Check: TIDX-CL-000005
Trellix TIE/DXL STIG: TIDX-CL-000005 (in versions v3 r1 through v2 r3)
Title
The Trellix Data Exchange Layer (DXL) Client policy for all managed systems must be restricted to a selected broker or hub. (Cat II impact)
Discussion
This policy configures whether the DXL client connects to a preferred DXL Broker. In order to force the DXL client to connect specifically to the DXL broker coupled with the Threat Intelligence Exchange (TIE) server, the client needs to be configured to have a client broker preference.
Check Content
If the DXL Broker for the Trellix TIE server is the only DXL Broker in the architecture, this check is Not Applicable.

This check must be completed for the active Trellix DXL Client policy that manages managed clients.

1. From the ePO server console, select the Policy Catalog tab.
2. From the Policy Catalog, select the Trellix DXL Client from Products.
3. Under "Actions", select Edit for the policy that manages the managed clients.
4. Under Client Broker Connections, verify the check box for "Restrict to the selected broker or hub" is selected.

If under Client Broker Connections, the check box for "Restrict to the selected broker or hub" is not selected, this is a finding.
Fix Text
1. From the ePO server console, select the Policy Catalog tab.
2. From the Policy Catalog, select the Trellix DXL Client from Products.
3. Under "Actions", select Edit for the policy that manages the managed clients.
4. Under Client Broker Connections, select the check box for "Restrict to the selected broker or hub".
Additional Identifiers
Rule ID: SV-221995r961863_rule
Vulnerability ID: V-221995
Group Title: SRG-APP-000516
CCIs
Number | Definition |
---|---|
CCI-000366 | Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |