You may also download a PDF version of this guide.

Product Overview

Trellix Endpoint Security (HX) is an endpoint protection platform designed to detect, investigate, and respond to advanced threats. It combines traditional anti-malware capabilities with modern endpoint detection and response (EDR) to provide multiple layers of defense. The platform offers real-time visibility into endpoint activity, allowing security teams to quickly identify Indicators of Compromise (IOCs). By collecting detailed forensic data from endpoints, Trellix HX enables rapid investigations into alerts to determine the full scope of an attack. Its threat intelligence-driven approach helps to uncover stealthy and persistent threats, and it provides response capabilities to contain compromised systems and remediate threats across the enterprise.

Detection Strategy for Endpoint Integrations

Detection

Our endpoint detection strategy focuses on two common signal types: process and network events. By integrating directly with EDR vendors, we can process security alerts to extract evidence and normalize event details. These normalized signals are then processed through our detection engine to look for signs of post-exploitation activity.

In addition to categorical handling of vendors' security alerts, Expel maintains a large library of behavioral detections to augment vendor detections. When a threat is detected, our automated response bot, Ruxie, takes action by enriching evidence fields with first- and third-party threat intelligence. Additional Ruxie actions query a wide span of technologies directly to arm analysts with key pieces of investigative information and related events.

Response

Endpoints provide rich context for processes and also support other types of Expel Alerts. For example, we use source device identification across a number of alert types when a source IP or hostname is available, because it provides rich context about the actor behind the activity.

Additionally, endpoints provide valuable information for network alerts to help identify what process triggered a connection.

To learn more about our overall approach to detection strategy, see About Detection Strategy in the Help Center.

What We Support for Trellix Endpoint Security (HX)

To see a comprehensive list of the most up-to-date Expel detection rules, vendor detection rules, opt-in detections, and available DUETs (did you expect this) that we support for Trellix Endpoint Security (HX), you can visit the Detections page in Workbench or ask your Sales or Support rep for the most recent download.

Additional Details and Common Questions

Console Access

A vendor alert does not typically include all of the contextual timeline activity surrounding the event of interest. Because this integration does not allow us to get all necessary data via the API, we will ask you for a certain level of console access during onboarding.

The level of access that we require is meant to support essential triage and research activities, and to help us determine the vector and extent of attacker activity for an identified threat. At minimum, we will ask for visibility into alert data, timeline events recorded, and live response/real time response shell (if applicable).

DUET

A DUET (did you expect this) rule flags certain events as needing an immediate verification or notification, and bypasses the normal internal event triage process. The events subject to DUET rules contain behaviors that are not typically indicative of true security incidents, as they are related to policy violations or potential risk.

There are a number of workflows that a DUET may follow. When enabled, the activity will be flagged for investigation and will be routed to you (rather than to us) to take a specified first action. To see the specific DUET rules currently supported for this integration, visit the Detections page in Workbench.