MISP - McAfee Active Response integration
This Integration adds automated hunting capabilities to the MISP platform with McAfee Active Response.
Based on tagging, a script will extract suspicious MD5 hashes from a threat event and launch automated McAfee Active Response lookups. If indicators are found within the enterprise, the script will automatically retag the threat event and add sightings and comments with the findings.
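The hunting loop described above, as an added example that is not the project's misp_mar.py: the hash extraction, the Active Response query and the retag decision are written as pure functions so they can be exercised offline. The MISP event shape (`Event.Attribute` entries of type `md5` / `filename|md5`), the `dxlmarclient` `MarClient.search()` condition syntax and its result layout, and the sample event are assumptions.

```python
import re
from typing import Callable, List, Set

# Added illustration, not the project's misp_mar.py. The MISP event shape and the
# dxlmarclient search/result format are assumptions taken from those projects' docs.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def extract_md5s(event: dict) -> Set[str]:
    """Collect well-formed MD5s from a MISP event ('md5' and 'filename|md5' types).
    Values that are not 32 hex chars are dropped before any MAR query is built."""
    hashes = set()
    for attr in event.get("Event", {}).get("Attribute", []):
        if attr.get("type") in ("md5", "filename|md5"):
            value = attr.get("value", "").split("|")[-1].strip().lower()
            if MD5_RE.match(value):
                hashes.add(value)
    return hashes

def build_mar_conditions(hashes: Set[str]) -> dict:
    """Condition block for MarClient.search(): OR of 'Files.md5 EQUALS <hash>'."""
    return {"or": [{"and": [{"name": "Files", "output": "md5",
                             "op": "EQUALS", "value": h}]} for h in sorted(hashes)]}

def mar_lookup(mar_client, md5: str) -> List[str]:
    """Hostnames on which Active Response has seen `md5` (assumed dxlmarclient API)."""
    ctx = mar_client.search(
        projections=[{"name": "HostInfo", "outputs": ["hostname"]}],
        conditions=build_mar_conditions({md5}))
    if not ctx.has_results:
        return []
    return [item["output"]["HostInfo|hostname"] for item in ctx.get_results()["items"]]

def hunt(event: dict, lookup: Callable[[str], List[str]],
         found_tag: str = "indicator_found") -> dict:
    """Run `lookup` (the MAR call in production, injected here) for every hash and
    decide the new tag, which hashes get a sighting, and the comment to add."""
    found = {h: hosts for h in sorted(extract_md5s(event)) if (hosts := lookup(h))}
    return {
        "tag": found_tag if found else None,           # retag only on a hit
        "sightings": sorted(found),                    # one sighting per seen hash
        "comment": "; ".join(f"{h} seen on {', '.join(v)}" for h, v in found.items()),
    }

# Constructed sample event: two valid hashes, one malformed value, one non-MD5 type.
SAMPLE_EVENT = {"Event": {"Attribute": [
    {"type": "md5", "value": "D41D8CD98F00B204E9800998ECF8427E"},
    {"type": "filename|md5", "value": "dropper.exe|0cc175b9c0f1b6a831c399e269772661"},
    {"type": "md5", "value": "not-a-hash"},
    {"type": "sha1", "value": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
]}}
```

In the real script `lookup` would be `functools.partial(mar_lookup, MarClient(dxl_client))`, and the returned tag, sightings and comment are pushed back to MISP with PyMISP.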
MISP threat sharing platform is a free and open source software helping information sharing of threat and cyber security indicators. https://github.com/MISP/MISP
McAfee Active Response is an endpoint detection and response solution. It provides the capability to query endpoints in real time. https://www.mcafee.com/in/products/active-response.aspx
MISP platform (Link) (tested with MISP 2.4.86)
```shell
git clone https://github.com/MISP/PyMISP.git
cd PyMISP/
python setup.py install
```
OpenDXL SDK (Link)
```shell
git clone https://github.com/opendxl/opendxl-client-python.git
cd opendxl-client-python/
python setup.py install
```
OpenDXL MAR SDK (Link)
```shell
git clone https://github.com/opendxl/opendxl-mar-client-python.git
cd opendxl-mar-client-python/
python setup.py install
```
McAfee ePolicy Orchestrator, DXL Broker, Active Response
Enter the MISP URL and access key in the misp_mar.py file (lines 68, 69).
Create a tag that the analyst uses to initiate the hunting process. (e.g. investigate).
Create a tag that will be assigned to events where indicators are found (e.g. Indicator_Found).
Enter the tags in the misp_mar.py file (lines 66, 67).
```python
if __name__ == '__main__':
    tag = "investigate"        # Enter the tag to search for
    ntag = "indicator_found"   # Enter the new tag to assign when indicators are found
    url = "https://misp-ip/"   # Enter the MISP IP
    key = "api key"            # Enter the MISP API key
```
Create certificates for OpenDXL and move them into the config folder (Link).
Make sure to authorize the newly created certificates in ePO to use the McAfee Active Response API (Link).
Make sure that the FULL PATH to the config file is entered in line 10 (mar.py).
Run the script as a cron job:
```shell
sudo crontab -e
```
Enter at the bottom, e.g.:
```
*/1 * * * * python /home/misp_mar/misp_mar.py > /home/misp_mar/output.log
```
This will run the script every minute and create an output file.
MISP contains global, community and locally produced intelligence that can be used with McAfee Active Response for automated threat hunting.