Trellix ePO - On Prem

Overview

Trellix ePO is a centralized security management platform to orchestrate and manage all endpoints.

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

Vendor: Trellix
Supported environment: On Prem
Version compatibility: 5.10
Detection based on: Telemetry
Supported application or feature: Application logs

Configure

This setup guide will show you how to forward your Trellix ePO events to Sekoia.io.

Configure a new server

Sign in to the Trellix ePO platform with administrator permissions.
Click Menu, and then click Configuration > Registered Servers.
Click New Server.
On the Description page, configure these settings :
1. Server type — Select Syslog Server.
2. Name
Click Next.
On the next Registered Server Builder page, configure these settings
1. Server name
2. TCP port number
3. Enable event forwarding
Click Test connection.
Click Save.

Forward logs to Sekoia.io

For more information on forwarding logs to Sekoia.io, see Syslog Forwarding

Create an intake

Go to the intake page and create a new intake from the format Trellix ePO (on-prem).

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.

epo_event_1048epo_event_1087epo_event_1088epo_event_1090epo_event_1346update_event_2401update_event_2422update_event_2427

<?xml version="1.0"?>
<EPOEvent>
  <MachineInfo>
    <AgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</AgentGUID>
    <MachineName>DESKTOP01</MachineName>
    <RawMACAddress>38596153343D</RawMACAddress>
    <IPAddress>1.2.3.4</IPAddress>
    <AgentVersion>5.8.2.929</AgentVersion>
    <OSName>Windows 10</OSName>
    <TimeZoneBias>-60</TimeZoneBias>
    <UserName>John_Doe</UserName>
  </MachineInfo>
  <SoftwareInfo ProductName="ENDP_AM_1070LYNX" ProductVersion="10.7.18.211" ProductFamily="TVD">
    <CommonFields>
      <Analyzer>ENDP_AM_1070LYNX</Analyzer>
      <AnalyzerName>Trellix Endpoint Security</AnalyzerName>
      <AnalyzerVersion>10.7.18.211</AnalyzerVersion>
    </CommonFields>
    <Event>
      <EventID>1048</EventID>
      <Severity>1</Severity>
      <GMTTime>2024-12-20T15:35:05</GMTTime>
      <LocalTime>2024-12-20T16:35:05</LocalTime>
      <CommonFields>
        <AnalyzerDATVersion>5922.0</AnalyzerDATVersion>
        <AnalyzerDetectionMethod>OAS</AnalyzerDetectionMethod>
        <AnalyzerEngineVersion>6720.10487</AnalyzerEngineVersion>
        <DetectedUTC>2024-12-20T15:35:05Z</DetectedUTC>
        <TargetFileName>/var/log/gitlab/sidekiq/current</TargetFileName>
        <TargetProcessName>/opt/gitlab/embedded/bin/svlogd</TargetProcessName>
        <TargetUserName/>
        <ThreatActionTaken>IDS_THREAT_ACTION_ALLOW</ThreatActionTaken>
        <ThreatCategory>ops</ThreatCategory>
        <ThreatHandled>0</ThreatHandled>
        <ThreatName/>
        <ThreatSeverity>4</ThreatSeverity>
        <ThreatType>IDS_ALERT_DET_TYP_NOT</ThreatType>
      </CommonFields>
    </Event>
  </SoftwareInfo>
</EPOEvent>

<?xml version="1.0"?>
<EPOEvent>
  <MachineInfo>
    <AgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</AgentGUID>
    <MachineName>DESKTOP01</MachineName>
    <RawMACAddress>38596153343D</RawMACAddress>
    <IPAddress>1.2.3.4</IPAddress>
    <AgentVersion>5.8.2.929</AgentVersion>
    <OSName>Linux</OSName>
    <TimeZoneBias>-60</TimeZoneBias>
    <UserName>John_Doe</UserName>
  </MachineInfo>
  <SoftwareInfo ProductName="ENDP_AM_1070LYNX" ProductVersion="10.7.18.211" ProductFamily="TVD">
    <CommonFields>
      <Analyzer>ENDP_AM_1070LYNX</Analyzer>
      <AnalyzerName>Trellix Endpoint Security</AnalyzerName>
      <AnalyzerVersion>10.7.18.211</AnalyzerVersion>
    </CommonFields>
    <Event>
      <EventID>1087</EventID>
      <Severity>0</Severity>
      <GMTTime>2024-12-20T15:38:49</GMTTime>
      <LocalTime>2024-12-20T16:38:49</LocalTime>
      <CommonFields>
        <AnalyzerDATVersion>5923.0</AnalyzerDATVersion>
        <AnalyzerDetectionMethod>OAS</AnalyzerDetectionMethod>
        <AnalyzerEngineVersion>6720.10487</AnalyzerEngineVersion>
        <DetectedUTC>2024-12-20T15:38:49Z</DetectedUTC>
        <ThreatActionTaken>None</ThreatActionTaken>
        <ThreatCategory>ops.scan.start</ThreatCategory>
        <ThreatHandled>1</ThreatHandled>
        <ThreatName>None</ThreatName>
        <ThreatSeverity>6</ThreatSeverity>
        <ThreatType>None</ThreatType>
      </CommonFields>
    </Event>
  </SoftwareInfo>
</EPOEvent>

<?xml version="1.0"?>
<EPOEvent>
  <MachineInfo>
    <AgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</AgentGUID>
    <MachineName>DESKTOP01</MachineName>
    <RawMACAddress>38596153343D</RawMACAddress>
    <IPAddress>1.2.3.4</IPAddress>
    <AgentVersion>5.8.2.929</AgentVersion>
    <OSName>Windows 10</OSName>
    <TimeZoneBias>-60</TimeZoneBias>
    <UserName>John_Doe</UserName>
  </MachineInfo>
  <SoftwareInfo ProductName="ENDP_AM_1070LYNX" ProductVersion="10.7.18.211" ProductFamily="TVD">
    <CommonFields>
      <Analyzer>ENDP_AM_1070LYNX</Analyzer>
      <AnalyzerName>Trellix Endpoint Security</AnalyzerName>
      <AnalyzerVersion>10.7.18.211</AnalyzerVersion>
    </CommonFields>
    <Event>
      <EventID>1088</EventID>
      <Severity>0</Severity>
      <GMTTime>2024-12-20T15:38:47</GMTTime>
      <LocalTime>2024-12-20T16:38:47</LocalTime>
      <CommonFields>
        <AnalyzerDATVersion>5923.0</AnalyzerDATVersion>
        <AnalyzerDetectionMethod>OAS</AnalyzerDetectionMethod>
        <AnalyzerEngineVersion>6720.10487</AnalyzerEngineVersion>
        <DetectedUTC>2024-12-20T15:38:47Z</DetectedUTC>
        <ThreatActionTaken>None</ThreatActionTaken>
        <ThreatCategory>ops.scan.end</ThreatCategory>
        <ThreatHandled>1</ThreatHandled>
        <ThreatName>None</ThreatName>
        <ThreatSeverity>6</ThreatSeverity>
        <ThreatType>None</ThreatType>
      </CommonFields>
    </Event>
  </SoftwareInfo>
</EPOEvent>

<?xml version="1.0"?>
<EPOEvent>
  <MachineInfo>
    <AgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</AgentGUID>
    <MachineName>DESKTOP01</MachineName>
    <RawMACAddress>38596153343D</RawMACAddress>
    <IPAddress>1.2.3.4</IPAddress>
    <AgentVersion>5.8.2.929</AgentVersion>
    <OSName>Windows 10</OSName>
    <TimeZoneBias>-60</TimeZoneBias>
    <UserName/>
  </MachineInfo>
  <SoftwareInfo ProductName="ENDP_AM_1070LYNX" ProductVersion="10.7.18.211" ProductFamily="TVD">
    <CommonFields>
      <Analyzer>ENDP_AM_1070LYNX</Analyzer>
      <AnalyzerName>Trellix Endpoint Security</AnalyzerName>
      <AnalyzerVersion>10.7.18.211</AnalyzerVersion>
    </CommonFields>
    <Event>
      <EventID>1090</EventID>
      <Severity>1</Severity>
      <GMTTime>2024-12-20T15:17:12</GMTTime>
      <LocalTime>2024-12-20T16:17:12</LocalTime>
      <CommonFields>
        <AnalyzerDATVersion>5920.0</AnalyzerDATVersion>
        <AnalyzerDetectionMethod>OAS</AnalyzerDetectionMethod>
        <AnalyzerEngineVersion>6720.10487</AnalyzerEngineVersion>
        <DetectedUTC>2024-12-20T15:17:12Z</DetectedUTC>
        <ThreatActionTaken>None</ThreatActionTaken>
        <ThreatCategory>ops.scan.end</ThreatCategory>
        <ThreatHandled>1</ThreatHandled>
        <ThreatName>None</ThreatName>
        <ThreatSeverity>6</ThreatSeverity>
        <ThreatType>None</ThreatType>
      </CommonFields>
      <CustomFields target="EPExtendedEventMT">
        <BladeName>IDS_BLADE_NAME_SPB</BladeName>
        <NaturalLangDescription>IDS_NATURAL_LANG_OAS_FAILED_TO_ENABLE_2</NaturalLangDescription>
      </CustomFields>
    </Event>
  </SoftwareInfo>
</EPOEvent>

