Trellix Endpoint Security (HX)

Samurai [Local] Collector	Samurai [Cloud] Collector

To complete this Integration you will need to:

1) Ensure Connectivity Requirements are in place

Connectivity Requirements

2) From the FireEye HX Console:

Create Users
Acquisition Setting
Enable Auto Triage
Data Acquisition Script Setting
Configuration for Log Collection
Polling Configuration

3) From the Samurai MDR portal:

Complete the Trellix Endpoint Security (HX) Integration

Connectivity Requirements

Source	Destination	Port	Description
Samurai Local Collector	Trellix Endpoint Security Server	TCP/443	API access
Trellix Endpoint Security Server	Samurai Local Collector	UDP/514 TCP/514	Log forwarding

Create Users

Users must be created with minimum roles in order to allow NTT to collect evidence information for analysis enrichment. For further reference please consult Chapter 3: Local Authentication of the Trellix FireEye System Security Guide (we reference v2021.1)

Perform the following steps:

Login to the Endpoint Security Web UI with admin access
Navigate to Admin > Appliance Settings
Click User Accounts and specify the following information to create a new user account for NTT:

Account	Parameter
User Name	you choose however we recommend: api_analyst_ntt
Role	api_admin
Password	[Set secure password]

NTT recommends that you set a password of minimum eight-character length, with random characters including digits and symbols, and that you set a different passwords for each account.

Verify the logins using the above accounts as you will need this information to Complete the Trellix Endpoint Security (HX) Integration

Acquisition Setting

Configure the Acquisition setting to enable triage file retrieval:

Login to the Endpoint Security Web UI with admin access
Navigate to Admin > Acquisition Settings
Turn on File & Data Acquisition.
Click Save.

For further reference please consult Configuring File Acquisition Settings in the Trellix Endpoint Security Server User Guide (we reference Release 5.3)

Enable Auto Triage

Configure the auto triage setting to make triage files available in the HX instance:

Login to the Endpoint Security Web UI with admin access
Navigate to Admin > Triage Settings
On the Automatic Triages settings page, toggle the Triage Settings switch to ON
Click Save.

For further reference please consult the Configuring Automatic Triage section in the Trellix Endpoint Security Server User Guide (we reference Release 5.3)

Data Acquisition Script Setting

Configure the Data Acquisition setting to enable event log retrieval:

Login to the Endpoint Security Web UI with admin access
Navigate to Admin > Data Acquisition Scripts
Click Standard Investigative Details.
On the Script Description page, click ACTIONS and select Edit
Click Event Logs and then enable Security logs in the Windows event logs section.
Click Save.

For further reference please consult the Acquisition Data Type Reference section in the Trellix Endpoint Security Server User Guide (we reference Release 5.3)

Configuration for Log Collection

Configure a syslog server (the Samurai Local Collector) using the CLI.

There is no remote syslog configuration by default.

# show logging 
  Local logging level: notice 
	Override for class cef: none 
  Remote syslog default level: notice.

Go to CLI Configuration mode and enter the following commands to configure syslog:

hostname > enable
hostname # configure terminal
hostname (config) # logging [IP Address of your Local Collector] trap none
hostname (config) # logging [IP Address of your Local Collector] trap overrride class cef 
priority info
hostname # logging [IP Address of your Local Collector] protocol tcp
hostname (config) # (config) # write memory

Configure RFC-3339 Time Format

hostname > enable
hostname # configure terminal
hostname (config) # logging fields timestamp format rfc-3339
hostname (config) # (config) # write memory

For further reference please consult Chapter 13: Log Management of the Endpoint Security Server System Administration Guide (we reference Release 5.3)

Polling Configuration

This configuration is not mandatory but recommended to configure certain parameters in order to fully align with our service.

Perform the following steps:

Login to the Endpoint Security Web UI with admin access
Navigate to Admin > Policies
From the Policies page, click Agent Default policy to edit the policy
From the Edit Policy page, select Polling and overwrite the parameters highlighted in the table below

Parameters	Time
① Polling agents	1 minute
② Fastpoll agents	30 seconds
③ Request sysinfo	10 minutes
④ Poll for agent config	15 minutes

Click Save to apply the configuration

For further reference please consult Configuring Polling from the Endpoint Security xAgent Administration Guide (we reference Release 35.31.0)

Complete the Trellix Endpoint Security (HX) Integration

Login to the Samurai MDR portal
Click Telemetry and select Integrations from the main menu
Click Create
Find and select Trellix Endpoint Security (HX)
Select the intended Samurai Local Collector
You will be presented with the Local Collector IP Address on the left of the screen
To configure Extended Telemetry Collection ensure it is enabled via the toggle
Enter the following information:
- Name for the Integration - the name will appear in the Samurai MDR portal for you to easily reference
- Description (optional) - if completed will appear in the Samurai MDR portal for you to easily reference)
- Devicename - an arbitrary name to identify FireEye HX
- Username - enter a username (created under Create Users)
- Password - specify password to use (created under Create Users)
- Hostname / IP - IP address or hostname of the manager
- Custom Port (optional)- if you have changed the default port enter the port number, if not, we default to 443
Click on Finish

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.