Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The Trellix MVISION EDR Threats for ThreatQ enables analysts to automatically ingest Assets, Attack Patterns, Indicators, Attributes, TTPs, and Tags.

The integration provides the following feed:

• Trellix MVISION EDR Threats - ingests indicators and their attributes.

The integration ingests the following system objects:

• Assets
• Attack Patterns
• Events
• Indicators
• TTPs

The Trellix MVISION EDR Threats CDF replaces the McAfee MVISION EDR CDF integration.  

Prerequisites

The following is required in order to successfully install and use the integration:

• Access to Trellix MVISION EDR
• Trellix API Key, Client ID, and Client Secret Credentials with the following scope permissions: soc.hts.c soc.hts.r soc.rts.c soc.rts.r soc.qry.pr.  See the Generating Credentials for Trellix MVISION EDR section for further details
• Asset Object

Generating Credentials for Trellix MVISION EDR

In order to use this integration, you will need to obtain an API Key, Client ID, and Client Secret from the Trellix Developer Portal. Previous versions of this integration (McAfee MVISION EDR CDF v1.0.1 and earlier), the integration utilized a now-deprecated authentication strategy. Since then, Trellix has placed the MVISION EDR APIs under their standardized IAM OAuth Authentication strategy.

Below are instructions on how you can obtain these credentials to use with the integration:

1. Log into your Trellix MVISION EDR instance.
2. Navigate to Trellix's Developer Portal: https://www.mcafee.com/enterprise/en-us/solutions/mvision/developer-portal.html
3. Click on the Documentation tab and then the Trellix API link.
4. Click the Self-Service tab on the sidebar and then the API Access Management sub-tab.

   The API Access Management page will load. You can view your Trellix API Key and generate a Client ID and Secret.

5. Enter a client name and the following scopes when requesting for your client credentials: soc.hts.c soc.hts.r soc.rts.c soc.rts.r soc.qry.pr
6. Once submitted, Trellix will need to approve the credentials. After approval, the credentials can be used with this integration.

Asset Object

The integration requires the Asset object.  The Asset installation files are included with the integration download on the ThreatQ Marketplace.  The Asset object must be installed prior to installing the integration.  

You do not have to install the Asset object if you are running ThreatQ version 5.10.0 or greater as the object has been seeded as a default system object.

Installation

The CDF requires the installation of a custom object before installing the actual CDF if your are on ThreatQ version 5.9.0 or earlier.  See the Prerequisites chapter for more details.  The custom object must be installed prior to installing the CDF.  Attempting to install the CDF without the custom object will cause the CDF install process to fail. 

Perform the following steps to install the integration:

The same steps can be used to upgrade the integration to a new version.

1. Log into https://marketplace.threatq.com/.
2. Locate and download the integration zip file.
3. Extract the contents of the zip file and, if you are on ThreatQ version 5.9 or earlier, install the required Asset custom object.
4. Navigate to the integrations management page on your ThreatQ instance.
5. Click on the Add New Integration button.
6. Upload the yaml file using one of the following methods:
   • Drag and drop the file into the dialog box
   • Select Click to Browse to locate the integration file on your local machine

   ThreatQ will inform you if the feed already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the feed contains changes to the user configuration. The new user configurations will overwrite the existing ones for the feed and will require user confirmation before proceeding.

7. If prompted, select the individual feeds to install and click Install. The feed will be added to the integrations page. 

You will still need to configure and then enable the feed.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

1. Navigate to your integrations management page in ThreatQ.
2. Select the Commercial option from the Category dropdown (optional).

   If you are installing the integration for the first time, it will be located under the Disabled tab.

3. Click on the integration entry to open its details page.
4. Enter the following parameters under the Configuration tab:

   Parameter	Description
   Trellix API Key	Your Trellix MVISION API Key, obtained from the Trellix Developer Portal.
   Client ID	Your Trellix MVISION Client ID, obtained from the Trellix Developer Portal.
   Client Secret	Your Trellix MVISION Client Secret, obtained from the Trellix Developer Portal.
   Verify SSL	Enable this paramater to verify the SSL certificate presented by the Trellix host.
   Threat Severity	Allows you to select one or more threat severity levels to filter your results by.  Options include: Very Low (s0) Low (s1) Medium (s2) - default Medium-High (s3) - default High (s4) - default Critical (s5) - default
   Add Detection Tags to Threats	If enabled, detection tags will be bundled up and added to all imported threats (hashes).
   Import Detections as Related Events	If enabled, detections will be brought in as related events to the threats.

