Trellix (McAfee) ENS Integration
Overview
Trellix Endpoint Security (formerly McAfee ENS) provides threat prevention, firewall, and web control for endpoints. KYRA MDR collects Trellix events via the ePO syslog integration for centralized security monitoring. Supports Trellix ENS 10.7+ and ePO 5.10+.
Prerequisites
- A KYRA MDR Collector installed and running
- Trellix ePolicy Orchestrator (ePO) server access
- Registered Server configuration permissions in ePO
- Network connectivity from ePO to the collector on port 514
Configuration
Configure syslog forwarding in Trellix ePO:
- Log in to the ePO Console
- Navigate to Configuration > Registered Servers
- Click New Server and select Syslog Server
- Configure:
  Server Name: KYRA-MDR
  Server Type: Syslog
  Host: <collector-ip>
  Port: 514
  Protocol: TCP
  Format: Common Event Format (CEF)
- Navigate to Automation > Automatic Responses
- Create a response rule that sends events to the KYRA-MDR syslog server
- Select event types: Threat Events, Compliance Events, and System Events
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Threat Prevention | Malware detections and blocks | Endpoint malware defense |
| Firewall | Endpoint firewall events | Host-based network control |
| Web Control | URL access and block events | Web security enforcement |
| Adaptive Threat | ATP behavioral detections | Advanced threat defense |
| Access Protection | File and registry protection | Host integrity monitoring |
| DLP | Data loss prevention events | Sensitive data protection |
Troubleshooting
No events in syslog: Verify the Automatic Response rule is enabled and configured to send events to the registered syslog server, and that the ePO server can reach the collector on TCP port 514.
CEF formatting issues: Ensure the syslog format is set to CEF in the registered server configuration.
High volume: Use event filters in the Automatic Response rule to send only security-relevant events.
Contact kyra@seekerslab.com for support.
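The syslog feed configured above arrives as CEF lines. What follows is an added example, not KYRA or Trellix code, of how a collector-side consumer could parse such lines, reject malformed ones (the "CEF formatting issues" case), bucket them into the log types listed in the table, and apply a severity floor as a volume filter like the one the "High volume" entry suggests. The sample lines, the vendor and product strings, the signature IDs, the extension keys and the product-name-to-log-type mapping are all constructed assumptions; confirm the real field layout against events actually received from your ePO before relying on any of them.

```python
"""Parse and sanity-check CEF syslog lines as a collector might receive them
from ePO. Added example; not part of the KYRA or Trellix software. The sample
lines and their field values are constructed for illustration, not captured
from a real Trellix ENS deployment."""
import re
from dataclasses import dataclass, field

# CEF header layout (ArcSight CEF standard):
# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = 7


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    signature_id: str
    name: str
    severity: int
    extension: dict = field(default_factory=dict)


def _split_header(body):
    """Split the text after 'CEF:' on unescaped '|' into the 7 header fields
    and return them together with the remaining extension string."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < HEADER_FIELDS:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # '\|' or '\\' inside a header field
            buf.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    return fields, body[i:]


def _parse_extension(ext):
    """The extension is 'key=value key=value'. Values may contain spaces and
    escaped '\\=', so locate the keys first and take the text between them."""
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")
    return out


def parse_cef(line):
    """Parse one syslog payload; raise ValueError with a reason if it is malformed."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no 'CEF:' prefix; check the registered server Format setting")
    fields, ext = _split_header(line[idx + 4:])
    if len(fields) != HEADER_FIELDS:
        raise ValueError(f"expected {HEADER_FIELDS} header fields, got {len(fields)}")
    if not fields[6].strip().isdigit():
        raise ValueError(f"severity {fields[6]!r} is not an integer")
    return CefEvent(*fields[:6], int(fields[6]), _parse_extension(ext))


# Product-name substrings mapped to the log types in the table above.
# Assumed for the constructed samples; confirm against the real feed.
LOG_TYPE_BY_PRODUCT = {
    "Threat Prevention": "Threat Prevention",
    "Firewall": "Firewall",
    "Web Control": "Web Control",
    "Adaptive Threat": "Adaptive Threat",
    "Access Protection": "Access Protection",
}


def log_type(ev):
    for needle, lt in LOG_TYPE_BY_PRODUCT.items():
        if needle in ev.product:
            return lt
    return "Unknown"


def security_relevant(ev, min_severity=5):
    """Volume filter in the spirit of an Automatic Response event filter:
    keep events at or above a severity floor (the floor value is an assumption)."""
    return ev.severity >= min_severity


SAMPLE_LINES = [  # constructed; not captured from a real ePO
    "<14>Mar 01 12:00:00 epo01 CEF:0|Trellix|Endpoint Security Threat Prevention|10.7|1027|Malware detected|8|src=10.0.0.5 shost=WS-001 fname=C:\\\\Users\\\\a\\\\evil.exe act=Deleted",
    "<14>Mar 01 12:00:01 epo01 CEF:0|Trellix|Endpoint Security Firewall|10.7|35000|Connection blocked|4|src=10.0.0.5 dst=203.0.113.9 dpt=445 proto=TCP",
    "<14>Mar 01 12:00:02 epo01 syslog text without a CEF payload",
]


def triage(lines):
    """Return (events grouped by log type, list of (line, error) for rejects)."""
    by_type, errors = {}, []
    for ln in lines:
        try:
            ev = parse_cef(ln)
        except ValueError as e:
            errors.append((ln, str(e)))
            continue
        by_type.setdefault(log_type(ev), []).append(ev)
    return by_type, errors


if __name__ == "__main__":
    groups, errs = triage(SAMPLE_LINES)
    for lt, evs in groups.items():
        print(lt, [(e.name, e.severity, e.extension.get("src")) for e in evs])
    for ln, err in errs:
        print("REJECTED:", err)
```

Rejected lines carry the reason, so a collector log showing "no 'CEF:' prefix" for every line points straight at the Format setting on the registered server, while "expected 7 header fields" points at a product writing a non-standard header.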