This flow utilizes McAfee Active Response (MAR) to add sightings to MISP published events containing hash-based attributes.
[ | |
{ | |
"id": "3bcf37ef.a9d108", | |
"type": "tab", | |
"label": "Add Hash Sightings to MISP Event using MAR", | |
"disabled": false, | |
"info": "This flow utilizes McAfee Active Response (MAR) to add sightings to MISP \r\npublished events containing hash-based attributes.\r\n\r\nWhen a MISP event is published, the flow examines the event to determine if \r\nit contains hash-based attributes. If it does, a MAR search is performed \r\nto determine if any active endpoints contain the hashes. For each endpoint\r\ncontaining a hash, a sighting is added to the MISP event in addition to a \r\ncomment that includes the associated endpoint information.\r\n\r\n### Prerequisites\r\n\r\n* The Node-RED DXL client configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A McAfee Active Response (MAR) service is available on the DXL fabric.\r\n* The Node-RED DXL client is authorized to perform MAR searches\r\n (see [Authorize Client to Perform MAR Search](https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html)).\r\n* The [MISP DXL Service](https://github.com/opendxl/opendxl-misp-service-python) is running and connected to the DXL fabric.\r\n * The service is configured to connect to ZeroMQ (`zeroMqPort`) and the notification topic `misp_json` is being forwarded.\r\n * The service exposes the `sighting` API \r\n* The following Node-RED modules have been installed:\r\n * [Node-RED config node](https://flows.nodered.org/node/node-red-contrib-config) (included in OpenDXL Node-RED Docker image)\r\n * [DXL Node-RED nodes](https://flows.nodered.org/node/@opendxl/node-red-contrib-dxl) (included in OpenDXL Node-RED Docker image)\r\n * [McAfee Active Response (MAR) DXL nodes for Node-RED](https://flows.nodered.org/node/@opendxl/node-red-contrib-dxl-mar-client)\r\n \r\n" | |
}, | |
{ | |
"id": "3d363a67.a36dd6", | |
"type": "dxl-core-event in", | |
"z": "3bcf37ef.a9d108", | |
"name": "Receive MISP Event Publish Notifications", | |
"topic": "/opendxl-misp/event/zeromq-notifications/misp_json", | |
"client": "cc766472.7a4b28", | |
"payloadType": "obj", | |
"x": 180, | |
"y": 60, | |
"wires": [ | |
[ | |
"9e6420fb.a4d33", | |
"945c3d8c.86648" | |
] | |
] | |
}, | |
{ | |
"id": "5fb31223.b5578c", | |
"type": "debug", | |
"z": "3bcf37ef.a9d108", | |
"name": "Debug: Sighting Request", | |
"active": true, | |
"tosidebar": true, | |
"console": false, | |
"tostatus": false, | |
"complete": "payload", | |
"x": 770, | |
"y": 414, | |
"wires": [] | |
}, | |
{ | |
"id": "9e6420fb.a4d33", | |
"type": "function", | |
"z": "3bcf37ef.a9d108", | |
"name": "Extract Hash-based Attributes", | |
"func": "var output = []\n\nif(msg.payload && \n msg.payload.Event &&\n msg.payload.Event.Attribute) {\n var attribs = msg.payload.Event.Attribute\n attribs.forEach(function(entry) {\n if(entry.type == \"md5\" ||\n entry.type == \"sha1\" ||\n entry.type == \"sha256\") {\n output.push({\n \"uuid\": entry.uuid,\n \"type\": entry.type,\n \"value\": entry.value\n });\n }\n });\n}\nmsg.payload = output;\nreturn msg;", | |
"outputs": 1, | |
"noerr": 0, | |
"x": 210, | |
"y": 140, | |
"wires": [ | |
[ | |
"28fb53c3.5229cc" | |
] | |
] | |
}, | |
{ | |
"id": "8e254ff0.db295", | |
"type": "function", | |
"z": "3bcf37ef.a9d108", | |
