Trellix EDR
The Trellix EDR event source enables Rapid7 MDR to ingest endpoint detection alerts from the Trellix EDR platform.
This integration is limited to Trellix EDR and does not support Trellix ePolicy Orchestrator (ePO), which is designed for endpoint policy management rather than detailed threat telemetry.
Page Updated for EA Release
This content reflects updates made for the Early Access (EA) release of the cloud service event source integration with Trellix EDR.
Scope
Trellix EDR produces two object types:
- Alerts – discrete detection events containing process, user, and host context.
- Threats – collections of related alerts grouped by Trellix correlation logic.
Rapid7 MDR collects alerts because they provide the detailed telemetry needed for investigation and response. While “threats” offer a high-level roll-up, they can suppress critical raw data. MDR ensures customers still gain this higher-level context by correlating related alerts into Investigations within SIEM (InsightIDR).
Requirements
To configure this event source, you must generate and provide the following:
- Client ID
- Client Secret
- API Token
Generate the Trellix EDR API token, Client ID, and Client Secret
- Log in to the Trellix UAM portal: https://uam.ui.trellix.com/clientcreds.html
- Record the API Token displayed above the Token Endpoint.
- Create a new client:
- On the top right of the screen, click Add.
- Select the EDR threats scope (soc.act.tg).
- Click Create.
- Record the Client ID and Client Secret shown after creation. These are only displayed once.
Configure the Trellix EDR event source in SIEM (InsightIDR)
Task 1: Select Trellix EDR
- From the Command Platform main menu, go to Data Connectors > Data Collectors.
- Go to the Event Sources tab, then click Add Event Source.
- Do one of the following:
- Search for Trellix EDR in the event sources search bar.
- In the Product Type filter, select Cloud Service.
- Select the Trellix EDR event source tile.
Task 2: Set up your collection method
- Name the event source. This will become the name of the log that contains the event data in Log Search.
- Optionally, select the option to send unparsed data.
- Click Add a New Connection.
- In the Create a Cloud Connection screen, enter a name for the new connection.
- In the API Token field, enter the API Token that you obtained in the requirements.
- In the Client ID field, enter the Client ID that you obtained in the requirements.
- In the Client Secret field, enter the Client Secret that you obtained in the requirements.
- Click Save & Test Connection.
- Click Save.
Example Alert
The following example alert is taken from the Trellix EDR documentation.
{
"type": "alerts",
"id": "01b51c67-0904-c5cf-002a-7003d125b2a2.346565425a0b6b2b7174aa555f67a043",
"attributes": {
"Trace_Id": "71d3a718-9095-494c-ada5-7134dbeaa564",
"Parent_Trace_Id": "ffc4c8eb-6cf9-4b59-8416-b14d55d290dd",
"Root_Trace_Id": "ffc4c8eb-6cf9-4b59-8416-b14d55d290dd",
"DetectionDate": "2024-06-19T07:44:55.708+00:00",
"Event_Date": "2024-06-19T07:43:17.567Z",
"Activity": "Threat Detected",
"Severity": "s0",
"Score": 25,
"Detection_Tags": [
"@ATA.Execution",
"@ATA.Persistence",
"@ATA.PrivilegeEscalation",
"@ATE.T1059",
"@ATE.T1547.009",
"@MSI._file_sysscript"
],
"Related_Trace_Id": [
"22ee44a6-3b26-4bb5-811e-c5e399069a64"
],
"RuleId": "_file_sysscript",
"Rank": 25,
"Pid": 6600,
"Version": "undefined",
"Parents_Trace_Id": [
"ffc4c8eb-6cf9-4b59-8416-b14d55d290dd",
"5824f090-791e-47d5-a5ba-3abcb4f9d2b9",
"599463c2-7f27-41c0-a096-21de1018bfa8",
"5e910e15-c8d4-4724-af28-09be2b48abd9"
],
"ProcessName": "SDXHelper.exe",
"User": {
"domain": "CDA",
"name": "cdaauto"
},
"CommandLine": "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\SDXHelper.exe\" -Embedding",
"Hash_Id": "h7GhOs3Jm6Buj+LuzOOHBg==",
"Host_OS": "windows",
"Host_Name": "302W1022H264",
"MAGUID": "ADB3C24C-232B-11EF-3D71-005056AC48D2",
"Artifact": "Threat"
}
}
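As an added example (not Rapid7's or Trellix's code), the following Python flattens alert records of the shape shown above into the fields an analyst pivots on and buckets related alerts together. The reading of @ATA.* tags as ATT&CK tactics and @ATE.* tags as technique IDs is inferred from the sample's values, and grouping on Root_Trace_Id is an illustrative assumption, not how InsightIDR builds Investigations; the sample alerts are constructed.

```python
from collections import defaultdict

# Constructed sample alerts shaped like the record above (values illustrative, not real).
SAMPLE_ALERTS = [
    {"type": "alerts", "id": "alert-1", "attributes": {
        "Root_Trace_Id": "root-aaaa", "DetectionDate": "2024-06-19T07:44:55.708+00:00",
        "Severity": "s0", "Score": 25, "RuleId": "_file_sysscript",
        "Detection_Tags": ["@ATA.Execution", "@ATA.Persistence", "@ATE.T1059", "@ATE.T1547.009", "@MSI._file_sysscript"],
        "ProcessName": "SDXHelper.exe", "User": {"domain": "CDA", "name": "cdaauto"},
        "Host_Name": "302W1022H264"}},
    {"type": "alerts", "id": "alert-2", "attributes": {
        "Root_Trace_Id": "root-aaaa", "DetectionDate": "2024-06-19T07:46:02.100+00:00",
        "Severity": "s1", "Score": 60, "RuleId": "_constructed_rule",
        "Detection_Tags": ["@ATA.PrivilegeEscalation", "@ATE.T1547.009"],
        "ProcessName": "powershell.exe", "User": {"domain": "CDA", "name": "cdaauto"},
        "Host_Name": "302W1022H264"}},
]

def parse_tags(tags):
    """@ATA.* tags read as ATT&CK tactics, @ATE.* as technique/sub-technique IDs (inferred); keep the rest verbatim."""
    out = {"tactics": [], "techniques": [], "other": []}
    for tag in tags:
        if tag.startswith("@ATA."):
            out["tactics"].append(tag[5:])
        elif tag.startswith("@ATE."):
            out["techniques"].append(tag[5:])
        else:
            out["other"].append(tag)
    return out

def normalize_alert(alert):
    """Flatten one alert record into the fields an analyst pivots on."""
    a = alert["attributes"]
    user = a.get("User") or {}
    return {"id": alert["id"], "root_trace": a.get("Root_Trace_Id"),
            "detected_at": a.get("DetectionDate") or "", "score": a.get("Score") or 0,
            "rule": a.get("RuleId"), "host": a.get("Host_Name"),
            "user": f"{user.get('domain', '')}\\{user.get('name', '')}",
            "process": a.get("ProcessName"), **parse_tags(a.get("Detection_Tags") or [])}

def group_by_root_trace(alerts):
    """Assumed grouping: alerts sharing a Root_Trace_Id, time-ordered, with union of techniques and peak score."""
    buckets = defaultdict(list)
    for alert in alerts:
        n = normalize_alert(alert)
        buckets[n["root_trace"]].append(n)
    return {root: {"alerts": sorted(items, key=lambda n: n["detected_at"]),
                   "max_score": max(n["score"] for n in items),
                   "techniques": sorted({t for n in items for t in n["techniques"]})}
            for root, items in buckets.items()}
```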
Notes
- Only alerts are ingested; “threats” are excluded by design.
- Alerts are automatically correlated into Investigations in SIEM (InsightIDR) to provide higher-level visibility.
- Ensure the EDR threats scope (soc.act.tg) is selected; without it, data will not flow.
- Store credentials securely. Client secrets cannot be retrieved again after creation.