Skip to content

Instantly share code, notes, and snippets.

@scottbrumley

scottbrumley/fireeye-tie-nodered.json

Created November 5, 2018 15:30
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save scottbrumley/5a3bc86436b187d667ef652ea1f80902 to your computer and use it in GitHub Desktop.
Save scottbrumley/5a3bc86436b187d667ef652ea1f80902 to your computer and use it in GitHub Desktop.
Download ZIP
FireEye to McAfee TIE file reputation flow for Node Red
Raw
fireeye-tie-nodered.json
[
{
"id": "23e49c5a.b408a4",
"type": "tab",
"label": "FireEye To McAfee TIE",
"disabled": false,
"info": ""
},
{
"id": "17ee602d.c4b03",
"type": "dxl-core-event out",
"z": "23e49c5a.b408a4",
"name": "",
"topic": "/vendor/fireeye",
"client": "",
"x": 836.6666259765625,
"y": 187.77777099609375,
"wires": []
},
{
"id": "2d49fb9f.cf32a4",
"type": "dxl-tie-set-file-reputation",
"z": "23e49c5a.b408a4",
"name": "",
"client": "",
"trustLevel": "",
"comment": "",
"x": 850,
"y": 600,
"wires": [
[]
]
},
{
"id": "1c202325.27cea5",
"type": "inject",
"z": "23e49c5a.b408a4",
"name": "FIreEye Major",
"topic": "",
"payload": "{ \"product\": \"MAS\", \"appliance-id\": \"00:00:00:00:00:00\", \"appliance\": \"fireeye-000000\", \"alert\": { \"src\": { \"url\": \"/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe\" }, \"severity\": \"majr\", \"alert-url\": \"https://fireeye-000000/malware_analysis/analyses?maid=146658\", \"explanation\": { \"malware-detected\": { \"malware\": { \"malicious\": \"yes\", \"executed-at\": \"2017-05-09T14:30:25Z\", \"md5sum\": \"41281428cd6f503f948e931d546e340c\", \"type\": \"exe\", \"name\": \"Trojan.LuminosityLink\" } } }, \"occurred\": \"2017-05-09T14:30:25Z\", \"action\": \"notified\", \"id\": \"146658\", \"name\": \"malware-object\" }, \"version\": \"7.7.5.577562\", \"msg\": \"concise\" }",
"payloadType": "json",
"repeat": "",
"crontab": "",
"once": false,
"onceDelay": 0.1,
"x": 110,
"y": 100,
"wires": [
[
"7238e123.6bd77"
]
]
},
{
"id": "20683e34.f5e812",
"type": "http in",
"z": "23e49c5a.b408a4",
"name": "",
"url": "/fireeye",
"method": "post",
"upload": true,
"swaggerDoc": "",
"x": 88,
"y": 229,
"wires": [
[
"8fb9d3c9.5ca068"
]
]
},
{
"id": "7238e123.6bd77",
"type": "json",
"z": "23e49c5a.b408a4",
"name": "",
"property": "payload",
"action": "obj",
"pretty": false,
"x": 310,
"y": 60,
"wires": [
[
"fb439e70.d0ff8"
]
]
},
{
"id": "5487eba4.8e2994",
"type": "dxl-core-event in",
"z": "23e49c5a.b408a4",
"name": "",
"topic": "/vendor/fireeye",
"client": "",
"payloadType": "txt",
"x": 120,
"y": 360,
"wires": [
[
"7aef7ffb.a89c2"
]
]
},
{
"id": "58127655.09b83",
"type": "change",
"z": "23e49c5a.b408a4",
"name": "Unknown",
"rules": [
{
"t": "set",
"p": "payload.mcafee-rep",
"pt": "msg",
"to": "$replace(\t payload.alert.severity,\t \"unkn\",\t \"50\"\t)\t\t",
"tot": "jsonata"
}
],
"action": "",
"property": "",
"from": "",
"to": "",
"reg": false,
"x": 540,
"y": 160,
"wires": [
[
"3151a163.33b536",
"17ee602d.c4b03",
"7a874649.67c058"
]
]
},
{
"id": "3151a163.33b536",
"type": "debug",
"z": "23e49c5a.b408a4",
"name": "",
"active": true,
"tosidebar": true,
"console": false,
"tostatus": false,
"complete": "false",
"x": 830,
"y": 140,
"wires": []
},
{
"id": "acc35bcd.747c5",
"type": "inject",
"z": "23e49c5a.b408a4",
"name": "FireEye Unknown",
"topic": "",
"payload": "{ \"product\": \"MAS\", \"appliance-id\": \"00:00:00:00:00:00\", \"appliance\": \"fireeye-000000\", \"alert\": { \"src\": { \"url\": \"/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe\" }, \"severity\": \"unkn\", \"alert-url\": \"https://fireeye-000000/malware_analysis/analyses?maid=146658\", \"explanation\": { \"malware-detected\": { \"malware\": { \"malicious\": \"yes\", \"executed-at\": \"2017-05-09T14:30:25Z\", \"md5sum\": \"41281428cd6f503f948e931d546e340c\", \"type\": \"exe\", \"name\": \"Trojan.LuminosityLink\" } } }, \"occurred\": \"2017-05-09T14:30:25Z\", \"action\": \"notified\", \"id\": \"146658\", \"name\": \"malware-object\" }, \"version\": \"7.7.5.577562\", \"msg\": \"concise\" }",