<?xml version="1.0"?>
<EPOevent>
  <MachineInfo>
    <AgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</AgentGUID>
    <MachineName>DESKTOP01</MachineName>
    <RawMACAddress>38596153343D</RawMACAddress>
    <IPAddress>1.2.3.4</IPAddress>
    <OSName>Windows Server 2012</OSName>
    <UserName>Syst&#xE8;me</UserName>
    <TimeZoneBias>-60</TimeZoneBias>
  </MachineInfo>
  <SoftwareInfo ProductName="ENS Storage Protection" ProductVersion="2.4.0" ProductFamily="ENS">
    <ProductFamily>ENS</ProductFamily>
    <ProductName>ENS Storage Protection</ProductName>
    <ProductVersion>2.4.0</ProductVersion>
    <Event>
      <EventID>1346</EventID>
      <Severity>0</Severity>
      <GMTTime>2024-12-20T15:47:49</GMTTime>
      <CustomFields target="VSAS130_PerformanceMT">
        <EPOLeafNodeAgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</EPOLeafNodeAgentGUID>
        <ReceivedUTC>2024-12-20T15:47:49</ReceivedUTC>
        <DetectedUTC>2024-12-20T15:47:49</DetectedUTC>
        <ScanServer>DESKTOP01</ScanServer>
        <Plugin>ICAP</Plugin>
        <MaxScanThreadsUsed>2</MaxScanThreadsUsed>
        <MaxScanThreadsAllowed>100</MaxScanThreadsAllowed>
        <RequestDenied>0</RequestDenied>
        <RequestAccepted>773</RequestAccepted>
        <ScanTimeExceeded>0</ScanTimeExceeded>
        <FileAccessFailed>0</FileAccessFailed>
        <ProductCode>ENDP_SP_2000</ProductCode>
      </CustomFields>
    </Event>
  </SoftwareInfo>
</EPOevent>

<?xml version="1.0"?>
<UpdateEvents>
  <MachineInfo>
    <AgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</AgentGUID>
    <MachineName>DESKTOP01</MachineName>
    <RawMACAddress>38596153343D</RawMACAddress>
    <IPAddress>1.2.3.4</IPAddress>
    <AgentVersion>5.8.2.929</AgentVersion>
    <OSName>Windows 10</OSName>
    <TimeZoneBias>-60</TimeZoneBias>
    <UserName>John_Doe,Jane_Doe,Olivier_Martin</UserName>
  </MachineInfo>
  <McAfeeCommonUpdater ProductName="Trellix Agent" ProductVersion="5.0.0" ProductFamily="TVD">
    <UpdateEvent>
      <EventID>2401</EventID>
      <Severity>0</Severity>
      <GMTTime>2024-12-20T15:35:50</GMTTime>
      <ProductID>AMCORDAT2000</ProductID>
      <Locale>0409</Locale>
      <Error>0</Error>
      <Type>AMCore</Type>
      <Version>5746.0</Version>
      <InitiatorID>EPOAGENT3000</InitiatorID>
      <InitiatorType>OnDemand</InitiatorType>
      <SiteName>ePO_SK-INTG</SiteName>
      <Description>N/A</Description>
    </UpdateEvent>
  </McAfeeCommonUpdater>
</UpdateEvents>

<?xml version="1.0"?>
<UpdateEvents>
  <MachineInfo>
    <AgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</AgentGUID>
    <MachineName>DESKTOP01</MachineName>
    <RawMACAddress>38596153343D</RawMACAddress>
    <IPAddress>1.2.3.4</IPAddress>
    <AgentVersion>5.8.2.929</AgentVersion>
    <OSName>Windows 10</OSName>
    <TimeZoneBias>-60</TimeZoneBias>
    <UserName/>
  </MachineInfo>
  <McAfeeCommonUpdater ProductName="Trellix Agent" ProductVersion="5.0.0" ProductFamily="TVD">
    <UpdateEvent>
      <EventID>2422</EventID>
      <Severity>4</Severity>
      <GMTTime>2024-12-20T16:06:08</GMTTime>
      <ProductID>DXL_____1000</ProductID>
      <Locale>0409</Locale>
      <Error>59</Error>
      <Type>Policy Enforcement</Type>
      <Version>N/A</Version>
      <InitiatorID>EPOAGENT3000</InitiatorID>
      <InitiatorType>N/A</InitiatorType>
      <SiteName>N/A</SiteName>
      <Description>N/A</Description>
    </UpdateEvent>
  </McAfeeCommonUpdater>
</UpdateEvents>

<?xml version="1.0"?>
<UpdateEvents>
  <MachineInfo>
    <AgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</AgentGUID>
    <MachineName>DESKTOP01</MachineName>
    <RawMACAddress>38596153343D</RawMACAddress>
    <IPAddress>1.2.3.4</IPAddress>
    <AgentVersion>5.8.2.929</AgentVersion>
    <OSName>Windows 10</OSName>
    <TimeZoneBias>-60</TimeZoneBias>
    <UserName>John_Doe</UserName>
  </MachineInfo>
  <McAfeeCommonUpdater ProductName="Trellix Agent" ProductVersion="5.0.0" ProductFamily="TVD">
    <UpdateEvent>
      <EventID>2427</EventID>
      <Severity>4</Severity>
      <GMTTime>2024-12-20T16:05:50</GMTTime>
      <ProductID>ENDPATP_1070</ProductID>
      <Locale>040c</Locale>
      <Error>83</Error>
      <Type>Property Collection</Type>
      <Version>N/A</Version>
      <InitiatorID>EPOAGENT3000</InitiatorID>
      <InitiatorType>N/A</InitiatorType>
      <SiteName>N/A</SiteName>
      <Description>N/A</Description>
    </UpdateEvent>
  </McAfeeCommonUpdater>
</UpdateEvents>

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

Event Categories

The following table lists the data source offered by this integration.

