
Trellix Endpoint Security (HX)


    To complete this Integration you will need to:

    1) Ensure Connectivity Requirements are in place

    2) From the FireEye HX Console:

    3) From the Samurai MDR portal:

    Connectivity Requirements

    Source                             Destination                        Port      Description
    Samurai Local Collector            Trellix Endpoint Security Server   TCP/443   API access
    Trellix Endpoint Security Server   Samurai Local Collector            UDP/514   Log forwarding
                                                                          TCP/514

    Create Users

    Perform the following steps:

    • Login to the Endpoint Security Web UI with admin access
    • Navigate to Admin > Appliance Settings
    • Click User Accounts and specify the following information to create a new user account for NTT:
    Account     Parameter
    User Name   You choose; however, we recommend: api_analyst_ntt
    Role        api_admin
    Password    [Set secure password]

    Verify that you can log in with the account above; you will need these credentials to Complete the Trellix Endpoint Security (HX) Integration.

    Acquisition Setting

    Configure the Acquisition setting to enable triage file retrieval:

    • Login to the Endpoint Security Web UI with admin access
    • Navigate to Admin > Acquisition Settings
    • Turn on File & Data Acquisition.
    • Click Save.

    Enable Auto Triage

    Configure the auto triage setting to make triage files available in the HX instance:

    • Login to the Endpoint Security Web UI with admin access
    • Navigate to Admin > Triage Settings
    • On the Automatic Triages settings page, toggle the Triage Settings switch to ON
    • Click Save.

    Data Acquisition Script Setting

    Configure the Data Acquisition setting to enable event log retrieval:

    • Login to the Endpoint Security Web UI with admin access
    • Navigate to Admin > Data Acquisition Scripts
    • Click Standard Investigative Details.
    • On the Script Description page, click ACTIONS and select Edit
    • Click Event Logs and then enable Security logs in the Windows event logs section.
    • Click Save.

    Configuration for Log Collection

    Configure a syslog server (the Samurai Local Collector) using the CLI. The current logging configuration can be displayed with show logging:

    # show logging 
      Local logging level: notice 
    	Override for class cef: none 
      Remote syslog default level: notice.
    
    • Go to CLI Configuration mode and enter the following commands to configure syslog:
    hostname > enable
    hostname # configure terminal
    hostname (config) # logging [IP Address of your Local Collector] trap none
    hostname (config) # logging [IP Address of your Local Collector] trap override class cef priority info
    hostname (config) # logging [IP Address of your Local Collector] protocol tcp
    hostname (config) # write memory
    
    • Configure RFC-3339 Time Format
    hostname > enable
    hostname # configure terminal
    hostname (config) # logging fields timestamp format rfc-3339
    hostname (config) # write memory
    
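    As an added example (not part of the original guide or the vendor's own code), the following Python parses syslog lines of the shape the Local Collector receives after the commands above: it accepts only the RFC-3339 timestamp the appliance emits once the time format is set, reads the syslog PRI to confirm the info level configured for class cef, and splits the CEF record into header fields and extensions. The sample lines, vendor/product strings and field values are constructed for illustration, not captured HX output.

```python
import re
from datetime import datetime
# Constructed sample lines (shape only, not captured HX output). Line 1 carries the RFC-3339
# timestamp the rfc-3339 setting produces; line 2 uses a legacy BSD-style timestamp (no year,
# no timezone) that cannot be placed on an absolute timeline, so the parser rejects it.
SAMPLE_LINES = [
    "<134>2024-05-01T12:34:56.123+00:00 hx-appliance cef: CEF:0|FireEye|HX|5.3.0|IOC_HIT|"
    "Indicator match|8|rt=1714566895000 shost=WS-0042 dst=10.0.0.5 msg=Indicator hit on host",
    "<134>May  1 12:34:56 hx-appliance cef: CEF:0|FireEye|HX|5.3.0|x|y|1|shost=WS-0043",
]
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
RFC3339_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")
CEF_KEYS = ["version", "vendor", "product", "dev_version", "sig_id", "name", "severity"]

def parse_cef(text):
    """Split a CEF record into its seven header fields plus an extension dict."""
    parts = re.split(r"(?<!\\)\|", text[text.index("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    rec = dict(zip(CEF_KEYS, parts[:7]))
    rec["version"] = rec["version"].split(":", 1)[1]
    rec["severity"] = int(rec["severity"])
    # Extension values may contain spaces, so split only in front of the next key=.
    pairs = (t.split("=", 1) for t in re.split(r"\s+(?=\w+=)", parts[7].strip()) if "=" in t)
    rec["ext"] = dict(pairs)
    return rec

def parse_line(line):
    """Parse one forwarded syslog line; reject anything without an RFC-3339 timestamp."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line")
    if not RFC3339_RE.match(m["ts"]):
        raise ValueError("timestamp is not RFC-3339: " + m["ts"])
    pri = int(m["pri"])  # PRI = facility * 8 + severity; severity 6 is info
    return {
        "facility": pri // 8, "severity": pri % 8,
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "host": m["host"], "cef": parse_cef(m["msg"]),
    }

def parse_feed(lines):
    """Return (accepted records, rejected (line, reason) pairs) for a batch of lines."""
    ok, bad = [], []
    for ln in lines:
        try:
            ok.append(parse_line(ln))
        except ValueError as e:
            bad.append((ln, str(e)))
    return ok, bad
```

Running parse_feed(SAMPLE_LINES) accepts the first line and reports the second with the reason the timestamp was rejected.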

    Polling Configuration

    This configuration is not mandatory, but we recommend setting the following parameters so that the agent fully aligns with our service.

    Perform the following steps:

    • Login to the Endpoint Security Web UI with admin access
    • Navigate to Admin > Policies
    • From the Policies page, click Agent Default policy to edit the policy
    • From the Edit Policy page, select Polling and overwrite the parameters highlighted in the table below
    Parameters                 Time
    ① Polling agents           1 minute
    ② Fastpoll agents          30 seconds
    ③ Request sysinfo          10 minutes
    ④ Poll for agent config    15 minutes
    • Click Save to apply the configuration

    Complete the Trellix Endpoint Security (HX) Integration

    1. Login to the Samurai MDR portal

    2. Click Telemetry and select Integrations from the main menu

    3. Click Create

    4. Find and select Trellix Endpoint Security (HX)

    5. Select the intended Samurai Local Collector

    6. You will be presented with the Local Collector IP Address on the left of the screen

    7. To configure Extended Telemetry Collection ensure it is enabled via the toggle

    8. Enter the following information:

      • Name for the Integration - the name will appear in the Samurai MDR portal for you to easily reference
      • Description (optional) - if completed, will appear in the Samurai MDR portal for you to easily reference
      • Devicename - an arbitrary name to identify FireEye HX
      • Username - enter a username (created under Create Users)
      • Password - specify password to use (created under Create Users)
      • Hostname / IP - IP address or hostname of the manager
      • Custom Port (optional) - if you have changed the default port, enter the port number; if not, we default to 443
    9. Click on Finish

    Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.