McAfee Threat Intelligence Exchange

Use the McAfee Threat Intelligence Exchange (TIE) integration to get file reputations and the systems that reference the files.

Detailed Instructions

This section includes information required for configuring an integration instance.

Prerequisites - Connect to McAfee Threat Intelligence Exchange (TIE) using the DXL TIE Client

To connect to McAfee TIE using the DXL TIE client, you need to create certificates and configure DXL. For more information, see the OpenDXL documentation. After you complete this configuration, you will have the following files:

  • Broker CA certificates (brokercerts.crt file)
  • Client certificate (client.crt file)
  • Client private key (client.key file)
  • Broker list properties file (brokerlist.properties file)

To use the tie-set-file-reputation command, you need to authorize the client (Demisto) to run it. Follow the instructions in the OpenDXL documentation. In step #4, instead of selecting Active Response Server API, select TIE Server Set Enterprise Reputation.

Dependencies (Python packages)

You do not need to install the packages; they are included in the Docker image.

Configure McAfee Threat Intelligence Exchange on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for McAfee Threat Intelligence Exchange.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Broker CA certificates content (see brokercerts.crt in Detailed Instructions).
    • Client certificates content (see client.crt in Detailed Instructions).
    • Client private key path (e.g., /usr/config/client.key).
    • A CSV list of broker URLs in the format [ssl://]<hostname>[:port]. Get the hostname and port from the brokerlist.properties file (see Detailed Instructions). The broker must be reachable from the Demisto server.
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get the reputation for a file hash: file
  2. Set the enterprise reputation for a file: tie-set-file-reputation
  3. Get the systems that referenced a file: tie-file-references

1. Get the reputation for a file hash

Retrieves the reputations for the specified hash. Supports MD5, SHA1, and SHA256.

Base Command

file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | Hash of the file to query. Can be MD5, SHA1, or SHA256. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.MD5 | unknown | MD5 hash of the file (if supplied). |
| File.SHA1 | unknown | SHA1 hash of the file (if supplied). |
| File.SHA256 | unknown | SHA256 hash of the file (if supplied). |
| File.TrustLevel | unknown | The lowest trust level reported for the file. |
| File.Vendor | unknown | The vendor that reported the lowest trust level. |
| DBotScore.Score | unknown | The actual score. |
| DBotScore.Vendor | unknown | Vendor used to calculate the score. |
| DBotScore.Type | unknown | Indicator type. |
| DBotScore.Indicator | unknown | The hash of the file. |
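The File.TrustLevel, File.Vendor and DBotScore entries above are derived from the per-provider reputations TIE returns for a hash. The following added example (not the integration's own code) shows that derivation on a constructed response, including the NOT_SET case where a provider has not assessed the file; the numeric trust levels, provider IDs and DBotScore thresholds are assumptions.

```python
TRUST_LEVELS = {  # assumed to mirror dxltieclient.constants.TrustLevel
    "KNOWN_TRUSTED_INSTALLER": 100, "KNOWN_TRUSTED": 99,
    "MOST_LIKELY_TRUSTED": 85, "MIGHT_BE_TRUSTED": 70, "UNKNOWN": 50,
    "MIGHT_BE_MALICIOUS": 30, "MOST_LIKELY_MALICIOUS": 15,
    "KNOWN_MALICIOUS": 1, "NOT_SET": 0,
}
LEVEL_NAMES = {v: k for k, v in TRUST_LEVELS.items()}
PROVIDERS = {1: "GTI", 3: "Enterprise", 5: "ATD"}  # assumed FileProvider IDs
HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}  # hex digest length -> type


def lowest_reputation(reputations):
    """Return (trust level name, vendor) for the provider reporting the lowest trust.

    NOT_SET (0) entries are skipped: a provider that has not assessed the file
    must not drag the result down to the "lowest" level.
    """
    rated = {pid: r for pid, r in reputations.items() if r.get("trustLevel", 0) > 0}
    if not rated:
        return "NOT_SET", None
    pid, rep = min(rated.items(), key=lambda kv: kv[1]["trustLevel"])
    return LEVEL_NAMES.get(rep["trustLevel"], "UNKNOWN"), PROVIDERS.get(pid, "provider %d" % pid)


def dbot_score(level_name):
    """Map a trust level to DBotScore: 0 unknown, 1 good, 2 suspicious, 3 bad (thresholds assumed)."""
    level = TRUST_LEVELS[level_name]
    if level in (0, 50):
        return 0
    if level >= 70:
        return 1
    return 2 if level == 30 else 3


def build_context(file_hash, reputations):
    """Build the File and DBotScore context entries listed in the table above."""
    file_hash = file_hash.lower()
    hash_type = HASH_TYPES.get(len(file_hash))
    if hash_type is None or any(c not in "0123456789abcdef" for c in file_hash):
        raise ValueError("file must be an MD5, SHA1 or SHA256 hex digest")
    level_name, vendor = lowest_reputation(reputations)
    return {
        "File": {hash_type: file_hash, "TrustLevel": level_name, "Vendor": vendor},
        "DBotScore": {"Indicator": file_hash, "Type": "file", "Score": dbot_score(level_name),
                      "Vendor": "McAfee Threat Intelligence Exchange"},
    }


# Constructed sample in the shape TIE returns (provider ID -> reputation):
# GTI has not assessed the file (NOT_SET), Enterprise trusts it, ATD flags it.
SAMPLE_REPUTATIONS = {1: {"trustLevel": 0}, 3: {"trustLevel": 85}, 5: {"trustLevel": 15}}
```

Calling build_context("3d720dc2b8b0ff23f616aa850447e702eb89047e", SAMPLE_REPUTATIONS) yields TrustLevel MOST_LIKELY_MALICIOUS from vendor ATD with a DBotScore of 3, because the lowest rated provider wins and the NOT_SET entry is ignored.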

Command Example
!file file=3d720dc2b8b0ff23f616aa850447e702eb89047e
Human Readable Output


2. Set the enterprise reputation for a file

Sets the “Enterprise” reputation (trust level) of a specified file. Permissions are required to invoke this command; see the Prerequisites in Detailed Instructions above.

Base Command

tie-set-file-reputation

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | Hash of the file for which to set the reputation. Can be MD5, SHA1, or SHA256. | Required |
| trust_level | The new trust level for the file (e.g., MOST_LIKELY_TRUSTED, as in the example below). | Required |
| filename | A file name to associate with the file. | Optional |
| comment | A comment to associate with the file. | Optional |

Context Output

There is no context output for this command.

Command Example
!tie-set-file-reputation file=3b0fcc439a7d83860433d34e564ff1e9ddd4cfaa trust_level=MOST_LIKELY_TRUSTED
Human Readable Output


3. Get the systems that referenced a file

Retrieves the set of systems that have referenced (typically executed) the specified file.

Base Command

tie-file-references

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | Hash of the file for which to search. Can be MD5, SHA1, or SHA256. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.MD5 | unknown | MD5 hash of the file (if supplied). |
| File.SHA1 | unknown | SHA1 hash of the file (if supplied). |
| File.SHA256 | unknown | SHA256 hash of the file (if supplied). |
| File.References.AgentGuid | unknown | The GUID of the system that referenced the file. |
| File.References.Date | unknown | The time the system first referenced the file. |

Command Example
!tie-file-references file=3d720dc2b8b0ff23f616aa850447e702eb89047e
Human Readable Output
