Node-RED Flow: Apply FireEye file reputation to McAfee TIE

brumleyscott added a new solution:

Quote

Use FireEye appliance HTTP POST notifications to apply file reputation scores to McAfee TIE and the McAfee eco-system. This will create a FireEye Topic on the McAfee DXL to share intel with other platforms.

Prerequisites:

• FireEye Appliance
• DXL Fabric
• TIE "Threat Intelligence Exchange"
• McAfee ePO
• Node-RED Modules:
  • HTTP Basic Authentication (node-red-contrib-httpauth)
  • DXL Nodes (node-red-contrib-dxl)
  • McAfee TIE DXL Nodes (node-red-contrib-dxl-tie-client)
• DXL Authorization restrict send certificate on Set TIE Enterprise Reputation

Instructions

1. Import HTTP Basic Authentication and McAfee TIE Client Manage Palettes into Node Red.
    
2. Import Node Red Flow (fireeye-tie-nodered.json)
    

1. Provision DXL Client
   
2. Deploy in Node-RED
3. Set DXL Topic Authorization (Server Settings --> DXL Topic Authorization --> Edit --> Select TIE Server Set Enterprise Reputation --> Restrict Send Certificates)
4. Change Node-RED login credentials (default: - username: admin password: password) and set Node-RED /fireeye POST credentials (FireEye Authentication Node) (default - username:fireeye password:fireeye)

Flow Diagram

Configure FireEye Appliance

1. Log into the FireEye appliance with an administrator account
2. Click “Settings”
3. Click “Notifications”
4. Click the “http” hyperlink
5. Make sure the "Event type" check box is selected
6. If the Global HTTP Settings are already set—leave them
7. Add HTTP Server (Post to Node-RED server with path /fireeye)
8. Name Your Server (i.e. OpenDXLHTTP)
9. Check Enabled
10. Uncheck Auth
11. Check SSL Enabled
12. Per Event

Test FireEye JSON Payload

Save payload example below as fireeye.json

Code

1. curl -u fireeye:fireeye --insecure -vX POST https://docker01:1880/fireeye --header "Content-Type: application/json" -d @fireeye.json

FireEye JSON Payload Example

Code

1. {
2. "product": "MAS",
3. "appliance-id": "00:00:00:00:00:00",
4. "appliance": "fireeye-000000",
5. "alert": {
6. "src": {
7. "url": "/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe"
8. },
9. "severity": "majr",
10. "alert-url": "https://fireeye-000000/malware_analysis/analyses?maid=146658",
11. "explanation": {
12. "malware-detected": {
13. "malware": {
14. "maliciou<img src="https://www.opendxl.com/index.php?attachment/96-fireeye-splunk-jpg/&thumbnail=1" class="woltlabAttachment" data-attachment-id="96" id="wcfImgAttachment0">s": "yes",
15. "executed-at": "2017-05-09T14:30:25Z",
16. "md5sum": "41281428cd6f503f948e931d546e340c",
17. "type": "exe",
18. "name": "Trojan.LuminosityLink"
19. }
20. }
21. },
22. "occurred": "2017-05-09T14:30:25Z",
23. "action": "notified",
24. "id": "146658",
25. "name": "malware-object"
26. },
27. "version": "7.7.5.577562",
28. "msg": "concise"
29. }

