intelmq.bots.experts.mcafee namespace
Submodules
intelmq.bots.experts.mcafee.expert_mar module
MARExpertBot queries the environment for occurrences of IOCs via McAfee Active Response.
Parameters:
    dxl_config_file: string
    lookup_type: string
- intelmq.bots.experts.mcafee.expert_mar.BOT
    alias of MARExpertBot
- class intelmq.bots.experts.mcafee.expert_mar.MARExpertBot(*args, **kwargs)
    Bases: ExpertBot
    Queries the local environment for connections to the given destination (IP address) using McAfee Active Response queries.
- MAR_Query(mar_search_str)
- QUERY = {
      'DestFQDN': [
          {'name': 'DNSCache', 'op': 'EQUALS', 'output': 'hostname', 'value': '%(destination.fqdn)s'}],
      'DestIP': [
          {'name': 'NetworkFlow', 'op': 'EQUALS', 'output': 'dst_ip', 'value': '%(destination.ip)s'}],
      'DestSocket': [
          {'name': 'NetworkFlow', 'op': 'EQUALS', 'output': 'dst_ip', 'value': '%(destination.ip)s'},
          {'name': 'NetworkFlow', 'op': 'EQUALS', 'output': 'dst_port', 'value': '%(destination.port)s'}],
      'Hash': [
          {'name': 'Files', 'op': 'EQUALS', 'output': 'md5', 'value': '%(malware.hash.md5)s'},
          {'name': 'Files', 'op': 'EQUALS', 'output': 'sha1', 'value': '%(malware.hash.sha1)s'},
          {'name': 'Files', 'op': 'EQUALS', 'output': 'sha256', 'value': '%(malware.hash.sha256)s'}]}
- dxl_config_file: str = '<insert /path/to/dxlclient.config>'
- init()
- lookup_type: str = '<Hash|DestSocket|DestIP|DestFQDN>'
- process()
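The QUERY table above maps each lookup_type to McAfee Active Response search conditions whose values are `%(field)s` templates over IntelMQ event fields. The following added example (not intelmq's own code) renders those conditions for one lookup_type against a constructed event; dropping a condition whose field is absent from the event is this example's own choice, since the page does not document how the bot handles that case.

```python
"""Render MARExpertBot's QUERY templates against an IntelMQ event.

Added example, not part of intelmq. The '%' dict formatting mirrors the
'%(destination.ip)s' placeholders documented in QUERY; skipping conditions
for missing fields is an assumption of this example."""

# QUERY exactly as documented for MARExpertBot (reflowed for readability).
QUERY = {
    'DestFQDN': [{'name': 'DNSCache', 'op': 'EQUALS', 'output': 'hostname',
                  'value': '%(destination.fqdn)s'}],
    'DestIP': [{'name': 'NetworkFlow', 'op': 'EQUALS', 'output': 'dst_ip',
                'value': '%(destination.ip)s'}],
    'DestSocket': [{'name': 'NetworkFlow', 'op': 'EQUALS', 'output': 'dst_ip',
                    'value': '%(destination.ip)s'},
                   {'name': 'NetworkFlow', 'op': 'EQUALS', 'output': 'dst_port',
                    'value': '%(destination.port)s'}],
    'Hash': [{'name': 'Files', 'op': 'EQUALS', 'output': 'md5',
              'value': '%(malware.hash.md5)s'},
             {'name': 'Files', 'op': 'EQUALS', 'output': 'sha1',
              'value': '%(malware.hash.sha1)s'},
             {'name': 'Files', 'op': 'EQUALS', 'output': 'sha256',
              'value': '%(malware.hash.sha256)s'}],
}


def render_conditions(lookup_type: str, event: dict) -> list:
    """Substitute event fields into the 'value' of each condition.

    IntelMQ events are flat dicts keyed by harmonized field names such as
    'destination.ip', so Python's '%' dict formatting matches them directly."""
    if lookup_type not in QUERY:
        raise ValueError(f"unknown lookup_type {lookup_type!r}; "
                         f"expected one of {sorted(QUERY)}")
    rendered = []
    for cond in QUERY[lookup_type]:
        try:
            value = cond['value'] % event
        except KeyError:      # referenced field not present in this event
            continue          # example's choice: leave that condition out
        rendered.append({**cond, 'value': value})
    return rendered


# Constructed sample event: documentation-range IP, placeholder SHA-256
# (the well-known digest of empty input), no md5/sha1/fqdn fields.
SAMPLE_EVENT = {
    'destination.ip': '203.0.113.5',
    'destination.port': 443,
    'malware.hash.sha256':
        'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
}

if __name__ == '__main__':
    for lookup_type in ('DestSocket', 'Hash', 'DestFQDN'):
        print(lookup_type, render_conditions(lookup_type, SAMPLE_EVENT))
```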