
trellix-enterprise / mvision-edr-activity-feed

10.0 9.0 17.0 1.33 MB

A command line tool to consume and subscribe to DXL events from MVISION EDR

License: Apache License 2.0

Languages: Python 96.81%, Dockerfile 3.04%, Shell 0.15%
Topics: mvision-edr

mvision-edr-activity-feed's People

Contributors

camilastock, jmdacruz, leandropineda, msilvaca-trellix, nitianabhigyan, paguerre2, patrakshar


mvision-edr-activity-feed's Issues

Why is this not built-in to ESM?

Why do I have to run a docker image to forward threat events to ESM? Why doesn't the ESM have the capability to pull threat events directly from EDR?

How to grab additional host activity logs from MVISION EDR cloud portal

Hi there! I had posted this question on the Trellix community forums and was referred to here for an answer to my question. I am hoping that someone will be able to point me in the right direction here.

Right now we are grabbing MVISION EDR cloud logs using this mvision-edr-activity-feed script. The script is currently subscribed to case, case-mgmt-events, threat, and threatEvents. However, we are finding that the information in the events is missing some of the details we are looking for. For example, we might get a threat event that includes the name of the file or process detected as a threat, the location on disk of the file, as well as the hashes. However, we would also like to pull in specific information from the host that this file/process is running on.

For example, in our MVISION EDR cloud portal we see host information like what is highlighted in red here:

[Screenshot: Capture5]

We are interested in pulling out some of this information into the activity feed such as some of the DNS activity entries from the host.

Is there a way to modify the script to capture this information, or would we need to pull this information a different way? It wasn't clear to me what all of the different types of feeds are that can be pulled using the script or if this script will even allow us to grab the additional details we are wanting. Any advice on how to accomplish this is greatly appreciated! Thank you for your help!

Missing events and hostname

When pulling threat events, the tool is not receiving all events that I can see on the EDR monitoring dashboard, how can I achieve this?

Also, I currently do not receive the hostname in the threat event payload, is there a way that I can achieve this?

Pulling threat detections

Is there a way to pull EDR threat detections using this tool?
When testing, I only receive empty payloads

dxlstreamingclient install error

When I ran setup.py, I got the following error and could not setup.

Installed /usr/local/lib/python3.9/dist-packages/furl-2.0.0-py3.9.egg
Searching for dxlstreamingclient==0.1.2
Reading https://pypi.org/simple/dxlstreamingclient/
No local packages or working download links found for dxlstreamingclient==0.1.2
error: Could not find suitable distribution for Requirement.parse('dxlstreamingclient==0.1.2')

It can't seem to find the 0.1.2 module for dxlstreamingclient on the following site.
[Screenshot: 01]

Official domain changed

Hello,

I have got an official notification from Trellix, former McAfee, which the domain is changed from mcafee.com to trellix.com.
Could you confirm whether mvision-edr-activity-feed is affected by this change?

Trellix SNS [email protected]
Please bookmark the SNS Subscription Center, to securely update your SNS subscription preferences.
McAfee | SNS

Trellix and Skyhigh Security will change their company domains from mcafee.com to trellix.com. This change is planned for December 12, 2022.

After that date, to sign into the products, use the URL:

https://auth.ui.trellix.com

Please update your bookmarks. This will also impact signing in using your SSO or IDP and may require reconfiguration. For more information, see KB96089 - IAM domain name change from mcafee.com to trellix.com.
We will update the documentation with more information in the coming weeks. If you have any questions, contact Trellix Support.

Remove "samples" folder from package

We are currently adding the samples folder into the package, which results in the addition of a top-level samples module in Python when installing our module. This causes confusion, because the top-level package will always shadow the local samples folder. For example, if I modify one of the samples in the local folder (e.g., samples.individual) and then try to load the modified module, I'll still be using the previous version that is now installed in my Python module directory. Another example is adding a new local sample in the samples folder (e.g., samples/foobar.py) and then trying to load this module: this will fail because the global samples folder will override the local one, and the new file is not available in the global module (this happened to #40).
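The shadowing this issue describes, as an added example that is not part of the project's code: it builds two throwaway `samples` packages in a temporary directory (a constructed "installed" copy and a constructed "local" copy that additionally contains a `foobar` module), then imports `samples.individual` and `samples.foobar` with the two directories in either order on sys.path. The directory names, module contents and the `ORIGIN` tag are constructed for the demonstration only.

```python
"""Show how an installed top-level `samples` package shadows a local one."""
import importlib
import os
import sys
import tempfile
from typing import Dict, List, Optional


def make_samples_pkg(root: str, tag: str, extra_module: Optional[str] = None) -> str:
    """Create <root>/samples/ (a regular package) whose `individual` module reports `tag`.

    `extra_module` adds one more module that exists only in this copy, standing in
    for a new local sample such as samples/foobar.py. Returns `root` for sys.path use.
    """
    pkg = os.path.join(root, "samples")
    os.makedirs(pkg)
    open(os.path.join(pkg, "__init__.py"), "w").close()
    modules = ["individual"] + ([extra_module] if extra_module else [])
    for name in modules:
        with open(os.path.join(pkg, name + ".py"), "w") as fh:
            fh.write(f"ORIGIN = {tag!r}\n")  # constructed marker: which copy got imported
    return root


def _forget_samples() -> None:
    """Evict cached samples.* modules so the next import re-resolves via sys.path."""
    for name in [m for m in sys.modules if m == "samples" or m.startswith("samples.")]:
        del sys.modules[name]
    importlib.invalidate_caches()


def resolve(search_path: List[str], module: str) -> Optional[str]:
    """Import `module` with `search_path` placed ahead of the normal sys.path.

    Returns the ORIGIN tag of the copy that won, or None when the import fails
    (the module was not found in the package that sys.path resolved first).
    """
    saved = sys.path[:]
    _forget_samples()
    sys.path[:] = list(search_path) + saved
    try:
        return importlib.import_module(module).ORIGIN
    except ModuleNotFoundError:
        return None
    finally:
        sys.path[:] = saved
        _forget_samples()


def demo() -> Dict[str, Optional[str]]:
    """Build a constructed 'installed' copy and a constructed 'local' copy and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        site = make_samples_pkg(os.path.join(tmp, "site-packages"), "installed")
        repo = make_samples_pkg(os.path.join(tmp, "repo"), "local", extra_module="foobar")
        # Installed copy ahead of the checkout: edits to the local
        # samples/individual.py are ignored and the new local samples/foobar.py
        # cannot be imported at all, because `samples` is a regular package and
        # only the first copy found on sys.path contributes submodules.
        return {
            "individual_installed_first": resolve([site, repo], "samples.individual"),
            "foobar_installed_first": resolve([site, repo], "samples.foobar"),
            # Checkout ahead of the installed copy: the local files win.
            "individual_local_first": resolve([repo, site], "samples.individual"),
            "foobar_local_first": resolve([repo, site], "samples.foobar"),
        }


if __name__ == "__main__":
    for case, origin in demo().items():
        print(f"{case}: {origin}")
```

The "installed first" ordering is what an egg-style `setup.py install` typically produces, since the easy-install .pth file inserts egg directories ahead of the current directory on sys.path. The packaging fix the issue asks for is to stop shipping the folder at all, for example with setuptools' `find_packages(exclude=["samples", "samples.*"])` in setup.py, so that there is only ever one `samples` package to import.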
