ThreatConnect® and Intel Security have partnered to enable users to detect and act on ThreatConnect intelligence in McAfee Enterprise Security Manager™. With this integration, users can aggregate their internal logs and combine them with validated threat intelligence, to easily spot trends or patterns that are out of the ordinary and act on them efficiently.
Analyze and detonate files or URLs in McAfee Advanced Threat Defense (ATD) from ThreatConnect to determine whether they are malicious and to capture any related intelligence. Additionally, McAfee ATD reports can be sent to and saved in ThreatConnect and associated with the corresponding intelligence. With the Playbook Apps and Templates, users can automate the following actions:
Analyze Files with McAfee ATD - The McAfee ATD API lets users submit a supported file type for analysis. Use this app to automate the submission of new malware files. The app attempts to detect whether a file is in ZIP format and, if so, automatically unzips it before sending it to the McAfee ATD API.
Analyze URLs with McAfee ATD - The McAfee ATD API lets users submit a URL for analysis. Use this app to automate the submission of URLs that point to a hosted file.
Retrieve McAfee ATD Reports - The McAfee ATD API lets users fetch the results of a completed analysis. Use this app to get the analysis report for a specified Task ID or hash value.
This app can be found in the ThreatConnect App Catalog under the name: McAfee ATD
The ThreatConnect integration with McAfee Data Exchange Layer (DXL) supports bi-directional use cases with McAfee DXL and the products connected to it, such as ATD, ePO (ePolicy Orchestrator), MAR (McAfee Active Response), and TIE (Threat Intelligence Exchange). The Playbook app publishes events and invokes services on DXL topics, while the service subscribes to events on DXL topics and triggers Playbooks when a message matches. Here are some example use cases that can be accomplished with this integration. This is not everything that is possible, but it is a good place to start.
Subscribe to events on any McAfee DXL topic and trigger a Playbook on relevant matches.
Subscribe to McAfee TIE file reputation updates and either save indicators in ThreatConnect or adjust scoring of existing indicators.
Subscribe to McAfee ePO events and trigger Playbooks on relevant matches.
Subscribe to malware reports from McAfee ATD and automatically create Cases or Incidents with associated indicators in ThreatConnect.
Invoke any service on McAfee DXL and use the results in a ThreatConnect Playbook.
Publish events on any McAfee DXL topic.
Update McAfee TIE file reputations when indicators are added or updated in ThreatConnect.
Query McAfee Active Response as part of an endpoint triage or investigation process.
Run commands on McAfee ePO as part of an investigation process.
This app can be found in the ThreatConnect App Catalog under the name: McAfee Data Exchange Layer (DXL)
MVISION Insights provides customers direct access to malicious campaign information, including Indicators of Compromise (IOCs), MITRE ATT&CK techniques, and additional details about the campaign and adversary. The purpose of the integration is to pull threat data from the MVISION Insights platform on a scheduled basis via the MVISION Insights API. The received data is parsed and mapped to ThreatConnect indicators and groups.
McAfee Web Gateway is a web proxy that enforces policy on traffic entering and leaving your network. With this Playbook app, you can add and remove items from a list on a target McAfee Web Gateway appliance. The following actions are available:
Add to List - This action appends the submitted entries to a list on the target appliance.
Remove from List - This action removes the submitted entries from a list on the target appliance.
Advanced Request - This action can be used to call other McAfee Web Gateway API endpoints that the two list actions do not cover.
This app can be found in the ThreatConnect App Catalog under the name: McAfee Web Gateway
As part of the Automated Malware Analysis use case, the McAfee ATD - Create Intelligence from Malware Report component makes it easy to process an ATD malware report as intelligence in ThreatConnect. When the component is triggered, it retrieves the report from McAfee ATD and saves it as an Incident with associated Indicators in ThreatConnect. This component can be used in a variety of Playbooks and Workflows, such as "Malware Processing - McAfee ATD via DXL" and "Detonate File - McAfee ATD".
As part of the Automated Malware Analysis use case, the Detonate File - McAfee ATD Playbook template allows a user to easily pass a suspicious malware sample to McAfee ATD for analysis. The Playbook begins with a User Action trigger and then sends the Document to McAfee ATD for analysis. The "McAfee ATD - Create Intelligence from Malware Report" component is then used to create an Incident and associated Indicators in ThreatConnect from the results.
As part of the Automated Malware Processing use case, the Malware Processing Playbook template provides a starting point for ingesting McAfee ATD reports from the `/mcafee/event/atd/file/report` topic on DXL. Once a message is received by the Playbook, the "McAfee ATD - Create Intelligence from Malware Report" component is used to save the report as an Incident with associated Indicators in ThreatConnect for further correlation and analysis. This Playbook requires McAfee ATD to be connected to the DXL fabric.
These Playbook templates can be found in the ThreatConnect App Catalog under the names: Detonate File - McAfee ATD, McAfee ATD - Create Intelligence from Malware Report, and Malware Processing - McAfee ATD via DXL
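The two DXL use cases above (turning an ATD report received on `/mcafee/event/atd/file/report` into an Incident with associated Indicators, and pushing a TIE file reputation back for the sample) share one decision: how the sandbox verdict is translated into an indicator rating and a TIE trust level. The following is an added example of that logic, not ThreatConnect's component or McAfee's code. The report layout (`Summary` with `Subject`, `Verdict`, `Ips`, `Urls`), the 0-5 severity scale, and the sample payload are constructed assumptions modeled on an ATD JSON report; the trust-level numbers follow the OpenDXL TIE client's `TrustLevel` constants. The function takes the raw event payload bytes that an OpenDXL `EventCallback.on_event` receives as `event.payload`, so it can be dropped into a subscriber for that topic.

```python
"""Map a McAfee ATD file report (DXL event payload) to ThreatConnect intel and a TIE trust level.

Added example; report field names, severity scale and sample data are assumptions."""
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Trust levels as defined by the OpenDXL TIE client (dxltieclient TrustLevel).
KNOWN_MALICIOUS = 1
MOST_LIKELY_MALICIOUS = 15
MIGHT_BE_MALICIOUS = 30
UNKNOWN = 50

HASH_RE = {
    "md5": re.compile(r"[0-9a-f]{32}"),
    "sha1": re.compile(r"[0-9a-f]{40}"),
    "sha256": re.compile(r"[0-9a-f]{64}"),
}

# Constructed payload in the shape of an ATD JSON report (assumed field names).
# The IP and URL values are made up; 10.0.0.2 stands in for sandbox-internal noise.
SAMPLE_PAYLOAD = json.dumps({
    "Summary": {
        "Subject": {
            "Name": "invoice.exe",
            "md5": "9e107d9d372bb6826bd81d3542a419d6",
            "sha-1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
            "sha-256": "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592",
        },
        "Verdict": {"Severity": "5", "Description": "Sample is malicious"},
        "Ips": [{"Ipv4": "91.92.93.94", "Port": "443"}, {"Ipv4": "10.0.0.2", "Port": "53"}],
        "Urls": [{"Url": "http://malware.example/payload.bin"}, {"Url": "http://10.0.0.2/check"}],
    }
}).encode("utf-8")


def severity_to_trust(severity):
    """ATD severity (assumed 0..5, -1 = inconclusive) to TIE trust level.
    A clean or inconclusive run never raises trust above UNKNOWN: one sandbox
    miss must not whitelist a file for every endpoint on the fabric."""
    if severity >= 5:
        return KNOWN_MALICIOUS
    if severity == 4:
        return MOST_LIKELY_MALICIOUS
    if severity == 3:
        return MIGHT_BE_MALICIOUS
    return UNKNOWN


def merge_trust(current, proposed):
    """Lower TIE values mean less trusted. Only ever move a reputation down;
    a single detonation must not overwrite a worse reputation already in TIE.
    current None or 0 means TIE has no reputation set yet."""
    if not current:
        return proposed
    return min(current, proposed)


def _routable(host):
    """True for public IPs and for hostnames; drops RFC1918/loopback/reserved
    addresses the sample touched inside the sandbox."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True  # not an IP literal, treat as a hostname


def extract_indicators(summary, rating, include_network):
    """Build ThreatConnect-style indicators: one File indicator carrying the
    hashes, plus Address/URL indicators only when the verdict justifies them."""
    subject = summary.get("Subject", {})
    hashes = {k: subject.get(src, "").lower() for k, src in (("md5", "md5"), ("sha1", "sha-1"), ("sha256", "sha-256"))}
    hashes = {k: v for k, v in hashes.items() if HASH_RE[k].fullmatch(v)}
    indicators = [dict(type="File", rating=rating, **hashes)] if hashes else []
    if not include_network:
        return indicators
    for entry in summary.get("Ips", []):
        ip = entry.get("Ipv4", "")
        if ip and _routable(ip):
            indicators.append({"type": "Address", "value": ip, "rating": rating})
    for entry in summary.get("Urls", []):
        url = entry.get("Url", "")
        host = urlsplit(url).hostname
        if host and _routable(host):
            indicators.append({"type": "URL", "value": url, "rating": rating})
    return indicators


def process_report(payload, current_trust=None):
    """payload: raw bytes of the DXL event. Returns the Incident to create, the
    Indicators to associate, and the trust level to hand to
    TieClient.set_file_reputation(trust_level, hashes) for the sample."""
    summary = json.loads(payload.decode("utf-8"))["Summary"]
    severity = int(summary.get("Verdict", {}).get("Severity", -1))
    rating = max(0, min(5, severity))  # ThreatConnect 0-5 rating
    name = summary.get("Subject", {}).get("Name", "unknown")
    return {
        "incident": {"name": f"McAfee ATD report: {name} (severity {severity})", "status": "New"},
        # Network observables from a low-severity run are mostly sandbox noise.
        "indicators": extract_indicators(summary, rating, include_network=severity >= 3),
        "tie_trust_level": merge_trust(current_trust, severity_to_trust(severity)),
    }


if __name__ == "__main__":
    print(json.dumps(process_report(SAMPLE_PAYLOAD), indent=2))
```

In a live subscriber, `process_report` is what `on_event` calls; the rest of the Playbook is the ThreatConnect API calls that create the Incident and Indicators and the `set_file_reputation` call on the TIE client. The two guards worth keeping whatever the surrounding tooling are: never publish a trust level above UNKNOWN from a sandbox verdict, and never raise an existing TIE reputation on the strength of one run.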