# How to Integrate Retool with Trend Micro

- Tool: Retool
- Difficulty: Advanced
- Time required: 45 minutes
- Last updated: April 2026

## TL;DR

Connect Retool to Trend Micro using a REST API Resource targeting the Trend Micro Cloud One API (cloudone.trendmicro.com/api). Authenticate with a Trend Micro API key passed in the api-secret-key header. Query workload security events, policy status, and detected threats to build a cloud security operations dashboard for SecOps teams monitoring Trend Micro Cloud One environments.

## Why connect Retool to Trend Micro?

Trend Micro Cloud One's console provides detailed security information, but SecOps teams often need to aggregate security event data alongside asset inventory, policy compliance status, and threat intelligence in a single custom dashboard. The native console is purpose-built for security analysts investigating specific incidents — it is less suited for management-level overviews showing security posture across all protected workloads simultaneously, or for combining Trend Micro data with data from SIEM, ticketing, or infrastructure systems already in Retool.

The most impactful use case is a cloud security posture dashboard showing all protected computers with their last security event, policy assignment, protection module status, and days since last pattern update. Security managers can instantly identify computers with outdated protection, misconfigured policies, or recent high-severity events without clicking through each computer in the Cloud One console individually. Retool's Workflow integration enables automated alert escalation: high-severity events can trigger Slack notifications or create JIRA tickets without leaving the Retool ecosystem.

Trend Micro Cloud One's API covers multiple security services: Workload Security (server and VM protection), Container Security, Network Security, and Application Security. The Workload Security API is the most mature and feature-rich for Retool integration, exposing computers (protected workloads), policies, security events (anti-malware, intrusion prevention, firewall, log inspection), and scheduled tasks. The API uses JSON responses and supports pagination via the maxItems and searchCriteria parameters for large environments.

## Before you start

- A Trend Micro Cloud One account with Administrator access to generate API keys
- Trend Micro Workload Security configured with at least one computer or agent deployed
- An API key generated from Cloud One console: Administration → API Keys → Create API Key
- The Cloud One region for your account (visible in the console URL: cloudone.trendmicro.com/app or region-specific subdomains)
- A Retool account with Resource creation permissions

## Step-by-step guide

### 1. Generate a Trend Micro Cloud One API key

Trend Micro Cloud One uses API keys for programmatic access. API keys are created in the Cloud One console with configurable permissions and can be scoped to specific services. In the Cloud One console (cloudone.trendmicro.com/app), log in as an Administrator. Navigate to Administration in the left sidebar, then select API Keys. Click Create API Key. In the API key creation form, provide a descriptive name (e.g., Retool Security Dashboard). Under Role, select a role that grants the permissions needed for your dashboard. For a read-only security dashboard, you can use a role with Read permissions on Computers, Policies, and Events. For write capabilities (e.g., triggering scans from Retool), add Write permissions on the Computers endpoint. Set an expiry for the key — for production integrations, select a long expiry (1-2 years) and set a calendar reminder to rotate before expiry. Do not check Full Access unless specifically required; use the minimum permissions principle. Click Create API Key. Copy the generated API key immediately — Cloud One displays it only once. The key is a long alphanumeric string. Note your Cloud One region — the API base URL varies by region: https://cloudone.trendmicro.com/api is the default US region endpoint. If your account is in a different region (EU, AP, CA, etc.), use the appropriate regional endpoint (e.g., https://de-1.cloudone.trendmicro.com/api for Germany). Check your Cloud One console URL to identify your region.

**Expected result:** You have a Trend Micro Cloud One API key and know your account's regional API endpoint URL. Both are required for configuring the Retool Resource.

### 2. Configure the Trend Micro Cloud One API Resource in Retool

In Retool, navigate to the Resources tab and click Add Resource. Select REST API from the list. Name the resource Trend Micro Cloud One API. In the Base URL field, enter your regional API endpoint — typically https://cloudone.trendmicro.com/api for US accounts. If your Cloud One account is in a different region, use the appropriate regional subdomain (check your Cloud One console URL for the correct domain). Trend Micro Cloud One's API requires two mandatory headers on every request: the API key authentication header and a content type preference header. In the Headers section, add: First header — name api-secret-key, value {{ config.TRENDMICRO_API_KEY }}. Note the header name is api-secret-key (hyphenated, lowercase) — not Authorization. Second header — name api-version, value v1 — this pins the API to the current stable version. Third header — name Accept, value application/json — to ensure responses are returned as JSON. Create the configuration variable: navigate to Settings → Configuration Variables. Click Add variable, name it TRENDMICRO_API_KEY, paste your API key, and enable the secret toggle. Click Save on the Resource. Test the connection by creating a GET query to /workloadsecurity/computers/search — this endpoint returns a list of protected computers and is a reliable health check. If your account has no computers added yet, the response returns an empty computers array rather than an error, which still confirms authentication is working.

**Expected result:** The Trend Micro Cloud One API Resource is saved with the base URL and api-secret-key header configured. A test query to /workloadsecurity/computers/search returns computer data or an empty list, confirming API key authentication is valid.

### 3. Query protected computers and their security status

The computers endpoint is the core resource for workload visibility. Create a query targeting your Trend Micro Cloud One API Resource. Set Method to POST (the Cloud One API uses POST with a search body for filtered queries) and Path to /workloadsecurity/computers/search. Set Body type to JSON. The search endpoint accepts a filter criteria object to narrow results. For a full computer inventory, send an empty body {} or a body with maxItems: 250 to increase the default page size. The response returns an array of computer objects, each with: ID, hostName, displayName, platform (operating system), policyID, lastIPUsed, agentStatus, antiMalwareState, webReputationState, firewallState, intrusionPreventionState, and logInspectionState — these are the protection module status fields. Each state field has values like on, off, or inherited. Add a JavaScript transformer to flatten the nested security module states, map policy IDs to policy names (from a second query), and create a protection summary field indicating how many modules are active. Create a second GET query to /workloadsecurity/policies/search (Method POST, empty body) to fetch all policies for the ID-to-name mapping.

```
// JavaScript transformer: flatten computer data with protection status summary
// Input: data = computers search response
// getPolicy.data = policies search response
const computers = data.computers || [];
const policies = getPolicy.data?.policies || [];

// Build policy lookup
const policyMap = {};
policies.forEach(p => {
  policyMap[p.ID] = p.name;
});

const stateLabel = (state) => {
  if (!state || state === 'off') return 'Off';
  if (state === 'on' || state === 'inherited') return 'On';
  return state;
};

return computers.map(comp => {
  const modules = {
    anti_malware: comp.antiMalware?.state || 'off',
    firewall: comp.firewall?.state || 'off',
    ips: comp.intrusionPrevention?.state || 'off',
    log_inspection: comp.logInspection?.state || 'off',
    web_reputation: comp.webReputation?.state || 'off'
  };

  const activeModules = Object.values(modules).filter(s => s !== 'off').length;

  return {
    id: comp.ID,
    hostname: comp.hostName || '',
    display_name: comp.displayName || comp.hostName || '',
    platform: comp.platform || '',
    policy_id: comp.policyID,
    policy_name: policyMap[comp.policyID] || 'No Policy',
    last_ip: comp.lastIPUsed || '',
    agent_status: comp.agentCommunicationStatus || '',
    modules_active: activeModules,
    modules_total: 5,
    protection_pct: Math.round((activeModules / 5) * 100) + '%',
    anti_malware: stateLabel(modules.anti_malware),
    firewall: stateLabel(modules.firewall),
    ips: stateLabel(modules.ips),
    log_inspection: stateLabel(modules.log_inspection),
    web_reputation: stateLabel(modules.web_reputation)
  };
});
```

**Expected result:** The computers query returns a flat array of workload protection objects with policy names, active module counts, and individual module status. The data is ready to bind to a Table component.

### 4. Query security events for threat monitoring

Build threat visibility by querying security events from Trend Micro's event endpoints. Trend Micro Cloud One Workload Security stores security events in separate collections by event type. Create queries for the primary event types: Anti-Malware events (POST to /workloadsecurity/events/antimalware/search), Intrusion Prevention events (POST to /workloadsecurity/events/intrusionprevention/search), and Firewall events (POST to /workloadsecurity/events/firewall/search). Each query sends a JSON body specifying the time range and sorting: add a searchCriteria with field timeRecorded, operator greater-than, and value {{ new Date(dateRangePicker.value[0]).getTime() }} (Unix milliseconds). Add sortType: 'ID', and maxItems: 100 to limit results. Anti-malware events include fields for computerName, malwareName, malwareType, action (Cleaned, Quarantined, Deleted), and severity. Intrusion Prevention events include rule names and attack severity. Create a JavaScript query that combines events from all three endpoints into a unified event stream with a source_type field added to each event, sorted by time descending. Bind this unified event array to a Table in a security events tab. Add a severity-based conditional formatting rule: events with severity Critical or High get a red background, Medium gets yellow.

```
// JavaScript query: combine security events from multiple endpoint queries
// Assumes: getAMEvents.data, getIPSEvents.data, getFWEvents.data all fetched
const amEvents = getAMEvents.data?.events || [];
const ipsEvents = getIPSEvents.data?.events || [];
const fwEvents = getFWEvents.data?.events || [];

const severityOrder = { Critical: 4, High: 3, Medium: 2, Low: 1, Unknown: 0 };

const normalizeEvent = (event, type) => ({
  event_id: event.eventID || event.ID,
  event_type: type,
  computer: event.computerName || event.hostName || '',
  time: event.logDate || event.timeRecorded,
  time_display: event.logDate ? new Date(event.logDate).toLocaleString() : '',
  severity: event.severity || 'Unknown',
  severity_order: severityOrder[event.severity] || 0,
  threat_name: event.malwareName || event.reason || event.data || '',
  action: event.action || event.logType || '',
  details: JSON.stringify(event).substring(0, 200)
});

const allEvents = [
  ...amEvents.map(e => normalizeEvent(e, 'Anti-Malware')),
  ...ipsEvents.map(e => normalizeEvent(e, 'Intrusion Prevention')),
  ...fwEvents.map(e => normalizeEvent(e, 'Firewall'))
];

return allEvents.sort((a, b) => b.severity_order - a.severity_order);
```

**Expected result:** The combined events query returns a unified array of security events from anti-malware, intrusion prevention, and firewall sources, sorted by severity. The data displays in a Table with event type and severity columns for quick incident triage.

### 5. Build the cloud security operations dashboard

Assemble the full SecOps dashboard. Use a Tab component to separate views: Computer Inventory tab and Security Events tab. In the Computer Inventory tab: drag a Table and bind it to the computers transformer output. Show columns: Display Name, Platform, Policy, Protection (active/total modules), Agent Status. Add conditional formatting: red row where modules_active is less than 3, green for full protection. Add Stat components at the top showing: Total Computers, Fully Protected (all 5 modules on), Partial Protection (1-4 modules on), and Not Protected (0 modules on). Add a policy filter Select and platform filter Select above the Table. In the Security Events tab: drag a Table bound to the combined events query. Show Event Type, Computer, Severity, Threat Name, Action, and Time columns. Apply conditional row colors by severity. Add a DateRangePicker for the event query time range (default last 24 hours). Add Bar Charts showing event count by severity and by event type for the selected period. In the Stat row, show: Total Events, Critical Count, High Count, and Affected Computers (unique computer count from events array). Add an event handler on Table row click in the Security Events tab to show a Modal with full event details. For enterprise security operations requiring Trend Micro Cloud One integrated with SIEM tools, ticketing systems, and threat intelligence feeds in a unified Retool security platform, RapidDev's team can architect comprehensive SecOps dashboards.

```
// JavaScript query: security posture summary stats
const computers = getComputers.data || [];
const events = getAllEvents.data || [];

const fullyProtected = computers.filter(c => c.modules_active === 5).length;
const partialProtected = computers.filter(c => c.modules_active > 0 && c.modules_active < 5).length;
const unprotected = computers.filter(c => c.modules_active === 0).length;

const criticalEvents = events.filter(e => e.severity === 'Critical').length;
const highEvents = events.filter(e => e.severity === 'High').length;
const affectedComputers = new Set(events.map(e => e.computer)).size;

return {
  total_computers: computers.length,
  fully_protected: fullyProtected,
  partial_protected: partialProtected,
  unprotected: unprotected,
  protection_rate: computers.length > 0
    ? ((fullyProtected / computers.length) * 100).toFixed(0) + '%'
    : '0%',
  total_events: events.length,
  critical_events: criticalEvents,
  high_events: highEvents,
  affected_computers: affectedComputers
};
```

**Expected result:** A complete cloud security operations dashboard shows a Computer Inventory tab with protection status per workload and a Security Events tab with real-time threat events. Summary Stats show overall security posture metrics at the top of each tab.

## Best practices

- Store the Trend Micro Cloud One API key in a Retool configuration variable marked as secret — API keys grant access to security event data and computer configurations that are sensitive operational information.
- Create API keys with the minimum required permissions for your use case — a read-only dashboard does not need write permissions on the Computers or Policies endpoints, reducing risk if the key is compromised.
- Set API key expiry dates and implement rotation procedures — track expiry dates in a calendar and update the Retool configuration variable before expiration to prevent dashboard outages.
- Use the regional API endpoint that matches your Cloud One account region — using the wrong region endpoint results in 404 errors even with valid credentials, since your data is only accessible from the correct regional endpoint.
- Cache the computers and policies queries aggressively (10-15 minutes) since infrastructure inventories change slowly — only the events queries need frequent refresh for active security monitoring.
- Filter security events server-side using searchCriteria rather than fetching all events and filtering in JavaScript — large environments can have tens of thousands of events per day, making server-side filtering essential for performance.
- Display event severity with both color coding and text labels — relying on color alone is not accessible, and text labels (Critical, High, Medium, Low) ensure all users can interpret severity regardless of color perception.

## Use cases

### Cloud workload security posture dashboard

Build a Retool dashboard showing all Trend Micro-protected computers with their security status: active protection modules, last policy update, last anti-malware scan, and recent event counts by severity. A Table with color-coded status indicators lets SecOps managers see at a glance which workloads have protection gaps or recent high-severity alerts. Filter controls narrow the view by policy group, cloud region, or event type.

Prompt example:

```
Build a Retool Trend Micro workload security dashboard that queries all protected computers via the Cloud One API. Show a Table with computer name, policy name, active protection modules, last scan time, and event counts (critical, high, medium, low) for the past 7 days. Color-code rows where critical events exceed 0 or where protection modules are disabled. Add a policy filter dropdown.
```

### Security event investigation panel

Create a Retool event investigation panel showing recent security events with severity classification, event type, source computer, and recommended remediation actions. Query intrusion prevention, anti-malware, and firewall events for a date range. A Bar Chart shows event volume by type and severity over time. Clicking an event row shows full event details including the threat name, detection method, and affected process.

Prompt example:

```
Build a Retool Trend Micro event investigation panel that queries security events for a selected computer or all computers for a date range. Show a Table with event time, severity, event type (anti-malware, IPS, firewall), computer name, threat name, and action taken. Add a Bar Chart of event count by severity per day. Include an event detail panel that shows on row click.
```

### Policy compliance and coverage report

Build a Retool compliance report showing which computers have the correct security policies applied, which modules (anti-malware, firewall, IPS, log inspection) are enabled, and which workloads are unprotected or running outdated patterns. Query computers and their policy assignments, then compare against required policy templates to identify coverage gaps. Export the compliance report as CSV for audit purposes.

Prompt example:

```
Build a Retool Trend Micro compliance report that queries all computers and their assigned policies via the Cloud One API. Compare policy assignments against a required policy list from a Retool database. Show a Table with computer name, assigned policy, compliance status, enabled modules, and pattern update age. Highlight non-compliant rows in red. Add a CSV export button.
```

## Troubleshooting

### API returns 401 Unauthorized with 'Missing or invalid API key' message

Cause: The api-secret-key header is not configured, uses an incorrect header name (e.g., Authorization instead of api-secret-key), or the API key has expired.

Solution: Verify the Resource has a header named exactly api-secret-key (all lowercase, hyphenated) with the API key value. Confirm the API key is still valid in the Cloud One console: Administration → API Keys — check the expiry date and status. If expired or revoked, generate a new API key and update the TRENDMICRO_API_KEY configuration variable.

