McAfee ATD
Integration version: 11.0
Configure McAfee ATD integration in Google Security Operations
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Actions
Check Hash
Description
Check if a hash is blacklisted.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Filehash entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_blacklisted | True/False | is_blacklisted:False |
JSON Result
```json
[{
  "EntityResult": true,
  "Entity": "ebdd035084968f675ee1510519dd8319"
}]
```
Get Analyzer Profiles
Description
Get Trellix ATD analyzer profiles data.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
```json
[{
  "overrideOS": 0,
  "logZip": 0,
  "family": 0,
  "default64OSName": "",
  "artimas": 0,
  "yararules": 0,
  "xMode": 0,
  "consoleLog": 0,
  "sophosAV": 0,
  "defaultVM": 0,
  "userLog": 0,
  "filePassword1": "",
  "dnnEnable": 0,
  "recusiveAnalysis": 0,
  "imageid": 0,
  "vmDesc": "Only Down Selectors",
  "heuristic": 0,
  "netdriveZip": 0,
  "ssKeyid": 1,
  "gtiTS": 1,
  "ssAPIid": 1,
  "pe32": 0,
  "createTime": "2012-12-01 02:16:01",
  "locBlackList": 1,
  "openarchive": 1,
  "yaraScan": 0,
  "runtimeArgument": "",
  "dumpZip": 0,
  "userid": 1,
  "filePassword": "",
  "internet": 0,
  "default32OSName": "",
  "lastChange": "2018-08-20 01:04:37",
  "summary": 1,
  "maxExecTime": 180,
  "asm": 0,
  "ntvLog": 0,
  "name": "Analyzer Profile 1",
  "reAnalysis": 1,
  "noPDF": 0,
  "flp": 0,
  "mfeAV": 1,
  "aviraAV": 0,
  "vmProfileid": 1,
  "gam": 1,
  "gml": 0,
  "netLog": 0,
  "sandbox": 0,
  "dropZip": 0,
  "selectedOSName": "",
  "minExecTime": 5,
  "ssLevelid": 1,
  "gtiURLRep": 0,
  "customrules": 0,
  "locWhiteList": 0
}]
```
Get Report
Description
Get a report for task IDs.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Task IDs | String | N/A | The IDs of the tasks to fetch reports for, comma separated. |
Create Insight | Boolean | Checked | If enabled, the action creates an insight containing all of the retrieved information about the report. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
report | True/False | report:False |
JSON Result
```json
{
  "95": {
    "Summary": {
      "JSONversion": "1.002",
      "SubmitterName": "User",
      "Subject": {
        "Name": "events.txt",
        "Timestamp": "2018-08-21 08:29:48",
        "FileType": "2",
        "sha-256": "74834D752D73B4C81EAD10184A091C12AA30BD809D575FD9CFA07B0EBBD7A0D7",
        "sha-1": "6BDA9FCFB56CE2B34168D499EE04970F640ADD9A",
        "parent_archive": "Not Available",
        "md5": "11FBEF3A9916BF50EC5002B5795B23C3",
        "Type": "ASCII text",
        "size": "481231"
      },
      "Process": [{
        "Reason": "processed by down selectors",
        "Name": "events.txt",
        "Severity": "0"
      }],
      "Data": {
        "compiled_with": "Not Available",
        "analysis_seconds": "181",
        "sandbox_analysis": "0"
      },
      "SUMversion": "1.1.1.1",
      "JobId": "95",
      "SubmitterType": "STAND_ALONE",
      "Behavior": [
        "Identified as --- by GTI File Reputation",
        "Identified as --- by Anti-Malware"
      ],
      "hasDynamicAnalysis": "false",
      "TaskId": "95",
      "Verdict": {
        "Severity": "0",
        "Description": "No malicious activity was detected, but this does NOT mean that execution of the sample is safe"
      },
      "OSversion": "StaticAnalysis",
      "Selectors": [
        { "Engine": "GTI File Reputation", "Severity": "0", "MalwareName": "---" },
        { "Engine": "Anti-Malware", "Severity": "0", "MalwareName": "---" },
        { "Engine": "Sandbox", "Severity": "0", "MalwareName": "---" }
      ],
      "MISversion": "1.1.1.1",
      "DETversion": "1.1.1.1"
    }
  }
}
```
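The Get Report result above is a dict keyed by task ID, with severities stored as strings and a flag telling you whether dynamic analysis actually ran. The following example (added here; not code from the integration or from Trellix) walks that structure and produces a per-task triage summary, treating a clean verdict from static-only analysis as weaker evidence, which is what the report's own Verdict description warns. The second sample and its hash value are constructed placeholders.

```python
import json

# Constructed samples: the first is trimmed from the Get Report result
# documented above, the second is invented to exercise the flagged path.
SAMPLE_CLEAN = {"95": {"Summary": {
    "hasDynamicAnalysis": "false", "OSversion": "StaticAnalysis",
    "Subject": {"Name": "events.txt", "md5": "11FBEF3A9916BF50EC5002B5795B23C3"},
    "Verdict": {"Severity": "0", "Description": "No malicious activity was detected"},
    "Selectors": [
        {"Engine": "GTI File Reputation", "Severity": "0", "MalwareName": "---"},
        {"Engine": "Anti-Malware", "Severity": "0", "MalwareName": "---"},
        {"Engine": "Sandbox", "Severity": "0", "MalwareName": "---"}]}}}
SAMPLE_FLAGGED = {"96": {"Summary": {
    "hasDynamicAnalysis": "true",
    "Subject": {"Name": "sample.bin", "md5": "PLACEHOLDER_MD5"},
    "Verdict": {"Severity": "4", "Description": "constructed"},
    "Selectors": [
        {"Engine": "Anti-Malware", "Severity": "0", "MalwareName": "---"},
        {"Engine": "Sandbox", "Severity": "4", "MalwareName": "Constructed.Sample"}]}}}


def _severity(value):
    """ATD reports severities as strings ("0"); treat missing/garbled as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def triage_reports(report_json):
    """Summarise a Get Report result (dict or JSON text keyed by task ID).

    A clean verdict with hasDynamicAnalysis "false" is weaker evidence (the
    report's own Verdict.Description says as much), so it is surfaced, not hidden.
    """
    data = json.loads(report_json) if isinstance(report_json, str) else report_json
    results = {}
    for task_id, report in data.items():
        summary = report.get("Summary", {})
        verdict = _severity(summary.get("Verdict", {}).get("Severity"))
        # An engine counts as a hit if it reports a non-zero severity or names malware.
        hits = [s.get("Engine") for s in summary.get("Selectors", [])
                if _severity(s.get("Severity")) > 0 or s.get("MalwareName", "---") != "---"]
        results[task_id] = {
            "md5": summary.get("Subject", {}).get("md5"),
            "severity": verdict,
            "needs_review": verdict > 0 or bool(hits),
            "flagged_by": hits,
            "static_only": str(summary.get("hasDynamicAnalysis", "")).lower() != "true",
        }
    return results
```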
Ping
Description
Verify that the user has a connection to Trellix ATD via the user's device.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Submit File
Description
Submit a file for analysis.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
File Paths | String | N/A | The paths of the files to submit, comma separated. |
Analyzer Profile ID | String | N/A | The ID of the analyzer profile to analyze with. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
task_id | True/False | task_id:False |
JSON Result
```json
{
  "C:\\temp\\test.txt": 95
}
```
Submit URL
Description
Submit a URL for analysis.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Analyzer Profile ID | String | N/A | The ID of the analyzer profile to analyze the URLs with. It can be found in ATD under the Policy Analyzer Profile section. |
Create Insight | Boolean | Checked | If enabled, the action creates an insight containing all of the retrieved information about the entity. |
Run On
This action runs on the URL entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
Summary | Returned if it exists in the JSON result |
Script Result
Script Result Name | Value Options | Example |
---|---|---|
report | True/False | report:False |
JSON Result
```json
[{
  "EntityResult": {
    "Summary": {
      "JSONversion": "1.002",
      "SubmitterName": "User",
      "Subject": {
        "sha-1": "6BDA9FCFB56CE2B34168D499EE04970F640ADD9A",
        "Timestamp": "2018-08-21 08:29:48",
        "FileType": "2",
        "sha-256": "74834D752D73B4C81EAD10184A091C12AA30BD809D575FD9CFA07B0EBBD7A0D7",
        "parent_archive": "Not Available",
        "Name": "events.txt",
        "md5": "11FBEF3A9916BF50EC5002B5795B23C3",
        "Type": "ASCII text",
        "size": "481231"
      },
      "Process": [{
        "Reason": "processed by down selectors",
        "Name": "events.txt",
        "Severity": "0"
      }],
      "Data": {
        "compiled_with": "Not Available",
        "analysis_seconds": "181",
        "sandbox_analysis": "0"
      },
      "SUMversion": "1.1.1.1",
      "JobId": "95",
      "SubmitterType": "STAND_ALONE",
      "Behavior": [
        "Identified as --- by GTI File Reputation",
        "Identified as --- by Anti-Malware"
      ],
      "hasDynamicAnalysis": "false",
      "TaskId": "95",
      "Verdict": {
        "Description": "No malicious activity was detected, but this does NOT mean that execution of the sample is safe",
        "Severity": "0"
      },
      "OSversion": "StaticAnalysis",
      "Selectors": [
        { "Engine": "GTI File Reputation", "Severity": "0", "MalwareName": "---" },
        { "Engine": "Anti-Malware", "Severity": "0", "MalwareName": "---" },
        { "Engine": "Sandbox", "Severity": "0", "MalwareName": "---" }
      ],
      "MISversion": "1.1.1.1",
      "DETversion": "1.1.1.1"
    }
  },
  "Entity": "http://google.com"
}]
```