McAfee ESM

Configure a McAfee ESM on-premises device to pull IOCs from Threat Command.

The following table shows device-specific integration characteristics:

Characteristic          Description
Method of pull          All IOCs that were discovered are pulled.
IOC types supported     Domains, MD5 file hashes, IP addresses, and URLs.
IOC group limitation    Each IOC group can contain only one type of IOC. For multiple types, create multiple IOC groups.
Device IOC limit        The device is limited to 300,000 IOCs.

To integrate the device, perform these steps (described in the following sections):

  1. Add the device to the Threat Command virtual appliance.
  2. Configure the device to pull IOCs from Threat Command.

Add a McAfee ESM on-premises device

The procedure to add the device to Threat Command is different depending on the version of the Threat Command virtual appliance in your environment. To determine which version is running, see Determine the Version of Virtual Appliance.

Add the on-premises device

Add the device in virtual appliance v3.9

Prerequisites:

  • The Threat Command virtual appliance web interface is configured and you can access it.
  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add the device to Threat Command:

  1. From an internet browser, navigate to https://<virtual appliance IP address>
  2. Log in to the virtual appliance using the web access username and password.
  3. From the Devices page, click Devices (Pull).
  4. Click Add new device.
  5. In the Devices (Pull) screen, set up the new device:
    1. Type a user-defined, unique device name.
    2. Select the device type.
    3. Click Create.
  6. Verify that the new device was added:
    1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
    2. From the main menu, select Automation > Integrations.
      If this window is already open, refresh it by selecting Automation > Integrations from the menu.
      The new device is displayed in the On-Premises tab.
Add the device in virtual appliance v4.0

Prerequisites:

  • You have the credentials to access the Threat Command virtual appliance web interface.
  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add the device to Threat Command:

  1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
  2. From the main menu, select Automation > Integrations.
  3. From the Integrations page, click On-Premises.
  4. Click Add new device.
  5. In the Add New On-Premises Device dialog, type a user-defined name for the device.
    The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
  6. Select the Device type.
    The default device IOCs limit is displayed.
  7. (Optional) You can change the IOCs limit.
  8. Click Add.
  9. To verify that the new device is added, refresh the Automation > Integrations page.

Next to the device name, there is a red dot, indicating that communication has not yet been established. The dot will change to green when the device is synchronized. If the device cannot synchronize for more than 48 hours, an email warning is sent to the account administrator.

Configure a McAfee ESM on-premises device to pull IOCs from Threat Command

Configuration for on-premises devices

When configuring an on-premises device, it is important to know which version of the Threat Command virtual appliance is running in your environment. This will affect which Rapid7 URL is displayed in the Device Details screen and also which URL to copy into the device management console.


When running version 4.0 or later, use the Legacy URL only when instructed to by Rapid7 Support.

To determine which version of the virtual appliance is running, see Determine the Version of Virtual Appliance.

Integration with McAfee ESM includes two steps:

  1. Create a watchlist
  2. Create an alarm

Create a watchlist:

  1. Log in to the McAfee ESM management console.
  2. Select Watchlists.
  3. Select a watchlist and click Add.
  4. Main tab - Add watchlist details:
    • Name: a custom name
    • Type: Dynamic
    • Enable automatic updates.
    • Update interval: 15 minutes
  5. Sources tab - Add source details:
    1. Set the source type to HTTP/HTTPS.
    2. Add the URL taken from the device integration IOC list in Threat Command:
      • For virtual appliance v4.0 or later: use the Feed URL.
      • For virtual appliance v3.9 or earlier: use the Legacy URL.
    3. Authentication: None
    4. Method: GET
    5. Test the connection.
  6. Parsing tab - Set parsing details:
    1. Set the regular expression value to: +
    2. Set Matching Group to: Group1
  7. Values tab - Set and test values:
    1. Click Run. The IOC values from the feed are displayed.
    2. Click Finish.
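The watchlist built above fetches the feed with an unauthenticated GET and extracts one value per line with a regular expression and Matching Group 1. The following Python script is added here as an example; it is not part of the Rapid7 documentation or of McAfee ESM. It reproduces that parsing offline against a constructed feed body and applies the two checks from the characteristics table: every value in the group is the same IOC type (domain, MD5 hash, IP address, or URL), and the count stays within the 300,000 device limit. The feed body, the line regex and the type classifier are assumptions for illustration; the real feed comes from the Feed URL or Legacy URL shown in the device's IOC list.

```python
"""Offline check of a Threat Command IOC feed as an ESM dynamic watchlist
parses it. Added example; not Rapid7 documentation or McAfee ESM code.
The feed body, regex and classifier below are assumptions for illustration."""
import ipaddress
import re

# Constructed stand-in for the body returned by the device's Feed URL:
# one IOC per line. A real feed is fetched from Threat Command, not embedded.
SAMPLE_FEED = """203.0.113.7
198.51.100.22

192.0.2.44
"""

# Device IOC limit from the integration characteristics table.
DEVICE_IOC_LIMIT = 300_000

# One capture group, so "Matching Group = Group1" selects the whole IOC.
# Assumed regex; the exact value in the ESM Parsing tab is not shown here.
LINE_PATTERN = re.compile(r"^\s*(\S+)\s*$")

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
# RFC 1035-style labels: 1-63 chars, no leading/trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def classify(ioc: str) -> str:
    """Return the IOC type Threat Command supports for this device, or 'unknown'."""
    if MD5_RE.match(ioc):
        return "md5"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    if "://" in ioc:
        return "url"
    if DOMAIN_RE.match(ioc):
        return "domain"
    return "unknown"


def parse_feed(body: str) -> list[str]:
    """Apply the watchlist regex line by line and keep capture group 1."""
    values = []
    for line in body.splitlines():
        match = LINE_PATTERN.match(line)
        if match:  # blank lines never match \S+ and are skipped
            values.append(match.group(1))
    return values


def check_group(values: list[str], limit: int = DEVICE_IOC_LIMIT) -> list[str]:
    """Return a list of problems; an empty list means the group is usable as-is."""
    problems = []
    types = {classify(v) for v in values}
    if "unknown" in types:
        bad = [v for v in values if classify(v) == "unknown"][:3]
        problems.append(f"unrecognised IOC values (first few): {bad}")
    if len(types - {"unknown"}) > 1:
        problems.append(
            f"mixed IOC types {sorted(types - {'unknown'})}: one type per IOC group, "
            "create a separate group per type"
        )
    if len(values) > limit:
        problems.append(f"{len(values)} IOCs exceeds the device limit of {limit}")
    return problems


if __name__ == "__main__":
    iocs = parse_feed(SAMPLE_FEED)
    print(f"{len(iocs)} IOCs parsed, types: {sorted({classify(v) for v in iocs})}")
    for problem in check_group(iocs):
        print("PROBLEM:", problem)
```

Run it against the real feed by replacing SAMPLE_FEED with the body fetched from the Feed URL; a non-empty result from check_group means the watchlist will import values ESM cannot match against the field type chosen in the alarm, or that the device limit will be exceeded.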

Create an alarm

  1. Select Watchlists.
  2. On the Alarms tab, select an alarm and click Add.
  3. Under Condition, add your match condition. For example, use Field Match to match domains and file hashes in events against the IOCs from Rapid7.