
ESM 10 - How to Import File Reputations from a Third-Party Tool into McAfee TIE


This guide illustrates the process of importing a reputation from a third party, in this case FireEye, into the TIE server to protect your organization's endpoints. TIE maintains a database of information about the files running in your environment. When TIE determines that a file is malicious, a policy-based action can be taken to protect your organization from it. File reputations can come from many sources. In this example we'll use a FireEye file analysis result to add a new reputation to the TIE server, but the procedure can be used for other products as well.


McAfee Enterprise Security Manager (SIEM) ver 10 or newer

McAfee Threat Intelligence Exchange ver. 2.0

FireEye as an added device within the McAfee ESM (with file hash)

Server with SSH and Python enabled (this was tested with Ubuntu Server)


File reputation information can be passed from a third-party security tool to TIE via the McAfee ESM. It relies on the script (located at the end of this document).

To use the script, it is recommended to set up a Linux server with SSH and Python enabled. It is also required to have the files and from the McAfee Python Remote Client. To download the McAfee Remote Client, go to your McAfee My Products Download Site, select McAfee ePolicy Orchestrator 5.3, and click on the Other tab. Here, you can download the Python Remote Client and within this zip file is the and

Upload the three script files (,, and to a location on the Linux server. This Linux server should be a standalone server and not a McAfee appliance (such as the SIEM or TIE server). In this document, the files were placed in the /var/tmp/tie directory of an Ubuntu Server.

Within the script, modify the ePOIP, ePOUser, and ePOUserPwd to match the configuration of your ePO environment.

Now that the file is in place, we can call the file from the McAfee ESM and automatically feed the third party threat intelligence to McAfee TIE. We'll create a new alarm to provide the feed.

The initial step is to create a new alarm from the Signature ID. Select the FireEye event with the malicious file hash and click on the Details tab.

Click on the 3-dots button and go to Actions --> Create new alarm from --> Signature ID

On the Alarm Settings window, give your alarm a name. In our case we used "FireEye Pass MD5 to TIE".

Go to the "Actions" tab to configure the action to take when the new alarm is seen in the SIEM. Check the "Execute remote command:" box and then hit the Configure button. We'd like to pass the newly imported file hash and threat level to the TIE server. This will allow threats of specific threat levels to be blocked at all endpoints in our organization.

In the "Execute Remote Command Configuration" window, use the following Python string and the Linux server credentials to configure the alarm and the action. This command calls the script, and [$%File_Hash] is a variable that provides the script with the hash in the File_Hash field of the FireEye event.

Make any other relevant changes to and select "OK". In the "Alarm Settings" window, make any other changes that you feel would apply to your organization and then hit "Finish".

Now, when you receive that event from FireEye, an alarm will be triggered and it will automatically execute the script and pass it the file hash associated with the event.
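Because the script receives the File_Hash value as a command-line argument taken from event data, it is worth validating that argument before it is used. The sketch below is an added example, not the script from the original guide; the function names and the accepted digest types (MD5, SHA-1, SHA-256) are assumptions, and it stops before any call to ePO.

```python
import re
import sys

# Hex digest lengths accepted by this sketch (assumption: the File_Hash
# field carries an MD5, SHA-1 or SHA-256 digest).
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_ONLY = re.compile(r"[0-9A-Fa-f]+")


def parse_file_hash(arg):
    """Return (hash_type, lowercase_hex) or raise ValueError.

    Rejects empty values, an unsubstituted ESM variable, and anything
    that is not pure hex of a known digest length.
    """
    value = arg.strip()
    if not value:
        raise ValueError("File_Hash is empty")
    if "$%" in value:
        # The alarm passed the literal template text instead of a hash.
        raise ValueError("ESM variable was not substituted")
    if not HEX_ONLY.fullmatch(value):
        raise ValueError("File_Hash contains non-hex characters")
    hash_type = HASH_TYPES.get(len(value))
    if hash_type is None:
        raise ValueError("unexpected digest length %d" % len(value))
    return hash_type, value.lower()


def main(argv):
    # Exactly one argument is expected from the alarm's remote command.
    if len(argv) != 2:
        print("usage: %s <file_hash>" % argv[0], file=sys.stderr)
        return 2
    try:
        hash_type, digest = parse_file_hash(argv[1])
    except ValueError as exc:
        print("rejected File_Hash: %s" % exc, file=sys.stderr)
        return 1
    # Only a validated value reaches this point; the reputation update
    # would be made here with hash_type and digest.
    print("%s %s" % (hash_type, digest))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit code on rejection lets the failure show up on the Linux server instead of an empty or malformed value being submitted as a reputation.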

As the events populate the dashboard, you'll also notice that the alarm we created has been triggered. To confirm this, open your ePO console and go to Menu --> Systems --> TIE Reputations.

In the TIE Reputations page, find the tab labeled "File Overrides". The newly imported file reputation should be near the top. Drill into the file reputation by clicking on the event. A detailed list of the imported information is available for review.


Version history
Revision #:
1 of 1
Last update:
‎03-16-2017 05:27 PM