Trellix ePO

Overview

Trellix ePO - On-prem monitors and manages your network, collects data on events and alerts, creates reports, and automates workflow to streamline product deployments, patch installations, and security updates. As an open and comprehensive platform, Trellix ePO - On-prem integrates more than 150 third-party solutions for faster and more accurate responses.

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

Benefit from SEKOIA.IO built-in rules and upgrade Trellix EPO [ALPHA] with the following detection capabilities out-of-the-box.

SEKOIA.IO x Trellix EPO [ALPHA] on ATT&CK Navigator

AdFind Usage

Detects the usage of the AdFind tool. AdFind.exe is a free tool that extracts information from Active Directory. Wizard Spider (Bazar, TrickBot, Ryuk), FIN6 and MAZE operators have used AdFind.exe to collect information about Active Directory organizational units and trust objects

Effort: elementary

Adexplorer Usage

Detects the usage of Adexplorer, a legitimate tool from the Sysinternals suite that could be abused by attackers as it can saves snapshots of the Active Directory Database.

Effort: advanced

Bloodhound and Sharphound Tools Usage

Detects default process names and default command line parameters used by Bloodhound and Sharphound tools.

Effort: intermediate

CMSTP Execution

Detects various indicators of Microsoft Connection Manager Profile Installer execution

Effort: intermediate

Certificate Authority Modification

Installation of new certificate(s) in the Certificate Authority can be used to trick user when spoofing website or to add trusted destinations.

Effort: master

Exfiltration And Tunneling Tools Execution

Execution of well known tools for data exfiltration and tunneling

Effort: advanced

Kernel Module Alteration

Kernel module installation can be used to configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

Effort: advanced

Network Scanning and Discovery

Tools and command lines used for network discovery from current system

Effort: advanced

Network Sniffing

List of common tools used for network packages sniffing

Effort: advanced

Network Sniffing Windows

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Effort: intermediate

PasswordDump SecurityXploded Tool

Detects the execution of the PasswordDump SecurityXploded Tool

Effort: elementary

PsExec Process

Detects PsExec execution, command line which contains pstools or installation of the PsExec service. PsExec is a SysInternals which can be used to execute a program on another computer. The tool is as much used by attackers as by administrators.

Effort: advanced

RDP Session Discovery

Detects use of RDP session discovery via qwinsta or quser. Used by some threat actors to know if someone is working via RDP on a server.

Effort: advanced

RYUK Ransomeware - martinstevens Username

Detects user name "martinstevens". Wizard Spider is used to add the user name "martinstevens" to the AD of its victims. It was observed in several campaigns; in 2019 and 2020.

Effort: elementary

SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

Effort: elementary

Suspicious Double Extension

Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spearphishing campaigns

Effort: elementary

System Info Discovery

System info discovery, attempt to detects basic command use to fingerprint a host

Effort: master

Event Categories

The following table lists the data source offered by this integration.

Data Source	Description
`Application logs`	collect detections from the agent

In details, the following table denotes the type of events produced by this integration.

