This Node-RED flow invokes and displays the results of a `DxlBrokerMgmt.createEpoThreatEvent` remote command via the ePO DXL service.
[
{
"id": "a1d1dbd.b4d6328",
"type": "tab",
"label": "ePO Create Threat Event Example",
"disabled": false,
"info": "This sample invokes and displays the results of a\n`DxlBrokerMgmt.createEpoThreatEvent` remote command via the ePO DXL service.\nThe results of the event creation command are displayed on the Node-RED `debug`\ntab.\n\n### Prerequisites\n\n* The samples configuration step has been completed (see\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\n* An ePO DXL service is running and available on the DXL fabric. If version 5.0\n or later of the DXL ePO extensions are installed on your ePO server, an ePO\n DXL service should already be running on the fabric. If you are using an\n earlier version of the DXL ePO extensions, you can use the\n [ePO DXL Python Service](https://github.com/opendxl/opendxl-epo-service-python).\n* The DXL client associated with the `Create threat event in ePO` node is\n authorized to invoke the ePO DXL service, and the user that is connecting to\n the ePO server (within the ePO DXL service) has permission to execute the\n `DxlBrokerMgmt.createEpoThreatEvent` remote command (see\n [Client Authorization](https://opendxl.github.io/opendxl-epo-client-python/pydoc/authorization.html)).\n\n### Setup\n\n* If more than one ePO service is available on the DXL fabric that the DXL\n client is connecting to, edit the `Create threat event in ePO` node and set the\n `ePO Id` property to that of the ePO service through which the remote command\n should be performed. By default, the `ePO Id` property is empty, in which case\n the client attempts to dynamically determine the id of the ePO service to\n communicate with.\n* Edit the `Set threat event parameters` node and modify the `msg.ipv4Address`\n and `msg.agentGuid` properties with the value of an IPv4 address and McAfee\n agent GUID for the threat event to be created. Note that the value for the\n `msg.agentGuid` property must be that of a valid McAfee agent previously seen\n by the ePO server in order for the event to be created properly.\n* Modify the content in the `Format full ePO threat event` template node with\n appropriate information for the type of event to be created.\n* To deploy the flow, press the `Deploy` button in the upper-right corner of the\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\n with the word `connected` should appear under the `Create threat event in ePO`\n node.\n\n### Running\n\nTo exercise the flow, double-click the button on the left side of the\n`Inject current timestamp` node.\n\n### Output\n\nAn entry similar to the following should appear in the `debug` tab for the\n`Output event` node:\n\n```\n? { eventMsgType: \"McAfee Common Event\", eventMsgVersion: \"1.0\", event: object }\n```\n\nAfter clicking on the right arrow button to expand the contents of the object,\noutput similar to the following should appear:\n\n```\n? object\n eventMsgType: \"McAfee Common Event\"\n eventMsgVersion: \"1.0\"\n ? event: object\n category: \"This is the event category\"\n ...\n ? source: object\n ipv4: \"10.0.0.254\"\n...\n```\n\nOn successful creation of an event, a message similar to the following should\nappear in the `debug` tab for the `Output result` node:\n\n```\n\"Successfully created new ePO Threat Event for AgentGuid:'12345678-9012-3456-7890-12345678ABCD'\"\n```\n\n### Details\n\nThe flow exercises the nodes below.\n\n#### Inject current timestamp\n\nThis is an `inject` input node which starts the flow. This node injects a new\nmessage with a `payload` property which specifies the current system timestamp\n(as a numeric value representing milliseconds since January 1, 1970).\n\n#### Set threat event parameters\n\nThis is a `change` node which sets values for the `ipv4Address` and `agentGuid`\nproperties on the message. The `Format full ePO threat event` template node\nuses these values when formatting the content of the full threat event payload.\n\n#### Get current date as ISO string\n\nThis is a `function` node which uses the value from the timestamp `payload`\ninjected by the `Inject current timestamp` node to set a `currentDate` message\nproperty with the timestamp value formatted as an ISO string. The\n`Format full ePO threat event` template node uses this value when formatting the\ncontent of the full threat event payload.\n\n#### Format full ePO threat event\n\nThis is a `template` node which constructs the full threat event payload to\nsend to the ePO server. The node produces a payload which conforms to the\n\"McAfee Common Event\" format. The payload is stored as a JavaScript object to\nthe `event` property on the message.\n\n#### Output event\n\nThis is a `debug` output node. This node outputs the contents of the `event`\nproperty set on the message by the `Format full ePO threat event` node.\n\n#### Create threat event in ePO\n\nThis is an `epo threat event create` node. This node connects to the DXL fabric\nand sends a DXL `Request` message to the ePO service. The message specifies the\ntarget remote command as `DxlBrokerMgmt.createEpoThreatEvent`.\n\nThe request message also includes the `msg.event` property set by the\n`Format full ePO threat event` node.\n \nThe `Return` property is set to \"a parsed JSON object\" and the `Format` property\nis set to \"JSON\" to indicate that the payload for the response should be\nadded to the output message as a JavaScript object decoded from JSON.\n\n#### Output result\n\nThis is a `debug` output node. This node outputs the `payload` set on\nthe message by the `Create threat event in ePO` node. The output should include\nthe response received from the DXL fabric for the\n`DxlBrokerMgmt.createEpoThreatEvent` command."