"payloadType": "json",
"repeat": "",
"crontab": "",
"once": false,
"onceDelay": 0.1,
"x": 120,
"y": 60,
"wires": [
[
"7238e123.6bd77"
]
]
},
{
"id": "30da705d.e77138",
"type": "inject",
"z": "23e49c5a.b408a4",
"name": "FireEye Minor",
"topic": "",
"payload": "{\"product\":\"MAS\",\"appliance-id\":\"00:00:00:00:00:00\",\"appliance\":\"fireeye-000000\",\"alert\":{\"src\":{\"url\":\"/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe\"},\"severity\":\"minr\",\"alert-url\":\"https://fireeye-000000/malware_analysis/analyses?maid=146658\",\"explanation\":{\"malware-detected\":{\"malware\":{\"malicious\":\"yes\",\"executed-at\":\"2017-05-09T14:30:25Z\",\"md5sum\":\"41281428cd6f503f948e931d546e340c\",\"type\":\"exe\",\"name\":\"Trojan.LuminosityLink\"}}},\"occurred\":\"2017-05-09T14:30:25Z\",\"action\":\"notified\",\"id\":\"146658\",\"name\":\"malware-object\"},\"version\":\"7.7.5.577562\",\"msg\":\"concise\"}",
"payloadType": "json",
"repeat": "",
"crontab": "",
"once": false,
"onceDelay": 0.1,
"x": 110,
"y": 140,
"wires": [
[
"7238e123.6bd77"
]
]
},
{
"id": "7db19e12.3236f8",
"type": "inject",
"z": "23e49c5a.b408a4",
"name": "Critical",
"topic": "",
"payload": "{\"product\":\"MAS\",\"appliance-id\":\"00:00:00:00:00:00\",\"appliance\":\"fireeye-000000\",\"alert\":{\"src\":{\"url\":\"/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe\"},\"severity\":\"crit\",\"alert-url\":\"https://fireeye-000000/malware_analysis/analyses?maid=146658\",\"explanation\":{\"malware-detected\":{\"malware\":{\"malicious\":\"yes\",\"executed-at\":\"2017-05-09T14:30:25Z\",\"md5sum\":\"41281428cd6f503f948e931d546e340c\",\"type\":\"exe\",\"name\":\"Trojan.LuminosityLink\"}}},\"occurred\":\"2017-05-09T14:30:25Z\",\"action\":\"notified\",\"id\":\"146658\",\"name\":\"malware-object\"},\"version\":\"7.7.5.577562\",\"msg\":\"concise\"}",
"payloadType": "json",
"repeat": "",
"crontab": "",
"once": false,
"onceDelay": 0.1,
"x": 90,
"y": 180,
"wires": [
[
"7238e123.6bd77"
]
]
},
{
"id": "fb439e70.d0ff8",
"type": "switch",
"z": "23e49c5a.b408a4",
"name": "FireEyeSeverity",
"property": "payload.alert.severity",
"propertyType": "msg",
"rules": [
{
"t": "eq",
"v": "unkn",
"vt": "str"
},
{
"t": "eq",
"v": "minr",
"vt": "str"
},
{
"t": "eq",
"v": "majr",
"vt": "str"
},
{
"t": "eq",
"v": "crit",
"vt": "str"
}
],
"checkall": "true",
"repair": false,
"outputs": 4,
"x": 510,
"y": 50,
"wires": [
[
"58127655.09b83"
],
[
"89c2b8e9.5670d"
],
[
"6ca092c8.6ce994"
],
[
"bb303907.1d5fe8"
]
]
},
{
"id": "89c2b8e9.5670d",
"type": "change",
"z": "23e49c5a.b408a4",
"name": "might_be_malicious",
"rules": [
{
"t": "set",
"p": "payload.mcafee-rep",
"pt": "msg",
"to": "$replace(\t payload.alert.severity,\t \"minr\",\t \"30\"\t)\t\t",
"tot": "jsonata"
}
],
"action": "",
"property": "",
"from": "",
"to": "",
"reg": false,
"x": 580,
"y": 200,
"wires": [
[
"17ee602d.c4b03",
"3151a163.33b536",
"7a874649.67c058"
]
]
},
{
"id": "6ca092c8.6ce994",
"type": "change",
"z": "23e49c5a.b408a4",
"name": "known_malicious",
"rules": [
{
"t": "set",
"p": "payload.mcafee-rep",
"pt": "msg",
"to": "$replace(\t payload.alert.severity,\t \"majr\",\t \"1\"\t)\t\t",
"tot": "jsonata"
}
],
"action": "",
"property": "",
"from": "",
"to": "",
"reg": false,
"x": 570,
"y": 240,
"wires": [
[
"17ee602d.c4b03",
"3151a163.33b536",
"7a874649.67c058"
