Chris Smith chrissmith-mcafee

@chrissmith-mcafee
chrissmith-mcafee / add-misp-sightings-mar.json
Created November 20, 2018 18:04
This flow utilizes McAfee Active Response (MAR) to add sightings to MISP published events containing hash-based attributes.
[
{
"id": "3bcf37ef.a9d108",
"type": "tab",
"label": "Add Hash Sightings to MISP Event using MAR",
"disabled": false,
"info": "This flow utilizes McAfee Active Response (MAR) to adds sightings to MISP \r\npublished events containing hash-based attributes.\r\n\r\nWhen a MISP event is published, the flow examines the event to determine if \r\nit contains hash-based attributes. If it does, a MAR search is performed \r\nto determine if any active endpoints contain the hashes. For each endpoint\r\ncontaining a hash, a sighting is added to the MISP event in addition to a \r\ncomment that includes the associated endpoint information.\r\n\r\n### Prerequisites\r\n\r\n* The Node-RED DXL client configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A McAfee Active Response (MAR) service is available on the DXL fabric.\r\n* The Node-RED DXL client is authorized to perform MA
chrissmith-mcafee / tag-system-when-ise-policy-applied.json
Created November 9, 2018 00:00
This Node-RED flow ensures that systems within McAfee ePO are tagged to indicate what policies are currently applied within Cisco ISE Adaptive Network Control (ANC)
[
{
"id": "454f293f.10a098",
"type": "tab",
"label": "Tag System when ISE Policy Applied",
"disabled": false,
"info": "This flow ensures that systems within McAfee ePO are tagged to indicate\r\nwhat policies are currently applied within Cisco ISE Adaptive Network \r\nControl (ANC). When an ANC policy is applied, the corresponding system is\r\nlocated within ePO and tagged approriately. When an ANC policy is removed,\r\nthe corresponding system is located within ePO and untagged appropriately.\r\n\r\n### Prerequisites\r\n\r\n* The Node-RED DXL client configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* The DXL fabric to which the Node-RED DXL client will connect has been bridged to Cisco\r\n pxGrid.\r\n* An ePO DXL service is running and available on the DXL fabric. If version 5.0\r\n or later of the DXL ePO extensions are installed on your ePO server, an ePO\
chrissmith-mcafee / epo-basic-remote-command-example.json
Created October 5, 2018 17:00
This Node-RED flow invokes and displays the results of a `system.findTag` remote command via the ePO DXL service.
[
{
"id": "a6c49432.25d5b8",
"type": "tab",
"label": "ePO Remote Command Example",
"disabled": false,
"info": "This sample invokes and displays the results of a `system.findTag` remote\r\ncommand via the ePO DXL service. The results of the find command are displayed\r\non the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A ePO DXL service is running and available on the DXL fabric. If version 5.0\r\n or later of the DXL ePO extensions are installed on your ePO server, an ePO\r\n DXL service should already be running on the fabric. If you are using an\r\n earlier version of the DXL ePO extensions, you can use the\r\n [ePO DXL Python Service](https://github.com/opendxl/opendxl-epo-service-python).\r\n* The DXL client associated with the `Find tags in ePO` node is authorized to\r\n inv
chrissmith-mcafee / epo-basic-system-find-example.json
Created October 5, 2018 15:56
This Node-RED flow invokes and displays the results of a `system.find` remote command via the ePO DXL service.
[
{
"id": "c73cd652.3f9f08",
"type": "tab",
"label": "ePO System Find Example",
"disabled": false,
"info": "This sample invokes and displays the results of a `system.find` remote command\r\nvia the ePO DXL service. The results of the find command are displayed on the\r\nNode-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A ePO DXL service is running and available on the DXL fabric. If version 5.0\r\n or later of the DXL ePO extensions are installed on your ePO server, an ePO\r\n DXL service should already be running on the fabric. If you are using an\r\n earlier version of the DXL ePO extensions, you can use the\r\n [ePO DXL Python Service](https://github.com/opendxl/opendxl-epo-service-python).\r\n* The DXL client associated with the `Find systems in ePO` node is\r\n authorized to invoke
chrissmith-mcafee / epo-basic-threat-event-create-example.json
Created October 5, 2018 15:44
This Node-RED flow invokes and displays the results of a `DxlBrokerMgmt.createEpoThreatEvent` remote command via the ePO DXL service.
[
{
"id": "a1d1dbd.b4d6328",
"type": "tab",
"label": "ePO Create Threat Event Example",
"disabled": false,
"info": "This sample invokes and displays the results of a\n`DxlBrokerMgmt.createEpoThreatEvent` remote command via the ePO DXL service.\nThe results of the event creation command are displayed on the Node-RED `debug`\ntab.\n\n### Prerequisites\n\n* The samples configuration step has been completed (see\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\n* A ePO DXL service is running and available on the DXL fabric. If version 5.0\n or later of the DXL ePO extensions are installed on your ePO server, an ePO\n DXL service should already be running on the fabric. If you are using an\n earlier version of the DXL ePO extensions, you can use the\n [ePO DXL Python Service](https://github.com/opendxl/opendxl-epo-service-python).\n* The DXL client associated with the `Create threat event in ePO` node is\n
chrissmith-mcafee / tie-basic-get-cert-reputation-example.json
Created October 4, 2018 23:34
This Node-RED flow invokes the TIE DXL service to retrieve the reputation of a certificate (as identified by hashes).
