Skip to content

Instantly share code, notes, and snippets.

@chrissmith-mcafee
Created October 3, 2018 23:03
Show Gist options
  • Save chrissmith-mcafee/221b8ebe82092ecb330e7b73d10ef529 to your computer and use it in GitHub Desktop.
Save chrissmith-mcafee/221b8ebe82092ecb330e7b73d10ef529 to your computer and use it in GitHub Desktop.
This Node-RED flow executes a `McAfee Active Response` search for the IP addresses of hosts that have an Active Response client installed.
[
{
"id": "4d70f507.87bd5c",
"type": "tab",
"label": "MAR Basic Search Example",
"disabled": false,
"info": "This sample executes a `McAfee Active Response` search for the IP addresses of\r\nhosts that have an Active Response client installed. The IP addresses found are\r\ndisplayed on the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A McAfee Active Response (MAR) service is available on the DXL fabric.\r\n* The DXL client associated with the\r\n`Search MAR for hosts` node has been authorized to perform MAR searches\r\n (see [Authorize Client to Perform MAR Search](https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html)).\r\n\r\n### Setup\r\n\r\nTo deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the `Search MAR for hosts` node.\r\n\r\n### Running\r\n\r\nTo exercise the flow, double-click the button on the left side of the\r\n`Specify search projections` node.\r\n\r\n### Output\r\n\r\nThe IP addresses found should appear in the Node-RED `debug` tab. For example:\r\n\r\n~~~\r\n[ \"192.168.130.152\", \"192.168.130.133\"]\r\n~~~\r\n\r\n### Details\r\n\r\nThe flow exercises the nodes below.\r\n\r\n#### Specify search projections\r\n\r\nThis is an `inject` input node which starts the flow. This node injects a new\r\nmessage with a `payload` property which specifies that the IP addresses of\r\nhosts which are found should be projected into the search results:\r\n\r\n```json\r\n[\r\n {\r\n \"name\": \"HostInfo\",\r\n \"outputs\": [\r\n \"ip_address\"\r\n ]\r\n }\r\n]\r\n```\r\n\r\n#### Set projections request parameter\r\n\r\nThis is a `change` node which copies the value from the `payload` property on\r\nthe message to the `projections` property. The `Search MAR for hosts` node uses\r\nthe `projections` property when constructing the parameters for the MAR search. \r\n\r\n#### Search MAR for hosts\r\n\r\nThis is a `mar search` node. This node connects to the DXL fabric and sends a\r\nsearch request to the MAR service using the `msg.projections` property set by\r\nthe `Set projections request parameter` node.\r\n\r\nThe `Limit` property specifies that up to the first \"10\" result items should be\r\nprovided.\r\n\r\nThe `Return` property is set to \"a parsed JSON object\" to indicate that the\r\n`payload` for the response should be added to the output message as a JavaScript\r\nobject decoded from JSON.\r\n\r\n#### Extract host IP addresses\r\n\r\nThis is a `function` node. This node includes a JavaScript code snippet which\r\niterates over the search result items that were set on the `msg.payload`\r\nproperty by the `Search MAR for hosts` node. The source code for the code\r\nsnippet is included below:\r\n\r\n```javascript\r\nmsg.payload = \r\n msg.payload.map(function (processEntry) {\r\n return processEntry.output[\"HostInfo|ip_address\"]\r\n })\r\nreturn msg\r\n```\r\n\r\nThe `HostInfo|ip_address` value for\r\neach item is captured. An array with just the ip addresses of the hosts which\r\nwere returned in the search results is set onto the `msg.payload` property.\r\n\r\n#### Output IP addresses\r\n\r\nThis is a `debug` output node. This node outputs the array of host IP addresses\r\nwritten to the `msg.payload` property by the `Extract host IP addresses` node."
},
{
"id": "e18fdc9e.6feae",
"type": "dxl-mar-search",
"z": "4d70f507.87bd5c",
"name": "Search MAR for hosts",
"pollInterval": 5,
"client": "2ed0ce07.039942",
"projections": "",
"limit": "10",
"textFilter": "",
"sortBy": "",
"sortDirection": "",
"returnType": "obj",
"x": 280,
"y": 220,
"wires": [
[
"be60e18f.08cfb"
]
]
},
{
"id": "340bdcc6.7f4904",
"type": "inject",
"z": "4d70f507.87bd5c",
"name": "Specify search projections",
"topic": "",
"payload": "[{\"name\":\"HostInfo\",\"outputs\":[\"ip_address\"]}]",
"payloadType": "json",
"repeat": "",
"crontab": "",
"once": false,
"onceDelay": 0.1,
"x": 150,
"y": 40,
"wires": [
[
"a2cb13bf.388be"
]
]
},
{
"id": "39e7184f.da87a8",
"type": "debug",
"z": "4d70f507.87bd5c",
"name": "Debug: Output IP addresses",
"active": true,
"tosidebar": true,
"console": false,
"tostatus": false,
"complete": "payload",
"x": 480,
"y": 420,
"wires": []
},
{
"id": "be60e18f.08cfb",
"type": "function",
"z": "4d70f507.87bd5c",
"name": "Extract host IP addresses",
"func": "msg.payload = \n msg.payload.map(function (processEntry) {\n return processEntry.output[\"HostInfo|ip_address\"]\n })\nreturn msg",
"outputs": 1,
"noerr": 0,
"x": 390,
"y": 320,
"wires": [
[
"39e7184f.da87a8"
]
]
},
{
"id": "a2cb13bf.388be",
"type": "change",
"z": "4d70f507.87bd5c",
"name": "Set projections request parameter",
"rules": [
{
"t": "set",
"p": "projections",
"pt": "msg",
"to": "payload",
"tot": "msg"
}
],
"action": "",
"property": "",
"from": "",
"to": "",
"reg": false,
"x": 260,
"y": 120,
"wires": [
[
"e18fdc9e.6feae"
]
]
}
]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment