Configure Trellix Endpoint Security (ENS) for the EDR connector (edr_trellix_ens). ENS uses OAuth 2.0 client credentials plus a tenant-scoped API key, accessed through ePolicy Orchestrator (ePO). Create client credentials in the Trellix console, grant the required scopes when you create the credential, and supply your tenant ID and API key.
For tenants running Trellix EDR (not ENS), use the Trellix EDR Provider Configuration Guide instead.
This integration supports four operations, gated by two scopes:
| Scope | Operations |
|---|---|
| epo.device.r | query_endpoints, get_endpoint |
| epo.evt.r | query_threatevents, query_edr_events |
epo.evt.r is a single scope — it is required for both threat events and EDR events. Grant it once to enable both operations.
Alerts, remediation, and realtime search are not supported for ENS. Do not use Trellix EDR scopes (soc.*) for this provider.
API access depends on both your Trellix license entitlements and the OAuth scopes on the client credential. Scopes alone do not unlock operations your tenant is not licensed for.
| License / product area | Operations available | Related scope(s) |
|---|---|---|
| EPO (endpoint management) | Query and retrieve managed endpoints | epo.device.r |
| Trellix ENS | Query threat events and EDR events | epo.evt.r |
Endpoint operations require EPO. Threat and EDR event queries require Trellix ENS. Without the matching license, the related scopes may be unavailable in Client Credentials, and API calls for those operations return not authorized even if a scope is granted.
Log in to your Trellix tenant console.
After logging in, click the down arrow in the top right corner and select Client Credentials.
- Click Add
- Give the credential a name and description
- Select all required scopes listed in section 2 — scope selection is configured at credential creation
- Save the generated Client ID and Client Secret
Grant all scopes in the table below on the client credential. Each scope maps to operations described in Supported operations and Prerequisites. Trellix checks license entitlements and scopes on every API call — missing either one causes that operation to be rejected as not authorized.
In Client Credentials, Trellix groups scopes by product area:
| Trellix console category | Scope(s) |
|---|---|
| Devices | epo.device.r |
| EDR Events | epo.evt.r (threat events and EDR events) |
| Scope | Required for | Without this scope |
|---|---|---|
| epo.device.r | query_endpoints; get_endpoint | Cannot list or retrieve endpoints; Trellix returns not authorized. |
| epo.evt.r | query_threatevents and query_edr_events | Cannot query threat events or EDR events; Trellix returns not authorized. |
Event queries use epo.evt.r under EDR Events in Client Credentials — not Trellix EDR soc.* scopes.
Client ID: OAuth client ID from Client Credentials.
Client Secret: OAuth client secret from Client Credentials.
Tenant ID: Trellix tenant GUID for the customer tenancy. Click Tenant Settings for the Tenant Key.
API Key: Tenant-scoped Trellix API key.
Trellix API requests also send X-Tenant-Id, x-api-key, and a bearer token from https://iam.cloud.trellix.com/iam/v1.0/token.
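The scope tables and the request headers above can be checked before the connector is enabled. The following is an added example, not Trellix or connector code: `preflight` and `build_headers` are hypothetical helper names, the scope string is assumed to be space-delimited as in standard OAuth 2.0, the bearer token is assumed to travel in the standard `Authorization: Bearer` header, and `soc.example.r` is a constructed placeholder scope.

```python
import uuid

# Scope -> operations, taken from the tables on this page.
SCOPE_OPERATIONS = {
    "epo.device.r": ("query_endpoints", "get_endpoint"),
    "epo.evt.r": ("query_threatevents", "query_edr_events"),
}


def preflight(granted_scopes: str) -> dict:
    """Report enabled and blocked operations for a space-delimited scope string."""
    granted = set(granted_scopes.split())
    enabled, blocked = [], {}
    for scope, operations in SCOPE_OPERATIONS.items():
        for op in operations:
            if scope in granted:
                enabled.append(op)
            else:
                blocked[op] = scope  # operation -> scope that must be added
    # soc.* scopes belong to Trellix EDR, not ENS: flag them as misconfiguration.
    wrong_provider = sorted(s for s in granted if s.startswith("soc."))
    # Any other scope is not needed by this connector (least privilege).
    extra = sorted(granted - set(SCOPE_OPERATIONS) - set(wrong_provider))
    return {"enabled": enabled, "blocked": blocked,
            "wrong_provider": wrong_provider, "extra": extra}


def build_headers(tenant_id: str, api_key: str, access_token: str) -> dict:
    """Build the three per-request credentials named on this page."""
    uuid.UUID(tenant_id)  # raises ValueError if the tenant ID is not a GUID
    if not api_key or not access_token:
        raise ValueError("API key and bearer token are both required")
    return {
        "X-Tenant-Id": tenant_id,
        "x-api-key": api_key,
        "Authorization": f"Bearer {access_token}",  # assumed standard bearer header
    }


if __name__ == "__main__":
    # Constructed sample: event scope missing, one soc.* scope granted by mistake.
    report = preflight("epo.device.r soc.example.r")
    for key, value in report.items():
        print(f"{key}: {value}")
```

A clean result here only covers scopes; an operation can still be rejected as not authorized when the tenant lacks the matching license.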