
McAfee TIE v1.0.0


About the connector

Leveraging the McAfee Data Exchange Layer (DXL), McAfee Threat Intelligence Exchange (TIE) combines multiple threat information sources and instantly shares this data with all your connected security solutions, including third-party solutions.

This document provides information about the McAfee TIE connector, which facilitates automated interactions with McAfee TIE using FortiSOAR™ playbooks. Add the McAfee TIE connector as a step in FortiSOAR™ playbooks and perform automated operations, such as setting the 'Enterprise' reputation of a specified file and retrieving the reputation for the specified hash from McAfee TIE.

Version information

Connector Version: 1.0.0

Authored By: Fortinet

Certified: No

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:

yum install cyops-connector-mcafee-tie

Prerequisites to configuring the connector

  • You must have the Bundle file that contains the broker CA certificates in the PEM format and the client certificate file and private key file required to access McAfee TIE.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on McAfee TIE.

Minimum Permissions Required

  • Not applicable

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the McAfee Threat Intelligence Exchange connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:

| Parameter | Description |
|---|---|
| Broker CA Certificates Content | Bundle file that contains the broker CA certificates in the PEM format. |
| Client Certificates Content | Client certificate file in the PEM format. |
| Client Private Key Path | Client private key file in PEM format. |
| Brokers urls | List of DXL message brokers that are available for connections on the fabric. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |

Note: The procedure for generating certificates is mentioned in the Generating CA Certificates topic.

Generating CA certificates

  1. Generate the RSA key pairs using OpenSSL. For more information, refer to the following link: https://opendxl.github.io/opendxl-client-python/pydoc/certcreation.html?highlight=key%20pair
  2. Log in to the ePO server and navigate to Menu > Server Settings.
  3. On the Server Settings page, in the Settings Categories field, search for DXL Certificates.
  4. Select DXL certificates (Third Party).
  5. Click the Edit option in the bottom-right corner.
  6. Export the Broker Certificates.
  7. Export the Broker List.
  8. Import the client certificate file by clicking the Import option.
  9. In Import Certificate(s), browse to and upload the generated client.crt file, and then click OK.
  10. Click the Save option in the bottom-right corner.
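Before pasting the exported broker CA bundle, the client certificate, and the client private key into the connector configuration, it helps to confirm that each value is the kind of PEM material its field expects and that Verify SSL is enabled. The following Python sketch is an added example, not part of the connector or of Fortinet's documentation; the function names and the sample PEM values are constructed for illustration, and the check is structural only (it does not prove that the certificate and key belong together).

```python
import base64
import re

# Matches one PEM block and captures its label and base64 body.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] for each well-formed PEM block in text."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # corrupted body: treat the block as absent
        blocks.append((label, der))
    return blocks

def preflight(ca_bundle, client_cert, client_key, verify_ssl):
    """Return a list of problems found in the connector configuration values."""
    problems = []
    ca = [lbl for lbl, _ in pem_blocks(ca_bundle)]
    cert = [lbl for lbl, _ in pem_blocks(client_cert)]
    key = [lbl for lbl, _ in pem_blocks(client_key)]
    if not ca or any(lbl != "CERTIFICATE" for lbl in ca):
        problems.append("Broker CA bundle must contain only CERTIFICATE blocks")
    if cert != ["CERTIFICATE"]:
        problems.append("Client certificate must be exactly one CERTIFICATE block")
    if len(key) != 1 or not key[0].endswith("PRIVATE KEY"):
        problems.append("Client private key must be exactly one PRIVATE KEY block")
    if any(lbl.endswith("PRIVATE KEY") for lbl in ca + cert):
        problems.append("Private key material found in a certificate field")
    if not verify_ssl:
        problems.append("Verify SSL is off: the server certificate is not verified")
    return problems

def _fake_pem(label, payload):
    """Constructed sample: wraps arbitrary bytes in PEM armor (not a real cert/key)."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, base64.b64encode(payload).decode(), label)

CA = _fake_pem("CERTIFICATE", b"ca-1") + _fake_pem("CERTIFICATE", b"ca-2")
CERT = _fake_pem("CERTIFICATE", b"client")
KEY = _fake_pem("RSA PRIVATE KEY", b"key")

if __name__ == "__main__":
    print(preflight(CA, CERT, KEY, True))    # clean configuration
    print(preflight(CA, KEY, CERT, False))   # fields swapped, verification off
```

A private key pasted into a certificate field is the finding to act on first, because that value may then be stored or displayed with less protection than a key field would get.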

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

| Function | Description | Annotation and Category |
|---|---|---|
| Set File Reputation | Sets the 'Enterprise' reputation of a file that you have specified in McAfee TIE based on the hash value, trust value, and other input parameters you have specified. | set_file_reputation; Investigation |
| Get File Reputation | Retrieves the reputation of a specific file from McAfee TIE based on the hash value you have specified. | get_file_reputation; Investigation |
| Get File References | Retrieves the set of systems that have been referenced (generally those that have been executed) for a specific file from McAfee TIE based on the hash value you have specified. | get_file_references; Investigation |

operation: Set File Reputation

Input parameters

| Parameter | Description |
|---|---|
| Hash Type | Type of file hash whose reputation you want to set in McAfee TIE. You can choose between MD5, SHA1, or SHA256. |
| Hash | Value of the file hash whose reputation you want to set in McAfee TIE. |
| Trust Level | The trust level that you want to set for the specified file in McAfee TIE. |
| File Name | (Optional) A file name that you want to associate with the specified file in McAfee TIE. |
| Comment | (Optional) A comment that you want to associate with the specified file in McAfee TIE. |

Output

The output contains a non-dictionary value.

operation: Get File Reputation

Input parameters

| Parameter | Description |
|---|---|
| Hash Type | Type of file hash whose reputation you want to retrieve from McAfee TIE. You can choose between MD5, SHA1, or SHA256. |
| Hash | Value of the file hash whose reputation you want to retrieve from McAfee TIE. |

Output

The output contains a non-dictionary value.

operation: Get File References

Input parameters

| Parameter | Description |
|---|---|
| Hash Type | Type of file hash whose referenced set of systems (generally those that have been executed) you want to retrieve from McAfee TIE. You can choose between MD5, SHA1, or SHA256. |
| Hash | Value of the file hash whose referenced set of systems (generally those that have been executed) you want to retrieve from McAfee TIE. You can choose between MD5, SHA1, or SHA256. |

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - McAfee TIE - 1.0.0 playbook collection comes bundled with the McAfee TIE connector. The playbooks in this collection contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the McAfee TIE connector.

  • Get File References
  • Get File Reputation
  • Set File Reputation

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