"name": "Extract Found Host IP Addresses", | |
"func": "msg.payload = \n msg.payload.map(function (processEntry) {\n return processEntry.output[\"HostInfo|ip_address\"]\n })\nreturn msg", | |
"outputs": 1, | |
"noerr": 0, | |
"x": 360, | |
"y": 294, | |
"wires": [ | |
[ | |
"cbbd0543.94c9e8" | |
] | |
] | |
}, | |
{ | |
"id": "cbbd0543.94c9e8", | |
"type": "split", | |
"z": "3bcf37ef.a9d108", | |
"name": "Execute for each IP address", | |
"splt": "\\n", | |
"spltType": "str", | |
"arraySplt": 1, | |
"arraySpltType": "len", | |
"stream": false, | |
"addname": "", | |
"x": 420, | |
"y": 354, | |
"wires": [ | |
[ | |
"2166f5bc.f4597a" | |
] | |
] | |
}, | |
{ | |
"id": "51a75203.b4424c", | |
"type": "function", | |
"z": "3bcf37ef.a9d108", | |
"name": "Compose MAR Search Condition", | |
"func": "msg.mispHash = msg.payload;\nmsg.conditions = {\n \"or\": [{\n \"and\": [{\n \"name\": \"Files\",\n \"output\": msg.mispHash.type,\n \"op\": \"EQUALS\",\n \"value\": msg.mispHash.value\n }]\n }]\n};\n\nreturn msg;\n", | |
"outputs": 1, | |
"noerr": 0, | |
"x": 620, | |
"y": 200, | |
"wires": [ | |
[ | |
"354b7393.e9e4ac" | |
] | |
] | |
}, | |
{ | |
"id": "d95da896.6b2648", | |
"type": "dxl-core-request", | |
"z": "3bcf37ef.a9d108", | |
"name": "Add Sighting to MISP Event", | |
"topic": "/opendxl-misp/service/misp-api/sighting", | |
"client": "cc766472.7a4b28", | |
"returnType": "txt", | |
"x": 780, | |
"y": 474, | |
"wires": [ | |
[ | |
"7fd94d76.8ea7d4" | |
] | |
] | |
}, | |
{ | |
"id": "2166f5bc.f4597a", | |
"type": "template", | |
"z": "3bcf37ef.a9d108", | |
"name": "Format Add Sighting Request", | |
"field": "payload", | |
"fieldType": "msg", | |
"format": "handlebars", | |
"syntax": "mustache", | |
"template": "{\n \"uuid\": \"{{mispHash.uuid}}\",\n \"type\": \"0\",\n \"source\": \"Observed on system {{payload}}\"\n}", | |
"output": "json", | |
"x": 470, | |
"y": 474, | |
"wires": [ | |
[ | |
"d95da896.6b2648", | |
"5fb31223.b5578c" | |
] | |
] | |
}, | |
{ | |
"id": "28fb53c3.5229cc", | |
"type": "split", | |
"z": "3bcf37ef.a9d108", | |
"name": "Execute MAR Search for each Hash", | |
"splt": "\\n", | |
"spltType": "str", | |
"arraySplt": 1, | |
"arraySpltType": "len", | |
"stream": false, | |
"addname": "", | |
"x": 290, | |
"y": 200, | |
"wires": [ | |
[ | |
"51a75203.b4424c" | |
] | |
] | |
}, | |
{ | |
"id": "7fd94d76.8ea7d4", | |
"type": "debug", | |
"z": "3bcf37ef.a9d108", | |
"name": "Debug: Response", | |
"active": true, | |
"tosidebar": true, | |
"console": false, | |
"tostatus": false, | |
"complete": "payload", | |
"x": 1030, | |
"y": 474, | |
"wires": [] | |
}, | |
{ | |
"id": "945c3d8c.86648", | |
"type": "debug", | |
"z": "3bcf37ef.a9d108", | |
"name": "Debug: Received Event", | |
"active": true, | |
"tosidebar": true, | |
"console": false, | |
"tostatus": false, | |
"complete": "payload", | |
"x": 570, | |
"y": 60, | |
"wires": [] | |
}, | |
{ | |
"id": "354b7393.e9e4ac", | |
"type": "dxl-mar-search", | |
"z": "3bcf37ef.a9d108", | |
"name": "", | |
"pollInterval": 5, | |
"client": "cc766472.7a4b28", | |
"projections": "[\n {\n \"name\": \"HostInfo\", \n \"outputs\": [\"ip_address\"]\n }\n]", | |
"limit": "", | |
"textFilter": "", | |
"sortBy": "", | |
"sortDirection": "", | |
"returnType": "obj", | |
"x": 870, | |
"y": 200, | |
"wires": [ | |
[ | |
"8e254ff0.db295" | |
] | |
] | |
} | |
] |