chrissmith added a new solution:
> When a MISP event is published, the flow examines the event to determine if it contains hash-based attributes. If it does, a MAR search is performed to determine if any active endpoints contain the hashes. For each endpoint containing a hash, a sighting is added to the MISP event in addition to a comment that includes the associated endpoint information.
Prerequisites
- The Node-RED DXL client configuration step has been completed (see Client Configuration).
- A McAfee Active Response (MAR) service is available on the DXL fabric.
- The Node-RED DXL client is authorized to perform MAR searches (see Authorize Client to Perform MAR Search).
- The MISP DXL Service is running and connected to the DXL fabric.
  - The service is configured to connect to ZeroMQ (zeroMqPort) and the notification topic misp_json is being forwarded.
  - The service exposes the sighting API.
- The following Node-RED modules have been installed:
  - Node-RED config node (included in OpenDXL Node-RED Docker image)
  - DXL Node-RED nodes (included in OpenDXL Node-RED Docker image)
  - McAfee Active Response (MAR) DXL nodes for Node-RED
The Node-RED flow content for this solution:
Code: Node-RED Flow
[
  {
    "id": "3bcf37ef.a9d108",
    "type": "tab",
    "label": "Add Hash Sightings to MISP Event using MAR",
    "disabled": false,
    "info": "This flow utilizes McAfee Active Response (MAR) to add sightings to MISP \r\npublished events containing hash-based attributes.\r\n\r\nWhen a MISP event is published, the flow examines the event to determine if \r\nit contains hash-based attributes. If it does, a MAR search is performed \r\nto determine if any active endpoints contain the hashes. For each endpoint\r\ncontaining a hash, a sighting is added to the MISP event in addition to a \r\ncomment that includes the associated endpoint information.\r\n\r\n### Prerequisites\r\n\r\n* The Node-RED DXL client configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A McAfee Active Response (MAR) service is available on the DXL fabric.\r\n* The Node-RED DXL client is authorized to perform MAR searches\r\n (see [Authorize Client to Perform MAR Search](https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html)).\r\n* The [MISP DXL Service](https://github.com/opendxl/opendxl-misp-service-python) is running and connected to the DXL fabric.\r\n * The service is configured to connect to ZeroMQ (`zeroMqPort`) and the notification topic `misp_json` is being forwarded.\r\n * The service exposes the `sighting` API \r\n* The following Node-RED modules have been installed:\r\n * [Node-RED config node](https://flows.nodered.org/node/node-red-contrib-config) (included in OpenDXL Node-RED Docker image)\r\n * [DXL Node-RED nodes](https://flows.nodered.org/node/@opendxl/node-red-contrib-dxl) (included in OpenDXL Node-RED Docker image)\r\n * [McAfee Active Response (MAR) DXL nodes for Node-RED](https://flows.nodered.org/node/@opendxl/node-red-contrib-dxl-mar-client)\r\n \r\n"
  },
  {
    "id": "3d363a67.a36dd6",
    "type": "dxl-core-event in",
    "z": "3bcf37ef.a9d108",
    "name": "Receive MISP Event Publish Notifications",
    "topic": "/opendxl-misp/event/zeromq-notifications/misp_json",
    "client": "cc766472.7a4b28",
    "payloadType": "obj",
    "x": 180,
    "y": 60,
    "wires": [
      [
        "9e6420fb.a4d33",
        "945c3d8c.86648"
      ]
    ]
  },
  {
    "id": "5fb31223.b5578c",
    "type": "debug",
    "z": "3bcf37ef.a9d108",
    "name": "Debug: Sighting Request",
    "active": true,
    "tosidebar": true,
    "console": false,
    "tostatus": false,
    "complete": "payload",
    "x": 770,
    "y": 414,
    "wires": []
  },
  {
    "id": "9e6420fb.a4d33",
    "type": "function",
    "z": "3bcf37ef.a9d108",
    "name": "Extract Hash-based Attributes",
