Trellix ePO Operation

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The Trellix ePolicy Orchestrator (ePO) operation allows users to manage system tags in Trellix ePO.

The operation provides the following actions:

  • Manage Tags Apply - applies tag(s) to systems in ePO.
  • Manage Tags Exclude - adds exclude tag(s) to systems in ePO.
  • Manage Tags Clear - removes tag(s) from systems in ePO.
  • Get System Information - returns the complete information about the endpoint from ePO.

The operation is compatible with the Assets custom object type.  

Prerequisites

The following is required in order to install and run the operation:

  • Assets object installed on your ThreatQ instance.
  • Route between ThreatQ and Trellix ePO.
  • Trellix products:
    • ePO with an installed Endpoint Security extension
  • Trellix ePO username and password to use with the integration

Asset Object

The integration requires the Asset object.  The Asset installation files are included with the integration download on the ThreatQ Marketplace.  The Asset object must be installed prior to installing the integration.  

You do not have to install the Asset object if you are running ThreatQ version 5.10.0 or greater as the object has been seeded as a default system object.

See the Custom Objects topic for steps on how to install the required custom object.

Installation

If you are on ThreatQ version 5.9.0 or earlier, the operation requires the Asset custom object to be installed before the operation itself; see the Prerequisites chapter for details. Attempting to install the operation without the custom object will cause the operation install process to fail.

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Operation option from the Type dropdown (optional).
  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:
    Parameter      Description
    EPO Hostname   The hostname or IP address for ePO.
    ePO Port       The ePO communication port. The default is 8443 and can be changed if needed.
    ePO Username   Your username for ePO.
    ePO Password   Your password for ePO.
    Verify SSL     Check this option to verify the ePO TLS certificate when connecting to Trellix ePO. Leave it enabled wherever possible: if it is unchecked, the ePO server is not authenticated, and the ePO username and password sent with every request can be captured by anyone able to intercept the connection.
  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.

Actions

The operation provides the following actions:

Action                  Action Subtype  Description                                                      Object Type
Manage Tags             Apply           Apply tag(s) to systems in ePO.                                  Asset
Manage Tags             Exclude         Add exclude tag(s) to systems in ePO.                            Asset
Manage Tags             Clear           Remove tag(s) from systems in ePO.                               Asset
Get System Information  N/A             Returns the complete information about the endpoint from ePO.   Asset

Manage Tags - Apply

The Manage Tags - Apply action applies tag(s) to systems in ePO.

POST https://<Trellix ePO Host>/remote/system.applyTag

Manage Tags - Exclude

The Manage Tags - Exclude action adds exclude tag(s) to systems in ePO, so that ePO's automatic tag criteria will not apply those tags to the systems.

POST https://<Trellix ePO Host>/remote/system.excludeTag

Manage Tags - Clear

The Manage Tags - Clear action removes tags from systems in ePO.  

POST https://<Trellix ePO Host>/remote/system.clearTag

Get System Information

The Get System Information action returns the complete information about the endpoint from ePO.

POST https://<Trellix ePO Host>/remote/system.find
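Each of the four actions above maps to one ePO remote command. The following Python client is an added example, not ThreatQuotient's or Trellix's code, showing how those commands are invoked and how a reply is decoded. It assumes, as the ePO web API does, HTTP Basic authentication on the configured port, a form-encoded POST to /remote/<command>, the names/tagName/searchText parameters, the :output=json switch, and replies that begin with "OK:" on success or "Error <n>: <message>" on failure. The host, port, credentials and the sample reply are constructed placeholders, and the tls_context helper shows what the Verify SSL checkbox in the Configuration tab corresponds to.

```python
"""Added example: calling the four ePO remote commands used by this operation.

Assumptions (not taken from this guide): the ePO web API accepts HTTP Basic
authentication, parameters are form-encoded, ':output=json' selects JSON, and
replies start with 'OK:' (success) or 'Error <n>: <message>' (failure).
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Constructed placeholders; use the values from the Configuration tab.
EPO_HOST = "epo.example.internal"
EPO_PORT = 8443

# Action name in this guide -> ePO remote command it posts to.
COMMANDS = {
    "apply": "system.applyTag",
    "exclude": "system.excludeTag",
    "clear": "system.clearTag",
    "info": "system.find",
}


class EpoError(RuntimeError):
    """ePO answered with an 'Error <n>: ...' line instead of 'OK:'."""


def tag_params(system_names, tag):
    """Parameters shared by applyTag/excludeTag/clearTag (assumed names)."""
    return {"names": ",".join(system_names), "tagName": tag}


def find_params(search_text):
    """Parameter for system.find (assumed name); matches name, IP, MAC, etc."""
    return {"searchText": search_text}


def build_request(action, username, password, params, host=EPO_HOST, port=EPO_PORT):
    """Return (url, headers, body) for a POST to /remote/<command>."""
    url = f"https://{host}:{port}/remote/{COMMANDS[action]}"
    form = dict(params)
    form[":output"] = "json"  # ask for JSON instead of the default text table
    body = urllib.parse.urlencode(form).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return url, headers, body


def parse_response(text):
    """Decode an ePO reply: JSON payload after 'OK:', or raise on 'Error ...'."""
    if text.startswith("OK:"):
        payload = text[3:].strip()
        return json.loads(payload) if payload else None
    if text.startswith("Error"):
        raise EpoError(text.strip())
    raise EpoError(f"unexpected reply: {text[:80]!r}")


def tls_context(verify_ssl):
    """Build the TLS context that the 'Verify SSL' checkbox corresponds to."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        # Unchecked box: the server is not authenticated, so the Basic
        # credentials in every request can be read by an on-path attacker.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def call(action, username, password, params, verify_ssl=True, opener=None):
    """POST one command to ePO and return the decoded payload."""
    url, headers, body = build_request(action, username, password, params)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    if opener is None:
        handler = urllib.request.HTTPSHandler(context=tls_context(verify_ssl))
        opener = urllib.request.build_opener(handler)
    with opener.open(req, timeout=30) as resp:
        return parse_response(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    url, headers, body = build_request(
        "apply", "svc-threatq", "s3cret",
        tag_params(["HOST-01", "HOST-02"], "Quarantine"))
    print(url, body.decode())
    # Constructed reply in the assumed shape; a live call would go through call().
    print(parse_response('OK:\n[{"EPOComputerProperties.ComputerName": "HOST-01"}]'))
```

A live run replaces the placeholders with the hostname, port and credentials entered in the Configuration tab and invokes call() with verify_ssl matching the Verify SSL checkbox; the system names passed to tag_params are the Asset objects selected in ThreatQ.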

Change Log

  • Version 2.0.0
    • Rebranded integration from McAfee ePO to Trellix ePO
    • Resolved a bug regarding Asset naming.  
  • Version 1.0.0
    • Initial release

PDF Guides

Document                             ThreatQ Version
Trellix ePO Operation Guide v2.0.0   4.40.0 or Greater
McAfee ePO Operation Guide v1.0.0    4.40.0 or Greater