Collect Trellix Endpoint Security (HX) host inventory logs

Supported in:

This document explains how to collect Trellix Endpoint Security (HX) host inventory logs by setting up a Google Security Operations feed using the Third-Party API.

Trellix Endpoint Security (HX) maintains an inventory of all managed hosts including hostname, operating system, agent version, domain membership, and last check-in status. Collecting host inventory data in Google SecOps enables asset tracking, compliance monitoring, and correlation of endpoint context with security events.

Before you begin

Ensure that you have the following prerequisites:

  • A Google SecOps instance
  • Privileged access to the Trellix Endpoint Security (HX) management console
  • Trellix Endpoint Security (HX) with API access enabled
  • One of the following authentication credentials configured (see next section)

Configure Trellix HX API access

To enable Google SecOps to pull host inventory data, you need API credentials from your Trellix HX environment.

  1. Sign in to the Endpoint Security (HX) Web UI as an administrator.
  2. Go to Admin > Appliance Settings > User Accounts.
  3. Add a new user account with the api_analyst role for use with Google SecOps. Do not reuse the built-in api_analyst account.
  4. Copy and save the following values:
    • Username: The local HX account username.
    • Password: The local HX account password.

Configure a feed in Google SecOps to ingest Trellix HX host inventory logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Trellix HX Hosts).
  5. Select Third-Party API as the Source type.
  6. Select Trellix HX Hosts as the Log type.
  7. Click Next.

  8. Specify values for the following input parameters:

    • HX Device URL: The URL of your HX device (for example, https://irbvzh7894.hex3.helix.apps.fireeye.com/).

    • Authentication: Trellix Local Auth

      • Username: Enter the local HX account username created for this integration.
      • Password: Enter the password for the username.
      • Token API Endpoint Path: /hx/api/v3/token
      • Token Header: X-FeApi-Token

    • Asset namespace: The asset namespace.

    • Ingestion labels: The label to be applied to the events from this feed.

  9. Click Next.

  10. Review your new feed configuration in the Finalize screen, and then click Submit.

After setup, the feed begins to retrieve host inventory logs from the Trellix HX instance in chronological order.

Need more help? Get answers from Community members and Google SecOps professionals.