How to Import File Reputations from a Third Party Tool into McAfee TIE

Introduction

This guide was created to illustrate the process of importing a reputation from a third party, in this case FireEye, into the TIE server to protect your organization's endpoints. TIE maintains a database of information about the files running in your environment. When a file is determined to be malicious in TIE, a policy-based action can be taken to protect your organization from malicious files. File reputations can come from many sources; in this example we'll use a FireEye file analysis result to add a new reputation to the TIE Server, but the procedure can be used with other products as well.

Video

Coming Soon

Prerequisites


McAfee Enterprise Security Manager (SIEM) ver 9.x or newer

McAfee Threat Intelligence Exchange ver. 1.2

FireEye as an added device within the McAfee ESM (with file hash)

Server with SSH and Python enabled (this was tested with Ubuntu Server)

Configuration

File reputation information can be passed from a third party security tool to TIE via the McAfee ESM. The process relies on the script addHash.py (located at the end of this document).

To use the script, it is recommended to set up a Linux server with SSH and Python enabled. You also need the files mcafee.py and urlquote.py from the McAfee Python Remote Client. To download the McAfee Remote Client, go to your McAfee My Products Download Site, select McAfee ePolicy Orchestrator 5.3, and click on the Other tab. Here you can download the Python Remote Client; the zip file contains mcafee.py and urlquote.py.



Upload the three script files (addHash.py, mcafee.py, and urlquote.py) to a location on the Linux server. This Linux server should be a standalone server and not a McAfee appliance (such as the SIEM or TIE server). In this document, the files were placed in the /var/tmp/tie directory of an Ubuntu Server.

Within the addHash.py script, modify the ePOIP, ePOUser, and ePOUserPwd to match the configuration of your ePO environment.

[Screenshot: Ubuntu-2015-12-14-11-59-53.png]

Now that the addHash.py file is in place, we can call the file from the McAfee ESM and automatically feed the third party threat intelligence to McAfee TIE. We'll create a new alarm to provide the feed.

The initial step is to create a new alarm from the Signature ID. Select the FireEye event with the malicious file hash and click on the Details tab. Click on the menu button and go to Actions --> Create new alarm from --> Signature ID.

[Screenshot: addhash4.png]

On the Alarm Settings window, give your alarm a name; in our case we used "FireEye Pass MD5 to TIE".

Go to the "Actions" tab to configure the action to take when the new alarm is seen in the SIEM. Check the "Execute remote command:" box and then hit the Configure button. We'd like to pass the newly imported file hash and threat level to the TIE server. This will allow threats of specific threat levels to be blocked at all endpoints in our organization.


In the "Execute Remote Command Configuration" window, use the following Python command string and the Linux server credentials to configure the alarm and the action. This command calls the addHash.py script; [$%File_Hash] is a variable that provides the script with the hash in the File_Hash field of the FireEye event.

Make any other relevant changes and select "OK". In the "Alarm Settings" window, make any other changes that you feel would apply to your organization and then hit "Finish".


Now, when you receive that event from FireEye, it will automatically execute the script and pass it the file hash associated with the event.

As the events populate the dashboard, you'll also notice that the alarm we created has been triggered. To confirm this, open your ePO console and go to Menu --> Systems --> TIE Reputations.

In the TIE Reputations page, find the tab labeled "File Overrides". The newly imported file reputation should be near the top; drill into it by clicking on the entry. A detailed list of the imported information is available for review.
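The article's addHash.py is an attachment and is not reproduced on this page, so the script below is an added example of what the receiving end of the "Execute remote command" string should do before anything reaches TIE; it is not the author's script and does not contain the mcafee.py call. Every ESM field substituted into the command (such as [$%File_Hash]) is untrusted event data arriving as a shell argument, so the example rejects anything that is not a plain MD5, SHA1 or SHA256 hex digest, classifies the hash type by length (which also answers the later question about passing an MD5 versus a SHA256 field), and writes its own log file instead of relying on `>> addhash.log`, because Python prints errors and tracebacks to stderr, which `>>` does not capture. The function names, the THREAT_LEVELS tuple, the reputation record layout and the log file path are assumptions of this example, not TIE or ePO identifiers.

```python
#!/usr/bin/env python
"""Added example (not the article's addHash.py): validate a file hash received
from an ESM alarm before it is forwarded to TIE, and log errors to a file."""
import logging
import re
import sys

LOG_FILE = "addhash.log"  # assumption: written in the script's working directory

# Hex digest lengths for the hash types a third-party event may carry.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Threat levels this example accepts; the names are this example's own
# (assumption), not TIE's reputation enumeration.
THREAT_LEVELS = ("known_malicious", "most_likely_malicious", "might_be_malicious")


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' for a well-formed hex digest, else None."""
    if not isinstance(value, str) or not HEX_RE.match(value):
        return None
    return HASH_TYPES.get(len(value))


def parse_args(argv):
    """Parse [script, hash, optional threat level]; raise ValueError on bad input.

    If the alarm passes several fields separated by spaces, each one arrives
    as its own argv entry, so only argv[1] is treated as the hash here.
    """
    if len(argv) < 2:
        raise ValueError("usage: addHash.py <hash> [threat_level]")
    digest = argv[1].strip().lower()
    hash_type = classify_hash(digest)
    if hash_type is None:
        raise ValueError("not an MD5/SHA1/SHA256 hex digest: %r" % argv[1])
    level = argv[2] if len(argv) > 2 else "most_likely_malicious"
    if level not in THREAT_LEVELS:
        raise ValueError("unknown threat level: %r" % level)
    return {"hash_type": hash_type, "hash": digest, "threat_level": level}


def build_reputation(args):
    """Build the record this example would hand to the ePO client.

    The layout is this example's own (assumption); the real mcafee.py / TIE
    call is not shown because its parameters are not on the page.
    """
    return {
        "hashes": {args["hash_type"]: args["hash"]},
        "reputation": args["threat_level"],
        "comment": "Imported from ESM alarm",
    }


def main(argv):
    logging.basicConfig(filename=LOG_FILE, level=logging.INFO,
                        format="%(asctime)s %(levelname)s %(message)s")
    try:
        args = parse_args(argv)
    except ValueError as exc:
        # Errors land in addhash.log even when stderr is not redirected.
        logging.error("rejected input: %s", exc)
        return 2
    record = build_reputation(args)
    logging.info("validated %s, would submit %s", args["hash_type"], record)
    # Hypothetical submission point: create the mcafee.py client with the
    # ePOIP / ePOUser / ePOUserPwd settings and pass `record` to the TIE command.
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it exactly as the alarm would, e.g. `python addHash.py 387c08643f20e3786bdc920daf34773e`, and check addhash.log in the working directory; a rejected argument returns exit code 2 so the failure is visible to whatever launched the script.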

Comments

Having run through the process I have a few questions.

I am looking at a Check Point event which is being parsed by ESM and includes 3 hash values (MD5, SHA1 and SHA256). The command string you show has File_hash, which is not a field that is being parsed out as far as I can tell.

Do I need to edit the .py script to read MD5_hash vs the generic File_hash?

Where would I check for any errors that might be created when the alarm runs the python file? Does ESM store those somewhere?

thanks

Yes, the file_hash field does contain an MD5 hash, so if your device is providing an MD5 in a different field, you can use that in the "Execute Remote Command Configuration" step. It might pull up when you click on the little Window with the left arrow.


The ESM doesn't store an error log file on ESM, but you can execute the script directly from the Linux system that is running the script. You might also be able to use something like >> to append the output of the .py file to a text file. The command would be something like "python addHash.py [MD5_Hash] >> addhash.log" when you execute it directly on the Linux system from the directory where you have the addHash.py. You might also be able to just add the ">> addhash.log" to the end of the "Execute Remote Command Configuration" step, but you might have to test it out. I think my addhash.log file ended up in my home directory, so take a look there if it's not in the same directory that you ran the command in.

Thanks for the update, I am making progress..

I am getting a syntax error when testing from the Linux server. The pipe to log does not seem to be working either. Thanks for your help

[root@centos tie]# python addHash.py 387c08643f20e3786bdc920daf34773e >> addhash.log
  File "addHash.py", line 12
    ePOIP=[192.168.102.190]
                     ^
SyntaxError: invalid syntax

Ah, I see what the issue is. Sorry, I had made a mistake in the script when I tried to sanitize the settings. The configuration ePOIP should have single quotes and not brackets, so it should be ePOIP='192.168.102.190' instead of ePOIP=[192.168.102.190]. Same with the ePOUser and ePOUserPwd settings, none of those settings should have brackets.

I've modified the attachment with the single quotes, but you could probably just go into your file and change them yourself.

Please let me know if this helps. Thanks.

That works much better. One last question: if I wanted to bring in 3 more fields, what would the command string look like? Do I just add another bracketed field, [$%sha256_hash], or do I add all the fields in one string, [[[$%MD5_Hash $%sha256_hash,$%file_name]]]?

thanks

Something I don't understand, and maybe it has to do with a legal or (C) reason:

a) Why does the end customer have to import such files from another appliance?

b) Why doesn't McAfee centrally import the information as described for all TIE customers?

Is there a confidential part regarding filenames? As an example, a bank running a certain binary or EXE and they don't want to share that info?

Anybody from McAfee Marketing or Sales picking up a partner question?

"We are sorry, the McAfee forum is not actively monitored because we spend most of our time in HQ on the roller coaster behind the Yahoo building?"

Version history
Revision #:
1 of 1
Last update:
‎10-23-2015 08:47 AM