Data Exchange Layer Integration Types

Interaction with the DXL fabric is comprised of two primary roles: information consumers and information providers.

Information Consumers

Consumers receive information over the DXL fabric via its multiple communication models.

Event subscriber

An event-based consumer subscribes to topics and passively receives events from publishers (one-to-many communication mode). Common use cases that leverage event subscriber integrations include:

  • Orchestration—A client listens for a particular set of events. Once an event is received an orchestration workflow is initiated. For example, a security product detects that a particular endpoint is sending data to a known command-and-control target and as a reaction sends an event to the DXL fabric. A client listening for the particular event initiates an orchestration workflow that triggers a remediation process utilizing other products available on the fabric.

Service invoker

This is a client that invokes methods on services registered on the DXL fabric, actively requesting information from the service (one-to-one communication mode). Common use cases that leverage service invocation integrations include:

  • Data collection—Security services are invoked over the DXL fabric to query information in real time (e.g., running-processes, etc.) or for forensics-based analysis.
  • Orchestration—As part of an orchestration workflow, various security services are invoked for the purpose of data collection, analytics, and remediation.

Information Providers

These providers distribute information to the DXL fabric via its multiple communication models.

Event publisher

This is a client that periodically publishes events to specific topics on the DXL fabric (one-to-many communication mode). These events will be delivered to consumers that are currently subscribed to those topics. Common use cases that leverage event publisher integrations include:

  • Threat events—Events are sent to the fabric to indicate the presence of a threat (e.g., malware is detected on a particular endpoint).
  • Informational events—Events are sent to the fabric to announce a particular piece of information (e.g., a new vulnerability has been published, a user logged into a system, etc.).

Service providers

This is a client that registers a service with the DXL fabric. A service is comprised of one or more methods that are exposed via corresponding topics. These service methods will be invoked by clients by sending a request message to a topic associated with a service method. Once received, the service replies by sending a response message over the fabric back to the invoking client (one-to-one communication mode). Common service integration models include:

  • Native service—A service developed with a native DXL fabric integration. For example McAfee Threat Intelligence Exchange natively supports communication with DXL fabrics.
  • Wrapped service—A DXL service wrapper is created that delegates invocations to an existing service's API/SDK. For example, a security service that exposes a REST-based API can be easily wrapped by a DXL service wrapper to provide its functionality on the DXL fabric.