Trellix XDR Integration
Forward database audit events to Trellix XDR for extended detection and response. Correlate database activity with endpoint and network telemetry for comprehensive threat visibility.
XDR Platform
Unified detection across endpoint, network, email, and now database for complete security coverage.
Threat Intelligence
Automatic enrichment with Trellix threat intelligence for context-aware alerts.
Investigations
Automated investigation workflows with database activity as evidence.
Configuration Reference
1 Connection Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | A unique name for this SIEM connection (e.g., "trellix-prod") |
| provider | select | Yes | trellix | SIEM provider - select "Trellix XDR" |
| enabled | boolean | No | true | Enable or disable event forwarding |
| api_url | string | Yes | - | Trellix API endpoint (e.g., "https://api.trellix.com") |
| api_key | password | Yes | - | Trellix API key for event ingestion |
| client_id | string | Yes | - | OAuth client ID for authentication |
2 Trellix-Specific Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| tenant_id | string | Yes | - | Trellix tenant ID |
| data_source | string | No | DBaudit | Data source identifier for events |
| event_type | string | No | database_audit | Event type classification |
| threat_intel | boolean | No | true | Enable threat intelligence enrichment |
3 Event Filtering
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| event_types | multiselect | No | all | Event types to forward: audit_events, alerts, ai_detections, policy_violations, classification_findings |
| severity_filter | multiselect | No | all | Filter by severity: critical, warning, info |
| database_filter | array | No | - | Limit to specific databases (empty = all databases) |
4 Batching & Reliability
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| batch_size | number | No | 100 | Number of events per batch (1-1000) |
| flush_interval_seconds | number | No | 30 | Maximum time between flushes (5-300 seconds) |
| retry_attempts | number | No | 3 | Number of retry attempts on failure |
Setup Instructions
1
Create API Credentials
Create API credentials in Trellix with event ingestion permissions.
# Create API Credentials in Trellix:
# 1. Log in to Trellix ePO Console
# 2. Navigate to Configuration → API Credentials
# 3. Click "Create New Credentials"
# 4. Configure the following:
# - Name: DBaudit Integration
# - Type: API Key with OAuth
# - Permissions: Event Ingestion, Threat Intelligence
# 5. Copy the API Key and Client ID
# Trellix API endpoints by region:
# - US: https://api.manage.trellix.com
# - EU: https://api.manage.trellix.eu
# - APAC: https://api.manage.trellix.com.au
# Required permissions:
# - siem.events.write - Event ingestion
# - threats.read - Threat intelligence lookup
# - investigations.write - Create investigations
2
Test API Connection
Verify the credentials can authenticate and send events.
# Test Trellix API connection
# First, get OAuth token
curl -X POST "https://api.manage.trellix.com/oauth/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=YOUR_CLIENT_ID" \
-d "client_secret=YOUR_API_KEY" \
-d "scope=siem.events.write"
# Use token to test event ingestion
curl -X POST "https://api.manage.trellix.com/v1/events" \
-H "Authorization: Bearer ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"events": [{
"dataSource": "DBaudit",
"eventType": "test",
"timestamp": "2024-01-15T10:30:45Z",
"event": {"message": "Test event from DB Audit"}
}]
}'
# Expected response:
{
"status": "success",
"eventsReceived": 1
}
3
Configure in DB Audit
Add the Trellix XDR integration in the DB Audit dashboard.
- Navigate to Integrations → SIEM in DB Audit
- Click Add SIEM Integration
- Select Trellix XDR as the provider
- Enter your API URL, API key, and client ID
- Enter your tenant ID
- Select event types to forward
- Test the connection and save
4
Create Detection Rules (Optional)
Create detection rules to alert on suspicious database activity.
