IBM QRadar SOAR

McAfee Threat Intelligence Exchange Integration for SOAR

1. McAfee Threat Intelligence Exchange Integration for SOAR

    Posted Fri April 15, 2022 06:08 AM
    We are using the McAfee Threat Intelligence Exchange Integration for SOAR, and we noticed that it is not working only for the malware hash value e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    https://exchange.xforce.ibmcloud.com/hub/extension/47f1383c25d0323a0d25770006cfe62a

    For example, when we change the last digit from 55 to 54 as below, then it works fine: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b854

    2022-04-15 17:42:42,718 INFO [actions_component] Event: <mcafee_tie_search_hash[] (id=23, workflow=mcafee_tie_get_file_reputation, user=resilient@test.com.my) 2022-04-15 09:42:42.630000> Channel: functions.mcafee_tie_search_hash
    2022-04-15 17:42:42,925 DEBUG [actions_component] Task: <function _call_the_task at 0x7fcf8d17a1d0>
    2022-04-15 17:42:42,926 DEBUG [decorators] Thread-4: _call_the_task
    2022-04-15 17:42:42,928 INFO [decorators] [mcafee_tie_search_hash] StatusMessage: Searching Hash...
    2022-04-15 17:42:42,929 DEBUG [mcafee_tie_search_hash] _lookup_hash started for Artifact Type Malware SHA-256 Hash - Artifact Value e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    2022-04-15 17:42:42,933 DEBUG [client] MQTT: Sending PUBLISH (d0, q0, r0, m3), '/mcafee/service/tie/file/reputation', ... (214 bytes)
    2022-04-15 17:42:42,933 DEBUG [stomp_component] send()
    2022-04-15 17:42:42,935 DEBUG [client] Sending SEND frame [headers={'destination': u'/queue/acks.201.mcafee_tie_md', 'correlation-id': u'invid:1533'}, body='{"message": "Searchi...', version=1.2]
    2022-04-15 17:42:42,937 DEBUG [stomp_component] Message sent
    2022-04-15 17:42:42,939 DEBUG [client] MQTT: Received PUBLISH (d0, q0, r0, m0), '/mcafee/client/{230086a7-aab0-4b51-b0a9-0c3fed0789cb}', ... (444 bytes)
    2022-04-15 17:42:42,940 DEBUG [client] Message received for topic /mcafee/client/{230086a7-aab0-4b51-b0a9-0c3fed0789cb}
    2022-04-15 17:42:43,046 ERROR [actions_component] <task[functionworker] (<function _call_the_task at 0x7fcf8d17a1d0>, <mcafee_tie_search_hash[functions.mcafee_tie_search_hash] (id=23, workflow=mcafee_tie_get_file_reputation, user=resilient@testcom.my) 2022-04-15 09:42:42.630000> mcafee_tie_hash_type=u'Malware SHA-256 Hash', mcafee_tie_hash=u'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')> (<class 'resilient_circuits.action_message.FunctionException_'>):
    Traceback (most recent call last):
    File "/usr/local/lib/python2.7/site-packages/fn_mcafee_tie/components/mcafee_tie_search_hash.py", line 59, in _mcafee_tie_search_hash_function
    reputations_dict = tie_client.get_file_reputation(resilient_hash)
    File "/usr/local/lib/python2.7/site-packages/dxltieclient/client.py", line 396, in get_file_reputation
    response = self._dxl_sync_request(req)
    File "/usr/local/lib/python2.7/site-packages/dxlbootstrap/client.py", line 55, in _dxl_sync_request
    raise Exception("Error: " + res.error_message + " (" + str(res.error_code) + ")")
    Exception: Error: Error during request handling. (0)

    2022-04-15 17:42:43,047 DEBUG [actions_component] Ack ID:BSNSOARRESDR02-33761-1649389748161-3:3:146:1:1
    2022-04-15 17:42:43,048 DEBUG [stomp_component] ack_frame()
    2022-04-15 17:42:43,049 DEBUG [client] Sending ACK frame

    ------------------------------
    Sunil I B
    ------------------------------
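
The hash that fails in the post, e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, is the SHA-256 digest of zero bytes, i.e. the hash of an empty file. The log shows the TIE request for exactly that value coming back with "Error during request handling. (0)" while the neighbouring value works. Whatever the server-side reason, an empty-file digest carries no reputation worth querying, so a function that receives it should short-circuit instead of letting the DXL request fail the whole workflow. The following is an added example, not code from the post, from IBM's fn_mcafee_tie package or from McAfee's dxltieclient. It computes the empty-input digests at import time with hashlib, validates the artifact value, and wraps a lookup callable; the `lookup` parameter and the artifact type names other than "Malware SHA-256 Hash" (which appears in the log) are assumptions, and the stand-in client at the bottom is constructed to fail the way the log does.

```python
import hashlib
import re

# Well-known digests of the empty input, computed here rather than hard-coded
# so the table cannot be mistyped. SHA-256 of b"" is the value from the post:
# e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
EMPTY_INPUT_DIGESTS = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
}

# Hex-digit length of each digest, used to reject malformed artifact values
# before anything is published on the DXL fabric.
HEX_LENGTH = {"md5": 32, "sha1": 40, "sha256": 64}

# SOAR artifact type names mapped to digest algorithms. "Malware SHA-256 Hash"
# appears in the log above; the other two names are assumed.
ARTIFACT_TYPE_TO_ALGO = {
    "Malware SHA-256 Hash": "sha256",
    "Malware SHA-1 Hash": "sha1",
    "Malware MD5 Hash": "md5",
}


def classify_hash(artifact_type, value):
    """Return (status, digest); status is 'invalid', 'empty_input' or 'ok'."""
    algo = ARTIFACT_TYPE_TO_ALGO.get(artifact_type)
    if algo is None:
        return "invalid", None
    digest = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LENGTH[algo], digest):
        return "invalid", digest
    if digest == EMPTY_INPUT_DIGESTS[algo]:
        return "empty_input", digest
    return "ok", digest


def safe_reputation_lookup(artifact_type, value, lookup):
    """Guarded reputation lookup.

    `lookup` is a hypothetical callable taking the normalized hex digest and
    returning a reputation dict; it stands in for the integration's
    get_file_reputation call and is only invoked for a valid, non-empty-input
    digest. Any exception it raises is turned into a structured result instead
    of failing the workflow.
    """
    status, digest = classify_hash(artifact_type, value)
    if status == "invalid":
        return {"status": "invalid", "hash": digest, "reputation": None}
    if status == "empty_input":
        # The digest identifies a zero-byte file, so there is nothing
        # meaningful to ask the reputation service about.
        return {"status": "empty_input", "hash": digest, "reputation": None}
    try:
        return {"status": "ok", "hash": digest, "reputation": lookup(digest)}
    except Exception as exc:  # dxlbootstrap raises a bare Exception
        return {"status": "lookup_failed", "hash": digest, "error": str(exc)}


if __name__ == "__main__":
    # Constructed stand-in for the TIE client that fails the way the log shows.
    def fake_lookup(digest):
        if digest == EMPTY_INPUT_DIGESTS["sha256"]:
            raise Exception("Error: Error during request handling. (0)")
        return {"trust_level": "unknown"}

    for h in ("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
              "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b854"):
        print(safe_reputation_lookup("Malware SHA-256 Hash", h, fake_lookup))
```

Dropping this guard in front of the `get_file_reputation` call keeps the empty-file case out of the DXL request entirely and turns any remaining client exception into a result the workflow can branch on, rather than a FunctionException that aborts the action.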