Data Source	Description
`Application logs`	collect detections from the agent

In details, the following table denotes the type of events produced by this integration.

Name	Values
Kind	``
Category	`configuration`, `intrusion_detection`
Type	`allowed`, `change`, `info`

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.

epo_event_1048.jsonepo_event_1087.jsonepo_event_1088.jsonepo_event_1090.jsonepo_event_1346.jsonupdate_event_2401.jsonupdate_event_2422.jsonupdate_event_2427.json

{
    "message": "<?xml version=\"1.0\"?>\n<EPOEvent>\n  <MachineInfo>\n    <AgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</AgentGUID>\n    <MachineName>DESKTOP01</MachineName>\n    <RawMACAddress>38596153343D</RawMACAddress>\n    <IPAddress>1.2.3.4</IPAddress>\n    <AgentVersion>5.8.2.929</AgentVersion>\n    <OSName>Windows 10</OSName>\n    <TimeZoneBias>-60</TimeZoneBias>\n    <UserName>John_Doe</UserName>\n  </MachineInfo>\n  <SoftwareInfo ProductName=\"ENDP_AM_1070LYNX\" ProductVersion=\"10.7.18.211\" ProductFamily=\"TVD\">\n    <CommonFields>\n      <Analyzer>ENDP_AM_1070LYNX</Analyzer>\n      <AnalyzerName>Trellix Endpoint Security</AnalyzerName>\n      <AnalyzerVersion>10.7.18.211</AnalyzerVersion>\n    </CommonFields>\n    <Event>\n      <EventID>1048</EventID>\n      <Severity>1</Severity>\n      <GMTTime>2024-12-20T15:35:05</GMTTime>\n      <LocalTime>2024-12-20T16:35:05</LocalTime>\n      <CommonFields>\n        <AnalyzerDATVersion>5922.0</AnalyzerDATVersion>\n        <AnalyzerDetectionMethod>OAS</AnalyzerDetectionMethod>\n        <AnalyzerEngineVersion>6720.10487</AnalyzerEngineVersion>\n        <DetectedUTC>2024-12-20T15:35:05Z</DetectedUTC>\n        <TargetFileName>/var/log/gitlab/sidekiq/current</TargetFileName>\n        <TargetProcessName>/opt/gitlab/embedded/bin/svlogd</TargetProcessName>\n        <TargetUserName/>\n        <ThreatActionTaken>IDS_THREAT_ACTION_ALLOW</ThreatActionTaken>\n        <ThreatCategory>ops</ThreatCategory>\n        <ThreatHandled>0</ThreatHandled>\n        <ThreatName/>\n        <ThreatSeverity>4</ThreatSeverity>\n        <ThreatType>IDS_ALERT_DET_TYP_NOT</ThreatType>\n      </CommonFields>\n    </Event>\n  </SoftwareInfo>\n</EPOEvent>",
    "event": {
        "action": "IDS_THREAT_ACTION_ALLOW",
        "category": [
            "intrusion_detection"
        ],
        "code": "1048",
        "dataset": "EPOEvents",
        "severity": 1,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-12-20T15:35:05Z",
    "agent": {
        "id": "7434b2ff-872c-42e3-88f1-3e09ae7e33ee",
        "version": "5.8.2.929"
    },
    "file": {
        "name": "/var/log/gitlab/sidekiq/current"
    },
    "host": {
        "ip": "1.2.3.4",
        "mac": "38596153343D",
        "name": "DESKTOP01",
        "os": {
            "full": "Windows 10"
        }
    },
    "observer": {
        "product": "ePO",
        "vendor": "Trellix"
    },
    "process": {
        "executable": "/opt/gitlab/embedded/bin/svlogd",
        "name": "svlogd"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "John_Doe"
        ]
    },
    "threat": {
        "indicator": {
            "sightings": 0
        }
    },
    "trellix": {
        "event": {
            "detect_date": "2024-12-20T15:35:05.000000Z"
        },
        "threat": {
            "action_taken": "IDS_THREAT_ACTION_ALLOW",
            "category": "ops",
            "severity": "4",
            "type": "IDS_ALERT_DET_TYP_NOT"
        }
    },
    "user": {
        "name": "John_Doe"
    }
}

