ThreatConnect and McAfee DXL: Better Integrations with the McAfee Stack

ThreatConnect has partnered with security giant McAfee and released multiple Playbook Apps and one App Service for McAfee DXL. McAfee DXL is a communication fabric that allows ThreatConnect to connect with nearly every piece of McAfee technology. The Playbook Apps let you Publish Events and Invoke Services on DXL topics, while the App Service lets you subscribe to events on DXL topics and trigger Playbooks when there is a match.

The sections below explain what each McAfee product does and list some of the use cases available with this integration.

The McAfee Data Exchange Layer (DXL) communication fabric connects and optimizes security actions across multiple vendor products as well as internally developed and open source solutions. Enterprises gain secure, real-time access to new data and lightweight, instant interactions with other products. Use cases available include:

  • Subscribe to events on any McAfee DXL Topic and trigger a Playbook on relevant matches.
  • Invoke any Service on McAfee DXL and use the results in a ThreatConnect Playbook.
  • Publish events on any McAfee DXL topic.

McAfee Threat Intelligence Exchange (TIE) provides a framework personalized to your environment where your security products collectively pinpoint threats and act as a unified threat defense system. Use cases available include:

  • Subscribe to McAfee TIE file reputation updates and either save indicators in ThreatConnect or adjust the scoring of existing indicators.
  • Update McAfee TIE file reputations when indicators are added or updated in ThreatConnect.

McAfee Active Response (MAR) is an endpoint detection and response tool. It allows you to capture and monitor events, files, host flows, process objects, context, and system state changes that may be indicators of attack or dormant attack components. Use cases available include:

  • Query McAfee Active Response (MAR) as part of an endpoint triage or investigation process.

McAfee Advanced Threat Defense (ATD) enables organizations to detect advanced, evasive malware and convert threat information into immediate action and protection. Unlike traditional sandboxes, it includes additional inspection capabilities that broaden detection and expose evasive threats. Use cases available include:

  • Subscribe to malware reports from McAfee ATD and automatically create Cases or Incidents with associated indicators.

McAfee DXL – Ingest ATD Report as Incidents Playbook App

McAfee ePolicy Orchestrator (ePO) is the central software repository for all McAfee product installations, updates, and other content. Use cases available include:

  • Subscribe to McAfee ePO events and trigger Playbooks on relevant matches.
  • Run commands on McAfee ePO as part of an investigation process.

McAfee DXL – Get System Info from ePO

Again, these are just a few of the use cases available with this new integration. We fully expect more use cases to be discovered and more Playbook Apps and templates to be added over time. If you’re a ThreatConnect customer, please reach out to your dedicated Customer Success Team for more information on using the McAfee Playbook Apps. If you’re not yet a customer and are interested in ThreatConnect, contact sales@threatconnect.com.

About the Author
Jeff Quist

Jeff Quist, Product Marketing Manager at ThreatConnect, has 9 years of experience in Sales, Marketing, Product Management, and Product Marketing, mainly in technology and financial services. His professional experience and empathy for customers and partners help him to develop engaging marketing content and empower sales teams. Jeff lives in New York City and in his free time, he enjoys sketching, reading sci-fi novels, and supporting the Boston Bruins.