intelmq.bots.experts.mcafee namespace

Submodules

intelmq.bots.experts.mcafee.expert_mar module

MARExpertBot queries environment for occurrences of IOCs via McAfee Active Response.

Parameter: dxl_config_file: string lookup_type: string

intelmq.bots.experts.mcafee.expert_mar.BOT

alias of intelmq.bots.experts.mcafee.expert_mar.MARExpertBot

class intelmq.bots.experts.mcafee.expert_mar.MARExpertBot(bot_id: str, start: bool = False, sighup_event=None, disable_multithreading: Optional[bool] = None)

Bases: intelmq.lib.bot.Bot

Query connections to IP addresses to the given destination within the local environment using McAfee Active Response queries

MAR_Query(mar_search_str)
QUERY = {'DestFQDN': [{'name': 'DNSCache', 'output': 'hostname', 'op': 'EQUALS', 'value': '%(destination.fqdn)s'}], 'DestIP': [{'name': 'NetworkFlow', 'output': 'dst_ip', 'op': 'EQUALS', 'value': '%(destination.ip)s'}], 'DestSocket': [{'name': 'NetworkFlow', 'output': 'dst_ip', 'op': 'EQUALS', 'value': '%(destination.ip)s'}, {'name': 'NetworkFlow', 'output': 'dst_port', 'op': 'EQUALS', 'value': '%(destination.port)s'}], 'Hash': [{'name': 'Files', 'output': 'md5', 'op': 'EQUALS', 'value': '%(malware.hash.md5)s'}, {'name': 'Files', 'output': 'sha1', 'op': 'EQUALS', 'value': '%(malware.hash.sha1)s'}, {'name': 'Files', 'output': 'sha256', 'op': 'EQUALS', 'value': '%(malware.hash.sha256)s'}]}
dxl_config_file: str = '<insert /path/to/dxlclient.config>'
init()
lookup_type: str = '<Hash|DestSocket|DestIP|DestFQDN>'
process()