Threat Intelligence Sharing with McAfee OpenDXL and Phantom
mohlcyber/OpenDXL-Phantom
OpenDXL-Phantom

This integration focuses on threat intelligence sharing between McAfee OpenDXL and the security orchestration platform Phantom. The app provides the capability to subscribe to and publish DXL threat information. It supports the following actions:

  1. test connectivity - Validate the asset configuration for DXL connectivity.
  2. post ip - Push an event over the McAfee DXL fabric.
  3. set reputation - Push an MD5 hash into the TIE database.
  4. file reputation - Receive file reputations from McAfee TIE.
  5. hunt file - Look up an MD5 hash with McAfee Active Response.
  6. lookup service - Communicate with a DXL service and parse the response.
  7. on poll - Subscribe to DXL topics and poll DXL messages.

More actions will follow in the future.

Component Description

Phantom is a community-powered security automation and orchestration platform. https://www.phantom.us/

Prerequisites

Phantom Platform (tested with version 4.6.19142)

McAfee ePolicy Orchestrator (tested with version 5.10)

McAfee DXL Broker (tested with version 5.x)

Configuration

The app already includes the OpenDXL libraries, which do not need to be configured separately. dxl.tgz downloads all required dependencies from the internet. If no internet connection is available, use dxl_standalone.tgz instead, which already bundles all dependencies.

Open the Phantom platform and go to Apps. Under Apps, click Install App and upload the tgz file.


Configure a new asset and provide an asset name. In the asset settings, define the ePO IP/hostname or OpenDXL Broker IP/hostname, port, username and password. Optionally, define a DXL test message, a DXL topic for subscription and a Phantom authorization token. The authorization token can be created in the Phantom User Management.

Parsers for ATD DXL messages (topic: /mcafee/event/atd/file/report) and TIE file reputation changes (topic: /mcafee/event/tie/file/repchange/broadcast) are already included.


Click test connectivity. This checks whether certificates have already been created; if not, it generates new certificates and adds them to ePO or the OpenDXL Broker. After the certificates have been created, the app publishes a DXL message on the following test topic: /phantom/event/test.


Optionally, create an OpenDXL subscriber to listen for and visualize the test message (e.g. https://github.com/opendxl/opendxl-console).
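As an added example (not code from this app), the following script performs the round trip described above with the OpenDXL Python client: it subscribes to the app's test topic, publishes one event and decodes the copy delivered back. It assumes the dxlclient package is installed and a dxlclient.config provisioned for your broker (the path is an assumption); the JSON payload shape is constructed for the example, and decode_event drops messages on other topics or with malformed payloads rather than raising inside the callback thread.

```python
import json
import threading

TEST_TOPIC = "/phantom/event/test"  # topic the app's test connectivity publishes to


def build_test_payload(source="phantom", note="connectivity test"):
    """Encode a constructed test event as UTF-8 JSON; DXL payloads are raw bytes."""
    return json.dumps({"source": source, "note": note}).encode("utf-8")


def decode_event(topic, payload):
    """Decode a received event; return None for unexpected topics or payloads
    that are not a JSON object, so a bad message cannot crash the callback."""
    if topic != TEST_TOPIC:
        return None
    try:
        data = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return data if isinstance(data, dict) else None


def round_trip(config_file="dxlclient.config", timeout=10):
    """Subscribe to the test topic, publish one event, return the decoded copy."""
    from dxlclient.client import DxlClient
    from dxlclient.client_config import DxlClientConfig
    from dxlclient.callbacks import EventCallback
    from dxlclient.message import Event

    received = []
    done = threading.Event()

    class TestCallback(EventCallback):
        def on_event(self, event):
            decoded = decode_event(event.destination_topic, event.payload)
            if decoded is not None:
                received.append(decoded)
                done.set()

    # config_file is an assumed path to the client config created during setup
    config = DxlClientConfig.create_dxl_config_from_file(config_file)
    with DxlClient(config) as client:
        client.connect()
        client.add_event_callback(TEST_TOPIC, TestCallback())
        event = Event(TEST_TOPIC)
        event.payload = build_test_payload()
        client.send_event(event)
        done.wait(timeout)  # give the broker time to deliver the event back
    return received[0] if received else None
```

Run `round_trip()` against a broker the app has been set up with; it returns the decoded test event, or None if nothing arrived within the timeout.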

To use the Phantom app to subscribe to DXL messages, go to Ingest settings and define the label that should apply to objects from this source. Click poll now.

Poll now checks whether a DXL subscriber script is already running and stops it. It then checks whether the configured DXL topic is already in the DXL subscriber script; if not, it adds the new topic to the script and starts the subscriber.


For the TIE component, the certificates must be authorized to Set Enterprise / External Reputations. Follow this guide:

https://opendxl.github.io/opendxl-tie-client-python/pydoc/basicsetreputationexample.html

The same authorization must be granted for the McAfee Active Response Server API:

https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html

!!! Please keep in mind that the username and password are only used during setup (the certificate creation process). Afterwards, the username and password can be changed !!!

Summary

With this integration it is possible to extend the capabilities of the McAfee DXL messaging fabric as well as the Phantom platform by performing key actions for containment and remediation.
