TIE - IOC Hunt
This Playbook is part of the McAfee Threat Intelligence Exchange Pack.#
Hunts for sightings of MD5 hash, SHA1 hash and/or SHA256 hashes on endpoints, using McAfee TIE (requires ePO as well).
Input:
- Hash (default, takes all deferent hashes from context)
Output:
- All agents that files with "Hash" has been executed on (TIE)
- Enrich Agents info from ePO
Dependencies#
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks#
This playbook does not use any sub-playbooks.
Integrations#
- McAfee Threat Intelligence Exchange
- McAfee ePO v2
Scripts#
- EPOFindSystem
- Exists
Commands#
- tie-file-references
- epo-find-system
Playbook Inputs#
| Name | Description | Default Value | Required |
|---|---|---|---|
| Hash | The hash to hunt. Can be, "MD5", "SHA1", or "SHA256". The default is set to all hashes | ${.=val.File.map(function(f) {return [f.MD5, f.SHA1, f.SHA256];}).reduce(function(a, b){return a.concat(b);}, []).filter(function (val1) {return val1;})} | Optional |
Playbook Outputs#
There are no outputs for this playbook.
Playbook Image#