   
   
5. Review any additional settings, make any changes if needed, and click on Save.
6. Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

{
    "total": 2,
    "skipped": 0,
    "items": 1,
    "threats": [
        {
            "id": "452825",
            "aggregationKey": "P_5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393",
            "severity": "s1",
            "rank": 88,
            "score": 38,
            "name": "rundll32.exe",
            "type": "pe",
            "status": "viewed",
            "firstDetected": "2022-02-11T21:16:56Z",
            "lastDetected": "2022-02-11T21:16:56Z",
            "hashes": {
                "sha256": "5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393",
                "sha1": "D4AC232D507769FFD004439C15302916A40D9831",
                "md5": "6C308D32AFA41D26CE2A0EA8F7B79565"
            }
        }
    ]
}

{
    "total": 1,
    "skipped": 0,
    "items": 1,
    "detections": [
        {
            "id": "45154556",
            "traceId": "de298c04-296d-4ae7-8fdc-6d7bcda30733",
            "firstDetected": "2022-02-11T21:16:56Z",
            "severity": "s1",
            "rank": 88,
            "tags": [
                "@MSI._reg_ep0029_intranet",
                "@MSI._reg_ep0037_iepages",
                "@ATE.T1112",
                "@ATA.DefenseEvasion"
            ],
            "host": {
                "maGuid": "32EDA829-0106-451D-9273-E099D04D81AE",
                "hostname": "tis-epo-testser",
                "os": {
                    "major": 6,
                    "minor": 3,
                    "build": 9600,
                    "sp": "",
                    "desc": "Windows 2012 R2"
                },
                "netInterfaces": [
                    {
                        "name": "Ethernet",
                        "macAddress": "fa:16:3e:08:89:58",
                        "ip": "172.16.114.30",
                        "type": 6
                    }
                ],
                "traceExtendedVisibility": 0
            },
            "sha256": "5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393"
        }
    ]
}

Average Feed Run

Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.

Trellix MVISION EDR Threats

Known Issues / Limitations

• MITRE ATT&CK attack patterns must have already been ingested by a previous run of the MITRE ATT&CK feeds in order for MITRE ATT&CK attack patterns extracted from detection event tags to be related to the event. MITRE ATT&CK attack patterns are ingested from the following feeds:
  • MITRE Enterprise ATT&CK
  • MITRE Mobile ATT&CK
  • MITRE PRE-ATT&CK

Change Log

• Version 2.0.4
  • Removed the Region configuration parameter and updated the Trellix base URL.
  • Resolved a related events and indicator tags ingestion issue.
  • Updated the filtering based on a response schema change.
  • Removed the MVISION link attribute due to a lack of information the feed provided. 
  • Added a new known Issue / limitation entry regarding MITRE ATT&CK Patterns.   MITRE ATT&CK attack patterns must have already been ingested by a previous run of the MITRE ATT&CK feeds in order for MITRE ATT&CK attack patterns extracted from detection event tags to be related to the event.  
• Version 2.0.3
  • Fixed an ingestion issue regarding Assets and Events.  
• Version 2.0.2
  • Resolved a filter mapping error for tags.  
  • Updated the method for retrieving attack patterns from the ThreatQ API.  
• Version 2.0.1
  • Added validation for non-existent detection list.  
• Version 2.0.0
  • Integration has been rebranded from McAfee MVISION EDR to Trellix MVISION EDR Threats. 
  • Switched authentication method to new IAM authentication using API Key, Client ID, and Client Secret.
  • Updated the Fetch Detection Tags configuration field to Add Detection Tag to Threats.
  • Added new configuration option: Import Detections as Related Events.
  • Updated the Threat Severity Filter configuration options scale from Level X to Very Low, Low, Medium, Medium-High, High, and Critical. 
  • The Detection (event) tags will now be parsed to create Attack Pattern, TTP, and Tactic relationships.
• Version 1.0.1
  • Added expired token reauthorization.
• Version 1.0.0
  • Initial release