    "func": "var output = []\n\nif(msg.payload && \n msg.payload.Event &&\n msg.payload.Event.Attribute) {\n var attribs = msg.payload.Event.Attribute\n attribs.forEach(function(entry) {\n if(entry.type == \"md5\" ||\n entry.type == \"sha1\" ||\n entry.type == \"sha256\") {\n output.push({\n \"uuid\": entry.uuid,\n \"type\": entry.type,\n \"value\": entry.value\n });\n }\n });\n}\nmsg.payload = output;\nreturn msg;",
    "outputs": 1,
    "noerr": 0,
    "x": 210,
    "y": 140,
    "wires": [
      [
        "28fb53c3.5229cc"
      ]
    ]
  },
  {
    "id": "8e254ff0.db295",
    "type": "function",
    "z": "3bcf37ef.a9d108",
    "name": "Extract Found Host IP Addresses",
    "func": "msg.payload = \n msg.payload.map(function (processEntry) {\n return processEntry.output[\"HostInfo|ip_address\"]\n })\nreturn msg",
    "outputs": 1,
    "noerr": 0,
    "x": 360,
    "y": 294,
    "wires": [
      [
        "cbbd0543.94c9e8"
      ]
    ]
  },
  {
    "id": "cbbd0543.94c9e8",
    "type": "split",
    "z": "3bcf37ef.a9d108",
    "name": "Execute for each IP address",
    "splt": "\\n",
    "spltType": "str",
    "arraySplt": 1,
    "arraySpltType": "len",
    "stream": false,
    "addname": "",
    "x": 420,
    "y": 354,
    "wires": [
      [
        "2166f5bc.f4597a"
      ]
    ]
  },
  {
    "id": "51a75203.b4424c",
    "type": "function",
    "z": "3bcf37ef.a9d108",
    "name": "Compose MAR Search Condition",
    "func": "msg.mispHash = msg.payload;\nmsg.conditions = {\n \"or\": [{\n \"and\": [{\n \"name\": \"Files\",\n \"output\": msg.mispHash.type,\n \"op\": \"EQUALS\",\n \"value\": msg.mispHash.value\n }]\n }]\n};\n\nreturn msg;\n",
    "outputs": 1,
    "noerr": 0,
    "x": 620,
    "y": 200,
    "wires": [
      [
        "354b7393.e9e4ac"
      ]
    ]
  },
  {
    "id": "d95da896.6b2648",
    "type": "dxl-core-request",
    "z": "3bcf37ef.a9d108",
    "name": "Add Sighting to MISP Event",
    "topic": "/opendxl-misp/service/misp-api/sighting",
    "client": "cc766472.7a4b28",
    "returnType": "txt",
    "x": 780,
    "y": 474,
    "wires": [
      [
        "7fd94d76.8ea7d4"
      ]
    ]
  },
  {
    "id": "2166f5bc.f4597a",
    "type": "template",
    "z": "3bcf37ef.a9d108",
    "name": "Format Add Sighting Request",
    "field": "payload",
    "fieldType": "msg",
    "format": "handlebars",
    "syntax": "mustache",
    "template": "{\n \"uuid\": \"{{mispHash.uuid}}\",\n \"type\": \"0\",\n \"source\": \"Observed on system {{payload}}\"\n}",
    "output": "json",
    "x": 470,
    "y": 474,
    "wires": [
      [
        "d95da896.6b2648",
        "5fb31223.b5578c"
      ]
    ]
  },
  {
    "id": "28fb53c3.5229cc",
    "type": "split",
    "z": "3bcf37ef.a9d108",
    "name": "Execute MAR Search for each Hash",
    "splt": "\\n",
    "spltType": "str",
    "arraySplt": 1,
    "arraySpltType": "len",
    "stream": false,
    "addname": "",
    "x": 290,
    "y": 200,
    "wires": [
      [
        "51a75203.b4424c"
      ]
    ]
  },
  {
    "id": "7fd94d76.8ea7d4",
    "type": "debug",
    "z": "3bcf37ef.a9d108",
    "name": "Debug: Response",
    "active": true,
    "tosidebar": true,
    "console": false,
    "tostatus": false,
    "complete": "payload",
    "x": 1030,
    "y": 474,
    "wires": []
  },
  {
    "id": "945c3d8c.86648",
    "type": "debug",
    "z": "3bcf37ef.a9d108",
    "name": "Debug: Received Event",
    "active": true,
    "tosidebar": true,
    "console": false,
    "tostatus": false,
    "complete": "payload",
    "x": 570,
    "y": 60,
    "wires": []
  },
  {
    "id": "354b7393.e9e4ac",
    "type": "dxl-mar-search",
    "z": "3bcf37ef.a9d108",
    "name": "",
    "pollInterval": 5,
    "client": "cc766472.7a4b28",
    "projections": "[\n {\n \"name\": \"HostInfo\", \n \"outputs\": [\"ip_address\"]\n }\n]",
    "limit": "",
    "textFilter": "",
    "sortBy": "",
    "sortDirection": "",
    "returnType": "obj",
    "x": 870,
    "y": 200,
    "wires": [
      [
        "8e254ff0.db295"
      ]
    ]
  }
]