Name	Values
Kind	`event`
Category	`intrusion_detection`, `process`
Type	``

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

epo_event.json

{
    "message": "{\"timestamp\":\"2023-06-16T14:55:19.595Z\",\"autoguid\":\"d40cdc38-cd2e-4605-a119-d6b4b00b4c1c\",\"detectedutc\":\"1686927090000\",\"receivedutc\":\"1686927319594\",\"agentguid\":\"d751670f-2c24-422a-af97-23a008522910\",\"analyzer\":\"ENDP_AM_1070\",\"analyzername\":\"Trellix Endpoint Security\",\"analyzerversion\":\"10.7.0.5786\",\"analyzerhostname\":\"hyrvrxzcyuaz-vm\",\"analyzeripv4\":\"10.0.4.4\",\"analyzeripv6\":\"/0:0:0:0:0:ffff:a00:404\",\"analyzermac\":\"6045bdeef272\",\"analyzerdatversion\":null,\"analyzerengineversion\": \"analyzer_engine_version_1\",\"analyzerdetectionmethod\":\"Exploit Prevention\",\"sourcehostname\":null,\"sourceipv4\":\"10.0.4.4\",\"sourceipv6\":\"/0:0:0:0:0:ffff:a00:404\",\"sourcemac\":null,\"sourceusername\":\"test_source_username\",\"sourceprocessname\":\"test_source_process_name\",\"sourceurl\":null,\"targethostname\":null,\"targetipv4\":\"10.0.4.5\",\"targetipv6\":\"/0:0:0:0:0:ffff:a00:404\",\"targetmac\":null,\"targetusername\":\"hyrvrxzcyuaz-vm\\\\adminuser\",\"targetport\":2081,\"targetprotocol\":null,\"targetprocessname\":\"POWERSHELL.EXE\",\"targetfilename\":\"C:\\\\WINDOWS\\\\SYSTEM32\\\\WINDOWSPOWERSHELL\\\\V1.0\\\\POWERSHELL.EXE\",\"threatcategory\":\"hip.bo\",\"threateventid\":18054,\"threatseverity\":\"2\",\"threatname\":\"ExP:Illegal API Use\",\"threattype\":\"IDS_THREAT_TYPE_VALUE_BOP\",\"threatactiontaken\":\"IDS_ACTION_WOULD_BLOCK\",\"threathandled\":true,\"nodepath\":\"1\\\\1016600\\\\1089555\",\"targethash\":\"bcf01e61144d6d6325650134823198b8\",\"sourceprocesshash\":null,\"sourceprocesssigned\":null,\"sourceprocesssigner\":null,\"sourcefilepath\":null}",
    "event": {
        "kind": "event",
        "category": [
            "intrusion_detection"
        ],
        "type": [
            "denied"
        ]
    },
    "@timestamp": "2023-06-16T14:55:19.595000Z",
    "observer": {
        "vendor": "Trellix",
        "product": "ePO"
    },
    "agent": {
        "id": "d751670f-2c24-422a-af97-23a008522910"
    },
    "source": {
        "user": {
            "name": "test_source_username"
        },
        "ip": "10.0.4.4",
        "address": "10.0.4.4"
    },
    "user": {
        "name": "test_source_username",
        "target": {
            "name": "hyrvrxzcyuaz-vm\\adminuser"
        }
    },
    "process": {
        "name": "test_source_process_name"
    },
    "destination": {
        "user": {
            "name": "hyrvrxzcyuaz-vm\\adminuser"
        },
        "ip": "10.0.4.5",
        "port": 2081,
        "address": "10.0.4.5"
    },
    "host": {
        "name": "hyrvrxzcyuaz-vm"
    },
    "trellix": {
        "event": {
            "id": "d40cdc38-cd2e-4605-a119-d6b4b00b4c1c",
            "detect_date": "1686927090000",
            "receive_date": "1686927319594"
        },
        "analyzer": {
            "name": "Trellix Endpoint Security",
            "version": "10.7.0.5786",
            "host": "hyrvrxzcyuaz-vm",
            "detection_method": "Exploit Prevention",
            "engine_version": "analyzer_engine_version_1"
        },
        "threat": {
            "name": "ExP:Illegal API Use",
            "category": "hip.bo",
            "event_id": "18054",
            "severity": "2",
            "type": "IDS_THREAT_TYPE_VALUE_BOP",
            "action_taken": "IDS_ACTION_WOULD_BLOCK",
            "is_handled": "true"
        }
    },
    "related": {
        "user": [
            "hyrvrxzcyuaz-vm\\adminuser",
            "test_source_username"
        ],
        "ip": [
            "10.0.4.4",
            "10.0.4.5"
        ]
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name	Type	Description
`@timestamp`	`date`	Date/time when the event originated.
`agent.id`	`keyword`	Unique identifier of this agent.
`destination.ip`	`ip`	IP address of the destination.
`destination.port`	`long`	Port of the destination.
`destination.user.name`	`keyword`	Short name or login of the user.
`event.category`	`keyword`	Event category. The second categorization field in the hierarchy.
`event.kind`	`keyword`	The kind of the event. The highest categorization field in the hierarchy.
`host.name`	`keyword`	Name of the host.
`observer.product`	`keyword`	The product name of the observer.
`observer.vendor`	`keyword`	Vendor name of the observer.
`process.name`	`keyword`	Process name.
`source.ip`	`ip`	IP address of the source.
`source.user.name`	`keyword`	Short name or login of the user.
`trellix.analyzer.detection_method`	`keyword`	Trellix analyzer detection method
`trellix.analyzer.engine_version`	`keyword`	Trellix analyzer engine version
`trellix.analyzer.host`	`keyword`	Trellix analyzer host
`trellix.analyzer.name`	`keyword`	Trellix analyzer name
`trellix.analyzer.version`	`keyword`	Trellix analyzer version
`trellix.event.detect_date`	`keyword`	Trellix event detect date
`trellix.event.id`	`keyword`	Trellix event id
`trellix.event.receive_date`	`keyword`	Trellix event receive date
`trellix.threat.action_taken`	`keyword`	Trellix threat action taken
`trellix.threat.category`	`keyword`	Trellix threat category
`trellix.threat.event_id`	`keyword`	Trellix threat event id
`trellix.threat.is_handled`	`keyword`	Trellix threat is handled status
`trellix.threat.name`	`keyword`	Trellix threat name
`trellix.threat.severity`	`keyword`	Trellix threat severity
`trellix.threat.type`	`keyword`	Trellix threat type
`user.name`	`keyword`	Short name or login of the user.
`user.target.name`	`keyword`	Short name or login of the user.

Configure

This setup guide will show you how to forward your Trellix ePO events to Sekoia.io.

Configure OAuth

Get client_id, client_secret and x-api-token from your Trellix profile. Ensure that the following scopes are associated to your credentials: epo.evt.r, epo.pevt.r, epo.pevt.rp, epo.qery.g, epo.qery.u, epo.reg_token, epo.resp.ra, epo.resp.ru
Make sure you have access to events by making a request from the documentation

Create an intake

Go to the intake page and create a new intake from the format Trellix. Copy the intake key.

Pull events

To start to pull events, you have to:

Go to the playbooks page and create a new playbook with the Trellix trigger
Set up the module configuration with the Client Id and Client Secret. Set up the trigger configuration with the intake key
Start the playbook and enjoy your events