---
# Naftiko capability: Trellix Endpoint Security Operations.
# Declares two upstream HTTP APIs (Trellix EDR, Trellix ePO SaaS) under
# `capability.consumes` and two downstream listeners (REST on 8080, MCP on
# 9090) under `capability.exposes` that proxy a subset of those operations.
naftiko: 1.0.0-alpha2

info:
  label: Trellix Endpoint Security Operations
  description: >-
    Unified capability for SOC analysts and endpoint security engineers to
    detect, investigate, hunt, and respond to endpoint threats using Trellix
    EDR and ePO SaaS. Combines threat detection, alert investigation,
    real-time search, device management, and automated response actions for
    comprehensive endpoint security operations.
  tags:
    - Endpoint Security
    - Incident Response
    - Security Operations
    - Threat Detection
    - Threat Hunting
    - XDR
  # Quoted on purpose: bare ISO dates are parsed as date objects by YAML 1.1 loaders.
  created: '2026-05-03'
  modified: '2026-05-06'

# API credentials are resolved from the process environment at runtime; no
# secret material lives in this file. The value on the right is the env var
# name, the key on the left is the template variable it is exposed as.
binds:
  - namespace: env
    keys:
      TRELLIX_EDR_API_KEY: TRELLIX_EDR_API_KEY
      TRELLIX_EPO_API_KEY: TRELLIX_EPO_API_KEY

capability:
  # --- Upstream APIs ------------------------------------------------------
  # Both upstreams share one base URI but carry separate bearer tokens, so the
  # two credentials can be scoped and rotated independently.
  consumes:
    - type: http
      namespace: trellix-edr
      baseUri: https://api.manage.trellix.com
      description: Trellix EDR endpoint detection and response API
      authentication:
        type: bearer
        token: '{{TRELLIX_EDR_API_KEY}}'
      resources:
        - name: threats
          path: /edr/v2/threats
          description: Detected threats
          operations:
            - name: list-threats
              method: GET
              description: List detected threats
              inputParameters:
                - name: limit
                  in: query
                  type: integer
                  required: false
                  description: Max results
                - name: since
                  in: query
                  type: string
                  required: false
                  description: Filter by date
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            # NOTE(review): threatId is declared `in: path` but the resource
            # path carries no `{threatId}` placeholder — confirm how the
            # runtime appends path parameters before relying on this operation.
            - name: get-threat
              method: GET
              description: Get threat details
              inputParameters:
                - name: threatId
                  in: path
                  type: string
                  required: true
                  description: Threat identifier
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: detections
          path: /edr/v2/detections
          description: Endpoint detections
          operations:
            - name: list-detections
              method: GET
              description: List detections
              inputParameters:
                - name: limit
                  in: query
                  type: integer
                  required: false
                  description: Max results
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: alerts
          path: /edr/v2/alerts
          description: Security alerts
          operations:
            - name: list-alerts
              method: GET
              description: List alerts
              inputParameters:
                - name: limit
                  in: query
                  type: integer
                  required: false
                  description: Max results
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: searches
          path: /edr/v2/searches
          description: Real-time searches
          operations:
            - name: list-searches
              method: GET
              description: List searches
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            # NOTE(review): the request body is templated from `tools.*`
            # variables, which only the MCP listener binds via `with:`. The
            # REST listener calls this operation with no `with:` block, so the
            # REST path likely sends an empty/unresolved body — verify.
            - name: create-search
              method: POST
              description: Create a real-time search
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  query: '{{tools.query}}'
                  hosts: '{{tools.hosts}}'
        - name: reactions
          path: /edr/v2/reactions
          description: Response reactions
          operations:
            # Destructive upstream call (host isolation and similar); the same
            # `tools.*` body-binding caveat as create-search applies here.
            - name: create-reaction
              method: POST
              description: Execute a response reaction
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  type: '{{tools.type}}'
                  hostId: '{{tools.hostId}}'

