OpenDXL
Security Intelligence Sharing
Node-RED Flow: Search for IP Addresses of MAR Clients via DXL 1.0.0
- mcafee
- 626 Downloads
- 0 Comments
Prerequisites
- The OpenDXL and McAfee Active Response (MAR) DXL modules have been added to the Node-RED palette.
- A DXL client has been configured in Node-RED (see Client Configuration).
- A MAR DXL service is running and available on the DXL fabric.
- The Node-RED DXL client is authorized to perform MAR search (see Authorize Client to Perform MAR Search).
Here is the Node-RED flow content for this solution:
Code
- [
- {
- "id": "4d70f507.87bd5c",
- "type": "tab",
- "label": "MAR Basic Search Example",
- "disabled": false,
- "info": "This sample executes a `McAfee Active Response` search for the IP addresses of\r\nhosts that have an Active Response client installed. The IP addresses found are\r\ndisplayed on the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A McAfee Active Response (MAR) service is available on the DXL fabric.\r\n* The DXL client associated with the\r\n`Search MAR for hosts` node has been authorized to perform MAR searches\r\n (see [Authorize Client to Perform MAR Search](https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html)).\r\n\r\n### Setup\r\n\r\nTo deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the `Search MAR for hosts` node.\r\n\r\n### Running\r\n\r\nTo exercise the flow, double-click the button on the left side of the\r\n`Specify search projections` node.\r\n\r\n### Output\r\n\r\nThe IP addresses found should appear in the Node-RED `debug` tab. For example:\r\n\r\n~~~\r\n[ \"192.168.130.152\", \"192.168.130.133\"]\r\n~~~\r\n\r\n### Details\r\n\r\nThe flow exercises the nodes below.\r\n\r\n#### Specify search projections\r\n\r\nThis is an `inject` input node which starts the flow. This node injects a new\r\nmessage with a `payload` property which specifies that the IP addresses of\r\nhosts which are found should be projected into the search results:\r\n\r\n```json\r\n[\r\n {\r\n \"name\": \"HostInfo\",\r\n \"outputs\": [\r\n \"ip_address\"\r\n ]\r\n }\r\n]\r\n```\r\n\r\n#### Set projections request parameter\r\n\r\nThis is a `change` node which copies the value from the `payload` property on\r\nthe message to the `projections` property. The `Search MAR for hosts` node uses\r\nthe `projections` property when constructing the parameters for the MAR search. \r\n\r\n#### Search MAR for hosts\r\n\r\nThis is a `mar search` node. This node connects to the DXL fabric and sends a\r\nsearch request to the MAR service using the `msg.projections` property set by\r\nthe `Set projections request parameter` node.\r\n\r\nThe `Limit` property specifies that up to the first \"10\" result items should be\r\nprovided.\r\n\r\nThe `Return` property is set to \"a parsed JSON object\" to indicate that the\r\n`payload` for the response should be added to the output message as a JavaScript\r\nobject decoded from JSON.\r\n\r\n#### Extract host IP addresses\r\n\r\nThis is a `function` node. This node includes a JavaScript code snippet which\r\niterates over the search result items that were set on the `msg.payload`\r\nproperty by the `Search MAR for hosts` node. The source code for the code\r\nsnippet is included below:\r\n\r\n```javascript\r\nmsg.payload = \r\n msg.payload.map(function (processEntry) {\r\n return processEntry.output[\"HostInfo|ip_address\"]\r\n })\r\nreturn msg\r\n```\r\n\r\nThe `HostInfo|ip_address` value for\r\neach item is captured. An array with just the ip addresses of the hosts which\r\nwere returned in the search results is set onto the `msg.payload` property.\r\n\r\n#### Output IP addresses\r\n\r\nThis is a `debug` output node. This node outputs the array of host IP addresses\r\nwritten to the `msg.payload` property by the `Extract host IP addresses` node."
- },
- {
- "id": "e18fdc9e.6feae",
- "type": "dxl-mar-search",
- "z": "4d70f507.87bd5c",
- "name": "Search MAR for hosts",
- "pollInterval": 5,
- "client": "2ed0ce07.039942",
- "projections": "",
- "limit": "10",
- "textFilter": "",
- "sortBy": "",
- "sortDirection": "",
- "returnType": "obj",
- "x": 280,
- "y": 220,
- "wires": [
- [
- "be60e18f.08cfb"
- ]
- ]
- },
- {
- "id": "340bdcc6.7f4904",
- "type": "inject",
- "z": "4d70f507.87bd5c",
- "name": "Specify search projections",
- "topic": "",
- "payload": "[{\"name\":\"HostInfo\",\"outputs\":[\"ip_address\"]}]",
- "payloadType": "json",
- "repeat": "",
- "crontab": "",
- "once": false,
- "onceDelay": 0.1,
- "x": 150,
- "y": 40,
- "wires": [
- [
- "a2cb13bf.388be"
- ]
- ]
- },
- {
- "id": "39e7184f.da87a8",
- "type": "debug",
- "z": "4d70f507.87bd5c",
- "name": "Debug: Output IP addresses",
- "active": true,
- "tosidebar": true,
- "console": false,
- "tostatus": false,
- "complete": "payload",
- "x": 480,
- "y": 420,
- "wires": []
- },
- {
- "id": "be60e18f.08cfb",
- "type": "function",
- "z": "4d70f507.87bd5c",
- "name": "Extract host IP addresses",
- "func": "msg.payload = \n msg.payload.map(function (processEntry) {\n return processEntry.output[\"HostInfo|ip_address\"]\n })\nreturn msg",
- "outputs": 1,
- "noerr": 0,
- "x": 390,
- "y": 320,
- "wires": [
- [
- "39e7184f.da87a8"
- ]
- ]
- },
- {
- "id": "a2cb13bf.388be",
- "type": "change",
- "z": "4d70f507.87bd5c",
- "name": "Set projections request parameter",
- "rules": [
- {
- "t": "set",
- "p": "projections",
- "pt": "msg",
- "to": "payload",
- "tot": "msg"
- }
- ],
- "action": "",
- "property": "",
- "from": "",
- "to": "",
- "reg": false,
- "x": 260,
- "y": 120,
- "wires": [
- [
- "e18fdc9e.6feae"
- ]
- ]
- }
- ]
-
Version 1.0.0
- 626 Downloads