Merge pull request #1453 from SEKOIA-IO/feature/vg_trellix_edr_integr…

…ation Feature: Trellix EDR integration
SEKOIA-IO · Mar 12, 2024 · 382792f · 382792f
2 parents 730413b + 680ca53
commit 382792f
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 1 deletion.
diff --git a/docs/xdr/features/collect/integrations/endpoint/trellix_edr.md b/docs/xdr/features/collect/integrations/endpoint/trellix_edr.md
@@ -0,0 +1,35 @@
+uuid: 954a6488-6394-4385-8427-621541e881d5
+name: Trellix EDR
+type: intake
+
+## Overview
+
+Trellix has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.
+
+!!! warning
+    Important note - This format is currently in alpha. We highly value your feedback to improve its performance.
+
+{!_shared_content/operations_center/detection/generated/suggested_rules_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.md!}
+
+{!_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md!}
+
+## Configure
+
+This setup guide will show you how to forward your Trellix EDR events to Sekoia.io.
+
+### Configure OAuth
+
+1. Get `client_id`, `client_secret` and `x-api-token` from your Trellix profile. Ensure that the following scopes are associated to your credentials: soc.act.tg
+2. Make sure you have access to events by making a request from the [documentation](https://developer.manage.trellix.com/mvision/apis/threats)
+
+### Create an intake
+
+Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Trellix EDR. Copy the intake key.
+
+### Pull events
+
+To start to pull events, you have to:
+
+1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Trellix](../../../automate/library/trellix.md) trigger
+2. Set up the module configuration with the Client Id and Client Secret. Set up the trigger configuration with the intake key
+3. Start the playbook and enjoy your events
diff --git a/docs/xdr/features/collect/integrations/endpoint/trellix_epo.md b/docs/xdr/features/collect/integrations/endpoint/trellix_epo.md
@@ -7,7 +7,7 @@ type: intake
 Trellix ePO - On-prem monitors and manages your network, collects data on events and alerts, creates reports, and automates workflow to streamline product deployments, patch installations, and security updates. As an open and comprehensive platform, Trellix ePO - On-prem integrates more than 150 third-party solutions for faster and more accurate responses.
 
 !!! warning
-    Important note - This format is currently in beta. We highly value your feedback to improve its performance.
+    Important note - This format is currently in alpha. We highly value your feedback to improve its performance.
 
 {!_shared_content/operations_center/detection/generated/suggested_rules_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.md!}
 

diff --git a/mkdocs.yml b/mkdocs.yml
@@ -194,6 +194,7 @@ nav:
             - Trend Micro Apex One: xdr/features/collect/integrations/endpoint/trend_micro/trend_micro_apex_one.md
             - Trend Micro Cloud One / Deep Security: xdr/features/collect/integrations/endpoint/trend_micro/trend_micro_deep_security.md
           - Trellix ePO: xdr/features/collect/integrations/endpoint/trellix_epo.md
+          - Trellix EDR: xdr/features/collect/integrations/endpoint/trellix_edr.md
           - VMware ESXi: xdr/features/collect/integrations/endpoint/vmware/vmware_esxi.md
           - VMware VCenter: xdr/features/collect/integrations/endpoint/vmware/vmware_vcenter.md
           - Windows: xdr/features/collect/integrations/endpoint/windows.md