Trellix mVision ePO (apps) (#5794)

amee-sumo · jpipkin1 · web-flow · commit 6b0115fdad6c · 2025-09-15T17:04:08.000Z
* Trellix mVision ePO (apps)

* Update trellix-mvision-epo.md

* Update trellix-mvision-epo.md

* Update blog-service/2025-09-15-apps.md

Co-authored-by: John Pipkin (Sumo Logic) &lt;jpipkin@sumologic.com&gt;

* Update docs/integrations/saas-cloud/trellix-mvision-epo.md

Co-authored-by: John Pipkin (Sumo Logic) &lt;jpipkin@sumologic.com&gt;

* Update trellix-mvision-epo.md

---------

Co-authored-by: John Pipkin (Sumo Logic) &lt;jpipkin@sumologic.com&gt;
diff --git a/blog-service/2025-09-15-apps.md b/blog-service/2025-09-15-apps.md
@@ -0,0 +1,12 @@
+---
+title: Trellix mVision ePO (Apps)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - apps
+  - trellix-mvision-epo
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to introduce the new Trellix mVision ePO app for Sumo Logic. This app offers a centralized view of malicious activity, risky endpoints, and unusual network behavior by collecting events logs from the Trellix mVision ePO platform and sending them to Sumo Logic for analysis. [Learn more](/docs/integrations/saas-cloud/trellix-mvision-epo).
diff --git a/cid-redirects.json b/cid-redirects.json
@@ -2930,6 +2930,7 @@
   "/cid/1105": "/docs/integrations/cloud-security-monitoring-analytics/aws-security-hub-ocsf",
   "/cid/1106": "/docs/integrations/sumo-apps/opentelemetry-collector-insights",
   "/cid/1107": "/docs/integrations/saas-cloud/aws-iam-users",
+  "/cid/1108": "/docs/integrations/saas-cloud/trellix-mvision-epo",
   "/Cloud_SIEM_Enterprise": "/docs/cse",
   "/Cloud_SIEM_Enterprise/Administration": "/docs/cse/administration",
   "/Cloud_SIEM_Enterprise/Administration/Cloud_SIEM_Enterprise_Feature_Update_(2022)": "/docs/cse/administration",
diff --git a/docs/integrations/product-list/product-list-m-z.md b/docs/integrations/product-list/product-list-m-z.md
@@ -186,7 +186,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
 | <img src={useBaseUrl('img/integrations/misc/threater-logo.png')} alt="Thumbnail icon" width="75"/> | [Threater](https://www.threater.com/) | Cloud SIEM integration: [Bandura](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/ec354a4c-a761-4e18-8ceb-194d6e8692e2.md) |
 | <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/threatminer.png')} alt="Thumbnail icon" width="125"/> | [ThreatMiner](https://www.threatminer.org/) | Automation integration: [ThreatMiner](/docs/platform-services/automation-service/app-central/integrations/threatminer/) |
 | <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/threatq.png')} alt="Thumbnail icon" width="75"/> | [ThreatQ](https://www.threatq.com/) | Automation integration: [ThreatQ](/docs/platform-services/automation-service/app-central/integrations/threatq/) |
-|  <img src={useBaseUrl('img/send-data/trellix-logo.png')} alt="Thumbnail icon" width="75"/>   | [Trellix](https://www.trellix.com/en-us/index.html)  | Automation integrations: <br/>- [FireEye AX](/docs/platform-services/automation-service/app-central/integrations/fireeye-ax/) <br/>- [FireEye Central Management (CM)](/docs/platform-services/automation-service/app-central/integrations/fireeye-central-management-cm/) <br/>- [FireEye Email Security (EX)](/docs/platform-services/automation-service/app-central/integrations/fireeye-email-security-ex/) <br/>- [FireEye Endpoint Security (HX)](/docs/platform-services/automation-service/app-central/integrations/fireeye-endpoint-security-hx/) <br/>- [FireEye Helix](/docs/platform-services/automation-service/app-central/integrations/fireeye-helix/) <br/>- [FireEye Network Security (NX)](/docs/platform-services/automation-service/app-central/integrations/fireeye-network-security-nx/) <br/>Cloud SIEM integrations: <br/>- [FireEye](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/1430ab5c-7b8b-44e9-a8ec-83076fa374eb.md) <br/>- [Trellix](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/9bec8407-4182-46ec-99dd-2adfade15652.md) <br/>Collector: [Trellix mVision ePO Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trellix-mvisio-epo-source/)	 |