{
    "message": "<?xml version=\"1.0\"?>\n<EPOEvent>\n  <MachineInfo>\n    <AgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</AgentGUID>\n    <MachineName>DESKTOP01</MachineName>\n    <RawMACAddress>38596153343D</RawMACAddress>\n    <IPAddress>1.2.3.4</IPAddress>\n    <AgentVersion>5.8.2.929</AgentVersion>\n    <OSName>Linux</OSName>\n    <TimeZoneBias>-60</TimeZoneBias>\n    <UserName>John_Doe</UserName>\n  </MachineInfo>\n  <SoftwareInfo ProductName=\"ENDP_AM_1070LYNX\" ProductVersion=\"10.7.18.211\" ProductFamily=\"TVD\">\n    <CommonFields>\n      <Analyzer>ENDP_AM_1070LYNX</Analyzer>\n      <AnalyzerName>Trellix Endpoint Security</AnalyzerName>\n      <AnalyzerVersion>10.7.18.211</AnalyzerVersion>\n    </CommonFields>\n    <Event>\n      <EventID>1087</EventID>\n      <Severity>0</Severity>\n      <GMTTime>2024-12-20T15:38:49</GMTTime>\n      <LocalTime>2024-12-20T16:38:49</LocalTime>\n      <CommonFields>\n        <AnalyzerDATVersion>5923.0</AnalyzerDATVersion>\n        <AnalyzerDetectionMethod>OAS</AnalyzerDetectionMethod>\n        <AnalyzerEngineVersion>6720.10487</AnalyzerEngineVersion>\n        <DetectedUTC>2024-12-20T15:38:49Z</DetectedUTC>\n        <ThreatActionTaken>None</ThreatActionTaken>\n        <ThreatCategory>ops.scan.start</ThreatCategory>\n        <ThreatHandled>1</ThreatHandled>\n        <ThreatName>None</ThreatName>\n        <ThreatSeverity>6</ThreatSeverity>\n        <ThreatType>None</ThreatType>\n      </CommonFields>\n    </Event>\n  </SoftwareInfo>\n</EPOEvent>",
    "event": {
        "category": [
            "intrusion_detection"
        ],
        "code": "1087",
        "dataset": "EPOEvents",
        "severity": 0,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-12-20T15:38:49Z",
    "agent": {
        "id": "7434b2ff-872c-42e3-88f1-3e09ae7e33ee",
        "version": "5.8.2.929"
    },
    "host": {
        "ip": "1.2.3.4",
        "mac": "38596153343D",
        "name": "DESKTOP01",
        "os": {
            "full": "Linux"
        }
    },
    "observer": {
        "product": "ePO",
        "vendor": "Trellix"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "John_Doe"
        ]
    },
    "threat": {
        "indicator": {
            "sightings": 1
        }
    },
    "trellix": {
        "event": {
            "detect_date": "2024-12-20T15:38:49.000000Z"
        },
        "threat": {
            "category": "ops.scan.start",
            "severity": "6"
        }
    },
    "user": {
        "name": "John_Doe"
    }
}

{
    "message": "<?xml version=\"1.0\"?>\n<EPOEvent>\n  <MachineInfo>\n    <AgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</AgentGUID>\n    <MachineName>DESKTOP01</MachineName>\n    <RawMACAddress>38596153343D</RawMACAddress>\n    <IPAddress>1.2.3.4</IPAddress>\n    <AgentVersion>5.8.2.929</AgentVersion>\n    <OSName>Windows 10</OSName>\n    <TimeZoneBias>-60</TimeZoneBias>\n    <UserName>John_Doe</UserName>\n  </MachineInfo>\n  <SoftwareInfo ProductName=\"ENDP_AM_1070LYNX\" ProductVersion=\"10.7.18.211\" ProductFamily=\"TVD\">\n    <CommonFields>\n      <Analyzer>ENDP_AM_1070LYNX</Analyzer>\n      <AnalyzerName>Trellix Endpoint Security</AnalyzerName>\n      <AnalyzerVersion>10.7.18.211</AnalyzerVersion>\n    </CommonFields>\n    <Event>\n      <EventID>1088</EventID>\n      <Severity>0</Severity>\n      <GMTTime>2024-12-20T15:38:47</GMTTime>\n      <LocalTime>2024-12-20T16:38:47</LocalTime>\n      <CommonFields>\n        <AnalyzerDATVersion>5923.0</AnalyzerDATVersion>\n        <AnalyzerDetectionMethod>OAS</AnalyzerDetectionMethod>\n        <AnalyzerEngineVersion>6720.10487</AnalyzerEngineVersion>\n        <DetectedUTC>2024-12-20T15:38:47Z</DetectedUTC>\n        <ThreatActionTaken>None</ThreatActionTaken>\n        <ThreatCategory>ops.scan.end</ThreatCategory>\n        <ThreatHandled>1</ThreatHandled>\n        <ThreatName>None</ThreatName>\n        <ThreatSeverity>6</ThreatSeverity>\n        <ThreatType>None</ThreatType>\n      </CommonFields>\n    </Event>\n  </SoftwareInfo>\n</EPOEvent>",
    "event": {
        "category": [
            "intrusion_detection"
        ],
        "code": "1088",
        "dataset": "EPOEvents",
        "severity": 0,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-12-20T15:38:47Z",
    "agent": {
        "id": "7434b2ff-872c-42e3-88f1-3e09ae7e33ee",
        "version": "5.8.2.929"
    },
    "host": {
        "ip": "1.2.3.4",
        "mac": "38596153343D",
        "name": "DESKTOP01",
        "os": {
            "full": "Windows 10"
        }
    },
    "observer": {
        "product": "ePO",
        "vendor": "Trellix"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "John_Doe"
        ]
    },
    "threat": {
        "indicator": {
            "sightings": 1
        }
    },
    "trellix": {
        "event": {
            "detect_date": "2024-12-20T15:38:47.000000Z"
        },
        "threat": {
            "category": "ops.scan.end",
            "severity": "6"
        }
    },
    "user": {
        "name": "John_Doe"
    }
}

