This flow utilizes McAfee Active Response (MAR) to add sightings to MISP published events containing hash-based attributes.
[
{
"id": "3bcf37ef.a9d108",
"type": "tab",
"label": "Add Hash Sightings to MISP Event using MAR",
"disabled": false,
"info": "This flow utilizes McAfee Active Response (MAR) to add sightings to MISP \r\npublished events containing hash-based attributes.\r\n\r\nWhen a MISP event is published, the flow examines the event to determine if \r\nit contains hash-based attributes. If it does, a MAR search is performed \r\nto determine if any active endpoints contain the hashes. For each endpoint\r\ncontaining a hash, a sighting is added to the MISP event in addition to a \r\ncomment that includes the associated endpoint information.\r\n\r\n### Prerequisites\r\n\r\n* The Node-RED DXL client configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A McAfee Active Response (MAR) service is available on the DXL fabric.\r\n* The Node-RED DXL client is authorized to perform MAR searches\r\n (see [Authorize Client to Perform MAR Search](https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html)).\r\n* The [MISP DXL Service](https://github.com/opendxl/opendxl-misp-service-python) is running and connected to the DXL fabric.\r\n * The service is configured to connect to ZeroMQ (`zeroMqPort`) and the notification topic `misp_json` is being forwarded.\r\n * The service exposes the `sighting` API \r\n* The following Node-RED modules have been installed:\r\n * [Node-RED config node](https://flows.nodered.org/node/node-red-contrib-config) (included in OpenDXL Node-RED Docker image)\r\n * [DXL Node-RED nodes](https://flows.nodered.org/node/@opendxl/node-red-contrib-dxl) (included in OpenDXL Node-RED Docker image)\r\n * [McAfee Active Response (MAR) DXL nodes for Node-RED](https://flows.nodered.org/node/@opendxl/node-red-contrib-dxl-mar-client)\r\n \r\n"
},
{
"id": "3d363a67.a36dd6",
"type": "dxl-core-event in",
"z": "3bcf37ef.a9d108",
"name": "Receive MISP Event Publish Notifications",
"topic": "/opendxl-misp/event/zeromq-notifications/misp_json",
"client": "cc766472.7a4b28",
"payloadType": "obj",
"x": 180,
"y": 60,
"wires": [
[
"9e6420fb.a4d33",
"945c3d8c.86648"
]
]
},
{
"id": "5fb31223.b5578c",
"type": "debug",
"z": "3bcf37ef.a9d108",
"name": "Debug: Sighting Request",
"active": true,
"tosidebar": true,
"console": false,
"tostatus": false,
"complete": "payload",
"x": 770,
"y": 414,
"wires": []
},
{
"id": "9e6420fb.a4d33",
"type": "function",
"z": "3bcf37ef.a9d108",
"name": "Extract Hash-based Attributes",
"func": "var output = []\n\nif(msg.payload && \n msg.payload.Event &&\n msg.payload.Event.Attribute) {\n var attribs = msg.payload.Event.Attribute\n attribs.forEach(function(entry) {\n if(entry.type == \"md5\" ||\n entry.type == \"sha1\" ||\n entry.type == \"sha256\") {\n output.push({\n \"uuid\": entry.uuid,\n \"type\": entry.type,\n \"value\": entry.value\n });\n }\n });\n}\nmsg.payload = output;\nreturn msg;",
"outputs": 1,
"noerr": 0,
"x": 210,
"y": 140,
"wires": [
[
"28fb53c3.5229cc"
]
]
},
{
"id": "8e254ff0.db295",
"type": "function",
"z": "3bcf37ef.a9d108",
"name": "Extract Found Host IP Addresses",
"func": "msg.payload = \n msg.payload.map(function (processEntry) {\n return processEntry.output[\"HostInfo|ip_address\"]\n })\nreturn msg",
"outputs": 1,
"noerr": 0,
"x": 360,
"y": 294,
"wires": [
[
"cbbd0543.94c9e8"
]
]
},
{
"id": "cbbd0543.94c9e8",
"type": "split",
"z": "3bcf37ef.a9d108",
"name": "Execute for each IP address",
"splt": "\\n",
"spltType": "str",
"arraySplt": 1,
"arraySpltType": "len",
"stream": false,
"addname": "",
"x": 420,
"y": 354,
"wires": [
[
"2166f5bc.f4597a"
]
]
},
{
"id": "51a75203.b4424c",
"type": "function",
"z": "3bcf37ef.a9d108",
"name": "Compose MAR Search Condition",
"func": "msg.mispHash = msg.payload;\nmsg.conditions = {\n \"or\": [{\n \"and\": [{\n \"name\": \"Files\",\n \"output\": msg.mispHash.type,\n \"op\": \"EQUALS\",\n \"value\": msg.mispHash.value\n }]\n }]\n};\n\nreturn msg;\n",
"outputs": 1,
"noerr": 0,
"x": 620,
"y": 200,
"wires": [
[
"354b7393.e9e4ac"
]
]
},
{
"id": "d95da896.6b2648",
"type": "dxl-core-request",
"z": "3bcf37ef.a9d108",
"name": "Add Sighting to MISP Event",
"topic": "/opendxl-misp/service/misp-api/sighting",
"client": "cc766472.7a4b28",
"returnType": "txt",
"x": 780,
"y": 474,
"wires": [
[
"7fd94d76.8ea7d4"
]
]
},
{
"id": "2166f5bc.f4597a",
"type": "template",
"z": "3bcf37ef.a9d108",
"name": "Format Add Sighting Request",
"field": "payload",
"fieldType": "msg",
"format": "handlebars",
"syntax": "mustache",
"template": "{\n \"uuid\": \"{{mispHash.uuid}}\",\n \"type\": \"0\",\n \"source\": \"Observed on system {{payload}}\"\n}",
"output": "json",
"x": 470,
"y": 474,
"wires": [
[
"d95da896.6b2648",
"5fb31223.b5578c"
]
]
},
{
"id": "28fb53c3.5229cc",
"type": "split",
"z": "3bcf37ef.a9d108",
"name": "Execute MAR Search for each Hash",
"splt": "\\n",
"spltType": "str",
"arraySplt": 1,
"arraySpltType": "len",
"stream": false,
"addname": "",
"x": 290,
"y": 200,
"wires": [
[
"51a75203.b4424c"
]
]
},
{
"id": "7fd94d76.8ea7d4",
"type": "debug",
"z": "3bcf37ef.a9d108",
"name": "Debug: Response",
"active": true,
"tosidebar": true,
"console": false,
"tostatus": false,
"complete": "payload",
"x": 1030,
"y": 474,
"wires": []
},
{
"id": "945c3d8c.86648",
"type": "debug",
"z": "3bcf37ef.a9d108",
"name": "Debug: Received Event",
"active": true,
"tosidebar": true,
"console": false,
"tostatus": false,
"complete": "payload",
"x": 570,
"y": 60,
"wires": []
},
{
"id": "354b7393.e9e4ac",
"type": "dxl-mar-search",
"z": "3bcf37ef.a9d108",
"name": "",
"pollInterval": 5,
"client": "cc766472.7a4b28",
"projections": "[\n {\n \"name\": \"HostInfo\", \n \"outputs\": [\"ip_address\"]\n }\n]",
"limit": "",
"textFilter": "",
"sortBy": "",
"sortDirection": "",
"returnType": "obj",
"x": 870,
"y": 200,
"wires": [
[
"8e254ff0.db295"
]
]
}
]