Skip to main content

McAfee Threat Intelligence Exchange v2

This Integration is part of the McAfee Threat Intelligence Exchange Pack.#

Use the McAfee Threat Intelligence Exchange (TIE) integration to get file reputations and the systems that reference the files. Connect to McAfee TIE using the McAfee DXL client. This integration was integrated and tested with version 2.0 of McAfee Threat Intelligence Exchange V2

Some changes have been made that might affect your existing content. If you are upgrading from a previous version of this integration, see Breaking Changes.

Detailed Instructions#

This section includes information required for configuring an integration instance.

Prerequisites - Connect to McAfee Threat Intelligence Exchange (TIE) using the DXL TIE Client#

To connect the McAfee TIE using the DXL TIE client, you need to create certificates and configure DXL. For more information, see the documentation. After you complete this configuration, you will have the following files:

  1. Broker CA certificates (brokercerts.crt file)
  2. Client certificate (client.crt file)
  3. Client private key (client.key file)
  4. Broker list properties file (brokerlist.properties file)

Important: These are the actual certificates, not request certificates.

set-file instruction#

To use the tie-set-file-reputation command, you need to authorize the client (Cortex XSOAR) to run the command. Follow the instructions to do so. In step 4, instead of selecting Active Response Server API, select TIE Server Set Enterprise Reputation.

Dependencies (Python packages)#

You don't need to install the packages, they are included in the Docker image.

Configure McAfee Threat Intelligence Exchange V2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for McAfee Threat Intelligence Exchange V2.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Broker CA certificatesFrom `brokercerts.crt` file.True
    Client certificatesFrom `client.crt` file.True
    Client private keyFrom `client.key` file. Make sure that the type of the field is not `encrypted` when filling it out.True
    Broker URLsThe format should be: [ssl://]\<hostname>[:port]. Get the hostname and port from the `brokerlist.properties` file. The broker should be reachable from Cortex XSOAR server.True
    Source ReliabilityReliability of the source providing the intelligence data.False
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

file#


Retrieves the reputations for the specified hashes. Can be "MD5", "SHA1", or "SHA256".

Base Command#

file

Input#

Argument NameDescriptionRequired
fileHashes of the files to query. Supports "MD5", "SHA1", and "SHA256".Required

