event endpoints can return thousands of events for active environments, and a shorter default window keeps initial query times manageable.

Expected result: A complete cloud security operations dashboard shows a Computer Inventory tab with protection status per workload and a Security Events tab with real-time threat events. Summary Stats show overall security posture metrics at the top of each tab.

Common use cases

Cloud workload security posture dashboard

Build a Retool dashboard showing all Trend Micro-protected computers with their security status: active protection modules, last policy update, last anti-malware scan, and recent event counts by severity. A Table with color-coded status indicators lets SecOps managers see at a glance which workloads have protection gaps or recent high-severity alerts. Filter controls narrow the view by policy group, cloud region, or event type.

Retool Prompt

Build a Retool Trend Micro workload security dashboard that queries all protected computers via the Cloud One API. Show a Table with computer name, policy name, active protection modules, last scan time, and event counts (critical, high, medium, low) for the past 7 days. Color-code rows where critical events exceed 0 or where protection modules are disabled. Add a policy filter dropdown.

Copy this prompt to try it in Retool

Security event investigation panel

Create a Retool event investigation panel showing recent security events with severity classification, event type, source computer, and recommended remediation actions. Query intrusion prevention, anti-malware, and firewall events for a date range. A Bar Chart shows event volume by type and severity over time. Clicking an event row shows full event details including the threat name, detection method, and affected process.

Retool Prompt

Build a Retool Trend Micro event investigation panel that queries security events for a selected computer or all computers for a date range. Show a Table with event time, severity, event type (anti-malware, IPS, firewall), computer name, threat name, and action taken. Add a Bar Chart of event count by severity per day. Include an event detail panel that shows on row click.

Copy this prompt to try it in Retool

Policy compliance and coverage report

Build a Retool compliance report showing which computers have the correct security policies applied, which modules (anti-malware, firewall, IPS, log inspection) are enabled, and which workloads are unprotected or running outdated patterns. Query computers and their policy assignments, then compare against required policy templates to identify coverage gaps. Export the compliance report as CSV for audit purposes.

Retool Prompt

Build a Retool Trend Micro compliance report that queries all computers and their assigned policies via the Cloud One API. Compare policy assignments against a required policy list from a Retool database. Show a Table with computer name, assigned policy, compliance status, enabled modules, and pattern update age. Highlight non-compliant rows in red. Add a CSV export button.

Copy this prompt to try it in Retool

Troubleshooting

API returns 401 Unauthorized with 'Missing or invalid API key' message

Cause: The api-secret-key header is not configured, uses an incorrect header name (e.g., Authorization instead of api-secret-key), or the API key has expired.

Solution: Verify the Resource has a header named exactly api-secret-key (all lowercase, hyphenated) with the API key value. Confirm the API key is still valid in the Cloud One console: Administration → API Keys — check the expiry date and status. If expired or revoked, generate a new API key and update the TRENDMICRO_API_KEY configuration variable.

Computer search returns 403 Forbidden despite valid API key

Cause: The API key's associated role lacks Read permission for the Workload Security - Computers resource, or the API key is scoped to a different Cloud One service.

Solution: In the Cloud One console, navigate to Administration → API Keys. Find your API key and check its role assignment. The role must include Read (at minimum) for Workload Security. If the role is too restrictive, edit the role to add Workload Security read permissions, or create a new API key with a more permissive role. Update the configuration variable with the new key if regenerated.

Event search returns 400 Bad Request when adding time-based search criteria

Cause: The timestamp value in the searchCriteria is in the wrong format — Cloud One expects Unix milliseconds (a number), not an ISO date string.

Solution: Ensure the time value in the searchCriteria is a numeric Unix millisecond timestamp, not a string. Convert date values to milliseconds: new Date('2024-01-01').getTime() returns 1704067200000. Do not wrap the value in quotes — it must be a JSON number, not a JSON string. Test with a hardcoded millisecond value first to isolate the issue from dynamic value generation.

typescript
1// Correct searchCriteria format for time filtering
2{
3 "searchCriteria": [
4 {
5 "fieldName": "logDate",
6 "numericTest": "greater-than",
7 "numericValue": {{ new Date(dateRangePicker.value[0]).getTime() }}
8 }
9 ],
10 "maxItems": 100,
11 "sortType": "ID"
12}

Computer query succeeds but returns fewer computers than expected

Cause: The default maxItems for search endpoints is 10 or 25 in some Cloud One API versions, and computers beyond this limit are not returned without explicit pagination.