### Computer search returns 403 Forbidden despite valid API key

Cause: The API key's associated role lacks Read permission for the Workload Security - Computers resource, or the API key is scoped to a different Cloud One service.

Solution: In the Cloud One console, navigate to Administration → API Keys. Find your API key and check its role assignment. The role must include Read (at minimum) for Workload Security. If the role is too restrictive, edit the role to add Workload Security read permissions, or create a new API key with a more permissive role. Update the configuration variable with the new key if regenerated.

### Event search returns 400 Bad Request when adding time-based search criteria

Cause: The timestamp value in the searchCriteria is in the wrong format — Cloud One expects Unix milliseconds (a number), not an ISO date string.

Solution: Ensure the time value in the searchCriteria is a numeric Unix millisecond timestamp, not a string. Convert date values to milliseconds: new Date('2024-01-01').getTime() returns 1704067200000. Do not wrap the value in quotes — it must be a JSON number, not a JSON string. Test with a hardcoded millisecond value first to isolate the issue from dynamic value generation.

```
// Correct searchCriteria format for time filtering
{
  "searchCriteria": [
    {
      "fieldName": "logDate",
      "numericTest": "greater-than",
      "numericValue": {{ new Date(dateRangePicker.value[0]).getTime() }}
    }
  ],
  "maxItems": 100,
  "sortType": "ID"
}
```

### Computer query succeeds but returns fewer computers than expected

Cause: The default maxItems for search endpoints is 10 or 25 in some Cloud One API versions, and computers beyond this limit are not returned without explicit pagination.

Solution: Add maxItems to the search request body with a higher value (e.g., 250 or 5000). For environments with more than 5000 computers, implement pagination using the searchCriteria with an ID greater-than filter, fetching subsequent pages starting after the last ID from the previous response. Retool Workflows are suited for multi-page data aggregation.

## Frequently asked questions

### What is the difference between Trend Micro Cloud One Workload Security and the other Cloud One services?

Trend Micro Cloud One is an umbrella platform with multiple security services: Workload Security protects servers and VMs (the most mature and API-rich service, covered in this guide), Container Security protects Kubernetes workloads, Network Security provides cloud network intrusion prevention, Application Security protects APIs and applications, and Conformity checks cloud configurations against compliance frameworks. Each service has its own API endpoints under the Cloud One API base URL.

### How do I find my Cloud One region, and how does it affect the API endpoint?

Your Cloud One region is visible in the console URL when logged in. The default US region uses cloudone.trendmicro.com. Regional deployments use subdomain prefixes: de-1.cloudone.trendmicro.com for Germany, au-1.cloudone.trendmicro.com for Australia, jp-1.cloudone.trendmicro.com for Japan, and similar patterns for other regions. Always use the API endpoint matching your account's region — cross-region API calls return 404 errors because data is not replicated across regions.

### Can I trigger security scans or policy changes from Retool?

Yes, if your API key role has Write permissions on the relevant resources. To trigger an anti-malware scan on a specific computer, POST to /workloadsecurity/computers/{id}/tasks/antimalwarescan. To change a computer's policy assignment, PUT to /workloadsecurity/computers/{id} with a body containing the new policyID. Always add confirmation dialogs before triggering scans or policy changes, as these operations can impact production workload performance.

### How far back do Trend Micro Cloud One security events go?

Trend Micro Cloud One retains security events for 90 days by default on standard plans. Enterprise plans may have extended retention. For longer-term security analytics, consider exporting events regularly to a time-series database or data warehouse using a Retool Workflow that runs on a schedule and stores events in Retool Database or a connected PostgreSQL instance.

### Does the Trend Micro API support webhook notifications for real-time event alerts?

Trend Micro Cloud One supports Event Forwarding rather than webhooks — you configure Cloud One to forward security events to a SIEM (Splunk, Elasticsearch, etc.) or a webhook endpoint via the Cloud One console under Event Forwarding settings. Retool Workflows can receive these forwarded events at a webhook trigger endpoint, enabling real-time event processing and notifications from Trend Micro Cloud One in your Retool environment.

---

Source: https://www.rapidevelopers.com/retool-integrations/trend-micro
© RapidDev — https://www.rapidevelopers.com/retool-integrations/trend-micro
