McAfee ESM in the Cloud

Configure a McAfee ESM cloud device to pull IOCs from Threat Command. You must first add the device to Threat Command and then configure the device to pull IOCs from Threat Command.

Add a McAfee ESM cloud device

Add a cloud device to Threat Command.

Prerequisites

  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add a cloud device to Threat Command:

  1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
  2. From the main menu, select Automation > Integrations.
  3. From the Integrations page, click Cloud.
  4. Click Add new device.
  5. In the Add New Cloud Device dialog, type a user-defined name for the device.
    The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
  6. Select the Device type.
    The default device IOCs limit is displayed.
  7. (Optional) You can change the IOCs limit.
  8. Click Add.
  9. To verify that the new device is added, refresh the Automation > Integrations page.
    The new device is added to the cloud integrations device list. Next to the device name, there is a red dot, indicating that communication has not yet been established. The dot will change to green when the device is synchronized. If the device cannot synchronize for more than 48 hours, an email warning is sent to the account administrator.

Configure a McAfee ESM cloud device to pull IOCs from Threat Command

Integration with McAfee ESM includes two steps:

  1. Create a watchlist
  2. Create an alarm

Create a watchlist

  1. Log in to the McAfee ESM management console.
  2. Select Watchlists.
  3. Select a watchlist and click Add.
  4. Main tab - Add the watchlist details:
    • Name: a custom name.
    • Set the type to Dynamic.
    • Enable automatic updates.
    • Set the update interval to 15 minutes.
  5. Sources tab - Add the source details:
    1. Set the source type to HTTP/HTTPS.
    2. Add the URL taken from the device integration IOC list.
    3. Authentication: None
    4. Method: GET
    5. Test the connection.
  6. Parsing tab - Set the parsing details:
    1. Set the regular expression value to: +
    2. Set 'Matching Group' to: Group1
  7. Values tab - Set and test the values:
    1. Click Run; the IOC values should be listed.
    2. Click Finish.

Create an alarm

  1. Select Watchlists.
  2. On the Alarms tab, select an alarm and click Add.
  3. Under Condition, add your match condition. For example, use 'Field Match' to match Domains and File Hashes against the IOCs from Rapid7.
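As an added illustration, not part of the original page and not McAfee's or Rapid7's code, the following Python script mimics what the watchlist and the alarm do end to end: an unauthenticated GET of the IOC list, a regular expression whose matching group 1 yields the indicator values, and a 'Field Match' of an event's Domain and File Hash fields against those values. The feed contents, the events and the regular expression are assumptions and constructed samples (the page's own regex value is not reproduced), so the script can be run offline to check what a parsing rule would extract before it is entered in ESM.

```python
import re
import urllib.request
from typing import Iterable, List

# Constructed sample of what the device IOC list URL returns: one indicator
# per line, domains and file hashes mixed. Not real indicators.
SAMPLE_IOC_FEED = """\
malicious-example.test
44d88612fea8a8f36de82e1278abb02f
another-bad-domain.example
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
"""

# Assumed parsing expression: capture each non-blank line in group 1
# (the page's own regex value is not reproduced here).
IOC_LINE_RE = re.compile(r"^\s*(\S+)\s*$", re.MULTILINE)


def fetch_ioc_feed(url: str, timeout: float = 10.0) -> str:
    """Plain GET with no authentication, as the watchlist source is configured."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_ioc_feed(body: str, pattern=IOC_LINE_RE, group: int = 1) -> List[str]:
    """Mimic the dynamic watchlist parser: keep the matching group of every hit, deduplicated."""
    seen, values = set(), []
    for m in pattern.finditer(body):
        value = m.group(group)
        if value not in seen:
            seen.add(value)
            values.append(value)
    return values


def field_match(event: dict, watchlist: Iterable[str], fields=("domain", "file_hash")) -> List[str]:
    """Mimic the alarm's 'Field Match': return the event fields found on the watchlist (case-insensitive)."""
    wl = {v.lower() for v in watchlist}
    return [f for f in fields if str(event.get(f, "")).lower() in wl]


# Constructed events in the shape the alarm would evaluate.
SAMPLE_EVENTS = [
    {"domain": "malicious-example.test", "file_hash": "deadbeef"},
    {"domain": "benign.example", "file_hash": "44D88612FEA8A8F36DE82E1278ABB02F"},
    {"domain": "benign.example", "file_hash": "00000000"},
]

if __name__ == "__main__":
    wl = parse_ioc_feed(SAMPLE_IOC_FEED)  # live: parse_ioc_feed(fetch_ioc_feed(URL))
    print(f"watchlist loaded with {len(wl)} values")
    for ev in SAMPLE_EVENTS:
        print(ev, "->", field_match(ev, wl) or "no match")
```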