+| <img src={useBaseUrl('img/send-data/trellix-logo.png')} alt="Thumbnail icon" width="75"/> | [Trellix](https://www.trellix.com/en-us/index.html)  | App: [Trellix mVision ePO](/docs/integrations/saas-cloud/trellix-mvision-epo) <br/>Automation integrations: <br/>- [FireEye AX](/docs/platform-services/automation-service/app-central/integrations/fireeye-ax/) <br/>- [FireEye Central Management (CM)](/docs/platform-services/automation-service/app-central/integrations/fireeye-central-management-cm/) <br/>- [FireEye Email Security (EX)](/docs/platform-services/automation-service/app-central/integrations/fireeye-email-security-ex/) <br/>- [FireEye Endpoint Security (HX)](/docs/platform-services/automation-service/app-central/integrations/fireeye-endpoint-security-hx/) <br/>- [FireEye Helix](/docs/platform-services/automation-service/app-central/integrations/fireeye-helix/) <br/>- [FireEye Network Security (NX)](/docs/platform-services/automation-service/app-central/integrations/fireeye-network-security-nx/) <br/>Cloud SIEM integrations: <br/>- [FireEye](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/1430ab5c-7b8b-44e9-a8ec-83076fa374eb.md) <br/>- [Trellix](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/9bec8407-4182-46ec-99dd-2adfade15652.md) <br/>Collector: [Trellix mVision ePO Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trellix-mvisio-epo-source/)	 |
 |  <img src={useBaseUrl('https://upload.wikimedia.org/wikipedia/commons/f/f4/Trend_Micro_logo.svg')} alt="Thumbnail icon" width="75"/>   |  [Trend Micro](https://www.trendmicro.com/en_us/business.html) | Apps: <br/>- [Trend Micro Deep Security](/docs/integrations/security-threat-detection/trend-micro-deep-security/) <br/>- [Trend Micro Vision One](/docs/integrations/saas-cloud/trend-micro-vision-one/) <br/>Automation integrations: <br/>- [Trend Micro Deep Security](/docs/platform-services/automation-service/app-central/integrations/trend-micro-deep-security/) <br/>- [Trend Micro Vision One](/docs/platform-services/automation-service/app-central/integrations/trend-micro-vision-one/) <br/>Cloud SIEM integration: [Trend Micro](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/8af48b83-18bf-4233-ad51-db37baca0313.md) <br/>Collector: [Trend Micro Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source)|
 | <img src={useBaseUrl('img/integrations/webhooks/neoload-logo.png')} alt="Thumbnail icon" width="75"/> | [Tricentis](https://www.tricentis.com/) | Webhook: [NeoLoad](/docs/integrations/webhooks/neoload/) |
 | <img src={useBaseUrl('img/send-data/trust-login-icon.png')} alt="Thumbnail icon" width="50"/> | [Trust Login](https://trustlogin.com/en/) | App: [Trust Login](/docs/integrations/saas-cloud/trust-login) <br/> Cloud SIEM integration: [Trust Login](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/78eae2f3-199e-48ca-aaf6-53f6a19e854a.md) <br/>Collector: [Trust Login Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trust-login-source) |
diff --git a/docs/integrations/saas-cloud/index.md b/docs/integrations/saas-cloud/index.md
@@ -411,6 +411,12 @@ Learn about the Sumo Logic apps for SaaS and Cloud applications.
   <p>Gain comprehensive visibility and actionable insights into your organization's security posture.</p>
   </div>
 </div>
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/integrations/saas-cloud/trellix-mvision-epo"><img src={useBaseUrl('img/send-data/trellix-logo.png')} alt="icon" width="100"/><h4>Trellix mVision ePO</h4></a>
+  <p>Detect, analyze, and respond faster to threats with Trellix mVision ePO for Sumo Logic.</p>
+  </div>
+</div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/integrations/saas-cloud/trend-micro-vision-one"><img src={useBaseUrl('img/send-data/trend-micro-vision-one.png')} alt="icon" width="140"/><h4>Trend Micro Vision One</h4></a>
diff --git a/docs/integrations/saas-cloud/trellix-mvision-epo.md b/docs/integrations/saas-cloud/trellix-mvision-epo.md
@@ -0,0 +1,175 @@
+---
+id: trellix-mvision-epo
+title: Trellix mVision ePO
+sidebar_label: Trellix mVision ePO
+description: The Trellix mVision ePO app for Sumo Logic enables security analysts to detect, analyze, and respond to threats to reduce false negatives, accelerate investigations, and strengthen endpoint protection.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<img src={useBaseUrl('img/send-data/trellix-logo.png')} alt="Trust-Login-icon" width="90" />
+
+The Sumo Logic app for Trellix mVision ePO provides centralized visibility into endpoint threats, enabling security teams to detect, analyze, and respond to risks across their environment. It aggregates data on detections, remediation failures, severity, and suspicious behaviors to highlight high-priority incidents and defense gaps.
+
+By analyzing threat categories, attack types, geolocation, and detection methods, the app reveals patterns of malicious activity, risky endpoints, and unusual network behavior. Features such as C2 callback detection, embargoed region activity, file quarantines, and user-targeted attacks offer actionable insights into threat propagation and impacted assets.
+
