This integration focuses on threat intelligence sharing between McAfee OpenDXL and the Phantom security orchestration platform. The app publishes threat information from Phantom onto the McAfee Data Exchange Layer (DXL) messaging bus. It supports the following actions:
- push an MD5 hash into the TIE database with a reputation score (action: dxl push md5)
- push an event over the McAfee DXL fabric (action: dxl push ip)
- validate the asset configuration for DXL connectivity (action: test connectivity)
More actions will follow.
Phantom is a community-powered security automation and orchestration platform: https://www.phantom.us/
Tested with Phantom Platform version 2.1.486.
McAfee OpenDXL Certificate Files Creation (Link)
Download the latest release and extract the files. Move the certificates and config files (listed in the prerequisites) into the certs folder. The app already bundles the OpenDXL client libraries (DXL 3.1.0.586, TIE 0.1.0), which need no further configuration.
Open the Phantom platform and go to Apps. Under Apps click Install App and upload the tgz file.
Configure a new asset and give it a name. In the asset settings, define the DXL topic and a test message.
Click Test Connectivity. This publishes a DXL message carrying the test message on the configured topic.
Optionally, create an OpenDXL subscriber that listens on that topic and displays the test message, to confirm end to end that the broker accepts the app's certificate and delivers on the topic.
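The subscriber suggested in the last step, as an added example that is not part of the Phantom app or the OpenDXL project. It assumes the opendxl-client-python library (dxlclient) is installed, that a dxlclient.config plus the broker CA, client certificate and key it references live in the certs folder, and that the topic name matches the one configured on the asset (the `/phantom/test` default, `CONFIG_FILE` path and `decode_payload`/`format_event`/`listen` helper names are assumptions for this example). The display helpers are kept free of DXL imports so they can be exercised without a fabric; a payload that is not UTF-8 text is shown as hex rather than crashing the callback.

```python
"""Minimal OpenDXL subscriber for checking the Phantom 'test connectivity' action.

Added example, not code from the Phantom app. Assumes opendxl-client-python
(dxlclient) is installed and that certs/dxlclient.config points at the broker
CA, client certificate and key created for the app.
"""
import binascii
import json
import sys
import threading
from datetime import datetime, timezone

# Assumed defaults: adjust to the asset configuration in Phantom.
CONFIG_FILE = "certs/dxlclient.config"
DEFAULT_TOPIC = "/phantom/test"


def decode_payload(raw):
    """Render a DXL payload for display.

    Event payloads arrive as bytes. JSON is parsed, other UTF-8 text is
    returned as a string, and anything else is shown as hex so that a
    non-text payload never breaks the callback.
    """
    if isinstance(raw, bytes):
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return {"kind": "binary", "value": binascii.hexlify(raw).decode("ascii")}
    else:
        text = raw
    try:
        return {"kind": "json", "value": json.loads(text)}
    except ValueError:
        return {"kind": "text", "value": text}


def format_event(topic, raw, received_at=None):
    """One console line per received event: UTC timestamp, topic, payload."""
    received_at = received_at or datetime.now(timezone.utc)
    decoded = decode_payload(raw)
    return "%s topic=%s kind=%s payload=%s" % (
        received_at.strftime("%Y-%m-%dT%H:%M:%SZ"),
        topic,
        decoded["kind"],
        decoded["value"],
    )


def listen(topic, config_file=CONFIG_FILE, max_events=None, timeout=None):
    """Subscribe to `topic` and print every event until max_events or timeout.

    dxlclient is imported inside the function so the display helpers above
    can be used (and tested) on a machine without a DXL fabric.
    Returns the number of events received.
    """
    from dxlclient.callbacks import EventCallback
    from dxlclient.client import DxlClient
    from dxlclient.client_config import DxlClientConfig

    done = threading.Event()
    seen = []

    class PrintingCallback(EventCallback):
        def on_event(self, event):
            seen.append(event.destination_topic)
            print(format_event(event.destination_topic, event.payload))
            if max_events is not None and len(seen) >= max_events:
                done.set()

    config = DxlClientConfig.create_dxl_config_from_file(config_file)
    with DxlClient(config) as client:
        client.connect()
        # Registering the callback also subscribes to the topic on the broker.
        client.add_event_callback(topic, PrintingCallback())
        print("listening on %s (Ctrl-C to stop)" % topic)
        done.wait(timeout)
    return len(seen)


if __name__ == "__main__":
    listen(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_TOPIC)
```

Run it with the asset's topic as the first argument, then click Test Connectivity in Phantom: the test message should appear as a `kind=text` (or `kind=json`) line. If nothing arrives, the usual causes are a topic mismatch between the asset and the subscriber, or a client certificate that the broker does not recognize.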
For the TIE component, the Python client must be authorized to send messages to the /mcafee/service/tie/file/reputation/set topic, which belongs to the TIE Server Set Enterprise Reputation authorization group. Follow the KB articles linked below.
https://opendxl.github.io/opendxl-tie-client-python/pydoc/basicsetreputationexample.html
https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html
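What the dxl push md5 action amounts to on the wire, as an added example that is not the Phantom app's own code: validate the hash and reputation supplied by a playbook, then call the OpenDXL TIE client's set_file_reputation. It assumes opendxl-client-python (dxlclient) and opendxl-tie-client-python (dxltieclient) are installed, that certs/dxlclient.config exists, and that the client certificate has been granted the authorization described above; the `TRUST_LEVELS` table, the `normalize_md5`/`trust_level`/`push_md5` names and the default comment are assumptions for this example. The integers in `TRUST_LEVELS` are kept local so the validators run offline; they mirror the TIE client's TrustLevel constants.

```python
"""Set a TIE enterprise reputation for an MD5, the way 'dxl push md5' does.

Added example, not code from the Phantom app. Assumes dxlclient and
dxltieclient are installed and that the client certificate is authorized
for the "TIE Server Set Enterprise Reputation" group in ePO.
"""
import re

CONFIG_FILE = "certs/dxlclient.config"  # assumed path, matches the certs folder

# Reputation levels accepted by TIE. The integers mirror
# dxltieclient.constants.TrustLevel; kept local so this map works offline.
TRUST_LEVELS = {
    "known_trusted_installer": 100,
    "known_trusted": 99,
    "most_likely_trusted": 85,
    "might_be_trusted": 70,
    "unknown": 50,
    "might_be_malicious": 30,
    "most_likely_malicious": 15,
    "known_malicious": 1,
    "not_set": 0,
}

_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def normalize_md5(value):
    """Validate a user-supplied MD5 before it reaches the fabric.

    Returns the lowercase hex digest or raises ValueError, so a typo or a
    truncated hash in a playbook never sets a reputation on the wrong file.
    """
    value = value.strip()
    if not _MD5_RE.match(value):
        raise ValueError("not a 32-character hex MD5: %r" % value)
    return value.lower()


def trust_level(score):
    """Map a reputation given as a name ("Known Malicious") or a TIE integer
    to the trust level sent to the server; anything else is rejected."""
    if isinstance(score, int):
        if score in TRUST_LEVELS.values():
            return score
        raise ValueError("unsupported trust level %d" % score)
    key = score.strip().lower().replace(" ", "_")
    if key not in TRUST_LEVELS:
        raise ValueError("unknown reputation %r; use one of %s"
                         % (score, ", ".join(sorted(TRUST_LEVELS))))
    return TRUST_LEVELS[key]


def push_md5(md5, score, comment="set by Phantom", config_file=CONFIG_FILE):
    """Set the enterprise reputation of `md5` to `score` in TIE.

    dxltieclient is imported here so the validators above run without a
    fabric. If the client is not authorized on
    /mcafee/service/tie/file/reputation/set the call does not succeed:
    set_file_reputation raises (error response or timeout) rather than
    returning silently, so callers should treat an exception as "not set".
    Returns the (digest, level) pair that was sent.
    """
    from dxlclient.client import DxlClient
    from dxlclient.client_config import DxlClientConfig
    from dxltieclient import TieClient
    from dxltieclient.constants import HashType

    digest = normalize_md5(md5)
    level = trust_level(score)
    config = DxlClientConfig.create_dxl_config_from_file(config_file)
    with DxlClient(config) as client:
        client.connect()
        tie = TieClient(client)
        tie.set_file_reputation(level, {HashType.MD5: digest}, comment=comment)
    return digest, level


if __name__ == "__main__":
    import sys
    print(push_md5(sys.argv[1], sys.argv[2]))
```

Validation happens before the client connects, so a bad hash or an unknown reputation fails fast in the playbook instead of producing a rejected or, worse, misdirected reputation change on the TIE server.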
This integration extends the capabilities of both the McAfee DXL messaging fabric and the Phantom platform by performing key containment and remediation actions.