What Changed

Microsoft introduced a new Trellix solution providing comprehensive endpoint security visibility through the Codeless Connector Framework (CCF). The solution includes a CCF-based data connector and normalizing parser for ingesting security events from Trellix ePO (ePolicy Orchestrator).

Data Source

  • Product: Trellix Endpoint Security via ePO (ePolicy Orchestrator)
  • API Endpoint: /epo/v2/events with OAuth2 client credentials authentication
  • Data Volume: Configurable pagination with 1000-event pages, 30-minute query windows

Ingestion Mechanism

  • Framework: CCF (Codeless Connector Framework) with DCR-based ingestion
  • Authentication: OAuth2 client credentials with API key header authentication
  • Target Table: TrellixEvents_CL (custom logs) and SentinelTrellixEvents (normalized)
  • Rate Limiting: 3 queries per second with automatic pagination handling

Detection Surface Unlocked

The connector ingests comprehensive endpoint security telemetry including:

  • Threat Intelligence: Threat category, severity, type, and response actions
  • Endpoint Context: Agent details, analyzer versions, and detection methods
  • Network Artifacts: Source/target IP addresses (IPv4/IPv6), hostnames, MAC addresses, protocols, and ports
  • Process Artifacts: Process names, file paths, and file hashes
  • User Context: Source and target usernames for attribution
  • Temporal Data: Detection timestamps, receipt times, and event correlation IDs

Security Impact

This solution addresses an endpoint visibility gap by providing:

  • Malware Detection Events: Real-time threat detection and response status
  • Lateral Movement Tracking: Network communications between endpoints via source/target mapping
  • Process Monitoring: Executable analysis and behavioral detection coverage
  • Threat Response Validation: Confirmation of security actions taken by Trellix agents

The normalized parser (TrellixEvents) creates a unified view across both the legacy (TrellixEvents_CL) and the current (SentinelTrellixEvents) table schemas, so existing detections keep working while data migrates from one table to the other.
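The union pattern such a parser relies on, as an added KQL illustration that is not the solution's own TrellixEvents.yaml. All column names (ThreatCategory_s, SourceIPV4_s, DetectedUTC, etc.) are assumed for the example; the legacy custom-log table is assumed to carry the classic `_s` suffixes and the current table plain names, so check both schemas before using it in a detection:

```kusto
// Added example, not the solution's parser. Column names are assumed.
// isfuzzy=true keeps the query valid when one of the two tables does not yet
// (or no longer) exist in the workspace, which is exactly the migration window.
let LegacyTrellix = union isfuzzy=true TrellixEvents_CL
    | project
        TimeGenerated,
        DetectedTime      = todatetime(DetectedUTC_s),      // assumed column
        ThreatCategory    = ThreatCategory_s,               // assumed column
        ThreatSeverity    = toint(ThreatSeverity_s),        // assumed column
        ThreatActionTaken = ThreatActionTaken_s,            // assumed column
        SourceHostName    = SourceHostName_s,               // assumed column
        TargetHostName    = TargetHostName_s,               // assumed column
        SourceIPv4        = SourceIPV4_s,                   // assumed column
        TargetIPv4        = TargetIPV4_s,                   // assumed column
        SourceUserName    = SourceUserName_s,               // assumed column
        TargetUserName    = TargetUserName_s,               // assumed column
        TargetProcessName = TargetProcessName_s,            // assumed column
        TargetHash        = TargetHash_s,                   // assumed column
        SchemaSource      = "legacy";
let CurrentTrellix = union isfuzzy=true SentinelTrellixEvents
    | project
        TimeGenerated,
        DetectedTime      = DetectedUTC,                    // assumed column
        ThreatCategory, ThreatSeverity, ThreatActionTaken,  // assumed columns
        SourceHostName, TargetHostName, SourceIPv4, TargetIPv4,
        SourceUserName, TargetUserName, TargetProcessName, TargetHash,
        SchemaSource      = "current";
// The normalized view: detections query this, never the raw tables.
let TrellixEvents_Example = union isfuzzy=true LegacyTrellix, CurrentTrellix;
// Example consumer: detections surfaced by the ePO agent that were NOT
// remediated, grouped by the source/target host pair so cross-endpoint
// activity is visible regardless of which table the event landed in.
TrellixEvents_Example
| where DetectedTime > ago(24h)
| where ThreatSeverity <= 2                      // assumed: lower value = more severe
| where ThreatActionTaken !in ("deleted", "quarantined", "blocked")
| summarize Detections = count(),
            Threats    = make_set(ThreatCategory, 10),
            Hashes     = make_set(TargetHash, 10),
            Sources    = make_set(SchemaSource)
    by SourceHostName, TargetHostName, SourceIPv4, TargetIPv4, TargetUserName
| where Detections > 1
| order by Detections desc
```

The `SchemaSource` column is only there so an analyst can see, during the migration, which table each event came from; drop it once the cut-over is complete.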

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/SentinelTrellixEvents.json
.script/tests/KqlvalidationsTests/CustomTables/TrellixEvents_CL.json
Solutions/Trellix/Data Connectors/Trellix_CCF/TrellixEvents_Table.json
Solutions/Trellix/Data Connectors/Trellix_CCF/Trellix_DCR.json
Solutions/Trellix/Data Connectors/Trellix_CCF/Trellix_DataConnectorDefinition.json
Solutions/Trellix/Data Connectors/Trellix_CCF/Trellix_PollingConfig.json
Solutions/Trellix/Package/testParameters.json
Solutions/Trellix/Parsers/TrellixEvents.yaml
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Trellix.json, createUiDefinition.json, mainTemplate.json)