Trellix

Visualize Trellix Endpoint protection groups and its corresponding protected devices and findings and monitor changes through alerts and queries.

Installation guide

Installation

To use this integration, JupiterOne requires Client Credentials to a Trellix account. The process to obrain credentials is described in Trellix documentation under the 'API Access Management' section. There, you will need to request a client ID and Secret. Follow instructions specified and make sure you request a client that has access to at least the following scopes:

• Devices Read Scope (epo.device.r)
• Groups Read Scope (epo.grps.r)
• Threats Read Scope (soc.act.tg)

After requesting the client, you will need to wait for Trellix to approve it. Once approved you will get the Cliend ID and Secret that you can use to integrate with JupiterOne.

Configuration in JupiterOne

To install the Trellix integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Trellix. Click New Instance to begin configuring your integration, providing the following:

• API Key: unique identifier used to authenticate and control access to Trellix API. You should be able to find it here

• Client ID: Public identifier for the client created for Jupiter One who must have access to the previously mentioned scopes.

• Client Secret: Private key pair of the Client ID, both are necessary to be able to authenticate the user in Trellix.

• Account Name used to identify the Trellix account in JupiterOne.

• Description to assist in identifying the integration instance, if desired.

• Vulnerability Filters: here you will be able to customize what severities you want to fetch when retrieving threats.

• Data Source Settigns: here you will be able to customize the steps to be ingested. If desired, specific steps can be enabled/disabled from here.

• Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.

Trellix data model

Data Model

Entities

The following entities are created:

Resources	Entity _type	Entity _class
Account	trellix_account	Account
Device	trellix_device	Device
Group	trellix_group	Group
Service	trellix_endpoint_protection	Service
Threat	trellix_threat	Finding

Relationships

The following relationships are created:

Source Entity _type	Relationship _class	Target Entity _type
trellix_account	HAS	trellix_device
trellix_account	HAS	trellix_endpoint_protection
trellix_account	HAS	trellix_group
trellix_device	ASSIGNED	trellix_group
trellix_threat	EXPLOITS	trellix_device

Trellix types

Trellix Account

trellix_account inherits from Account

Property	Type	Description	Specifications
description	string

---

Trellix Endpoint Protection

trellix_endpoint_protection inherits from Service

---

Trellix Group

trellix_group inherits from Group

Property	Type	Description	Specifications
groupTypeId	number
parentId	number
l1ParentId	number
l2ParentId	number
nodePath	string
nodeTextPath	string
nodeTextPath2	string
notes	array of strings

---

Trellix Device

trellix_device inherits from Device

Property	Type	Description	Specifications
hardwareVendor	string
hardwareModel	string
hardwareSerial	string
name	string
parentId	number
agentState	number
nodePath	string
agentPlatform	string
agentVersion	string
createdOn	number
managed	string
tenantId	number
tags	array of strings
excludedTags	string
managedState	number
computerName	string
domainName	string
ipAddress	string
cpuType	string
cpuSpeed	number
numOfCpu	number
totalPhysicalMemory	number
macAddress	string
userName	string
ipHostName	string
isPortable	string

---