Trellix

The integration with Trellix Helix is available as a runtime app as well as various Playbook Apps and Templates. With this Trellix Helix runtime app, ThreatConnect users are able to export indicators (addresses, hosts, email addresses, and files (MD5 & SHA1)) to Trellix Helix lists for alerting and detection. Indicators that no longer match the filter can be removed from Trellix automatically. With the Playbooks App and Templates, users are automatically able to:

• Deploy Indicators
• Remove Indicators

These apps can be found in the ThreatConnect App Catalog under the names: Trellix Helix.

With this Playbook app, you can automatically detonate, analyze, and submit files and URLs in FireEye from ThreatConnect to understand if they are malicious and return any contextualized telemetry. This all leads to more informed decision-making and more efficient remediation of malicious files through automation.

The following actions are available within the Playbook App:

• Get Report - Search by a Report ID to retrieve details based on the report.
• Submit File for Analysis - Submit a file for analysis.
• Submit URL for Analysis - Submit a URL for analysis.
• Get File Enrichment - Retrieve details about an analysis by its MD5 Hash ID.
• Get Artifacts - Retrieve artifacts from a report
• Advanced Request - Create a custom API request to the FireEye Detection on Demand API

This app can be found in the ThreatConnect App Catalog under the name: FireEye Detection on Demand 

With these Playbook templates, you can easily add or remove indicators to FireEye Helix from ThreatConnect.

These apps can be found in the THreatConnect App Catalog under the names: FireEye Helix Log Analytics - Deploy Indicators and FireEye Helix Log Analytics - Remove Indicators