brumleyscott added a new solution:
QuoteDisplay MoreUse FireEye appliance HTTP POST notifications to apply file reputation scores to McAfee TIE and the McAfee eco-system. This will create a FireEye Topic on the McAfee DXL to share intel with other platforms.
Prerequisites:
- FireEye Appliance
- DXL Fabric
- TIE "Threat Intelligence Exchange"
- McAfee ePO
- Node-RED Modules:
- HTTP Basic Authentication (node-red-contrib-httpauth)
- DXL Nodes (node-red-contrib-dxl)
- McAfee TIE DXL Nodes (node-red-contrib-dxl-tie-client)
- DXL Authorization restrict send certificate on Set TIE Enterprise Reputation
Instructions
- Import HTTP Basic Authentication and McAfee TIE Client Manage Palettes into Node Red.
- Import Node Red Flow (fireeye-tie-nodered.json)
- Provision DXL Client
- Deploy in Node-RED
- Set DXL Topic Authorization (Server Settings --> DXL Topic Authorization --> Edit --> Select TIE Server Set Enterprise Reputation --> Restrict Send Certificates)
- Change Node-RED login credentials (default: - username: admin password: password) and set Node-RED /fireeye POST credentials (FireEye Authentication Node) (default - username:fireeye password:fireeye)
Flow Diagram
Configure FireEye Appliance
- Log into the FireEye appliance with an administrator account
- Click “Settings”
- Click “Notifications”
- Click the “http” hyperlink
- Make sure the "Event type" check box is selected
- If the Global HTTP Settings are already set—leave them
- Add HTTP Server (Post to Node-RED server with path /fireeye)
- Name Your Server (i.e. OpenDXLHTTP)
- Check Enabled
- Uncheck Auth
- Check SSL Enabled
- Per Event
Test FireEye JSON Payload
Save payload example below as fireeye.json
FireEye JSON Payload Example
Display MoreCode
- {
- "product": "MAS",
- "appliance-id": "00:00:00:00:00:00",
- "appliance": "fireeye-000000",
- "alert": {
- "src": {
- "url": "/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe"
- },
- "severity": "majr",
- "alert-url": "https://fireeye-000000/malware_analysis/analyses?maid=146658",
- "explanation": {
- "malware-detected": {
- "malware": {
- "maliciou<img src="https://www.opendxl.com/index.php?attachment/96-fireeye-splunk-jpg/&thumbnail=1" class="woltlabAttachment" data-attachment-id="96" id="wcfImgAttachment0">s": "yes",
- "executed-at": "2017-05-09T14:30:25Z",
- "md5sum": "41281428cd6f503f948e931d546e340c",
- "type": "exe",
- "name": "Trojan.LuminosityLink"
- }
- }
- },
- "occurred": "2017-05-09T14:30:25Z",
- "action": "notified",
- "id": "146658",
- "name": "malware-object"
- },
- "version": "7.7.5.577562",
- "msg": "concise"
- }
Node Red Flow
Display MoreHTML
- [
- {
- "id": "23e49c5a.b408a4",
- "type": "tab",
- "label": "FireEye To McAfee TIE",
- "disabled": false,
- "info": ""
- },
- {
- "id": "17ee602d.c4b03",
- "type": "dxl-core-event out",
- "z": "23e49c5a.b408a4",
- "name": "",
- "topic": "/vendor/fireeye",
- "client": "",
- "x": 836.6666259765625,
- "y": 187.77777099609375,
- "wires": []
- },
- {
- "id": "2d49fb9f.cf32a4",
- "type": "dxl-tie-set-file-reputation",
- "z": "23e49c5a.b408a4",
- "name": "",
- "client": "",
- "trustLevel": "",
- "comment": "",
- "x": 850,
- "y": 600,
- "wires": [
- []
- ]
- },
- {
- "id": "1c202325.27cea5",
- "type": "inject",
- "z": "23e49c5a.b408a4",
- "name": "FIreEye Major",
- "topic": "",