Context Output#

PathTypeDescription
File.Hashes.typeStringThe type of the hash.
File.Hashes.valueStringThe value of the hash.
File.MD5StringThe MD5 hash of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
File.Malicious.VendorStringThe vendor that reported the file as malicious.
File.Malicious.DescriptionStringA description of why this file was found malicious.
DBotScore.ScoreNumberThe actual score.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.TypeStringThe indicator type.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.ReliabilityStringHow reliable the score is (for example, "C - fairly reliable").
McAfee.TIE.FilesReputations.Reputations.HashStringThe value of the hash.
McAfee.TIE.FilesReputations.Reputations.GTI.Provider_IDNumberThe identifier of the particular provider that provided the reputation.
McAfee.TIE.FilesReputations.Reputations.GTI.Trust_LevelNumberThe trust level for the reputation subject.
McAfee.TIE.FilesReputations.Reputations.GTI.Create_DateStringThe time this reputation was created (UTC timezone).
McAfee.TIE.FilesReputations.Reputations.GTI.ProviderStringThe name of the particular provider that provided the reputation.
McAfee.TIE.FilesReputations.Reputations.GTI.Original_ResponseStringThe raw response as returned by the Global Threat Intelligence (GTI) reputation provider.
McAfee.TIE.FilesReputations.Reputations.GTI.First_ContactStringThe time the file was first seen (UTC timezone).
McAfee.TIE.FilesReputations.Reputations.GTI.PrevalenceStringThe number of times the file has been requested.
McAfee.TIE.FilesReputations.Reputations.ATD.Provider_IDNumberThe identifier of the particular provider that provided the reputation.
McAfee.TIE.FilesReputations.Reputations.ATD.Trust_LevelNumberThe trust level for the reputation subject.
McAfee.TIE.FilesReputations.Reputations.ATD.Create_DateStringThe time this reputation was created (UTC timezone).
McAfee.TIE.FilesReputations.Reputations.ATD.ProviderStringThe name of the particular provider that provided the reputation.
McAfee.TIE.FilesReputations.Reputations.ATD.GAM_ScoreStringThe trust score reported by the Gateway Anti-Malware (GAM).
McAfee.TIE.FilesReputations.Reputations.ATD.AV_Engine_ScoreStringThe trust score reported by the Anti-Virus engine.
McAfee.TIE.FilesReputations.Reputations.ATD.Sandbox_ScoreStringThe trust score as a result of the sandbox evaluation.
McAfee.TIE.FilesReputations.Reputations.ATD.VerdictStringThe overall verdict (taking into consideration all available information).
McAfee.TIE.FilesReputations.Reputations.ATD.BehaviorsStringAn encoded structure that contains observed behaviors of the file.
McAfee.TIE.FilesReputations.Reputations.Enterprise.Provider_IDNumberThe identifier of the particular provider that provided the reputation.
McAfee.TIE.FilesReputations.Reputations.Enterprise.Trust_LevelNumberThe trust level for the reputation subject.
McAfee.TIE.FilesReputations.Reputations.Enterprise.Create_DateStringThe time this reputation was created (UTC timezone).
McAfee.TIE.FilesReputations.Reputations.Enterprise.ProviderStringThe name of the particular provider that provided the reputation.
McAfee.TIE.FilesReputations.Reputations.Enterprise.Server_VersionStringThe version of the TIE server that returned the reputations (encoded version string).
McAfee.TIE.FilesReputations.Reputations.Enterprise.First_ContactStringThe time the file was first seen (UTC timezone).
McAfee.TIE.FilesReputations.Reputations.Enterprise.PrevalenceStringThe number of unique systems that have executed the file.
McAfee.TIE.FilesReputations.Reputations.Enterprise.Enterprise_SizeStringThe number of systems within the local enterprise.
McAfee.TIE.FilesReputations.Reputations.Enterprise.Min_Local_RepStringThe lowest reputation found locally on a system.
McAfee.TIE.FilesReputations.Reputations.Enterprise.Max_Local_RepStringThe highest reputation found locally on a system.
McAfee.TIE.FilesReputations.Reputations.Enterprise.Avg_Local_RepStringThe average reputation found locally on systems.
McAfee.TIE.FilesReputations.Reputations.Enterprise.Parent_Min_Local_RepStringThe lowest reputation for the parent found locally on a system.
McAfee.TIE.FilesReputations.Reputations.Enterprise.Parent_Max_Local_RepStringThe highest reputation for the parent found locally on a system.
McAfee.TIE.FilesReputations.Reputations.Enterprise.Parent_Avg_Local_RepStringThe average reputation for the parent found locally on systems.
McAfee.TIE.FilesReputations.Reputations.Enterprise.File_Name_CountStringThe number of unique file names for the file.
McAfee.TIE.FilesReputations.Reputations.Enterprise.Detection_CountStringThe number of detections for the file or certificate.
McAfee.TIE.FilesReputations.Reputations.Enterprise.Last_Detection_TimeStringThe last time a detection occurred (UTC timezone).
McAfee.TIE.FilesReputations.Reputations.Enterprise.Is_PrevalentStringWhether the file is considered to be prevalent within the enterprise.
McAfee.TIE.FilesReputations.Reputations.Enterprise.Child_File_RepsStringThe child file reputations (aggregate string) according to the following format:
- The number of files.
- The maximum trust level found across the files.
- The minimum trust level found across the files.
- The trust level for the last file.
- The average trust level across the files.
McAfee.TIE.FilesReputations.Reputations.Enterprise.Parent_File_RepsStringThe parent file reputations (aggregate string) according to the following format:
- The number of files.
- The maximum trust level found across the files.
- The minimum trust level found across the files.
- The trust level for the last file.
- The average trust level across the files.

Providers Table#

ProviderNumericDescription
GTI1Global Threat Intelligence (GTI).
ENTERPRISE3Enterprise reputation (specific to the local enterprise).
ATD5McAfee Advanced Threat Defense (ATD).

Trust Level Table#

Trust LevelNumericDescription
KNOWN_TRUSTED_INSTALLER100It is a trusted installer.
KNOWN_TRUSTED99It is a trusted file.
MOST_LIKELY_TRUSTED85It is almost certain that the file is trusted.
MIGHT_BE_TRUSTED70It seems to be a benign file.
UNKNOWN50The reputation provider has encountered the file before but the provider can't determine its reputation at the moment.
MIGHT_BE_MALICIOUS30It seems to be a suspicious file.
MOST_LIKELY_MALICIOUS15It is almost certain that the file is malicious.
KNOWN_MALICIOUS1It is a malicious file.
NOT_SET0The file's reputation hasn't been determined yet.

ATD Trust Score Table#

Trust LevelNumericDescription
KNOWN_TRUSTED-1It is a trusted file.
MOST_LIKELY_TRUSTED0It is almost certain that the file is trusted.
MIGHT_BE_TRUSTED1It seems to be a benign file.
UNKNOWN2The reputation provider has encountered the file before but the provider can't determine its reputation at the moment.
MIGHT_BE_MALICIOUS3It seems to be a suspicious file.
MOST_LIKELY_MALICIOUS4It is almost certain that the file is malicious.
KNOWN_MALICIOUS5It is a malicious file.
NOT_SET-2The file's reputation hasn't been determined yet.

