This service provides the ability to integrate various Trellix solutions with Malware Analytic Services such as Detection-On-Demand (Detection as a Service). The following two use cases are implemented in the current design.
- Integrates Trellix Endpoint and Trellix TIE (Threat Intelligence Exchange) with Trellix DoD (Detection-On-Demand).
- Integrates Skyhigh Web Gateway with Trellix DoD (Detection-On-Demand).
This service is written as a flask web application that simulates the ATD|TIS (Advanced Threat Detection | Trellix Intelligence Sandbox) APIs. This service can be used with every Trellix solution that natively integrates with ATD|TIS.
This is proof of concept code only. In production please make sure to not store username, password and API keys in clear text inside the script.
-
Install > Python3.6
-
Make sure the following dependencies are installed
python3 -m pip install requests flask -
Place the app.py and report.json in a folder and browse to that folder location (e.g. location /opt/app/)
cd /opt/app/ -
Enter a username and password in line 17 and 18. This username and password will need to be the same as configured in TIE and MWG.
-
Generate an API Key in DOD and enter this key in line 21.
-
Run the flask app with the following command. Specify the listening IP address and Port. (e.g. listen on all IPs and port 8080)
flask run --host 0.0.0.0 --port 8080
-
Open the TIE Server Policy in EPO and select the Sandboxing Tab inside the policy.
-
Enter the username and password entered in Installation Step 4.
-
Configure the IP address and Port to point to the Flask Application.
-
Open the Web Gateway Policy and import a new Rule Set from the Library.
-
Add the Advanced Threat Detection Rule Set or modify the existing ATD policy.
-
Configure the Policy to point to the Flask App and enter the username and password entered in Installation Step 4.
