Trellix TIE Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Detail | Value |
---|---|
Current Integration Version | 1.3.0 |
Compatible with ThreatQ Versions | >= 6.7.3 |
Support Tier | ThreatQ Supported |
Introduction
The Trellix TIE operation provides Get and Set actions against a TIE-configured server.
- The Get action queries the configured TIE server for any threat information it holds for the indicator in question.
- The Set action sets the Enterprise reputation (trust level) of the indicator in question on the Trellix TIE server.
The operation provides the following actions:
- Query Reputation - queries a Trellix TIE server for additional attributes relevant to the selected indicator.
- Set Reputation (one action per trust level) - sets the Enterprise reputation for an indicator.
The operation is compatible with the following indicator types:
- MD5
- SHA-1
- SHA-256
Prerequisites
The integration requires the following:
- ePO hostname or IP address, ePO username, and ePO password.
- The OpenDXL Python client used by this integration must have permission to send messages to the /mcafee/service/tie/file/reputation/set topic, which is part of the TIE Server Set Enterprise Reputation authorization group. Only the Set Reputation actions publish to this topic. Run the Query Reputation action once to generate the ePO-managed client certificates, then log into the Trellix ePO console and authorize the generated client for that group. The following page shows how to authorize a Python client to send messages to an authorization group. The example is based on McAfee Active Response (MAR), but the steps are the same; select the TIE Server Set Enterprise Reputation authorization group in place of Active Response Server API: https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html
Additionally, all prerequisites from the following link should be fulfilled:
Installation
Perform the following steps to install the integration:
The same steps can be used to upgrade the integration to a new version.
- Log into https://marketplace.threatq.com/.
- Locate and download the integration .whl file.
- Navigate to the integrations management page on your ThreatQ instance.
- Click on the Add New Integration button.
- Upload the .whl file using one of the following methods:
- Drag and drop the file into the dialog box
- Select Click to Browse to locate the file on your local machine
ThreatQ will inform you if the operation already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the operation contains changes to the user configuration. The new user configurations will overwrite the existing ones for the operation and will require user confirmation before proceeding.
The operation is now installed and will be displayed in the ThreatQ UI. You will still need to configure and then enable the operation.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter | Description |
---|---|
EPO IP | The IP address or hostname of the Trellix ePO server. |
EPO Login | Your ePO login. |
EPO Password | Your ePO password. |
EPO Port | Optional. If left empty, the default port, 8443, is used. |
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The operation provides the following actions:
Action | Description | Object Type | Object Subtype |
---|---|---|---|
Query Reputation | Query a Trellix TIE server for additional attributes relevant to the selected indicator. | Indicator | MD5, SHA-1, SHA-256 |
Set Reputation Might Be Malicious | Set the Enterprise reputation for an indicator to Might Be Malicious (30). | Indicator | MD5, SHA-1, SHA-256 |
Set Reputation Most Likely Malicious | Set the Enterprise reputation for an indicator to Most Likely Malicious (15). | Indicator | MD5, SHA-1, SHA-256 |
Set Reputation Unknown | Set the Enterprise reputation for an indicator to Unknown (50). | Indicator | MD5, SHA-1, SHA-256 |
Set Reputation Known Malicious | Set the Enterprise reputation for an indicator to Known Malicious (1). | Indicator | MD5, SHA-1, SHA-256 |
Set Reputation Known Trusted | Set the Enterprise reputation for an indicator to Known Trusted (99). | Indicator | MD5, SHA-1, SHA-256 |
Set Reputation Known Trusted Installer | Set the Enterprise reputation for an indicator to Known Trusted Installer (100). | Indicator | MD5, SHA-1, SHA-256 |
Query Reputation
The Query Reputation action creates several attributes on the indicator, depending on how much information the Trellix ecosystem holds about it. The action uses the get_file_reputation function from the dxltieclient library. See the following for more information: https://opendxl.github.io/opendxl-tie-client-python/pydoc/basicgetreputationexample.html.
Sample Response:
{
"1": {
"trustLevel": 1,
"createDate": 1742561512,
"attributes": {
"2120340": "2134902792"
},
"providerId": 1
},
"3": {
"trustLevel": 50,
"createDate": 1742561512,
"attributes": {
"2101652": "0",
"2114965": "0",
"2098277": "0",
"2139285": "289919230306943286",
"2111893": "1",
"2123156": "0",
"2102165": "1742561512"
},
"providerId": 3
}
}
ThreatQuotient provides the following mapping for the action. It is applied to each provider entry in the response (the .1 and .3 objects in the sample above).
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published date | Examples | Notes |
---|---|---|---|---|---|
.trustLevel | Indicator.Attribute | {PROVIDER_NAME} Trust Level | N/A | Unknown | Converted to string according to Trust Level Mapping |
.createDate | Indicator.Attribute | {PROVIDER_NAME} Created At | N/A | Fri Mar 21 12:51:52 2025 | Converted to human readable timestamp |
.attributes[PREVALENCE_ID] | Indicator.Attribute | {PROVIDER_NAME} Prevalence | N/A | 0 | PREVALENCE_ID taken from File Enterprise Attributes Mapping |
.attributes[DETECTION_COUNT_ID] | Indicator.Attribute | {PROVIDER_NAME} Count | N/A | N/A | DETECTION_COUNT_ID taken from File Enterprise Attributes Mapping |
File Provider Mapping
The following is the File provider mapping for the action. See the following for more information: https://opendxl.github.io/opendxl-tie-client-python/pydoc/dxltieclient.constants.html#dxltieclient.constants.FileProvider.
Trellix Provider ID | Trellix Provider Name | ThreatQ Provider Name |
---|---|---|
1 | GTI | GTI |
3 | ENTERPRISE | Enterprise |
5 | ATD | ATD |
Trust Level Mapping
The reputation attribute values are created from the mapping given in the table below. See the following for more information: https://opendxl.github.io/opendxl-tie-client-python/pydoc/dxltieclient.constants.html#dxltieclient.constants.TrustLevel.
Trellix Reputation Score | ThreatQ Trust Level Attribute Value |
---|---|
0 | Not Set |
1 | Known Malicious |
15 | Most Likely Malicious |
30 | Might Be Malicious |
50 | Unknown |
70 | Might Be Trusted |
85 | Most Likely Trusted |
99 | Known Trusted |
100 | Known Trusted Installer |
File Enterprise Attributes Mapping
The following is the File Enterprise Attributes mapping for the action. See the following for more information: https://opendxl.github.io/opendxl-tie-client-python/pydoc/dxltieclient.constants.html#dxltieclient.constants.FileEnterpriseAttrib.
Trellix File Enterprise Attribute ID | Trellix File Enterprise Attribute Name | ThreatQ File Enterprise Attribute Name |
---|---|---|
2113685 | DETECTION_COUNT | Count |
2101652 | PREVALENCE | Prevalence |
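As an added worked example (not the operation's own code), the following Python turns the sample get_file_reputation response shown above into the ThreatQ attributes that the three mapping tables describe. The provider, trust-level and enterprise-attribute IDs are copied from those tables rather than imported from dxltieclient, so the block runs without a DXL fabric. Rendering createDate in UTC and falling back to the raw number for a trust-level score the table does not list are assumptions made here.

```python
"""Map a TIE get_file_reputation() response to ThreatQ indicator attributes.

Added example, not ThreatQuotient's code. Constants are the values from this
guide's File Provider, Trust Level and File Enterprise Attributes tables.
"""
from datetime import datetime, timezone

# Provider ID -> ThreatQ provider name (File Provider Mapping table).
PROVIDER_NAMES = {1: "GTI", 3: "Enterprise", 5: "ATD"}

# TIE trust-level score -> ThreatQ Trust Level attribute value (Trust Level Mapping table).
TRUST_LEVEL_NAMES = {
    0: "Not Set",
    1: "Known Malicious",
    15: "Most Likely Malicious",
    30: "Might Be Malicious",
    50: "Unknown",
    70: "Might Be Trusted",
    85: "Most Likely Trusted",
    99: "Known Trusted",
    100: "Known Trusted Installer",
}

# File Enterprise Attribute ID -> ThreatQ attribute suffix (File Enterprise Attributes Mapping table).
ENTERPRISE_ATTRIBS = {"2101652": "Prevalence", "2113685": "Count"}

# Constructed sample: the response shown earlier in this guide (provider keys as strings,
# exactly as they appear once the response has been JSON-serialised).
SAMPLE_RESPONSE = {
    "1": {"trustLevel": 1, "createDate": 1742561512,
          "attributes": {"2120340": "2134902792"}, "providerId": 1},
    "3": {"trustLevel": 50, "createDate": 1742561512,
          "attributes": {"2101652": "0", "2114965": "0", "2098277": "0",
                         "2139285": "289919230306943286", "2111893": "1",
                         "2123156": "0", "2102165": "1742561512"},
          "providerId": 3},
}


def human_timestamp(epoch_seconds):
    """Render a TIE createDate (Unix epoch seconds) as in the mapping table.

    Assumption: UTC. The guide's own example, 1742561512, renders as
    'Fri Mar 21 12:51:52 2025'.
    """
    stamp = datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc)
    return stamp.strftime("%a %b %d %H:%M:%S %Y")


def reputation_to_attributes(response):
    """Return {attribute_key: value} for every mapped provider in a TIE response.

    Providers absent from PROVIDER_NAMES are skipped (assumption: the guide only
    lists GTI, Enterprise and ATD). An enterprise attribute that the provider did
    not return produces no ThreatQ attribute, which is why the table shows N/A
    for Count against this sample.
    """
    attributes = {}
    for provider_id, rep in response.items():
        name = PROVIDER_NAMES.get(int(provider_id))
        if name is None:
            continue
        level = rep.get("trustLevel")
        if level is not None:
            # Unlisted scores fall back to the raw number as a string (assumption).
            attributes[f"{name} Trust Level"] = TRUST_LEVEL_NAMES.get(int(level), str(level))
        created = rep.get("createDate")
        if created is not None:
            attributes[f"{name} Created At"] = human_timestamp(created)
        provider_attribs = rep.get("attributes") or {}
        for attrib_id, suffix in ENTERPRISE_ATTRIBS.items():
            if attrib_id in provider_attribs:
                attributes[f"{name} {suffix}"] = str(provider_attribs[attrib_id])
    return attributes


if __name__ == "__main__":
    for key, value in sorted(reputation_to_attributes(SAMPLE_RESPONSE).items()):
        print(f"{key}: {value}")
```

Run against the sample, the GTI entry (trustLevel 1) yields "GTI Trust Level: Known Malicious" and the Enterprise entry (trustLevel 50) yields "Enterprise Trust Level: Unknown" with "Enterprise Prevalence: 0"; no "Enterprise Count" attribute is produced because attribute 2113685 is not in the response. Note that GTI attribute 2120340 in the sample is not one of the two File Enterprise Attributes the operation maps, so it is ignored.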
Set Reputation Might Be Malicious
The Set Reputation Might Be Malicious action sets the Enterprise reputation trust level for a hash in the Trellix TIE database to Might Be Malicious. The action uses the set_file_reputation function from the dxltieclient library. See the following link for more information: https://opendxl.github.io/opendxl-tie-client-python/pydoc/dxltieclient.client.html?highlight=set_file_reputation#dxltieclient.client.TieClient.set_file_reputation.
Set Reputation Most Likely Malicious
The Set Reputation Most Likely Malicious action sets the Enterprise reputation trust level for a hash in the Trellix TIE database to Most Likely Malicious. The action uses the set_file_reputation function from the dxltieclient library. See the following link for more information: https://opendxl.github.io/opendxl-tie-client-python/pydoc/dxltieclient.client.html?highlight=set_file_reputation#dxltieclient.client.TieClient.set_file_reputation.
Set Reputation Unknown
The Set Reputation Unknown action sets the Enterprise reputation trust level for a hash in the Trellix TIE database to Unknown. The action uses the set_file_reputation function from the dxltieclient library. See the following link for more information: https://opendxl.github.io/opendxl-tie-client-python/pydoc/dxltieclient.client.html?highlight=set_file_reputation#dxltieclient.client.TieClient.set_file_reputation.
Set Reputation Known Malicious
The Set Reputation Known Malicious action sets the Enterprise reputation trust level for a hash in the Trellix TIE database to Known Malicious. The action uses the set_file_reputation function from the dxltieclient library. See the following link for more information: https://opendxl.github.io/opendxl-tie-client-python/pydoc/dxltieclient.client.html?highlight=set_file_reputation#dxltieclient.client.TieClient.set_file_reputation.
Set Reputation Known Trusted
The Set Reputation Known Trusted action sets the Enterprise reputation trust level for a hash in the Trellix TIE database to Known Trusted. The action uses the set_file_reputation function from the dxltieclient library. See the following link for more information: https://opendxl.github.io/opendxl-tie-client-python/pydoc/dxltieclient.client.html?highlight=set_file_reputation#dxltieclient.client.TieClient.set_file_reputation.
Set Reputation Known Trusted Installer
The Set Reputation Known Trusted Installer action sets the Enterprise reputation trust level for a hash in the Trellix TIE database to Known Trusted Installer. The action uses the set_file_reputation function from the dxltieclient library. See the following link for more information: https://opendxl.github.io/opendxl-tie-client-python/pydoc/dxltieclient.client.html?highlight=set_file_reputation#dxltieclient.client.TieClient.set_file_reputation.
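The six Set Reputation actions above all write an Enterprise reputation override for whatever hash they are given, so the value should be checked before anything is published to the set topic. The following Python is an added example (not the operation's own code) that maps a ThreatQ indicator and action name to the keyword arguments of TieClient.set_file_reputation(), rejecting a hash whose length does not match its declared type or that is not hexadecimal. The keyword names (trust_level, hashes, comment) and the HashType string values "md5", "sha1" and "sha256" are taken from the dxltieclient documentation linked above; the package itself is not imported so the block runs offline, and the sample indicators are constructed for the example.

```python
"""Validate a ThreatQ hash indicator and build set_file_reputation() arguments.

Added example, not ThreatQuotient's code. SET_ACTIONS holds the six Set
Reputation actions this operation exposes and the TIE trust level each writes.
"""
import re

# ThreatQ indicator type -> (dxltieclient HashType value, expected hex digit count).
HASH_TYPES = {
    "MD5": ("md5", 32),
    "SHA-1": ("sha1", 40),
    "SHA-256": ("sha256", 64),
}

# Action name -> TIE trust level (Trust Level Mapping table).
SET_ACTIONS = {
    "Set Reputation Known Malicious": 1,
    "Set Reputation Most Likely Malicious": 15,
    "Set Reputation Might Be Malicious": 30,
    "Set Reputation Unknown": 50,
    "Set Reputation Known Trusted": 99,
    "Set Reputation Known Trusted Installer": 100,
}

_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample batch: two well-formed hashes (digests of the empty file),
# an MD5 mislabelled as SHA-1, and a value that is not a hash at all.
SAMPLE_INDICATORS = [
    ("MD5", "d41d8cd98f00b204e9800998ecf8427e"),
    ("SHA-256", "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"),
    ("SHA-1", "d41d8cd98f00b204e9800998ecf8427e"),
    ("SHA-256", "not-a-hash"),
]


def hash_error(indicator_type, value):
    """Return None if value is a well-formed hash of indicator_type, else the reason."""
    if indicator_type not in HASH_TYPES:
        return f"unsupported indicator type: {indicator_type}"
    _, expected_len = HASH_TYPES[indicator_type]
    value = value.strip()
    if not _HEX_RE.match(value):
        return f"{indicator_type} value is not hexadecimal"
    if len(value) != expected_len:
        return f"{indicator_type} must be {expected_len} hex characters, got {len(value)}"
    return None


def build_set_reputation_args(action, indicator_type, value, comment=""):
    """Return kwargs for tie_client.set_file_reputation(**kwargs), or raise ValueError.

    The hash is lower-cased so the same file is not written twice under
    differently-cased spellings of one digest.
    """
    if action not in SET_ACTIONS:
        raise ValueError(f"unknown action: {action}")
    problem = hash_error(indicator_type, value)
    if problem:
        raise ValueError(problem)
    hash_type, _ = HASH_TYPES[indicator_type]
    return {
        "trust_level": SET_ACTIONS[action],
        "hashes": {hash_type: value.strip().lower()},
        "comment": comment,
    }


def plan_set_reputation(action, indicators, comment=""):
    """Validate a batch of (indicator_type, value) pairs.

    Returns (accepted, rejected): accepted is a list of kwargs dicts ready for
    set_file_reputation(); rejected is a list of (value, reason) pairs that were
    not sent. One bad indicator does not block the rest of the batch.
    """
    accepted, rejected = [], []
    for indicator_type, value in indicators:
        try:
            accepted.append(build_set_reputation_args(action, indicator_type, value, comment))
        except ValueError as exc:
            rejected.append((value, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_set_reputation("Set Reputation Known Malicious", SAMPLE_INDICATORS,
                                  comment="pushed from ThreatQ")
    for kwargs in ok:
        print("would call set_file_reputation with", kwargs)
    for value, reason in bad:
        print("rejected", value, ":", reason)
```

With the DXL client connected and authorized for the TIE Server Set Enterprise Reputation group, each accepted entry would be passed as tie_client.set_file_reputation(**kwargs). The two malformed entries in the sample are reported rather than silently dropped or coerced; a Known Trusted or Known Trusted Installer write against the wrong digest is an enterprise-wide allow decision, so failing closed on bad input is the safer default.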
Change Log
- Version 1.3.0
- Updated integration name from McAfee TIE Operation to Trellix TIE Operation.
- Updated the minimum ThreatQ version to 6.7.3.
- Version 1.2.0
- Automatic certificate regeneration will now only be performed if credentials are changed.
- Version 1.1.0
- Fixed a Reputation bug.
- Added the Set Reputation Known Trusted Installer action.
- Attribute names synced with the McAfee TIE Reputation Change integration.
- Version 1.0.1
- Updated dependencies.
- Version 1.0.0
- Initial Release
PDF Guides
Document | ThreatQ Version |
---|---|
McAfee TIE Operation Guide v1.3.0 | 6.7.3 or Greater |
McAfee TIE Operation Guide v1.2.0 | 4.30.0 or Greater |
McAfee TIE Operation Guide v1.1.0 | 4.30.0 or Greater |
McAfee TIE Operation Guide v1.0.1 | 4.30.0 or Greater |
McAfee TIE Operation Guide v1.0.0 | 4.11.0 or Greater |