Trellix (FireEye) Endpoint Security (HX)

What is FireEye Endpoint Security (HX)?

FireEye Endpoint Security is a unified endpoint security platform for preventative protection, post-breach detection, automated investigation, and response. Its controller, the component that Vectra makes API calls to for the integration, can run as part of a cloud service, as a physical appliance, or as a virtual machine in the customer environment. The integration with Vectra works the same regardless of deployment type; only the URL used for the API integration changes based on your implementation.

Integration:

How does FireEye Endpoint Security integrate with my Vectra platform?

Integration with FireEye Endpoint Security adds host context to aid in host identification during a security investigation. When Detect sees a host session come online, it polls FireEye Endpoint Security for host information. Host information may include the following:

  • Machine ID

  • Machine name

  • Operating system

  • Isolation status

FireEye Endpoint Security host context is available under the Host Details tab of individual Host pages.
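The poll described above, worked through as an added example that is not Vectra's or FireEye's own code. It exchanges the Api_Admin credentials for a session token, looks a host up by name, and maps the reply onto the four context fields Detect displays, handling the unknown-host and rejected-credential cases. The endpoint paths (`/hx/api/v3/token`, `/hx/api/v3/hosts`), the `X-FeApi-Token` header and the `_id`, `hostname`, `os.product_name` and `containment_state` field names are assumptions based on the HX REST API v3, not taken from this article; the transport callable, the sample hosts and the credentials are constructed so the example runs offline.

```python
"""Offline walk-through of the host-context poll (added example).

Endpoint paths, the X-FeApi-Token header and the response field names are
assumptions based on the FireEye HX REST API v3, not taken from this article;
check them against your controller's API documentation before relying on them.
"""
import base64
import json
import urllib.parse
from typing import Callable, Dict, Optional, Tuple

API_BASE = "/hx/api/v3"

# A transport is any callable (method, path, headers) -> (status, headers, body).
# A callable lets the example run offline against constructed replies; in
# production it would wrap an HTTPS client that verifies the controller's certificate.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], str]]

# Constructed sample inventory standing in for an HX controller (hypothetical hosts).
SAMPLE_HOSTS = [
    {"_id": "uHvJ4qR2kLwX9pZt1aBc3D", "hostname": "ws-finance-07",
     "os": {"product_name": "Windows 10 Enterprise"}, "containment_state": "normal"},
    {"_id": "Qm7nVb2xCe9TyU1kLpO5sW", "hostname": "srv-db-02",
     "os": {"product_name": "Red Hat Enterprise Linux 8"}, "containment_state": "contained"},
]
API_ADMIN_USER = ("vectra-api", "correct horse battery staple")  # constructed credentials
SESSION_TOKEN = "constructed-session-token"


def fake_transport(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Minimal stand-in for the HX controller, enough to exercise the two calls."""
    parts = urllib.parse.urlsplit(path)
    if parts.path == f"{API_BASE}/token":
        expected = base64.b64encode(f"{API_ADMIN_USER[0]}:{API_ADMIN_USER[1]}".encode()).decode()
        if headers.get("Authorization") == f"Basic {expected}":
            return 204, {"X-FeApi-Token": SESSION_TOKEN}, ""
        return 401, {}, json.dumps({"message": "Unauthorized"})
    if parts.path == f"{API_BASE}/hosts":
        if headers.get("X-FeApi-Token") != SESSION_TOKEN:
            return 401, {}, ""
        wanted = urllib.parse.parse_qs(parts.query).get("hostname", [""])[0]
        entries = [h for h in SAMPLE_HOSTS if h["hostname"] == wanted]
        return 200, {}, json.dumps({"data": {"total": len(entries), "entries": entries}})
    return 404, {}, ""


def get_api_token(transport: Transport, username: str, password: str) -> str:
    """Exchange the Api_Admin credentials for a session token (Basic auth once, token thereafter)."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    status, resp_headers, _ = transport("GET", f"{API_BASE}/token", {"Authorization": f"Basic {creds}"})
    if status != 204 or "X-FeApi-Token" not in resp_headers:
        raise PermissionError(f"token request rejected with HTTP {status}; check the Api_Admin account")
    return resp_headers["X-FeApi-Token"]


def host_context(transport: Transport, token: str, hostname: str) -> Optional[Dict[str, object]]:
    """Return the four context fields Detect shows, or None if HX knows no such host."""
    path = f"{API_BASE}/hosts?" + urllib.parse.urlencode({"hostname": hostname})
    status, _, body = transport("GET", path, {"X-FeApi-Token": token, "Accept": "application/json"})
    if status != 200:
        raise RuntimeError(f"host query failed with HTTP {status}")
    entries = json.loads(body)["data"]["entries"]
    if not entries:
        return None
    if len(entries) > 1:
        # Two agents reporting the same hostname is a real-world ambiguity; surface it
        # rather than silently attaching the wrong machine's context to a detection.
        raise ValueError(f"{len(entries)} agents report hostname {hostname!r}; disambiguate by agent id")
    h = entries[0]
    return {
        "machine_id": h["_id"],
        "machine_name": h["hostname"],
        "operating_system": h.get("os", {}).get("product_name", "unknown"),
        "isolated": h.get("containment_state") == "contained",
    }


if __name__ == "__main__":
    tok = get_api_token(fake_transport, *API_ADMIN_USER)
    for name in ("ws-finance-07", "srv-db-02", "laptop-unknown"):
        print(name, "->", host_context(fake_transport, tok, name))
```

The token is requested once and reused for the host lookups, which is why the integration needs a dedicated Api_Admin account rather than a human user's credentials: the account's activity on the controller is then attributable to Detect alone.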

How do I enable the FireEye Endpoint Security integration in Detect?

FireEye Endpoint Security is configured under the EDR Integrations Tab. In your Detect UI, navigate to Settings -> EDR Integrations -> FireEye Endpoint Security:

  • Select Edit on the far right-hand side within the FireEye Endpoint Security row.

  • Toggle Enable integration with FireEye Endpoint Security to On.

  • Enter your FireEye Endpoint Security Hostname, Username, and Password. The username and password should be for an account with the role Api_Admin. If you do not have your Hostname, Username, or Password, or do not know how to create an account with the correct role, see the next section for details on where to locate them.

  • Click Save.

  • Once the credentials have been validated, the UI will provide confirmation that your configuration has been saved.

  • Your FireEye Endpoint Security EDR setup is now complete.

Where can I find my FireEye Information to integrate with Vectra?

To get credentials for FireEye Endpoint Security for use with Vectra:

  • Log into your FireEye Dashboard

  • Navigate to Admin > Appliance Settings > User Accounts

  • Here you will see all the user accounts that you have created. In order to get the Vectra EDR Integration working, there needs to be a user with the role Api Admin.

  • If you do not have this user, please follow the steps below. If you do have a user with this role, use that username and password when setting up the FireEye integration.

  • Navigate to the Add New User.

  • Create a new user with the role Api Admin.

  • Remember your username and password.

  • This will be the user that you use when setting up the EDR integration in the Vectra dashboard.

Why do I not see FireEye Endpoint Security as an External Connector?

Vectra introduced native integration support for FireEye Endpoint Security in release version 6.6. Please make sure you are running Detect version 6.6 or greater. You can check the current software version by navigating to Settings -> General -> Version in the Detect UI.

Can I use Advanced search to query for FireEye Endpoint Security hosts?

Right now, we do not have support for Advanced search for FireEye Endpoint Security host artifacts. We plan on releasing this feature in a coming release.

Can FireEye Endpoint Security be used for Host Lockdown?

Yes, Detect release version 6.6 introduced support for Host Lockdown using FireEye Endpoint Security. For more details, please check this article.
