McAfee Data Exchange Layer (DXL)
The ThreatConnect integration with McAfee Data Exchange Layer (DXL) is comprehensive and supports full bi-directional use cases with McAfee DXL and supported products such as ATD, ePO, MAR, and TIE. The Playbook app publishes events and invokes services on DXL topics, while the service lets users subscribe to events on DXL topics and trigger Playbooks when there is a match. The example use cases below are a good place to start, not a complete list of what is possible:
- Subscribe to events on any McAfee DXL topic and trigger a Playbook on relevant matches.
- Subscribe to McAfee TIE file reputation updates and either save indicators in ThreatConnect or adjust scoring of existing indicators.
- Subscribe to McAfee ePO events and trigger Playbooks on relevant matches.
- Subscribe to malware reports from McAfee ATD and automatically create Cases or Incidents with associated indicators in ThreatConnect.
- Invoke any service on McAfee DXL and use the results in a ThreatConnect Playbook.
- Publish events on any McAfee DXL topic.
- Update McAfee TIE file reputations when indicators are added or updated in ThreatConnect.
- Query McAfee Active Response as part of an endpoint triage or investigation process.
- Run commands on McAfee ePO as part of an investigation process.
This app can be found in the ThreatConnect App Catalog under the name McAfee Data Exchange Layer (DXL).