Basic First References Example

Jeremy Barlow edited this page Mar 28, 2018 · 2 revisions

This sample demonstrates invoking the McAfee Threat Intelligence Exchange (TIE) DXL service to retrieve the set of systems which have referenced (typically executed) a file (as identified by hashes).

The majority of the sample code is shown below:

Sample Code

from dxlclient.client_config import DxlClientConfig
from dxlclient.client import DxlClient
from dxltieclient import TieClient
from dxltieclient.constants import HashType, FirstRefProp

# Placeholder values: point CONFIG_FILE at the dxlclient.config produced when
# the client was provisioned, and set the three hashes (hex digests) to those
# of the file being looked up
CONFIG_FILE = "<path to dxlclient.config>"
FILE_MD5 = "<md5 hex digest of the file>"
FILE_SHA1 = "<sha1 hex digest of the file>"
FILE_SHA256 = "<sha256 hex digest of the file>"

# Create DXL configuration from file
config = DxlClientConfig.create_dxl_config_from_file(CONFIG_FILE)

# Create the client
with DxlClient(config) as client:

    # Connect to the fabric
    client.connect()

    # Create the McAfee Threat Intelligence Exchange (TIE) client
    tie_client = TieClient(client)

    # Get the list of systems that have referenced the file
    # (one dictionary per system, keyed by FirstRefProp constants)
    system_list = \
        tie_client.get_file_first_references({
            HashType.MD5: FILE_MD5,
            HashType.SHA1: FILE_SHA1,
            HashType.SHA256: FILE_SHA256
        })

    # DATE is an epoch value; convert it to a local time string for display
    print("\nSystems that have referenced the file:\n")
    for system in system_list:
        print("\t" + system[FirstRefProp.SYSTEM_GUID] + ": " +
              FirstRefProp.to_localtime_string(system[FirstRefProp.DATE]))

Once a connection is established to the DXL fabric, a TieClient instance is created which will be used to communicate with the TIE DXL services.

A call is made to the get_file_first_references() method of the TieClient instance, passing the hash values that identify the file.

The returned list of systems is iterated, displaying each system's GUID along with the first time that system referenced the file.
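The two pieces of the sample that a responder usually has to adapt are building the hash dictionary for a file under investigation and making sense of the returned first-reference list (for example, which system touched the file first). The following is an added example, not code from the original page or from the opendxl TIE client project; it runs without a DXL fabric, and the fallback string values for HashType and FirstRefProp are an assumption that mirrors the library's constants, used only when the dxltieclient package is not installed.

```python
import hashlib

# Fallback definitions so the example runs without dxltieclient installed.
# The string values are an assumption mirroring the library's constants.
try:
    from dxltieclient.constants import HashType, FirstRefProp
except ImportError:
    class HashType(object):
        MD5 = "md5"
        SHA1 = "sha1"
        SHA256 = "sha256"

    class FirstRefProp(object):
        SYSTEM_GUID = "agentGuid"
        DATE = "date"


def file_hashes(data):
    """Build the dictionary get_file_first_references() expects (hex digests
    keyed by HashType) from the raw bytes of the file being investigated."""
    return {
        HashType.MD5: hashlib.md5(data).hexdigest(),
        HashType.SHA1: hashlib.sha1(data).hexdigest(),
        HashType.SHA256: hashlib.sha256(data).hexdigest(),
    }


def order_first_references(system_list):
    """Sort the TIE response (one dict per system, DATE in epoch seconds)
    from the earliest first reference to the latest."""
    return sorted(system_list, key=lambda system: system[FirstRefProp.DATE])


def earliest_system(system_list):
    """Return (GUID, epoch) of the system that referenced the file first,
    which is where scoping of an incident normally starts; None if TIE
    reported no references at all."""
    if not system_list:
        return None
    first = order_first_references(system_list)[0]
    return first[FirstRefProp.SYSTEM_GUID], first[FirstRefProp.DATE]


# Constructed sample response in the same shape as a real TIE reply
SAMPLE_RESPONSE = [
    {FirstRefProp.SYSTEM_GUID: "{guid-b}", FirstRefProp.DATE: 1476291474},
    {FirstRefProp.SYSTEM_GUID: "{guid-a}", FirstRefProp.DATE: 1475848492},
]
```

Against a live fabric, replace SAMPLE_RESPONSE with the value returned by tie_client.get_file_first_references(file_hashes(data)).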

Output

The output should appear similar to the following:

Systems that have referenced the file:

    {3a6f574a-3e6f-436d-acd4-bcde336b054d}: 2016-10-07 13:54:52
    {d48d3d1a-915e-11e6-323a-000c2992f5d9}: 2016-10-12 16:57:54
    {68125cd6-a5d8-11e6-348e-000c29663178}: 2016-11-08 09:29:32
