Integration between MISP platform and McAfee Active Response
MISP - McAfee Active Response integration

This integration adds automated hunting capabilities to the MISP platform using McAfee Active Response.

Driven by tagging, a script extracts suspicious MD5 hashes from a threat event and launches automated McAfee Active Response lookups for them. If any of the indicators are found within the enterprise, the script automatically retags the threat event and adds sightings and comments with the findings.
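The tag-driven workflow described above, as an added example that is not the repository's own code: it takes a MISP event in the JSON shape the REST API returns, keeps only well-formed MD5 attributes, passes each one to a lookup callable that stands in for the Active Response query (a constructed in-memory inventory here, not the opendxl-mar-client-python call), and produces the list of MISP actions the script would take (sighting and comment per hit, retag of the event with the "found" tag). The sample event, hostnames and action names are constructed assumptions.

```python
import re

# Constructed sample event in the JSON shape MISP's REST API returns (not taken from the repo).
SAMPLE_EVENT = {"Event": {
    "id": "42", "info": "Suspicious dropper campaign", "Tag": [{"name": "investigate"}],
    "Attribute": [
        {"id": "1", "type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
        {"id": "2", "type": "md5", "value": "not-a-real-hash"},           # malformed, must be skipped
        {"id": "3", "type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
        {"id": "4", "type": "md5", "value": "9E107D9D372BB6826BD81D3542A419D6"},  # upper case, normalised
    ]}}
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def extract_md5s(event):
    """Well-formed MD5 attribute values of an event, lower-cased and de-duplicated."""
    found = []
    for attr in event["Event"].get("Attribute", []):
        value = str(attr.get("value", "")).strip().lower()
        if attr.get("type") == "md5" and MD5_RE.match(value) and value not in found:
            found.append(value)
    return found

def has_tag(event, tag):
    return any(t.get("name", "").lower() == tag.lower() for t in event["Event"].get("Tag", []))

def hunt(event, tag, ntag, lookup):
    """Plan the MISP actions for one event: skip it unless it carries `tag`; pass each MD5 to
    `lookup` (stand-in for the MAR search; returns hostnames where the file was seen); on a hit
    record a sighting and a comment per indicator, and retag the event with `ntag`."""
    if not has_tag(event, tag):
        return {"processed": False, "hits": {}, "actions": []}
    hits, actions = {}, []
    for md5 in extract_md5s(event):
        hosts = sorted(lookup(md5))
        if hosts:
            hits[md5] = hosts
            actions.append({"op": "sighting", "value": md5, "count": len(hosts)})
            actions.append({"op": "comment", "value": md5, "text": "MAR: seen on " + ", ".join(hosts)})
    if hits:  # only retag when something was actually found inside the enterprise
        actions.append({"op": "tag", "event_id": event["Event"]["id"], "name": ntag})
    return {"processed": True, "hits": hits, "actions": actions}

def fake_mar_lookup(md5):
    """Constructed stand-in for the Active Response query (the real one uses opendxl-mar-client-python)."""
    inventory = {"d41d8cd98f00b204e9800998ecf8427e": ["ws-0107", "ws-0042"]}
    return inventory.get(md5, [])

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENT, "investigate", "indicator_found", fake_mar_lookup))
```

Swapping `fake_mar_lookup` for a function that runs the real MAR search keeps the rest of the plan unchanged, and the returned action list can be replayed against MISP through PyMISP.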

Component Description

MISP threat sharing platform is free and open source software that facilitates the sharing of threat and cyber security indicators. https://github.com/MISP/MISP

McAfee Active Response is an endpoint detection and response solution. It provides the capability to query endpoints in real time. https://www.mcafee.com/in/products/active-response.aspx

Prerequisites

MISP platform (tested with MISP 2.4.86)

PyMISP

```
git clone https://github.com/MISP/PyMISP.git
cd PyMISP/
python setup.py install
```

Requests

OpenDXL SDK

```
git clone https://github.com/opendxl/opendxl-client-python.git
cd opendxl-client-python/
python setup.py install
```

OpenDXL MAR SDK

```
git clone https://github.com/opendxl/opendxl-mar-client-python.git
cd opendxl-mar-client-python/
python setup.py install
```

McAfee ePolicy Orchestrator, DXL Broker, Active Response

Configuration

Enter the MISP URL and access key in the misp_mar.py file (lines 68, 69).

Create a tag that the analyst uses to initiate the hunting process (e.g. investigate).

Create a tag that will be assigned to events where indicators are found (e.g. Indicator_Found).

Enter both tags in the misp_mar.py file (lines 66, 67).

```python
if __name__ == '__main__':

    tag = "investigate"  # Enter the tag to search for
    ntag = "indicator_found"  # Enter the new tag to assign when indicators are found
    url = "https://misp-ip/"  # Enter the MISP IP
    key = "api key"  # Enter the MISP API key
```

Create certificates for OpenDXL and move them into the config folder.

Make sure to authorize the newly created certificates in ePO so that they may use the McAfee Active Response API.

Make sure that the FULL PATH to the config file is entered on line 10 of mar.py.

Optional

Run the script as a cron job:

```
sudo crontab -e
```

Add a line at the bottom, e.g.:

```
*/1 * * * * python /home/misp_mar/misp_mar.py > /home/misp_mar/output.log
```

This will run the script every minute and write its output to the log file (the file is overwritten on each run).

Video

link: https://youtu.be/4AkLaPFCdWY

Summary

MISP contains global, community and locally produced intelligence that can be used with McAfee Active Response for automated threat hunting.