- "payload": "{ \"product\": \"MAS\", \"appliance-id\": \"00:00:00:00:00:00\", \"appliance\": \"fireeye-000000\", \"alert\": { \"src\": { \"url\": \"/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe\" }, \"severity\": \"majr\", \"alert-url\": \"https://fireeye-000000/malware_analysis/analyses?maid=146658\", \"explanation\": { \"malware-detected\": { \"malware\": { \"malicious\": \"yes\", \"executed-at\": \"2017-05-09T14:30:25Z\", \"md5sum\": \"41281428cd6f503f948e931d546e340c\", \"type\": \"exe\", \"name\": \"Trojan.LuminosityLink\" } } }, \"occurred\": \"2017-05-09T14:30:25Z\", \"action\": \"notified\", \"id\": \"146658\", \"name\": \"malware-object\" }, \"version\": \"7.7.5.577562\", \"msg\": \"concise\" }",
- "payloadType": "json",
- "repeat": "",
- "crontab": "",
- "once": false,
- "onceDelay": 0.1,
- "x": 110,
- "y": 100,
- "wires": [
- [
- "7238e123.6bd77"
- ]
- ]
- },
- {
- "id": "20683e34.f5e812",
- "type": "http in",
- "z": "23e49c5a.b408a4",
- "name": "",
- "url": "/fireeye",
- "method": "post",
- "upload": true,
- "swaggerDoc": "",
- "x": 88,
- "y": 229,
- "wires": [
- [
- "8fb9d3c9.5ca068"
- ]
- ]
- },
- {
- "id": "7238e123.6bd77",
- "type": "json",
- "z": "23e49c5a.b408a4",
- "name": "",
- "property": "payload",
- "action": "obj",
- "pretty": false,
- "x": 310,
- "y": 60,
- "wires": [
- [
- "fb439e70.d0ff8"
- ]
- ]
- },
- {
- "id": "5487eba4.8e2994",
- "type": "dxl-core-event in",
- "z": "23e49c5a.b408a4",
- "name": "",
- "topic": "/vendor/fireeye",
- "client": "",
- "payloadType": "txt",
- "x": 120,
- "y": 360,
- "wires": [
- [
- "7aef7ffb.a89c2"
- ]
- ]
- },
- {
- "id": "58127655.09b83",
- "type": "change",
- "z": "23e49c5a.b408a4",
- "name": "Unknown",
- "rules": [
- {
- "t": "set",
- "p": "payload.mcafee-rep",
- "pt": "msg",
- "to": "$replace(\t payload.alert.severity,\t \"unkn\",\t \"50\"\t)\t\t",
- "tot": "jsonata"
- }
- ],
- "action": "",
- "property": "",
- "from": "",
- "to": "",
- "reg": false,
- "x": 540,
- "y": 160,
- "wires": [
- [
- "3151a163.33b536",
- "17ee602d.c4b03",
- "7a874649.67c058"
- ]
- ]
- },
- {
- "id": "3151a163.33b536",
- "type": "debug",
- "z": "23e49c5a.b408a4",
- "name": "",
- "active": true,
- "tosidebar": true,
- "console": false,
- "tostatus": false,
- "complete": "false",
- "x": 830,
- "y": 140,
- "wires": []
- },
- {
- "id": "acc35bcd.747c5",
- "type": "inject",
- "z": "23e49c5a.b408a4",
- "name": "FireEye Unknown",
- "topic": "",
- "payload": "{ \"product\": \"MAS\", \"appliance-id\": \"00:00:00:00:00:00\", \"appliance\": \"fireeye-000000\", \"alert\": { \"src\": { \"url\": \"/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe\" }, \"severity\": \"unkn\", \"alert-url\": \"https://fireeye-000000/malware_analysis/analyses?maid=146658\", \"explanation\": { \"malware-detected\": { \"malware\": { \"malicious\": \"yes\", \"executed-at\": \"2017-05-09T14:30:25Z\", \"md5sum\": \"41281428cd6f503f948e931d546e340c\", \"type\": \"exe\", \"name\": \"Trojan.LuminosityLink\" } } }, \"occurred\": \"2017-05-09T14:30:25Z\", \"action\": \"notified\", \"id\": \"146658\", \"name\": \"malware-object\" }, \"version\": \"7.7.5.577562\", \"msg\": \"concise\" }",
- "payloadType": "json",
- "repeat": "",
- "crontab": "",
- "once": false,
- "onceDelay": 0.1,
- "x": 120,
- "y": 60,
- "wires": [
- [
- "7238e123.6bd77"
- ]
- ]
- },
- {
- "id": "30da705d.e77138",
- "type": "inject",
- "z": "23e49c5a.b408a4",
- "name": "FireEye Minor",
- "topic": "",
- "payload": "{\"product\":\"MAS\",\"appliance-id\":\"00:00:00:00:00:00\",\"appliance\":\"fireeye-000000\",\"alert\":{\"src\":{\"url\":\"/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe\"},\"severity\":\"minr\",\"alert-url\":\"https://fireeye-000000/malware_analysis/analyses?maid=146658\",\"explanation\":{\"malware-detected\":{\"malware\":{\"malicious\":\"yes\",\"executed-at\":\"2017-05-09T14:30:25Z\",\"md5sum\":\"41281428cd6f503f948e931d546e340c\",\"type\":\"exe\",\"name\":\"Trojan.LuminosityLink\"}}},\"occurred\":\"2017-05-09T14:30:25Z\",\"action\":\"notified\",\"id\":\"146658\",\"name\":\"malware-object\"},\"version\":\"7.7.5.577562\",\"msg\":\"concise\"}",
