
Reviews from AWS customer

1 AWS reviews
  • 5 star: 0
  • 4 star: 0
  • 3 star: 1
  • 2 star: 0
  • 1 star: 0

External reviews

5 reviews
from

External reviews are not included in the AWS star rating for the product.


3-star reviews

    Daniel_Martins

Experiencing frequent disconnections and support challenges but benefits from quick implementation and integration capabilities

  • July 17, 2025
  • Review from a verified AWS customer

What is our primary use case?

We use Trellix Helix Connect because it is a SaaS solution. I think it has its own infrastructure rather than AWS or another provider. We use the Helix SaaS and a component called Evidence Collector that gets the logs from on-premise infrastructure and sends them to SaaS. I believe everything about Trellix Helix Connect is SaaS-based.

We use Evidence Collector which can be installed with the on-premise infrastructure to collect components such as files and IPS. This product receives the logs from the infrastructure and sends the information to Helix.

What is most valuable?

The best feature of Trellix Helix Connect is its quick implementation.

The integration with Mandiant is another significant advantage. When investigating an incident, we have access to IOCs and can receive results from Mandiant about these IOCs, similar to what VirusTotal offers. We can search and utilize this integration effectively.

We utilize the artificial intelligence capabilities in Trellix Helix Connect. We can perform some customization by providing parameters in the YARA from Helix, which provides valuable analysis points.

The solution allows users to create reports more quickly with comprehensive information, which can be expanded within minutes. This demonstrates the effectiveness of Trellix Helix Connect's automation capabilities for reducing incident response times.

What needs improvement?

The timeout of the tenant is an area that needs improvement. When investigating and gathering information from the Helix tenant for extended periods, disconnections occur. This results in lost work and the need to restart investigations due to disconnected sessions.

It is problematic when progress is lost and investigations must be restarted, resulting in lost information and significant time wastage.

The capability to integrate with other TIPs or cybersecurity intelligence sources could be improved to determine whether IOCs are malicious, similar to Mandiant's functionality.

The capacity to reduce false positives needs improvement as we receive many alerts from Helix that turn out to be false positives upon investigation. Enhanced capability in this area would make the system more efficient and easier to use.

The dashboards could be improved as customers frequently request real-time SOC dashboard displays for Helix.

How are customer service and support?

The support for Trellix Helix Connect is not satisfactory. We experience difficulties accessing personnel with deep knowledge of Helix. We have numerous tickets to understand and resolve problems. It is not an easy product to support on a daily basis.

The support would rate a three out of ten. It can take one to four weeks to connect with someone who truly understands Helix and can provide solutions. This makes the product difficult to maintain.

How would you rate customer service and support?

Neutral

What other advice do I have?

The solution can be challenging for analysts with lower skill levels. The syntax for finding findings requires specific knowledge, making it more difficult for initial users.

Trellix Helix Connect is generally easy to use, but the Evidence Collector component presents more challenges.

This review rates Trellix Helix Connect as 6 out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other

