The Trellix (McAfee) ePO Splunk Technology Add-on enables Splunk users to reliably collect, normalize, and analyze security telemetry from Trellix ePolicy Orchestrator (ePO) in one centralized platform. Many organizations running Trellix ePO lack a native, CIM-compliant integration with Splunk, making it difficult to correlate endpoint security data with other security and IT signals.
This app addresses that gap by providing a production-ready integration that ingests threat events, malware detections, endpoint and agent health, policy compliance, quarantine activity, updates, and user audit logs via the ePO REST API (and syslog where applicable). All data is normalized to the Splunk Common Information Model (CIM), allowing immediate use with Splunk Enterprise Security, Security Essentials, and custom SOC workflows.
By combining secure data collection, enterprise-grade reliability, and a comprehensive all-in-one security dashboard, the add-on helps SOC teams, security engineers, and Splunk administrators gain clear visibility into endpoint threats, compliance posture, and operational health—without building and maintaining custom integrations.
Note: This is a community-maintained, non-official add-on. It is not affiliated with Splunk or Trellix. Repository path: /sarat1kyan/TA-trellix-epo
Created By
Mher Saratikyan