+With comprehensive summaries, trend analysis, geographical mapping, and device-level detail, the app helps organizations prioritize threats, reduce false negatives, accelerate investigations, and strengthen endpoint protection.
+
+:::info
+This app includes [built-in monitors](#trellix-mvision-epo-alerts). For details on creating custom monitors, refer to [Create monitors for Trellix mVision ePO app](#create-monitors-for-the-trellix-mvision-epo-app).
+:::
+
+## Log types
+
+This app uses Sumo Logic’s [Trellix mVision ePO Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trellix-mvisio-epo-source/) to collect event logs from the Trellix mVision ePO platform.
+
+## Sample log message
+
+<details>
+<summary>Event Log</summary>
+
+```json
+{
+           "id": "b311da30-82ef-40ae-a1c7-74h6s4",
+           "type": "MVEvents",
+           "links": {
+               "self": "/epo/v2/events/b311da30-82ef-40ae-a1c7-74h6s4"
+           },
+           "attributes": {
+               "timestamp": "2023-06-09T16:40:49.510Z",
+               "autoguid": "b04478e5-424c-44b0-ba78-f5e27dff4b3c",
+               "detectedutc": "1686285700000",
+               "receivedutc": "1686328849509",
+               "agentguid": "a8c0a97d-f57c-43fc-b611-92499cb40846",
+               "analyzer": "ENDP_AM_1070",
+               "analyzername": "Trellix Endpoint Security",
+               "analyzerversion": "10.7.0.5786",
+               "analyzerhostname": "DESKTOP",
+               "analyzeripv4": "172.20.10.2",
+               "analyzeripv6": "/0:0:0:0:0:ffff:ac14:a02",
+               "analyzermac": "a87eeabc2b1d",
+               "analyzerdatversion": "5186.0",
+               "analyzerengineversion": "6600.9927",
+               "analyzerdetectionmethod": "On-Access Scan",
+               "sourcehostname": null,
+               "sourceipv4": "172.20.10.2",
+               "sourceipv6": "/0:0:0:0:0:ffff:ac14:a02",
+               "sourcemac": null,
+               "sourceusername": null,
+               "sourceprocessname": "C:\\Windows\\explorer.exe",
+               "sourceurl": null,
+               "targethostname": null,
+               "targetipv4": "172.20.10.2",
+               "targetipv6": "/0:0:0:0:0:ffff:ac14:a02",
+               "targetmac": null,
+               "targetusername": "DESKTOP\\Sumo",
+               "targetport": null,
+               "targetprotocol": null,
+               "targetprocessname": null,
+               "targetfilename": "C:\\Users\\Sumo\\AppData\\Local\\Temp\\Temp1_7ev3n.zip\\Endermanch@7ev3n.exe",
+               "threatcategory": "av.detect",
+               "threateventid": 1027,
+               "threatseverity": "2",
+               "threatname": "Ransomware-HIZ!9F8BC96C96D4",
+               "threattype": "trojan",
+               "threatactiontaken": "IDS_ALERT_ACT_TAK_DEL",
+               "threathandled": true,
+               "nodepath": "1\\1048078\\1116857",
+               "targethash": "9f8bc96c96d43ecb69f883388d228754",
+               "sourceprocesshash": null,
+               "sourceprocesssigned": null,
+               "sourceprocesssigner": null,
+               "sourcefilepath": null
+           }
+       }
+```
+</details>
+
+## Sample queries
+
+```sql title="Total Threat Detections"
+_sourceCategory="Trellix-mVision-ePO"
+| json "id", "attributes.threathandled", "attributes.threatseverity", "attributes.threattype", "attributes.threatcategory", "attributes.analyzerdetectionmethod", "attributes.targethostname", "attributes.threatname", "attributes.analyzeripv4", "attributes.timestamp", "attributes.sourcehostname", "attributes.sourceusername", "attributes.sourceprocessname", "attributes.targetprocessname", "attributes.threatactiontaken", "attributes.targetfilename", "attributes.targethash", "attributes.sourceipv4", "attributes.targetipv4", "attributes.targetport", "attributes.targetprotocol", "attributes.sourceurl", "attributes.targetusername", "attributes.targetipv6" as id, threat_handled, threat_severity, threat_type, threat_category, analyzer_detection_method, target_hostname, threat_name, analyzer_ipv4, timestamp, source_hostname, source_username, source_processname, target_processname, threat_action_taken, target_filename, target_hash, source_ipv4, target_ipv4, target_port, target_protocol, source_url, target_username, target_ipv6 nodrop
+
+| if ((threat_severity matches "1"), "Low", threat_severity) as threat_severity
+| if ((threat_severity matches "2" or threat_severity matches "3"), "Medium", threat_severity) as threat_severity
+| if ((threat_severity matches "4"), "High", threat_severity) as threat_severity
+