Display More

Node Red Flow

HTML

1. [
2. {
3. "id": "23e49c5a.b408a4",
4. "type": "tab",
5. "label": "FireEye To McAfee TIE",
6. "disabled": false,
7. "info": ""
8. },
9. {
10. "id": "17ee602d.c4b03",
11. "type": "dxl-core-event out",
12. "z": "23e49c5a.b408a4",
13. "name": "",
14. "topic": "/vendor/fireeye",
15. "client": "",
16. "x": 836.6666259765625,
17. "y": 187.77777099609375,
18. "wires": []
19. },
20. {
21. "id": "2d49fb9f.cf32a4",
22. "type": "dxl-tie-set-file-reputation",
23. "z": "23e49c5a.b408a4",
24. "name": "",
25. "client": "",
26. "trustLevel": "",
27. "comment": "",
28. "x": 850,
29. "y": 600,
30. "wires": [
31. []
32. ]
33. },
34. {
35. "id": "1c202325.27cea5",
36. "type": "inject",
37. "z": "23e49c5a.b408a4",
38. "name": "FIreEye Major",
39. "topic": "",
40. "payload": "{ \"product\": \"MAS\", \"appliance-id\": \"00:00:00:00:00:00\", \"appliance\": \"fireeye-000000\", \"alert\": { \"src\": { \"url\": \"/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe\" }, \"severity\": \"majr\", \"alert-url\": \"https://fireeye-000000/malware_analysis/analyses?maid=146658\", \"explanation\": { \"malware-detected\": { \"malware\": { \"malicious\": \"yes\", \"executed-at\": \"2017-05-09T14:30:25Z\", \"md5sum\": \"41281428cd6f503f948e931d546e340c\", \"type\": \"exe\", \"name\": \"Trojan.LuminosityLink\" } } }, \"occurred\": \"2017-05-09T14:30:25Z\", \"action\": \"notified\", \"id\": \"146658\", \"name\": \"malware-object\" }, \"version\": \"7.7.5.577562\", \"msg\": \"concise\" }",
41. "payloadType": "json",
42. "repeat": "",
43. "crontab": "",
44. "once": false,
45. "onceDelay": 0.1,
46. "x": 110,
47. "y": 100,
48. "wires": [
49. [
50. "7238e123.6bd77"
51. ]
52. ]
53. },
54. {
55. "id": "20683e34.f5e812",
56. "type": "http in",
57. "z": "23e49c5a.b408a4",
58. "name": "",
59. "url": "/fireeye",
60. "method": "post",
61. "upload": true,
62. "swaggerDoc": "",
63. "x": 88,
64. "y": 229,
65. "wires": [
66. [
67. "8fb9d3c9.5ca068"
68. ]
69. ]
70. },
71. {
72. "id": "7238e123.6bd77",
73. "type": "json",
74. "z": "23e49c5a.b408a4",
75. "name": "",
76. "property": "payload",
77. "action": "obj",
78. "pretty": false,
79. "x": 310,
80. "y": 60,
81. "wires": [
82. [
83. "fb439e70.d0ff8"
84. ]
85. ]
86. },
87. {
88. "id": "5487eba4.8e2994",
89. "type": "dxl-core-event in",
90. "z": "23e49c5a.b408a4",
91. "name": "",
92. "topic": "/vendor/fireeye",
93. "client": "",
94. "payloadType": "txt",
95. "x": 120,
96. "y": 360,
97. "wires": [
98. [
99. "7aef7ffb.a89c2"
100. ]
101. ]
102. },
103. {
104. "id": "58127655.09b83",
105. "type": "change",
106. "z": "23e49c5a.b408a4",
107. "name": "Unknown",
108. "rules": [
109. {
110. "t": "set",
111. "p": "payload.mcafee-rep",
112. "pt": "msg",
113. "to": "$replace(\t payload.alert.severity,\t \"unkn\",\t \"50\"\t)\t\t",
114. "tot": "jsonata"
115. }
116. ],
117. "action": "",
118. "property": "",
119. "from": "",
120. "to": "",
121. "reg": false,
122. "x": 540,
123. "y": 160,
124. "wires": [
125. [
126. "3151a163.33b536",
127. "17ee602d.c4b03",
128. "7a874649.67c058"
129. ]
130. ]
131. },
132. {
133. "id": "3151a163.33b536",
134. "type": "debug",
135. "z": "23e49c5a.b408a4",
136. "name": "",
137. "active": true,
138. "tosidebar": true,
139. "console": false,
140. "tostatus": false,
141. "complete": "false",