// Trellix XDR Detection Rule
// Detection → Rules → Create Rule
Rule Name: Suspicious Database Data Exfiltration
Description: Detects queries returning large amounts of sensitive data
// Query
dataSource = "DBaudit"
AND event.action.type = "SELECT"
AND event.action.rowsAffected > 10000
AND event.classification.containsPii = true
// Rule Configuration
Severity: High
Priority: 2
// MITRE ATT&CK Mapping
Tactic: Collection (TA0009)
Technique: Data from Information Repositories (T1213)
// Alert Actions
- Create Investigation
- Notify SOC Team
- Enrich with Threat Intelligence
- Correlate with EDR events
// Investigation Playbook
1. Identify source workstation from IP
2. Check for file downloads on endpoint
3. Review network connections
4. Assess data sensitivity
Event Format
Events are sent to Trellix in a structured format optimized for XDR correlation.
{
"timestamp": "2024-01-15T10:30:45.123Z",
"dataSource": "DBaudit",
"eventType": "database_audit",
"tenantId": "your-tenant-id",
"severity": "MEDIUM",
"event": {
"type": "audit_event",
"database": {
"name": "production-postgres",
"type": "postgresql",
"host": "db.example.com"
},
"actor": {
"user": "app_user",
"ip": "10.0.1.50",
"application": "backend-api"
},
"action": {
"type": "SELECT",
"object": "customers",
"schema": "public",
"statement": "SELECT * FROM customers WHERE...",
"rowsAffected": 1500
},
"classification": {
"containsPii": true,
"dataTypes": ["email", "phone"]
}
},
"threatIndicators": [],
"mitreTactics": ["TA0009"],
"mitreTechniques": ["T1213"]
}
XDR Investigation Queries
Use these queries to investigate database-related threats in Trellix XDR.
// Trellix XDR Investigation Queries
// All DB Audit events
dataSource = "DBaudit"
// Filter by severity
dataSource = "DBaudit" AND severity = "HIGH"
// Large data access patterns
dataSource = "DBaudit"
AND event.action.type = "SELECT"
AND event.action.rowsAffected > 10000
// Specific user activity
dataSource = "DBaudit"
AND event.actor.user = "app_user"
// Failed authentication attempts
dataSource = "DBaudit"
AND event.type = "auth_failure"
| GROUP BY event.actor.ip
| COUNT() as failures
| FILTER failures > 5
// PII access monitoring
dataSource = "DBaudit"
AND event.classification.containsPii = true
| GROUP BY event.actor.user, event.database.name
| COUNT() as piiAccess
// Cross-source correlation
(dataSource = "DBaudit" AND event.actor.ip = "10.0.1.50")
OR (dataSource = "EDR" AND srcIp = "10.0.1.50")
| SORT timestamp
Sample Investigation
Trellix XDR automatically correlates database events with endpoint and network telemetry.
// Trellix XDR Investigation - Database Exfiltration
Investigation ID: INV-2024-0115-001
Created: 2024-01-15T10:35:00Z
Status: Active
Priority: High
// Timeline of Events:
10:30:45 - Database Query (DBaudit)
User: app_user
Database: production-postgres
Action: SELECT * FROM customers
Rows: 15,000
Contains PII: true
10:31:02 - File Created (EDR)
Endpoint: WORKSTATION-42
User: app_user
Path: C:\Export\customer_data.csv
Size: 2.8 MB
10:31:15 - Network Connection (NDR)
Source: WORKSTATION-42
Destination: 185.x.x.x (external)
Protocol: HTTPS
Bytes: 3.1 MB
// Threat Intelligence Enrichment
Destination IP: Known data exfiltration endpoint
Risk Score: 85/100
First Seen: 2024-01-10
// Recommended Actions
1. Isolate WORKSTATION-42
2. Revoke app_user database access
3. Initiate incident response
Troubleshooting
OAuth authentication failed
Verify the client ID and API key are correct. Check that the credentials have the required scopes.
Tenant not found
Ensure the tenant ID matches your Trellix account. Find it in ePO Console under Organization settings.
Events not appearing in XDR
Events may take a few minutes to be indexed. Filter by dataSource="DBaudit" in the investigation console.
Rate limiting (429)
Reduce batch_size or increase flush_interval_seconds. Contact Trellix support for higher rate limits.
Ready to Integrate with Trellix XDR?
Start forwarding database audit events to Trellix in minutes.