{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-guides/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"type":"markdown"},"seo":{"title":"Trellix ENS EDR Provider Configuration Guide","siteUrl":"https://docs.synqly.com","lang":"en-US","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Configure Trellix Endpoint Security (ENS) for the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/connectors/edr/overview"},"children":["EDR connector"]}," (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["edr_trellix_ens"]},"). ENS uses OAuth 2.0 client credentials plus a tenant-scoped API key, accessed through ePolicy Orchestrator (ePO). Create client credentials in the Trellix console, grant the required scopes when you create the credential, and supply your tenant ID and API key."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For tenants running ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Trellix EDR"]}," (not ENS), use the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/provider-configuration/trellix-edr-setup"},"children":["Trellix EDR Provider Configuration Guide"]}," instead."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"supported-operations","__idx":0},"children":["Supported operations"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This integration supports four operations, gated by two scopes:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Scope"},"children":["Scope"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Operations"},"children":["Operations"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["epo.device.r"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_endpoints"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["get_endpoint"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["epo.evt.r"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_threatevents"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_edr_events"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["epo.evt.r"]}," is a single scope — it is required for ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["both"]}," threat events and EDR events. Grant it once to enable both operations."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Alerts, remediation, and realtime search are not supported for ENS. Do not use Trellix EDR scopes (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["soc.*"]},") for this provider."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"prerequisites","__idx":1},"children":["Prerequisites"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["API access depends on ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["both"]}," your Trellix license entitlements and the OAuth scopes on the client credential. Scopes alone do not unlock operations your tenant is not licensed for."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"License / product area"},"children":["License / product area"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Operations available"},"children":["Operations available"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Related scope(s)"},"children":["Related scope(s)"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["EPO"]}," (endpoint management)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Query and retrieve managed endpoints"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["epo.device.r"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Trellix ENS"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Query threat events and EDR events"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["epo.evt.r"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Endpoint operations require ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["EPO"]},". Threat and EDR event queries require ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Trellix ENS"]},". Without the matching license, the related scopes may be unavailable in Client Credentials, and API calls for those operations return not authorized even if a scope is granted."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"1-create-client-credentials","__idx":2},"children":["1. Create client credentials"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"step-1-log-in-to-the-trellix-tenant","__idx":3},"children":["Step 1: Log in to the Trellix tenant"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Log in to your Trellix tenant console."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"step-2-open-client-credentials","__idx":4},"children":["Step 2: Open Client Credentials"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After log in, click the down arrow in the top right corner and select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client Credentials"]},"."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"step-3-add-a-new-credential","__idx":5},"children":["Step 3: Add a new credential"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Give the credential a name and description"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["all"]}," required scopes listed in ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"#2-add-scopes"},"children":["section 2"]}," — scope selection is configured at credential creation"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Save the generated ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client ID"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client Secret"]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"2-add-scopes","__idx":6},"children":["2. Add scopes"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Grant ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["all"]}," scopes in the table below on the client credential. Each scope maps to operations described in ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"#supported-operations"},"children":["Supported operations"]}," and ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"#prerequisites"},"children":["Prerequisites"]},". Trellix checks license entitlements and scopes on every API call — missing either one causes that operation to be rejected as ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["not authorized"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client Credentials"]},", Trellix groups scopes by product area:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Trellix console category"},"children":["Trellix console category"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Scope(s)"},"children":["Scope(s)"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Devices"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["epo.device.r"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["EDR Events"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["epo.evt.r"]}," (threat events and EDR events)"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"required-scopes","__idx":7},"children":["Required scopes"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Scope"},"children":["Scope"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Required for"},"children":["Required for"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Without this scope"},"children":["Without this scope"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["epo.device.r"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_endpoints"]},"; ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["get_endpoint"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Cannot list or retrieve endpoints; Trellix returns not authorized."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["epo.evt.r"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_threatevents"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_edr_events"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Cannot query threat events or EDR events; Trellix returns not authorized."]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Event queries use ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["epo.evt.r"]}," under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["EDR Events"]}," in Client Credentials — not Trellix EDR ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["soc.*"]}," scopes."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"3-configure-the-integration","__idx":8},"children":["3. Configure the integration"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client ID"]},": OAuth client ID from Client Credentials."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client Secret"]},": OAuth client secret from Client Credentials."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Tenant ID"]},": Trellix tenant GUID for the customer tenancy. Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Tenant Settings"]}," for the Tenant Key."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["API Key"]},": Tenant-scoped Trellix API key."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Trellix API requests also send ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["X-Tenant-Id"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["x-api-key"]},", and a bearer token from ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["https://iam.cloud.trellix.com/iam/v1.0/token"]},"."]}]},"headings":[{"value":"Supported operations","id":"supported-operations","depth":2},{"value":"Prerequisites","id":"prerequisites","depth":2},{"value":"1. Create client credentials","id":"1-create-client-credentials","depth":2},{"value":"Step 1: Log in to the Trellix tenant","id":"step-1-log-in-to-the-trellix-tenant","depth":3},{"value":"Step 2: Open Client Credentials","id":"step-2-open-client-credentials","depth":3},{"value":"Step 3: Add a new credential","id":"step-3-add-a-new-credential","depth":3},{"value":"2. Add scopes","id":"2-add-scopes","depth":2},{"value":"Required scopes","id":"required-scopes","depth":3},{"value":"3. Configure the integration","id":"3-configure-the-integration","depth":2}],"frontmatter":{"slug":"guides/provider-configuration/trellix-ens-edr-setup","seo":{"title":"Trellix ENS EDR Provider Configuration Guide"}},"lastModified":"2026-06-17T23:59:06.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/provider-configuration/trellix-ens-edr-setup","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}