McAfee ATD Playbooks

As part of the Automated Malware Analysis use case, the Detonate File Playbook template makes it easy to process an ATD Malware report as intelligence in ThreatConnect. When the Component is triggered it will retrieve the report from McAfee ATD and then save it as an Incident with associated Indicators in ThreatConnect. This component can be used in a variety of Playbooks and Workflows such as “Malware Processing – McAfee ATD via DXL” and “Detonate File – McAfee ATD”.

As part of the Automated Malware Analysis use case, the Create Intelligence from Malware Report Playbook template allows a user to easily pass a suspicious Malware sample to McAfee ATD for analysis. The Playbook begins with a User Action trigger and then sends the Document to McAfee ATD for analysis. The “McAfee ATD – Create Intelligence from Malware Report” component is used to create an Incident and associated Indicators in ThreatConnect from the results.

As part of the Automated Malware Processing use case, the Malware Processing Playbook template provides a starting point for ingesting McAfee ATD Reports from the `/mcafee/event/atd/file/report` topic on DXL. Once a message is received by the Playbook the “McAfee ATD – Create Intelligence from Malware Report” component is used to save the report as an Incident and associated Indicators in ThreatConnect for further correlation and analysis. This playbook requires McAfee ATD to be connected to the DXL fabric.

These Playbook templates can be found in the ThreatConnect App Catalog under the names: Detonate File – McAfee ATD,McAfee ATD – Create Intelligence from Malware Report, and Malware Processing – McAfee ATD via DXL