McAfee ATD
Integration version: 11.0
Configure McAfee ATD integration in Google Security Operations
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Actions
Check Hash
Description
Check if a hash is blacklisted.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Filehash entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_blacklisted | True/False | is_blacklisted:False |
JSON Result
[{
"EntityResult": true,
"Entity": "ebdd035084968f675ee1510519dd8319"
}]
Get Analyzer Profiles
Description
Get Trellix ATD analyzer profiles data.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[{
"overrideOS": 0,
"logZip": 0,
"family": 0,
"default64OSName": "",
"artimas": 0,
"yararules": 0,
"xMode": 0,
"consoleLog": 0,
"sophosAV": 0,
"defaultVM": 0,
"userLog": 0,
"filePassword1": "",
"dnnEnable": 0,
"recusiveAnalysis": 0,
"imageid": 0,
"vmDesc": "Only Down Selectors",
"heuristic": 0,
"netdriveZip": 0,
"ssKeyid": 1,
"gtiTS": 1,
"ssAPIid": 1,
"pe32": 0,
"createTime": "2012-12-01 02:16:01",
"locBlackList": 1,
"openarchive": 1,
"yaraScan": 0,
"runtimeArgument": "",
"dumpZip": 0,
"userid": 1,
"filePassword": "",
"internet": 0,
"default32OSName": "",
"lastChange": "2018-08-20 01:04:37",
"summary": 1,
"maxExecTime": 180,
"asm": 0,
"ntvLog": 0,
"name": "Analyzer Profile 1",
"reAnalysis": 1,
"noPDF": 0,
"flp": 0,
"mfeAV": 1,
"aviraAV": 0,
"vmProfileid": 1,
"gam": 1,
"gml": 0,
"netLog": 0,
"sandbox": 0,
"dropZip": 0,
"selectedOSName": "",
"minExecTime": 5,
"ssLevelid": 1,
"gtiURLRep": 0,
"customrules": 0,
"locWhiteList": 0
}]
Get Report
Description
Get a report for task IDs.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Task IDs | String | N/A | The IDs of the tasks to fetch reports for, comma separated. |
Create Insight | Boolean | Checked | If enabled, action will create an insight containing all of the retrieved information about the report. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
report | True/False | report:False |
JSON Result
{
"95":
{
"Summary":
{
"JSONversion": "1.002",
"SubmitterName": "User",
"Subject":
{
"Name": "events.txt",
"Timestamp": "2018-08-21 08:29:48",
"FileType": "2",
"sha-256": "74834D752D73B4C81EAD10184A091C12AA30BD809D575FD9CFA07B0EBBD7A0D7", "sha-1": "6BDA9FCFB56CE2B34168D499EE04970F640ADD9A",
"parent_archive": "Not Available",
"md5": "11FBEF3A9916BF50EC5002B5795B23C3",
"Type": "ASCII text",
"size": "481231"
},
"Process":
[{
"Reason": "processed by down selectors",
"Name": "events.txt",
"Severity": "0"
}],
"Data":
{
"compiled_with": "Not Available",
"analysis_seconds": "181",
"sandbox_analysis": "0"
},
"SUMversion": "1.1.1.1",
"JobId": "95",
"SubmitterType": "STAND_ALONE",
"Behavior": ["Identified as --- by GTI File Reputation", "Identified as --- by Anti-Malware"],
"hasDynamicAnalysis": "false",
"TaskId": "95",
"Verdict":
{
"Severity": "0",
"Description": "No malicious activity was detected, but this does NOT mean that execution of the sample is safe"
},
"OSversion": "StaticAnalysis",
"Selectors":
[{
"Engine": "GTI File Reputation",
"Severity": "0",
"MalwareName": "---"
},
{
"Engine": "Anti-Malware",
"Severity": "0",
"MalwareName": "---"
},
{
"Engine": "Sandbox",
"Severity": "0",
"MalwareName": "---"
}],
"MISversion": "1.1.1.1",
"DETversion": "1.1.1.1"
}
}
}
Ping
Description
Verify that the user has a connection to Trellix ATD via the user's device.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Submit File
Description
Submit a file for analysis.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
File Paths | String | N/A | The paths of the file to submit, comma separated. |
Analyzer Profile ID | String | N/A | The ID of the analyzer profile to analyze with. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
task_id | True/False | task_id:False |
JSON Result
{
"C:\\temp\\test.txt\": 95
}
Submit URL
Description
Submit a URL for analysis.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Analyzer Profile ID | String | N/A | The ID of the analyzer profile to analyze the URLs with. It can be found in ATD under the Policy Analyzer Profile section. |
Create Insight | Boolean | Checked | If enabled, action will create an insight containing all of the retrieved information about the entity. |
Run On
This action runs on the URL entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic-When to apply |
---|---|
Summary | Returns if it exists in JSON result |
Script Result
Script Result Name | Value Options | Example |
---|---|---|
report | True/False | report:False |
JSON Result
[{
"EntityResult":
{
"Summary":
{
"JSONversion": "1.002",
"SubmitterName": "User",
"Subject":
{
"sha-1": "6BDA9FCFB56CE2B34168D499EE04970F640ADD9A",
"Timestamp": "2018-08-21 08:29:48",
"FileType": "2",
"sha-256": "74834D752D73B4C81EAD10184A091C12AA30BD809D575FD9CFA07B0EBBD7A0D7",
"parent_archive": "Not Available",
"Name": "events.txt",
"md5": "11FBEF3A9916BF50EC5002B5795B23C3",
"Type": "ASCII text",
"size": "481231"
},
"Process":
[{
"Reason": "processed by down selectors",
"Name": "events.txt",
"Severity": "0"
}],
"Data":
{
"compiled_with": "Not Available",
"analysis_seconds": "181",
"sandbox_analysis": "0"
},
"SUMversion": "1.1.1.1",
"JobId": "95",
"SubmitterType": "STAND_ALONE",
"Behavior":
["Identified as --- by GTI File Reputation",
"Identified as --- by Anti-Malware"],
"hasDynamicAnalysis": "false",
"TaskId": "95",
"Verdict":
{
"Description": "No malicious activity was detected, but this does NOT mean that execution of the sample is safe",
"Severity": "0"
},
"OSversion": "StaticAnalysis",
"Selectors":
[{
"Engine": "GTI File Reputation",
"Severity": "0",
"MalwareName": "---"
},
{
"Engine": "Anti-Malware",
"Severity": "0",
"MalwareName": "---"
},
{
"Engine": "Sandbox",
"Severity": "0",
"MalwareName": "---"
}],
"MISversion": "1.1.1.1",
"DETversion": "1.1.1.1"
}
},
"Entity": "http://google.com"
}]
Need more help? Get answers from Community members and Google SecOps professionals.