- "payloadType": "json",
- "repeat": "",
- "crontab": "",
- "once": false,
- "onceDelay": 0.1,
- "x": 110,
- "y": 140,
- "wires": [
- [
- "7238e123.6bd77"
- ]
- ]
- },
- {
- "id": "7db19e12.3236f8",
- "type": "inject",
- "z": "23e49c5a.b408a4",
- "name": "Critical",
- "topic": "",
- "payload": "{\"product\":\"MAS\",\"appliance-id\":\"00:00:00:00:00:00\",\"appliance\":\"fireeye-000000\",\"alert\":{\"src\":{\"url\":\"/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe\"},\"severity\":\"crit\",\"alert-url\":\"https://fireeye-000000/malware_analysis/analyses?maid=146658\",\"explanation\":{\"malware-detected\":{\"malware\":{\"malicious\":\"yes\",\"executed-at\":\"2017-05-09T14:30:25Z\",\"md5sum\":\"41281428cd6f503f948e931d546e340c\",\"type\":\"exe\",\"name\":\"Trojan.LuminosityLink\"}}},\"occurred\":\"2017-05-09T14:30:25Z\",\"action\":\"notified\",\"id\":\"146658\",\"name\":\"malware-object\"},\"version\":\"7.7.5.577562\",\"msg\":\"concise\"}",
- "payloadType": "json",
- "repeat": "",
- "crontab": "",
- "once": false,
- "onceDelay": 0.1,
- "x": 90,
- "y": 180,
- "wires": [
- [
- "7238e123.6bd77"
- ]
- ]
- },
- {
- "id": "fb439e70.d0ff8",
- "type": "switch",
- "z": "23e49c5a.b408a4",
- "name": "FireEyeSeverity",
- "property": "payload.alert.severity",
- "propertyType": "msg",
- "rules": [
- {
- "t": "eq",
- "v": "unkn",
- "vt": "str"
- },
- {
- "t": "eq",
- "v": "minr",
- "vt": "str"
- },
- {
- "t": "eq",
- "v": "majr",
- "vt": "str"
- },
- {
- "t": "eq",
- "v": "crit",
- "vt": "str"
- }
- ],
- "checkall": "true",
- "repair": false,
- "outputs": 4,
- "x": 510,
- "y": 50,
- "wires": [
- [
- "58127655.09b83"
- ],
- [
- "89c2b8e9.5670d"
- ],
- [
- "6ca092c8.6ce994"
- ],
- [
- "bb303907.1d5fe8"
- ]
- ]
- },
- {
- "id": "89c2b8e9.5670d",
- "type": "change",
- "z": "23e49c5a.b408a4",
- "name": "might_be_malicious",
- "rules": [
- {
- "t": "set",
- "p": "payload.mcafee-rep",
- "pt": "msg",
- "to": "$replace(\t payload.alert.severity,\t \"minr\",\t \"30\"\t)\t\t",
- "tot": "jsonata"
- }
- ],
- "action": "",
- "property": "",
- "from": "",
- "to": "",
- "reg": false,
- "x": 580,
- "y": 200,
- "wires": [
- [
- "17ee602d.c4b03",
- "3151a163.33b536",
- "7a874649.67c058"
- ]
- ]
- },
- {
- "id": "6ca092c8.6ce994",
- "type": "change",
- "z": "23e49c5a.b408a4",
- "name": "known_malicious",
- "rules": [
- {
- "t": "set",
- "p": "payload.mcafee-rep",
- "pt": "msg",
- "to": "$replace(\t payload.alert.severity,\t \"majr\",\t \"1\"\t)\t\t",
- "tot": "jsonata"
- }
- ],
- "action": "",
- "property": "",
- "from": "",
- "to": "",
- "reg": false,
- "x": 570,
- "y": 240,
- "wires": [
- [
- "17ee602d.c4b03",
- "3151a163.33b536",
- "7a874649.67c058"
- ]
- ]
- },
- {
- "id": "bb303907.1d5fe8",
- "type": "change",
- "z": "23e49c5a.b408a4",
- "name": "known_malicious",
- "rules": [
- {
- "t": "set",
- "p": "payload.mcafee-rep",
- "pt": "msg",
- "to": "$replace(\t payload.alert.severity,\t \"crit\",\t \"1\"\t)\t\t",
- "tot": "jsonata"
- }
- ],
- "action": "",
- "property": "",
- "from": "",
- "to": "",
- "reg": false,
- "x": 570,
- "y": 280,
- "wires": [
- [
- "17ee602d.c4b03",
- "3151a163.33b536",
- "7a874649.67c058"
- ]
- ]
- },
- {
- "id": "7aef7ffb.a89c2",
- "type": "json",
