Node-RED Flow: Apply FireEye file reputation to McAfee TIE 1.0.0

Allows FireEye appliances to send file reputation to McAfee TIE over the DXL.

Use FireEye appliance HTTP POST notifications to apply file reputation scores to McAfee TIE and the McAfee ecosystem. This creates a FireEye topic on the McAfee DXL so the intel can be shared with other platforms.

Prerequisites:

Instructions

  1. Import the HTTP Basic Authentication and McAfee TIE Client nodes into Node-RED through Manage Palette.
  2. Import the Node-RED flow (fireeye-tie-nodered.json).
  3. Provision the DXL client.
  4. Deploy in Node-RED.
  5. Set DXL Topic Authorization (Server Settings --> DXL Topic Authorization --> Edit --> Select TIE Server Set Enterprise Reputation --> Restrict Send Certificates).
  6. Change the Node-RED login credentials (default username: admin, password: password) and set the Node-RED /fireeye POST credentials in the FireEye Authentication node (default username: fireeye, password: fireeye).

Flow Diagram


Configure FireEye Appliance

  1. Log into the FireEye appliance with an administrator account
  2. Click “Settings”
  3. Click “Notifications”
  4. Click the “http” hyperlink
  5. Make sure the "Event type" check box is selected
  6. If the Global HTTP Settings are already set, leave them as they are
  7. Add HTTP Server (Post to Node-RED server with path /fireeye)
  8. Name Your Server (e.g. OpenDXLHTTP)
  9. Check Enabled
  10. Uncheck Auth
  11. Check SSL Enabled
  12. Per Event



Test FireEye JSON Payload

Save payload example below as fireeye.json

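Then post it to the Node-RED endpoint (docker01 is the Node-RED host in this example; --insecure skips certificate verification, so use it only against a self-signed test certificate):

    curl -u fireeye:fireeye --insecure -vX POST https://docker01:1880/fireeye --header "Content-Type: application/json" -d @fireeye.json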
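
Once the default credentials from the Instructions have been changed, the same endpoint can be probed to confirm it now refuses both unauthenticated POSTs and the shipped fireeye:fireeye pair. The script below is an added example, not part of the original flow or repository. The names NODE_RED_URL, CA_FILE and check.sh are assumptions, as is the expectation that the authentication node answers a refused request with 401 and that the flow does nothing with an empty JSON object.

```shell
#!/bin/sh
# Added example, not part of the flow: check that the /fireeye listener
# rejects unauthenticated POSTs and the shipped default fireeye:fireeye pair.
# CA_FILE and NODE_RED_URL are names assumed for this sketch.

# POST an empty JSON object and print only the HTTP status code.
# $1 = endpoint URL, $2 = "user:password" (empty string = send no credentials)
post_status() {
    url=$1
    creds=$2
    set -- --silent --output /dev/null --write-out '%{http_code}' \
        --max-time 10 --request POST \
        --header 'Content-Type: application/json' --data '{}'
    # Validate the server certificate against CA_FILE when it is set,
    # otherwise against the system trust store (no --insecure here).
    if [ -n "${CA_FILE:-}" ]; then set -- "$@" --cacert "$CA_FILE"; fi
    if [ -n "$creds" ]; then set -- "$@" --user "$creds"; fi
    curl "$@" "$url"
}

# Returns 0 only if both probes are refused with 401/403.
check_fireeye_endpoint() {
    endpoint=$1
    rc=0
    for attempt in "" "fireeye:fireeye"; do
        # curl prints 000 and exits non-zero when no HTTP response arrives
        code=$(post_status "$endpoint" "$attempt") || code=000
        label=${attempt:-no credentials}
        case $code in
            401|403) echo "ok:   $label refused ($code)" ;;
            000)     echo "FAIL: $label - no HTTP response (TLS or network)"; rc=1 ;;
            *)       echo "FAIL: $label got $code, expected 401"; rc=1 ;;
        esac
    done
    return $rc
}

# Run only when a target is supplied, e.g.
#   NODE_RED_URL=https://docker01:1880/fireeye CA_FILE=ca.pem sh check.sh
if [ -n "${NODE_RED_URL:-}" ]; then
    check_fireeye_endpoint "$NODE_RED_URL"
fi
```

A non-zero exit status means at least one probe was not refused, so the script can gate a deployment step.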

FireEye JSON Payload Example

Node Red Flow