142. "x": 830,
143. "y": 140,
144. "wires": []
145. },
146. {
147. "id": "acc35bcd.747c5",
148. "type": "inject",
149. "z": "23e49c5a.b408a4",
150. "name": "FireEye Unknown",
151. "topic": "",
152. "payload": "{ \"product\": \"MAS\", \"appliance-id\": \"00:00:00:00:00:00\", \"appliance\": \"fireeye-000000\", \"alert\": { \"src\": { \"url\": \"/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe\" }, \"severity\": \"unkn\", \"alert-url\": \"https://fireeye-000000/malware_analysis/analyses?maid=146658\", \"explanation\": { \"malware-detected\": { \"malware\": { \"malicious\": \"yes\", \"executed-at\": \"2017-05-09T14:30:25Z\", \"md5sum\": \"41281428cd6f503f948e931d546e340c\", \"type\": \"exe\", \"name\": \"Trojan.LuminosityLink\" } } }, \"occurred\": \"2017-05-09T14:30:25Z\", \"action\": \"notified\", \"id\": \"146658\", \"name\": \"malware-object\" }, \"version\": \"7.7.5.577562\", \"msg\": \"concise\" }",
153. "payloadType": "json",
154. "repeat": "",
155. "crontab": "",
156. "once": false,
157. "onceDelay": 0.1,
158. "x": 120,
159. "y": 60,
160. "wires": [
161. [
162. "7238e123.6bd77"
163. ]
164. ]
165. },
166. {
167. "id": "30da705d.e77138",
168. "type": "inject",
169. "z": "23e49c5a.b408a4",
170. "name": "FireEye Minor",
171. "topic": "",
172. "payload": "{\"product\":\"MAS\",\"appliance-id\":\"00:00:00:00:00:00\",\"appliance\":\"fireeye-000000\",\"alert\":{\"src\":{\"url\":\"/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe\"},\"severity\":\"minr\",\"alert-url\":\"https://fireeye-000000/malware_analysis/analyses?maid=146658\",\"explanation\":{\"malware-detected\":{\"malware\":{\"malicious\":\"yes\",\"executed-at\":\"2017-05-09T14:30:25Z\",\"md5sum\":\"41281428cd6f503f948e931d546e340c\",\"type\":\"exe\",\"name\":\"Trojan.LuminosityLink\"}}},\"occurred\":\"2017-05-09T14:30:25Z\",\"action\":\"notified\",\"id\":\"146658\",\"name\":\"malware-object\"},\"version\":\"7.7.5.577562\",\"msg\":\"concise\"}",
173. "payloadType": "json",
174. "repeat": "",
175. "crontab": "",
176. "once": false,
177. "onceDelay": 0.1,
178. "x": 110,
179. "y": 140,
180. "wires": [
181. [
182. "7238e123.6bd77"
183. ]
184. ]
185. },
186. {
187. "id": "7db19e12.3236f8",
188. "type": "inject",
189. "z": "23e49c5a.b408a4",
190. "name": "Critical",
191. "topic": "",
192. "payload": "{\"product\":\"MAS\",\"appliance-id\":\"00:00:00:00:00:00\",\"appliance\":\"fireeye-000000\",\"alert\":{\"src\":{\"url\":\"/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe\"},\"severity\":\"crit\",\"alert-url\":\"https://fireeye-000000/malware_analysis/analyses?maid=146658\",\"explanation\":{\"malware-detected\":{\"malware\":{\"malicious\":\"yes\",\"executed-at\":\"2017-05-09T14:30:25Z\",\"md5sum\":\"41281428cd6f503f948e931d546e340c\",\"type\":\"exe\",\"name\":\"Trojan.LuminosityLink\"}}},\"occurred\":\"2017-05-09T14:30:25Z\",\"action\":\"notified\",\"id\":\"146658\",\"name\":\"malware-object\"},\"version\":\"7.7.5.577562\",\"msg\":\"concise\"}",
193. "payloadType": "json",
194. "repeat": "",
195. "crontab": "",
196. "once": false,
197. "onceDelay": 0.1,
198. "x": 90,
199. "y": 180,
200. "wires": [
201. [
202. "7238e123.6bd77"
203. ]
204. ]
205. },
206. {
207. "id": "fb439e70.d0ff8",
208. "type": "switch",
209. "z": "23e49c5a.b408a4",
