Posts by peruzzijl

    Has any thought been put around adding some level of Authentication to the Open DXL fabric? As of now we only know that applications/certificates/tags have authorization to specific services; however, the receiving end has no idea about WHO is sending these requests. A username would be quite helpful when requests are received so that at a very bare minimum it could be tracked. With more and more items connecting to the fabric I believe the who will be just as important as the what. This could be done upon registration of the service and added to the request object prior to submitting a request to a service. Services that require authentication would need to have a session key in order to submit the request and the receiving end would get the session key where it could look up the user information if needed (force some sort of state on the Open DXL app so as to limit the amount of data being sent with every response).

    Any chance there is planning to request access credentials over DXL to connect to ATD SOAP services? This helps us not have to store login info in our applications to submit files to ATD; having a simple JSON request object for an OAuth2-type response over DXL would be much more secure/easier when connecting to the web-based SDK (in my opinion), over storing passwords locally...

    Tychon has a lot of APIs that can be accessed via DXL, the ePO remoting service and our server side micro services on ePO. Through DXL we can give you access to:


    1. Executing PowerShell scripts across your enterprise and seeing real-time results from those scripts.

    2. Running WMI queries against Windows systems.

    3. Querying the file system and looking into our historical journal to include MD5, SHA1, SHA256 and Fuzzy Hashes.

    Another note: when using Open DXL with no McAfee agent installed, the DXL Broker will issue a random identifier to clients that is reset with every new connect. Tracking Open DXL clients is better accomplished with your own implementation.

    Tychon (Commercial) will support STIX submissions and receipt over DXL; users will be able to receive a feed of incidents from open cases being created from the Tychon UI. They can also submit IOCs and STIX queries over DXL to query endpoints in real-time.


    There is a slight issue, however: with the limited size of a DXL message and the bloat of the STIX XML format, it's best to send queries in smaller formats through the Tychon SDK.

    You can modify the size if needed by modifying the config file on your DXL broker, /opt/McAfee/dxlbroker/conf/dxlbroker.conf, and modifying this setting:


    # The message size limit

    messageSizeLimit=1048576


    Of course you'd have to do this across all your production DXL brokers to make it work beyond your lab.
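
The point in the post above about changing the limit on every broker can be checked before a large STIX payload is sent. The following is an added example, not part of the original post and not Tychon or OpenDXL code: it audits `messageSizeLimit` across several broker config files and tests a payload against the smallest value found. The broker names, config contents, the `headroom` value, and the reading of the limit as a byte count covering the whole message are assumptions.

```python
import re

# Matches the setting shown in the post, e.g. "messageSizeLimit=1048576".
_SETTING = re.compile(r"messageSizeLimit\s*=\s*(\d+)")

def parse_limit(conf_text):
    """Return messageSizeLimit from dxlbroker.conf-style text, or None if unset."""
    limit = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and comment lines
            continue
        m = _SETTING.fullmatch(line)
        if m:
            limit = int(m.group(1))            # assumption: last assignment wins
    return limit

def audit(brokers):
    """brokers maps name -> config text.
    Returns (effective_limit, lagging, unset): the smallest configured limit,
    brokers set lower than the highest value, and brokers with no explicit value."""
    limits = {name: parse_limit(text) for name, text in brokers.items()}
    unset = sorted(n for n, v in limits.items() if v is None)
    known = {n: v for n, v in limits.items() if v is not None}
    if not known:
        return None, [], unset
    highest = max(known.values())
    lagging = sorted(n for n, v in known.items() if v < highest)
    return min(known.values()), lagging, unset

def fits(payload, effective_limit, headroom=4096):
    """True if payload plus headroom for message headers (constructed value,
    an assumption) stays within the smallest limit on the fabric."""
    return len(payload) + headroom <= effective_limit

# Constructed sample configs: the lab broker was raised, production was not.
SAMPLE_BROKERS = {
    "lab-1": "# The message size limit\nmessageSizeLimit=4194304\n",
    "prod-1": "# The message size limit\nmessageSizeLimit=1048576\n",
    "prod-2": "# The message size limit\n#messageSizeLimit=4194304\n",
}

if __name__ == "__main__":
    effective, lagging, unset = audit(SAMPLE_BROKERS)
    print("effective limit:", effective)
    print("brokers still on a lower limit:", lagging)
    print("brokers with no explicit setting:", unset)
    stix_xml = b"<stix>" + b"x" * 2_000_000 + b"</stix>"  # constructed payload
    print("2 MB STIX payload fits:", fits(stix_xml, effective))
```
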