- "z": "23e49c5a.b408a4",
- "name": "",
- "property": "payload",
- "action": "obj",
- "pretty": false,
- "x": 290,
- "y": 360,
- "wires": [
- [
- "d43f71b7.7f5108"
- ]
- ]
- },
- {
- "id": "408fed1d.0edf7c",
- "type": "change",
- "z": "23e49c5a.b408a4",
- "name": "FileName",
- "rules": [
- {
- "t": "set",
- "p": "fileName",
- "pt": "msg",
- "to": "$lookup(msg.payload.alert.explanation, \"malware-detected\").malware.name",
- "tot": "jsonata"
- }
- ],
- "action": "",
- "property": "",
- "from": "",
- "to": "",
- "reg": false,
- "x": 740,
- "y": 360,
- "wires": [
- [
- "cc100dd2.9f3a4"
- ]
- ]
- },
- {
- "id": "cc100dd2.9f3a4",
- "type": "change",
- "z": "23e49c5a.b408a4",
- "name": "Comment",
- "rules": [
- {
- "t": "set",
- "p": "comment",
- "pt": "msg",
- "to": "Reputation set via OpenDXL",
- "tot": "str"
- }
- ],
- "action": "",
- "property": "",
- "from": "",
- "to": "",
- "reg": false,
- "x": 640,
- "y": 440,
- "wires": [
- [
- "de4190c3.1cee48",
- "2d49fb9f.cf32a4"
- ]
- ]
- },
- {
- "id": "de4190c3.1cee48",
- "type": "debug",
- "z": "23e49c5a.b408a4",
- "name": "",
- "active": false,
- "tosidebar": true,
- "console": false,
- "tostatus": false,
- "complete": "true",
- "x": 810,
- "y": 540,
- "wires": []
- },
- {
- "id": "1e78a28d.a27135",
- "type": "change",
- "z": "23e49c5a.b408a4",
- "name": "TrustLevel",
- "rules": [
- {
- "t": "set",
- "p": "trustLevel",
- "pt": "msg",
- "to": "payload.mcafee-rep",
- "tot": "msg"
- }
- ],
- "action": "",
- "property": "",
- "from": "",
- "to": "",
- "reg": false,
- "x": 590,
- "y": 360,
- "wires": [
- [
- "408fed1d.0edf7c"
- ]
- ]
- },
- {
- "id": "d43f71b7.7f5108",
- "type": "change",
- "z": "23e49c5a.b408a4",
- "name": "MD5 Hash",
- "rules": [
- {
- "t": "set",
- "p": "hashes",
- "pt": "msg",
- "to": "{\"md5\":$lookup(msg.payload.alert.explanation, \"malware-detected\").malware.md5sum}",
- "tot": "jsonata"
- }
- ],
- "action": "",
- "property": "",
- "from": "",
- "to": "",
- "reg": false,
- "x": 430,
- "y": 360,
- "wires": [
- [
- "1e78a28d.a27135"
- ]
- ]
- },
- {
- "id": "bf0ef69e.ca4ff8",
- "type": "debug",
- "z": "23e49c5a.b408a4",
- "name": "",
- "active": false,
- "tosidebar": true,
- "console": false,
- "tostatus": false,
- "complete": "payload",
- "x": 358.5,
- "y": 317,
- "wires": []
- },
- {
- "id": "8fb9d3c9.5ca068",
- "type": "node-red-contrib-httpauth",
- "z": "23e49c5a.b408a4",
- "name": "FireEye Authentication",
- "file": "",
- "cred": "",
- "authType": "Basic",
- "realm": "",
- "username": "fireeye",
- "password": "fireeye",
- "hashed": false,
- "x": 133.5,
- "y": 278,
- "wires": [
- [
- "bf0ef69e.ca4ff8",
- "7238e123.6bd77"
- ]
- ]
- },
- {
- "id": "7a874649.67c058",
- "type": "template",
- "z": "23e49c5a.b408a4",
- "name": "",
- "field": "payload",
- "fieldType": "msg",
- "format": "handlebars",
- "syntax": "mustache",
- "template": "<html> \n <head>\n </head>\n <body>\n <h1>FireEye To McAfee TIE File Reputation Set!</h1>\n Filename: {{ payload.alert.explanation.malware-detected.malware.name }}<br>\n MD5: {{ payload.alert.explanation.malware-detected.malware.md5sum }}<br>\n FireEye Severity: {{ payload.alert.severity }}\n McAfee Reputation Score: {{ payload.mcafee-rep }}\n </body>\n</html> ",
- "output": "str",
- "x": 819.4444580078125,
- "y": 246.66665649414062,
- "wires": [
- [
- "e02d1a12.1530b"
- ]
- ]
- },
- {
- "id": "e02d1a12.1530b",
- "type": "http response",
- "z": "23e49c5a.b408a4",
- "name": "",
- "statusCode": "",
- "headers": {},
- "x": 870.5555555555555,
- "y": 302.22222222222223,
- "wires": []
- }
- ]