Best practices to monitor a Threat Intelligence Exchange Server deployment
Last Modified: 2023-05-19 09:19:28 Etc/GMT
Technical Articles ID: KB86314

Environment
Threat Intelligence Exchange (TIE) Server - all supported versions
For supported environments, see KB83368 - Supported platforms for Threat Intelligence Exchange Server.

Summary
This article describes several options for monitoring your TIE Server deployment.
NOTE: As of TIE Server version 2.1.0, the naming convention for Master and Slave operations changed to Primary and Secondary. For example: Master becomes Primary, and Slave becomes Secondary. Previous versions of TIE Server retain the original Master/Slave designations.

ePolicy Orchestrator (ePO) - Automatic Responses of TIE Server Health
TIE Server enables you to use ePO server events to create ePO Automatic Responses, including email notifications, among other possible actions. An ePO server task named TIE Server Monitoring runs hourly. It creates events if TIE Server instances aren't reachable or if their health API doesn't respond. You must create matching ePO Automatic Responses to act when the events are received. The generated event ID range is 37175–37179. Each ID matches a given TIE Server operation mode, which makes troubleshooting easier.
Create the Automatic Responses under Menu, Automatic Responses, New Response. Set the Event type to Server, filter on Event ID so that it matches the TIE Server range 37175–37179, and choose the Send Email action.
NOTE: An email account must be configured under Menu, Server Settings, Email Server to receive emails for Automatic Responses.

ePO - Product Information at the Device Tree
ePO provides customized product properties for TIE that include relevant metrics on the Advanced Threat Defense (ATD) and Global Threat Intelligence (GTI) integrations. They are located under System Tree, the TIE Server Appliance's System Name, Products, McAfee Threat Intelligence Exchange Server.
[Screenshot: sample output of the TIE Server product properties]

ePO - Data Exchange Layer (DXL) Fabric Topology Page
This page has been available since DXL 1.1 at Menu, Configuration, Server Settings, DXL Topology. The DXL Fabric Topology page displays information about DXL properties, bridges, and services. Each DXL Broker also shows the number of messages per second handled by the DXL services.
[Screenshot: sample registration information for the TIE service]

ePO - Web APIs
The TIE Server virtual appliance runs over DXL Broker, which offers ePO Web APIs to report the number of connected clients. Any monitoring solution can reuse the ePO Web APIs to monitor services and their health over time and identify issues. The following monitoring remote commands are available since DXL 2.0:
Health Status Feature
The overall Health Status for each server can be found on the TIE Server Topology page. Navigate to Menu, Configuration, Server Settings, and select the TIE Server Topology Management section. Here, you can review the DXL, ATD, and GTI connectivity status of each TIE Server instance. You can also see whether the database versions within each TIE Server are compatible, and whether the installed extension version matches the Server extension version. There are also sections that describe the performance status, NTP status, database and storage, and certificate compliance. For the secondary servers, you can also review the Database Replication status.
[Screenshot: TIE Health Status - Primary Server]
[Screenshot: TIE Health Status - Secondary Server]
Starting with TIE Server 2.0.0, the MER tool copies all

Related Information
For product documents, go to the Product Documentation portal.