
Jun 21, 2023
1.0.0
ThreatQ versions >= 5.1.0
Trellix ESM Connector
Overview
The Trellix ESM connector interacts with the Trellix ESM server.
The integration uses the Trellix ESM API to upload indicators to watchlists based on at least one user-defined saved ThreatQ Threat Library search. These searches keep the data within the Trellix ESM watchlists fresh, and stale data is aged out with every execution.
The integration also polls for Alarms whose names start with ThreatQ. These alarms are brought into ThreatQ as Sighting-type events. This gives threat analysts working with ThreatQ feedback on sightings of IoCs within the customer environment.