210. "name": "FireEyeSeverity",
211. "property": "payload.alert.severity",
212. "propertyType": "msg",
213. "rules": [
214. {
215. "t": "eq",
216. "v": "unkn",
217. "vt": "str"
218. },
219. {
220. "t": "eq",
221. "v": "minr",
222. "vt": "str"
223. },
224. {
225. "t": "eq",
226. "v": "majr",
227. "vt": "str"
228. },
229. {
230. "t": "eq",
231. "v": "crit",
232. "vt": "str"
233. }
234. ],
235. "checkall": "true",
236. "repair": false,
237. "outputs": 4,
238. "x": 510,
239. "y": 50,
240. "wires": [
241. [
242. "58127655.09b83"
243. ],
244. [
245. "89c2b8e9.5670d"
246. ],
247. [
248. "6ca092c8.6ce994"
249. ],
250. [
251. "bb303907.1d5fe8"
252. ]
253. ]
254. },
255. {
256. "id": "89c2b8e9.5670d",
257. "type": "change",
258. "z": "23e49c5a.b408a4",
259. "name": "might_be_malicious",
260. "rules": [
261. {
262. "t": "set",
263. "p": "payload.mcafee-rep",
264. "pt": "msg",
265. "to": "$replace(\t payload.alert.severity,\t \"minr\",\t \"30\"\t)\t\t",
266. "tot": "jsonata"
267. }
268. ],
269. "action": "",
270. "property": "",
271. "from": "",
272. "to": "",
273. "reg": false,
274. "x": 580,
275. "y": 200,
276. "wires": [
277. [
278. "17ee602d.c4b03",
279. "3151a163.33b536",
280. "7a874649.67c058"
281. ]
282. ]
283. },
284. {
285. "id": "6ca092c8.6ce994",
286. "type": "change",
287. "z": "23e49c5a.b408a4",
288. "name": "known_malicious",
289. "rules": [
290. {
291. "t": "set",
292. "p": "payload.mcafee-rep",
293. "pt": "msg",
294. "to": "$replace(\t payload.alert.severity,\t \"majr\",\t \"1\"\t)\t\t",
295. "tot": "jsonata"
296. }
297. ],
298. "action": "",
299. "property": "",
300. "from": "",
301. "to": "",
302. "reg": false,
303. "x": 570,
304. "y": 240,
305. "wires": [
306. [
307. "17ee602d.c4b03",
308. "3151a163.33b536",
309. "7a874649.67c058"
310. ]
311. ]
312. },
313. {
314. "id": "bb303907.1d5fe8",
315. "type": "change",
316. "z": "23e49c5a.b408a4",
317. "name": "known_malicious",
318. "rules": [
319. {
320. "t": "set",
321. "p": "payload.mcafee-rep",
322. "pt": "msg",
323. "to": "$replace(\t payload.alert.severity,\t \"crit\",\t \"1\"\t)\t\t",
324. "tot": "jsonata"
325. }
326. ],
327. "action": "",
328. "property": "",
329. "from": "",
330. "to": "",
331. "reg": false,
332. "x": 570,
333. "y": 280,
334. "wires": [
335. [
336. "17ee602d.c4b03",
337. "3151a163.33b536",
338. "7a874649.67c058"
339. ]
340. ]
341. },
342. {
343. "id": "7aef7ffb.a89c2",
344. "type": "json",
345. "z": "23e49c5a.b408a4",
346. "name": "",
347. "property": "payload",
348. "action": "obj",
349. "pretty": false,
350. "x": 290,
351. "y": 360,
352. "wires": [
353. [
354. "d43f71b7.7f5108"
355. ]
356. ]
357. },
358. {
359. "id": "408fed1d.0edf7c",
360. "type": "change",
361. "z": "23e49c5a.b408a4",
362. "name": "FileName",
363. "rules": [
364. {
365. "t": "set",
366. "p": "fileName",
367. "pt": "msg",
368. "to": "$lookup(msg.payload.alert.explanation, \"malware-detected\").malware.name",
369. "tot": "jsonata"
370. }
371. ],
372. "action": "",
373. "property": "",
374. "from": "",
375. "to": "",
376. "reg": false,
377. "x": 740,
378. "y": 360,
379. "wires": [
380. [
381. "cc100dd2.9f3a4"
382. ]
383. ]
384. },
385. {
386. "id": "cc100dd2.9f3a4",
387. "type": "change",
388. "z": "23e49c5a.b408a4",
389. "name": "Comment",
390. "rules": [
391. {
392. "t": "set",
393. "p": "comment",
