Current ThreatQ Version Filter

Trellix EX Operation

The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.

Integration Details

ThreatQuotient provides the following details for this integration:

Current Integration Version

1.1.0

Compatible with ThreatQ Versions

>= 4.31.0

Support Tier

ThreatQ Supported

Introduction

The ThreatQuotient for Trellix EX Operation allows you to search for emails alerts in a Trellix EX appliance that contains specific indicators. If any alerts are returned, the data and indicators are parsed and listed in the ThreatQ UI.

The operation provides the following action:

Search for Alerts - submits data to Trellix EX and returns matching alerts.
Search for Indicators - searches for Trellix EX alerts containing Malware or URL/Filename indicators.

The operation is compatible with the following object types:

Indicators (Email Address, Filename, MD5, URL)
Malware

The Trellix EX operation replaces the FireEye EX operation as of version 1.1.0.

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

Navigate to your integrations management page in ThreatQ.
Select the Operation option from the Type dropdown (optional).
Click on the integration entry to open its details page.

Enter the following parameters under the Configuration tab:

Parameter	Description
Hostname	Your Hostname or IP address of Trellix EX.
Port	The Communication port. The default value is 443.
Username	Your Username for connecting to Trellix.
Password	Your Password for authenticating with Trellix.
Verify SSL	Enable this parameter to verify SSL when connecting to the Trellix EX instance.

Trellix EX Operation Configuration Screen

Review any additional settings, make any changes if needed, and click on Save.
Click on the toggle switch, located above the Additional Information section, to enable it.

Actions

The operation provides the following actions:

Action	Description	Object Type	Object Subtype
Search for Alerts	Searches for Trellix EX alerts containing indicators on MD5 and Email Address.	Indicator	MD5, Email Address
Search for Alerts with Indicator	Searches for Trellix EX alerts containing Malware or URL/Filename indicators	Indicator, Malware	Indicator (Email Address, Filename, MD5, URL)

Search For Alerts, Search for Alerts with Indicator

The Search for Alerts and Search for Alerts with Indicator actions utilize the same endpoint and responses while specific filtering parameters are available based on the object type.

GET https://{hostname}/wsapis/v2.0.0/alerts/{filtering_parameters}

Sample Response:

    {
    "alert": [],
    "appliance": "eMPS",
    "version": "eMPS (eMPS) 8.4.2.888088",
    "msg": "extended",
    "alertsCount": 0
}

ThreatQ provides the following default mapping for these actions:

Feed Data Path	ThreatQ Entity	ThreatQ Object Type or Attribute Key	Published Date	Examples	Notes
.alert[].alertUrl	Indicator.Attribute	Trellix Alert URL	N/A	N/A	N/A
.alert[].severity	Indicator.Attribute	Severity	N/A	N/A	N/A
.alert[].src	Indicator.Attribute	Email Sender	N/A	N/A	N/A
.alert[].src	Related Indicator	Email Address	N/A	N/A	N/A
.alert[].explanation.osChanges[].network.ipaddress	Related Indicator	IP Address	N/A	N/A	N/A
.alert[].explanation.malwareDetected.malware[].md5Sum	Related Indicator	MD5	N/A	N/A	N/A
.alert[].explanation.malwareDetected.malware[].md5sum	Related Indicator	MD5	N/A	N/A	N/A
.alert[].explanation.malwareDetected.malware[].sha1	Related Indicator	SHA-1	N/A	N/A	N/A
.alert[].explanation.malwareDetected.malware[].sha256	Related Indicator	SHA-256	N/A	N/A	N/A
.alert[].explanation.malwareDetected.malware[].sha256sum	Related Indicator	SHA-256	N/A	N/A	N/A
.alert[].explanation.malwareDetected.malware[].url	Related Indicator	URL	N/A	N/A	N/A
.alert[].explanation.malwareDetected.malware[].fqdn	Related Indicator	FQDN	N/A	N/A	N/A
.alert[].explanation.malwareDetected.malware[].domain	Related Indicator	FQDN	N/A	N/A	N/A
.alert[].explanation.malwareDetected.malware[].src_ip	Related Indicator	IP Address	N/A	N/A	N/A

Configuration Options

The two operation actions provide their own configuration options upon run.

Search for Alerts

The Search for Alerts provides the following configuration options:

Parameter	Description
The ID Number for the Alert to Retrieve	Enter the ID number of the alert to retrieve.

Search for Alerts with Indicator

The Search for Alerts with Indicator provides the following configuration options:

Parameter	Description
Enter the Start Time for the Search	Enter the Start Time of the search in the timezone of the Trellix EX appliance in the following format: YYYY-MM-DD HH:MM
Enter the End Time for the Search	Enter the End Time of the search in the timezone of the Trellix EX appliance in the following format: YYYY-MM-DD HH:MM
The ID Number for the Alert to Retrieve	Enter the ID number of the alert to retrieve.

Filter Options per Object Type

The operation supports different filters for each of the objects it is executed on. The following table lists the supported filters.

Object Type	Action	Supports Time Filtering	Supports Alert ID Filtering (optional)
URL	Search for alerts containing URL.	Yes	Yes
MD5	Search for alerts that contain MD5 hash.	No	Yes
Email Address	Search for alerts that match the email address of the malware object sender.	No	Yes
Filename	Search for alerts that contain a malware filename that matches the ThreatQ indicator.	Yes	Yes
Malware Name	Search for alerts that contain a specific malware.	Yes	Yes

Change Log

Version 1.1.0
- Resolved import errors.
- Rebranded operation from FireEye to Trellix to match provider's naming scheme.
Version 1.0.0
- Initial release

PDF Guides

Document	ThreatQ Version
Trellix EX Operation Guide v1.1.0	4.31.0 or Greater
FireEye EX Operation Guide v1.0.0	4.31.0 or Greater