[
{
"id": "e6aa430b.c2db4",
"type": "tab",
"label": "TIE Get Certificate Reputation Example",
"disabled": false,
"info": "This sample invokes the TIE DXL service to retrieve the reputation of a\r\ncertificate (as identified by hashes). The response to the TIE request is\r\nprinted to the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A TIE service is available on the DXL fabric.\r\n\r\n### Setup\r\n\r\n* Edit the `Specify hash request parameters` node and modify the `msg.sha1`\r\n rule with the hash of the certificate and the `msg.publicKeySha1` rule with\r\n the hash of the public key that you want to use for the lookup. Note that\r\n the `msg.publicKeySha1` property is optional so this value can be set to an\r\n empty string or the property may be removed entirely if the public key
chrissmith-mcafee / tie-basic-get-file-reputation-example.json
Created October 4, 2018 23:24
This Node-RED flow invokes the TIE DXL service to retrieve the reputation of a file (as identified by hashes).
[
{
"id": "39707d18.0f97d2",
"type": "tab",
"label": "TIE Get File Reputation Example",
"disabled": false,
"info": "This sample invokes the TIE DXL service to retrieve the reputation of a file (as\r\nidentified by hashes). The response to the TIE request is printed to the\r\nNode-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A TIE service is available on the DXL fabric.\r\n\r\n### Setup\r\n\r\n* To deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the `Get reputation from TIE`\r\n node.\r\n\r\n### Running\r\n\r\nTo exercise the flow for the \"notepad.exe\" file, double-click the button on the\r\nleft side of the `Start Notepad.exe lo
chrissmith-mcafee / epo-basic-system-clear-tag-example.json
Created October 4, 2018 23:16
This Node-RED flow invokes and displays the results of a `system.clearTag` remote command via the ePO DXL service.
[
{
"id": "1723c736.e448e9",
"type": "tab",
"label": "ePO System Clear Tag Example",
"disabled": false,
"info": "This sample invokes and displays the results of a `system.clearTag` remote\r\ncommand via the ePO DXL service. The results of the clear command are displayed\r\non the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A ePO DXL service is running and available on the DXL fabric. If version 5.0\r\n or later of the DXL ePO extensions are installed on your ePO server, an ePO\r\n DXL service should already be running on the fabric. If you are using an\r\n earlier version of the DXL ePO extensions, you can use the\r\n [ePO DXL Python Service](https://github.com/opendxl/opendxl-epo-service-python).\r\n* The DXL client associated with the `Clear system tag from ePO` node is\r\n auth
chrissmith-mcafee / epo-basic-system-apply-tag-example.json
Created October 4, 2018 23:07
This Node-RED flow invokes and displays the results of a `system.applyTag` remote command via the ePO DXL service.
[
{
"id": "3cab471f.fbdca8",
"type": "tab",
"label": "ePO System Apply Tag Example",
"disabled": false,
"info": "This sample invokes and displays the results of a `system.applyTag` remote\r\ncommand via the ePO DXL service. The results of the apply command are displayed\r\non the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A ePO DXL service is running and available on the DXL fabric. If version 5.0\r\n or later of the DXL ePO extensions are installed on your ePO server, an ePO\r\n DXL service should already be running on the fabric. If you are using an\r\n earlier version of the DXL ePO extensions, you can use the\r\n [ePO DXL Python Service](https://github.com/opendxl/opendxl-epo-service-python).\r\n* The DXL client associated with the `Apply system tag in ePO` node is\r\n author
chrissmith-mcafee / epo-basic-threat-event-receive-example.json
Created October 3, 2018 23:14
This Node-RED flow registers with the DXL fabric to receive threat event notifications from ePO via the ePO DXL service.
[
{
"id": "ed863b5.ec467c8",
"type": "tab",
"label": "ePO Receive Threat Event Example",
"disabled": false,
"info": "This sample registers with the DXL fabric to receive threat event notifications\r\nfrom ePO via the ePO DXL service. The payload in the event message received from\r\nthe DXL fabric is printed to the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* The client is authorized to receive \"ePO Threat Event Automatic Response Events\"\r\n (see [Client Authorization](https://opendxl.github.io/opendxl-epo-service-python/pydoc/authorization.html#client-authorization)).\r\n* Under the `Automatic Responses` page on the ePO server, ensure that a\r\n `Send Threat Event via DXL` response is set to `Enabled`.\r\n\r\n### Setup\r\n\r\n* To deploy the flow, press the `Deploy` button in the