{
    "message": "<?xml version=\"1.0\"?>\n<EPOEvent>\n  <MachineInfo>\n    <AgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</AgentGUID>\n    <MachineName>DESKTOP01</MachineName>\n    <RawMACAddress>38596153343D</RawMACAddress>\n    <IPAddress>1.2.3.4</IPAddress>\n    <AgentVersion>5.8.2.929</AgentVersion>\n    <OSName>Windows 10</OSName>\n    <TimeZoneBias>-60</TimeZoneBias>\n    <UserName/>\n  </MachineInfo>\n  <SoftwareInfo ProductName=\"ENDP_AM_1070LYNX\" ProductVersion=\"10.7.18.211\" ProductFamily=\"TVD\">\n    <CommonFields>\n      <Analyzer>ENDP_AM_1070LYNX</Analyzer>\n      <AnalyzerName>Trellix Endpoint Security</AnalyzerName>\n      <AnalyzerVersion>10.7.18.211</AnalyzerVersion>\n    </CommonFields>\n    <Event>\n      <EventID>1090</EventID>\n      <Severity>1</Severity>\n      <GMTTime>2024-12-20T15:17:12</GMTTime>\n      <LocalTime>2024-12-20T16:17:12</LocalTime>\n      <CommonFields>\n        <AnalyzerDATVersion>5920.0</AnalyzerDATVersion>\n        <AnalyzerDetectionMethod>OAS</AnalyzerDetectionMethod>\n        <AnalyzerEngineVersion>6720.10487</AnalyzerEngineVersion>\n        <DetectedUTC>2024-12-20T15:17:12Z</DetectedUTC>\n        <ThreatActionTaken>None</ThreatActionTaken>\n        <ThreatCategory>ops.scan.end</ThreatCategory>\n        <ThreatHandled>1</ThreatHandled>\n        <ThreatName>None</ThreatName>\n        <ThreatSeverity>6</ThreatSeverity>\n        <ThreatType>None</ThreatType>\n      </CommonFields>\n      <CustomFields target=\"EPExtendedEventMT\">\n        <BladeName>IDS_BLADE_NAME_SPB</BladeName>\n        <NaturalLangDescription>IDS_NATURAL_LANG_OAS_FAILED_TO_ENABLE_2</NaturalLangDescription>\n      </CustomFields>\n    </Event>\n  </SoftwareInfo>\n</EPOEvent>",
    "event": {
        "category": [
            "intrusion_detection"
        ],
        "code": "1090",
        "dataset": "EPOEvents",
        "severity": 1,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-12-20T15:17:12Z",
    "agent": {
        "id": "7434b2ff-872c-42e3-88f1-3e09ae7e33ee",
        "version": "5.8.2.929"
    },
    "host": {
        "ip": "1.2.3.4",
        "mac": "38596153343D",
        "name": "DESKTOP01",
        "os": {
            "full": "Windows 10"
        }
    },
    "observer": {
        "product": "ePO",
        "vendor": "Trellix"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "threat": {
        "indicator": {
            "sightings": 1
        }
    },
    "trellix": {
        "event": {
            "detect_date": "2024-12-20T15:17:12.000000Z"
        },
        "threat": {
            "category": "ops.scan.end",
            "severity": "6"
        }
    }
}

{
    "message": "<?xml version=\"1.0\"?>\n<EPOevent>\n  <MachineInfo>\n    <AgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</AgentGUID>\n    <MachineName>DESKTOP01</MachineName>\n    <RawMACAddress>38596153343D</RawMACAddress>\n    <IPAddress>1.2.3.4</IPAddress>\n    <OSName>Windows Server 2012</OSName>\n    <UserName>Syst&#xE8;me</UserName>\n    <TimeZoneBias>-60</TimeZoneBias>\n  </MachineInfo>\n  <SoftwareInfo ProductName=\"ENS Storage Protection\" ProductVersion=\"2.4.0\" ProductFamily=\"ENS\">\n    <ProductFamily>ENS</ProductFamily>\n    <ProductName>ENS Storage Protection</ProductName>\n    <ProductVersion>2.4.0</ProductVersion>\n    <Event>\n      <EventID>1346</EventID>\n      <Severity>0</Severity>\n      <GMTTime>2024-12-20T15:47:49</GMTTime>\n      <CustomFields target=\"VSAS130_PerformanceMT\">\n        <EPOLeafNodeAgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</EPOLeafNodeAgentGUID>\n        <ReceivedUTC>2024-12-20T15:47:49</ReceivedUTC>\n        <DetectedUTC>2024-12-20T15:47:49</DetectedUTC>\n        <ScanServer>DESKTOP01</ScanServer>\n        <Plugin>ICAP</Plugin>\n        <MaxScanThreadsUsed>2</MaxScanThreadsUsed>\n        <MaxScanThreadsAllowed>100</MaxScanThreadsAllowed>\n        <RequestDenied>0</RequestDenied>\n        <RequestAccepted>773</RequestAccepted>\n        <ScanTimeExceeded>0</ScanTimeExceeded>\n        <FileAccessFailed>0</FileAccessFailed>\n        <ProductCode>ENDP_SP_2000</ProductCode>\n      </CustomFields>\n    </Event>\n  </SoftwareInfo>\n</EPOevent>",
    "event": {
        "category": [
            "intrusion_detection"
        ],
        "code": "1346",
        "dataset": "EPOEvents",
        "severity": 0,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-12-20T15:47:49Z",
    "agent": {
        "id": "7434b2ff-872c-42e3-88f1-3e09ae7e33ee"
    },
    "host": {
        "ip": "1.2.3.4",
        "mac": "38596153343D",
        "name": "DESKTOP01",
        "os": {
            "full": "Windows Server 2012"
        }
    },
    "observer": {
        "product": "ePO",
        "vendor": "Trellix"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "Syst\u00e8me"
        ]
    },
    "user": {
        "name": "Syst\u00e8me"
    }
}

