McAfee Active Response

This integration was integrated and tested with version 2.1.0 of McAfee Active Response.

Playbooks

  • Endpoint data collection
  • MAR - Endpoint data collection

Use Cases

Capture and monitor events, files, host flows, process objects, context, and system state changes that may be indicators of attack (IoAs) or attack components lying dormant.

Create a McAfee DXL Certificate for McAfee Active Response

To configure an instance of McAfee Active Response, you first need to create a McAfee DXL certificate and add the certificate to the McAfee Intelligence Exchange integration.

Prerequisite

Before you create a McAfee DXL certificate, make sure you have a Broker CA certificate ( brokercerts.crt ).

  1. Generate a certificate signing request (CSR) with a tool such as CSR generator.
  2. Save the CSR and the private key as separate files.
  3. Access your McAfee ePolicy Orchestrator environment.
  4. Navigate to Server Settings .
  5. Select DXL Certificates and click Edit .
  6. Click Import CSR and select the CSR file you created previously.
  7. Select your certificate and click Export Certificate .
    This generates a CRT file.
  8. Add your certificate to Restrict Send Certificates and Restrict Receive Certificates .
  9. In Demisto, search for McAfee Active Response integration and click Add instance .
    • Broker CA certificates content - The content of the brokercerts.crt file.
    • Client certificates content - The content of the CRT file you exported previously.
    • Client private key content - The content of the private key file you saved previously.
    • Brokers URLs - Broker server IP address, port 8883.
    • Use Load-Balancing Group - Should be enabled.


Configure McAfee Active Response on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for McAfee Active Response.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Broker CA certificates content (see brokercerts.crt in the Detailed Instructions section)
    • Client certificates content (see client.crt in the Detailed Instructions section)
    • Client private key content (see client.key in the Detailed Instructions section)
    • Brokers URLs (CSV list in the form [ssl://]<hostname>[:port]) - Get the hostname and port from the brokerlist.properties file in the Detailed Instructions section. Note that the broker must be reachable from the Demisto server.
  4. Click Test to validate the URLs, certificates, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. Search endpoint data


Executes a search for endpoint data.

Base Command

mar-search

Input
Argument Name Description Required
collector The collector to query. Required
prejection-collector Projection collector whose fields are returned. By default, the projection collector is the same as the collector. Optional
outputs CSV list of fields (outputs) to return. Run the mar-collectors-list command to view all collectors and their fields. If not supplied, all outputs are returned. Optional
filter-by Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and their fields. Optional
filter-operator Filtering operator. Optional
filter-value Filtering value of the filter-by field. Optional

Context Output
Path Type Description
MAR unknown MAR results for the given collector, e.g., MAR.HostInfo. For information about possible output paths, run the mar-collectors-list command.

Command Example
!mar-search collector=Processes
Context Example
{
    "MAR": {
        "Services": [
            {
                "status": "Running", 
                "description": "Base Filtering Engine", 
                "startuptype": "Automatic", 
                "created_at": "2019-02-06T17:16:25.193Z", 
                "user": "NT AUTHORITY\\LocalService", 
                "name": "BFE"
            }, 
            {
                "status": "Running", 
                "description": "Diagnostic Policy Service", 
                "startuptype": "Automatic (Delayed Start)", 
                "created_at": "2019-02-06T17:16:25.193Z", 
                "user": "NT AUTHORITY\\LocalService", 
                "name": "DPS"
            }, 
            {
                "status": "Stopped", 
                "description": "Encrypting File System (EFS)", 
                "startuptype": "Manual", 
                "created_at": "2019-02-06T17:16:25.193Z", 
                "user": "LocalSystem", 
                "name": "EFS"
            }
        ]
    }
}
Human Readable Output


2. Get a list of collectors


Returns a list of all collectors and their outputs.

Base Command

mar-collectors-list

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example
!mar-collectors-list
Human Readable Output


3. Search endpoint data crossed by multiple collectors


Searches endpoint data crossed by multiple collectors.

Base Command

mar-search-multiple

Input
Argument Name Description Required
collectors The collectors to query. Required
filter_collector The collector to filter by, e.g., HostInfo. Optional
filter-by Field name (output) of filter_collector to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and their fields. Optional
filter-operator Filtering operator. Optional
filter-value Filtering value of the filter-by field. Optional

Context Output
Path Type Description
MAR.SearchMultiple unknown The result of the search query. For information about possible output paths, run the mar-collectors-list command.

Command Example
!mar-search-multiple collectors=Services,HostInfo
Context Example
{
    "MAR": {
        "SearchMultiple": [
            {
                "status": "Stopped", 
                "description": "Volume Shadow Copy", 
                "startuptype": "Manual", 
                "ip_address": "192.168.1.156", 
                "created_at": "2019-02-06T17:20:57.204Z", 
                "hostname": "WIN-AQ0LQQOG4Q7", 
                "user": "LocalSystem", 
                "os": "Microsoft Windows [Version 6.3.9600]", 
                "name": "VSS"
            }, 
            {
                "status": "Running", 
                "description": "Network Store Interface Service", 
                "startuptype": "Automatic", 
                "ip_address": "192.168.1.156", 
                "created_at": "2019-02-06T17:20:57.204Z", 
                "hostname": "WIN-AQ0LQQOG4Q7", 
                "user": "NT Authority\\LocalService", 
                "os": "Microsoft Windows [Version 6.3.9600]", 
                "name": "nsi"
            }
        ]
    }
}
Human Readable Output


4. Get information for services


Returns services information from McAfee Active Response.

Base Command

mar-search-services

Input
Argument Name Description Required
filter-by Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and fields for all collectors’ outputs. Optional
filter-operator Filtering operator. Optional
filter-value Filtering value of the filter-by field. Optional

Context Output
Path Type Description
MAR.Services.Name unknown Service name.
MAR.Services.Description unknown Service description.
MAR.Services.Status unknown Service status.
MAR.Services.Startuptype unknown Service startup type.
MAR.Services.User unknown Service user.

Command Example
!mar-search-services
Context Example
{
    "MAR": {
        "Services": [
            {
                "Status": "Running", 
                "Description": "Base Filtering Engine", 
                "Startuptype": "Automatic", 
                "created_at": "2019-03-06T15:04:16.193Z", 
                "User": "NT AUTHORITY\\LocalService", 
                "Name": "BFE"
            }, 
            {
                "Status": "Running", 
                "Description": "Diagnostic Policy Service", 
                "Startuptype": "Automatic (Delayed Start)", 
                "created_at": "2019-03-06T15:04:16.193Z", 
                "User": "NT AUTHORITY\\LocalService", 
                "Name": "DPS"
            }, 
            {
                "Status": "Stopped", 
                "Description": "Encrypting File System (EFS)", 
                "Startuptype": "Manual", 
                "created_at": "2019-03-06T15:04:16.193Z", 
                "User": "LocalSystem", 
                "Name": "EFS"
            }
        ]
    }
}
Human Readable Output


5. Get information for processes


Returns processes information from McAfee Active Response.

Base Command

mar-search-processes

Input
Argument Name Description Required
filter-by Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and fields for all collectors outputs. Optional
filter-operator Filtering operator. Optional
filter-value Filtering value of the filter-by field. Optional

Context Output
Path Type Description
MAR.Processes.Name unknown Process name.
MAR.Processes.Id unknown Process ID.
MAR.Processes.Parentname unknown Process parent name.
MAR.Processes.Size unknown Process size.
MAR.Processes.Md5 unknown Process MD5 hash.
MAR.Processes.Sha1 unknown Process SHA-1 hash.
MAR.Processes.Cmdline unknown Process command line.
MAR.Processes.Imagepath unknown Process image path.
MAR.Processes.Kerneltime unknown Process kernel time.
MAR.Processes.Usertime unknown Process user time.
MAR.Processes.Uptime unknown Process up time.
MAR.Processes.User unknown Process user.
MAR.Processes.User_id unknown Process user ID.

Command Example
!mar-search-processes
Context Example
{
    "MAR": {
        "Processes": [
            {
                "Uptime": 8468384, 
                "Imagepath": "C:\\WINDOWS\\SYSTEM32\\CSRSS.EXE", 
                "User_id": "S-1-5-18", 
                "Name": "CSRSS.EXE", 
                "Usertime": 3, 
                "created_at": "2019-02-07T09:16:39.195Z", 
                "Parentname": "-", 
                "Cmdline": "-", 
                "Sha1": "C79E4586989EBB8E8F8084B5EB49AFBFD243A625", 
                "User": "NT AUTHORITY\\SYSTEM", 
                "Kerneltime": 16, 
                "Size": 2048, 
                "Id": 336, 
                "Md5": "B2D3F07F5E8A13AF988A8B3C0A800880"
            }, 
            {
                "Uptime": 8468383, 
                "Imagepath": "C:\\WINDOWS\\SYSTEM32\\WININIT.EXE", 
                "User_id": "S-1-5-18", 
                "Name": "WININIT.EXE", 
                "Usertime": "-", 
                "created_at": "2019-02-07T09:16:39.195Z", 
                "Parentname": "-", 
                "Cmdline": "wininit.exe", 
                "Sha1": "83D158A31A41C3FC37DB569F187108C754C629C8", 
                "User": "NT AUTHORITY\\SYSTEM", 
                "Kerneltime": "-", 
                "Size": 840, 
                "Id": 388, 
                "Md5": "D9516405E05F24EDCD90B1988FAF3948"
            }
        ]
    }
}
Human Readable Output


6. Get information for WinRegistry


Returns WinRegistry information from McAfee Active Response.

Base Command

mar-search-win-registry

Input
Argument Name Description Required
filter-by Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and fields for all collectors outputs. Optional
filter-operator Filtering operator. Optional
filter-value Filtering value of the filter-by field. Optional

Context Output
Path Type Description
MAR.WinRegistry.Keypath unknown WinRegistry key path.
MAR.WinRegistry.Keyvalue unknown WinRegistry key value.
MAR.WinRegistry.Valuedata unknown WinRegistry value data.
MAR.WinRegistry.Valuetype unknown WinRegistry value type.

Command Example
!mar-search-win-registry

7. Get information for files


Returns file information from McAfee Active Response.

Base Command

mar-search-files

Input
Argument Name Description Required
filter-by Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and fields for all collectors outputs. Optional
filter-operator Filtering operator. Optional
filter-value Filtering value of the filter-by field. Optional

Context Output
Path Type Description
MAR.Files.Name unknown File name.
MAR.Files.Dir unknown File directory.
MAR.Files.Full_name unknown File full name.
MAR.Files.Size unknown File size.
MAR.Files.Last_write unknown File last write.
MAR.Files.MD5 unknown File MD5 hash.
MAR.Files.Sha1 unknown File SHA-1 hash.
MAR.Files.Created_at unknown Datetime the file was created.
MAR.Files.Deleted_at unknown Datetime the file was deleted.

Command Example
!mar-search-files

8. Get information for USB-connected devices


Returns information for USB connected devices from McAfee Active Response.

Base Command

mar-search-usb-connected-storage-devices

Input
Argument Name Description Required
filter-by Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and fields for all collectors outputs. Optional
filter-operator Filtering operator. Optional
filter-value Filtering value of the filter-by field. Optional

Context Output
Path Type Description
MAR.UsbConnectedStorageDevices.Vendor_id unknown USB connected storage devices vendor ID.
MAR.UsbConnectedStorageDevices.Product_id unknown USB connected storage devices product ID.
MAR.UsbConnectedStorageDevices.Serial_number unknown USB connected storage devices serial number.
MAR.UsbConnectedStorageDevices.Device_type unknown USB connected storage devices type.
MAR.UsbConnectedStorageDevices.Guid unknown USB connected storage devices GUID.
MAR.UsbConnectedStorageDevices.Last_connection_time unknown USB connected storage devices last connection time.
MAR.UsbConnectedStorageDevices.User_name unknown USB connected storage devices user name.
MAR.UsbConnectedStorageDevices.Last_time_used_by_user unknown Last time the USB connected storage device was used by a user.

Command Example
!mar-search-usb-connected-storage-devices

9. Get information for user profiles


Returns user profile information from McAfee Active Response.

Base Command

mar-search-user-profiles

Input
Argument Name Description Required
filter-by Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and fields for all collectors outputs. Optional
filter-operator Filtering operator. Optional
filter-value Filtering value of the filter-by field. Optional

Context Output
Path Type Description
MAR.UserProfiles.Accountdisabled unknown User profile account disabled.
MAR.UserProfiles.Domain unknown User profile domain.
MAR.UserProfiles.Fullname unknown User profile full name.
MAR.UserProfiles.Installdate unknown User profile install date.
MAR.UserProfiles.Localaccount unknown User profile local account.
MAR.UserProfiles.Lockedout unknown Whether the user profile account is locked out.
MAR.UserProfiles.Accountname unknown User profile account name.
MAR.UserProfiles.Sid unknown User profile SID.
MAR.UserProfiles.Passwordexpires unknown Whether the user profile password expires.

Command Example
!mar-search-user-profiles
Context Example
{
    "MAR": {
       "UserProfiles": [
            {
                "Domain": "-", 
                "Installdate": "2017-10-02T06:15:20.000Z", 
                "Localaccount": "False", 
                "created_at": "2019-03-06T15:39:44.193Z", 
                "Sid": "S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133", 
                "Accountname": "MSSQL$SQLEXPRESS", 
                "Lockedout": "-", 
                "Fullname": "-", 
                "Accountdisabled": "-", 
                "Passwordexpires": "-"
            }, 
            {
                "Domain": "WIN-AQ0LQQOG4Q7", 
                "Installdate": "2017-09-17T02:20:46.000Z", 
                "Localaccount": "True", 
                "created_at": "2019-03-06T15:39:44.193Z", 
                "Sid": "S-1-5-21-2851129524-1971544412-1620677069-500", 
                "Accountname": "Administrator", 
                "Lockedout": "False", 
                "Fullname": "-", 
                "Accountdisabled": "False", 
                "Passwordexpires": "False"
            }, 
            {
                "Domain": "WIN-AQ0LQQOG4Q7", 
                "Installdate": "-", 
                "Localaccount": "True", 
                "created_at": "2019-03-06T15:39:44.193Z", 
                "Sid": "S-1-5-21-2851129524-1971544412-1620677069-501", 
                "Accountname": "Guest", 
                "Lockedout": "False", 
                "Fullname": "-", 
                "Accountdisabled": "True", 
                "Passwordexpires": "False"
            }
        ]
    }
}
Human Readable Output

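As an added example (not the integration's own code), a small Python helper for two things this page describes: assembling a !mar-search line from the arguments in the mar-search Input table (assuming the three filter arguments are only meaningful together; the page does not list valid operator names), and post-processing the context output shown in the Context Example blocks, where "-" stands for a missing value and booleans arrive as the strings "True"/"False". The sample records are constructed to match the shapes shown above.

```python
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Constructed samples shaped like the MAR.UserProfiles and MAR.Processes context
# on this page: "-" means "not available" and booleans arrive as strings.
SAMPLE_USER_PROFILES: List[Dict[str, Any]] = [
    {"Accountname": "Administrator", "Localaccount": "True", "Accountdisabled": "False"},
    {"Accountname": "Guest", "Localaccount": "True", "Accountdisabled": "True"},
    {"Accountname": "MSSQL$SQLEXPRESS", "Localaccount": "False", "Accountdisabled": "-"},
]
SAMPLE_PROCESSES: List[Dict[str, Any]] = [
    {"Name": "CSRSS.EXE", "Usertime": 3, "Md5": "B2D3F07F5E8A13AF988A8B3C0A800880",
     "Sha1": "C79E4586989EBB8E8F8084B5EB49AFBFD243A625"},
    {"Name": "WININIT.EXE", "Usertime": "-", "Md5": "D9516405E05F24EDCD90B1988FAF3948",
     "Sha1": "83D158A31A41C3FC37DB569F187108C754C629C8"},
    {"Name": "CSRSS.EXE", "Usertime": "-", "Md5": "B2D3F07F5E8A13AF988A8B3C0A800880",
     "Sha1": "C79E4586989EBB8E8F8084B5EB49AFBFD243A625"},  # second csrss, same binary
]


def build_mar_search(collector: str, outputs: Iterable[str] = (),
                     filter_by: Optional[str] = None, filter_operator: Optional[str] = None,
                     filter_value: Optional[str] = None) -> str:
    """Build a !mar-search line from the arguments on this page (assumption: the three
    filter arguments are only meaningful together; operator names are not listed here)."""
    if not collector:
        raise ValueError("collector is required")
    parts = [f"!mar-search collector={collector}"]
    if outputs:
        parts.append("outputs=" + ",".join(outputs))
    given = [x is not None for x in (filter_by, filter_operator, filter_value)]
    if any(given) and not all(given):
        raise ValueError("filter-by, filter-operator and filter-value go together")
    if all(given):
        value = f'"{filter_value}"' if " " in str(filter_value) else str(filter_value)
        parts += [f"filter-by={filter_by}", f"filter-operator={filter_operator}",
                  f"filter-value={value}"]
    return " ".join(parts)


def normalize_record(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Map MAR's "-" placeholder to None and "True"/"False" strings to bools."""
    out: Dict[str, Any] = {}
    for key, val in rec.items():
        if val == "-":
            val = None
        elif val in ("True", "False"):
            val = val == "True"
        out[key] = val
    return out


def enabled_local_accounts(profiles: Iterable[Dict[str, Any]]) -> List[str]:
    """Local accounts that are explicitly enabled (unknown "-" values are excluded)."""
    return sorted(p["Accountname"] for p in map(normalize_record, profiles)
                  if p.get("Localaccount") is True and p.get("Accountdisabled") is False)


def process_hashes(processes: Iterable[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Unique (MD5, SHA-1) pairs from MAR.Processes, de-duplicated for enrichment."""
    seen = {(p["Md5"], p["Sha1"]) for p in map(normalize_record, processes)
            if p.get("Md5") and p.get("Sha1")}
    return sorted(seen)
```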

10. Get information for scheduled tasks


Returns scheduled task information from McAfee Active Response.

Base Command

mar-search-scheduled-tasks

Input
Argument Name Description Required
filter-by Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and their fields. Optional
filter-operator Filtering operator. Optional
filter-value Filtering value of the filter-by field. Optional

Context Output
Path Type Description
MAR.ScheduledTasks.Folder unknown Scheduled tasks folder.
MAR.ScheduledTasks.Taskname unknown Scheduled tasks name.
MAR.ScheduledTasks.Status unknown Scheduled tasks status.
MAR.ScheduledTasks.Last_run unknown Scheduled tasks last run.
MAR.ScheduledTasks.Username unknown Scheduled tasks user name.
MAR.ScheduledTasks.Schedule_on unknown Scheduled tasks schedule on.

Command Example
!mar-search-scheduled-tasks
Context Example
{
    "MAR": {
       "ScheduledTasks": [
            {
                "Status": "Ready", 
                "Username": "SYSTEM", 
                "created_at": "2019-03-06T15:41:29.195Z", 
                "Schedule_on": "Log On, Daily", 
                "Last_run": "2019-03-05T16:54:08.000Z", 
                "Taskname": "GoogleUpdateTaskMachineCore", 
                "Folder": "/"
            }, 
            {
                "Status": "Disabled", 
                "Username": "SYSTEM", 
                "created_at": "2019-03-06T15:41:29.195Z", 
                "Schedule_on": "Idle", 
                "Last_run": "2017-09-17T02:32:59.000Z", 
                "Taskname": ".NET Framework NGEN v4.0.30319 64 Critical", 
                "Folder": "/Microsoft/Windows/.NET Framework"
            }
        ]
    }
}
Human Readable Output


11. Get information for hosts


Returns host information from McAfee Active Response.

Base Command

mar-search-host-info

Input
Argument Name Description Required
filter-by Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and fields for all collectors outputs. Optional
filter-operator Filtering operator. Optional
filter-value Filtering value of the filter-by field. Optional

Context Output
Path Type Description
MAR.HostInfo.Hostname unknown Host name.
MAR.HostInfo.Ip_address unknown Host IP address.
MAR.HostInfo.Os unknown Host operating system.

Command Example
!mar-search-host-info
Context Example
{
    "MAR": {
       "HostInfo": [
            {
                "Os": "Microsoft Windows [Version 6.3.9600]", 
                "created_at": "2019-03-06T15:44:10.192Z", 
                "Hostname": "WIN-AQ0LQQOG4Q7", 
                "Ip_address": "192.168.1.156"
            }
        ]
    }
}
Human Readable Output
