Collect Trellix Endpoint Security (HX) Bulk Acquisition Result Packages

Supported in:

This document explains how to collect Trellix Endpoint Security (HX) bulk data acquisition results by setting up a Google Security Operations feed using the Third-Party API.

You can acquire data from a host using the Endpoint Security (HX) Web UI. Multiple data acquisitions can be requested simultaneously from a host. In addition, you can select multiple hosts and request data acquisitions from them.

This feed supports the following types of event buffer audit results:

  • ipv4NetworkEvent
  • processEvent
  • fileWriteEvent
  • dnsLookupEvent
  • imageLoadEvent
  • regKeyEvent
  • urlMonitorEvent

Before you begin

Ensure that you have the following prerequisites:

  • A Google SecOps instance
  • Privileged access to the Trellix Endpoint Security (HX) management console
  • Trellix Endpoint Security (HX) with API access enabled
  • One of the following authentication credentials configured (see next section)

Configure Trellix HX API access

To enable Google SecOps to pull audit event data, you need API credentials from your Trellix HX environment. Trellix Local authentication uses a local user account on the HX appliance to generate an API token.

  1. Sign in to the Endpoint Security (HX) Web UI as an administrator.
  2. Go to Admin > Appliance Settings > User Accounts.
  3. Add a new user account with the api_analyst role for use with Google SecOps. Do not reuse the built-in api_analyst account.
  4. Copy and save the following values:
    • Username: The local HX account username.
    • Password: The local HX account password.

Configure a feed in Google SecOps to ingest Trellix HX audit event logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Trellix HX Audit Events).
  5. Select Third-Party API as the Source type.
  6. Select Trellix HX Audit Events as the Log type.
  7. Click Next.

  8. Specify values for the following input parameters:

    • HX Device URL: The URL of your HX device (for example, https://irbvzh7894.hex3.helix.apps.fireeye.com/).

    • Authentication: Trellix Local Auth

      • Username: Enter the local HX account username created for this integration.
      • Password: Enter the password for the username.
      • Token API Endpoint Path: /hx/api/v3/token
      • Token Header: X-FeApi-Token

    • Asset namespace: The asset namespace.

    • Ingestion labels: The label to be applied to the events from this feed.

  9. Click Next.

  10. Review your new feed configuration in the Finalize screen, and then click Submit.

After setup, the feed begins to retrieve audit event logs from the Trellix HX instance in chronological order.

Need more help? Get answers from Community members and Google SecOps professionals.