Solution: Add maxItems to the search request body with a higher value (e.g., 250 or 5000). For environments with more than 5000 computers, implement pagination using the searchCriteria with an ID greater-than filter, fetching subsequent pages starting after the last ID from the previous response. Retool Workflows are suited for multi-page data aggregation.

Best practices

  • Store the Trend Micro Cloud One API key in a Retool configuration variable marked as secret — API keys grant access to security event data and computer configurations that are sensitive operational information.
  • Create API keys with the minimum required permissions for your use case — a read-only dashboard does not need write permissions on the Computers or Policies endpoints, reducing risk if the key is compromised.
  • Set API key expiry dates and implement rotation procedures — track expiry dates in a calendar and update the Retool configuration variable before expiration to prevent dashboard outages.
  • Use the regional API endpoint that matches your Cloud One account region — using the wrong region endpoint results in 404 errors even with valid credentials, since your data is only accessible from the correct regional endpoint.
  • Cache the computers and policies queries aggressively (10-15 minutes) since infrastructure inventories change slowly — only the events queries need frequent refresh for active security monitoring.
  • Filter security events server-side using searchCriteria rather than fetching all events and filtering in JavaScript — large environments can have tens of thousands of events per day, making server-side filtering essential for performance.
  • Display event severity with both color coding and text labels — relying on color alone is not accessible, and text labels (Critical, High, Medium, Low) ensure all users can interpret severity regardless of color perception.

Alternatives

Frequently asked questions

What is the difference between Trend Micro Cloud One Workload Security and the other Cloud One services?

Trend Micro Cloud One is an umbrella platform with multiple security services: Workload Security protects servers and VMs (the most mature and API-rich service, covered in this guide), Container Security protects Kubernetes workloads, Network Security provides cloud network intrusion prevention, Application Security protects APIs and applications, and Conformity checks cloud configurations against compliance frameworks. Each service has its own API endpoints under the Cloud One API base URL.

How do I find my Cloud One region, and how does it affect the API endpoint?

Your Cloud One region is visible in the console URL when logged in. The default US region uses cloudone.trendmicro.com. Regional deployments use subdomain prefixes: de-1.cloudone.trendmicro.com for Germany, au-1.cloudone.trendmicro.com for Australia, jp-1.cloudone.trendmicro.com for Japan, and similar patterns for other regions. Always use the API endpoint matching your account's region — cross-region API calls return 404 errors because data is not replicated across regions.

Can I trigger security scans or policy changes from Retool?

Yes, if your API key role has Write permissions on the relevant resources. To trigger an anti-malware scan on a specific computer, POST to /workloadsecurity/computers/{id}/tasks/antimalwarescan. To change a computer's policy assignment, PUT to /workloadsecurity/computers/{id} with a body containing the new policyID. Always add confirmation dialogs before triggering scans or policy changes, as these operations can impact production workload performance.

How far back do Trend Micro Cloud One security events go?

Trend Micro Cloud One retains security events for 90 days by default on standard plans. Enterprise plans may have extended retention. For longer-term security analytics, consider exporting events regularly to a time-series database or data warehouse using a Retool Workflow that runs on a schedule and stores events in Retool Database or a connected PostgreSQL instance.

Does the Trend Micro API support webhook notifications for real-time event alerts?

Trend Micro Cloud One supports Event Forwarding rather than webhooks — you configure Cloud One to forward security events to a SIEM (Splunk, Elasticsearch, etc.) or a webhook endpoint via the Cloud One console under Event Forwarding settings. Retool Workflows can receive these forwarded events at a webhook trigger endpoint, enabling real-time event processing and notifications from Trend Micro Cloud One in your Retool environment.

RapidDev

Talk to an Expert

Our team has built 600+ apps. Get personalized help with your project.

Book a free consultation

Integrations are where projects stall

We wire Retool integrations like this one every week — auth, webhooks, edge cases included. Fixed-price builds from $13K, delivered in 6–10 weeks.

Talk to an integration engineer

We put the rapid in RapidDev

Need a dedicated strategic tech and growth partner? Discover what RapidDev can do for your business! Book a call with our team to schedule a free, no-obligation consultation. We'll discuss your project and provide a custom quote at no cost.