AiStrike Documentation

Trellix Helix

Ingest alerts from Trellix Helix into AiStrike and perform remediation actions (such as adding entities to blocklists) via the Helix API.

FireEye and McAfee Enterprise merged to form Trellix. FireEye Helix is now Trellix Helix.

Prerequisites

  • Access to the Trellix Helix console.

  • Admin rights to generate and manage API keys.

  • An AiStrike tenant configured to accept external alert ingestion.

Required permissions

The API token needs read-only permission for all services (tap.*.list, tap.*.browse) and full permissions on Cases and Rules, covering: Alerts, Events, Search, List, Cases, Rules, Users, Roles, Assets, Appliance, Archive.

Generate an API token

  1. Log in to the Trellix Helix Console.

  2. Go to Identity & Access Management → API Keys → Create API Key.

  3. Provide an API Key Name (e.g. AIStrikeIntegration), an expiration date, and select the required products.

  4. Click Next, assign the permissions above, click Create, and copy the API token.

Keep the API token secure — it must be included in all integration requests.

Determine your Helix instance ID

On the IAM page, select the Organization Settings tab. The instance ID is shown in the upper-left corner and uniquely identifies your Helix instance.

Verify

Use the token in the x-fireeye-api-key header and run a health check:

GET /helix/id/<instance-id>/api/v3/appliances/health HTTP/1.1
Host: helix.eu.fireeye.com
x-fireeye-api-key: <YOUR_API_KEY>

Connector configuration

Parameter

Description

Configuration Name

e.g. AiStrike_integration

Description

Free text

API URL

API root of your Helix instance, e.g. https://helix.eu.fireeye.com/helix/id/{id}/

API Token

The token generated above