},
{
"id": "23fb9acf.4763a6",
"type": "template",
"z": "a1d1dbd.b4d6328",
"name": "Format full ePO threat event",
"field": "event",
"fieldType": "msg",
"format": "handlebars",
"syntax": "mustache",
"template": "{\n \"eventMsgType\": \"McAfee Common Event\",\n \"eventMsgVersion\": \"1.0\",\n \"event\": {\n \"category\": \"This is the event category\",\n \"eventDesc\": \"This is the event description\",\n \"threatActionTaken\": \"blocked\",\n \"threatHandled\": 1,\n \"threatName\": \"This is the threat name\",\n \"threatSeverity\": 1,\n \"threatType\": \"This is the threat type\",\n \"analyzer\": {\n \"detectionMethod\": \"This is the detection method\",\n \"detectedUTC\": \"{{currentDate}}\",\n \"id\": \"MY_ANALYZER_0123\",\n \"name\": \"My Analyzer\",\n \"version\": \"1.2.3\"\n },\n \"entity\": { \n \"id\": \"{{agentGuid}}\" \n },\n \"source\": {\n \"ipv4\": \"{{ipv4Address}}\",\n \"mac\": \"\"\n },\n \"target\": {\n\t \"ipv4\": \"{{ipv4Address}}\",\n\t \"mac\": \"\",\n\t \"port\": 0\n\t}\n }\n}",
"output": "json",
"x": 200,
"y": 300,
"wires": [
[
"efa60b16.e2a988",
"6c3dd002.9d8a9"
]
]
},
{
"id": "bb9f7043.5406f",
"type": "inject",
"z": "a1d1dbd.b4d6328",
"name": "Inject current timestamp",
"topic": "",
"payload": "",
"payloadType": "date",
"repeat": "",
"crontab": "",
"once": false,
"onceDelay": 0.1,
"x": 140,
"y": 40,
"wires": [
[
"f75fccdd.1b9"
]
]
},
{
"id": "923d51f6.723f2",
"type": "comment",
"z": "a1d1dbd.b4d6328",
"name": "Set the IP address and agent GUID for the event",
"info": "",
"x": 560,
"y": 120,
"wires": []
},
{
"id": "efa60b16.e2a988",
"type": "dxl-epo-threat-event-create",
"z": "a1d1dbd.b4d6328",
"name": "",
"client": "24599b64.76f314",
"searchNameOnly": "",
"epoUniqueId": "",
"returnType": "obj",
"x": 200,
"y": 400,
"wires": [
[
"79ea3d97.2b4104"
]
]
},
{
"id": "79ea3d97.2b4104",
"type": "debug",
"z": "a1d1dbd.b4d6328",
"name": "Debug: Output result",
"active": true,
"tosidebar": true,
"console": false,
"tostatus": false,
"complete": "payload",
"x": 520,
"y": 400,
"wires": []
},
{
"id": "f75fccdd.1b9",
"type": "change",
"z": "a1d1dbd.b4d6328",
"name": "Set threat event parameters",
"rules": [
{
"t": "set",
"p": "ipv4Address",
"pt": "msg",
"to": "10.0.0.254",
"tot": "str"
},
{
"t": "set",
"p": "agentGuid",
"pt": "msg",
"to": "12345678-9012-3456-7890-12345678ABCD",
"tot": "str"
}
],
"action": "",
"property": "",
"from": "",
"to": "",
"reg": false,
"x": 200,
"y": 120,
"wires": [
[
"d0c6a116.28a89"
]
]
},
{
"id": "d0c6a116.28a89",
"type": "function",
"z": "a1d1dbd.b4d6328",
"name": "Get current date as ISO string",
"func": "msg.currentDate = new Date(msg.payload).toISOString()\nreturn msg",
"outputs": 1,
"noerr": 0,
"x": 210,
"y": 200,
"wires": [
[
"23fb9acf.4763a6"
]
]
},
{
"id": "41f9ada8.9dbb34",
"type": "comment",
"z": "a1d1dbd.b4d6328",
"name": "Fill in event details (e.g., data for a host intrusion detection)",
"info": "",
"x": 590,
"y": 300,
"wires": []
},
{
"id": "6c3dd002.9d8a9",
"type": "debug",
"z": "a1d1dbd.b4d6328",
"name": "Debug: Output event",
"active": true,
"tosidebar": true,
"console": false,
"tostatus": false,
"complete": "event",
"x": 520,
"y": 240,
"wires": []
}
]