Threat Intelligence Exchange integration

Threat Intelligence Exchange verifies the reputation of the executable programs that run on the endpoints connected to it.

When you add a McAfee ePO device to the ESM, the system automatically detects whether a Threat Intelligence Exchange server is connected to the device. If it is, the ESM starts listening on the DXL (Data Exchange Layer) and logging the events it receives.

Note: You might experience a time delay when the ESM connects to the DXL.

When the Threat Intelligence Exchange server is detected, Threat Intelligence Exchange watchlists, data enrichment, and correlation rules are added automatically and Threat Intelligence Exchange alarms are enabled. You receive a visual notification, which includes a link to the summary of the changes made. You are also notified if the Threat Intelligence Exchange server is added to the McAfee ePO server after the device has been added to the ESM.

Once Threat Intelligence Exchange events are generated, you can view their execution history (see View Threat Intelligence Exchange execution history and set up actions) and select the actions you want to take on the malicious data.

Correlation rules

Six correlation rules are optimized for Threat Intelligence Exchange data. They generate events that you can search and sort through.

  • TIE — GTI reputation changed from clean to dirty
  • TIE — Malicious file (SHA-1) found on increasing number of hosts
  • TIE — Malicious file name found on increasing number of hosts
  • TIE — Multiple malicious files found on single host
  • TIE — TIE reputation changed from clean to dirty
  • TIE — Increase in malicious files found across all hosts

Alarms

The ESM has two alarms that might trigger when important Threat Intelligence Exchange events are detected.

  • TIE bad file threshold exceeded triggers from the correlation rule TIE — Malicious file (SHA-1) found on increasing number of hosts.
  • TIE unknown file executed triggers from a specific TIE event and adds information to the TIE data source IPs watchlist.

Watchlist

The TIE data source IPs watchlist maintains a list of systems that have triggered the TIE unknown file executed alarm. It is a static watchlist with no expiration.
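The following is an added illustration, not McAfee ESM's rule engine or any shipped rule content: a simplified replay of three of the correlation rules listed above, the two alarms, and the TIE data source IPs watchlist, run over constructed sample TIE reputation events. The event format, the clean/unknown/dirty reputation scale, the SHA-1 placeholders and the thresholds (4 hosts, 3 files) are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample TIE events in arrival order: (host_ip, sha1, reputation).
# Reputation is simplified to clean/unknown/dirty; SHA-1 values are placeholders.
SAMPLE_EVENTS = [
    ("10.0.0.1", "SHA1_A", "clean"),
    ("10.0.0.2", "SHA1_A", "clean"),
    ("10.0.0.1", "SHA1_A", "dirty"),    # TIE reputation flips clean -> dirty
    ("10.0.0.2", "SHA1_A", "dirty"),
    ("10.0.0.3", "SHA1_A", "dirty"),
    ("10.0.0.4", "SHA1_A", "dirty"),    # 4th host: spread threshold reached
    ("10.0.0.9", "SHA1_B", "dirty"),
    ("10.0.0.9", "SHA1_C", "dirty"),
    ("10.0.0.9", "SHA1_D", "dirty"),    # 3rd dirty file on one host
    ("10.0.0.7", "SHA1_E", "unknown"),  # unknown file executed
]

def correlate(events, spread_threshold=4, per_host_threshold=3):
    """Replay events through simplified versions of three TIE correlation rules,
    the two alarms and the watchlist. Returns (fired, watchlist): fired is an
    ordered list of (name, key) tuples raised at most once per key, watchlist
    the set of host IPs added to "TIE data source IPs". The thresholds are
    assumptions, not the ESM's shipped values."""
    last_rep = {}                    # sha1 -> last reputation seen
    dirty_hosts = defaultdict(set)   # sha1 -> hosts that ran it while dirty
    dirty_files = defaultdict(set)   # host -> dirty sha1s seen on it
    fired, watchlist = [], set()

    def fire(name, key):             # one event per (rule, key), no re-firing
        if (name, key) not in fired:
            fired.append((name, key))

    for host, sha1, rep in events:
        if last_rep.get(sha1) == "clean" and rep == "dirty":
            fire("TIE reputation changed from clean to dirty", sha1)
        last_rep[sha1] = rep
        if rep == "unknown":
            fire("TIE unknown file executed", host)
            watchlist.add(host)      # static watchlist entry, no expiration
        elif rep == "dirty":
            dirty_hosts[sha1].add(host)
            if len(dirty_hosts[sha1]) >= spread_threshold:
                fire("Malicious file (SHA-1) found on increasing number of hosts", sha1)
                fire("TIE bad file threshold exceeded", sha1)  # alarm chained to that rule
            dirty_files[host].add(sha1)
            if len(dirty_files[host]) >= per_host_threshold:
                fire("Multiple malicious files found on single host", host)
    return fired, watchlist
```

Replaying SAMPLE_EVENTS raises the clean-to-dirty event and the spread rule plus its alarm for SHA1_A, the single-host rule for 10.0.0.9, and the unknown-file alarm for 10.0.0.7, which is the only host placed on the watchlist.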

Threat Intelligence Exchange execution history

You can view the execution history for any Threat Intelligence Exchange event (see View Threat Intelligence Exchange execution history and set up actions), which includes a list of the IP addresses that have attempted to execute the file. On this page, you can select an item and take any of these actions:

  • Create a watchlist.
  • Append the information to a watchlist.
  • Create an alarm.
  • Add the information to a blacklist.
  • Export the information to a .csv file.