McAfee Active Response
This integration is part of the McAfee Active Response Pack. This integration was integrated and tested with version 2.1.0 of McAfee Active Response.
Playbooks
- Endpoint data collection
- MAR - Endpoint data collection
Use Cases
Capture and monitor events, files, host flows, process objects, context, and system state changes that may be indicators of attack (IoAs) or attack components lying dormant.
Create a McAfee DXL Certificate for McAfee Active Response
To configure an instance of McAfee Active Response, you first need to create a McAfee DXL certificate and add the certificate to the McAfee Intelligence Exchange integration.
Prerequisite
Before you create a McAfee DXL certificate, make sure you have a Broker CA certificate (brokercerts.crt).
- Generate a certificate signing request (CSR) with a tool such as CSR generator.
- Save the CSR and the private key as separate files.
- Access your McAfee ePolicy Orchestrator environment.
- Navigate to Server Settings.
- Select DXL Certificates and click Edit.
- Click Import CSR and select the CSR file you created previously.
- Select your certificate and click Export Certificate. This generates a CRT file.
- Add your certificate to Restrict Send Certificates and Restrict Receive Certificates.
- In Cortex XSOAR, search for the McAfee Active Response integration and click Add instance.
- Broker CA certificates content - The content of the brokercerts.crt file.
- Client certificates content - The content of the CRT file you created previously.
- Client private key path - The content of the private key file you created previously.
- Brokers urls - Broker server IP address, port: 8883.
- Use Load-Balancing Group - Should be enabled.
Configure McAfee Active Response on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for McAfee Active Response.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Broker CA certificates content (see brokercerts.crt in the Detailed Instructions section).
- Client certificates content (see client.crt in the Detailed Instructions section).
- Client private key content (see client.key in the Detailed Instructions section).
- Brokers URLs (CSV list in the form of [ssl://][:port]) - Get the hostname and port from the brokerlist.properties file in the Detailed Instructions section. Note that the broker must be reachable from the Cortex XSOAR server.
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Search endpoint data: mar-search
- Get a list of collectors: mar-collectors-list
- Search endpoint data crossed by multiple collectors: mar-search-multiple
- Get information for services: mar-search-services
- Get information for processes: mar-search-processes
- Get information for WinRegistry: mar-search-win-registry
- Get information for files: mar-search-files
- Get information for USB-connected devices: mar-search-usb-connected-storage-devices
- Get information for user profiles: mar-search-user-profiles
- Get information for scheduled tasks: mar-search-scheduled-tasks
- Get information for hosts: mar-search-host-info
1. Search endpoint data
Executes a search for endpoint data.
Base Command
mar-search
Input
Argument Name | Description | Required |
---|---|---|
collector | The collector to query. | Required |
prejection-collector | Prejection collector to return. By default, the prejection collector is equal to the collector. | Optional |
outputs | CSV list of fields (outputs) to return. Run the mar-collectors-list command to view all collectors and their output fields. If not supplied, all outputs are displayed. | Optional |
filter-by | Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and their output fields. | Optional |
filter-operator | Filtering operator. | Optional |
filter-value | Filtering value of the filter-by field. | Optional |
Context Output
Path | Type | Description |
---|---|---|
MAR | unknown | MAR results in a given collector, e.g., `MAR.HostInfo`. For information about possible output paths, run the mar-collectors-list command. |
Command Example
!mar-search collector=Processes
Context Example
```json
{
  "MAR": {
    "Services": [
      {"status": "Running", "description": "Base Filtering Engine", "startuptype": "Automatic", "created_at": "2019-02-06T17:16:25.193Z", "user": "NT AUTHORITY\\LocalService", "name": "BFE"},
      {"status": "Running", "description": "Diagnostic Policy Service", "startuptype": "Automatic (Delayed Start)", "created_at": "2019-02-06T17:16:25.193Z", "user": "NT AUTHORITY\\LocalService", "name": "DPS"},
      {"status": "Stopped", "description": "Encrypting File System (EFS)", "startuptype": "Manual", "created_at": "2019-02-06T17:16:25.193Z", "user": "LocalSystem", "name": "EFS"}
    ]
  }
}
```
Human Readable Output
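The filter-by / filter-operator / filter-value triple and the outputs argument described for mar-search narrow raw collector rows and shape them into the MAR.<Collector> context keys used by the per-collector commands below. The following is an added example, not code from the integration itself; the operator names (equals, not_equals, contains, starts_with) are an assumption chosen for illustration, since this page does not list MAR's own operators, and the sample rows are constructed from the Services output shown above.

```python
"""Client-side filtering and context shaping for MAR collector rows (added example)."""
from typing import Any, Callable, Dict, List, Optional

Row = Dict[str, Any]

# Constructed sample: raw Services rows as returned by `mar-search collector=Services`.
RAW_SERVICES: List[Row] = [
    {"status": "Running", "description": "Base Filtering Engine", "startuptype": "Automatic",
     "created_at": "2019-02-06T17:16:25.193Z", "user": "NT AUTHORITY\\LocalService", "name": "BFE"},
    {"status": "Running", "description": "Diagnostic Policy Service", "startuptype": "Automatic (Delayed Start)",
     "created_at": "2019-02-06T17:16:25.193Z", "user": "NT AUTHORITY\\LocalService", "name": "DPS"},
    {"status": "Stopped", "description": "Encrypting File System (EFS)", "startuptype": "Manual",
     "created_at": "2019-02-06T17:16:25.193Z", "user": "LocalSystem", "name": "EFS"},
]

# Assumed operator names (illustrative only); each maps to a predicate on string values.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda have, want: have == want,
    "not_equals": lambda have, want: have != want,
    "contains": lambda have, want: want.lower() in have.lower(),
    "starts_with": lambda have, want: have.lower().startswith(want.lower()),
}


def filter_rows(rows: List[Row], filter_by: Optional[str] = None,
                filter_operator: str = "equals", filter_value: Optional[str] = None) -> List[Row]:
    """Keep rows whose `filter_by` field satisfies the operator; with no filter-by, keep all rows."""
    if not filter_by:
        return list(rows)
    if filter_operator not in OPERATORS:
        raise ValueError(f"unknown filter-operator: {filter_operator}")
    pred = OPERATORS[filter_operator]
    # Missing fields compare as empty strings so a typo in filter-by yields no matches, not a crash.
    return [r for r in rows if pred(str(r.get(filter_by, "")), str(filter_value))]


def to_context(collector: str, rows: List[Row], outputs: Optional[str] = None) -> Dict[str, Any]:
    """Shape rows into {"MAR": {collector: [...]}} with capitalized keys, matching context
    paths such as MAR.Services.Startuptype. `outputs` is the CSV list of fields to keep."""
    keep = {o.strip() for o in outputs.split(",")} if outputs else None
    shaped: List[Row] = []
    for r in rows:
        entry = {k.capitalize(): v for k, v in r.items() if keep is None or k in keep}
        shaped.append(entry)
    return {"MAR": {collector: shaped}}


if __name__ == "__main__":
    stopped = filter_rows(RAW_SERVICES, "status", "equals", "Stopped")
    print(to_context("Services", stopped, outputs="name,status,user"))
```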
2. Get a list of collectors
Returns a list of all collectors and their outputs.
Base Command
mar-collectors-list
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Command Example
!mar-collectors-list
Human Readable Output
3. Search endpoint data crossed by multiple collectors
Searches endpoint data crossed by multiple collectors.
Base Command
mar-search-multiple
Input
Argument Name | Description | Required |
---|---|---|
collectors | The collectors to query. | Required |
filter_collector | The collector to filter by, e.g., HostInfo. | Optional |
filter-by | Field name (output) of filter_collector to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and fields. | Optional |
filter-operator | Filtering operator. | Optional |
filter-value | Filtering value of the filter-by field. | Optional |
Context Output
Path | Type | Description |
---|---|---|
MAR.SearchMultiple | unknown | The result of the search query. For information about possible output paths, run the mar-collectors-list command. |
Command Example
!mar-search-multiple collectors=Services,HostInfo
Context Example
```json
{
  "MAR": {
    "SearchMultiple": [
      {"status": "Stopped", "description": "Volume Shadow Copy", "startuptype": "Manual", "ip_address": "192.168.1.156", "created_at": "2019-02-06T17:20:57.204Z", "hostname": "WIN-AQ0LQQOG4Q7", "user": "LocalSystem", "os": "Microsoft Windows [Version 6.3.9600]", "name": "VSS"},
      {"status": "Running", "description": "Network Store Interface Service", "startuptype": "Automatic", "ip_address": "192.168.1.156", "created_at": "2019-02-06T17:20:57.204Z", "hostname": "WIN-AQ0LQQOG4Q7", "user": "NT Authority\\LocalService", "os": "Microsoft Windows [Version 6.3.9600]", "name": "nsi"}
    ]
  }
}
```
Human Readable Output
4. Get information for services
Returns services information from McAfee Active Response.
Base Command
mar-search-services
Input
Argument Name | Description | Required |
---|---|---|
filter-by | Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and their output fields. | Optional |
filter-operator | Filtering operator. | Optional |
filter-value | Filtering value of the filter-by field. | Optional |
Context Output
Path | Type | Description |
---|---|---|
MAR.Services.Name | unknown | Service name. |
MAR.Services.Description | unknown | Service description. |
MAR.Services.Status | unknown | Service status. |
MAR.Services.Startuptype | unknown | Service startup type. |
MAR.Services.User | unknown | Service user. |
Command Example
!mar-search-services
Context Example
```json
{
  "MAR": {
    "Services": [
      {"Status": "Running", "Description": "Base Filtering Engine", "Startuptype": "Automatic", "created_at": "2019-03-06T15:04:16.193Z", "User": "NT AUTHORITY\\LocalService", "Name": "BFE"},
      {"Status": "Running", "Description": "Diagnostic Policy Service", "Startuptype": "Automatic (Delayed Start)", "created_at": "2019-03-06T15:04:16.193Z", "User": "NT AUTHORITY\\LocalService", "Name": "DPS"},
      {"Status": "Stopped", "Description": "Encrypting File System (EFS)", "Startuptype": "Manual", "created_at": "2019-03-06T15:04:16.193Z", "User": "LocalSystem", "Name": "EFS"}
    ]
  }
}
```
Human Readable Output
5. Get information for processes
Returns processes information from McAfee Active Response.
Base Command
mar-search-processes
Input
Argument Name | Description | Required |
---|---|---|
filter-by | Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and their output fields. | Optional |
filter-operator | Filtering operator. | Optional |
filter-value | Filtering value of the filter-by field. | Optional |
Context Output
Path | Type | Description |
---|---|---|
MAR.Processes.Name | unknown | Process name. |
MAR.Processes.Id | unknown | Process ID. |
MAR.Processes.Parentname | unknown | Process parent name. |
MAR.Processes.Size | unknown | Process size. |
MAR.Processes.Md5 | unknown | Process MD5 hash. |
MAR.Processes.Sha1 | unknown | Process SHA-1 hash. |
MAR.Processes.Cmdline | unknown | Process command line. |
MAR.Processes.Imagepath | unknown | Process image path. |
MAR.Processes.Kerneltime | unknown | Process kernel time. |
MAR.Processes.Usertime | unknown | Process user time. |
MAR.Processes.Uptime | unknown | Process up time. |
MAR.Processes.User | unknown | Process user. |
MAR.Processes.User_id | unknown | Process user ID. |
Command Example
!mar-search-processes
Context Example
```json
{
  "MAR": {
    "Processes": [
      {"Uptime": 8468384, "Imagepath": "C:\\WINDOWS\\SYSTEM32\\CSRSS.EXE", "User_id": "S-1-5-18", "Name": "CSRSS.EXE", "Usertime": 3, "created_at": "2019-02-07T09:16:39.195Z", "Parentname": "-", "Cmdline": "-", "Sha1": "C79E4586989EBB8E8F8084B5EB49AFBFD243A625", "User": "NT AUTHORITY\\SYSTEM", "Kerneltime": 16, "Size": 2048, "Id": 336, "Md5": "B2D3F07F5E8A13AF988A8B3C0A800880"},
      {"Uptime": 8468383, "Imagepath": "C:\\WINDOWS\\SYSTEM32\\WININIT.EXE", "User_id": "S-1-5-18", "Name": "WININIT.EXE", "Usertime": "-", "created_at": "2019-02-07T09:16:39.195Z", "Parentname": "-", "Cmdline": "wininit.exe", "Sha1": "83D158A31A41C3FC37DB569F187108C754C629C8", "User": "NT AUTHORITY\\SYSTEM", "Kerneltime": "-", "Size": 840, "Id": 388, "Md5": "D9516405E05F24EDCD90B1988FAF3948"}
    ]
  }
}
```
Human Readable Output
6. Get information for WinRegistry
Returns WinRegistry information from McAfee Active Response.
Base Command
mar-search-win-registry
Input
Argument Name | Description | Required |
---|---|---|
filter-by | Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and their output fields. | Optional |
filter-operator | Filtering operator. | Optional |
filter-value | Filtering value of the filter-by field. | Optional |
Context Output
Path | Type | Description |
---|---|---|
MAR.WinRegistry.Keypath | unknown | WinRegistry key path. |
MAR.WinRegistry.Keyvalue | unknown | WinRegistry key value. |
MAR.WinRegistry.Valuedata | unknown | WinRegistry value data. |
MAR.WinRegistry.Valuetype | unknown | WinRegistry value type. |
Command Example
!mar-search-win-registry
7. Get information for files
Returns file information from McAfee Active Response.
Base Command
mar-search-files
Input
Argument Name | Description | Required |
---|---|---|
filter-by | Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and their output fields. | Optional |
filter-operator | Filtering operator. | Optional |
filter-value | Filtering value of the filter-by field. | Optional |
Context Output
Path | Type | Description |
---|---|---|
MAR.Files.Name | unknown | File name. |
MAR.Files.Dir | unknown | File directory. |
MAR.Files.Full_name | unknown | File full name. |
MAR.Files.Size | unknown | File size. |
MAR.Files.Last_write | unknown | File last write. |
MAR.Files.MD5 | unknown | File MD5 hash. |
MAR.Files.Sha1 | unknown | File SHA-1 hash. |
MAR.Files.Created_at | unknown | Datetime the file was created. |
MAR.Files.Deleted_at | unknown | Datetime the file was deleted. |
Command Example
!mar-search-files
8. Get information for USB-connected devices
Returns information for USB-connected storage devices from McAfee Active Response.
Base Command
mar-search-usb-connected-storage-devices
Input
Argument Name | Description | Required |
---|---|---|
filter-by | Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and their output fields. | Optional |
filter-operator | Filtering operator. | Optional |
filter-value | Filtering value of the filter-by field. | Optional |
Context Output
Path | Type | Description |
---|---|---|
MAR.UsbConnectedStorageDevices.Vendor_id | unknown | USB-connected storage device vendor ID. |
MAR.UsbConnectedStorageDevices.Product_id | unknown | USB-connected storage device product ID. |
MAR.UsbConnectedStorageDevices.Serial_number | unknown | USB-connected storage device serial number. |
MAR.UsbConnectedStorageDevices.Device_type | unknown | USB-connected storage device type. |
MAR.UsbConnectedStorageDevices.Guid | unknown | USB-connected storage device GUID. |
MAR.UsbConnectedStorageDevices.Last_connection_time | unknown | USB-connected storage device last connection time. |
MAR.UsbConnectedStorageDevices.User_name | unknown | USB-connected storage device user name. |
MAR.UsbConnectedStorageDevices.Last_time_used_by_user | unknown | Last time the USB-connected storage device was used by a user. |
Command Example
!mar-search-usb-connected-storage-devices
9. Get information for user profiles
Returns user profile information from McAfee Active Response.
Base Command
mar-search-user-profiles
Input
Argument Name | Description | Required |
---|---|---|
filter-by | Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and their output fields. | Optional |
filter-operator | Filtering operator. | Optional |
filter-value | Filtering value of the filter-by field. | Optional |
Context Output
Path | Type | Description |
---|---|---|
MAR.UserProfiles.Accountdisabled | unknown | User profile account disabled. |
MAR.UserProfiles.Domain | unknown | User profile domain. |
MAR.UserProfiles.Fullname | unknown | User profile full name. |
MAR.UserProfiles.Installdate | unknown | User profile install date. |
MAR.UserProfiles.Localaccount | unknown | User profile local account. |
MAR.UserProfiles.Lockedout | unknown | Whether the user profile account is locked out. |
MAR.UserProfiles.Accountname | unknown | User profile account name. |
MAR.UserProfiles.Sid | unknown | User profile SID. |
MAR.UserProfiles.Passwordexpires | unknown | Whether the user profile password expires. |
Command Example
!mar-search-user-profiles
Context Example
```json
{
  "MAR": {
    "UserProfiles": [
      {"Domain": "-", "Installdate": "2017-10-02T06:15:20.000Z", "Localaccount": "False", "created_at": "2019-03-06T15:39:44.193Z", "Sid": "S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133", "Accountname": "MSSQL$SQLEXPRESS", "Lockedout": "-", "Fullname": "-", "Accountdisabled": "-", "Passwordexpires": "-"},
      {"Domain": "WIN-AQ0LQQOG4Q7", "Installdate": "2017-09-17T02:20:46.000Z", "Localaccount": "True", "created_at": "2019-03-06T15:39:44.193Z", "Sid": "S-1-5-21-2851129524-1971544412-1620677069-500", "Accountname": "Administrator", "Lockedout": "False", "Fullname": "-", "Accountdisabled": "False", "Passwordexpires": "False"},
      {"Domain": "WIN-AQ0LQQOG4Q7", "Installdate": "-", "Localaccount": "True", "created_at": "2019-03-06T15:39:44.193Z", "Sid": "S-1-5-21-2851129524-1971544412-1620677069-501", "Accountname": "Guest", "Lockedout": "False", "Fullname": "-", "Accountdisabled": "True", "Passwordexpires": "False"}
    ]
  }
}
```
Human Readable Output
10. Get information for scheduled tasks
Returns scheduled task information from McAfee Active Response.
Base Command
mar-search-scheduled-tasks
Input
Argument Name | Description | Required |
---|---|---|
filter-by | Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and their output fields. | Optional |
filter-operator | Filtering operator. | Optional |
filter-value | Filtering value of the filter-by field. | Optional |
Context Output
Path | Type | Description |
---|---|---|
MAR.ScheduledTasks.Folder | unknown | Scheduled tasks folder. |
MAR.ScheduledTasks.Taskname | unknown | Scheduled tasks name. |
MAR.ScheduledTasks.Status | unknown | Scheduled tasks status. |
MAR.ScheduledTasks.Last_run | unknown | Scheduled task last run time. |
MAR.ScheduledTasks.Username | unknown | Scheduled tasks user name. |
MAR.ScheduledTasks.Schedule_on | unknown | Trigger the scheduled task runs on. |
Command Example
!mar-search-scheduled-tasks
Context Example
```json
{
  "MAR": {
    "ScheduledTasks": [
      {"Status": "Ready", "Username": "SYSTEM", "created_at": "2019-03-06T15:41:29.195Z", "Schedule_on": "Log On, Daily", "Last_run": "2019-03-05T16:54:08.000Z", "Taskname": "GoogleUpdateTaskMachineCore", "Folder": "/"},
      {"Status": "Disabled", "Username": "SYSTEM", "created_at": "2019-03-06T15:41:29.195Z", "Schedule_on": "Idle", "Last_run": "2017-09-17T02:32:59.000Z", "Taskname": ".NET Framework NGEN v4.0.30319 64 Critical", "Folder": "/Microsoft/Windows/.NET Framework"}
    ]
  }
}
```
Human Readable Output
11. Get information for hosts
Returns host information from McAfee Active Response.
Base Command
mar-search-host-info
Input
Argument Name | Description | Required |
---|---|---|
filter-by | Field name (output) to filter by, e.g., ip_address. Run the mar-collectors-list command to view all collectors and their output fields. | Optional |
filter-operator | Filtering operator. | Optional |
filter-value | Filtering value of the filter-by field. | Optional |
Context Output
Path | Type | Description |
---|---|---|
MAR.HostInfo.Hostname | unknown | Host name. |
MAR.HostInfo.Ip_address | unknown | Host IP address. |
MAR.HostInfo.Os | unknown | Host operating system. |
Command Example
!mar-search-host-info
Context Example
```json
{
  "MAR": {
    "HostInfo": [
      {"Os": "Microsoft Windows [Version 6.3.9600]", "created_at": "2019-03-06T15:44:10.192Z", "Hostname": "WIN-AQ0LQQOG4Q7", "Ip_address": "192.168.1.156"}
    ]
  }
}
```
Human Readable Output