Collect Trellix Endpoint Security (HX) host inventory logs

Supported in:

This document explains how to collect Trellix Endpoint Security (HX) host inventory logs by setting up a Google Security Operations feed using the Third-Party API.

Trellix Endpoint Security (HX) maintains an inventory of all managed hosts including hostname, operating system, agent version, domain membership, and last check-in status. Collecting host inventory data in Google SecOps enables asset tracking, compliance monitoring, and correlation of endpoint context with security events.

Before you begin

Ensure that you have the following prerequisites:

  • A Google SecOps instance
  • Privileged access to the Trellix Endpoint Security (HX) management console
  • Trellix Endpoint Security (HX) with API access enabled
  • One of the following authentication credentials configured (see next section)

Configure Trellix HX API access

To enable Google SecOps to pull host inventory data, you need API credentials from your Trellix HX environment. Choose one of the following authentication methods.

Option A: Trellix IAM authentication

Trellix IAM authentication uses client credentials issued from the Trellix IAM dashboard.

  1. Sign in to the Trellix IAM dashboard (the URL ends with trellix.com).
  2. Hover over the user menu icon in the upper-right corner and select Client Credentials.
  3. Click Add.
  4. Enter a description (for example, Google SecOps HX Hosts Integration).
  5. Select the required service scopes for HX API access.
  6. Click Create.
  7. The Client Secret appears in a dialog and is only displayed once. Copy and store it securely now, as it cannot be viewed again.
  8. Copy and save the following values from the Client Credentials Management page:

    • Client ID
    • Client Secret
    • Token Scope (the service scope you selected)

Option B: Trellix Local authentication

Trellix Local authentication uses a local user account on the HX appliance to generate an API token.

  1. Sign in to the Endpoint Security (HX) Web UI as an administrator.
  2. Go to Admin > Appliance Settings > User Accounts.
  3. Add a new user account with the api_analyst role for use with Google SecOps. Do not reuse the built-in api_analyst account.
  4. Copy and save the following values:
    • Username: The local HX account username.
    • Password: The local HX account password.
    • Token API Endpoint Path: The API endpoint path used to request the token (for example, /hx/api/v3/token).
    • Token Header: The HTTP header that carries the authentication token (for example, X-FeApi-Token).
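Before saving the feed, it is worth confirming that the Local authentication values actually yield a token. The script below is an added example, not part of this document or of the Google SecOps or Trellix products; it assumes the HX token endpoint accepts HTTP Basic authentication and returns the token in the response header named by the Token Header parameter, and takes the same four values the feed form asks for.

```python
"""Pre-check for the Trellix Local authentication feed parameters.

Assumption (not from the document): the token endpoint is called with a GET
request carrying HTTP Basic credentials, and the token comes back in the
response header named by Token Header.
"""
import base64
import sys
import urllib.request


def token_url(device_url: str, token_path: str) -> str:
    """Join HX Device URL and Token API Endpoint Path without a doubled or missing slash."""
    return device_url.rstrip("/") + "/" + token_path.lstrip("/")


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value for the token request (HTTP Basic)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def extract_token(headers, token_header: str):
    """Return the token from (name, value) response headers; header names are
    matched case-insensitively because proxies may change their casing."""
    wanted = token_header.lower()
    for name, value in headers:
        if name.lower() == wanted and value.strip():
            return value.strip()
    return None


def fetch_token(device_url, token_path, token_header, username, password, timeout=15):
    """Request a token from the appliance; None means the expected header was absent,
    which usually indicates a wrong Token Header or Token API Endpoint Path value."""
    req = urllib.request.Request(token_url(device_url, token_path), method="GET")
    req.add_header("Authorization", basic_auth_header(username, password))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_token(resp.getheaders(), token_header)


if __name__ == "__main__":
    # Usage: python hx_precheck.py <HX Device URL> <username> <password>
    url, user, pw = sys.argv[1:4]
    tok = fetch_token(url, "/hx/api/v3/token", "X-FeApi-Token", user, pw)
    print("token received" if tok else "no token header in response; check the Token Header value")
```

The token itself is never printed, so the script can be run from a shared jump host without leaking the credential into shell history or logs.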

Configure a feed in Google SecOps to ingest Trellix HX host inventory logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Trellix HX Hosts).
  5. Select Third-Party API as the Source type.
  6. Select Trellix HX Hosts as the Log type.
  7. Click Next.
  8. Specify values for the following input parameters:

    • HX Device URL: The URL of your HX device (for example, https://irbvzh7894.hex3.helix.apps.fireeye.com/).
    • Authentication: Select the authentication method and provide the corresponding credentials:

      • Trellix IAM Auth: Enter the Client ID, Client Secret, and Token Scope.
      • Trellix Local Auth: Enter the Username, Password, Token API Endpoint Path, and Token Header.
    • Asset namespace: The asset namespace.

    • Ingestion labels: The label to be applied to the events from this feed.

  9. Click Next.

  10. Review your new feed configuration in the Finalize screen, and then click Submit.

After setup, the feed begins to retrieve host inventory logs from the Trellix HX instance in chronological order.