Command Example#

!file file=f2c7bb8acc97f92e987a2d4087d021b1,7eb0139d2175739b3ccb0d1110067820be6abd29

Context Example#

{
"DBotScore": [
{
"Indicator": "f2c7bb8acc97f92e987a2d4087d021b1",
"Reliability": "C - Fairly reliable",
"Score": 1,
"Type": "file",
"Vendor": "McAfee Threat Intelligence Exchange V2"
},
{
"Indicator": "7eb0139d2175739b3ccb0d1110067820be6abd29",
"Reliability": "C - Fairly reliable",
"Score": 3,
"Type": "file",
"Vendor": "McAfee Threat Intelligence Exchange V2"
}
],
"File": [
{
"Hashes": [
{
"type": "MD5",
"value": "f2c7bb8acc97f92e987a2d4087d021b1"
}
],
"MD5": "f2c7bb8acc97f92e987a2d4087d021b1"
},
{
"Hashes": [
{
"type": "SHA1",
"value": "7eb0139d2175739b3ccb0d1110067820be6abd29"
}
],
"Malicious": {
"Description": "Trust level is 1",
"Vendor": "McAfee Threat Intelligence Exchange V2"
},
"SHA1": "7eb0139d2175739b3ccb0d1110067820be6abd29"
}
],
"McAfee": {
"TIE": {
"FilesReputations": [
{
"Reputations": {
"Enterprise": {
"Create_Date": "2017-10-15 15:33:20",
"Enterprise_Size": "167565",
"File_Name_Count": "3",
"First_Contact": "2017-10-15 15:33:20",
"Is_Prevalent": "0",
"Prevalence": "4336",
"Provider": "Enterprise reputation",
"Provider_ID": 3,
"Server_Version": "3.0.0.480",
"Trust_Level": 85
},
"GTI": {
"Create_Date": "2017-10-15 15:33:20",
"Original_Response": "2139160704",
"Provider": "Global Threat Intelligence (GTI)",
"Provider_ID": 1,
"Trust_Level": 99
},
"Hash": "f2c7bb8acc97f92e987a2d4087d021b1"
}
},
{
"Reputations": {
"Enterprise": {
"Create_Date": "2017-10-15 16:30:54",
"Enterprise_Size": "167566",
"File_Name_Count": "1",
"First_Contact": "2017-10-15 16:30:54",
"Is_Prevalent": "0",
"Prevalence": "2736",
"Provider": "Enterprise reputation",
"Provider_ID": 3,
"Server_Version": "3.0.0.480",
"Trust_Level": 1
},
"GTI": {
"Create_Date": "2018-06-04 13:31:02",
"Original_Response": "2139160704",
"Provider": "Global Threat Intelligence (GTI)",
"Provider_ID": 1,
"Trust_Level": 99
},
"Hash": "7eb0139d2175739b3ccb0d1110067820be6abd29"
}
}
]
}
}
}

Human Readable Output#

McAfee TIE Hash Reputations For f2c7bb8acc97f92e987a2d4087d021b1:#

Created dateProvider (verbose)Provider IDTrust levelTrust level (verbose)
2017-10-15 15:33:20Global Threat Intelligence (GTI)199KNOWN_TRUSTED
2017-10-15 15:33:20Enterprise reputation385MOST_LIKELY_TRUSTED

McAfee TIE Hash Reputations For 7eb0139d2175739b3ccb0d1110067820be6abd29:#

Created dateProvider (verbose)Provider IDTrust levelTrust level (verbose)
2017-10-15 16:30:54Enterprise reputation31KNOWN_MALICIOUS
2018-06-04 13:31:02Global Threat Intelligence (GTI)199KNOWN_TRUSTED

tie-set-file-reputation#


Sets the “Enterprise” reputation (trust level, filename, and comment) of the specified hashes. Hashes that represent the same file can have a different "Enterprise" reputation if they are given different reputations. Permissions are required to invoke this method. See the instruction section.

Base Command#

tie-set-file-reputation

Input#

Argument NameDescriptionRequired
fileHashes of the files for which to set the reputation. Can be "MD5", "SHA1", or "SHA256".Required
trust_levelThe new trust level for the files. Possible values are: NOT_SET, KNOWN_MALICIOUS, MOST_LIKELY_MALICIOUS, MIGHT_BE_MALICIOUS, UNKNOWN, MIGHT_BE_TRUSTED, MOST_LIKELY_TRUSTED, KNOWN_TRUSTED, KNOWN_TRUSTED_INSTALLER.Required
filenameA file name to associate with the specified files.Optional
commentA comment to associate with the specified files.Optional

Context Output#

There is no context output for this command.

Command Example#

!tie-set-file-reputation file=f2c7bb8acc97f92e987a2d4087d021b1,7eb0139d2175739b3ccb0d1110067820be6abd29 trust_level=MOST_LIKELY_TRUSTED comment="For testing" filename="tesing.exe"

Human Readable Output#

Successfully set files reputation.

tie-file-references#


Retrieves the set of systems which have referenced (typically executed) the specified hashes.

