This integration is focusing on the threat intelligence sharing with McAfee OpenDXL and the orchestrations platform Phantom. This App provides the capability to subscribe and publish DXL Threat Information. This App supports the following actions:
- test connectivity - Validate the asset configuration for DXL connectivity.
- post ip - Push an event over the McAfee DXL fabric
- set reputation - Push a MD5 Hash into the TIE Database
- file reputation - Receive File Reputations from McAfee TIE
- hunt file - Lookup MD5 Hash with McAfee Active Response
- lookup service - Communicate to a DXL services and parse response.
- on poll - Subscribe to DXL Topics and poll DXL messages.
More actions will follow in the future.
Phantom is a community powered security automation and orchestration platform. https://www.phantom.us/
Phantom Platform (tested with version 4.6.19142)
McAfee ePolicy Orchestrator (tested with version 5.10)
McAfee DXL Broker (tested with version 5.x)
The app includes already OpenDXL libraries that don't need to be configured. The dxl.tgz will download all required dependencies from the internet. If no internet connection is available please use the dxl_standalone.tgz that includes all dependencies already.
Open the Phantom platform and go to Apps. Under Apps click install app and upload the tgz file.
Configure a new asset and provide an asset name. In the asset settings define the ePO IP/Hostname or OpenDXL Broker IP/Hostname, Port, Username and Password. Optionally DXL test message, DXL topic for subscription and a Phantom Authorization Token. The authorization token can be created in the Phantom User Management.
The parser for ATD DXL messages (Topic: /mcafee/event/atd/file/report) and TIE File Reputation Changes (Topic: /mcafee/event/tie/file/repchange/broadcast) are included already.
Click test connectivity. This will check if certificates got created already if not it will generate new certiticates and add them to ePO or OpenDXL Broker. After the certificates got created the app will publish a DXL message on the following test topic - /phantom/event/test.
Optional create an OpenDXL subscriber to listen and visualize the test message. (e.g. https://github.com/opendxl/opendxl-console).
To use the Phantom app to subscribe to DXL messages go to Ingest settings and define the label that should apply to objects from this source. Click poll now.
The poll now will check if a DXL subscriber script is running already and will stop it. It will check if the configured DXL topic is already in the DXL subscriber script. If not it will add the new topic to the script and start the subscriber.
For the TIE component, the certificates must be authorized to Set Enterprise / External Reputations. Follow the following KB.
https://opendxl.github.io/opendxl-tie-client-python/pydoc/basicsetreputationexample.html
The same authotization must be granted to the McAfee Active Response Server API.
https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html
!!! Please keep in mind the username and password will only be used during setup (certificate creation process). Afterward the username and password can be changed !!!
With this integration it is possible to extend capabilities of the McAfee DXL messaging fabric as well as the Phantom Platform by performing key action for containment and remediation.