
Trellix_ePO


Parsing and modeling rules for Trellix ePO logs forwarded via syslog in XML format.

This pack includes:

  • Timestamp parsing.
  • XML format field extraction.
  • Log normalization - XDM mapping for key event types.

Supported Event Types:

Key McAfee/Trellix product event types: Threat Prevention, VirusScan, DLP, ATP and Endpoint Security.

Supported Timestamp Formats:

The timestamp is extracted from the GMTTime field, which uses the format yyyy-mm-ddTHH:MM:SS with no time-zone suffix; as the field name indicates, the value is in UTC.
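As an added illustration of what the pack's timestamp parsing, XML field extraction and XDM mapping amount to (this is example code written for this page, not the pack's own rules), the Python below takes one constructed ePO event as it would arrive over syslog, separates the RFC 5424 header from the XML payload, refuses any payload that carries a DTD, extracts the key fields, parses GMTTime as UTC, and maps the result to XDM-style names. The element layout, the sample values, the severity-label mapping and the XDM field names used here are assumptions for illustration; check them against your own ePO events and the pack's rules.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample of one ePO threat event as forwarded over syslog: an
# RFC 5424 header, then the XML document. Element names follow the ePO event
# schema (EPOEvent/MachineInfo/SoftwareInfo/Event); all values are made up.
SAMPLE_EVENT = (
    "<37>1 2024-11-26T10:15:33Z epo-server EPO - - - "
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<EPOEvent><MachineInfo>"
    "<MachineName>WS-0142</MachineName>"
    "<IPAddress>10.20.30.41</IPAddress>"
    "<UserName>CORP\\jdoe</UserName>"
    "</MachineInfo>"
    '<SoftwareInfo ProductName="Endpoint Security Threat Prevention" '
    'ProductVersion="10.7.0" ProductFamily="TVD">'
    "<Event>"
    "<EventID>1027</EventID>"
    "<Severity>3</Severity>"
    "<GMTTime>2024-11-26T10:15:30</GMTTime>"
    "<CommonFields>"
    "<ThreatName>EICAR test file</ThreatName>"
    "<ThreatActionTaken>deleted</ThreatActionTaken>"
    "<TargetFileName>C:\\Users\\jdoe\\Downloads\\eicar.com</TargetFileName>"
    "</CommonFields>"
    "</Event></SoftwareInfo></EPOEvent>"
)

# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD, then MSG.
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>\d\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
)

def split_syslog_frame(raw):
    """Return (header fields, XML payload); if the RFC 5424 header does not
    parse, fall back to locating the start of the XML document."""
    m = SYSLOG_HEADER.match(raw)
    if m:
        return m.groupdict(), raw[m.end():]
    start = raw.find("<?xml")
    if start < 0:
        start = raw.find("<EPOEvent")
    if start < 0:
        raise ValueError("no ePO XML payload found in syslog message")
    return {}, raw[start:]

def has_dtd(payload):
    """ePO events never carry a DTD; a DOCTYPE or ENTITY declaration in an
    ingested event is either corruption or an attempt at entity expansion."""
    return "<!DOCTYPE" in payload or "<!ENTITY" in payload

def parse_epo_xml(payload):
    """Parse with the standard library, refusing DTD-bearing documents first."""
    if has_dtd(payload):
        raise ValueError("DTD/entity declarations are not expected in ePO events")
    return ET.fromstring(payload.encode("utf-8"))

def parse_gmt_time(value):
    """GMTTime is yyyy-mm-ddTHH:MM:SS with no zone suffix. As the field name
    says, it is UTC, so attach that zone explicitly; a naive datetime would be
    read in the collector's local zone and shift the event time."""
    return datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

# Assumed mapping of ePO's numeric severity to XDM-style labels; check it
# against your ePO version before relying on it.
SEVERITY_LABELS = {0: "INFORMATIONAL", 1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}

def normalize(raw):
    """Flatten one syslog-forwarded ePO event into XDM-style keys (the key
    names are illustrative, not the pack's actual rule output)."""
    header, payload = split_syslog_frame(raw)
    root = parse_epo_xml(payload)
    software = root.find("SoftwareInfo")
    event = software.find("Event") if software is not None else None
    if event is None:
        raise ValueError("event lacks SoftwareInfo/Event")
    gmt = event.findtext("GMTTime")
    if gmt:
        event_time = parse_gmt_time(gmt)
    else:
        # Edge case: no GMTTime. Fall back to the syslog header timestamp
        # rather than silently stamping the event with "now".
        ts = header.get("ts")
        if not ts:
            raise ValueError("event has neither GMTTime nor a syslog timestamp")
        event_time = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    severity = int(event.findtext("Severity") or 0)
    return {
        "_time": event_time,
        "xdm.event.id": event.findtext("EventID"),
        "xdm.alert.severity": SEVERITY_LABELS.get(min(severity, 4), "INFORMATIONAL"),
        "xdm.observer.product": software.get("ProductName"),
        "xdm.source.host.hostname": root.findtext("MachineInfo/MachineName"),
        "xdm.source.ipv4": root.findtext("MachineInfo/IPAddress"),
        "xdm.source.user.username": root.findtext("MachineInfo/UserName"),
        "xdm.alert.name": event.findtext("CommonFields/ThreatName"),
        "xdm.event.outcome": event.findtext("CommonFields/ThreatActionTaken"),
        "xdm.target.file.path": event.findtext("CommonFields/TargetFileName"),
    }

if __name__ == "__main__":
    for key, value in normalize(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

Two details matter in practice: GMTTime carries no zone, so the parser has to pin it to UTC itself or the event time drifts by the collector's offset, and the ingest path should reject DTDs before parsing, since a syslog receiver that accepts any XML from the network is exactly where entity-expansion payloads are tried.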


Data Collection

To configure Trellix ePO to send logs to Cortex XSIAM, follow the steps below.

Trellix ePO side

  1. Log in to the Trellix ePO main console.
  2. On the main menu, go to Configuration > Registered Servers.
  3. Click New Server and select Syslog Server as the Server type, name it and click Next.
  4. In the Server name field, enter the IP address or fully qualified domain name (FQDN) of your Broker VM.
  5. Specify the port through which ePO will send logs to the Broker VM. The default port is 6514. ePO supports syslog event forwarding over TLS only, so this port must correspond to a Secure TCP listener on the Broker VM.
  6. Check Enable event forwarding.
  7. Click Test connection. If the test succeeds, click Save.
  • Note that Test connection only succeeds after the Broker VM side has been configured and the selected port has been opened on any firewall between ePO and the Broker VM.

For more information, see this article.

Cortex XSIAM side

To create or configure the Broker VM, use the information described here.

Broker VM

Follow the steps below to configure the Broker VM to receive Trellix ePO logs.

  1. Navigate to Settings > Configuration > Data Broker > Broker VMs.
  2. Go to the APPS column under the Brokers tab and add the Syslog app for the relevant broker instance. If the Syslog app already exists, hover over it and click Configure.
  3. Click Add New.
  4. When configuring the Syslog Collector, set the following parameters:

     | Parameter           | Value                                                                                                                  |
     |---------------------|------------------------------------------------------------------------------------------------------------------------|
     | Protocol            | Select Secure TCP.                                                                                                     |
     | Port                | Enter the syslog service port on which the Cortex XSIAM Broker VM should listen for events forwarded from Trellix ePO. |
     | Vendor              | Enter trellix.                                                                                                         |
     | Product             | Enter epo.                                                                                                             |
     | Server Certificate  | Select the .crt file you created. See the attached Trellix documentation for help with using openssl.                 |
     | Private Key         | Select the .key file you created.                                                                                      |
     | Minimal TLS Version | Select 1.2.                                                                                                            |
  5. After the data starts flowing into Cortex XSIAM, you can query the collected logs under the trellix_epo_raw dataset.

PUBLISHER

PLATFORMS

Cortex XSOAR, Cortex XSIAM

INFO

Supported By: Cortex
Created: November 26, 2024
Last Release: November 26, 2024

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.