Skip to main content
Introducing Polarity Intel Edition: Streamlining Intel Distribution for SecOps
Polarity Intel Edition
Request a Demo

McAfee

ThreatConnect® and Intel Security have partnered to enable users to detect and act on ThreatConnect intelligence in McAfee Enterprise Security Manager™. With this integration, users can aggregate their internal logs and combine them with validated threat intelligence, to easily spot trends or patterns that are out of the ordinary and act on them efficiently.

See our joint solution brief

Specialties

Integrations

McAfee Advanced Threat Defense (ATD)

Analyze and detonate files or URLs in McAfee Advanced Threat Detection (ATD) from ThreatConnect to understand if they are malicious and any relevant intelligence. Additionally, McAfee ATD Reports can be sent and saved in ThreatConnect, and associated to corresponding intelligence.  With the Playbooks Apps and Templates, users are automatically able to take the following actions:

  • Analyze Files with McAfee ATD - The McAfee API lets users submit a supported file type for McAfee analysis. Use this app to automate the submission of new malware files. The app attempts to detect whether a file is in ZIP format and, if so, automatically unzips it before sending it to the McAfee API.
  • Analyze URLs with McAfee ATD - The McAfee ATD API lets users submit a URL for analysis. Use this app to automate the submission of URLs that point to a hosted file.
  • Retrieve McAfee ATD Reports - The McAfee ATD API lets you submit a URL for analysis. Use this app to get an Analysis report for a specified Task ID or hash value.

This app can be found in the ThreatConnect App Catalog under the name: McAfee ATD

Keep Reading
dark orange ThreatConnect TC logo

Built By ThreatConnect

McAfee Data Exchange Layer (DXL)

The ThreatConnect integration with McAfee Data Exchange Layer (DXL) is very comprehensive and allows full bi-directional use cases with McAfee DXL and supported products like ATD, ePO, MAR, and TIE. The Playbook app enables publishing events and invoking services on DXL topics while the service allows users to subscribe to events on DXL topics and trigger Playbooks when there is a match. Here are some example use cases that can be accomplished with this integration. This is not everything that is possible but a good place to start.

  • Subscribe to events on any McAfee DXL topic and trigger a Playbook on relevant matches.
  • Subscribe to McAfee TIE file reputation updates and either save indicators in ThreatConnect or adjust scoring of existing indicators.
  • Subscribe to McAfee ePO events and trigger Playbooks on relevant matches.
  • Subscribe to malware reports from McAfee ATD and automatically create Cases or Incidents with associated indicators in ThreatConnect.
  • Invoke any service on McAfee DXL and use the results in a ThreatConnect Playbook.
  • Publish events on any McAfee DXL topic.
  • Update McAfee TIE file reputations when indicators are added or updated in ThreatConnect.
  • Query McAfee Active Response as part of an endpoint triage or investigation process.
  • Run commands on McAfee ePO as part of an investigation process.

This app can be found in the ThreatConnect App Catalog under the name: McAfee Data Exchange Layer (DXL)

Keep Reading
dark orange ThreatConnect TC logo

Built By ThreatConnect

McAfee MVISION Insights

MVISION Insights provides customers direct access to malicious campaign information including Indicators of Compromise (IOC’s), MITRE Techniques, and additional details related to the campaign and adversary. The purpose of the integration is to pull threat data from the MVISION Insights platform on a scheduled basis via MVISION API. The received data will be parsed and mapped to the ThreatConnect indicators and groups.

McAfee MVISION Insights will provide:

  • Campaign details (descriptions, additional links, kb articles, minimum data version, etc.)
  • Indicator of Compromise (IOCs)
  • Galaxy information (MITRE Techniques, Tools, Threat Actors, etc.)

To get this app, click the Download button on the left.

Keep Reading

McAfee Web Gateway

McAfee Web Gateway is a checkpoint that prevents unauthorized traffic from entering your network. With this Playbook app, you can add and remove items from a list on a targeted application within McAfee Web Gateway. The following actions are available:

  • Add to List - This action appends the submitted entries to a list on the target appliance.
  • Remove from List - This action removes the submitted entries from a list on the target appliance.
  • Advanced Request - This action can be used to request additional API endpoints.

This app can be found in the ThreatConnect App Catalog under the name: McAfee Web Gateway

Keep Reading
dark orange ThreatConnect TC logo

Built By ThreatConnect

Playbooks

McAfee ATD Playbooks

As part of the Automated Malware Analysis use case, the Detonate File Playbook template makes it easy to process an ATD Malware report as intelligence in ThreatConnect. When the Component is triggered it will retrieve the report from McAfee ATD and then save it as an Incident with associated Indicators in ThreatConnect. This component can be used in a variety of Playbooks and Workflows such as "Malware Processing - McAfee ATD via DXL" and "Detonate File - McAfee ATD".

As part of the Automated Malware Analysis use case, the Create Intelligence from Malware Report Playbook template allows a user to easily pass a suspicious Malware sample to McAfee ATD for analysis. The Playbook begins with a User Action trigger and then sends the Document to McAfee ATD for analysis. The "McAfee ATD - Create Intelligence from Malware Report" component is used to create an Incident and associated Indicators in ThreatConnect from the results.

As part of the Automated Malware Processing use case, the Malware Processing Playbook template provides a starting point for ingesting McAfee ATD Reports from the `/mcafee/event/atd/file/report` topic on DXL. Once a message is received by the Playbook the "McAfee ATD - Create Intelligence from Malware Report" component is used to save the report as an Incident and associated Indicators in ThreatConnect for further correlation and analysis. This playbook requires McAfee ATD to be connected to the DXL fabric.

These Playbook templates can be found in the ThreatConnect App Catalog under the names: Detonate File - McAfee ATD,McAfee ATD - Create Intelligence from Malware Report, and Malware Processing - McAfee ATD via DXL

Keep Reading

Looking for an
integration not shown?