ESM 10 - How to Import File Reputations from a Third-Party Tool into McAfee TIE

Version 2

    Introduction

     

    This guide illustrates the process of importing a reputation from a third party, in this case FireEye, into the TIE server to protect your organization's endpoints.  TIE maintains a database of information about the files running in your environment.  When TIE determines that a file is malicious, a policy-based action can be taken to protect your organization from it.  File reputations can come from many sources. In this example we'll use a FireEye file analysis result to add a new reputation to the TIE server, but the procedure can be used for other products as well.

     

     

    Prerequisites



    McAfee Enterprise Security Manager (SIEM) ver. 10 or newer

    McAfee Threat Intelligence Exchange ver. 2.0

    FireEye as an added device within the McAfee ESM (with file hash)

    Server with SSH and Python enabled (this was tested with Ubuntu Server)

     

    Configuration

     

    File reputation information can be passed from a third-party security tool to TIE via the McAfee ESM. The process relies on the script addHash.py (located at the end of this document).

     

    To use the script, it is recommended to set up a Linux server with SSH and Python enabled. The files mcafee.py and urlquote.py from the McAfee Python Remote Client are also required. To download the McAfee Remote Client, go to your McAfee My Products Download Site, select McAfee ePolicy Orchestrator 5.3, and click on the Other tab. Here you can download the Python Remote Client; mcafee.py and urlquote.py are inside this zip file.





     

    Upload the three script files (addHash.py, mcafee.py, and urlquote.py) to a location on the Linux server. This Linux server should be a standalone server and not a McAfee appliance (such as the SIEM or TIE server). In this document, the files were placed in the /var/tmp/tie directory of an Ubuntu Server.

     

    Within the addHash.py script, modify the ePOIP, ePOUser, and ePOUserPwd to match the configuration of your ePO environment.

     

    Now that the addHash.py file is in place, we can call it from the McAfee ESM and automatically feed the third-party threat intelligence to McAfee TIE. We'll create a new alarm to provide the feed.

     

    The initial step is to create a new alarm from the Signature ID. Select the FireEye event with the malicious file hash and click on the Details tab.

     

    Click on the 3-dots button and go to Actions --> Create new alarm from --> Signature ID

     

     

     

     

    In the Alarm Settings window, give your alarm a name. In our case we used "FireEye Pass MD5 to TIE".

     

     

    Go to the "Actions" tab to configure the action to take when the new alarm is seen in the SIEM.  Check the "Execute remote command:" box and then hit the Configure button.  We'd like to pass the newly imported file hash and threat level to the TIE server.  This will allow threats of specific threat levels to be blocked at all endpoints in our organization.

     



    In the "Execute Remote Command Configuration" window, use the following Python string and the Linux server credentials to configure the alarm and the action. This command calls the addHash.py script, and [$%File_Hash] is a variable that provides the script with the hash in the File_Hash field of the FireEye event.

     

     

    Make any other relevant changes and select "OK".  In the "Alarm Settings" window, make any other changes that you feel would apply to your organization and then hit "Finish".



    Now, when you receive that event from FireEye, an alarm will be triggered and it will automatically execute the script and pass it the file hash associated with the event.
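
    The hash reaches the Linux server as a command-line argument taken from an event field, so it is worth validating before addHash.py acts on it. The following is an added example, not part of the original guide or of McAfee's script, written for Python 3. The function names and the environment variable names EPO_IP, EPO_USER and EPO_USER_PWD are assumptions; ePOIP, ePOUser and ePOUserPwd are the settings named above.

```python
import os
import re
import sys

# Hex digest lengths for the hash types a file-reputation feed normally carries.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def parse_hash(value):
    """Return (hash_type, lowercase_hex); refuse anything that is not a plain hex digest."""
    candidate = value.strip()
    if not HEX_RE.fullmatch(candidate):
        raise ValueError("hash contains non-hex characters")
    hash_type = HASH_TYPES.get(len(candidate))
    if hash_type is None:
        raise ValueError("unexpected digest length %d" % len(candidate))
    return hash_type, candidate.lower()


def load_epo_settings(env=os.environ):
    """Read ePOIP, ePOUser and ePOUserPwd from the environment (variable names are
    assumptions) so the password is not stored in a script under /var/tmp/tie."""
    names = {"ePOIP": "EPO_IP", "ePOUser": "EPO_USER", "ePOUserPwd": "EPO_USER_PWD"}
    missing = [var for var in names.values() if not env.get(var)]
    if missing:
        raise KeyError("missing environment variables: " + ", ".join(missing))
    return {key: env[var] for key, var in names.items()}


def main(argv):
    if len(argv) != 2:
        print("usage: check_hash.py <file_hash>", file=sys.stderr)
        return 2
    try:
        hash_type, digest = parse_hash(argv[1])
    except ValueError as err:
        # Non-zero exit so a rejected value is visible instead of being sent on.
        print("rejected: %s" % err, file=sys.stderr)
        return 1
    print("%s %s" % (hash_type, digest))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    The same parse_hash check can be placed at the top of addHash.py itself, so that a malformed File_Hash value never reaches the ePO call.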

     

    As the events populate the dashboard, you'll also notice that the alarm we created has been triggered.  To confirm this, open your ePO console and go to Menu --> Systems --> TIE Reputations.

     

     

    On the TIE Reputations page, find the tab labeled "File Overrides". The newly imported file reputation should be near the top. Drill into the file reputation by clicking on the event.  A detailed list of the imported information is available for review.