Trellix Endpoint Security (HX)


To complete this Integration you will need to:

1) Ensure Connectivity Requirements are in place

2) From the FireEye HX Console: create users, and configure acquisition, auto triage, data acquisition scripts, log collection and polling

3) From the Samurai MDR portal: complete the Trellix Endpoint Security (HX) Integration

Connectivity Requirements

Source                            Destination                       Port              Description
Samurai Local Collector           Trellix Endpoint Security Server  TCP/443           API access
Trellix Endpoint Security Server  Samurai Local Collector           UDP/514, TCP/514  Log forwarding

Create Users

Users must be created with the minimum roles that allow NTT to collect evidence information for analysis enrichment. For further reference please consult Chapter 3: Local Authentication of the Trellix FireEye System Security Guide (we reference v2021.1).

Perform the following steps:

  • Login to the Endpoint Security Web UI with admin access
  • Navigate to Admin > Appliance Settings
  • Click User Accounts and specify the following information to create a new user account for NTT:
Account     Parameter
User Name   Your choice; we recommend api_analyst_ntt
Role        api_admin
Password    [Set secure password]

NTT recommends that you set a password of minimum eight-character length, with random characters including digits and symbols, and that you set a different password for each account.

Verify that you can log in with the above account, as you will need these credentials to Complete the Trellix Endpoint Security (HX) Integration.

Acquisition Setting

Configure the Acquisition setting to enable triage file retrieval:

  • Login to the Endpoint Security Web UI with admin access
  • Navigate to Admin > Acquisition Settings
  • Turn on File & Data Acquisition.
  • Click Save.

For further reference please consult Configuring File Acquisition Settings in the Trellix Endpoint Security Server User Guide (we reference Release 5.3).

Enable Auto Triage

Configure the auto triage setting to make triage files available in the HX instance:

  • Login to the Endpoint Security Web UI with admin access
  • Navigate to Admin > Triage Settings
  • On the Automatic Triages settings page, toggle the Triage Settings switch to ON
  • Click Save.

For further reference please consult the Configuring Automatic Triage section in the Trellix Endpoint Security Server User Guide (we reference Release 5.3).

Data Acquisition Script Setting

Configure the Data Acquisition setting to enable event log retrieval:

  • Login to the Endpoint Security Web UI with admin access
  • Navigate to Admin > Data Acquisition Scripts
  • Click Standard Investigative Details.
  • On the Script Description page, click ACTIONS and select Edit
  • Click Event Logs and then enable Security logs in the Windows event logs section.
  • Click Save.

For further reference please consult the Acquisition Data Type Reference section in the Trellix Endpoint Security Server User Guide (we reference Release 5.3).

Configuration for Log Collection

Configure a syslog server (the Samurai Local Collector) using the CLI.

There is no remote syslog configuration by default. You can check the current state with show logging:

# show logging
  Local logging level: notice
  Override for class cef: none
  Remote syslog default level: notice.

  • Go to CLI Configuration mode and enter the following commands to configure syslog (the override sends only the cef class at info priority to the collector, over TCP):

hostname > enable
hostname # configure terminal
hostname (config) # logging [IP Address of your Local Collector] trap none
hostname (config) # logging [IP Address of your Local Collector] trap override class cef priority info
hostname (config) # logging [IP Address of your Local Collector] protocol tcp
hostname (config) # write memory

  • Configure RFC-3339 Time Format:

hostname > enable
hostname # configure terminal
hostname (config) # logging fields timestamp format rfc-3339
hostname (config) # write memory

For further reference please consult Chapter 13: Log Management of the Endpoint Security Server System Administration Guide (we reference Release 5.3).
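As a check an operator can run against what actually arrives at the Local Collector on port 514, the following added example (not from the original article, nor Trellix or NTT code) parses a syslog line and verifies that it carries the RFC 3339 timestamp and CEF message configured above. The sample lines, vendor, product and event fields are constructed placeholders, not real HX output.

```python
import re
from datetime import datetime

# Constructed sample lines: the first is what the collector should see after the
# rfc-3339 and "class cef" configuration, the second still uses the legacy BSD
# syslog timestamp and should be flagged.
SAMPLE_OK = ("2024-05-01T09:15:42Z hx-server CEF:0|ExampleVendor|ExampleHX|5.3|"
             "1001|Example alert|5|src=10.0.0.5 suser=api_analyst_ntt")
SAMPLE_BAD_TS = ("May  1 09:15:42 hx-server CEF:0|ExampleVendor|ExampleHX|5.3|"
                 "1001|Example alert|5|src=10.0.0.5")

# RFC 3339 timestamp, a hostname, then the CEF message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))\s+"
    r"(?P<host>\S+)\s+(?P<msg>CEF:.*)$")


def parse_cef_extension(ext: str) -> dict:
    # Extension values may contain spaces; a new key begins at " key=".
    # Escaped "\=" inside values is left as-is.
    return {k: v.strip() for k, v in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext)}


def parse_line(line: str) -> dict:
    """Return the parsed fields, or raise ValueError if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("timestamp is not RFC 3339 or message is not CEF")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    # CEF header has 7 pipe-separated fields; "\|" inside a field is escaped.
    parts = re.split(r"(?<!\\)\|", m["msg"], maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    return {"timestamp": ts, "host": m["host"], "vendor": parts[1],
            "product": parts[2], "version": parts[3], "signature_id": parts[4],
            "name": parts[5], "severity": parts[6],
            "extension": parse_cef_extension(parts[7])}


def check_feed(lines) -> tuple:
    """Count lines that match the expected format versus lines that do not."""
    ok = bad = 0
    for line in lines:
        try:
            parse_line(line)
            ok += 1
        except ValueError:
            bad += 1
    return ok, bad
```

A non-zero second count after the CLI changes means the appliance is still emitting a different timestamp format or a non-CEF class, which should be re-checked with show logging.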

Polling Configuration

This configuration is not mandatory, but we recommend setting the following parameters so that the agents fully align with our service.

Perform the following steps:

  • Login to the Endpoint Security Web UI with admin access
  • Navigate to Admin > Policies
  • From the Policies page, click Agent Default policy to edit the policy
  • From the Edit Policy page, select Polling and overwrite the parameters highlighted in the table below
Parameters               Time
① Polling agents         1 minute
② Fastpoll agents        30 seconds
③ Request sysinfo        10 minutes
④ Poll for agent config  15 minutes
  • Click Save to apply the configuration

For further reference please consult Configuring Polling from the Endpoint Security xAgent Administration Guide (we reference Release 35.31.0).

Complete the Trellix Endpoint Security (HX) Integration

  1. Login to the Samurai MDR portal

  2. Click Telemetry and select Integrations from the main menu

  3. Click Create

  4. Find and select Trellix Endpoint Security (HX)

  5. Select the intended Samurai Local Collector

  6. You will be presented with the Local Collector IP Address on the left of the screen

  7. To configure Extended Telemetry Collection ensure it is enabled via the toggle

  8. Enter the following information:

    • Name for the Integration - the name will appear in the Samurai MDR portal for you to easily reference
    • Description (optional) - if completed, will appear in the Samurai MDR portal for you to easily reference
    • Devicename - an arbitrary name to identify FireEye HX
    • Username - enter the username created under Create Users
    • Password - specify the password created under Create Users
    • Hostname / IP - IP address or hostname of the manager
    • Custom Port (optional) - if you have changed the default port enter the port number; if not, we default to 443
  9. Click on Finish

For general information on Integrations refer to the Integrations article.

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.