Integrate McAfee ESM as a Subscriber
CTIX can ingest threat data from a multitude of sources in different formats. McAfee ESM is a security information and event management (SIEM) system that compiles malicious data and logs and lets you use them for further threat investigations. Using this integration, you can add IOCs that have been detected and analyzed from within CTIX to watchlists in McAfee Enterprise Security Manager. In McAfee ESM, you can further use the watchlists to trigger alarms or correlation rules.
About McAfee Enterprise Security Manager (ESM)
McAfee Enterprise Security Manager (ESM) is a SIEM solution that collects logs from various sources and correlates events for investigation and incident response.
Configure McAfee ESM as a Subscriber in CTIX
Configure McAfee ESM as a STIX subscriber in the CTIX application to poll for threat data from CTIX using TAXII credentials.
Before you Start
You must have the Create Subscribers, View & Update Subscribers, and View Subscribers permissions in CTIX.
Steps
Sign in to CTIX.
From Administration, select Integration Management, and click Subscribers under FEED CONSUMERS.
Click Add Subscriber.
Enter a subscriber name.
Enter an organization name for the subscriber.
Select the configured organization type from the drop-down menu.
Enter primary details about the subscriber, such as name, email address, contact number, and contact address.
To enter a secondary contact for the subscriber, click Show Secondary Contact Details.
Enter the IP addresses used for secure threat intel exchange. These IP addresses are allow-listed and are the only ones used for sharing the threat intel.
Select the collections from which the McAfee ESM application can poll for data. You can also modify collection preferences for a subscriber after creating a subscriber.
Enter a confidence score between 0 and 100 for the subscriber. The score indicates the level of confidence that users have in the threat intel shared by the subscriber.
Select Email Credentials to receive TAXII server credentials.
Select Include Reference Links to automatically include any reference links in the email sent out to the subscribers.
Click Add Subscriber.
Click Download to download your credentials, or click the clipboard icon next to each credential to copy it and paste it where needed.
Set Up Cyber Threat Management in McAfee ESM
Set up feeds in McAfee ESM to retrieve indicators of compromise (IOC) from the CTIX application. You can then use these feeds in McAfee ESM to generate watchlists, alarms, and reports related to IOCs retrieved from the CTIX application.
Before you Start
You must have the subscriber details that you created in the CTIX application for McAfee ESM.
Steps
Sign in to McAfee ESM.
In the top-left corner, click the hamburger menu icon.
Click System Properties and then navigate to Cyber Threat Feeds.
Click the Main tab and then click the Add button to provide a name.
Click the Source tab and select TAXII for the source type.
Perform the following actions:
For authentication, select Basic.
For method, select Get.
Provide the username, password, URL, and collection that you generated in CTIX when setting up McAfee ESM as a subscriber.
Enter the start date in DD/MM/YYYY format.
To test the connection, click Connect.
Click Watchlist and then specify your configuration, including selecting the type and assigning the watchlist to which the IOC must be added. The polling process starts automatically.
To view the IOCs, from the Main Menu, click Watchlist.
You can set the frequency at which the data is polled.
You can also define the investigation process to run when your source identifies the IOC on the platform: click the Backtrace tab and specify your preferences.
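Before pointing the ESM TAXII source at CTIX, it helps to confirm what the downloaded subscriber credentials actually return and how indicator patterns map onto watchlist types. The following Python is an added example, not CTIX or McAfee ESM code; it assumes CTIX serves the collection over TAXII 2.1 (the page names only "TAXII"), uses assumed watchlist type labels, and parses a constructed sample envelope so it runs offline. It applies the same confidence cutoff idea as the subscriber confidence score above.

```python
import base64
import json
import re
from urllib.request import Request

# Constructed TAXII 2.1 envelope standing in for one CTIX collection poll (not real CTIX output).
SAMPLE_ENVELOPE = json.dumps({"more": False, "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern_type": "stix", "confidence": 80,
     "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern_type": "stix", "confidence": 40,
     "pattern": "[domain-name:value = 'bad.example.net'] OR [url:value = 'http://bad.example.net/x']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "pattern_type": "stix", "confidence": 30,
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000004", "name": "sample"},
]})

# STIX object path -> watchlist type. The type names are assumed labels, not McAfee ESM's own.
WATCHLIST_TYPE = {
    "ipv4-addr:value": "IPv4 Address",
    "domain-name:value": "Domain",
    "url:value": "URL",
    "file:hashes.MD5": "MD5",
    "file:hashes.'SHA-256'": "SHA-256",
}
# Matches one equality comparison inside a STIX pattern: <object path> = '<value>'
COMPARISON = re.compile(r"([\w\-]+:[\w\.'\-]+)\s*=\s*'([^']*)'")

def taxii_poll_request(api_root, collection_id, username, password, added_after=None):
    """Build the Basic-auth GET that polls a collection, as the ESM TAXII source does."""
    url = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    if added_after:  # ISO 8601 timestamp; plays the role of the start date ESM asks for
        url += f"?added_after={added_after}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return Request(url, headers={"Accept": "application/taxii+json;version=2.1",
                                 "Authorization": f"Basic {token}"})

def indicators_to_watchlist(envelope_json, min_confidence=0):
    """Group indicator pattern values by watchlist type; skip non-indicators and low confidence."""
    grouped = {}
    for obj in json.loads(envelope_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("confidence", 0) < min_confidence:
            continue  # a missing confidence counts as 0
        for path, value in COMPARISON.findall(obj.get("pattern", "")):
            if path in WATCHLIST_TYPE:
                grouped.setdefault(WATCHLIST_TYPE[path], []).append(value)
    return grouped
```

Send the request with urllib.request.urlopen against the real API root from the downloaded credentials, then pass the response body to indicators_to_watchlist to preview what each watchlist will receive.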
Note
The TAXII URL poll must follow TAXII standards.
Configure McAfee ESM as an Internal Application
Configure McAfee ESM as an internal application in CTIX. McAfee ESM is also available as an out-of-the-box integration tool in the CTIX application.
Before you Start
You must have View & Update Tool Integration permissions.
Steps
Configure the app in CTIX using the following procedure:
Sign in to CTIX.
From Administration, open Integration Management, and click Internal Applications under Tool integrations.
Click Endpoint Detection Response and select McAfee.
Click Add Instance.
Enter the instance name, base URL, username, and password generated from McAfee Enterprise Security Manager (ESM).
To secure the connection between the CTIX server and the McAfee server, select Verify SSL.
Click Save to enable the account.
After the instance is added, click the ellipsis icon and then select Manage.
Click the Manage Action(s) button to enable the action.
Create a Rule to Update Watchlists for McAfee
In the CTIX application, rules are automated tasks that can execute some actions on a trigger. Create a rule in the CTIX application to send IOCs to McAfee ESM.
Before you Start
You must have Create Rule, View & Update Rule permissions.
Steps
Create a rule using the following procedure:
From Main Menu, select Rules under Actions.
Click New Rule.
Enter a rule name and a description of the rule's key details.
To easily identify and categorize components in CTIX, add tags.
Perform the following actions:
Add the source and condition. For more information about adding sources and conditions, see Automation Rules.
For action, select Update Watchlist.
For application, select McAfee.
Select the account.
Select the watchlist table.
Click Save.
View CTIX Data in McAfee ESM
Use the following steps to view the CTIX data that is received in the McAfee ESM application.
Sign in to McAfee ESM.
In the top-left corner, click the hamburger menu icon.
From the Investigation Tools section, click Watchlists and select the watchlist that is updated with rules from CTIX.