Leveraging the McAfee Data Exchange Layer (DXL), McAfee Threat Intelligence Exchange (TIE) combines multiple threat information sources and instantly shares this data with all your connected security solutions, including third-party solutions.
This document provides information about the McAfee TIE connector, which facilitates automated interactions with McAfee TIE using FortiSOAR™ playbooks. Add the McAfee TIE connector as a step in FortiSOAR™ playbooks and perform automated operations, such as setting the 'Enterprise' reputation of a specified file and retrieving the reputation for the specified hash from McAfee TIE.
Connector Version: 1.0.0
Authored By: Fortinet
Certified: No
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the `yum` command as a root user to install the connector:
`yum install cyops-connector-mcafee-tie`
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the McAfee Threat Intelligence Exchange connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Broker CA Certificates Content | Bundle file that contains the broker CA certificates in the PEM format. |
Client Certificates Content | Client certificate file in the PEM format. |
Client Private Key Path | Client private key file in PEM format. |
Brokers urls | List of DXL message brokers that are available for connections on the fabric. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
Note: The procedure for generating certificates is mentioned in the Generating CA Certificates topic.
Server Settings page, in the Settings Categories field, search for DXL Certificates:

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Set File Reputation | Sets the 'Enterprise' reputation of a file that you have specified in McAfee TIE based on the hash value, trust value, and other input parameters you have specified. | set_file_reputation Investigation |
Get File Reputation | Retrieves the reputation of a specific file from McAfee TIE based on the hash value you have specified. | get_file_reputation Investigation |
Get File References | Retrieves the set of systems that have been referenced (generally those that have been executed) for a specific file from McAfee TIE based on the hash value you have specified. | get_file_references Investigation |

Set File Reputation parameters:

Parameter | Description |
---|---|
Hash Type | Type of file hash whose reputation you want to set in McAfee TIE. You can choose between MD5, SHA1, or SHA256. |
Hash | Value of the file hash whose reputation you want to set in McAfee TIE. |
Trust Level | The trust level that you want to set for the specified file in McAfee TIE. |
File Name | (Optional) A file name that you want to associate with the specified file in McAfee TIE. |
Comment | (Optional) A comment that you want to associate with the specified file in McAfee TIE. |
The output contains a non-dictionary value.

Get File Reputation parameters:

Parameter | Description |
---|---|
Hash Type | Type of file hash whose reputation you want to retrieve from McAfee TIE. You can choose between MD5, SHA1, or SHA256. |
Hash | Value of the file hash whose reputation you want to retrieve from McAfee TIE. |
The output contains a non-dictionary value.

Get File References parameters:

Parameter | Description |
---|---|
Hash Type | Type of file hash whose referenced set of systems (generally those that have been executed) you want to retrieve from McAfee TIE. You can choose between MD5, SHA1, or SHA256. |
Hash | Value of the file hash whose referenced set of systems (generally those that have been executed) you want to retrieve from McAfee TIE. You can choose between MD5, SHA1, or SHA256. |
The output contains a non-dictionary value.
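
Added example (not part of the connector or of the original page): a pre-flight check that a playbook step could run before any of the three operations, confirming that Hash Type and Hash describe the same digest. The helper name `normalize_hash_input`, its `for_set` flag, and the rule that blocks the empty-file digest for Set File Reputation are assumptions made for this illustration.

```python
import hashlib
import re

# Hex digest length for each Hash Type the operations accept.
HEX_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64}

# Digests of zero-byte input, computed rather than typed. Every empty file
# shares them, so a reputation set on one applies to all empty files.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
}


class HashInputError(ValueError):
    """Raised when Hash Type and Hash do not describe one valid digest."""


def normalize_hash_input(hash_type, hash_value, for_set=False):
    """Return (hash_type, hash) cleaned up for a TIE operation.

    for_set=True applies the stricter rule meant for Set File Reputation.
    Hypothetical helper, not part of the connector.
    """
    kind = str(hash_type).strip().upper().replace("-", "")
    if kind not in HEX_LENGTHS:
        raise HashInputError(f"unsupported Hash Type: {hash_type!r}")
    digest = str(hash_value).strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise HashInputError("Hash is not a hexadecimal string")
    if len(digest) != HEX_LENGTHS[kind]:
        # Name the type the length actually matches, if any.
        actual = [k for k, n in HEX_LENGTHS.items() if n == len(digest)]
        hint = f" (length matches {actual[0]})" if actual else ""
        raise HashInputError(f"Hash is not a valid {kind} digest{hint}")
    if for_set and digest == EMPTY_DIGESTS[kind]:
        raise HashInputError("refusing to set reputation for the empty-file digest")
    return kind, digest


if __name__ == "__main__":
    # Constructed sample: digest of made-up bytes, not a real indicator.
    sample = hashlib.sha256(b"constructed sample file").hexdigest()
    print(normalize_hash_input(" sha-256 ", sample.upper(), for_set=True))
```
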
The Sample - McAfee TIE - 1.0.0 playbook collection comes bundled with the McAfee TIE connector. This playbook contains steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the McAfee TIE connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.