Basic Set Reputation Example

This sample demonstrates invoking the McAfee Threat Intelligence Exchange (TIE) DXL service to set the enterprise-specific trust level of a file (as identified by its hashes).

Note

From TIE Server 3.0.0 onwards it is recommended that automated integrations set an External Reputation (see Basic Set External Reputation Example) instead of an Enterprise Override.

Advantages:
  • It lets you distinguish manual Enterprise Overrides (set from the ePO UI) from automated integrations (set via OpenDXL).
  • External Provider reputations are treated as a fallback, so endpoints consider them only if there is no other reputation for the file. This reduces the impact of false positives.
  • Files with an Enterprise Override are not deleted after their retention period expires, because this information cannot be recovered. Once files are no longer in use, keeping their automatically overridden reputations is not practical.

Prerequisites

  • The samples configuration step has been completed (see Samples Configuration)

  • A McAfee Threat Intelligence Exchange (TIE) Service is available on the DXL fabric

  • The Python client must be authorized to send messages to the /mcafee/service/tie/file/reputation/set topic, which is part of the TIE Server Set Enterprise Reputation authorization group.

    The following page provides an example of authorizing a Python client to send messages to an authorization group. While the example is based on McAfee Active Response (MAR), the instructions are the same, except that the TIE Server Set Enterprise Reputation authorization group is used in place of Active Response Server API:

    https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html

Running

To run this sample execute the sample/basic/basic_set_reputation_example.py script as follows:

c:\dxltieclient-python-sdk-0.3.0>python sample/basic/basic_set_reputation_example.py

If the set reputation operation succeeds the following message will be displayed:

Succeeded.

Details

The majority of the sample code is shown below (the imports and the client configuration, which the sample loads from the dxlclient.config file produced by the samples configuration step, are included here so the snippet runs on its own):

from dxlclient.client import DxlClient
from dxlclient.client_config import DxlClientConfig
from dxltieclient.client import TieClient
from dxltieclient.constants import HashType, TrustLevel

# Path to the dxlclient.config file created by the samples configuration step
CONFIG_FILE = "dxlclient.config"

# Create DXL configuration from file
config = DxlClientConfig.create_dxl_config_from_file(CONFIG_FILE)

# Create the client
with DxlClient(config) as client:

    # Connect to the fabric
    client.connect()

    # Create the McAfee Threat Intelligence Exchange (TIE) client
    tie_client = TieClient(client)

    # Set the Enterprise reputation for notepad.exe to Known Trusted
    # (the hash map identifies the file; the trust level is applied to every listed hash)
    tie_client.set_file_reputation(
        TrustLevel.KNOWN_TRUSTED, {
            HashType.MD5: "f2c7bb8acc97f92e987a2d4087d021b1",
            HashType.SHA1: "7eb0139d2175739b3ccb0d1110067820be6abd29",
            HashType.SHA256: "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2"
        },
        filename="notepad.exe",
        comment="Reputation set via OpenDXL")

    print("Succeeded.")

Once a connection is established to the DXL fabric, a dxltieclient.client.TieClient instance is created, which is used to communicate with the TIE DXL services.

The enterprise-specific trust level is established for the file by invoking the dxltieclient.client.TieClient.set_file_reputation() method of the dxltieclient.client.TieClient instance, passing the hash values that identify the file.

The filename and comment are optional, but they are useful for identifying the particular file associated with the hashes (especially if the file did not previously exist in the TIE repository).

An Enterprise Override applies to whichever hashes are supplied, so a mistyped or truncated hash value creates a reputation entry for a file that does not exist rather than for the file intended. The following added example (not part of the SDK or its sample) derives the hash map from a file's bytes with hashlib, checks each value's length and hex encoding before calling set_file_reputation(), and exercises the flow against a recording stand-in for TieClient so it runs without a DXL fabric; the fallback HashType and TrustLevel values used when the SDK is not installed are assumptions that mirror the SDK's constants.
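```python
import hashlib

try:
    from dxltieclient.constants import HashType, TrustLevel
except ImportError:
    # Assumption: fallback values mirror the SDK constants so this example runs without dxltieclient
    class HashType:
        MD5, SHA1, SHA256 = "md5", "sha1", "sha256"

    class TrustLevel:
        KNOWN_TRUSTED = 99

# Expected hex-digest length for each hash type TIE accepts
HEX_LENGTH = {HashType.MD5: 32, HashType.SHA1: 40, HashType.SHA256: 64}


def build_hash_map(data):
    """Compute the three hashes TIE uses to identify a file, keyed by HashType."""
    return {
        HashType.MD5: hashlib.md5(data).hexdigest(),
        HashType.SHA1: hashlib.sha1(data).hexdigest(),
        HashType.SHA256: hashlib.sha256(data).hexdigest(),
    }


def validate_hash_map(hashes):
    """Return a lowercase copy of the map; reject unknown types, bad lengths and non-hex values."""
    clean = {}
    for hash_type, value in hashes.items():
        if hash_type not in HEX_LENGTH:
            raise ValueError("unsupported hash type: %r" % hash_type)
        value = value.strip().lower()
        if len(value) != HEX_LENGTH[hash_type] or any(c not in "0123456789abcdef" for c in value):
            raise ValueError("malformed %s hash: %r" % (hash_type, value))
        clean[hash_type] = value
    if not clean:
        raise ValueError("at least one hash is required")
    return clean


def set_reputation_for_bytes(tie_client, data, filename, trust_level=TrustLevel.KNOWN_TRUSTED,
                             comment="Reputation set via OpenDXL"):
    """Hash the content, validate, then set the Enterprise reputation; returns the hash map used."""
    hashes = validate_hash_map(build_hash_map(data))
    tie_client.set_file_reputation(trust_level, hashes, filename=filename, comment=comment)
    return hashes


class RecordingTieClient:
    """Stand-in for dxltieclient.client.TieClient (assumption) that records calls instead of sending them."""
    def __init__(self):
        self.calls = []

    def set_file_reputation(self, trust_level, hashes, filename=None, comment=None):
        self.calls.append((trust_level, hashes, filename, comment))


if __name__ == "__main__":
    # Constructed sample content; a real integration would read the file's bytes from disk
    print(set_reputation_for_bytes(RecordingTieClient(), b"abc", "constructed-sample.bin"))
```

Replace RecordingTieClient with the real TieClient from the sample above to apply the override on the fabric.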