McAfee DXL
Use the McAfee DXL integration to connect and optimize security actions across multiple vendor products.
How to Create the RSA Key Pair
Before you configure the ePO server, you need to generate the RSA key pair. Make sure that openssl is installed.
- Open a new directory.
- Download the sh script and move it to the new directory.
- Run the script.
- Complete the required fields, except the challenge password and the optional company name (leave empty).
The certificate (client.crt) is valid for 365 days (you can change the value in the script).
After the script finishes running, you should have the following files.
Configure the ePO Server
To configure the ePO server, you need to upload the public key.
- In ePO server go to Menu > Server Settings.
- Under DXL certificates (Third Party) click Edit.
- download the brokers certificate.
- Download the brokers list.
- Click Import and select the client.crt file.
- Click Save.
- Test the integration (it may take a few minutes until the key is enabled).
Configure McAfee DXL on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for McAfee DXL.
- Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
|---|---|---|
| broker_ca_bundle | Broker CA certificates content (see brokercerts.crt in the instructions). | True |
| cert_file | Client certificates content (see client.crt in the instructions). | True |
| private_key | Client private key content (e.g. client.key) | True |
| broker_urls | Brokers URLs (comma separated list in the form of [ssl://]<hostname>[:port]). Get the hostname & port from the brokerlist.properties file in the instructions. Note that the broker should be reachable from the Demisto server. | True |
| push_ip_topic | The topic for which to publish the 'dxl-push-ip'. | False |
| push_url_topic | The topic for which to publish the 'dxl-push-url'. | False |
| push_domain_topic | The topic for which to publish the 'dxl-push-domain'. | False |
| push_hash_topic | The topic for which to publish the 'dxl-push-hash'. | False |
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
1. Send an event to DXL
Sends the specified event to the DXL fabric.
Base Command
dxl-send-event
Input
| Argument Name | Description | Required |
|---|---|---|
| topic | The topic for which to publish the message. | Required |
| payload | The event payload. | Required |
Context Output
There is no context output for this command.
Command Example
dxl-send-event topic="TOPIC_NAME" payload="The message"
Human Readable Output
Successfully sent event
2. Push an IP address to DXL
Pushes an IP address to the DXL fabric.
Base Command
dxl-push-ip
Input
| Argument Name | Description | Required |
|---|---|---|
| ip | The IP address to push to the DXL fabric. | Required |
| trust_level | The new trust level for the IP address. Can be: "NOT_SET", "KNOWN_MALICIOUS", "MOST_LIKELY_MALICIOUS", "UNKNOWN", "MIGHT_BE_TRUSTED", "MOST_LIKELY_TRUSTED", "KNOWN_TRUSTED", or "KNOWN_TRUSTED_INSTALLER". | Required |
| topic | The topic for which to publish the 'dxl-push-ip'. | Optional |
Context Output
There is no context output for this command.
Command Example
dxl-push-ip ip="104.196.188.170" trust_level="KNOWN_TRUSTED" topic="IP_LISTENER"
Human Readable Output
Successfully pushed ip 104.196.188.170 with trust level KNOWN_TRUSTED
3. Push the URL to DXL
Pushes the URL to the DXL fabric.
Base Command
dxl-push-url
Input
| Argument Name | Description | Required |
|---|---|---|
| url | The URL to push to the DXL fabric. | Required |
| trust_level | The new trust level for the URL. Can be: "NOT_SET", "KNOWN_MALICIOUS", "MOST_LIKELY_MALICIOUS", "UNKNOWN", "MIGHT_BE_TRUSTED", "MOST_LIKELY_TRUSTED", "KNOWN_TRUSTED", or "KNOWN_TRUSTED_INSTALLER". | Required |
| topic | The topic for which to publish the 'dxl-push-url'. | Optional |
Context Output
There is no context output for this command.
Command Example
dxl-push-url url="https://www.demisto.com" trust_level="KNOWN_TRUSTED" topic="URL_LISTENER"
Human Readable Output
Successfully pushed URL https://www.demisto.com with trust level KNOWN_TRUSTED
4. Push a domain to DXL
Pushes a domain to the DXL fabric
Base Command
dxl-push-domain
Input
| Argument Name | Description | Required |
|---|---|---|
| domain | The domain to push to the DXL fabric. | Required |
| trust_level | The new trust level for the domain. Can be: "NOT_SET", "KNOWN_MALICIOUS", "MOST_LIKELY_MALICIOUS", "UNKNOWN", "MIGHT_BE_TRUSTED", "MOST_LIKELY_TRUSTED", "KNOWN_TRUSTED", or "KNOWN_TRUSTED_INSTALLER". | Required |
| topic | The topic for which to publish the 'dxl-push-domain'. | Optional |
Context Output
There is no context output for this command.
Command Example
dxl-push-domain domain="demisto.com" trust_level="KNOWN_TRUSTED" topic="DOMAIN_LISTENER"
Human Readable Output
Successfully pushed domain demisto.com with trust level KNOWN_TRUSTED
5. Push a file hash to DXL
Pushes a file hash to the DXL fabric.
Base Command
dxl-push-hash
Input
| Argument Name | Description | Required |
|---|---|---|
| hash | The hash to push to the DXL fabric. | Required |
| trust_level | The new trust level for the domain. Can be: "NOT_SET", "KNOWN_MALICIOUS", "MOST_LIKELY_MALICIOUS", "UNKNOWN", "MIGHT_BE_TRUSTED", "MOST_LIKELY_TRUSTED", "KNOWN_TRUSTED", or "KNOWN_TRUSTED_INSTALLER". | Required |
| topic | The topic for which to publish the 'dxl-push-hash'. | Optional |
Context Output
There is no context output for this command.
Command Example
dxl-push-hash hash="HASH_TO_SEND" trust_level="KNOWN_TRUSTED" topic="HASH_LISTENER"
Human Readable Output
Successfully pushed hash HASH_TO_SEND with trust level KNOWN_TRUSTED