Node-RED Flow: Add Hash Sightings to MISP Event using MAR 1.0.0

This flow utilizes McAfee Active Response (MAR) to adds sightings to MISP published events containing hash-based attributes.

When a MISP event is published, the flow examines the event to determine if it contains hash-based attributes. If it does, a MAR search is performed to determine if any active endpoints contain the hashes. For each endpoint containing a hash, a sighting is added to the MISP event in addition to a comment that includes the associated endpoint information.


The Node-RED flow content for this solution: