MCAFEE THREAT INTELLIGENCE EXCHANGE RESILIENT THREAT SERVICE INTEGRATION GUIDE V1.0

Similar documents
git-pr Release dev2+ng5b0396a

Anomali ThreatStream IBM Resilient App

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

Feed Cache for Umbraco Version 2.0

X Generic Event Extension. Peter Hutterer

puppet-diamond Documentation

Migration Tool. Migration Tool (Beta) Technical Note

McAfee Threat Intelligence Exchange Installation Guide. (McAfee epolicy Orchestrator)

McAfee Endpoint Security

McAfee Web Gateway

KEMP Driver for Red Hat OpenStack. KEMP LBaaS Red Hat OpenStack Driver. Installation Guide

RTI Connext DDS Core Libraries

mp3fm Documentation Release Akshit Agarwal

twstock Documentation

McAfee Advanced Threat Defense Release Notes

Incident Response Platform Integrations BigFix Function V1.1.0 Release Date: October 2018

McAfee Advanced Threat Defense Migration Guide

Interface Reference. McAfee Application Control Windows Interface Reference Guide. Add Installer page. (McAfee epolicy Orchestrator)

deepatari Documentation

disspcap Documentation

jumpssh Documentation

RSA Two Factor Authentication

McAfee Threat Intelligence Exchange Installation Guide

McAfee Firewall Enterprise epolicy Orchestrator Extension

McAfee Threat Intelligence Exchange Product Guide. (McAfee epolicy Orchestrator)

Tenable Hardware Appliance Upgrade Guide

Colgate, WI

MOVE AntiVirus page-level reference

Hyper-V - Windows 2012 and 8. Virtual LoadMaster for Microsoft Hyper-V on Windows Server 2012, 2012 R2 and Windows 8. Installation Guide

McAfee Content Security Reporter Release Notes. (McAfee epolicy Orchestrator)

BME280 Documentation. Release Richard Hull

Open Source Used In Cisco Configuration Professional for Catalyst 1.0

Sensor-fusion Demo Documentation

Tailor Documentation. Release 0.1. Derek Stegelman, Garrett Pennington, and Jon Faustman

sensor-documentation Documentation

Firewall Enterprise epolicy Orchestrator

McAfee Endpoint Security Threat Prevention Installation Guide - macos

Splunk. Splunk. Deployment Guide

HTNG Web Services Product Specification. Version 2011A

Product overview. McAfee Web Protection Hybrid Integration Guide. Overview

utidylib Documentation Release 0.4

HTNG Web Services Product Specification. Version 2014A

McAfee Content Security Reporter 2.6.x Installation Guide

PyCon APAC 2014 Documentation

Guest Book. The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

Endpoint Intelligence Agent 2.2.0

McAfee Boot Attestation Service 3.5.0

inflection Documentation

Product Guide. McAfee GetClean. version 2.0

Dellve CuDNN Documentation

Elegans Documentation

McAfee Web Gateway Administration

Instagram PHP Documentation

Moodle. Moodle. Deployment Guide

RTXAGENDA v Use Manual. A program, free and easy to use, to modify your RT4 phonebook, on PC.

Addendum. McAfee Virtual Advanced Threat Defense

XEP-0099: IQ Query Action Protocol

RTXAGENDA v Use Manual. A program, free and easy to use, to modify your RT4, RT5 or RT6 phonebook, on PC.

dublincore Documentation

Stonesoft Management Center. Release Notes Revision A

McAfee MOVE AntiVirus Installation Guide. (McAfee epolicy Orchestrator)

McAfee Content Security Reporter 2.6.x Migration Guide

LoadMaster Clustering

TWO-FACTOR AUTHENTICATION Version 1.1.0

Stonesoft Management Center. Release Notes Revision A

Firebase PHP SDK. Release

NTLM NTLM. Feature Description

Migration Guide. McAfee Content Security Reporter 2.4.0

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

McAfee Web Gateway

LoadMaster for Azure (Marketplace Classic Interface)

VMware vcenter Log Insight Manager. Deployment Guide

Packet Trace Guide. Packet Trace Guide. Technical Note

Product Guide. McAfee Advanced Threat Defense 4.2.0

Folder Poll General User s Guide

McAfee Active Response 2.1.0

XEP-0361: Zero Handshake Server to Server Protocol

SafeNet Authentication Client

The Privileged Appliance and Modules (TPAM) 1.0. Diagnostics and Troubleshooting Guide

retask Documentation Release 1.0 Kushal Das

Addendum. McAfee Virtual Advanced Threat Defense

agate-sql Documentation

Product Guide. McAfee Web Gateway Cloud Service

McAfee MVISION Endpoint 1811 Installation Guide

josync Documentation Release 1.0 Joel Goop and Jonas Einarsson

Boot Attestation Service 3.0.0

LANDISVIEW Beta v1.0-user Guide

McAfee Web Gateway

Reference Guide Revision B. McAfee Cloud Workload Security 5.0.0

Adobe Connect. Adobe Connect. Deployment Guide

============================================================

PHP-FCM Documentation

McAfee MVISION Mobile IBM MaaS360 Integration Guide

McAfee MVISION Mobile IBM MaaS360 Integration Guide

McAfee MVISION Mobile Microsoft Intune Integration Guide

Edge Security Pack (ESP)

Spotter Documentation Version 0.5, Released 4/12/2010

LoadMaster VMware Horizon (with View) 6. Deployment Guide

aiounittest Documentation

HYCU SCOM Management Pack for F5 BIG-IP

Transcription:

MCAFEE THREAT INTELLIGENCE EXCHANGE RESILIENT THREAT SERVICE INTEGRATION GUIDE V1.0

Copyright IBM Corporation 2018 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. McAfee and the McAfee logo, McAfee Web Gateway, McAfee Advanced Threat Defense, epolicy Orchestrator, and McAfee epo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Page 2

Table of Contents 1. Introduction... 5 2. Installation... 6 2.1. Install the Python components... 7 2.2. Configure and Provision the OpenDXL Client... 7 2.3. Configure and Run the Python components... 8 3. Register the Threat Service... 9 4. Customer Support and Feedback... 9 Page 3

1. Introduction As part of the incident response, artifacts (or evidence) may be added to an incident for tracking and analysis. This integration provides automatic investigation of file reputation, using McAfee Threat Intelligence Exchange, for Resilient artifacts. When a malware sample is uploaded to the Resilient incident, its hashes (MD5, SHA1 and SHA256) are automatically sent to threat intelligence lookup. Also, when a file hash is directly entered into the Resilient platform, or added to the incident by an automated source such as a SIEM, these hashes are also automatically investigated. Page 5

When a file reputation is most likely malicious, the McAfee Threat Intelligence Exchange threat service provides the following information: Enterprise Trust Level, Enterprise Average Local Trust Level, Enterprise Prevalence, Enterprise Size, Enterprise First Contact Date, GTI (Global Threat Intelligence) Trust Level, GTI Prevalence, GTI First Contact, ATD (McAfee Advanced Threat Defense) Trust Level, MWG (McAfee Web Gateway) Trust Level 2. Installation Before registering McAfee Threat Intelligence Exchange as a threat service with the Resilient platform, verify that your environment conforms to the following prerequisites: Resilient platform is version 28 or later. Resilient platform is connected to the internet. You have a Resilient account to use for the custom threat service. For Resilient platforms at version 28 or earlier, this must be the Master Administrator account. For Resilient platform version 29 or later, this can be any account that has the permission to create incidents and view and modify administrator and customization settings. You need to know the account username and password. You have access to the command line of the Resilient appliance, which hosts the Resilient platform. You have configured McAfee TIE, and network connectivity to enable the DXL (Data Exchange Layer) connection between the Resilient platform and your McAfee TiE server. Page 6