    - type: http
      namespace: trellix-epo
      baseUri: https://api.manage.trellix.com
      description: Trellix ePO SaaS cloud management API
      authentication:
        type: bearer
        token: '{{TRELLIX_EPO_API_KEY}}'
      resources:
        - name: devices
          path: /epo/v2/devices
          description: Managed endpoint devices
          operations:
            - name: list-devices
              method: GET
              description: List managed devices
              inputParameters:
                - name: limit
                  in: query
                  type: integer
                  required: false
                  description: Max results
                - name: filter
                  in: query
                  type: string
                  required: false
                  description: Filter expression
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            # NOTE(review): same path-parameter question as get-threat above.
            - name: get-device
              method: GET
              description: Get device details
              inputParameters:
                - name: deviceId
                  in: path
                  type: string
                  required: true
                  description: Device identifier
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: events
          path: /epo/v2/events
          description: Threat events from managed devices
          operations:
            - name: list-events
              method: GET
              description: List threat events
              inputParameters:
                - name: limit
                  in: query
                  type: integer
                  required: false
                  description: Max results
                - name: since
                  in: query
                  type: string
                  required: false
                  description: Filter by date
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: tags
          path: /epo/v2/tags
          description: Device tags for grouping and policy application
          operations:
            - name: list-tags
              method: GET
              description: List tags
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            # Declared upstream but not exposed by either listener below.
            - name: create-tag
              method: POST
              description: Create a tag
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  name: '{{tools.name}}'
                  description: '{{tools.description}}'
        - name: groups
          path: /epo/v2/groups
          description: Device groups
          operations:
            - name: list-groups
              method: GET
              description: List device groups
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: queries
          path: /epo/v2/queries
          description: Saved queries for reporting and hunting
          operations:
            - name: list-queries
              method: GET
              description: List saved queries
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: execute-query
              method: POST
              description: Execute a saved query
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  queryId: '{{tools.queryId}}'
        - name: response-actions
          path: /epo/v2/response-actions
          description: Response actions on managed devices
          operations:
            # Destructive upstream call; body bound from `tools.*` only by the
            # MCP listener (see create-search note).
            - name: create-response-action
              method: POST
              description: Create a response action
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  type: '{{tools.type}}'
                  deviceId: '{{tools.deviceId}}'

  # --- Downstream listeners -----------------------------------------------
  # NOTE(review): unlike the `consumes` entries, neither listener declares an
  # `authentication` block, yet both expose destructive operations
  # (create-reaction, create-response-action). Whatever the runtime supports
  # here, access to ports 8080 and 9090 must be restricted at the deployment
  # layer (network policy, authenticating gateway) and the destructive calls
  # should be audit-logged — confirm against the Naftiko runtime's options.
  exposes:
    - type: rest
      port: 8080
      namespace: trellix-endpoint-ops-api
      description: Unified REST API for Trellix endpoint security operations.
      resources:
        - path: /v1/threats
          name: threats
          description: Detected threats from EDR
          operations:
            - method: GET
              name: list-threats
              description: List detected threats
              call: trellix-edr.list-threats
              with:
                limit: rest.limit
                since: rest.since
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/detections
          name: detections
          description: Endpoint detections
          operations:
            - method: GET
              name: list-detections
              description: List detections
              call: trellix-edr.list-detections
              with:
                limit: rest.limit
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/alerts
          name: alerts
          description: Security alerts
          operations:
            - method: GET
              name: list-alerts
              description: List alerts
              call: trellix-edr.list-alerts
              with:
                limit: rest.limit
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/devices
          name: devices
          description: Managed endpoint devices from ePO
          operations:
            - method: GET
              name: list-devices
              description: List managed devices
              call: trellix-epo.list-devices
              with:
                limit: rest.limit
                filter: rest.filter
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/events
          name: events
          description: Threat events from ePO
          operations:
            - method: GET
              name: list-events
              description: List threat events
              call: trellix-epo.list-events
              with:
                limit: rest.limit
                since: rest.since
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/searches
          name: searches
          description: Real-time endpoint searches
          operations:
            - method: GET
              name: list-searches
              description: List active searches
              call: trellix-edr.list-searches
              outputParameters:
                - type: object
                  mapping: $.
            # No `with:` block — the upstream body expects `tools.query` and
            # `tools.hosts`, which this REST operation does not bind.
            - method: POST
              name: create-search
              description: Create real-time search
              call: trellix-edr.create-search
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/reactions
          name: reactions
          description: EDR response reactions
          operations:
            # Destructive; no `with:` block binds `tools.type` / `tools.hostId`.
            - method: POST
              name: create-reaction
              description: Execute response reaction
              call: trellix-edr.create-reaction
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/response-actions
          name: response-actions
          description: ePO response actions
          operations:
            # Destructive; no `with:` block binds `tools.type` / `tools.deviceId`.
            - method: POST
              name: create-response-action
              description: Create response action
              call: trellix-epo.create-response-action
              outputParameters:
                - type: object
                  mapping: $.

