Integration between MISP platform and McAfee Active Response

MISP - McAfee Active Response integration


This integration adds automated hunting capabilities to the MISP platform using McAfee Active Response.

Based on tagging, a script extracts suspicious MD5 hashes from a threat event and launches automated McAfee Active Response lookups. If indicators are found within the enterprise, the script automatically retags the threat event and adds sightings and comments with the findings.
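The flow described above, as an added example that is not the repository's script: it extracts MD5 hashes from a MISP event (plain `md5` and composite `filename|md5` attributes), builds one Active Response query per hash, and turns any hits into the sighting, comment and retag actions the paragraph lists. The MAR search-body shape and the `HostInfo|hostname` / `HostInfo|ip_address` result keys are assumptions modelled on the OpenDXL MAR client's JSON; the lookup is injected so the example runs offline against a constructed result set instead of a DXL broker, and applying the actions with PyMISP is left to the caller.

```python
import re
from typing import Callable, Dict, List, Tuple

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
MD5_TYPES = {"md5", "filename|md5"}  # MISP attribute types that carry an MD5

# A lookup takes a MAR search body and returns MAR result items (list of dicts
# with an "output" mapping). In production this wraps MarClient.search(); here
# it is a constructed fake so the example runs offline.
MARLookup = Callable[[dict], List[dict]]


def extract_md5s(event: dict) -> List[str]:
    """Return the unique MD5s in a MISP event JSON, lower-cased, in attribute order."""
    hashes: List[str] = []
    for attr in event.get("Event", {}).get("Attribute", []):
        if attr.get("type") not in MD5_TYPES:
            continue
        value = attr.get("value", "")
        if attr["type"] == "filename|md5":
            value = value.split("|", 1)[-1]  # composite attribute: "name|hash"
        value = value.strip().lower()
        if MD5_RE.match(value) and value not in hashes:
            hashes.append(value)
    return hashes


def mar_md5_search(md5: str) -> dict:
    """Search body asking MAR which hosts hold a file with this MD5.

    Assumed shape: mirrors the dict the OpenDXL MAR client builds from its
    ProjectionConstants / ConditionConstants; not copied from the project."""
    return {
        "projections": [
            {"name": "HostInfo", "outputs": ["hostname", "ip_address"]},
            {"name": "Files", "outputs": ["name", "md5", "status"]},
        ],
        "conditions": {"or": [{"and": [
            {"name": "Files", "output": "md5", "op": "EQUALS", "value": md5}
        ]}]},
    }


def hunt_event(event: dict, lookup: MARLookup, ntag: str) -> dict:
    """Hunt one tagged event; return the MISP actions the findings imply.

    'sightings' and 'comments' are what the script would add to the event,
    'tag' is ntag when at least one hash was seen on an endpoint, else None."""
    actions: Dict[str, object] = {"hits": {}, "sightings": [], "comments": [], "tag": None}
    for md5 in extract_md5s(event):
        items = lookup(mar_md5_search(md5))
        # One row per endpoint; MAR can return several rows per host, so dedupe.
        hosts: List[Tuple[str, str]] = sorted({
            (i["output"].get("HostInfo|hostname", "?"),
             i["output"].get("HostInfo|ip_address", "?"))
            for i in items
        })
        if not hosts:
            continue
        actions["hits"][md5] = hosts
        actions["sightings"].append({"value": md5, "source": "McAfee Active Response"})
        actions["comments"].append("MD5 %s found by MAR on: %s" % (
            md5, ", ".join("%s (%s)" % h for h in hosts)))
    if actions["hits"]:
        actions["tag"] = ntag
    return actions


# Constructed MISP event in the JSON shape PyMISP returns for an event search.
SAMPLE_EVENT = {"Event": {"uuid": "constructed-uuid-0001", "info": "constructed test event", "Attribute": [
    {"type": "md5", "value": "D41D8CD98F00B204E9800998ECF8427E"},
    {"type": "filename|md5", "value": "dropper.exe|0cc175b9c0f1b6a831c399e269772661"},
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "md5", "value": "not-a-hash"},
]}}

# Constructed MAR answers keyed by MD5 (two identical rows for one host on purpose).
FAKE_MAR = {"0cc175b9c0f1b6a831c399e269772661": [
    {"output": {"HostInfo|hostname": "WS-042", "HostInfo|ip_address": "10.0.0.42",
                "Files|md5": "0cc175b9c0f1b6a831c399e269772661"}},
    {"output": {"HostInfo|hostname": "WS-042", "HostInfo|ip_address": "10.0.0.42",
                "Files|md5": "0cc175b9c0f1b6a831c399e269772661"}},
]}


def fake_lookup(body: dict) -> List[dict]:
    """Stand-in for MarClient.search(): answer from the constructed table."""
    md5 = body["conditions"]["or"][0]["and"][0]["value"]
    return FAKE_MAR.get(md5, [])


if __name__ == "__main__":
    print(hunt_event(SAMPLE_EVENT, fake_lookup, "indicator_found"))
```

Swapping `fake_lookup` for a function that opens a `DxlClient` from the config file, wraps it in `MarClient` and calls `search()` with the projections and conditions above is the only change needed to run this against a real broker; the retag keeps the original hunting tag in place and only adds `ntag`, matching the page's description of retagging an event where indicators were found.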

[Screenshot (2018-06-29) not reproduced here]

Component Description

MISP threat sharing platform is free and open-source software that supports the sharing of threat and cyber-security indicators.

McAfee Active Response is an endpoint detection and response solution. It provides the capability to query endpoints in real time.


MISP platform (Link) (tested with MISP 2.4.86)

PyMISP (Link)

git clone
cd PyMISP/
python install

Requests (Link)

OpenDXL SDK (Link)

git clone
cd opendxl-client-python/
python install

OpenDXL MAR SDK (Link)

git clone
cd opendxl-mar-client-python/
python install

McAfee ePolicy Orchestrator, DXL Broker, Active Response


Enter the MISP URL and access key in the file (lines 68, 69).

Create a tag that the analyst uses to initiate the hunting process (e.g. investigate).

Create a tag that will be assigned to events where indicators are found (e.g. Indicator_Found).

Enter the tags in the file (lines 66, 67).

if __name__ == '__main__':

    tag = "investigate"         # Enter the tag to search for
    ntag = "indicator_found"    # Enter the new tag to assign when indicators are found
    url = "https://misp-ip/"    # Enter the MISP URL
    key = "api key"             # Enter the MISP API key

Create certificates for OpenDXL and move them into the config folder (Link).

Make sure to authorize the newly created certificates in ePO to use the McAfee Active Response API (Link).

Make sure that the FULL PATH to the config file is entered in line 10 (


Run the script as a cron job:

sudo crontab -e

Enter at the bottom, e.g.:

*/1 * * * * python /home/misp_mar/ > /home/misp_mar/output.log

This runs the script every minute and writes its output to the log file.
MISP contains global, community and locally produced intelligence that can be used with McAfee Active Response for automated threat hunting.