This document applies to Classic/Legacy Integrations. You may continue to use these integration configurations. While no active development is happening for these integrations, we continue to provide Classic/Legacy Integrations in the product. You do not have to move to MSI Integrations. If your support engineer or TSC recommends or you choose to move to MSI Integrations, you can take advantage of the latest features and functionality. For more information, see the MSI Integration documentation in the Integrations Overview.
The Trellix Enterprise Security Manager Integration supports correlation events when using Trellix Enterprise Security Manager v10.x.
Update Trellix Enterprise Security Manager
To update Trellix Enterprise Security Manager
- Identify or create credentials to access Nitro with reporting permissions, at minimum.
- Ensure that the credentials use Greenwich Mean Time and "YYYY-MM-DD HH:MM:SS" date/time format.
Update the Validation Platform
Prerequisites
Information to gather before you start:
- IP address/host information used to access Trellix (ESM or ePO)
- Port for Trellix (ESM or ePO) communications (default is 443)
- Identify whether the protocol is HTTP or HTTPS for connections to the port (default is HTTPS)
Configuration
To add the Trellix Enterprise Security Manager integration
- Go to Settings > Integrations.
- Click Add Integration > Trellix Enterprise Security Manager.You can add this as either a Local or Remote Integration.
- Enter information for the Host, Port, Protocol, Username and Password or API Token.
- If necessary, modify the Query.
- Expand Advanced options.
- (Optional) Update Query time and Delay time.
The Query time is the amount of time (minutes) before and after the query runs that the platform looks for events, while the Delay time is the amount of time (minutes) that the platform waits to run the first query after a Job Action starts. For example, you configure your integration with the following values: Query time = 5, Query interval = 30 seconds, and Delay time = 0. When a Job Actions starts at 12:00:00, the first time the query runs, the platform looks for events from 11:55:00 to 12:00:00. Then 30 seconds later, it looks for events from 11:55:30 to 12:00:30. This interval continues, with the last query looking from 12:00:00 to 12:05:00. If you instead configured the Delay time to equal 10, it would run the same query, but it wouldn't start that query until 12:10:00.If your monitors are set to run more frequently than the query time, this configuration impacts the pass/fail results for AEDA monitors.
(Optional) Select Enable query for Host CLI Actions and configure the Query. This query will only be used when you run Host CLI Actions.
If you enable the Host CLI Actions query and use the %HOST_CLI_ACTOR_HOSTNAMES% variable, the platform will substitute the plain hostname and the information from the Alternate Hostname field on the Actor configuration page.(Optional) Select Enable query for Malicious DNS Actions and configure the Query. This query will only be used when you run Malicious DNS Actions or Captive DNS Actions.
(Optional) Select Enable query for Email Actions and configure the Query. This query will be only be used when you run Email Actions.
- Verify that the Device List Refresh Interval is correct.
- (Optional) Review and update the Device Type List information.
- Enter the McAfee version.If you are using version 11.0 or greater, you must enter your version number in this field to use the current version of Trellix Enterprise Security Manager's API. By default, version 10 is assumed.
- Modify the number of Query Checks and the Query Check Interval, if needed.
Modify the Query Interval and Event Time Adjustment, if necessary.
(Optional) Assign a Name.
(Optional) Choose Yes to save suspicious events.
Click Submit.
Verify Connectivity
To verify connectivity to Trellix Enterprise Security Manager
Click Test to verify that:
- The Director can communicate with Trellix Enterprise Security Manager IP address on the port specified.
- Credentials are valid and working.