Trellix

Overview

Configuring a cloud source in Scope is a two-step process.

  • Generating Trellix API credentials in the Trellix Console. Please refer to Section 1 – Trellix Setup

  • Setting up the Trellix cloud source in the Scope application. Please refer to Section 2 – Scope Setup

Trellix Setup

To get started, you'll need to generate the following credentials in the Trellix ePO Console or Trellix Developer Portal:

  1. Client ID
  2. Client Secret
  3. API Key

Step 1: Obtain the Client ID, Client Secret and API Key

  • Log into the Trellix Developer Portal.

  • Navigate to the Self Service tab.

  • Under API Access Management, click Configure.

  • In the API Access Management screen:

    • Copy the generated API Key.

    • Enter a user-defined name in the Client Type field.

    • Select the Events API.

    • Click Select All under the method types to enable ingestion of threat events.

    • Click Request.

      Note: Client types and scopes are governed by Trellix and may take a few days for review and approval. Trellix may contact the customer for additional details before approving the client type and scope.

  • Once the Client Type and Scope are approved, generate the Client ID and Client Secret.

Configure the API Key, Client ID and Client Secret in Scope Setup: Step 1 to start Trellix log ingestion.


Scope Setup

Step 1: Trellix Cloud Source Registration in the Scope Application

Once the credentials are generated, they must be configured in the Scope application to establish the connection and enable data ingestion from the Trellix environment.

To register a Trellix cloud source in the Scope application, navigate to the cloud source registration page:

  • Log into the Scope application

  • Select the required Organization from the Organization dropdown

  • Navigate to the side menu -> Administration

  • Navigate to the Cloud sources tab

  • Click on the +Add Source button

  • In the Add Source pop-up, provide the parameters below.

    • Source: Select the Trellix source from the Source dropdown.

    • Site: The user-defined name for the Trellix cloud source.

    • Client ID: The Client ID generated in Trellix Setup: Step 1.

    • Client Secret: The Client Secret generated in Trellix Setup: Step 1.

    • API Key: The API Key generated in Trellix Setup: Step 1.

    • Polling Interval: The polling interval for making periodic API calls to the Trellix ePO API. The user can select the time interval from the dropdown.

    • Contact Email: The email address of the person who registers the Trellix cloud source in Scope.

Once the required connection parameters are entered, the Trellix cloud source registration is complete in Scope and is ready for ingestion of Trellix logs.