Trellix

Visualize Trellix Endpoint protection groups and their corresponding protected devices and findings, and monitor changes through alerts and queries.

Installation

To use this integration, JupiterOne requires client credentials for a Trellix account. The process to obtain credentials is described in the Trellix documentation under the 'API Access Management' section. There, you will need to request a client ID and secret. Follow the instructions specified and make sure you request a client that has access to at least the following scopes:

  • Devices Read Scope (epo.device.r)
  • Groups Read Scope (epo.grps.r)
  • Threats Read Scope (soc.act.tg)

After requesting the client, you will need to wait for Trellix to approve it. Once approved, you will get the Client ID and Secret that you can use to integrate with JupiterOne.

Configuration in JupiterOne

To install the Trellix integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Trellix. Click New Instance to begin configuring your integration, providing the following:

  • API Key: unique identifier used to authenticate and control access to the Trellix API. You should be able to find it here

  • Client ID: Public identifier for the client created for JupiterOne, which must have access to the previously mentioned scopes.

  • Client Secret: Private key paired with the Client ID; both are necessary to authenticate the user in Trellix.

  • Account Name used to identify the Trellix account in JupiterOne.

  • Description to assist in identifying the integration instance, if desired.

  • Vulnerability Filters: here you can customize which severities to fetch when retrieving threats.

  • Data Source Settings: here you can customize the steps to be ingested. If desired, specific steps can be enabled or disabled from here.

  • Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.