Skip to content

Trellix ePO


Trellix ePO - On-prem monitors and manages your network, collects data on events and alerts, creates reports, and automates workflow to streamline product deployments, patch installations, and security updates. As an open and comprehensive platform, Trellix ePO - On-prem integrates more than 150 third-party solutions for faster and more accurate responses.


Important note - This format is currently in beta. We highly value your feedback to improve its performance.

Benefit from SEKOIA.IO built-in rules and upgrade Trellix EPO [ALPHA] with the following detection capabilities out-of-the-box.

SEKOIA.IO x Trellix EPO [ALPHA] on ATT&CK Navigator

AdFind Usage

Detects the usage of the AdFind tool. AdFind.exe is a free tool that extracts information from Active Directory. Wizard Spider (Bazar, TrickBot, Ryuk), FIN6 and MAZE operators have used AdFind.exe to collect information about Active Directory organizational units and trust objects

  • Effort: elementary
Adexplorer Usage

Detects the usage of Adexplorer, a legitimate tool from the Sysinternals suite that could be abused by attackers as it can saves snapshots of the Active Directory Database.

  • Effort: advanced
Bloodhound and Sharphound Tools Usage

Detects default process names and default command line parameters used by Bloodhound and Sharphound tools.

  • Effort: intermediate
CMSTP Execution

Detects various indicators of Microsoft Connection Manager Profile Installer execution

  • Effort: intermediate
Certificate Authority Modification

Installation of new certificate(s) in the Certificate Authority can be used to trick user when spoofing website or to add trusted destinations.

  • Effort: master
Exfiltration And Tunneling Tools Execution

Execution of well known tools for data exfiltration and tunneling

  • Effort: advanced
Kernel Module Alteration

Kernel module installation can be used to configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

  • Effort: advanced
Network Scanning and Discovery

Tools and command lines used for network discovery from current system

  • Effort: advanced
Network Sniffing

List of common tools used for network packages sniffing

  • Effort: advanced
Network Sniffing Windows

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

  • Effort: intermediate
PasswordDump SecurityXploded Tool

Detects the execution of the PasswordDump SecurityXploded Tool

  • Effort: elementary
PsExec Process

Detects PsExec execution, command line which contains pstools or installation of the PsExec service. PsExec is a SysInternals which can be used to execute a program on another computer. The tool is as much used by attackers as by administrators.

  • Effort: advanced
RDP Session Discovery

Detects use of RDP session discovery via qwinsta or quser. Used by some threat actors to know if someone is working via RDP on a server.

  • Effort: advanced
RYUK Ransomeware - martinstevens Username

Detects user name "martinstevens". Wizard Spider is used to add the user name "martinstevens" to the AD of its victims. It was observed in several campaigns; in 2019 and 2020.

  • Effort: elementary
SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
Suspicious Double Extension

Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spearphishing campaigns

  • Effort: elementary
System Info Discovery

System info discovery, attempt to detects basic command use to fingerprint a host

  • Effort: master

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Application logs collect detections from the agent

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind event
Category intrusion_detection, process
Type ``

Event Samples

Find below few samples of events and how they are normalized by

    "message": "{\"timestamp\":\"2023-06-16T14:55:19.595Z\",\"autoguid\":\"d40cdc38-cd2e-4605-a119-d6b4b00b4c1c\",\"detectedutc\":\"1686927090000\",\"receivedutc\":\"1686927319594\",\"agentguid\":\"d751670f-2c24-422a-af97-23a008522910\",\"analyzer\":\"ENDP_AM_1070\",\"analyzername\":\"Trellix Endpoint Security\",\"analyzerversion\":\"\",\"analyzerhostname\":\"hyrvrxzcyuaz-vm\",\"analyzeripv4\":\"\",\"analyzeripv6\":\"/0:0:0:0:0:ffff:a00:404\",\"analyzermac\":\"6045bdeef272\",\"analyzerdatversion\":null,\"analyzerengineversion\": \"analyzer_engine_version_1\",\"analyzerdetectionmethod\":\"Exploit Prevention\",\"sourcehostname\":null,\"sourceipv4\":\"\",\"sourceipv6\":\"/0:0:0:0:0:ffff:a00:404\",\"sourcemac\":null,\"sourceusername\":\"test_source_username\",\"sourceprocessname\":\"test_source_process_name\",\"sourceurl\":null,\"targethostname\":null,\"targetipv4\":\"\",\"targetipv6\":\"/0:0:0:0:0:ffff:a00:404\",\"targetmac\":null,\"targetusername\":\"hyrvrxzcyuaz-vm\\\\adminuser\",\"targetport\":2081,\"targetprotocol\":null,\"targetprocessname\":\"POWERSHELL.EXE\",\"targetfilename\":\"C:\\\\WINDOWS\\\\SYSTEM32\\\\WINDOWSPOWERSHELL\\\\V1.0\\\\POWERSHELL.EXE\",\"threatcategory\":\"\",\"threateventid\":18054,\"threatseverity\":\"2\",\"threatname\":\"ExP:Illegal API Use\",\"threattype\":\"IDS_THREAT_TYPE_VALUE_BOP\",\"threatactiontaken\":\"IDS_ACTION_WOULD_BLOCK\",\"threathandled\":true,\"nodepath\":\"1\\\\1016600\\\\1089555\",\"targethash\":\"bcf01e61144d6d6325650134823198b8\",\"sourceprocesshash\":null,\"sourceprocesssigned\":null,\"sourceprocesssigner\":null,\"sourcefilepath\":null}",
    "event": {
        "kind": "event",
        "category": [
        "type": [
    "@timestamp": "2023-06-16T14:55:19.595000Z",
    "observer": {
        "vendor": "Trellix",
        "product": "ePO"
    "agent": {
        "id": "d751670f-2c24-422a-af97-23a008522910"
    "source": {
        "user": {
            "name": "test_source_username"
        "ip": "",
        "address": ""
    "user": {
        "name": "test_source_username",
        "target": {
            "name": "hyrvrxzcyuaz-vm\\adminuser"
    "process": {
        "name": "test_source_process_name"
    "destination": {
        "user": {
            "name": "hyrvrxzcyuaz-vm\\adminuser"
        "ip": "",
        "port": 2081,
        "address": ""
    "host": {
        "name": "hyrvrxzcyuaz-vm"
    "trellix": {
        "event": {
            "id": "d40cdc38-cd2e-4605-a119-d6b4b00b4c1c",
            "detect_date": "1686927090000",
            "receive_date": "1686927319594"
        "analyzer": {
            "name": "Trellix Endpoint Security",
            "version": "",
            "host": "hyrvrxzcyuaz-vm",
            "detection_method": "Exploit Prevention",
            "engine_version": "analyzer_engine_version_1"
        "threat": {
            "name": "ExP:Illegal API Use",
            "category": "",
            "event_id": "18054",
            "severity": "2",
            "type": "IDS_THREAT_TYPE_VALUE_BOP",
            "action_taken": "IDS_ACTION_WOULD_BLOCK",
            "is_handled": "true"
    "related": {
        "user": [
        "ip": [

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated. keyword Unique identifier of this agent.
destination.ip ip IP address of the destination.
destination.port long Port of the destination. keyword Short name or login of the user.
event.category keyword Event category. The second categorization field in the hierarchy.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy. keyword Name of the host.
observer.product keyword The product name of the observer.
observer.vendor keyword Vendor name of the observer. keyword Process name.
source.ip ip IP address of the source. keyword Short name or login of the user.
trellix.analyzer.detection_method keyword Trellix analyzer detection method
trellix.analyzer.engine_version keyword Trellix analyzer engine version keyword Trellix analyzer host keyword Trellix analyzer name
trellix.analyzer.version keyword Trellix analyzer version
trellix.event.detect_date keyword Trellix event detect date keyword Trellix event id
trellix.event.receive_date keyword Trellix event receive date
trellix.threat.action_taken keyword Trellix threat action taken
trellix.threat.category keyword Trellix threat category
trellix.threat.event_id keyword Trellix threat event id
trellix.threat.is_handled keyword Trellix threat is handled status keyword Trellix threat name
trellix.threat.severity keyword Trellix threat severity
trellix.threat.type keyword Trellix threat type keyword Short name or login of the user. keyword Short name or login of the user.


This setup guide will show you how to forward your Trellix ePO events to

Configure OAuth

  1. Get client_id, client_secret and x-api-token from your Trellix profile. Ensure that the following scopes are associated to your credentials: epo.evt.r, epo.pevt.r, epo.pevt.rp, epo.qery.g, epo.qery.u, epo.reg_token, epo.resp.ra,
  2. Make sure you have access to events by making a request from the documentation

Create an intake

Go to the intake page and create a new intake from the format Trellix. Copy the intake key.

Pull events

To start to pull events, you have to:

  1. Go to the playbooks page and create a new playbook with the Trellix trigger
  2. Set up the module configuration with the Client Id and Client Secret. Set up the trigger configuration with the intake key
  3. Start the playbook and enjoy your events