mcafee added a new version:
McAfee Threat Intelligence Exchange (TIE) DXL Python Client Library 0.3.0 Release
- Added support for external reputation providers (TIE 3.0)
mcafee added a new version:
McAfee Active Response (MAR) DXL Python Client Library 0.2.1 Release
- Added context support for queries (#7)
mcafee added a new version:
Cisco pxGrid nodes for Node-RED using DXL 0.1.1 Release
- Added session notification node
mcafee added a new solution:
Prerequisites
- The OpenDXL and McAfee ePolicy Orchestrator (ePO) DXL modules have been added to the Node-RED palette.
- A DXL client has been configured in Node-RED (see Client Configuration).
- An ePO DXL service is running and available on the DXL fabric. If version 5.0 or later of the DXL ePO extensions are installed on your ePO server, an ePO DXL service should already be running on the fabric. If you are using an earlier version of the DXL ePO extensions, you can use the ePO DXL Python Service.
- The Node-RED DXL client is authorized to invoke the ePO DXL service, and the user that is connecting to the ePO server (within the ePO DXL service) has permission to execute the "system.findTag" remote command (see Client Authorization).
Here is the Node-RED flow content for this solution:
````json
[
  {
    "id": "a6c49432.25d5b8",
    "type": "tab",
    "label": "ePO Remote Command Example",
    "disabled": false,
    "info": "This sample invokes and displays the results of a `system.findTag` remote\r\ncommand via the ePO DXL service. The results of the find command are displayed\r\non the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A ePO DXL service is running and available on the DXL fabric. If version 5.0\r\n or later of the DXL ePO extensions are installed on your ePO server, an ePO\r\n DXL service should already be running on the fabric. If you are using an\r\n earlier version of the DXL ePO extensions, you can use the\r\n [ePO DXL Python Service](https://github.com/opendxl/opendxl-epo-service-python).\r\n* The DXL client associated with the `Find tags in ePO` node is authorized to\r\n invoke the ePO DXL service, and the user that is connecting to the ePO server\r\n (within the ePO DXL service) has permission to execute the `system.findTag`\r\n remote command (see\r\n [Client Authorization](https://opendxl.github.io/opendxl-epo-client-python/pydoc/authorization.html)).\r\n\r\n### Setup\r\n\r\n* If more than one ePO service is available on the DXL fabric that the DXL\r\n client is connecting to, edit the `Find tags in ePO` node and set the `ePO Id`\r\n property to that of the ePO service through which the remote command should be\r\n performed. By default, the `ePO Id` property is empty, in which case the\r\n client attempts to dynamically determine the id of the ePO service to\r\n communicate with.\r\n* Edit the `Set search text` node and modify the `Payload` property with the\r\n search text to use for the system find tag command. For example:\r\n\r\n ```json\r\n {\"searchText\":\"broker\"}\r\n ```\r\n\r\n* To deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the `Find tags in ePO` node.\r\n\r\n### Running\r\n\r\nTo exercise the flow, double-click the button on the left side of the\r\n`Set search text` node.\r\n\r\n### Output\r\n\r\nThe following output should appear in the Node-RED `debug` tab:\r\n\r\n```\r\n? [ object ]\r\n```\r\n\r\nAfter clicking on the right arrow button to expand the contents of the object,\r\noutput similar to the following should appear\r\n\r\n```\r\n? 0: object\r\n tagId: 3\r\n tagName: \"DXLBROKER\"\r\n tagNotes: \"DXL Broker\"\r\n```\r\n\r\n### Details\r\n\r\nThe flow exercises the nodes below.\r\n\r\n#### Set search text\r\n\r\nThis is an `inject` input node which starts the flow. This node injects a new\r\nmessage with a JSON-formatted document as the `payload`. The document\r\nspecifies the parameters to use for the ePO remote command. The parameters for\r\nthe \"system.findTag\" command include a `searchText` key with a corresponding\r\nvalue to be used as the text for the search.\r\n\r\nTo see the full list of remote commands and parameters that the ePO server\r\nsupports, a node which invokes the `core.help` remote command with an\r\nempty JSON document `{}` as the `payload` parameter could be included in a flow.\r\n\r\n#### Find tags in ePO\r\n\r\nThis is an `epo remote command` node. This node connects to the DXL fabric and\r\nsends a DXL `Request` message to the ePO service.\r\n\r\nThe `Command` property specifies the target remote command as `system.findTag`.\r\n\r\nThe DXL request message contains parameters set in the `payload` by the\r\n`Set search text` node.\r\n \r\nThe `Return` property is set to \"a parsed JSON object\" and the `Format` property\r\nis set to \"JSON\" to indicate that the payload for the response should be\r\nadded to the output message as a JavaScript object decoded from JSON.\r\n\r\n#### Output tags\r\n\r\nThis is a `debug` output node. This node outputs the `payload` set on\r\nthe message by the `Find tags in ePO` node. The output should include the\r\nresponse received from the DXL fabric for the `system.findTag` command.\r\n"
  },
  {
    "id": "f8520e86.9988a",
    "type": "dxl-epo-remote-command",
    "z": "a6c49432.25d5b8",
    "name": "Find tags in ePO",
    "command": "system.findTag",
    "client": "dc14e134.3cbdc",
    "returnType": "obj",
    "x": 330,
    "y": 100,
    "wires": [
      [
        "9f57edf.3a8841"
      ]
    ]
  },
  {
    "id": "946b44fc.150d48",
    "type": "inject",
    "z": "a6c49432.25d5b8",
    "name": "Set search text",
    "topic": "",
    "payload": "{\"searchText\":\"<specify-search-text>\"}",
    "payloadType": "json",
    "repeat": "",
    "crontab": "",
    "once": false,
    "onceDelay": 0.1,
    "x": 140,
    "y": 100,
    "wires": [
      [
        "f8520e86.9988a"
      ]
    ]
  },
  {
    "id": "9f57edf.3a8841",
    "type": "debug",
    "z": "a6c49432.25d5b8",
    "name": "Debug: Output tags",
    "active": true,
    "tosidebar": true,
    "console": false,
    "tostatus": false,
    "complete": "payload",
    "x": 530,
    "y": 100,
    "wires": []
  },
  {
    "id": "160fe741.ab7209",
    "type": "comment",
    "z": "a6c49432.25d5b8",
    "name": "Supply the tag search text to use in the 'Set search text' node ",
    "info": "",
    "x": 260,
    "y": 40,
    "wires": []
  }
]
````
mcafee added a new solution:
Prerequisites
- The OpenDXL and McAfee ePolicy Orchestrator (ePO) DXL modules have been added to the Node-RED palette.
- A DXL client has been configured in Node-RED (see Client Configuration).
- An ePO DXL service is running and available on the DXL fabric. If version 5.0 or later of the DXL ePO extensions are installed on your ePO server, an ePO DXL service should already be running on the fabric. If you are using an earlier version of the DXL ePO extensions, you can use the ePO DXL Python Service.
- The Node-RED DXL client is authorized to invoke the ePO DXL service, and the user that is connecting to the ePO server (within the ePO DXL service) has permission to execute the "system.find" remote command (see Client Authorization).
Here is the Node-RED flow content for this solution:
````json
[
  {
    "id": "c73cd652.3f9f08",
    "type": "tab",
    "label": "ePO System Find Example",
    "disabled": false,
    "info": "This sample invokes and displays the results of a `system.find` remote command\r\nvia the ePO DXL service. The results of the find command are displayed on the\r\nNode-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A ePO DXL service is running and available on the DXL fabric. If version 5.0\r\n or later of the DXL ePO extensions are installed on your ePO server, an ePO\r\n DXL service should already be running on the fabric. If you are using an\r\n earlier version of the DXL ePO extensions, you can use the\r\n [ePO DXL Python Service](https://github.com/opendxl/opendxl-epo-service-python).\r\n* The DXL client associated with the `Find systems in ePO` node is\r\n authorized to invoke the ePO DXL service, and the user that is connecting to\r\n the ePO server (within the ePO DXL service) has permission to execute the\r\n `system.find` remote command (see\r\n [Client Authorization](https://opendxl.github.io/opendxl-epo-client-python/pydoc/authorization.html)).\r\n\r\n### Setup\r\n\r\n* If more than one ePO service is available on the DXL fabric that the DXL\r\n client is connecting to, edit the `Find systems in ePO` node and set the\r\n `ePO Id` property to that of the ePO service through which the remote command\r\n should be performed. By default, the `ePO Id` property is empty, in which case\r\n the client attempts to dynamically determine the id of the ePO service to\r\n communicate with.\r\n* Edit the `Specify search text` node and modify the `Payload` property with\r\n the search text to use for the system find command. For example:\r\n\r\n ```\r\n broker\r\n ```\r\n\r\n* To deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the `Find systems in ePO` node.\r\n\r\n### Running\r\n\r\nTo exercise the flow, double-click the button on the left side of the\r\n`Specify search text` node.\r\n\r\n### Output\r\n\r\nThe following output should appear in the Node-RED `debug` tab:\r\n\r\n```\r\n? [ object ]\r\n```\r\n\r\nAfter clicking on the right arrow button to expand the contents of the object,\r\noutput similar to the following should appear:\r\n\r\n```\r\n? array[1]\r\n ? 0: object\r\n EPOComputerProperties.ParentID: 2\r\n EPOComputerProperties.ComputerName\": \"mysystem\",\r\n EPOComputerProperties.Description\": null,\r\n...\r\n```\r\n\r\n### Details\r\n\r\nThe flow exercises the nodes below.\r\n\r\n#### Specify search text\r\n\r\nThis is an `inject` input node which starts the flow. This node injects a new\r\nmessage with a `payload` property which specifies the search text to use for the\r\nsystem find command.\r\n\r\n#### Set searchText request parameter\r\n\r\nThis is a `change` node which copies the value from the `payload` property on\r\nthe message to the `searchText` property. The `Find systems in ePO` node uses the `searchText` property when constructing\r\nthe parameters for the `system.find` remote command. \r\n\r\n#### Find systems in ePO\r\n\r\nThis is an `epo system find` node. This node connects to the DXL fabric and\r\nsends a DXL `Request` message to the ePO service. The message specifies the\r\ntarget remote command as `system.find`.\r\n\r\nThe request message also includes the `msg.searchText` property set by the\r\n`Set searchText request parameter` node.\r\n \r\nThe `Return` property is set to \"a parsed JSON object\" and the `Format` property\r\nis set to \"JSON\" to indicate that the payload for the response should be\r\nadded to the output message as a JavaScript object decoded from JSON.\r\n\r\n#### Output result\r\n\r\nThis is a `debug` output node. This node outputs the `payload` set on\r\nthe message by the `Find systems in ePO` node. The output should include\r\nthe response received from the DXL fabric for the `system.find` command."
  },
  {
    "id": "1b9edb70.07a2d5",
    "type": "inject",
    "z": "c73cd652.3f9f08",
    "name": "Specify search text",
    "topic": "",
    "payload": "<specify-search-text>",
    "payloadType": "str",
    "repeat": "",
    "crontab": "",
    "once": false,
    "onceDelay": 0.1,
    "x": 130,
    "y": 100,
    "wires": [
      [
        "cd9123b6.2492f"
      ]
    ]
  },
  {
    "id": "af069888.ffe238",
    "type": "debug",
    "z": "c73cd652.3f9f08",
    "name": "Debug: Output systems",
    "active": true,
    "tosidebar": true,
    "console": false,
    "tostatus": false,
    "complete": "payload",
    "x": 530,
    "y": 300,
    "wires": []
  },
  {
    "id": "1b3a4932.b46f37",
    "type": "dxl-epo-system-find",
    "z": "c73cd652.3f9f08",
    "name": "",
    "client": "31714476.e2a4ec",
    "searchNameOnly": "",
    "epoUniqueId": "",
    "returnType": "obj",
    "x": 280,
    "y": 300,
    "wires": [
      [
        "af069888.ffe238"
      ]
    ]
  },
  {
    "id": "cd9123b6.2492f",
    "type": "change",
    "z": "c73cd652.3f9f08",
    "name": "Set searchText request parameter",
    "rules": [
      {
        "t": "set",
        "p": "searchText",
        "pt": "msg",
        "to": "payload",
        "tot": "msg"
      },
      {
        "t": "set",
        "p": "searchNameOnly",
        "pt": "msg",
        "to": "false",
        "tot": "bool"
      }
    ],
    "action": "",
    "property": "",
    "from": "",
    "to": "",
    "reg": false,
    "x": 260,
    "y": 200,
    "wires": [
      [
        "1b3a4932.b46f37"
      ]
    ]
  },
  {
    "id": "70002f7e.8a701",
    "type": "comment",
    "z": "c73cd652.3f9f08",
    "name": "Supply the system search text to use in the 'Set search text' node",
    "info": "",
    "x": 250,
    "y": 40,
    "wires": []
  }
]
````
mcafee added a new solution:
Prerequisites
- The OpenDXL and McAfee ePolicy Orchestrator (ePO) DXL modules have been added to the Node-RED palette.
- A DXL client has been configured in Node-RED (see Client Configuration).
- An ePO DXL service is running and available on the DXL fabric. If version 5.0 or later of the DXL ePO extensions are installed on your ePO server, an ePO DXL service should already be running on the fabric. If you are using an earlier version of the DXL ePO extensions, you can use the ePO DXL Python Service.
- The Node-RED DXL client is authorized to invoke the ePO DXL service, and the user that is connecting to the ePO server (within the ePO DXL service) has permission to execute the "DxlBrokerMgmt.createEpoThreatEvent" remote command (see Client Authorization).
Here is the Node-RED flow content for this solution:
````json
[
  {
    "id": "a1d1dbd.b4d6328",
    "type": "tab",
    "label": "ePO Create Threat Event Example",
    "disabled": false,
    "info": "This sample invokes and displays the results of a\n`DxlBrokerMgmt.createEpoThreatEvent` remote command via the ePO DXL service.\nThe results of the event creation command are displayed on the Node-RED `debug`\ntab.\n\n### Prerequisites\n\n* The samples configuration step has been completed (see\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\n* A ePO DXL service is running and available on the DXL fabric. If version 5.0\n or later of the DXL ePO extensions are installed on your ePO server, an ePO\n DXL service should already be running on the fabric. If you are using an\n earlier version of the DXL ePO extensions, you can use the\n [ePO DXL Python Service](https://github.com/opendxl/opendxl-epo-service-python).\n* The DXL client associated with the `Create threat event in ePO` node is\n authorized to invoke the ePO DXL service, and the user that is connecting to\n the ePO server (within the ePO DXL service) has permission to execute the\n `DxlBrokerMgmt.createEpoThreatEvent` remote command (see\n [Client Authorization](https://opendxl.github.io/opendxl-epo-client-python/pydoc/authorization.html)).\n\n### Setup\n\n* If more than one ePO service is available on the DXL fabric that the DXL\n client is connecting to, edit the `Create threat event in ePO` node and set the\n `ePO Id` property to that of the ePO service through which the remote command\n should be performed. By default, the `ePO Id` property is empty, in which case\n the client attempts to dynamically determine the id of the ePO service to\n communicate with.\n* Edit the `Set threat event parameters` node and modify the `msg.ip4Address`\n and `msg.agentGuid` properties with the value of an IPv4 address and McAfee\n agent GUID for the threat event to be created. Note that the value for the\n `msg.agentGuid` property must be that of a valid McAfee agent previously seen\n by the ePO server in order for the event to be created properly.\n* Modify the content in the `Format full ePO threat event` template node with\n appropriate information for the type of event to be created.\n* To deploy the flow, press the `Deploy` button in the upper-right corner of the\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\n with the word `connected` should appear under the `Create threat event in ePO`\n node.\n\n### Running\n\nTo exercise the flow, double-click the button on the left side of the\n`Inject current timestamp` node.\n\n### Output\n\nAn entry similar to the following should appear in the `debug` tab for the\n`Output event` node:\n\n```\n? { eventMsgType: \"McAfee Common Event\", eventMsgVersion: \"1.0\", event: object }\n```\n\nAfter clicking on the right arrow button to expand the contents of the object,\noutput similar to the following should appear:\n\n```\n? object\n eventMsgType: \"McAfee Common Event\"\n eventMsgVersion: \"1.0\"\n ? event: object\n category: \"This is the event category\"\n ...\n ? source: object\n ipv4: \"10.0.0.254\"\n...\n```\n\nOn successful creation of an event, a message similar to the following should\nappear in the `debug` tab for the `Output result` node:\n\n```\n\"Successfully created new ePO Threat Event for AgentGuid:'12345678-9012-3456-7890-12345678ABCD'\"\n```\n\n### Details\n\nThe flow exercises the nodes below.\n\n#### Inject current timestamp\n\nThis is an `inject` input node which starts the flow. This node injects a new\nmessage with a `payload` property which specifies the current system timestamp\n(as a numeric value representing milliseconds since January 1, 1970).\n\n#### Set threat event parameters\n\nThis is a `change` node which sets values for the `ipv4Address` and `agentGuid`\nproperties on the message. The `Format full ePO threat event` template node\nuses these values when formatting the content of the full threat event payload.\n\n#### Get current date as ISO string\n\nThis is a `function` node which uses the value from the timestamp `payload`\ninjected by the `Inject current timestamp` node to set a `currentDate` message\nproperty with the timestamp value formatted as an ISO string. The\n`Format full ePO threat event` template node uses this value when formatting the\ncontent of the full threat event payload.\n\n#### Format full ePO threat event\n\nThis is a `template` node which constructs the full threat event payload to\nsend to the ePO server. The node produces a payload which conforms to the\n\"McAfee Common Event\" format. The payload is stored as a JavaScript object to\nthe `event` property on the message.\n\n#### Output event\n\nThis is a `debug` output node. This node outputs the contents of the `event`\nproperty set on the message by the `Format full ePO threat event` node.\n\n#### Create threat event in ePO\n\nThis is an `epo threat event create` node. This node connects to the DXL fabric\nand sends a DXL `Request` message to the ePO service. The message specifies the\ntarget remote command as `DxlBrokerMgmt.createEpoThreatEvent`.\n\nThe request message also includes the `msg.event` property set by the\n`Format full ePO threat event` node.\n \nThe `Return` property is set to \"a parsed JSON object\" and the `Format` property\nis set to \"JSON\" to indicate that the payload for the response should be\nadded to the output message as a JavaScript object decoded from JSON.\n\n#### Output result\n\nThis is a `debug` output node. This node outputs the `payload` set on\nthe message by the `Create threat event in ePO` node. The output should include\nthe response received from the DXL fabric for the\n`DxlBrokerMgmt.createEpoThreatEvent` command."
  },
  {
    "id": "23fb9acf.4763a6",
    "type": "template",
    "z": "a1d1dbd.b4d6328",
    "name": "Format full ePO threat event",
    "field": "event",
    "fieldType": "msg",
    "format": "handlebars",
    "syntax": "mustache",
    "template": "{\n \"eventMsgType\": \"McAfee Common Event\",\n \"eventMsgVersion\": \"1.0\",\n \"event\": {\n \"category\": \"This is the event category\",\n \"eventDesc\": \"This is the event description\",\n \"threatActionTaken\": \"blocked\",\n \"threatHandled\": 1,\n \"threatName\": \"This is the threat name\",\n \"threatSeverity\": 1,\n \"threatType\": \"This is the threat type\",\n \"analyzer\": {\n \"detectionMethod\": \"This is the detection method\",\n \"detectedUTC\": \"{{currentDate}}\",\n \"id\": \"MY_ANALYZER_0123\",\n \"name\": \"My Analyzer\",\n \"version\": \"1.2.3\"\n },\n \"entity\": { \n \"id\": \"{{agentGuid}}\" \n },\n \"source\": {\n \"ipv4\": \"{{ipv4Address}}\",\n \"mac\": \"\"\n },\n \"target\": {\n\t \"ipv4\": \"{{ipv4Address}}\",\n\t \"mac\": \"\",\n\t \"port\": 0\n\t}\n }\n}",
    "output": "json",
    "x": 200,
    "y": 300,
    "wires": [
      [
        "efa60b16.e2a988",
        "6c3dd002.9d8a9"
      ]
    ]
  },
  {
    "id": "bb9f7043.5406f",
    "type": "inject",
    "z": "a1d1dbd.b4d6328",
    "name": "Inject current timestamp",
    "topic": "",
    "payload": "",
    "payloadType": "date",
    "repeat": "",
    "crontab": "",
    "once": false,
    "onceDelay": 0.1,
    "x": 140,
    "y": 40,
    "wires": [
      [
        "f75fccdd.1b9"
      ]
    ]
  },
  {
    "id": "923d51f6.723f2",
    "type": "comment",
    "z": "a1d1dbd.b4d6328",
    "name": "Set the IP address and agent GUID for the event",
    "info": "",
    "x": 560,
    "y": 120,
    "wires": []
  },
  {
    "id": "efa60b16.e2a988",
    "type": "dxl-epo-threat-event-create",
    "z": "a1d1dbd.b4d6328",
    "name": "",
    "client": "24599b64.76f314",
    "searchNameOnly": "",
    "epoUniqueId": "",
    "returnType": "obj",
    "x": 200,
    "y": 400,
    "wires": [
      [
        "79ea3d97.2b4104"
      ]
    ]
  },
  {
    "id": "79ea3d97.2b4104",
    "type": "debug",
    "z": "a1d1dbd.b4d6328",
    "name": "Debug: Output result",
    "active": true,
    "tosidebar": true,
    "console": false,
    "tostatus": false,
    "complete": "payload",
    "x": 520,
    "y": 400,
    "wires": []
  },
  {
    "id": "f75fccdd.1b9",
    "type": "change",
    "z": "a1d1dbd.b4d6328",
    "name": "Set threat event parameters",
    "rules": [
      {
        "t": "set",
        "p": "ipv4Address",
        "pt": "msg",
        "to": "10.0.0.254",
        "tot": "str"
      },
      {
        "t": "set",
        "p": "agentGuid",
        "pt": "msg",
        "to": "12345678-9012-3456-7890-12345678ABCD",
        "tot": "str"
      }
    ],
    "action": "",
    "property": "",
    "from": "",
    "to": "",
    "reg": false,
    "x": 200,
    "y": 120,
    "wires": [
      [
        "d0c6a116.28a89"
      ]
    ]
  },
  {
    "id": "d0c6a116.28a89",
    "type": "function",
    "z": "a1d1dbd.b4d6328",
    "name": "Get current date as ISO string",
    "func": "msg.currentDate = new Date(msg.payload).toISOString()\nreturn msg",
    "outputs": 1,
    "noerr": 0,
    "x": 210,
    "y": 200,
    "wires": [
      [
        "23fb9acf.4763a6"
      ]
    ]
  },
  {
    "id": "41f9ada8.9dbb34",
    "type": "comment",
    "z": "a1d1dbd.b4d6328",
    "name": "Fill in event details (e.g., data for a host intrusion detection)",
    "info": "",
    "x": 590,
    "y": 300,
    "wires": []
  },
  {
    "id": "6c3dd002.9d8a9",
    "type": "debug",
    "z": "a1d1dbd.b4d6328",
    "name": "Debug: Output event",
    "active": true,
    "tosidebar": true,
    "console": false,
    "tostatus": false,
    "complete": "event",
    "x": 520,
    "y": 240,
    "wires": []
  }
]
````
mcafee added a new solution:
Prerequisites
- The OpenDXL and McAfee Threat Intelligence Exchange (TIE) DXL modules have been added to the Node-RED palette.
- A DXL client has been configured in Node-RED (see Client Configuration).
- A TIE server is installed and available on the DXL fabric.
Here is the Node-RED flow content for this solution:
````json
[
  {
    "id": "e6aa430b.c2db4",
    "type": "tab",
    "label": "TIE Get Certificate Reputation Example",
    "disabled": false,
    "info": "This sample invokes the TIE DXL service to retrieve the reputation of a\r\ncertificate (as identified by hashes). The response to the TIE request is\r\nprinted to the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A TIE service is available on the DXL fabric.\r\n\r\n### Setup\r\n\r\n* Edit the `Specify hash request parameters` node and modify the `msg.sha1`\r\n rule with the hash of the certificate and the `msg.publicKeySha1` rule with\r\n the hash of the public key that you want to use for the lookup. Note that\r\n the `msg.publicKeySha1` property is optional so this value can be set to an\r\n empty string or the property may be removed entirely if the public key is\r\n not known.\r\n\r\n* To deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the\r\n `Get reputation from TIE` node.\r\n\r\n### Running\r\n\r\nTo exercise the flow, double-click the button on the left side of the \r\n`Start flow` node.\r\n\r\n### Output\r\n\r\nThe output in the Node-RED `debug` tab should appear similar to the following:\r\n\r\n```\r\n? { 2: object, 4: object }\r\n```\r\n\r\nClick on the right arrow buttons to expand the contents of the object. The\r\ncontent should look similar to the following:\r\n\r\n```\r\n? object\r\n ? 2: object\r\n ? attributes: object\r\n 2108821: \"94\"\r\n 2109077: \"1454912619\"\r\n 2117524: \"0\"\r\n 2120596: \"0\"\r\n createDate: 1476318514\r\n providerId: 2\r\n trustLevel: 99\r\n ? 4: object\r\n ? attributes: object\r\n 2109333: \"12\"\r\n 2109589: \"1476318514\"\r\n 2139285: \"7318349394477075\"\r\n createDate: 1476318514\r\n providerId: 4\r\n trustLevel: 0\r\n```\r\n\r\nThe `key` for each entry in the object corresponds to a particular `provider` of\r\nthe associated `reputation`. The list of certificate reputation providers can\r\nbe found in the\r\n[CertProvider documentation](https://opendxl.github.io/opendxl-tie-client-javascript/jsdoc/module-CertProvider.html)\r\nin the TIE JavaScript client SDK.\r\n\r\nThe McAfee Global Threat Intelligence (GTI) service is identified in the results\r\nas `providerId: 2`. The trust level associated with the GTI response\r\n(`trustLevel: 99`) indicates that the certificate is known good.\r\n\r\nSee the \r\n[TrustLevel documentation](https://opendxl.github.io/opendxl-tie-client-javascript/jsdoc/module-TrustLevel.html)\r\nin the TIE JavaScript client SDK for the list of standard trust levels.\r\n\r\n### Details\r\n\r\nThe flow exercises the nodes below.\r\n\r\n#### Start flow\r\n\r\nThis is an `inject` input node which starts the flow.\r\n\r\n#### Set hash request parameters\r\n\r\nThis is a `change` node which sets the hash of the certificate to the\r\n`msg.sha1` property and the hash of the associated public key to the\r\n`msg.publicKeySha1` property. The `Get reputation from TIE` node uses the\r\n`sha1` and `publicKeySha1` properties when constructing the parameters for the\r\nTIE first references request. \r\n\r\n#### Get reputation from TIE\r\n\r\nThis is a `tie get certificate reputation` node. This node connects to\r\nthe DXL fabric and sends a DXL `Request` message to the TIE service to lookup\r\ncertificate reputation information.\r\n\r\nThe request message also includes the `sha1` and `publicKeySha1` properties set\r\nby the `Set hash request parameters` node.\r\n\r\nThe `Return` property is set to \"a parsed JSON object\" to indicate that the\r\npayload for the response should be added to the output message as a JavaScript\r\nobject decoded from JSON.\r\n\r\n#### Output first references\r\n\r\nThis is a `debug` output node. This node outputs the `payload` set on\r\nthe message by the `Get reputation from TIE` node. The output should\r\ninclude information for reputation data for the certificate."
  },
  {
    "id": "a148f5e2.763d88",
    "type": "dxl-tie-get-certificate-reputation",
    "z": "e6aa430b.c2db4",
    "name": "Get reputation from TIE",
    "client": "2ed0ce07.039942",
    "returnType": "obj",
    "x": 330,
    "y": 200,
    "wires": [
      [
        "14798663.f923fa"
      ]
    ]
  },
  {
    "id": "14798663.f923fa",
    "type": "debug",
    "z": "e6aa430b.c2db4",
    "name": "Debug: Output reputation",
    "active": true,
    "tosidebar": true,
    "console": false,
    "tostatus": false,
    "complete": "payload",
    "x": 590,
    "y": 200,
    "wires": []
  },
  {
    "id": "caeea8f4.abe3c8",
    "type": "inject",
    "z": "e6aa430b.c2db4",
    "name": "Start flow",
    "topic": "",
    "payload": "",
    "payloadType": "str",
    "repeat": "",
    "crontab": "",
    "once": false,
    "onceDelay": 0.1,
    "x": 100,
    "y": 40,
    "wires": [
      [
        "44a5cb23.7a8ad4"
      ]
    ]
  },
  {
    "id": "44a5cb23.7a8ad4",
    "type": "change",
    "z": "e6aa430b.c2db4",
    "name": "Set hash request parameters",
    "rules": [
      {
        "t": "set",
        "p": "sha1",
        "pt": "msg",
        "to": "6eae26db8c13182a7947982991b4321732cc3de2",
        "tot": "str"
      },
      {
        "t": "set",
        "p": "publicKeySha1",
        "pt": "msg",
        "to": "3b87a2d6f39770160364b79a152fcc73bae27adf",
        "tot": "str"
      }
    ],
    "action": "",
    "property": "",
    "from": "",
    "to": "",
    "reg": false,
    "x": 240,
    "y": 120,
    "wires": [
      [
        "a148f5e2.763d88"
      ]
    ]
  },
  {
    "id": "5aaa4a15.cfe6b4",
    "type": "comment",
    "z": "e6aa430b.c2db4",
    "name": "Supply the cert hashes in the 'Specify hash request parameters' node",
    "info": "",
    "x": 460,
    "y": 60,
    "wires": []
  },
  {
    "id": "2ed0ce07.039942",
    "type": "dxl-client",
    "z": "",
    "configFile": "/data/dxl/dxlclient.config",
    "name": "",
    "keepAliveInterval": "1800",
    "reconnectDelay": "1"
  }
]
````
mcafee added a new solution:
Prerequisites
- The OpenDXL and McAfee Threat Intelligence Exchange (TIE) DXL modules have been added to the Node-RED palette.
- A DXL client has been configured in Node-RED (see Client Configuration).
- A TIE server is installed and available on the DXL fabric.
Here is the Node-RED flow content for this solution:
````json
[
  {
    "id": "39707d18.0f97d2",
    "type": "tab",
    "label": "TIE Get File Reputation Example",
    "disabled": false,
    "info": "This sample invokes the TIE DXL service to retrieve the reputation of a file (as\r\nidentified by hashes). The response to the TIE request is printed to the\r\nNode-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A TIE service is available on the DXL fabric.\r\n\r\n### Setup\r\n\r\n* To deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the `Get reputation from TIE`\r\n node.\r\n\r\n### Running\r\n\r\nTo exercise the flow for the \"notepad.exe\" file, double-click the button on the\r\nleft side of the `Start Notepad.exe lookup flow` node.\r\n\r\nTo exercise the flow for the \"EICAR Standard Anti-Virus Test File\" file,\r\ndouble-click the button on the left side of the `Start EICAR lookup flow` node.\r\n\r\n### Output\r\n\r\nThe output in the Node-RED `debug` tab after the flow is run for the\r\n`notepad.exe` file should appear similar to the following:\r\n\r\n```\r\n? { 1: object, 3: object }\r\n```\r\n\r\nClick on the right arrow buttons to expand the contents of the object. The\r\ncontent should look similar to the following:\r\n\r\n```\r\n? object\r\n ? 1: object\r\n ? attributes: object\r\n 2120340: \"2139160704\"\r\n createDate: 1451502875\r\n providerId: 1\r\n trustLevel: 99\r\n ? 3: object\r\n ? attributes: object\r\n 2101652: \"17\"\r\n 2102165: \"1451502875\"\r\n 2111893: \"21\"\r\n 2114965: \"0\"\r\n 2139285: \"72339069014638857\"\r\n createDate: 1526675921\r\n providerId: 3\r\n trustLevel: 99\r\n```\r\n\r\nThe `key` for each entry in the object corresponds to a particular `provider` of\r\nthe associated `reputation`. The list of file reputation providers can\r\nbe found in the\r\n[FileProvider documentation](https://opendxl.github.io/opendxl-tie-client-javascript/jsdoc/module-FileProvider.html)\r\nin the TIE JavaScript client SDK.\r\n\r\nThe McAfee Global Threat Intelligence (GTI) service is identified in the results\r\nas `providerId: 1`. The trust level associated with the GTI response\r\n(`trustLevel: 99`) indicates that the file is known good.\r\n\r\nThe output in the Node-RED `debug` tab after the flow is run for the `EICAR`\r\nfile should also appear similar to the following:\r\n\r\n```\r\n? { 1: object, 3: object }\r\n```\r\n\r\nClick on the right arrow buttons to expand the contents of the object. The\r\ncontent should look similar to the following:\r\n\r\n```\r\n? object\r\n ? 1: object\r\n ? attributes: object\r\n 2120340: \"2139162632\"\r\n createDate: 1451504331\r\n providerId: 1\r\n trustLevel: 1\r\n ? 3: object\r\n ? attributes: object\r\n 2101652: \"11\"\r\n 2102165: \"1451504331\"\r\n 2111893: \"22\"\r\n 2114965: \"0\"\r\n 2139285: \"72339069014638857\"\r\n createDate: 1451504331\r\n providerId: 3\r\n trustLevel: 0\r\n```\r\n\r\nThe trust level associated with the GTI response (`trustLevel: 1`) indicates\r\nthat the file is known bad.\r\n\r\nSee the \r\n[TrustLevel documentation](https://opendxl.github.io/opendxl-tie-client-javascript/jsdoc/module-TrustLevel.html)\r\nin the TIE JavaScript client SDK for the list of standard trust levels.\r\n\r\n### Details\r\n\r\nThe flow exercises the nodes below.\r\n\r\n#### Start lookup flow\r\n\r\nThese are `inject` input nodes which start the flow.\r\n\r\n#### Set hashes request parameter\r\n\r\nThese are `change` nodes which set values for different hash types —\r\n`md5`, `sha1`, and `sha256` — onto an object which is stored to the\r\n`hashes` property on the message. The `Get reputation from TIE` node uses\r\nthe `hashes` property when constructing the parameters for the TIE reputation\r\nrequest. \r\n\r\n#### Get reputation from TIE\r\n\r\nThis is a `tie get file reputation` node. This node connects to\r\nthe DXL fabric and sends a DXL `Request` message to the TIE service to lookup\r\nfile reputation information.\r\n\r\nThe request message includes the `hashes` properties set by the\r\n`Set hashes request parameter` nodes.\r\n\r\nThe `Return` property is set to \"a parsed JSON object\" to indicate that the\r\npayload for the response should be added to the output message as a JavaScript\r\nobject decoded from JSON.\r\n\r\n#### Output reputation\r\n\r\nThis is a `debug` output node. This node outputs the `payload` set on\r\nthe message by the `Get reputation from TIE` node. The output should\r\ninclude information for reputation data for the file."
````
- },
- {
- "id": "51a672e5.8eeacc",
- "type": "dxl-tie-get-file-reputation",
- "z": "39707d18.0f97d2",
- "name": "Get reputation from TIE",
- "client": "2ed0ce07.039942",
- "returnType": "obj",
- "x": 650,
- "y": 200,
- "wires": [
- [
- "5fba5195.75416"
- ]
- ]
- },
- {
- "id": "5fba5195.75416",
- "type": "debug",
- "z": "39707d18.0f97d2",
- "name": "Debug: Output reputation",
- "active": true,
- "tosidebar": true,
- "console": false,
- "tostatus": false,
- "complete": "payload",
- "x": 770,
- "y": 300,
- "wires": []
- },
- {
- "id": "6f2b0eb8.3ccf1",
- "type": "change",
- "z": "39707d18.0f97d2",
- "name": "Set hashes request parameter for Notepad.exe",
- "rules": [
- {
- "t": "set",
- "p": "hashes",
- "pt": "msg",
- "to": "payload",
- "tot": "msg"
- },
- {
- "t": "set",
- "p": "hashes.md5",
- "pt": "msg",
- "to": "f2c7bb8acc97f92e987a2d4087d021b1",
- "tot": "str"
- },
- {
- "t": "set",
- "p": "hashes.sha1",
- "pt": "msg",
- "to": "7eb0139d2175739b3ccb0d1110067820be6abd29",
- "tot": "str"
- },
- {
- "t": "set",
- "p": "hashes.sha256",
- "pt": "msg",
- "to": "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2",
- "tot": "str"
- }
- ],
- "action": "",
- "property": "",
- "from": "",
- "to": "",
- "reg": false,
- "x": 300,
- "y": 120,
- "wires": [
- [
- "51a672e5.8eeacc"
- ]
- ]
- },
- {
- "id": "373b1de9.ad69a2",
- "type": "change",
- "z": "39707d18.0f97d2",
- "name": "Set hashes request parameter for EICAR",
- "rules": [
- {
- "t": "set",
- "p": "hashes",
- "pt": "msg",
- "to": "payload",
- "tot": "msg"
- },
- {
- "t": "set",
- "p": "hashes.md5",
- "pt": "msg",
- "to": "44d88612fea8a8f36de82e1278abb02f",
- "tot": "str"
- },
- {
- "t": "set",
- "p": "hashes.sha1",
- "pt": "msg",
- "to": "3395856ce81f2b7382dee72602f798b642f14140",
- "tot": "str"
- },
- {
- "t": "set",
- "p": "hashes.sha256",
- "pt": "msg",
- "to": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
- "tot": "str"
- }
- ],
- "action": "",
- "property": "",
- "from": "",
- "to": "",
- "reg": false,
- "x": 280,
- "y": 300,
- "wires": [
- [
- "51a672e5.8eeacc"
- ]
- ]
- },
- {
- "id": "b473334d.8f843",
- "type": "inject",
- "z": "39707d18.0f97d2",
- "name": "Start Notepad.exe lookup flow",
- "topic": "",
- "payload": "{}",
- "payloadType": "json",
- "repeat": "",
- "crontab": "",
- "once": false,
- "onceDelay": 0.1,
- "x": 160,
- "y": 40,
- "wires": [
- [
- "6f2b0eb8.3ccf1"
- ]
- ]
- },
- {
- "id": "2a870a65.7cfd26",
- "type": "inject",
- "z": "39707d18.0f97d2",
- "name": "Start EICAR lookup flow",
- "topic": "",
- "payload": "{}",
- "payloadType": "json",
- "repeat": "",
- "crontab": "",
- "once": false,
- "onceDelay": 0.1,
- "x": 140,
- "y": 200,
- "wires": [
- [
- "373b1de9.ad69a2"
- ]
- ]
- }
- ]
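The per-provider object that the `Get reputation from TIE` node writes to `msg.payload` is only useful to an automated response once it is reduced to a single verdict; the following is an added example (not code from the original flow or the OpenDXL project) of a `function` node body that does so. The trust-level constants are those listed in the TrustLevel documentation the flow links to; the name "Enterprise" for provider id 3 and the "lowest set level wins" rule are assumptions.

```javascript
// Added example (not code from the original flow or the OpenDXL project).
// A Node-RED "function" node body that could sit between "Get reputation from
// TIE" and the debug node: it reduces the per-provider object shown in the
// flow's debug output (msg.payload) to one verdict a downstream rule can act on.

// Standard trust levels, as listed in the TrustLevel documentation the flow
// links to. The flow itself only exercises 99, 1 and 0.
const TrustLevel = {
  KNOWN_TRUSTED_INSTALLER: 100,
  KNOWN_TRUSTED: 99,
  MOST_LIKELY_TRUSTED: 85,
  MIGHT_BE_TRUSTED: 70,
  UNKNOWN: 50,
  MIGHT_BE_MALICIOUS: 30,
  MOST_LIKELY_MALICIOUS: 15,
  KNOWN_MALICIOUS: 1,
  NOT_SET: 0,
};

// Provider id 1 is GTI (stated in the flow); 3 = Enterprise is an assumption
// taken from the FileProvider documentation the flow links to.
const ProviderName = { 1: "GTI", 3: "Enterprise" };

// Coarse label for a trust level. Values between the documented constants are
// mapped by band, so an unexpected level is never silently treated as clean.
function labelFor(level) {
  if (level === TrustLevel.NOT_SET) return "not-set";
  if (level >= TrustLevel.KNOWN_TRUSTED) return "known-trusted";
  if (level >= TrustLevel.MIGHT_BE_TRUSTED) return "likely-trusted";
  if (level > TrustLevel.MIGHT_BE_MALICIOUS) return "unknown";
  if (level > TrustLevel.KNOWN_MALICIOUS) return "likely-malicious";
  return "known-malicious";
}

// Summarise a TIE response object keyed by provider id. Decision rule (an
// assumption): the lowest trust level among providers that actually set one
// wins, so a single "known malicious" answer is never outvoted by a NOT_SET
// entry such as the Enterprise entry in the EICAR output above.
function summarizeReputation(payload) {
  const providers = Object.keys(payload || {}).map((key) => {
    const entry = payload[key];
    const raw = Number(entry.trustLevel);
    const level = Number.isFinite(raw) ? raw : TrustLevel.NOT_SET; // missing level: not set
    return {
      providerId: entry.providerId,
      provider: ProviderName[entry.providerId] || "provider-" + entry.providerId,
      trustLevel: level,
      label: labelFor(level),
      createDate: entry.createDate,
    };
  });
  const decided = providers.filter((p) => p.trustLevel !== TrustLevel.NOT_SET);
  if (decided.length === 0) {
    return { providers, verdict: "unknown", decidedBy: null };
  }
  const worst = decided.reduce((a, b) => (b.trustLevel < a.trustLevel ? b : a));
  return { providers, verdict: worst.label, decidedBy: worst.provider };
}

// What the function node itself would contain: read msg.payload written by
// "Get reputation from TIE", attach msg.verdict, pass the message on.
function functionNode(msg) {
  msg.verdict = summarizeReputation(msg.payload);
  return msg;
}

// Constructed inputs mirroring the two debug outputs shown in the flow's info.
const NOTEPAD_RESPONSE = {
  1: { attributes: { 2120340: "2139160704" }, createDate: 1451502875, providerId: 1, trustLevel: 99 },
  3: { attributes: { 2101652: "17" }, createDate: 1526675921, providerId: 3, trustLevel: 99 },
};
const EICAR_RESPONSE = {
  1: { attributes: { 2120340: "2139162632" }, createDate: 1451504331, providerId: 1, trustLevel: 1 },
  3: { attributes: { 2101652: "11" }, createDate: 1451504331, providerId: 3, trustLevel: 0 },
};

console.log(JSON.stringify(functionNode({ payload: NOTEPAD_RESPONSE }).verdict));
console.log(JSON.stringify(functionNode({ payload: EICAR_RESPONSE }).verdict));
```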
mcafee added a new solution:
Prerequisites
- The OpenDXL and McAfee ePolicy Orchestrator (ePO) DXL modules have been added to the Node-RED palette.
- A DXL client has been configured in Node-RED (see Client Configuration).
- An ePO DXL service is running and available on the DXL fabric. If version 5.0 or later of the DXL ePO extensions are installed on your ePO server, an ePO DXL service should already be running on the fabric. If you are using an earlier version of the DXL ePO extensions, you can use the ePO DXL Python Service.
- The Node-RED DXL client is authorized to invoke the ePO DXL service, and the user that is connecting to the ePO server (within the ePO DXL service) has permission to execute the "system.clearTag" remote command (see Client Authorization).
Here is the Node-RED flow content for this solution:
[
  {
    "id": "1723c736.e448e9",
    "type": "tab",
    "label": "ePO System Clear Tag Example",
    "disabled": false,
    "info": "This sample invokes and displays the results of a `system.clearTag` remote\r\ncommand via the ePO DXL service. The results of the clear command are displayed\r\non the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* An ePO DXL service is running and available on the DXL fabric. If version 5.0\r\n or later of the DXL ePO extensions are installed on your ePO server, an ePO\r\n DXL service should already be running on the fabric. If you are using an\r\n earlier version of the DXL ePO extensions, you can use the\r\n [ePO DXL Python Service](https://github.com/opendxl/opendxl-epo-service-python).\r\n* The DXL client associated with the `Clear system tag from ePO` node is\r\n authorized to invoke the ePO DXL service, and the user that is connecting to\r\n the ePO server (within the ePO DXL service) has permission to execute the\r\n `system.clearTag` remote command (see\r\n [Client Authorization](https://opendxl.github.io/opendxl-epo-client-python/pydoc/authorization.html)).\r\n\r\n### Setup\r\n\r\n* If more than one ePO service is available on the DXL fabric that the DXL\r\n client is connecting to, edit the `Clear system tag from ePO` node and set the\r\n `ePO Id` property to that of the ePO service through which the remote command\r\n should be performed. By default, the `ePO Id` property is empty, in which case\r\n the client attempts to dynamically determine the id of the ePO service to\r\n communicate with.\r\n* Edit the `Specify systems to clear tag from` node and modify the `Payload`\r\n property with the name(s) of the system(s) to clear the tag from. System names\r\n should be separated by commas. For example:\r\n\r\n ```\r\n system1,system2\r\n ```\r\n\r\n* Edit the `Clear system tag from ePO` node and modify the `Tag name` property\r\n with the name of the tag to clear. For example:\r\n\r\n ```\r\n mytag1\r\n ```\r\n\r\n* To deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the `Clear system tag from ePO`\r\n node.\r\n\r\n### Running\r\n\r\nTo exercise the flow, double-click the button on the left side of the\r\n`Specify systems to clear tag from` node.\r\n\r\n### Output\r\n\r\nThe number of systems that the tag was cleared from should appear in the\r\nNode-RED `debug` tab. For example:\r\n\r\n```\r\n2\r\n```\r\n\r\n### Details\r\n\r\nThe flow exercises the nodes below.\r\n\r\n#### Specify systems to clear tag from\r\n\r\nThis is an `inject` input node which starts the flow. This node injects a new\r\nmessage with a `payload` property which specifies the name(s) of the system(s)\r\nto clear the tag from.\r\n\r\n#### Set names request parameter\r\n\r\nThis is a `change` node which copies the value from the `payload` property on\r\nthe message to the `names` property. The `Clear system tag from ePO` node uses the `names` property\r\nwhen constructing the parameters for the `system.clearTag` remote command.\r\n\r\n#### Clear system tag from ePO\r\n\r\nThis is an `epo system clear tag` node. This node connects to the DXL fabric and\r\nsends a DXL `Request` message to the ePO service. The message specifies the\r\ntarget remote command as `system.clearTag`.\r\n\r\nThe request message also includes the `msg.names` property set by the\r\n`Set names request parameter` node and the `tagName` set in the\r\n`Tag name` property.\r\n\r\nThe `Return` property is set to \"a parsed JSON object\" and the `Format` property\r\nis set to \"JSON\" to indicate that the payload for the response should be\r\nadded to the output message as a JavaScript object decoded from JSON.\r\n\r\n#### Output result\r\n\r\nThis is a `debug` output node. This node outputs the `payload` set on\r\nthe message by the `Clear system tag from ePO` node. The output should include\r\nthe response received from the DXL fabric for the `system.clearTag` command."
  },
  {
    "id": "bd18c65a.273748",
    "type": "inject",
    "z": "1723c736.e448e9",
    "name": "Specify systems to clear tag from",
    "topic": "",
    "payload": "<specify-systems-to-clear-tag-from>",
    "payloadType": "str",
    "repeat": "",
    "crontab": "",
    "once": false,
    "onceDelay": 0.1,
    "x": 170,
    "y": 100,
    "wires": [
      [
        "684fc5a6.d1373c"
      ]
    ]
  },
  {
    "id": "a8237152.66ba2",
    "type": "debug",
    "z": "1723c736.e448e9",
    "name": "Debug: Output result",
    "active": true,
    "tosidebar": true,
    "console": false,
    "tostatus": false,
    "complete": "payload",
    "x": 580,
    "y": 300,
    "wires": []
  },
  {
    "id": "5c2cef1a.30518",
    "type": "dxl-epo-system-clear-tag",
    "z": "1723c736.e448e9",
    "name": "",
    "tagName": "<specify-tag-to-clear>",
    "client": "2ed0ce07.039942",
    "returnType": "obj",
    "x": 320,
    "y": 300,
    "wires": [
      [
        "a8237152.66ba2"
      ]
    ]
  },
  {
    "id": "684fc5a6.d1373c",
    "type": "change",
    "z": "1723c736.e448e9",
    "name": "Set names request parameter",
    "rules": [
      {
        "t": "set",
        "p": "names",
        "pt": "msg",
        "to": "payload",
        "tot": "msg"
      }
    ],
    "action": "",
    "property": "",
    "from": "",
    "to": "",
    "reg": false,
    "x": 250,
    "y": 200,
    "wires": [
      [
        "5c2cef1a.30518"
      ]
    ]
  },
  {
    "id": "1b8a001f.ba618",
    "type": "comment",
    "z": "1723c736.e448e9",
    "name": "Supply the list of systems to untag in the 'Specify systems to clear tag from' node",
    "info": "",
    "x": 240,
    "y": 40,
    "wires": []
  },
  {
    "id": "6fa0ef7f.f3a96",
    "type": "comment",
    "z": "1723c736.e448e9",
    "name": "Supply the tag name in the 'Clear system tag from ePO' node",
    "info": "",
    "x": 400,
    "y": 360,
    "wires": []
  }
]
mcafee added a new solution:
Prerequisites
- The OpenDXL and McAfee ePolicy Orchestrator (ePO) DXL modules have been added to the Node-RED palette.
- A DXL client has been configured in Node-RED (see Client Configuration).
- An ePO DXL service is running and available on the DXL fabric. If version 5.0 or later of the DXL ePO extensions are installed on your ePO server, an ePO DXL service should already be running on the fabric. If you are using an earlier version of the DXL ePO extensions, you can use the ePO DXL Python Service.
- The Node-RED DXL client is authorized to invoke the ePO DXL service, and the user that is connecting to the ePO server (within the ePO DXL service) has permission to execute the "system.applyTag" remote command (see Client Authorization).
Here is the Node-RED flow content for this solution:
[
  {
    "id": "3cab471f.fbdca8",
    "type": "tab",
    "label": "ePO System Apply Tag Example",
    "disabled": false,
    "info": "This sample invokes and displays the results of a `system.applyTag` remote\r\ncommand via the ePO DXL service. The results of the apply command are displayed\r\non the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* An ePO DXL service is running and available on the DXL fabric. If version 5.0\r\n or later of the DXL ePO extensions are installed on your ePO server, an ePO\r\n DXL service should already be running on the fabric. If you are using an\r\n earlier version of the DXL ePO extensions, you can use the\r\n [ePO DXL Python Service](https://github.com/opendxl/opendxl-epo-service-python).\r\n* The DXL client associated with the `Apply system tag in ePO` node is\r\n authorized to invoke the ePO DXL service, and the user that is connecting to\r\n the ePO server (within the ePO DXL service) has permission to execute the\r\n `system.applyTag` remote command (see\r\n [Client Authorization](https://opendxl.github.io/opendxl-epo-client-python/pydoc/authorization.html)).\r\n\r\n### Setup\r\n\r\n* If more than one ePO service is available on the DXL fabric that the DXL\r\n client is connecting to, edit the `Apply system tag in ePO` node and set the\r\n `ePO Id` property to that of the ePO service through which the remote command\r\n should be performed. By default, the `ePO Id` property is empty, in which case\r\n the client attempts to dynamically determine the id of the ePO service to\r\n communicate with.\r\n* Edit the `Specify systems to tag` node and modify the `Payload` property with\r\n the name(s) of the system(s) to apply the tag to. System names should be\r\n separated by commas. For example:\r\n\r\n ```\r\n system1,system2\r\n ```\r\n\r\n* Edit the `Apply system tag in ePO` node and modify the `Tag name` property\r\n with the name of the tag to apply. For example:\r\n\r\n ```\r\n mytag1\r\n ```\r\n\r\n* To deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the `Apply system tag in ePO`\r\n node.\r\n\r\n### Running\r\n\r\nTo exercise the flow, double-click the button on the left side of the\r\n`Specify systems to tag` node.\r\n\r\n### Output\r\n\r\nThe number of systems that the tag was applied to should appear in the Node-RED\r\n`debug` tab. For example:\r\n\r\n```\r\n2\r\n```\r\n\r\n### Details\r\n\r\nThe flow exercises the nodes below.\r\n\r\n#### Specify systems to tag\r\n\r\nThis is an `inject` input node which starts the flow. This node injects a new\r\nmessage with a `payload` property which specifies the name(s) of the system(s)\r\nto apply the tag to.\r\n\r\n#### Set names request parameter\r\n\r\nThis is a `change` node which copies the value from the `payload` property on\r\nthe message to the `names` property. The `Apply system tag in ePO` node uses the `names` property when\r\nconstructing the parameters for the `system.applyTag` remote command.\r\n\r\n#### Apply system tag in ePO\r\n\r\nThis is an `epo system apply tag` node. This node connects to the DXL fabric and\r\nsends a DXL `Request` message to the ePO service. The message specifies the\r\ntarget remote command as `system.applyTag`.\r\n\r\nThe request message also includes the `msg.names` property set by the\r\n`Set names request parameter` node and the `tagName` set in the\r\n`Tag name` property.\r\n\r\nThe `Return` property is set to \"a parsed JSON object\" and the `Format` property\r\nis set to \"JSON\" to indicate that the payload for the response should be\r\nadded to the output message as a JavaScript object decoded from JSON.\r\n\r\n#### Output result\r\n\r\nThis is a `debug` output node. This node outputs the `payload` set on\r\nthe message by the `Apply system tag in ePO` node. The output should include\r\nthe response received from the DXL fabric for the `system.applyTag` command."
  },
  {
    "id": "dfbc08fd.29a308",
    "type": "inject",
    "z": "3cab471f.fbdca8",
    "name": "Specify systems to tag",
    "topic": "",
    "payload": "<specify-systems-to-tag>",
    "payloadType": "str",
    "repeat": "",
    "crontab": "",
    "once": false,
    "onceDelay": 0.1,
    "x": 140,
    "y": 40,
    "wires": [
      [
        "35c99ba3.eb1b44"
      ]
    ]
  },
  {
    "id": "eebb5fc1.e8327",
    "type": "debug",
    "z": "3cab471f.fbdca8",
    "name": "Debug: Output result",
    "active": true,
    "tosidebar": true,
    "console": false,
    "tostatus": false,
    "complete": "payload",
    "x": 560,
    "y": 220,
    "wires": []
  },
  {
    "id": "d0651085.b90f3",
    "type": "dxl-epo-system-apply-tag",
    "z": "3cab471f.fbdca8",
    "name": "",
    "tagName": "<specify-tag-to-apply>",
    "client": "2ed0ce07.039942",
    "epoUniqueId": "",
    "returnType": "obj",
    "x": 290,
    "y": 220,
    "wires": [
      [
        "eebb5fc1.e8327"
      ]
    ]
  },
  {
    "id": "35c99ba3.eb1b44",
    "type": "change",
    "z": "3cab471f.fbdca8",
    "name": "Set names request parameter",
    "rules": [
      {
        "t": "set",
        "p": "names",
        "pt": "msg",
        "to": "payload",
        "tot": "msg"
      }
    ],
    "action": "",
    "property": "",
    "from": "",
    "to": "",
    "reg": false,
    "x": 230,
    "y": 120,
    "wires": [
      [
        "d0651085.b90f3"
      ]
    ]
  },
  {
    "id": "91c0d2cd.6c4a1",
    "type": "comment",
    "z": "3cab471f.fbdca8",
    "name": "Supply the list of systems to tag in the 'Specify systems to tag' node",
    "info": "",
    "x": 540,
    "y": 40,
    "wires": []
  },
  {
    "id": "5ccd91fd.367b5",
    "type": "comment",
    "z": "3cab471f.fbdca8",
    "name": "Supply the tag name in the 'Apply system tag in ePO' node",
    "info": "",
    "x": 370,
    "y": 280,
    "wires": []
  }
]
mcafee added a new version:
McAfee ePolicy Orchestrator (ePO) DXL Node-RED Client Nodes 0.1.1 Release
- Added threat event creation node
- Updated samples
mcafee added a new solution:
Prerequisites
- The OpenDXL and McAfee ePolicy Orchestrator (ePO) DXL modules have been added to the Node-RED palette.
- A DXL client has been configured in Node-RED (see Client Configuration).
- An ePO DXL service is running and available on the DXL fabric. If version 5.0 or later of the DXL ePO extensions are installed on your ePO server, an ePO DXL service should already be running on the fabric. If you are using an earlier version of the DXL ePO extensions, you can use the ePO DXL Python Service.
- The Node-RED DXL client is authorized to receive "ePO Threat Event Automatic Response Events" (see Client Authorization).
- Under the "Automatic Responses" page on the ePO server, ensure that a "Send Threat Event via DXL" response is set to "Enabled".
Here is the Node-RED flow content for this solution:
[
  {
    "id": "ed863b5.ec467c8",
    "type": "tab",
    "label": "ePO Receive Threat Event Example",
    "disabled": false,
    "info": "This sample registers with the DXL fabric to receive threat event notifications\r\nfrom ePO via the ePO DXL service. The payload in the event message received from\r\nthe DXL fabric is printed to the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* The client is authorized to receive \"ePO Threat Event Automatic Response Events\"\r\n (see [Client Authorization](https://opendxl.github.io/opendxl-epo-service-python/pydoc/authorization.html#client-authorization)).\r\n* Under the `Automatic Responses` page on the ePO server, ensure that a\r\n `Send Threat Event via DXL` response is set to `Enabled`.\r\n\r\n### Setup\r\n\r\n* To deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the `Receive ePO threat event`\r\n node.\r\n* By default, the `Topic` configured for the `Send Threat Event via DXL`\r\n automatic response on the ePO server is set to\r\n \"/mcafee/event/epo/threat/response\". If you have changed this to a different\r\n value, edit the `Receive ePO threat event` node and set the value for\r\n the `Topic` property to be the same as the `Topic` value used for the automatic\r\n response on the ePO server.\r\n\r\n### Output\r\n\r\nWhen an ePO threat event is received, the following output should appear in the\r\nNode-RED `debug` tab:\r\n\r\n```\r\n? [ object ]\r\n```\r\n\r\nClick on the right arrow button to expand the contents of the object. The\r\ncontent may be similar to the following:\r\n\r\n```\r\n? object\r\n eventMsgVersion: \"1.0\"\r\n eventMsgType: \"McAfee Common Event\"\r\n ? event: object\r\n category: \"(This is the event category)\"\r\n ...\r\n ? source: object\r\n ipv4: \"10.0.0.254\"\r\n...\r\n```\r\n\r\n### Details\r\n\r\nThe flow exercises the nodes below.\r\n\r\n#### Receive ePO threat event\r\n\r\nThis is an `epo threat event` input node which starts the flow. This node\r\ninjects a new message with a `payload` property which includes the information\r\nfrom the threat event.\r\n\r\n#### Output result\r\n\r\nThis is a `debug` output node. This node outputs the `payload` set on\r\nthe message by the `Receive ePO threat event` node."
  },
  {
    "id": "8827ac7a.2d56d",
    "type": "dxl-epo-threat-event in",
    "z": "ed863b5.ec467c8",
    "name": "Receive ePO threat event",
    "topic": "",
    "client": "2ed0ce07.039942",
    "payloadType": "obj",
    "x": 130,
    "y": 40,
    "wires": [
      [
        "1a5fa94b.5c5f27"
      ]
    ]
  },
  {
    "id": "1a5fa94b.5c5f27",
    "type": "debug",
    "z": "ed863b5.ec467c8",
    "name": "Debug: Output event payload",
    "active": true,
    "tosidebar": true,
    "console": false,
    "tostatus": false,
    "complete": "payload",
    "x": 400,
    "y": 40,
    "wires": []
  }
]
mcafee added a new solution:
Prerequisites
- The OpenDXL and McAfee Active Response (MAR) DXL modules have been added to the Node-RED palette.
- A DXL client has been configured in Node-RED (see Client Configuration).
- A MAR DXL service is running and available on the DXL fabric.
- The Node-RED DXL client is authorized to perform MAR search (see Authorize Client to Perform MAR Search).
Here is the Node-RED flow content for this solution:
[
  {
    "id": "4d70f507.87bd5c",
    "type": "tab",
    "label": "MAR Basic Search Example",
    "disabled": false,
    "info": "This sample executes a `McAfee Active Response` search for the IP addresses of\r\nhosts that have an Active Response client installed. The IP addresses found are\r\ndisplayed on the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A McAfee Active Response (MAR) service is available on the DXL fabric.\r\n* The DXL client associated with the\r\n`Search MAR for hosts` node has been authorized to perform MAR searches\r\n (see [Authorize Client to Perform MAR Search](https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html)).\r\n\r\n### Setup\r\n\r\nTo deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the `Search MAR for hosts` node.\r\n\r\n### Running\r\n\r\nTo exercise the flow, double-click the button on the left side of the\r\n`Specify search projections` node.\r\n\r\n### Output\r\n\r\nThe IP addresses found should appear in the Node-RED `debug` tab. For example:\r\n\r\n~~~\r\n[ \"192.168.130.152\", \"192.168.130.133\"]\r\n~~~\r\n\r\n### Details\r\n\r\nThe flow exercises the nodes below.\r\n\r\n#### Specify search projections\r\n\r\nThis is an `inject` input node which starts the flow. This node injects a new\r\nmessage with a `payload` property which specifies that the IP addresses of\r\nhosts which are found should be projected into the search results:\r\n\r\n```json\r\n[\r\n {\r\n \"name\": \"HostInfo\",\r\n \"outputs\": [\r\n \"ip_address\"\r\n ]\r\n }\r\n]\r\n```\r\n\r\n#### Set projections request parameter\r\n\r\nThis is a `change` node which copies the value from the `payload` property on\r\nthe message to the `projections` property. The `Search MAR for hosts` node uses\r\nthe `projections` property when constructing the parameters for the MAR search.\r\n\r\n#### Search MAR for hosts\r\n\r\nThis is a `mar search` node. This node connects to the DXL fabric and sends a\r\nsearch request to the MAR service using the `msg.projections` property set by\r\nthe `Set projections request parameter` node.\r\n\r\nThe `Limit` property specifies that up to the first \"10\" result items should be\r\nprovided.\r\n\r\nThe `Return` property is set to \"a parsed JSON object\" to indicate that the\r\n`payload` for the response should be added to the output message as a JavaScript\r\nobject decoded from JSON.\r\n\r\n#### Extract host IP addresses\r\n\r\nThis is a `function` node. This node includes a JavaScript code snippet which\r\niterates over the search result items that were set on the `msg.payload`\r\nproperty by the `Search MAR for hosts` node. The source code for the code\r\nsnippet is included below:\r\n\r\n```javascript\r\nmsg.payload =\r\n msg.payload.map(function (processEntry) {\r\n return processEntry.output[\"HostInfo|ip_address\"]\r\n })\r\nreturn msg\r\n```\r\n\r\nThe `HostInfo|ip_address` value for\r\neach item is captured. An array with just the IP addresses of the hosts which\r\nwere returned in the search results is set onto the `msg.payload` property.\r\n\r\n#### Output IP addresses\r\n\r\nThis is a `debug` output node. This node outputs the array of host IP addresses\r\nwritten to the `msg.payload` property by the `Extract host IP addresses` node."
  },
  {
    "id": "e18fdc9e.6feae",
    "type": "dxl-mar-search",
    "z": "4d70f507.87bd5c",
    "name": "Search MAR for hosts",
    "pollInterval": 5,
    "client": "2ed0ce07.039942",
    "projections": "",
    "limit": "10",
    "textFilter": "",
    "sortBy": "",
    "sortDirection": "",
    "returnType": "obj",
    "x": 280,
    "y": 220,
    "wires": [
      [
        "be60e18f.08cfb"
      ]
    ]
  },
  {
    "id": "340bdcc6.7f4904",
    "type": "inject",
    "z": "4d70f507.87bd5c",
    "name": "Specify search projections",
    "topic": "",
    "payload": "[{\"name\":\"HostInfo\",\"outputs\":[\"ip_address\"]}]",
    "payloadType": "json",
    "repeat": "",
    "crontab": "",
    "once": false,
    "onceDelay": 0.1,
    "x": 150,
    "y": 40,
    "wires": [
      [
        "a2cb13bf.388be"
      ]
    ]
  },
  {
    "id": "39e7184f.da87a8",
    "type": "debug",
    "z": "4d70f507.87bd5c",
    "name": "Debug: Output IP addresses",
    "active": true,
    "tosidebar": true,
    "console": false,
    "tostatus": false,
    "complete": "payload",
    "x": 480,
    "y": 420,
    "wires": []
  },
  {
    "id": "be60e18f.08cfb",
    "type": "function",
    "z": "4d70f507.87bd5c",
    "name": "Extract host IP addresses",
    "func": "msg.payload = \n msg.payload.map(function (processEntry) {\n return processEntry.output[\"HostInfo|ip_address\"]\n })\nreturn msg",
    "outputs": 1,
    "noerr": 0,
    "x": 390,
    "y": 320,
    "wires": [
      [
        "39e7184f.da87a8"
      ]
    ]
  },
  {
    "id": "a2cb13bf.388be",
    "type": "change",
    "z": "4d70f507.87bd5c",
    "name": "Set projections request parameter",
    "rules": [
      {
        "t": "set",
        "p": "projections",
        "pt": "msg",
        "to": "payload",
        "tot": "msg"
      }
    ],
    "action": "",
    "property": "",
    "from": "",
    "to": "",
    "reg": false,
    "x": 260,
    "y": 120,
    "wires": [
      [
        "e18fdc9e.6feae"
      ]
    ]
  }
]
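The result handling in this MAR search flow, together with the page loop that the MAR paging flow which follows builds from `msg.hasMoreItems`, as an added example in plain JavaScript (not code from the original flows or the OpenDXL project). The `makeSearchNode` stand-in for the `mar search` node, the IPv4 check in `buildHostConditions`, and the de-duplication in `extractHostIps` are assumptions added here.

```javascript
// Added example (not code from the original flows or the OpenDXL project).
// Plain-JavaScript model of the two MAR flows: a hardened "Extract host IP
// addresses" body, the "Set search conditions" document built without string
// templating, and the page loop that "Search MAR for host" ->
// "Extract process names" -> "More results available?" forms in the paging flow.

// Hardened form of the flow's one-line map: items whose output lacks the
// projected field are skipped instead of yielding `undefined`, and duplicate
// addresses are dropped so downstream nodes receive a clean host list.
function extractHostIps(items) {
  const seen = new Set();
  for (const entry of items || []) {
    const ip = entry && entry.output ? entry.output["HostInfo|ip_address"] : undefined;
    if (typeof ip === "string" && ip.length > 0) seen.add(ip);
  }
  return Array.from(seen);
}

// Equivalent of the paging flow's mustache template for `conditions`, assembled
// as an object rather than by interpolating {{payload}} into JSON text. A
// payload that is not a dotted-quad IPv4 address is rejected (assumed check),
// so a malformed or quote-bearing value cannot produce a broken or unexpected
// conditions document.
const IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;
function buildHostConditions(ip) {
  if (typeof ip !== "string" || !IPV4.test(ip)) {
    throw new Error("payload is not an IPv4 address: " + ip);
  }
  return {
    or: [{ and: [{ name: "HostInfo", output: "ip_address", op: "EQUALS", value: ip }] }],
  };
}

// Body of the paging flow's "Extract process names" function node: one page of
// names is appended to msg.processes each time the node is visited.
function extractProcessNames(msg) {
  if (!msg.processes) msg.processes = [];
  msg.processes.push(msg.payload.map((e) => e.output["Processes|name"]));
  return msg;
}

// Stand-in for the "Search MAR for host" node (assumed behaviour only): each
// call returns the next `limit` items of a constructed result set and sets
// msg.hasMoreItems, which is what the flow's switch node tests.
function makeSearchNode(results, limit) {
  let offset = 0;
  return function search(msg) {
    msg.payload = results.slice(offset, offset + limit);
    offset += msg.payload.length;
    msg.hasMoreItems = offset < results.length;
    return msg;
  };
}

// The loop the flow wires up with "More results available?": revisit the search
// node while hasMoreItems is true. The page cap guards against a service that
// keeps answering "more", so the flow cannot spin forever.
function collectAllProcesses(search, maxPages = 1000) {
  let msg = {};
  for (let page = 0; page < maxPages; page++) {
    msg = extractProcessNames(search(msg));
    if (!msg.hasMoreItems) return msg.processes;
  }
  throw new Error("paging did not terminate within " + maxPages + " pages");
}

// Constructed sample data, shaped like the result items the flows describe.
const HOST_ITEMS = [
  { output: { "HostInfo|ip_address": "192.168.130.152" } },
  { output: { "HostInfo|ip_address": "192.168.130.133" } },
  { output: {} }, // projected field missing
  { output: { "HostInfo|ip_address": "192.168.130.152" } }, // duplicate
];
const PROCESS_NAMES = [
  "MARService.exe", "OneDrive.exe", "RuntimeBroker.exe", "SearchIndexer.exe", "SearchUI.exe",
  "ShellExperienceHost.exe", "SkypeHost.exe", "System", "UpdaterUI.exe", "VGAuthService.exe",
  "WUDFHost.exe", "WmiApSrv.exe", "WmiPrvSE.exe", "WmiPrvSE.exe", "[System Process]",
];
const PROCESS_ITEMS = PROCESS_NAMES.map((name) => ({ output: { "Processes|name": name } }));

console.log(extractHostIps(HOST_ITEMS));
console.log(collectAllProcesses(makeSearchNode(PROCESS_ITEMS, 5)));
```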
mcafee added a new solution:
Prerequisites
- The OpenDXL and McAfee Active Response (MAR) DXL modules have been added to the Node-RED palette.
- A DXL client has been configured in Node-RED (see Client Configuration).
- A MAR DXL service is running and available on the DXL fabric.
- The Node-RED DXL client is authorized to perform MAR search (see Authorize Client to Perform MAR Search).
Here is the Node-RED flow content for this solution:
[
  {
    "id": "15c35c35.087ac4",
    "type": "tab",
    "label": "MAR Basic Paging Example",
    "disabled": false,
    "info": "This sample executes a `McAfee Active Response` search for the running processes\r\non a particular endpoint as specified by its IP address. The names of the\r\nprocesses found are retrieved and captured one page (up to 5 items) at a time.\r\nThe resulting process names captured across all pages are displayed on the\r\nNode-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A McAfee Active Response (MAR) service is available on the DXL fabric.\r\n* The DXL client associated with the\r\n`Search MAR for host` node has been authorized to perform MAR searches\r\n (see [Authorize Client to Perform MAR Search](https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html)).\r\n\r\n### Setup\r\n\r\n* Edit the `Specify host to find` node and modify the `Payload` property with\r\n the IP address of a host to retrieve the process list from. For example:\r\n\r\n ```\r\n 192.168.1.1\r\n ```\r\n\r\n* To deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the `Search MAR for host` node.\r\n\r\n### Running\r\n\r\nTo exercise the flow, double-click the button on the left side of the\r\n`Specify host to find` node.\r\n\r\n### Output\r\n\r\nOutput similar to the following should appear in the Node-RED `debug` tab:\r\n\r\n```\r\n? [ array[5], array[5], array[5] ]\r\n```\r\n\r\nAfter clicking on the right arrow buttons to expand the contents of the array,\r\noutput similar to the following should appear:\r\n\r\n```\r\n? array[3]\r\n ? 0: array[5]\r\n 0: \"MARService.exe\"\r\n 1: \"OneDrive.exe\"\r\n 2: \"RuntimeBroker.exe\"\r\n 3: \"SearchIndexer.exe\"\r\n 4: \"SearchUI.exe\"\r\n ? 1: array[5]\r\n 0: \"ShellExperienceHost.exe\"\r\n 1: \"SkypeHost.exe\"\r\n 2: \"System\"\r\n 3: \"UpdaterUI.exe\"\r\n 4: \"VGAuthService.exe\"\r\n ? 2: array[5]\r\n 0: \"WUDFHost.exe\"\r\n 1: \"WmiApSrv.exe\"\r\n 2: \"WmiPrvSE.exe\"\r\n 3: \"WmiPrvSE.exe\"\r\n 4: \"[System Process]\"\r\n...\r\n```\r\n\r\n### Details\r\n\r\nThe flow exercises the nodes below.\r\n\r\n#### Specify host to find\r\n\r\nThis is an `inject` input node which starts the flow. This node injects a new\r\nmessage with a `payload` property which specifies the IP address of the host to\r\nfind.\r\n\r\n#### Set search conditions\r\n\r\nThis is a `template` node which formats the IP address supplied on the\r\n`msg.payload` property by the `Specify host to find` node into the\r\n`conditions` property on the output message. The `Search MAR for host` node\r\nuses the `conditions` property when constructing the parameters for the MAR\r\nsearch.\r\n\r\nThe JSON-formatted mustache template has the following:\r\n\r\n```json\r\n{\r\n \"or\": [{\r\n \"and\": [{\r\n \"name\": \"HostInfo\",\r\n \"output\": \"ip_address\",\r\n \"op\": \"EQUALS\",\r\n \"value\": \"{{payload}}\"\r\n }]\r\n }]\r\n}\r\n```\r\n\r\nIf the `payload` property on the input message, for example, were set to\r\n`192.168.1.1`, the resulting JavaScript object stored to the `conditions`\r\nproperty on the output message would be:\r\n\r\n```javascript\r\n{\r\n or: [{\r\n and: [{\r\n name: 'HostInfo',\r\n output: 'ip_address',\r\n op: 'EQUALS',\r\n value: '192.168.1.1'\r\n }]\r\n }]\r\n}\r\n```\r\n\r\n#### Search MAR for host\r\n\r\nThis is a `mar search` node. This node connects to the DXL fabric and sends a\r\nsearch request to the MAR service to collect process information from a\r\nparticular system (as specified by the IP address in the `msg.conditions`\r\nproperty set by the `Set search conditions` node).\r\n\r\nThe JSON-formatted document provided for the `Projections` property specifies that\r\n`Processes` for the target host should be returned:\r\n\r\n```json\r\n[\r\n {\r\n \"name\": \"Processes\"\r\n }\r\n]\r\n```\r\n\r\nThe `Limit` property specifies that up to the next \"5\" result items should be\r\nprovided per `page` of search results. This node is revisited repeatedly by the\r\n`More results available?` node until all of the result items available\r\nfor the search have been retrieved.\r\n\r\nThe `Sort by` and `Sort` properties, respectively, specify that the search\r\nresults should be sorted by the \"Processes|name\" field in \"Ascending\" order.\r\n\r\nThe `Return` property is set to \"a parsed JSON object\" to indicate that the\r\n`payload` for the response should be added to the output message as a JavaScript\r\nobject decoded from JSON.\r\n\r\n#### Extract process names\r\n\r\nThis is a `function` node. This node includes a JavaScript code snippet which\r\niterates over the search result items that were set on the `msg.payload`\r\nproperty by the `Search MAR for host` node. The source code for the code\r\nsnippet is included below:\r\n\r\n```javascript\r\nif (!msg.processes) {\r\n msg.processes = []\r\n}\r\n\r\nmsg.processes.push(\r\n msg.payload.map(function (processEntry) {\r\n return processEntry.output[\"Processes|name\"]\r\n })\r\n)\r\n\r\nreturn msg\r\n```\r\n\r\nAn array is assigned to the `processes` property in the message. Each element\r\nin the array contains a sub-array with the names of processes returned for\r\nthe previous page. New elements are appended to the array each time this node\r\nis revisited to capture a page of search results.\r\n\r\nFor example, the contents of the `processes` property after the first time this\r\nnode is visited within a flow might contain:\r\n\r\n```javascript\r\n[[\"MARService.exe\",\r\n \"OneDrive.exe\",\r\n \"RuntimeBroker.exe\",\r\n \"SearchIndexer.exe\",\r\n \"SearchUI.exe\"]]\r\n```\r\n\r\nAfter the second time this node is visited for a flow, the `processes` property\r\nmight contain:\r\n\r\n```javascript\r\n[[\"MARService.exe\",\r\n \"OneDrive.exe\",\r\n \"RuntimeBroker.exe\",\r\n \"SearchIndexer.exe\",\r\n \"SearchUI.exe\"],\r\n [\"ShellExperienceHost.exe\",\r\n \"SkypeHost.exe\",\r\n \"System\",\r\n \"UpdaterUI.exe\",\r\n \"VGAuthService.exe\"]]\r\n```\r\n\r\n#### More results available?\r\n\r\nThis is a `switch` node. This node routes the input message to a different\r\nnode based on the value of the `hasMoreItems` property.\r\n\r\nIf the value of `hasMoreItems` is `true`, additional items are available to be\r\nretrieved from the MAR server for the current search. In this case, the input\r\nmessage is routed back to the `Search MAR for host` node. When the\r\n`Search MAR for host` node is revisited, the next page of search results is\r\nobtained from the MAR server and forwarded along to the `Extract process names`\r\nnode.\r\n\r\nIf the value of `hasMoreItems` is `false`, no additional items are available\r\nto be retrieved from the MAR server for the current search. In this case, the\r\ninput message is routed to the `Output process names` node.\r\n\r\n#### Output process names\r\n\r\nThis is a `debug` output node. This node outputs the array of process names\r\nwritten by the `Extract process names` node to the `msg.processes` property\r\nfor each page of search results returned from the MAR server."
- },
- {
- "id": "3fbfd464.d3a6cc",
- "type": "inject",
- "z": "15c35c35.087ac4",
- "name": "Specify host to find",
- "topic": "",
- "payload": "<specify-host-ip-address>",
- "payloadType": "str",
- "repeat": "",
- "crontab": "",
- "once": false,
- "onceDelay": 0.1,
- "x": 130,
- "y": 100,
- "wires": [
- [
- "32c7d68f.2ed0ca"
- ]
- ]
- },
- {
- "id": "53c77ace.c1e504",
- "type": "switch",
- "z": "15c35c35.087ac4",
- "name": "More results available?",
- "property": "hasMoreItems",
- "propertyType": "msg",
- "rules": [
- {
- "t": "true"
- },
- {
- "t": "false"
- }
- ],
- "checkall": "true",
- "repair": false,
- "outputs": 2,
- "x": 190,
- "y": 400,
- "wires": [
- [
- "b6e234bf.312e78"
- ],
- [
- "cd7c5168.252d9"
- ]
- ]
- },
- {
- "id": "cd7c5168.252d9",
- "type": "debug",
- "z": "15c35c35.087ac4",
- "name": "Debug: Output process names",
- "active": true,
- "tosidebar": true,
- "console": false,
- "tostatus": false,
- "complete": "processes",
- "x": 490,
- "y": 400,
- "wires": []
- },
- {
- "id": "2a2240df.31f3b",
- "type": "function",
- "z": "15c35c35.087ac4",
- "name": "Extract process names",
- "func": "if (!msg.processes) {\n msg.processes = []\n}\n\nmsg.processes.push(\n msg.payload.map(function (processEntry) {\n return processEntry.output[\"Processes|name\"]\n })\n)\n\nreturn msg",
- "outputs": 1,
- "noerr": 0,
- "x": 480,
- "y": 280,
- "wires": [
- [
- "53c77ace.c1e504"
- ]
- ]
- },
- {
- "id": "b6e234bf.312e78",
- "type": "dxl-mar-search",
- "z": "15c35c35.087ac4",
- "name": "Search MAR for host",
- "pollInterval": 5,
- "client": "42926d46.783374",
- "projections": "[\n {\n \"name\": \"Processes\"\n }\n]",
- "limit": "5",
- "textFilter": "",
- "sortBy": "Processes|name",
- "sortDirection": "asc",
- "returnType": "obj",
- "x": 440,
- "y": 180,
- "wires": [
- [
- "2a2240df.31f3b"
- ]
- ]
- },
- {
- "id": "32c7d68f.2ed0ca",
- "type": "template",
- "z": "15c35c35.087ac4",
- "name": "Set search conditions",
- "field": "conditions",
- "fieldType": "msg",
- "format": "json",
- "syntax": "mustache",
- "template": "{\n \"or\": [{\n \"and\": [{\n \"name\": \"HostInfo\",\n \"output\": \"ip_address\",\n \"op\": \"EQUALS\",\n \"value\": \"{{payload}}\"\n }]\n }]\n}",
- "output": "json",
- "x": 200,
- "y": 180,
- "wires": [
- [
- "b6e234bf.312e78"
- ]
- ]
- },
- {
- "id": "c271164f.62d8b8",
- "type": "comment",
- "z": "15c35c35.087ac4",
- "name": "Supply the IP address of the host to find in the 'Specify host to find' node",
- "info": "",
- "x": 270,
- "y": 40,
- "wires": []
- }
- ]
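As an added example (not part of the OpenDXL flow or its documentation), the same page-and-accumulate loop run outside Node-RED in plain JavaScript: `fakeMarSearchPage` is a constructed stand-in for the MAR service that the `Search MAR for host` node reaches over DXL, returning items in the `output["Processes|name"]` shape the flow relies on, and `buildConditions` adds an IPv4 check before the injected payload is placed into the `HostInfo` search condition.

```javascript
// Constructed sample data: process names the fake service reports for the host.
const SAMPLE_PROCESSES = [
  "MARService.exe", "OneDrive.exe", "RuntimeBroker.exe", "SearchIndexer.exe",
  "SearchUI.exe", "ShellExperienceHost.exe", "SkypeHost.exe", "System",
  "UpdaterUI.exe", "VGAuthService.exe", "WUDFHost.exe", "WmiApSrv.exe",
];

// Same object the `Set search conditions` template node produces, except that
// the injected payload is checked to be an IPv4 address before it is used, so a
// malformed or unexpected payload fails here instead of becoming a MAR search.
function buildConditions(ip) {
  const ipv4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
  if (typeof ip !== "string" || !ipv4.test(ip)) {
    throw new Error("payload is not an IPv4 address: " + ip);
  }
  return { or: [{ and: [{ name: "HostInfo", output: "ip_address",
                          op: "EQUALS", value: ip }] }] };
}

// Hypothetical stand-in for one `Search MAR for host` request: returns one page
// of `limit` result items sorted by "Processes|name" ascending (the flow's
// `Sort by`/`Sort` settings) plus the hasMoreItems flag the switch node reads.
function fakeMarSearchPage(conditions, limit, offset) {
  const sorted = SAMPLE_PROCESSES.slice().sort();
  const items = sorted.slice(offset, offset + limit)
    .map((name) => ({ output: { "Processes|name": name } }));
  return { payload: items, hasMoreItems: offset + limit < sorted.length };
}

// Body of the `Extract process names` function node, as in the flow.
function extractProcessNames(msg) {
  if (!msg.processes) msg.processes = [];
  msg.processes.push(msg.payload.map((e) => e.output["Processes|name"]));
  return msg;
}

// The loop the `More results available?` switch node forms: revisit the search
// until hasMoreItems is false, then hand msg.processes to the debug node.
function collectAllProcesses(ip, limit) {
  let msg = { conditions: buildConditions(ip) };
  let offset = 0;
  do {
    Object.assign(msg, fakeMarSearchPage(msg.conditions, limit, offset));
    msg = extractProcessNames(msg);
    offset += limit;
  } while (msg.hasMoreItems);
  return msg.processes; // one sub-array per page, as the debug tab shows
}
```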
mcafee added a new version:
McAfee ePolicy Orchestrator (ePO) DXL Python Client Library 0.2.2 Release
- Combine commands and remote service ids together during lookup
mcafee added a new solution:
Overview
The McAfee Active Response (MAR) DXL Node-RED client package enables the development of flows in Node-RED which perform MAR searches via the Data Exchange Layer (DXL) fabric.
Documentation
See the Wiki for an overview of the McAfee Active Response (MAR) DXL Node-RED client package and examples.
See the McAfee Active Response (MAR) DXL Node-RED Client Documentation for installation instructions, API documentation, and examples.
mcafee added a new solution:
Overview
The McAfee Active Response (MAR) DXL JavaScript client library provides a high-level wrapper for the MAR Data Exchange Layer (DXL) API.
The purpose of this library is to allow users to perform MAR searches without having to focus on lower-level details such as MAR-specific DXL topics and message formats.
Documentation
See the Wiki for an overview of the McAfee Active Response (MAR) DXL JavaScript client library and examples.
See the McAfee Active Response (MAR) DXL JavaScript Client Library Documentation for installation instructions, API documentation, and examples.
mcafee added a new solution:
Overview
The McAfee Threat Intelligence Exchange (TIE) DXL Node-RED client package enables the development of flows in Node-RED which use TIE features (manage reputations, determine where a file has executed, etc.) via the Data Exchange Layer (DXL) fabric.
Documentation
See the Wiki for an overview of the McAfee Threat Intelligence Exchange (TIE) DXL Node-RED client package and examples.
See the McAfee Threat Intelligence Exchange (TIE) DXL Node-RED Client Documentation for installation instructions, API documentation, and examples.
mcafee added a new solution:
Overview
The McAfee Threat Intelligence Exchange (TIE) DXL JavaScript client library provides a high-level wrapper for the TIE Data Exchange Layer (DXL) API.
The purpose of this library is to allow users to access the features of TIE (manage reputations, determine where a file has executed, etc.) without having to focus on lower-level details such as TIE-specific DXL topics and message formats.
Documentation
See the Wiki for an overview of the McAfee Threat Intelligence (TIE) DXL JavaScript client library and examples.
See the McAfee Threat Intelligence (TIE) DXL JavaScript Client Library Documentation for installation instructions, API documentation, and examples.
mcafee added a new solution:
Overview
The Cisco pxGrid DXL Node-RED client package enables the development of flows in Node-RED which communicate with Cisco pxGrid via the Data Exchange Layer (DXL) fabric.
Documentation
See the Wiki for an overview of the Cisco pxGrid DXL Node-RED client package and examples.
See the Cisco pxGrid DXL Node-RED Client Documentation for installation instructions, API documentation, and examples.