Base Command#

tie-file-references

Input#

Argument NameDescriptionRequired
fileHashes of the files for which to search. Can be "MD5", "SHA1", or "SHA256".Required
query_limitThe maximum number of results to return. The default and maximum number is 500 results.Optional

Context Output#

PathTypeDescription
File.Hashes.typeStringThe type of the hash.
File.Hashes.valueStringThe value of the hash.
File.MD5StringThe MD5 hash of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
McAfee.TIE.FilesReferences.References.AgentGuidStringThe GUID of the system that referenced the file.
McAfee.TIE.FilesReferences.References.DateStringThe time the system first referenced the file (UTC timezone).
McAfee.TIE.FilesReferences.HashStringThe value of the hash.

Command Example#

!tie-file-references file=f2c7bb8acc97f92e987a2d4087d021b1,7eb0139d2175739b3ccb0d1110067820be6abd29 query_limit=5

Context Example#

{
"File": [
{
"Hashes": [
{
"type": "MD5",
"value": "f2c7bb8acc97f92e987a2d4087d021b1"
}
],
"MD5": "f2c7bb8acc97f92e987a2d4087d021b1"
},
{
"Hashes": [
{
"type": "SHA1",
"value": "7eb0139d2175739b3ccb0d1110067820be6abd29"
}
],
"SHA1": "7eb0139d2175739b3ccb0d1110067820be6abd29"
}
],
"McAfee": {
"TIE": {
"FilesReferences": [
{
"Hash": "f2c7bb8acc97f92e987a2d4087d021b1",
"References": [
{
"AgentGuid": "0c906be0-224c-45d4-8e6f-bc89da69d268",
"Date": "2017-10-15 15:33:20"
},
{
"AgentGuid": "70be2ee9-7166-413b-b03e-64a48f6ab6c8",
"Date": "2017-10-15 15:34:11"
},
{
"AgentGuid": "c21b8995-9c5a-412c-b727-c4284d42380a",
"Date": "2017-10-15 16:30:48"
},
{
"AgentGuid": "24e0e935-2241-47d7-822b-20dfe0fe86de",
"Date": "2017-10-15 16:30:49"
},
{
"AgentGuid": "e50a8b51-2063-42cb-a85f-10bd0a698323",
"Date": "2017-10-15 16:30:51"
}
]
},
{
"Hash": "7eb0139d2175739b3ccb0d1110067820be6abd29",
"References": [
{
"AgentGuid": "157eaf84-88ab-4d95-9456-30878fded9d5",
"Date": "2017-10-15 16:30:54"
},
{
"AgentGuid": "0bbcd439-aaed-4931-b9f4-b37e4a49b980",
"Date": "2017-10-16 13:28:43"
},
{
"AgentGuid": "f87fb2c3-2032-4fc5-a54f-7d36b441a122",
"Date": "2017-10-16 13:28:46"
},
{
"AgentGuid": "33b05a2e-6bb2-46c2-998f-893668c46402",
"Date": "2017-10-16 14:12:17"
},
{
"AgentGuid": "99ed15bb-ebc5-4b48-9a4d-5ad1b30abaac",
"Date": "2017-10-16 14:14:36"
}
]
}
]
}
}
}

Human Readable Output#

References For Hash f2c7bb8acc97f92e987a2d4087d021b1:#

AgentGuidDate
0c906be0-224c-45d4-8e6f-bc89da69d2682017-10-15 15:33:20
70be2ee9-7166-413b-b03e-64a48f6ab6c82017-10-15 15:34:11
c21b8995-9c5a-412c-b727-c4284d42380a2017-10-15 16:30:48
24e0e935-2241-47d7-822b-20dfe0fe86de2017-10-15 16:30:49
e50a8b51-2063-42cb-a85f-10bd0a6983232017-10-15 16:30:51

References For Hash 7eb0139d2175739b3ccb0d1110067820be6abd29:#

AgentGuidDate
157eaf84-88ab-4d95-9456-30878fded9d52017-10-15 16:30:54
0bbcd439-aaed-4931-b9f4-b37e4a49b9802017-10-16 13:28:43
f87fb2c3-2032-4fc5-a54f-7d36b441a1222017-10-16 13:28:46
33b05a2e-6bb2-46c2-998f-893668c464022017-10-16 14:12:17
99ed15bb-ebc5-4b48-9a4d-5ad1b30abaac2017-10-16 14:14:36

Breaking Changes#

The following sections list the changes in this version.

  • You can now pass more than one file to the following commands:
    • tie-set-file-reputation
    • tie-file-references
  • Added additional context outputs to the following commands:
    • file
    • tie-file-references