]
]
},
{
"id": "bb303907.1d5fe8",
"type": "change",
"z": "23e49c5a.b408a4",
"name": "known_malicious",
"rules": [
{
"t": "set",
"p": "payload.mcafee-rep",
"pt": "msg",
"to": "$replace(\t payload.alert.severity,\t \"crit\",\t \"1\"\t)\t\t",
"tot": "jsonata"
}
],
"action": "",
"property": "",
"from": "",
"to": "",
"reg": false,
"x": 570,
"y": 280,
"wires": [
[
"17ee602d.c4b03",
"3151a163.33b536",
"7a874649.67c058"
]
]
},
{
"id": "7aef7ffb.a89c2",
"type": "json",
"z": "23e49c5a.b408a4",
"name": "",
"property": "payload",
"action": "obj",
"pretty": false,
"x": 290,
"y": 360,
"wires": [
[
"d43f71b7.7f5108"
]
]
},
{
"id": "408fed1d.0edf7c",
"type": "change",
"z": "23e49c5a.b408a4",
"name": "FileName",
"rules": [
{
"t": "set",
"p": "fileName",
"pt": "msg",
"to": "$lookup(msg.payload.alert.explanation, \"malware-detected\").malware.name",
"tot": "jsonata"
}
],
"action": "",
"property": "",
"from": "",
"to": "",
"reg": false,
"x": 740,
"y": 360,
"wires": [
[
"cc100dd2.9f3a4"
]
]
},
{
"id": "cc100dd2.9f3a4",
"type": "change",
"z": "23e49c5a.b408a4",
"name": "Comment",
"rules": [
{
"t": "set",
"p": "comment",
"pt": "msg",
"to": "Reputation set via OpenDXL",
"tot": "str"
}
],
"action": "",
"property": "",
"from": "",
"to": "",
"reg": false,
"x": 640,
"y": 440,
"wires": [
[
"de4190c3.1cee48",
"2d49fb9f.cf32a4"
]
]
},
{
"id": "de4190c3.1cee48",
"type": "debug",
"z": "23e49c5a.b408a4",
"name": "",
"active": false,
"tosidebar": true,
"console": false,
"tostatus": false,
"complete": "true",
"x": 810,
"y": 540,
"wires": []
},
{
"id": "1e78a28d.a27135",
"type": "change",
"z": "23e49c5a.b408a4",
"name": "TrustLevel",
"rules": [
{
"t": "set",
"p": "trustLevel",
"pt": "msg",
"to": "payload.mcafee-rep",
"tot": "msg"
}
],
"action": "",
"property": "",
"from": "",
"to": "",
"reg": false,
"x": 590,
"y": 360,
"wires": [
[
"408fed1d.0edf7c"
]
]
},
{
"id": "d43f71b7.7f5108",
"type": "change",
"z": "23e49c5a.b408a4",
"name": "MD5 Hash",
"rules": [
{
"t": "set",
"p": "hashes",
"pt": "msg",
"to": "{\"md5\":$lookup(msg.payload.alert.explanation, \"malware-detected\").malware.md5sum}",
"tot": "jsonata"
}
],
"action": "",
"property": "",
"from": "",
"to": "",
"reg": false,
"x": 430,
"y": 360,
"wires": [
[
"1e78a28d.a27135"
]
]
},
{
"id": "bf0ef69e.ca4ff8",
"type": "debug",
"z": "23e49c5a.b408a4",
"name": "",
"active": false,
"tosidebar": true,
"console": false,
"tostatus": false,
"complete": "payload",
"x": 358.5,
"y": 317,
"wires": []
},
{
"id": "8fb9d3c9.5ca068",
"type": "node-red-contrib-httpauth",
"z": "23e49c5a.b408a4",
"name": "FireEye Authentication",
"file": "",
"cred": "",
"authType": "Basic",
"realm": "",
"username": "fireeye",
"password": "fireeye",
"hashed": false,
"x": 133.5,
"y": 278,
"wires": [
[
"bf0ef69e.ca4ff8",
"7238e123.6bd77"
]
]
},
{
"id": "7a874649.67c058",
"type": "template",
"z": "23e49c5a.b408a4",
"name": "",
"field": "payload",
"fieldType": "msg",
"format": "handlebars",
"syntax": "mustache",
"template": "<html> \n <head>\n </head>\n <body>\n <h1>FireEye To McAfee TIE File Reputation Set!</h1>\n Filename: {{ payload.alert.explanation.malware-detected.malware.name }}<br>\n MD5: {{ payload.alert.explanation.malware-detected.malware.md5sum }}<br>\n FireEye Severity: {{ payload.alert.severity }}\n McAfee Reputation Score: {{ payload.mcafee-rep }}\n </body>\n</html> ",
"output": "str",
"x": 819.4444580078125,
"y": 246.66665649414062,
"wires": [
[
"e02d1a12.1530b"
]
]
},
{
"id": "e02d1a12.1530b",
"type": "http response",
"z": "23e49c5a.b408a4",
"name": "",
"statusCode": "",
"headers": {},
"x": 870.5555555555555,
"y": 302.22222222222223,
"wires": []
}
]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment