Security ecosystem tools lack easy access to network data and don’t have visibility into threats detected by DNS security solutions. Being able to detect and respond in real time to network events and threats seen by the DNS protection platform greatly accelerates incident response. However, the lack of easy access to network data inhibits taking the right action based on context. Infoblox integration with McAfee DXL enables ecosystem solutions to take action on network and security events detected by Infoblox and contain threats faster.
Infoblox publishes security and networking event topics, along with context over DXL using outbound RESTful application programming interfaces (APIs). This enables DXL topic subscribers to integrate DDI network changes and identified DNS threats within their solutions and trigger response to these events as needed.
The SIA DXL Task Manager, which runs on top of McAfee ePO, can subscribe to the Infoblox notifications, convert them into ePO threat events, apply policies, and enable remediation actions.
Infoblox's Outbound API integration framework is a new automated way to push both IPAM data (networks, hosts, leases) and DNS threat data into additional ecosystem solutions.
Infoblox DDI provides device discovery and single source of truth for devices and networks. It knows when there are changes in the network, such as new devices joining the network, virtual workloads being spun up, or malicious activities detected by the DNS security solution.
In the attached documents you will find the templates for McAfee integration in PDF and txt format. The templates are provided “as-is” and should be tested in your lab environment and modified as needed before implementing them into production.
The templates require an extensible attribute described in the table below. It is recommended to inherit attributes with the default values from the network view level.
The ePO GUID of the object if it is known. The template generates a random GUID if the EA is not defined or contains an empty value.
Provides the last time that an object’s information was sent to McAfee DXL.
“True or False”
Defines if an object should be sent to McAfee DXL.
Thank you very much for those templates.
In the documentation, you are mentioning the ePO extension "SIA DXL Task Manager".
I'm actually struggling to find this extension.
Can you please share where we can get (or purchase) this extension from?
You will need to talk with your McAfee representative or their support team. Unfortunately, businesses constantly change how their products are licensed and sold and how extensions are handed out so I'm not able to answer your question myself as I'm not a McAfee expert or sales rep. If you got your ePO through a partner or third party then I suggest you start with them, usually they are happy to help and do the leg work for you to keep your continued business.
Hopefully this puts you in the right direction, and if you have any more questions let me know and I'll do my best to answer them!
hope this helps,
It was a separate product, which was hard to find. They built it into DXL 5.0.
In the DXL 5.0 Release Notes they mentioned it as:
Advances in automation: Remote commands that are exposed in McAfee ePO or Security Innovation Alliance Partner products can be called directly over DXL. Invoking remote commands over DXL is useful with automation tasks, whether they are user-driven (orchestrated), or performed without user involvement (automated). For example, DXL can generate a McAfee ePO Threat Event, or a DXL event on any topic via an Automatic Response Action.