Hello everyone, I hope you guys can help me figure this out since I've been thinking a lot about it since yesterday.

I'm by no means an expert in Splunk. However, I've been tasked with integrating Trellix EDR log files into Splunk. I found an app in the splunkbase site (https://splunkbase.splunk.com/app/6480) that could be the answer to my task. I installed the app in the heavy forwarder as I have done before while integrating Rapid 7 logs and followed the brief guide provided by the author of the guide.

However, this is where the problems start. After I configured input settings, I didn't recieve a single log file. I checked the logs and found out that the problem had something to do with SSL Certificates.

ERROR pid=7210 tid=MainThread file=base_modinput.py:log_error:309 | Error in input_module_trellix_edr_input.get_threats() - line 127 : HTTPSConnectionPool(host='api.soc.us-east-1.mcafee.com', port=443): Max retries exceeded with url: /ft/api/v2/ft/threats?sort=-lastDetected&filter=%7B%22severities%22:%20%5B%22s0%22,%20%22s1%22,%20%22s2%22,%20%22s3%22,%20%22s4%22,%20%22s5%22%5D,%20%22scoreRange%22:%20%5B30%5D%7D&from=1686690509938&limit=10000&skip=0 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)')))

 I immediately started googling that error and found out that it was probably an outdated SSL Certificate. Thing is, when I connected to the heavy forwarder through SSH and tried to update the python SSL Certificates through pip I found out that you couldn't do that in a splunk server. I found a workaround that implied that I could somehow disable the SSL check, I spend hours looking at the most suspicious .py files but couldn't find where that check was made (It also didn't help that I know next to nothing of python). I also tried playing with the settings of the input, trying out different regions, etc, but it was all for naught. Ultimately, I started thinking that it was a problem caused by outdated SSL Certificates hardcoded in the app (don't really know if that's possible)

I ended up deciding to contact support. It was at that time that I noticed that this app wasn't supported by Splunk and that I had to contact the developer of the app if I wanted any kind of support. I did some research on mister "Martin Ohl" and found out that he no longers works at Trellix (no wonder why the app never had an update). I went to Trellix's support page and couldn't find a support email so I started dwelling in their support and FAQ web. I could not find any single post or hint about a possible integration with any SIEM not just Splunk.

So I thought that posting my case in the Splunk Community Forums was my best bet. I'd appreciate any hint, insight or even an anecdote about a similar case. If anyone has managed to integrate Trellix into Splunk It'd be a lot of help if you could share your experience. Or even if someone knows how to deal with the SSL Certificates thing.

I'll be uploading a pdf file with more detail about the error log I recieved. Thanks in advance.