+| where threat_severity matches "{{threat_severity}}"
+| where threat_name matches "{{threat_name}}"
+| where threat_category matches "{{threat_category}}"
+| where threat_type matches "{{threat_type}}"
+
+| count by id
+| count
+```
+
+## Collection configuration and app installation
+
+import CollectionConfiguration from '../../reuse/apps/collection-configuration.md';
+
+<CollectionConfiguration/>
+
+:::important
+Use the [Cloud-to-Cloud Integration for Trellix mVision ePO](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trellix-mvisio-epo-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Trellix mVision ePO app is properly integrated and configured to collect and analyze your Trellix mVision ePO data.
+:::
+
+### Create a new collector and install the app
+
+import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md';
+
+<AppCollectionOPtion1/>
+
+### Use an existing collector and install the app
+
+import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md';
+
+<AppCollectionOPtion2/>
+
+### Use an existing source and install the app
+
+import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md';
+
+<AppCollectionOPtion3/>
+
+## Viewing the Trellix mVision ePO dashboards​​
+
+import ViewDashboards from '../../reuse/apps/view-dashboards.md';
+
+<ViewDashboards/>
+
+### Security
+
+The **Trellix mVision ePO - Security** dashboard offers a unified view of endpoint threat activity and overall security posture. It tracks total detections, failed remediations, severity levels, and detection trends, helping teams quickly assess threat impact and scale.
+
+The dashboard provides real-time insights into suspicious processes, malicious file quarantines, C2 callbacks, user-targeted attacks, and unusual network port usage. It highlights threat activity by type, category, detection method, and affected endpoints, with geographical visualizations, including threats from embargoed regions, for added context.
+
+By consolidating this information, the dashboard enables faster threat detection, analysis, and response, reducing dwell time and enhancing endpoint defenses.<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Trellix-mVision-ePO/Trellix+mVision+ePO+-+Security.png' alt="Trellix-mVision-ePO–Security-Dashboard" />
+
+## Create monitors for the Trellix mVision ePO app
+
+import CreateMonitors from '../../reuse/apps/create-monitors.md';
+
+<CreateMonitors/>
+
+### Trellix mVision ePO alerts
+
+| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | 
+|:--|:--|:--|:--|
+| `Trellix mVision ePO - High-Severity Malware Detected` | This alert is triggered when malware with critical severity is detected. It helps prioritize threats that require immediate attention and investigation. | Critical | Count > 0 |
+| `Trellix mVision ePO – High-Severity Threat Not Remediated` | This alert is triggered when high-severity threats are detected but not successfully remediated. This alert helps you to identify persistent threats or failed containment efforts. | Critical | Count > 0|
+| `Trellix mVision ePO – Unusual Network Port Used in Malicious Activity` | This alert is triggered when high-severity threat events use unusual network ports outside standard ranges (80, 22, 443, 53, 3389). This alert helps you detect potential secret communication channels. | Critical | Count > 0|
+| `Trellix mVision ePO - Repeated Infections on Same Host` | This alert is triggered when more than three threat events occur on the same endpoint within one hour. This alert helps you to detect repeated compromise or reinfection of a host. | Critical | Count > 0|
+| `Trellix mVision ePO - Multiple Hosts Affected by Same Threat` | This alert is triggered when the same threat indicator appears across more than five unique hosts within 30 minutes. This alert helps you to detect a widespread or rapidly propagating attack. | Critical | Count > 0|
+
+## Upgrading/Downgrading the Trellix mVision ePO app (Optional)
+
+import AppUpdate from '../../reuse/apps/app-update.md';
+
+<AppUpdate/>
+
+## Uninstalling the Trellix mVision ePO app (Optional)
+
+import AppUninstall from '../../reuse/apps/app-uninstall.md';
+
+<AppUninstall/>
diff --git a/sidebars.ts b/sidebars.ts
@@ -2607,6 +2607,7 @@ integrations: [
           'integrations/saas-cloud/symantec-web-security-service',
           'integrations/saas-cloud/sysdig-secure',
           'integrations/saas-cloud/tenable',
+          'integrations/saas-cloud/trellix-mvision-epo',
           'integrations/saas-cloud/trend-micro-vision-one',
           'integrations/saas-cloud/trust-login',
           'integrations/saas-cloud/vectra',
