Trellix Endpoint Security (HX)
Samurai [Local] Collector | Samurai [Cloud] Collector | Samurai [Cloud Native] Collector |
---|---|---|
To complete this Integration you will need to:
1) Ensure Connectivity Requirements are in place
2) From the FireEye HX Console:
- Create Users
- Acquisition Setting
- Enable Auto Triage
- Data Acquisition Script Setting
- Configuration for Log Collection
- Polling Configuration
3) From the Samurai MDR portal:
- Complete the Trellix Endpoint Security (HX) Integration
Connectivity Requirements
Source | Destination | Port | Description |
---|---|---|---|
Samurai Local Collector | Trellix Endpoint Security Server | TCP/443 | API access |
Trellix Endpoint Security Server | Samurai Local Collector | UDP/514 TCP/514 | Log forwarding |
Create Users
Users must be created with the minimum roles required to allow NTT to collect evidence information for analysis enrichment. For further reference please consult Chapter 3: Local Authentication of the Trellix FireEye System Security Guide (we reference v2021.1).
Perform the following steps:
- Login to the Endpoint Security Web UI with admin access
- Navigate to Admin > Appliance Settings
- Click User Accounts and specify the following information to create a new user account for NTT:
Account | Parameter |
---|---|
User Name | Your choice; we recommend api_analyst_ntt |
Role | api_admin |
Password | [Set secure password] |
NTT recommends that you set a password of at least eight characters, made up of random characters including digits and symbols, and that you set a different password for each account.
Verify that you can log in with the account(s) created above; you will need these credentials to Complete the Trellix Endpoint Security (HX) Integration.
Acquisition Setting
Configure the Acquisition setting to enable triage file retrieval:
- Login to the Endpoint Security Web UI with admin access
- Navigate to Admin > Acquisition Settings
- Turn on File & Data Acquisition.
- Click Save.
For further reference please consult Configuring File Acquisition Settings in the Trellix Endpoint Security Server User Guide (we reference Release 5.3)
Enable Auto Triage
Configure the auto triage setting to make triage files available in the HX instance:
- Login to the Endpoint Security Web UI with admin access
- Navigate to Admin > Triage Settings
- On the Automatic Triages settings page, toggle the Triage Settings switch to ON
- Click Save.
For further reference please consult the Configuring Automatic Triage section in the Trellix Endpoint Security Server User Guide (we reference Release 5.3)
Data Acquisition Script Setting
Configure the Data Acquisition setting to enable event log retrieval:
- Login to the Endpoint Security Web UI with admin access
- Navigate to Admin > Data Acquisition Scripts
- Click Standard Investigative Details.
- On the Script Description page, click ACTIONS and select Edit
- Click Event Logs and then enable Security logs in the Windows event logs section.
- Click Save.
For further reference please consult the Acquisition Data Type Reference section in the Trellix Endpoint Security Server User Guide (we reference Release 5.3)
Configuration for Log Collection
Configure a syslog server (the Samurai Local Collector) using the CLI.
There is no remote syslog configuration by default.
```
# show logging
Local logging level: notice
Override for class cef: none
Remote syslog default level: notice.
```
- Go to CLI configuration mode and enter the following commands to configure syslog (replace the bracketed placeholder with the IP address of your Local Collector):
```
hostname > enable
hostname # configure terminal
hostname (config) # logging [IP Address of your Local Collector] trap none
hostname (config) # logging [IP Address of your Local Collector] trap override class cef priority info
hostname (config) # logging [IP Address of your Local Collector] protocol tcp
hostname (config) # write memory
```
- Configure the RFC-3339 timestamp format:
```
hostname > enable
hostname # configure terminal
hostname (config) # logging fields timestamp format rfc-3339
hostname (config) # write memory
```
For further reference please consult Chapter 13: Log Management of the Endpoint Security Server System Administration Guide (we reference Release 5.3)
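A collector-side check, added here as an example and not part of the vendor's or NTT's documentation: it parses syslog lines received from the HX server and confirms each one carries an RFC-3339 timestamp and a CEF record, i.e. that the `trap override class cef` and `timestamp format rfc-3339` commands above took effect. The sample lines, hostnames and CEF field values are constructed for the example.

```python
import re

# RFC-3339 timestamp, the format set by "logging fields timestamp format rfc-3339"
RFC3339 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})$")
# <PRI>TIMESTAMP HOST TAG: MESSAGE, as each line arrives on the collector
SYSLOG = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\S+) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
CEF_HEADER = ("version", "vendor", "product", "product_version", "signature_id", "name", "severity")

def split_cef(msg):
    """Split 'CEF:0|...' into its seven header fields plus the extension string.
    A backslash-escaped '|' inside a header field is data, not a separator."""
    if not msg.startswith("CEF:"):
        return None
    fields, cur, i = [], "", 4
    while i < len(msg) and len(fields) < 7:
        ch = msg[i]
        if ch == "\\" and i + 1 < len(msg):   # escaped character: keep it literally
            cur, i = cur + msg[i + 1], i + 2
        elif ch == "|":                        # field separator
            fields.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + ch, i + 1
    if len(fields) < 7:
        return None
    header = dict(zip(CEF_HEADER, fields))
    header["extension"] = msg[i:]              # remaining "key=value ..." pairs
    return header

def parse_hx_line(line):
    """Return (status, data); status is 'ok', 'bad_timestamp', 'not_cef' or 'unparsed'."""
    m = SYSLOG.match(line)
    if not m:
        return "unparsed", None
    if not RFC3339.match(m.group("ts")):
        return "bad_timestamp", m.groupdict()
    cef = split_cef(m.group("msg"))
    if cef is None:
        return "not_cef", m.groupdict()
    return "ok", {**m.groupdict(), **cef}

# Constructed sample lines (not real HX output): a correct CEF line, one whose
# timestamp lacks the timezone offset, and a non-CEF line from another daemon.
SAMPLE_LINES = [
    "<134>2024-05-01T10:15:30.123+00:00 hx-server fenotify: CEF:0|FireEye|HX|5.3|IOC Hit|IOC Hit|5|rt=1714558530123 src=10.0.0.5 shost=WS01",
    "<134>2024-05-01T10:15:31 hx-server fenotify: CEF:0|FireEye|HX|5.3|IOC Hit|IOC Hit|5|",
    "<134>2024-05-01T10:15:32+00:00 hx-server sshd: Accepted password for admin",
]
```

Run `parse_hx_line` over a few hundred lines captured on the collector; anything other than `ok` from the HX host points at a missed step in the CLI configuration above.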
Polling Configuration
This configuration is not mandatory, but we recommend setting the parameters below so that the agent polling intervals align with our service.
Perform the following steps:
- Login to the Endpoint Security Web UI with admin access
- Navigate to Admin > Policies
- From the Policies page, click Agent Default policy to edit the policy
- From the Edit Policy page, select Polling and set the parameters listed in the table below
Parameters | Time |
---|---|
① Polling agents | 1 minute |
② Fastpoll agents | 30 seconds |
③ Request sysinfo | 10 minutes |
④ Poll for agent config | 15 minutes |
- Click Save to apply the configuration
For further reference please consult Configuring Polling from the Endpoint Security xAgent Administration Guide (we reference Release 35.31.0)
Complete the Trellix Endpoint Security (HX) Integration
- Login to the Samurai MDR portal
- Click Telemetry and select Integrations from the main menu
- Click Create
- Find and select Trellix Endpoint Security (HX)
- Select the intended Samurai Local Collector
- You will be presented with the Local Collector IP Address on the left of the screen
- To configure Extended Telemetry Collection, ensure it is enabled via the toggle
Enter the following information:
- Name for the Integration - the name will appear in the Samurai MDR portal for you to easily reference
- Description (optional) - if completed, will appear in the Samurai MDR portal for you to easily reference
- Devicename - an arbitrary name to identify FireEye HX
- Username - enter the username created under Create Users
- Password - specify the password created under Create Users
- Hostname / IP - IP address or hostname of the Trellix Endpoint Security (HX) server (the manager)
- Custom Port (optional) - if you have changed the default port, enter the port number; otherwise we default to 443
Click Finish
For general information on Integrations refer to the Integrations article.
Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.