394. "pt": "msg",
395. "to": "Reputation set via OpenDXL",
396. "tot": "str"
397. }
398. ],
399. "action": "",
400. "property": "",
401. "from": "",
402. "to": "",
403. "reg": false,
404. "x": 640,
405. "y": 440,
406. "wires": [
407. [
408. "de4190c3.1cee48",
409. "2d49fb9f.cf32a4"
410. ]
411. ]
412. },
413. {
414. "id": "de4190c3.1cee48",
415. "type": "debug",
416. "z": "23e49c5a.b408a4",
417. "name": "",
418. "active": false,
419. "tosidebar": true,
420. "console": false,
421. "tostatus": false,
422. "complete": "true",
423. "x": 810,
424. "y": 540,
425. "wires": []
426. },
427. {
428. "id": "1e78a28d.a27135",
429. "type": "change",
430. "z": "23e49c5a.b408a4",
431. "name": "TrustLevel",
432. "rules": [
433. {
434. "t": "set",
435. "p": "trustLevel",
436. "pt": "msg",
437. "to": "payload.mcafee-rep",
438. "tot": "msg"
439. }
440. ],
441. "action": "",
442. "property": "",
443. "from": "",
444. "to": "",
445. "reg": false,
446. "x": 590,
447. "y": 360,
448. "wires": [
449. [
450. "408fed1d.0edf7c"
451. ]
452. ]
453. },
454. {
455. "id": "d43f71b7.7f5108",
456. "type": "change",
457. "z": "23e49c5a.b408a4",
458. "name": "MD5 Hash",
459. "rules": [
460. {
461. "t": "set",
462. "p": "hashes",
463. "pt": "msg",
464. "to": "{\"md5\":$lookup(msg.payload.alert.explanation, \"malware-detected\").malware.md5sum}",
465. "tot": "jsonata"
466. }
467. ],
468. "action": "",
469. "property": "",
470. "from": "",
471. "to": "",
472. "reg": false,
473. "x": 430,
474. "y": 360,
475. "wires": [
476. [
477. "1e78a28d.a27135"
478. ]
479. ]
480. },
481. {
482. "id": "bf0ef69e.ca4ff8",
483. "type": "debug",
484. "z": "23e49c5a.b408a4",
485. "name": "",
486. "active": false,
487. "tosidebar": true,
488. "console": false,
489. "tostatus": false,
490. "complete": "payload",
491. "x": 358.5,
492. "y": 317,
493. "wires": []
494. },
495. {
496. "id": "8fb9d3c9.5ca068",
497. "type": "node-red-contrib-httpauth",
498. "z": "23e49c5a.b408a4",
499. "name": "FireEye Authentication",
500. "file": "",
501. "cred": "",
502. "authType": "Basic",
503. "realm": "",
504. "username": "fireeye",
505. "password": "fireeye",
506. "hashed": false,
507. "x": 133.5,
508. "y": 278,
509. "wires": [
510. [
511. "bf0ef69e.ca4ff8",
512. "7238e123.6bd77"
513. ]
514. ]
515. },
516. {
517. "id": "7a874649.67c058",
518. "type": "template",
519. "z": "23e49c5a.b408a4",
520. "name": "",
521. "field": "payload",
522. "fieldType": "msg",
523. "format": "handlebars",
524. "syntax": "mustache",
525. "template": "<html> \n <head>\n </head>\n <body>\n <h1>FireEye To McAfee TIE File Reputation Set!</h1>\n Filename: {{ payload.alert.explanation.malware-detected.malware.name }}<br>\n MD5: {{ payload.alert.explanation.malware-detected.malware.md5sum }}<br>\n FireEye Severity: {{ payload.alert.severity }}\n McAfee Reputation Score: {{ payload.mcafee-rep }}\n </body>\n</html> ",
526. "output": "str",
527. "x": 819.4444580078125,
528. "y": 246.66665649414062,
529. "wires": [
530. [
531. "e02d1a12.1530b"
532. ]
533. ]
534. },
535. {
536. "id": "e02d1a12.1530b",
537. "type": "http response",
538. "z": "23e49c5a.b408a4",
539. "name": "",
540. "statusCode": "",
541. "headers": {},
542. "x": 870.5555555555555,
543. "y": 302.22222222222223,
544. "wires": []
545. }
546. ]

Display More

Display More