McAfee Threat Intelligence Exchange (Deprecated)
This Integration is part of the McAfee Threat Intelligence Exchange Pack.
Deprecated
Use McAfee Threat Intelligence Exchange V2 integration instead.
Use the McAfee Threat Intelligence Exchange (TIE) integration to get file reputations and the systems that reference the files.
Detailed Instructions
This section includes information required for configuring an integration instance.
Prerequisites - Connect to McAfee Threat Intelligence Exchange (TIE) using the DXL TIE Client
To connect to McAfee TIE using the DXL TIE client, you need to create certificates and configure DXL. For more information, see the OpenDXL documentation. After you complete this configuration, you will have the following files:
- Broker CA certificates (brokercerts.crt file)
- Client certificate (client.crt file)
- Client private key (client.key file)
- Broker list properties file (brokerlist.properties file)
To use the tie-set-file-reputation command, you need to authorize the client (Cortex XSOAR) to run the command. Follow the instructions in the OpenDXL documentation. In step #4, instead of selecting Active Response Server API, select TIE Server Set Enterprise Reputation.
Dependencies (Python packages)
You don’t need to install the packages; they are included in the Docker image.
Configure McAfee Threat Intelligence Exchange on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for McAfee Threat Intelligence Exchange.
- Click Add instance to create and configure a new integration instance.
  - Name: a textual name for the integration instance.
  - Broker CA certificates content (see brokercerts.crt in Detailed Instructions)
  - Client certificates content (see client.crt in Detailed Instructions)
  - Client private key path (e.g., /usr/config/client.key)
  - A CSV list of broker URLs in the format [ssl://]<hostname>[:port]. Get the hostname and port from the brokerlist.properties file (in instructions). The broker should be reachable from the Cortex XSOAR server.
- Click Test to validate the URLs, token, and connection.
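One way to derive the broker URL list from brokerlist.properties before pasting it into the instance (an added example, not part of the integration). The `id=id;port;hostname;ip` line layout, the sample contents and the helper name `broker_urls_from_properties` are assumptions; check them against the file your provisioning step produced.

```python
import re

# Constructed sample. Assumed line layout (not shown on this page):
#   <broker id>=<broker id>;<port>;<hostname>;<ip address>
SAMPLE_BROKERLIST = """\
# constructed sample, not a real deployment
{11111111-2222-3333-4444-555555555555}={11111111-2222-3333-4444-555555555555};8883;dxlbroker1.example.test;192.0.2.10
{66666666-7777-8888-9999-000000000000}={66666666-7777-8888-9999-000000000000};8884;dxlbroker2.example.test;192.0.2.11
"""

HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")
PORT_RE = re.compile(r"[0-9]{1,5}")


def broker_urls_from_properties(text):
    """Build the CSV value for the broker URLs instance parameter."""
    urls = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        _, sep, value = line.partition("=")
        fields = [f.strip() for f in value.split(";")]
        if not sep or len(fields) < 3:
            raise ValueError(f"line {lineno}: expected id=id;port;hostname[;ip]")
        port, host = fields[1], fields[2]
        if not PORT_RE.fullmatch(port) or not 1 <= int(port) <= 65535:
            raise ValueError(f"line {lineno}: invalid port {port!r}")
        if not HOSTNAME_RE.fullmatch(host):
            raise ValueError(f"line {lineno}: invalid hostname {host!r}")
        # Always emit the explicit ssl:// scheme and port from the page's format.
        url = f"ssl://{host}:{int(port)}"
        if url not in urls:  # keep file order, drop duplicates
            urls.append(url)
    if not urls:
        raise ValueError("no brokers found")
    return ",".join(urls)


if __name__ == "__main__":
    print(broker_urls_from_properties(SAMPLE_BROKERLIST))
```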
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get the reputation for a file hash: file
- Set the enterprise reputation for a file: tie-set-file-reputation
- Get the systems that referenced a file: tie-file-references
1. Get the reputation for a file hash
Retrieves the reputations for the specified hash. Supports MD5, SHA1, and SHA256.
Base Command
file
Input
Argument Name | Description | Required |
---|---|---|
file | Hash of the file to query. Can be “MD5”, “SHA1”, or “SHA256”. | Required |
Context Output
Path | Type | Description |
---|---|---|
File.MD5 | unknown | MD5 hash of the file (if supplied). |
File.SHA1 | unknown | SHA1 hash of the file (if supplied). |
File.SHA256 | unknown | SHA256 hash of the file (if supplied). |
File.TrustLevel | unknown | File lowest trust level. |
File.Vendor | unknown | Vendor of the file lowest trust level. |
DBotScore.Score | unknown | The actual score. |
DBotScore.Vendor | unknown | Vendor used to calculate the score. |
DBotScore.Type | unknown | Indicator type. |
DBotScore.Indicator | unknown | The hash of the file. |
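How a "lowest trust level" result like File.TrustLevel and File.Vendor can be derived from several provider reputations, as an added example that is not the integration's own code. The numeric trust levels and provider IDs are the OpenDXL TIE client constants; the provider display names, the DBot score thresholds, the sample reputations and the `summarize` helper are assumptions.

```python
import re

# Trust levels and provider IDs as defined in the OpenDXL TIE client constants.
TRUST_LEVELS = {
    100: "KNOWN_TRUSTED_INSTALLER", 99: "KNOWN_TRUSTED",
    85: "MOST_LIKELY_TRUSTED", 70: "MIGHT_BE_TRUSTED", 50: "UNKNOWN",
    30: "MIGHT_BE_MALICIOUS", 15: "MOST_LIKELY_MALICIOUS",
    1: "KNOWN_MALICIOUS", 0: "NOT_SET",
}
PROVIDERS = {1: "GTI", 3: "Enterprise reputation", 5: "ATD", 7: "MWG"}
HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}  # hex digest lengths


def hash_type(value):
    """Classify a hex digest by length; reject anything else."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value) or len(value) not in HASH_TYPES:
        raise ValueError(f"not an MD5, SHA1 or SHA256 hex digest: {value!r}")
    return HASH_TYPES[len(value)]


def dbot_score(level):
    """Assumed thresholds: 0 unknown, 1 good, 2 suspicious, 3 bad."""
    if level == 0:
        return 0
    if level >= 70:
        return 1
    if level >= 50:
        return 0
    return 2 if level >= 30 else 3


def summarize(file_hash, reputations):
    """Pick the lowest trust level that a provider actually set."""
    # NOT_SET (0) means the provider has no opinion, so it must not win.
    rated = [r for r in reputations if r.get("trustLevel", 0) != 0]
    lowest = min(rated, key=lambda r: r["trustLevel"], default=None)
    level = lowest["trustLevel"] if lowest else 0
    return {
        "File": {
            hash_type(file_hash): file_hash,
            "TrustLevel": TRUST_LEVELS.get(level, str(level)),
            "Vendor": PROVIDERS.get(lowest.get("providerId")) if lowest else None,
        },
        "DBotScore": {"Indicator": file_hash, "Score": dbot_score(level)},
    }


# Constructed reputations: GTI trusts the file, Enterprise is unset, ATD does not.
SAMPLE = [{"providerId": 1, "trustLevel": 99}, {"providerId": 3, "trustLevel": 0},
          {"providerId": 5, "trustLevel": 15}]
```

The same `TRUST_LEVELS` names can serve as an allow-list for the trust_level argument before a playbook calls tie-set-file-reputation.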
Command Example
!file file=3d720dc2b8b0ff23f616aa850447e702eb89047e
Human Readable Output
2. Set the enterprise reputation for a file
Sets the “Enterprise” reputation (trust level) of a specified file. Permissions are required to invoke this method. See the ‘How-to’ in instance instruction.
Base Command
tie-set-file-reputation
Input
Argument Name | Description | Required |
---|---|---|
file | Hash of the file for which to set the reputation. Can be “MD5”, “SHA1”, or “SHA256”. | Required |
trust_level | The new trust level for the file. | Required |
filename | A file name to associate with the file. | Optional |
comment | A comment to associate with the file. | Optional |
Context Output
There is no context output for this command.
Command Example
!tie-set-file-reputation file=3b0fcc439a7d83860433d34e564ff1e9ddd4cfaa trust_level=MOST_LIKELY_TRUSTED
Human Readable Output
3. Get the systems that referenced a file
Retrieves the set of systems which have referenced (typically executed) the specified file.
Base Command
tie-file-references
Input
Argument Name | Description | Required |
---|---|---|
file | Hash of the file for which to search. Can be “MD5”, “SHA1”, or “SHA256”. | Required |
Context Output
Path | Type | Description |
---|---|---|
File.MD5 | unknown | MD5 hash of the file (if supplied). |
File.SHA1 | unknown | SHA1 hash of the file (if supplied). |
File.SHA256 | unknown | SHA256 hash of the file (if supplied). |
File.References.AgentGuid | unknown | The GUID of the system that referenced the file. |
File.References.Date | unknown | The time the system first referenced the file. |
Command Example
!tie-file-references file=3d720dc2b8b0ff23f616aa850447e702eb89047e
Human Readable Output