This integration focuses on threat intelligence sharing between McAfee NSM and the orchestration platform Phantom. The Phantom NSM App provides the capability to publish and ingest threat information.
This App supports the following actions:
- test connectivity - validate the asset configuration for connectivity using supplied configuration
- block ip - quarantine an IP address for a given time
- unblock ip - unquarantine an IP address
- get alert - get alert details from McAfee NSM
- on poll - ingest McAfee NSM alerts automatically
Phantom is a community powered security automation and orchestration platform. https://www.phantom.us/
McAfee NSM gives visibility and control over all McAfee IPS sensors deployed across the enterprise network. https://www.mcafee.com/us/products/network-security-platform.aspx
Phantom Platform tested with version 3.0.284
McAfee NSM 9.1.x (will also work with older NSM versions)
Download the latest release, open the Phantom Platform and go to Apps. Under Apps click install app and upload the tgz file.
Configure a new asset and provide an asset name. In the asset settings define the NSM IP address or hostname, username and password. To ingest alerts, specify what kind of alerts should be ingested, the time range, and optionally a filter for ingestion.
If no SensorID is defined, click the test connectivity button. The app will recognize that no SensorID is defined and will retrieve all available SensorIDs.
Enter the required SensorID in the configuration, save, and test the connectivity again.
The block and unblock IP actions will quarantine and unquarantine the IP for a given time.
For alert ingestion go to Ingest settings and click poll now. The app will reach out to NSM and ingest alerts based on the configured settings.
With this integration it is possible to connect McAfee NSM and the orchestration platform Phantom by performing key actions for threat hunting and response.