Utilizing the McAfee product suite and Swimlane to automate incident response

3 Minute Read


McAfee has a robust cybersecurity product suite that several leading organizations utilize as their security operations and incident response platforms. From the SIEM to endpoint protection, McAfee offers a solution for almost every stage of incident response. Swimlane has integrations with a majority of these integral tools and products, which makes it possible to automate most of the same processes an analyst would do manually during an investigation.

The Swimlane team developed integrations with the following McAfee products:

  • McAfee ESM (SIEM):
    • Ingest unacknowledged alarms
    • Retrieve base events that trigger a correlation rule
  • McAfee ePO (EDR):
    • Apply a tag to a specific host or a set of hosts
    • Clear a tag from a specific host or a set of hosts
    • Pull all related threat events from a host
    • Pull all relevant host information about a host managed by ePO
  • McAfee OpenDXL:
    • Lookup MD5 hash
    • Push MD5 hash to the TIE DB with a reputation score
    • Push an event over the DXL fabric
  • McAfee ATD:
    • Submit files for sandbox analysis
    • Pull back results from a completed scan
  • McAfee Web Gateway:
    • Black/whitelist URLs
    • Black/whitelist domains

How does Swimlane orchestrate and automate alarms with McAfee tools?

With these tools in place, Swimlane can automate and orchestrate an alarm that fires in ESM and then remediate and respond to the incident using the developed McAfee integrations. A real-world use case example would be if an employee browsed to a website that had been previously flagged by McAfee ESM. Once the alarm triggered, Swimlane’s McAfee ESM integration would ingest the alarm while also setting the alarm to acknowledged. The alarm details would include the host IP, hostname, the URL the user connected to, as well as other relevant information about the incident. Swimlane, using the hostname of the user’s computer, would automatically apply a tag in McAfee ePO that would then kick off a virus scan on that host. Once the scan is completed, Swimlane, using the ePO Threat Events integration, would pull back all details from the scan and append it to the current investigation. In this situation, the user accidentally pulled down a malicious binary, in which the path to this binary was included in the threat event.

At this point in the playbook, the digital forensics team would get involved and pull the binary off the user’s machine and attach it to the current case investigation. Once the file is attached, Swimlane would submit the file to McAfee ATD for sandbox analysis and calculate the hash value of the binary. The results of this scan would show that this binary connects to two other domains that are considered malicious indicators of compromise (IOCs).

Due to the severity of these IOCs, Swimlane would automatically kick off a playbook for remediation. The defined remediation steps for this use case state that Swimlane should automatically apply a tag to McAfee ePO to remove the computer from the network, so the digital forensics team can complete their set of remediation steps. Next, Swimlane would push the MD5 hash to the TIE DB with a high reputation score, using the integration developed for McAfee ATD. And finally, using the McAfee Web Gateway integration, the IOCs would be submitted to be blacklisted by the proxy.

Workflow - Automatically Resolve AlertsHow Swimlane can help

These types of events might occur several times a day and it could take an analyst 30 to 60 minutes per investigation. With Swimlane’s ability to automate and orchestrate complex playbooks, it not only greatly decreases the time to remediate an incident, it also increases the value and investment in the McAfee products. These integrations, coupled with the playbooks created for them, help organizations true-up their cybersecurity operating procedures and allow them to retain the knowledge and processes within Swimlane.

If you would like to learn more about how Swimlane integrates with the McAfee product suite, watch our integration video.

Request a Live Demo