{
    "message": "<?xml version=\"1.0\"?>\n<UpdateEvents>\n  <MachineInfo>\n    <AgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</AgentGUID>\n    <MachineName>DESKTOP01</MachineName>\n    <RawMACAddress>38596153343D</RawMACAddress>\n    <IPAddress>1.2.3.4</IPAddress>\n    <AgentVersion>5.8.2.929</AgentVersion>\n    <OSName>Windows 10</OSName>\n    <TimeZoneBias>-60</TimeZoneBias>\n    <UserName>John_Doe,Jane_Doe,Olivier_Martin</UserName>\n  </MachineInfo>\n  <McAfeeCommonUpdater ProductName=\"Trellix Agent\" ProductVersion=\"5.0.0\" ProductFamily=\"TVD\">\n    <UpdateEvent>\n      <EventID>2401</EventID>\n      <Severity>0</Severity>\n      <GMTTime>2024-12-20T15:35:50</GMTTime>\n      <ProductID>AMCORDAT2000</ProductID>\n      <Locale>0409</Locale>\n      <Error>0</Error>\n      <Type>AMCore</Type>\n      <Version>5746.0</Version>\n      <InitiatorID>EPOAGENT3000</InitiatorID>\n      <InitiatorType>OnDemand</InitiatorType>\n      <SiteName>ePO_SK-INTG</SiteName>\n      <Description>N/A</Description>\n    </UpdateEvent>\n  </McAfeeCommonUpdater>\n</UpdateEvents>",
    "event": {
        "category": [
            "configuration"
        ],
        "code": "2401",
        "dataset": "UpdateEvents",
        "reason": "N/A",
        "severity": 0,
        "type": [
            "change"
        ]
    },
    "@timestamp": "2024-12-20T15:35:50Z",
    "agent": {
        "id": "7434b2ff-872c-42e3-88f1-3e09ae7e33ee",
        "version": "5.8.2.929"
    },
    "host": {
        "ip": "1.2.3.4",
        "mac": "38596153343D",
        "name": "DESKTOP01",
        "os": {
            "full": "Windows 10"
        }
    },
    "observer": {
        "product": "ePO",
        "vendor": "Trellix"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "trellix": {
        "update_event": {
            "initiator": {
                "id": "EPOAGENT3000",
                "type": "OnDemand"
            },
            "product_id": "AMCORDAT2000",
            "site_name": "ePO_SK-INTG",
            "type": "AMCore",
            "usernames": [
                "Jane_Doe",
                "John_Doe",
                "Olivier_Martin"
            ]
        }
    }
}

{
    "message": "<?xml version=\"1.0\"?>\n<UpdateEvents>\n  <MachineInfo>\n    <AgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</AgentGUID>\n    <MachineName>DESKTOP01</MachineName>\n    <RawMACAddress>38596153343D</RawMACAddress>\n    <IPAddress>1.2.3.4</IPAddress>\n    <AgentVersion>5.8.2.929</AgentVersion>\n    <OSName>Windows 10</OSName>\n    <TimeZoneBias>-60</TimeZoneBias>\n    <UserName/>\n  </MachineInfo>\n  <McAfeeCommonUpdater ProductName=\"Trellix Agent\" ProductVersion=\"5.0.0\" ProductFamily=\"TVD\">\n    <UpdateEvent>\n      <EventID>2422</EventID>\n      <Severity>4</Severity>\n      <GMTTime>2024-12-20T16:06:08</GMTTime>\n      <ProductID>DXL_____1000</ProductID>\n      <Locale>0409</Locale>\n      <Error>59</Error>\n      <Type>Policy Enforcement</Type>\n      <Version>N/A</Version>\n      <InitiatorID>EPOAGENT3000</InitiatorID>\n      <InitiatorType>N/A</InitiatorType>\n      <SiteName>N/A</SiteName>\n      <Description>N/A</Description>\n    </UpdateEvent>\n  </McAfeeCommonUpdater>\n</UpdateEvents>",
    "event": {
        "category": [
            "configuration"
        ],
        "code": "2422",
        "dataset": "UpdateEvents",
        "reason": "N/A",
        "severity": 4,
        "type": [
            "change"
        ]
    },
    "@timestamp": "2024-12-20T16:06:08Z",
    "agent": {
        "id": "7434b2ff-872c-42e3-88f1-3e09ae7e33ee",
        "version": "5.8.2.929"
    },
    "host": {
        "ip": "1.2.3.4",
        "mac": "38596153343D",
        "name": "DESKTOP01",
        "os": {
            "full": "Windows 10"
        }
    },
    "observer": {
        "product": "ePO",
        "vendor": "Trellix"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "trellix": {
        "update_event": {
            "initiator": {
                "id": "EPOAGENT3000",
                "type": "N/A"
            },
            "product_id": "DXL_____1000",
            "site_name": "N/A",
            "type": "Policy Enforcement"
        }
    }
}

