Collect Trellix Endpoint Security (HX) alert logs

Supported in:

This document explains how to collect Trellix Endpoint Security (HX) alert logs by setting up a Google Security Operations feed using the Third-Party API.

Trellix Endpoint Security (HX) is an endpoint detection and response platform that generates alerts when threats are detected on managed endpoints, including malware detections, exploit attempts, IOC matches, and real-time indicator alerts. Collecting these alerts in Google SecOps provides centralized visibility into endpoint threats for detection, investigation, and response workflows.

Before you begin

Ensure that you have the following prerequisites:

  • A Google SecOps instance
  • Privileged access to the Trellix Endpoint Security (HX) management console
  • Trellix Endpoint Security (HX) with API access enabled
  • One of the following authentication credentials configured (see next section)

Configure Trellix HX API access

To enable Google SecOps to pull alert data, you need API credentials from your Trellix HX environment.

  1. Sign in to the Endpoint Security (HX) Web UI as an administrator.
  2. Go to Admin > Appliance Settings > User Accounts.
  3. Add a new user account with the api_analyst role for use with Google SecOps. Do not reuse the built-in api_analyst account.
  4. Copy and save the following values:
    • Username: The local HX account username.
    • Password: The local HX account password.

Configure a feed in Google SecOps to ingest Trellix HX alert logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Trellix HX Alerts).
  5. Select Third-Party API as the Source type.
  6. Select Trellix HX Alerts as the Log type.
  7. Click Next.

  8. Specify values for the following input parameters:

    • HX Endpoint URL: The base URL of your HX appliance (for example, https://htapdeviceproxy.md.mandiant.net/dphb/hx/e32c3284-8317-48f4-b29d-7feb3babc4fc).

    • Authentication: Trellix Local Auth

      • Username: Enter the local HX account username created for this integration.
      • Password: Enter the password for the username.
      • Token API Endpoint Path: /hx/api/v3/token
      • Token Header: X-FeApi-Token

    • Asset namespace: The asset namespace.

    • Ingestion labels: The label to be applied to the events from this feed.

  9. Click Next.

  10. Review your new feed configuration in the Finalize screen, and then click Submit.

After setup, the feed begins to retrieve alert logs from the Trellix HX instance in chronological order.

Need more help? Get answers from Community members and Google SecOps professionals.