IBM Security QRadar SOAR


McAfee Threat Intelligence Exchange Integration for SOAR


    Posted Fri April 15, 2022 06:08 AM
    We are using the McAfee Threat Intelligence Exchange Integration for SOAR. We noticed that it is not working only for the malware hash value e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    https://exchange.xforce.ibmcloud.com/hub/extension/47f1383c25d0323a0d25770006cfe62a

    For example, when we change the last number from 55 to 54 as below, then it works fine: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b854

    2022-04-15 17:42:42,718 INFO [actions_component] Event: <mcafee_tie_search_hash[] (id=23, workflow=mcafee_tie_get_file_reputation, user=resilient@test.com.my) 2022-04-15 09:42:42.630000> Channel: functions.mcafee_tie_search_hash
    2022-04-15 17:42:42,925 DEBUG [actions_component] Task: <function _call_the_task at 0x7fcf8d17a1d0>
    2022-04-15 17:42:42,926 DEBUG [decorators] Thread-4: _call_the_task
    2022-04-15 17:42:42,928 INFO [decorators] [mcafee_tie_search_hash] StatusMessage: Searching Hash...
    2022-04-15 17:42:42,929 DEBUG [mcafee_tie_search_hash] _lookup_hash started for Artifact Type Malware SHA-256 Hash - Artifact Value e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    2022-04-15 17:42:42,933 DEBUG [client] MQTT: Sending PUBLISH (d0, q0, r0, m3), '/mcafee/service/tie/file/reputation', ... (214 bytes)
    2022-04-15 17:42:42,933 DEBUG [stomp_component] send()
    2022-04-15 17:42:42,935 DEBUG [client] Sending SEND frame [headers={'destination': u'/queue/acks.201.mcafee_tie_md', 'correlation-id': u'invid:1533'}, body='{"message": "Searchi...', version=1.2]
    2022-04-15 17:42:42,937 DEBUG [stomp_component] Message sent
    2022-04-15 17:42:42,939 DEBUG [client] MQTT: Received PUBLISH (d0, q0, r0, m0), '/mcafee/client/{230086a7-aab0-4b51-b0a9-0c3fed0789cb}', ... (444 bytes)
    2022-04-15 17:42:42,940 DEBUG [client] Message received for topic /mcafee/client/{230086a7-aab0-4b51-b0a9-0c3fed0789cb}
    2022-04-15 17:42:43,046 ERROR [actions_component] <task[functionworker] (<function _call_the_task at 0x7fcf8d17a1d0>, <mcafee_tie_search_hash[functions.mcafee_tie_search_hash] (id=23, workflow=mcafee_tie_get_file_reputation, user=resilient@testcom.my) 2022-04-15 09:42:42.630000> mcafee_tie_hash_type=u'Malware SHA-256 Hash', mcafee_tie_hash=u'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')> (<class 'resilient_circuits.action_message.FunctionException_'>):
    Traceback (most recent call last):
    File "/usr/local/lib/python2.7/site-packages/fn_mcafee_tie/components/mcafee_tie_search_hash.py", line 59, in _mcafee_tie_search_hash_function
    reputations_dict = tie_client.get_file_reputation(resilient_hash)
    File "/usr/local/lib/python2.7/site-packages/dxltieclient/client.py", line 396, in get_file_reputation
    response = self._dxl_sync_request(req)
    File "/usr/local/lib/python2.7/site-packages/dxlbootstrap/client.py", line 55, in _dxl_sync_request
    raise Exception("Error: " + res.error_message + " (" + str(res.error_code) + ")")
    Exception: Error: Error during request handling. (0)

    2022-04-15 17:42:43,047 DEBUG [actions_component] Ack ID:BSNSOARRESDR02-33761-1649389748161-3:3:146:1:1
    2022-04-15 17:42:43,048 DEBUG [stomp_component] ack_frame()
    2022-04-15 17:42:43,049 DEBUG [client] Sending ACK frame

    ------------------------------
    Sunil I B
    ------------------------------
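A defender-side pre-check that could sit in front of the reputation lookup, as an added example that is not code from the post or from the fn_mcafee_tie package: the failing value in the post is the SHA-256 digest of zero-length input (the code recomputes it with hashlib rather than hard-coding it), so the helper flags empty-input digests and malformed values before any DXL request is sent, and turns a backend exception like the one in the traceback into a structured result instead of a failed workflow. The artifact type names other than "Malware SHA-256 Hash", and the function names, are assumptions.

```python
import hashlib
import re
from typing import Callable, Dict

# Hex-digest lengths per SOAR artifact type (names other than the SHA-256 one are assumed).
HASH_LENGTHS = {
    "Malware MD5 Hash": 32,
    "Malware SHA-1 Hash": 40,
    "Malware SHA-256 Hash": 64,
}

# Digests of zero-length input, computed at import time so they are exact.
# The SHA-256 entry equals the value that failed in the post above.
EMPTY_INPUT_DIGESTS = {
    "Malware MD5 Hash": hashlib.md5(b"").hexdigest(),
    "Malware SHA-1 Hash": hashlib.sha1(b"").hexdigest(),
    "Malware SHA-256 Hash": hashlib.sha256(b"").hexdigest(),
}


def classify_hash(hash_type: str, value: str) -> Dict[str, str]:
    """Hypothetical pre-check: decide whether an artifact is worth sending to TIE."""
    value = value.strip().lower()
    expected = HASH_LENGTHS.get(hash_type)
    if expected is None:
        return {"status": "unsupported", "reason": "unknown artifact type %s" % hash_type}
    if not re.fullmatch(r"[0-9a-f]{%d}" % expected, value):
        return {"status": "invalid", "reason": "not a %d-hex-character digest" % expected}
    if value == EMPTY_INPUT_DIGESTS[hash_type]:
        return {"status": "empty_input", "reason": "digest of zero-length content; no file to look up"}
    return {"status": "lookup", "value": value}


def safe_reputation_lookup(hash_type: str, value: str, lookup: Callable[[str], dict]) -> Dict:
    """Run the pre-check, then call the supplied lookup (e.g. tie_client.get_file_reputation).
    A backend error becomes a structured result rather than an unhandled exception."""
    check = classify_hash(hash_type, value)
    if check["status"] != "lookup":
        return {"success": False, **check}
    try:
        return {"success": True, "status": "lookup", "reputations": lookup(check["value"])}
    except Exception as exc:  # dxlbootstrap raises a bare Exception on request errors
        return {"success": False, "status": "backend_error", "reason": str(exc)}
```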