This integration adds automated containment / response capabilities to the MISP platform using McAfee Threat Intelligence Exchange (TIE).
Based on tagging, a script extracts suspicious MD5 hashes from a threat event and automatically sets the external or enterprise reputation in the McAfee TIE database. This effectively updates all McAfee-managed endpoints. The MISP tag is removed automatically after a successful reputation update.
MISP is a free and open source threat sharing platform that supports the exchange of threat and cyber security indicators. https://github.com/MISP/MISP
McAfee Threat Intelligence Exchange acts as a reputation broker to enable adaptive threat detection and response. https://www.mcafee.com/enterprise/en-us/products/threat-intelligence-exchange.html
MISP platform (tested with MISP 2.4.117)
PyMISP
git clone https://github.com/MISP/PyMISP.git
cd PyMISP/
python setup.py install
Requests
OpenDXL SDK
git clone https://github.com/opendxl/opendxl-client-python.git
cd opendxl-client-python/
python setup.py install
OpenDXL TIE SDK
git clone https://github.com/opendxl/opendxl-tie-client-python.git
cd opendxl-tie-client-python/
python setup.py install
McAfee ePolicy Orchestrator, DXL Broker, Active Response
Enter the MISP URL and access key in the misp_tie.py file (lines 16 and 17).
Enter the tag in the misp_tie.py file (line 19) that should be used to query MISP events.
Create certificates for OpenDXL and move them into a centralized folder.
Make sure to authorize the newly created certificates in ePO so that they are allowed to set McAfee TIE reputations.
Make sure that the FULL PATH to the OpenDXL config file is entered in line 21 of misp_tie.py.
Run the script:
python3.8 /home/misp_tie/misp_tie.py
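The following is an added example of the tag-driven flow described above (query tagged MISP events, extract MD5 attributes, set the TIE reputation, untag the event); it is not the project's own misp_tie.py. It assumes the PyMISP search/untag API and the OpenDXL TIE client methods set_file_reputation and set_external_file_reputation; the URL, key, tag name and config path are placeholders. The clients are passed in as parameters, so the logic can be exercised offline with stand-ins before it is pointed at a real ePO/DXL environment.

```python
"""Tag-driven MISP -> McAfee TIE reputation update (added example, not the
project's misp_tie.py). Clients are injected so the flow can be tested
offline; against real systems use PyMISP and dxltieclient (see __main__)."""
import re
from typing import Dict, List, Tuple

try:  # real constants from the OpenDXL TIE client; optional for offline use
    from dxltieclient.constants import HashType, TrustLevel
    MD5_KEY, KNOWN_MALICIOUS = HashType.MD5, TrustLevel.KNOWN_MALICIOUS
except ImportError:  # the literal values those constants carry ("md5", 1)
    MD5_KEY, KNOWN_MALICIOUS = "md5", 1

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def extract_md5s(events: List[dict]) -> Dict[str, List[str]]:
    """Map event UUID -> de-duplicated, lower-cased MD5 values.

    Only attributes of type 'md5' whose value actually looks like an MD5 are
    taken, so a mistyped indicator never becomes a reputation pushed to every
    managed endpoint. Events without a usable hash are omitted."""
    result: Dict[str, List[str]] = {}
    for wrapper in events:
        event = wrapper.get("Event", wrapper)  # PyMISP wraps each event in {"Event": ...}
        seen: List[str] = []
        for attr in event.get("Attribute", []):
            value = str(attr.get("value", "")).strip().lower()
            if attr.get("type") == "md5" and MD5_RE.match(value) and value not in seen:
                seen.append(value)
        if seen:
            result[event["uuid"]] = seen
    return result


def set_reputations(tie_client, md5s: List[str], scope: str, comment: str) -> int:
    """Set KNOWN_MALICIOUS for each hash, in the enterprise or external
    reputation scope. Returns the number of hashes submitted."""
    if scope == "enterprise":
        setter = tie_client.set_file_reputation
    elif scope == "external":
        setter = tie_client.set_external_file_reputation
    else:
        raise ValueError(f"unknown reputation scope: {scope}")
    for md5 in md5s:
        setter(KNOWN_MALICIOUS, {MD5_KEY: md5}, comment=comment)
    return len(md5s)


def process_tagged_events(misp, tie_client, tag: str, scope: str = "enterprise") -> Tuple[int, List[str]]:
    """Full flow: search events carrying `tag`, push reputations, then remove
    the tag only from events whose hashes were all submitted. A failed push
    leaves the tag in place so the event is retried on the next run."""
    events = misp.search(controller="events", tags=tag, pythonify=False)
    total, cleared = 0, []
    for event_uuid, md5s in extract_md5s(events).items():
        try:
            total += set_reputations(tie_client, md5s, scope, comment=f"MISP event {event_uuid}")
        except Exception as exc:  # keep the tag; do not silently drop the event
            print(f"event {event_uuid}: reputation update failed: {exc}")
            continue
        misp.untag(event_uuid, tag)
        cleared.append(event_uuid)
    return total, cleared


if __name__ == "__main__":  # live run; all values below are placeholders
    from pymisp import PyMISP
    from dxlclient.client import DxlClient
    from dxlclient.client_config import DxlClientConfig
    from dxltieclient import TieClient

    misp = PyMISP("https://misp.example.internal", "REPLACE_WITH_MISP_KEY", ssl=True)
    config = DxlClientConfig.create_dxl_config_from_file("/full/path/to/dxlclient.config")
    with DxlClient(config) as dxl:
        dxl.connect()
        submitted, done = process_tagged_events(misp, TieClient(dxl), tag="tie:set-reputation")
        print(f"submitted {submitted} hashes, cleared tag on {len(done)} events")
```

The tag is removed per event and only after its hashes were accepted, which is what makes the tag a reliable work queue: anything still tagged after a run is either new or still needs attention, and a broker outage cannot make an event disappear from the queue without its reputation having been set.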
MISP contains globally, community and locally produced intelligence that can be used to set McAfee TIE reputations (external or enterprise reputations).