{
    "message": "<?xml version=\"1.0\"?>\n<UpdateEvents>\n  <MachineInfo>\n    <AgentGUID>{7434b2ff-872c-42e3-88f1-3e09ae7e33ee}</AgentGUID>\n    <MachineName>DESKTOP01</MachineName>\n    <RawMACAddress>38596153343D</RawMACAddress>\n    <IPAddress>1.2.3.4</IPAddress>\n    <AgentVersion>5.8.2.929</AgentVersion>\n    <OSName>Windows 10</OSName>\n    <TimeZoneBias>-60</TimeZoneBias>\n    <UserName>John_Doe</UserName>\n  </MachineInfo>\n  <McAfeeCommonUpdater ProductName=\"Trellix Agent\" ProductVersion=\"5.0.0\" ProductFamily=\"TVD\">\n    <UpdateEvent>\n      <EventID>2427</EventID>\n      <Severity>4</Severity>\n      <GMTTime>2024-12-20T16:05:50</GMTTime>\n      <ProductID>ENDPATP_1070</ProductID>\n      <Locale>040c</Locale>\n      <Error>83</Error>\n      <Type>Property Collection</Type>\n      <Version>N/A</Version>\n      <InitiatorID>EPOAGENT3000</InitiatorID>\n      <InitiatorType>N/A</InitiatorType>\n      <SiteName>N/A</SiteName>\n      <Description>N/A</Description>\n    </UpdateEvent>\n  </McAfeeCommonUpdater>\n</UpdateEvents>",
    "event": {
        "category": [
            "configuration"
        ],
        "code": "2427",
        "dataset": "UpdateEvents",
        "reason": "N/A",
        "severity": 4,
        "type": [
            "change"
        ]
    },
    "@timestamp": "2024-12-20T16:05:50Z",
    "agent": {
        "id": "7434b2ff-872c-42e3-88f1-3e09ae7e33ee",
        "version": "5.8.2.929"
    },
    "host": {
        "ip": "1.2.3.4",
        "mac": "38596153343D",
        "name": "DESKTOP01",
        "os": {
            "full": "Windows 10"
        }
    },
    "observer": {
        "product": "ePO",
        "vendor": "Trellix"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "trellix": {
        "update_event": {
            "initiator": {
                "id": "EPOAGENT3000",
                "type": "N/A"
            },
            "product_id": "ENDPATP_1070",
            "site_name": "N/A",
            "type": "Property Collection",
            "usernames": [
                "John_Doe"
            ]
        }
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name	Type	Description
`@timestamp`	`date`	Date/time when the event originated.
`agent.id`	`keyword`	Unique identifier of this agent.
`agent.version`	`keyword`	Version of the agent.
`event.action`	`keyword`	The action captured by the event.
`event.category`	`keyword`	Event category. The second categorization field in the hierarchy.
`event.code`	`keyword`	Identification code for this event.
`event.dataset`	`keyword`	Name of the dataset.
`event.provider`	`keyword`	Source of the event.
`event.reason`	`keyword`	Reason why this event happened, according to the source
`event.severity`	`long`	Numeric severity of the event.
`event.type`	`keyword`	Event type. The third categorization field in the hierarchy.
`file.name`	`keyword`	Name of the file including the extension, without the directory.
`host.ip`	`ip`	Host ip addresses.
`host.mac`	`keyword`	Host MAC addresses.
`host.name`	`keyword`	Name of the host.
`host.os.full`	`keyword`	Operating system name, including the version or code name.
`observer.product`	`keyword`	The product name of the observer.
`observer.vendor`	`keyword`	Vendor name of the observer.
`process.executable`	`keyword`	Absolute path to the process executable.
`process.name`	`keyword`	Process name.
`threat.indicator.sightings`	`long`	Number of times indicator observed
`trellix.event.detect_date`	`keyword`	Trellix event detect date
`trellix.threat.action_taken`	`keyword`	Trellix threat action taken
`trellix.threat.category`	`keyword`	Trellix threat category
`trellix.threat.severity`	`keyword`	Trellix threat severity
`trellix.threat.type`	`keyword`	Trellix threat type
`trellix.update_event.initiator.id`	`keyword`
`trellix.update_event.initiator.type`	`keyword`
`trellix.update_event.product_id`	`keyword`
`trellix.update_event.site_name`	`keyword`
`trellix.update_event.type`	`keyword`
`trellix.update_event.usernames`	`array`
`user.name`	`keyword`	Short name or login of the user.
`user.target.name`	`keyword`	Short name or login of the user.

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.