
Cyware Threat Intelligence eXchange

McAfee ESM

Connector Category: Endpoint Detection Response (EDR)

About Integration

McAfee Enterprise Security Manager (ESM) is the core device of the McAfee Security Information and Event Management (SIEM) solution, which enables analysts to identify vulnerabilities and hunt threats. Using this integration, you can add IOCs that have been detected and analyzed within Intel Exchange to watchlists in McAfee ESM.

The McAfee ESM internal application in Intel Exchange supports the following actions:

Action Name      | Description
Update Watchlist | This action adds IOCs retrieved from Intel Exchange to the watchlist of McAfee ESM.

To configure McAfee ESM as an internal application, follow these steps:

Configure McAfee ESM as an Internal Application

Configure McAfee ESM as an internal application to upload watchlist keywords to McAfee ESM.

Before you Start 

  • You must have the base URL, username, and password of your McAfee ESM account.

  • You must have the view and update tool integration permissions in Intel Exchange.

Steps 

  1. Go to Administration > Integration Management > Tool Integrations > Internal Applications and select Endpoint Detection Response.

  2. Search and select McAfee.

  3. Click Add Instance and enter the following details:

    • Instance Name: Enter a unique name that identifies this instance. For example, Prod_McAfee.

    • Base URL: Enter the base URL of your McAfee ESM instance. For example, https://api.mcafee.com.

    • Username: Enter the username of your McAfee ESM API credential.

    • Password: Enter the password of your McAfee ESM API credential.

    • Verify SSL: Enable this option to verify the SSL certificate and secure the connection between the Intel Exchange and McAfee ESM servers. By default, Verify SSL is selected.

      Note

      Cyware recommends that you select Verify SSL. If you disable this option, Intel Exchange may configure an instance against a server with an expired SSL certificate. The connection may then not be established properly, and Intel Exchange will not be able to notify you of a broken or improper connection.

  4. Click Save.

The McAfee ESM instance is configured and you can view the Update Watchlist action provided by the McAfee ESM internal application. You can configure multiple instances of this integration by clicking Manage > Add More.
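Before saving an instance, it is worth knowing why Verify SSL would fail against the Base URL, so the certificate can be renewed or corrected rather than verification switched off. The following is an added example, not code from Intel Exchange or McAfee ESM; the hostname esm.example.com is a constructed placeholder, and evaluate_cert accepts the dictionary shape returned by Python's getpeercert().

```python
# Pre-flight check of a McAfee ESM base URL before saving the Intel Exchange
# instance: reports why Verify SSL would fail (expired or mismatched cert).
# Hypothetical helper; not part of Intel Exchange or McAfee ESM.
import socket
import ssl
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

def _dns_match(pattern, hostname):
    # Exact match, or a '*.' wildcard covering exactly one leftmost label.
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def evaluate_cert(cert, hostname, now=None):
    """Problems in a getpeercert()-style dict: expired (or expiring within
    30 days) and whether a DNS SAN covers the configured host."""
    now = now or datetime.now(timezone.utc)
    problems = []
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                    tz=timezone.utc)
    if expiry <= now:
        problems.append(f"certificate expired on {expiry:%Y-%m-%d}")
    elif expiry - now < timedelta(days=30):
        problems.append(f"certificate expires on {expiry:%Y-%m-%d}; renew it")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_dns_match(s, hostname) for s in sans):
        problems.append(f"certificate does not cover {hostname} (SANs: {sans})")
    return problems

def check_base_url(base_url, timeout=5.0):
    """Connect with the strict verification Verify SSL applies and report what
    would break it. Returns (ok, problems)."""
    parsed = urlparse(base_url)
    host, port = parsed.hostname, parsed.port or 443
    ctx = ssl.create_default_context()  # verifies chain, expiry and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                problems = evaluate_cert(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        problems = [f"verification failed: {exc.verify_message}"]
    except OSError as exc:
        problems = [f"connection failed: {exc}"]
    return not problems, problems

if __name__ == "__main__":
    ok, problems = check_base_url("https://esm.example.com")  # constructed URL
    print("OK" if ok else "\n".join(problems))
```

If the script reports an expired or mismatched certificate, fix the certificate on the McAfee ESM side and keep Verify SSL enabled.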

Enable Update Watchlist App Action

After configuring the McAfee ESM application on Intel Exchange, enable the Update Watchlist action to upload and delete indicators.

  1. Go to Administration > Integration Management > Tool Integrations > Internal Applications and select Endpoint Detection Response.

  2. Search and select McAfee.

  3. On the upper-right corner, click the vertical ellipsis and click Manage.

  4. Click Manage Actions.

  5. Select the action and turn on its toggle to enable it.

  6. Click Save.

The action is enabled and is now ready to use.

Create Rule to Update Watchlist in McAfee ESM

Create a rule to upload specific indicators from Intel Exchange to the McAfee ESM watchlist.

Before you Start 

You must have the View Rules, Create Rules, and Update Rules permissions.

Steps 

To create a rule to upload indicators to the McAfee ESM watchlist, do the following:

  1. Go to Main Menu > Actions > Rules.

  2. Click New Rule.

  3. Enter a rule name and click Submit.

  4. In Source, select the source and collection from which you want to upload indicators.

  5. In Condition, enter the following details:

    1. Intent Type: Select the intent type as Indicator.

    2. Rule Type: Select a rule type to apply specific conditions.

  6. In Actions, enter the following details:

    1. Actions: Select Update Watchlist.

    2. Application: Select McAfee.

    3. Account: Select the McAfee ESM instance you have configured.

    4. Watchlist Table: Select the watchlist table to update.

  7. Set the global conditions from Additional Actions. For more information, see Additional Actions for Rules.

  8. Click Save.

The rule is created and indicators will be uploaded to McAfee ESM based on the configured sources and conditions when you run the rule.