    - type: mcp
      port: 9090
      namespace: trellix-endpoint-ops-mcp
      transport: http
      description: MCP server for AI-assisted endpoint security operations, threat hunting, and incident response.
      # `hints` are MCP tool annotations; tools marked `destructive: true`
      # change endpoint state and warrant a human-in-the-loop policy on the
      # MCP client side.
      tools:
        - name: edr-list-threats
          description: List threats detected by Trellix EDR for incident investigation and triage.
          hints:
            readOnly: true
            openWorld: true
          call: trellix-edr.list-threats
          with:
            limit: tools.limit
            since: tools.since
          outputParameters:
            - type: object
              mapping: $.
        - name: edr-list-detections
          description: List endpoint detections from EDR for threat hunting and analysis.
          hints:
            readOnly: true
            openWorld: true
          call: trellix-edr.list-detections
          with:
            limit: tools.limit
          outputParameters:
            - type: object
              mapping: $.
        - name: edr-list-alerts
          description: List security alerts from EDR for SOC triage and prioritization.
          hints:
            readOnly: true
            openWorld: true
          call: trellix-edr.list-alerts
          with:
            limit: tools.limit
          outputParameters:
            - type: object
              mapping: $.
        - name: edr-create-search
          description: Create a real-time search across endpoints to hunt for indicators of compromise.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: trellix-edr.create-search
          with:
            query: tools.query
            hosts: tools.hosts
          outputParameters:
            - type: object
              mapping: $.
        - name: edr-create-reaction
          description: Execute an EDR response reaction on an endpoint (isolate, collect artifacts, terminate process).
          hints:
            readOnly: false
            destructive: true
            idempotent: false
          call: trellix-edr.create-reaction
          with:
            type: tools.type
            hostId: tools.hostId
          outputParameters:
            - type: object
              mapping: $.
        - name: epo-list-devices
          description: List managed endpoint devices from ePO SaaS for asset inventory and status checks.
          hints:
            readOnly: true
            openWorld: true
          call: trellix-epo.list-devices
          with:
            limit: tools.limit
            filter: tools.filter
          outputParameters:
            - type: object
              mapping: $.
        - name: epo-list-events
          description: List threat events from ePO SaaS for incident correlation and reporting.
          hints:
            readOnly: true
            openWorld: true
          call: trellix-epo.list-events
          with:
            limit: tools.limit
            since: tools.since
          outputParameters:
            - type: object
              mapping: $.
        - name: epo-execute-query
          description: Execute a saved ePO query for security reporting and compliance checks.
          hints:
            readOnly: true
            openWorld: false
          call: trellix-epo.execute-query
          with:
            queryId: tools.queryId
          outputParameters:
            - type: object
              mapping: $.
        - name: epo-create-response-action
          description: Create an ePO response action on a managed device (quarantine, run scan, apply policy).
          hints:
            readOnly: false
            destructive: true
            idempotent: false
          call: trellix-epo.create-response-action
          with:
            type: tools.type
            deviceId: tools.deviceId
          outputParameters:
            - type: object
              mapping: $.