Created October 3, 2018 23:03
This Node-RED flow executes a `McAfee Active Response` search for the IP addresses of hosts that have an Active Response client installed.
```json
[
  {
    "id": "4d70f507.87bd5c",
    "type": "tab",
    "label": "MAR Basic Search Example",
    "disabled": false,
    "info": "This sample executes a `McAfee Active Response` search for the IP addresses of\r\nhosts that have an Active Response client installed. The IP addresses found are\r\ndisplayed on the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A McAfee Active Response (MAR) service is available on the DXL fabric.\r\n* The DXL client associated with the\r\n`Search MAR for hosts` node has been authorized to perform MAR searches\r\n (see [Authorize Client to Perform MAR Search](https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html)).\r\n\r\n### Setup\r\n\r\nTo deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the `Search MAR for hosts` node.\r\n\r\n### Running\r\n\r\nTo exercise the flow, double-click the button on the left side of the\r\n`Specify search projections` node.\r\n\r\n### Output\r\n\r\nThe IP addresses found should appear in the Node-RED `debug` tab. For example:\r\n\r\n~~~\r\n[ \"192.168.130.152\", \"192.168.130.133\"]\r\n~~~\r\n\r\n### Details\r\n\r\nThe flow exercises the nodes below.\r\n\r\n#### Specify search projections\r\n\r\nThis is an `inject` input node which starts the flow. This node injects a new\r\nmessage with a `payload` property which specifies that the IP addresses of\r\nhosts which are found should be projected into the search results:\r\n\r\n```json\r\n[\r\n {\r\n \"name\": \"HostInfo\",\r\n \"outputs\": [\r\n \"ip_address\"\r\n ]\r\n }\r\n]\r\n```\r\n\r\n#### Set projections request parameter\r\n\r\nThis is a `change` node which copies the value from the `payload` property on\r\nthe message to the `projections` property. The `Search MAR for hosts` node uses\r\nthe `projections` property when constructing the parameters for the MAR search. \r\n\r\n#### Search MAR for hosts\r\n\r\nThis is a `mar search` node. This node connects to the DXL fabric and sends a\r\nsearch request to the MAR service using the `msg.projections` property set by\r\nthe `Set projections request parameter` node.\r\n\r\nThe `Limit` property specifies that up to the first \"10\" result items should be\r\nprovided.\r\n\r\nThe `Return` property is set to \"a parsed JSON object\" to indicate that the\r\n`payload` for the response should be added to the output message as a JavaScript\r\nobject decoded from JSON.\r\n\r\n#### Extract host IP addresses\r\n\r\nThis is a `function` node. This node includes a JavaScript code snippet which\r\niterates over the search result items that were set on the `msg.payload`\r\nproperty by the `Search MAR for hosts` node. The source code for the code\r\nsnippet is included below:\r\n\r\n```javascript\r\nmsg.payload = \r\n msg.payload.map(function (processEntry) {\r\n return processEntry.output[\"HostInfo|ip_address\"]\r\n })\r\nreturn msg\r\n```\r\n\r\nThe `HostInfo|ip_address` value for\r\neach item is captured. An array with just the ip addresses of the hosts which\r\nwere returned in the search results is set onto the `msg.payload` property.\r\n\r\n#### Output IP addresses\r\n\r\nThis is a `debug` output node. This node outputs the array of host IP addresses\r\nwritten to the `msg.payload` property by the `Extract host IP addresses` node."
  },
  {
    "id": "e18fdc9e.6feae",
    "type": "dxl-mar-search",
    "z": "4d70f507.87bd5c",
    "name": "Search MAR for hosts",
    "pollInterval": 5,
    "client": "2ed0ce07.039942",
    "projections": "",
    "limit": "10",
    "textFilter": "",
    "sortBy": "",
    "sortDirection": "",
    "returnType": "obj",
    "x": 280,
    "y": 220,
    "wires": [
      [
        "be60e18f.08cfb"
      ]
    ]
  },
  {
    "id": "340bdcc6.7f4904",
    "type": "inject",
    "z": "4d70f507.87bd5c",
    "name": "Specify search projections",
    "topic": "",
    "payload": "[{\"name\":\"HostInfo\",\"outputs\":[\"ip_address\"]}]",
    "payloadType": "json",
    "repeat": "",
    "crontab": "",
    "once": false,
    "onceDelay": 0.1,
    "x": 150,
    "y": 40,
    "wires": [
      [
        "a2cb13bf.388be"
      ]
    ]
  },
  {
    "id": "39e7184f.da87a8",
    "type": "debug",
    "z": "4d70f507.87bd5c",
    "name": "Debug: Output IP addresses",
    "active": true,
    "tosidebar": true,
    "console": false,
    "tostatus": false,
    "complete": "payload",
    "x": 480,
    "y": 420,
    "wires": []
  },
  {
    "id": "be60e18f.08cfb",
    "type": "function",
    "z": "4d70f507.87bd5c",
    "name": "Extract host IP addresses",
    "func": "msg.payload = \n msg.payload.map(function (processEntry) {\n return processEntry.output[\"HostInfo|ip_address\"]\n })\nreturn msg",
    "outputs": 1,
    "noerr": 0,
    "x": 390,
    "y": 320,
    "wires": [
      [
        "39e7184f.da87a8"
      ]
    ]
  },
  {
    "id": "a2cb13bf.388be",
    "type": "change",
    "z": "4d70f507.87bd5c",
    "name": "Set projections request parameter",
    "rules": [
      {
        "t": "set",
        "p": "projections",
        "pt": "msg",
        "to": "payload",
        "tot": "msg"
      }
    ],
    "action": "",
    "property": "",
    "from": "",
    "to": "",
    "reg": false,
    "x": 260,
    "y": 120,
    "wires": [
      [
        "e18fdc9e.6feae"
      ]
    ]
  }
]
```
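The `Extract host IP addresses` function node in the flow above assumes that `msg.payload` is an array and that every item carries `output["HostInfo|ip_address"]`; if the MAR service hands back an item without that field, or a payload that is not an array at all, the `.map` call throws and the flow stops with an error, and whatever string the field does contain is forwarded unchecked to the next node. The block below is an added example, not part of this gist or of the OpenDXL Node-RED nodes, that reproduces the flow's two message transformations (the `change` node and the `function` node) as plain functions so they can be run and tested outside Node-RED, with a hardened extractor that skips malformed items, accepts a value only if it is a well-formed IPv4 address, and drops duplicate hosts. The function names, the `SAMPLE_RESULTS` array and the item fields other than `output` (`id`, `count`, `created_at`) are constructed for illustration of the shape the search node delivers when `Return` is "a parsed JSON object"; only the `HostInfo|ip_address` key comes from the page.

```javascript
// Added example (not from the gist): the flow's two message transformations
// as stand-alone functions, with a hardened version of the IP extractor.
// SAMPLE_RESULTS is constructed; only the "HostInfo|ip_address" key is taken
// from the gist's function node.

// Mirrors the `Set projections request parameter` change node: copy
// msg.payload into msg.projections and leave the rest of the message alone.
// Rejects anything that is not an array of projection objects up front so a
// bad inject payload fails here rather than inside the MAR search node.
function setProjections(msg) {
  if (!Array.isArray(msg.payload)) {
    throw new TypeError("projections must be an array of {name, outputs} objects");
  }
  return Object.assign({}, msg, { projections: msg.payload });
}

// Conservative IPv4 check: four dotted decimal octets, each 0-255, nothing else.
const IPV4 =
  /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// Hardened replacement for the `Extract host IP addresses` function node.
// Unlike the gist's one-liner it tolerates a non-array payload, items with no
// `output` object or without the projected key, and values that are not IPv4
// addresses, and it de-duplicates hosts that appear more than once.
function extractHostIps(msg) {
  const items = Array.isArray(msg.payload) ? msg.payload : [];
  const seen = new Set();
  const ips = [];
  for (const item of items) {
    const value = item && item.output && item.output["HostInfo|ip_address"];
    if (typeof value !== "string" || !IPV4.test(value) || seen.has(value)) {
      continue; // malformed item, non-IP value, or a host we already have
    }
    seen.add(value);
    ips.push(value);
  }
  return Object.assign({}, msg, { payload: ips });
}

// Constructed stand-in for what the MAR search node sets on msg.payload:
// one item per result, projected fields under `output` keyed "<Collector>|<field>".
const SAMPLE_RESULTS = [
  { id: "1", count: 1, created_at: "2018-10-03T23:03:00.000Z",
    output: { "HostInfo|ip_address": "192.168.130.152" } },
  { id: "2", count: 1, created_at: "2018-10-03T23:03:00.000Z",
    output: { "HostInfo|ip_address": "192.168.130.133" } },
  { id: "3", count: 1, created_at: "2018-10-03T23:03:00.000Z",
    output: { "HostInfo|ip_address": "192.168.130.152" } },      // duplicate host
  { id: "4", count: 1, created_at: "2018-10-03T23:03:00.000Z",
    output: {} },                                                  // projection missing
  { id: "5", count: 1, created_at: "2018-10-03T23:03:00.000Z",
    output: { "HostInfo|ip_address": "not-an-ip; rm -rf /" } },    // garbage value
];

// Runs the flow end to end with the constructed results standing in for the
// DXL round trip: inject -> change -> (search) -> function.
function runFlow() {
  const injected = { payload: [{ name: "HostInfo", outputs: ["ip_address"] }] };
  const withProjections = setProjections(injected);
  // In Node-RED the search node would now query the fabric using
  // withProjections.projections; here the constructed results are substituted.
  const searchResponse = Object.assign({}, withProjections, { payload: SAMPLE_RESULTS });
  return extractHostIps(searchResponse);
}

// Same output the `debug` node would show for the sample above.
console.log(JSON.stringify(runFlow().payload));
```

Run with `node` to print the de-duplicated, validated array; in Node-RED, the body of `extractHostIps` can be dropped into the function node with `return Object.assign(...)` replaced by assigning `msg.payload = ips; return msg;`.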