
Add integration for McAfee EPO

Open cloudtracer opened this issue 7 years ago • 6 comments

I don't have access to an EPO server, so I need help from someone who does.

McAfee Documentation: https://kc.mcafee.com/corporate/index?page=content&id=PD24810

These are probably the configuration parameters needed:

lookupType: IPV4
lookupUrl: https://YOURMCAFEEFQDN:8443/remote/system.find?:output=json
httpType: POST
httpPostData: searchText=${PINCH.HOVERITEM}
requestGroup: LOCALNET

Most EPO servers require users to use the API with their AD credentials, which I wouldn't recommend storing in the ThreatPinch extension. It would be good to have instructions on how to setup a read only user to use the API with.

Screenshot of how I would try to configure it in the wizard: [image]

cloudtracer avatar Apr 09 '17 15:04 cloudtracer

I took a stab at making this, but I haven't been able to validate if it works. Anyone have an EPO server they can test with? The EPO server needs a valid SSL/TLS certificate though or the requests will fail (no way around this).

chrome-extension://ljdgplocfnmnofbhpkjclbefmjoikgke/src/options/wizard.html?RL=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

cloudtracer avatar May 19 '17 12:05 cloudtracer

I've started looking into this. Are there more verbose errors available in ThreatPinch?

Testing with curl -k -u username:mypass https://epo_server:8443/remote/policy.find?system.find?searchText=ipaddress I get successful authentication and a response.

xg5-simon avatar Jun 09 '17 06:06 xg5-simon

Hi @xg5-simon,

Thanks for taking a look. The wizard actually just does all the work on the current page in the browser, so to debug what the wizard does you mostly have to rely on the Chrome developer tools.

I can see with your curl command you are using the -k parameter, which probably means your EPO instance is using a self-signed cert (or at least it's insecure to curl). Unfortunately, there really isn't a way for me to force the XHR requests to a web server with an untrusted cert. I suppose you can try adding the cert to your browser to get around this.

cloudtracer avatar Jun 09 '17 10:06 cloudtracer
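As an added example, not code from ThreatPinch or from McAfee: the Python below builds the POST request that the lookup definition proposed at the top of this issue would send, substitutes ${PINCH.HOVERITEM} with the hovered indicator, sends it with TLS certificate verification kept on (the script counterpart of importing the ePO certificate into the browser rather than using curl -k), and parses the JSON reply into the few columns a tooltip would show. The host YOURMCAFEEFQDN is the issue's own placeholder; the "OK:"/"Error" status line, the column names in the constructed sample reply, and the read-only account name are assumptions, not taken from the ePO documentation.

```python
"""Build, send and parse the ePO system.find lookup described in this issue.

Stand-alone illustration; not ThreatPinch or McAfee code.  Everything the
issue does not state is marked as an assumption below.
"""
import base64
import json
import ssl
import urllib.request
from urllib.parse import quote_plus

# The lookup definition proposed in the issue.  YOURMCAFEEFQDN is the
# placeholder from the issue, not a real host.
LOOKUP = {
    "lookupType": "IPV4",
    "lookupUrl": "https://YOURMCAFEEFQDN:8443/remote/system.find?:output=json",
    "httpType": "POST",
    "httpPostData": "searchText=${PINCH.HOVERITEM}",
    "requestGroup": "LOCALNET",
}

# Constructed sample reply (not captured from a real server).  The "OK:"
# status line and the column names are assumptions about ePO's JSON output.
SAMPLE_RESPONSE = """OK:
[{"EPOComputerProperties.ComputerName": "WS-0142",
  "EPOComputerProperties.IPAddress": "10.20.30.40",
  "EPOComputerProperties.OSType": "Windows 10",
  "EPOLeafNode.LastUpdate": "2017-06-09T08:15:00Z"}]
"""


def render_post_data(template: str, hover_item: str) -> str:
    """Substitute ${PINCH.HOVERITEM} the way the wizard does, but form-encode
    the hovered text so '&' or '=' in it cannot add extra POST fields."""
    return template.replace("${PINCH.HOVERITEM}", quote_plus(hover_item))


def build_request(lookup: dict, hover_item: str,
                  user: str, password: str) -> urllib.request.Request:
    """HTTP Basic credentials for a dedicated read-only ePO account; the
    caller supplies them, nothing is stored in the extension."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        lookup["lookupUrl"],
        data=render_post_data(lookup["httpPostData"], hover_item).encode(),
        method=lookup["httpType"],
        headers={"Authorization": "Basic " + token,
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def send(req: urllib.request.Request, ca_bundle: str, timeout: float = 10) -> str:
    """Send with certificate verification left ON.  ca_bundle is the PEM of
    the CA that signed the ePO certificate: the script equivalent of
    importing the cert into the browser, not of curl -k."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode()


def parse_epo_response(text: str) -> list:
    """Handle an optional leading status line ("OK:" or "Error ...", assumed
    format) and return the JSON payload as a list of records."""
    status, _, rest = text.partition("\n")
    status = status.strip()
    if status.startswith("Error"):
        raise RuntimeError(status)
    payload = rest if status == "OK:" else text
    data = json.loads(payload)
    return data if isinstance(data, list) else [data]


# Assumed ePO column names -> short keys for a tooltip.
FIELDS = {
    "name": "EPOComputerProperties.ComputerName",
    "ip": "EPOComputerProperties.IPAddress",
    "os": "EPOComputerProperties.OSType",
    "last_update": "EPOLeafNode.LastUpdate",
}


def summarize(records: list) -> list:
    """Reduce each ePO record to the few columns a hover tooltip would show."""
    return [{k: rec.get(col, "n/a") for k, col in FIELDS.items()} for rec in records]


def lookup_ip(ip: str, user: str, password: str, ca_bundle: str) -> list:
    """End-to-end lookup against a live server (needs a trusted certificate)."""
    raw = send(build_request(LOOKUP, ip, user, password), ca_bundle)
    return summarize(parse_epo_response(raw))


if __name__ == "__main__":
    req = build_request(LOOKUP, "10.20.30.40", "epo_readonly", "example")
    print(req.get_method(), req.full_url, req.data)
    for row in summarize(parse_epo_response(SAMPLE_RESPONSE)):
        print(row)
```

Running the script offline exercises only the request construction and the parser against the constructed reply; lookup_ip is the live path and refuses to talk to a server whose certificate does not chain to the supplied CA bundle, which is the same constraint the browser imposes on the extension's XHR requests.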

Thanks. I've got access to another system that I can install another CA's cert on instead of self-signed. Are there any other specific API calls you need me to look at (i.e. TIE/DXL)?


xg5-simon avatar Jun 11 '17 08:06 xg5-simon

Take a look at whatever you think might be relevant. I figured the easiest bit of value would be to get the IP lookups working for EPO, but there is probably a fair bit of value in being able to look up the hashes from TIE/DXL as well.

Thanks for taking a crack at this! I've had a fair number of people ask for EPO.

cloudtracer avatar Jun 11 '17 13:06 cloudtracer

Will look into this again over the next day or so. I've installed a cert from a trusted CA. Will post the results.

xg5-simon avatar Jun 27 '17 10:06 xg5-simon