Ingest alerts from Trellix Helix into AiStrike and perform remediation actions (such as adding entities to blocklists) via the Helix API.
FireEye and McAfee Enterprise merged to form Trellix. FireEye Helix is now Trellix Helix.
Prerequisites
-
Access to the Trellix Helix console.
-
Admin rights to generate and manage API keys.
-
An AiStrike tenant configured to accept external alert ingestion.
Required permissions
The API token needs read-only permission for all services (tap.*.list, tap.*.browse) and full permissions on Cases and Rules, covering: Alerts, Events, Search, List, Cases, Rules, Users, Roles, Assets, Appliance, Archive.
Generate an API token
-
Log in to the Trellix Helix Console.
-
Go to Identity & Access Management → API Keys → Create API Key.
-
Provide an API Key Name (e.g.
AIStrikeIntegration), an expiration date, and select the required products. -
Click Next, assign the permissions above, click Create, and copy the API token.
Keep the API token secure — it must be included in all integration requests.
Determine your Helix instance ID
On the IAM page, select the Organization Settings tab. The instance ID is shown in the upper-left corner and uniquely identifies your Helix instance.
Verify
Use the token in the x-fireeye-api-key header and run a health check:
GET /helix/id/<instance-id>/api/v3/appliances/health HTTP/1.1
Host: helix.eu.fireeye.com
x-fireeye-api-key: <YOUR_API_KEY>
Connector configuration
|
Parameter |
Description |
|---|---|
|
Configuration Name |
e.g. |
|
Description |
Free text |
|
API URL |
API root of your Helix instance, e.g. |
|
API Token |
The token generated above |