2.1. Install the Python components The integration is a Web Service, called by the Resilient platform to query each artifact. It runs in the resilient-circuits integration framework. Three components are required for this: rc-webserver, a web server component, rc-cts, a custom threat service lookup component, rc-cts-mcafeetie, the integration with McAfee Threat Intelligence Exchange. Each of these components is included with the ZIP file that you downloaded. Additionally, the ZIP file contains current versions of the resilient and resilient-circuits components that make up the framework, and the OpenDXL Python Client. Perform the following to install the integration on the Resilient appliance: 1. Copy the ZIP file to the appliance using SCP. The file should be copied to the home directory of the resadmin user. 2. Log in to the Resilient appliance as resadmin using an SSH client, such as PuTTY. 3. At the prompt, unzip the integration. unzip mcafeetie-1.0.0.zip 4. Change to the mcafeetie subdirectory and install the Python packages. cd mcafeetie-1.0.0 sudo pip install r requirements.txt --find-links. 2.2. Configure and Provision the OpenDXL Client Before installing the integration, you must configure OpenDXL. This is the data exchange layer that allows communication with McAfee products including McAfee TIE. Provisioning can be done using the OpenDXL Python Client s command line interface (CLI), the OpenDXL Broker Management Console, or an external certificate authority. Refer to the OpenDXL instructions for more details. Page 7

2.3. Configure and Run the Python components The resilient-circuits components run as an unprivileged user, typically named `integration`. If you do not already have an `integration` user configured on your appliance, create it now. Perform the following to configure and run the integration: 1. Using sudo, become the integration user. sudo su - integration 2. Create or update the Resilient-circuits configuration file. resilient-circuits config -u 3. Edit the resilient-circuits configuration file. a. In the [resilient] section, ensure that you provide all the information needed to connect to the Resilient platform. b. In the [webserver] section, change the values to suit your preference if necessary. [webserver] # IP or DNS for the web server. Default is localhost. # server=0.0.0.0 # Port for the web server. Default is 9000. # port=9000 # Set the web server to use secure protocol. secure=1 means HTTPS, and secure=0 means HTTP. Default is 0 # secure=1 # The cert file is the private key certificate for the TLS server. This is required if secure=1. Default is None. # certfile=~/.resilient/ssl.cer c. In the [mcafee] section, be sure to specify the correct path to the OpenDXLclient configuration file. [mcafee] dxlclient_config=/home/resilient/.resilient/mcafee_tie/dxlclient.c onfig 4. Run the integration with the following command: resilient-circuits run The resilient-circuits command starts, loads its components, and continues to run until interrupted. If it stops immediately with an error message, check your configuration values and retry. Page 8

3. Register the Threat Service Perform the following to register the integration as a Resilient threat service: 1. Log in to the Resilient appliance using an SSH client, such a PuTTY. 2. At the prompt, enter the following command. sudo resutil threatserviceedit -name "McAfee Threat Intelligence Exchange" resturl 'http://localhost:9000/cts/mcafeetie' 3. Once completed, test the connectivity using the following command. If the previous step was successful, you should see a success message. sudo resutil threatservicetest -name " McAfee Threat Intelligence Exchange" 4. Log into the Resilient platform using the Resilient account defined in Prerequisites then click on your username and select Administrator Settings in the drop-down menu. 5. Click the Threat Sources tab and scroll down until you find McAfee Threat Intelligence Exchange. Make sure that it is set to ON. NOTE: If you need to disable your product threat service, you can turn the threat service to OFF. If you need to remove the threat service, log in to the Resilient appliance using an SSH client and type the following command: sudo resutil threatservicedel -name "McAfee Threat Intelligence Exchange" 4. Customer Support and Feedback See the McAfee Threat Intelligence Exchange (TIE) DXL Python Client Library Documentation for installation instructions, API documentation, and examples. For bugs, questions and discussions please use the GitHub Issues web site. Support for the Resilient platform is available from support@resilientsystems.com. Page 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback