This is the multi-page printable view of this section. Click here to print.
Trellix
- 1: Central Management System (CMS)
- 2: Email Threat Prevention (ETP)
- 3: Endpoint Security (HX)
- 4: ePolicy Orchestrator (EPO)
- 5: MPS
1 - Central Management System (CMS)
Central Management System (CMS): Centralized policy and configuration management platform for Trellix security products.
To onboard such a source to Axoflow, complete the generic appliance onboarding steps.
Labels
Axoflow automatically adds the following labels to data collected from this source:
| Analytics label | Message field | value |
|---|---|---|
vendor |
meta.vendor |
trellix |
product |
meta.product |
cms |
service |
meta.service.name |
fenotify |
You can use the labels as:
- Filter labels on the Analytics page,
- in the Filter By Label field during log tapping.
You can use the message fields
- in Flow Processing steps, for example, in the Query field of Select Messages steps,
- in AQL expressions in the search bars.
Sending data to Splunk
When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:
| sourcetype | source | index |
|---|---|---|
trellix:cms |
trellix:cms |
netops |
Sending data to Google SecOps
When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FIREEYE_CMS.
2 - Email Threat Prevention (ETP)
Email Threat Prevention (ETP): Analyzes and filters email traffic to block phishing, malware, and targeted email-based threats.
To onboard such a source to Axoflow, complete the generic appliance onboarding steps.
Labels
Axoflow automatically adds the following labels to data collected from this source:
| Analytics label | Message field | value |
|---|---|---|
vendor |
meta.vendor |
trellix |
product |
meta.product |
etp |
You can use the labels as:
- Filter labels on the Analytics page,
- in the Filter By Label field during log tapping.
You can use the message fields
- in Flow Processing steps, for example, in the Query field of Select Messages steps,
- in AQL expressions in the search bars.
Sending data to Splunk
When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:
| sourcetype | index |
|---|---|
fe_etp |
fireeye |
Sending data to Google SecOps
When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FIREEYE_ETP.
3 - Endpoint Security (HX)
Endpoint Security (HX): Detects and responds to advanced threats on endpoints using behavior-based analysis and threat intel.
To onboard such a source to Axoflow, complete the generic appliance onboarding steps.
Note that the device can be configured to send logs formatted as JSON or CEF. AxoRouter can automatically parse all flavors.
Labels
Axoflow automatically adds the following labels to data collected from this source:
| Analytics label | Message field | value |
|---|---|---|
vendor |
meta.vendor |
trellix |
product |
meta.product |
hx |
service |
meta.service.name |
cef, fenotify |
You can use the labels as:
- Filter labels on the Analytics page,
- in the Filter By Label field during log tapping.
You can use the message fields
- in Flow Processing steps, for example, in the Query field of Select Messages steps,
- in AQL expressions in the search bars.
Sending data to Splunk
When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:
| sourcetype | index |
|---|---|
hx_json |
fireeye |
fe_json |
fireeye |
hx_cef_syslog |
fireeye |
Tested with: FireEye Add-on for Splunk Enterprise
Sending data to Google SecOps
When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FIREEYE_HX.
Earlier name/vendor
FireEye Endpoint Security (HX)
4 - ePolicy Orchestrator (EPO)
ePolicy Orchestrator (EPO): Analyzes and filters email traffic to block phishing, malware, and targeted email-based threats.
To onboard such a source to Axoflow, complete the generic appliance onboarding steps.
Labels
Axoflow automatically adds the following labels to data collected from this source:
| Analytics label | Message field | value |
|---|---|---|
vendor |
meta.vendor |
trellix |
product |
meta.product |
epo |
You can use the labels as:
- Filter labels on the Analytics page,
- in the Filter By Label field during log tapping.
You can use the message fields
- in Flow Processing steps, for example, in the Query field of Select Messages steps,
- in AQL expressions in the search bars.
Sending data to Splunk
When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:
| sourcetype | index | source |
|---|---|---|
mcafee:epo:syslog |
epav |
trellix_endpoint_security |
Sending data to Google SecOps
When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: MCAFEE_EPO.
Earlier name/vendor
McAfee ePolicy Ochestrator (EPO)
5 - MPS
MPS: Appliance for detecting and blocking advanced threats through inline malware inspection.
To onboard such a source to Axoflow, complete the generic appliance onboarding steps.
Labels
Axoflow automatically adds the following labels to data collected from this source:
| Analytics label | Message field | value |
|---|---|---|
vendor |
meta.vendor |
trellix |
product |
meta.product |
mps |
You can use the labels as:
- Filter labels on the Analytics page,
- in the Filter By Label field during log tapping.
You can use the message fields
- in Flow Processing steps, for example, in the Query field of Select Messages steps,
- in AQL expressions in the search bars.
Sending data to Splunk
When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:
| sourcetype | source | index |
|---|---|---|
trellix:mps |
trellix:mps |
netops |