Created
October 4, 2018 23:24
This Node-RED flow invokes the TIE DXL service to retrieve the reputation of a file (as identified by hashes).
[
    {
        "id": "39707d18.0f97d2",
        "type": "tab",
        "label": "TIE Get File Reputation Example",
        "disabled": false,
        "info": "This sample invokes the TIE DXL service to retrieve the reputation of a file (as\r\nidentified by hashes). The response to the TIE request is printed to the\r\nNode-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n  [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A TIE service is available on the DXL fabric.\r\n\r\n### Setup\r\n\r\n* To deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n  screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n  with the word `connected` should appear under the `Get reputation from TIE`\r\n  node.\r\n\r\n### Running\r\n\r\nTo exercise the flow for the \"notepad.exe\" file, double-click the button on the\r\nleft side of the `Start Notepad.exe lookup flow` node.\r\n\r\nTo exercise the flow for the \"EICAR Standard Anti-Virus Test File\" file,\r\ndouble-click the button on the left side of the `Start EICAR lookup flow` node.\r\n\r\n### Output\r\n\r\nThe output in the Node-RED `debug` tab after the flow is run for the\r\n`notepad.exe` file should appear similar to the following:\r\n\r\n```\r\n▶ { 1: object, 3: object }\r\n```\r\n\r\nClick on the right arrow buttons to expand the contents of the object. The\r\ncontent should look similar to the following:\r\n\r\n```\r\n▼ object\r\n  ▼ 1: object\r\n    ▼ attributes: object\r\n      2120340: \"2139160704\"\r\n    createDate: 1451502875\r\n    providerId: 1\r\n    trustLevel: 99\r\n  ▼ 3: object\r\n    ▼ attributes: object\r\n      2101652: \"17\"\r\n      2102165: \"1451502875\"\r\n      2111893: \"21\"\r\n      2114965: \"0\"\r\n      2139285: \"72339069014638857\"\r\n    createDate: 1526675921\r\n    providerId: 3\r\n    trustLevel: 99\r\n```\r\n\r\nThe `key` for each entry in the object corresponds to a particular `provider` of\r\nthe associated `reputation`. The list of file reputation providers can\r\nbe found in the\r\n[FileProvider documentation](https://opendxl.github.io/opendxl-tie-client-javascript/jsdoc/module-FileProvider.html)\r\nin the TIE JavaScript client SDK.\r\n\r\nThe McAfee Global Threat Intelligence (GTI) service is identified in the results\r\nas `providerId: 1`. The trust level associated with the GTI response\r\n(`trustLevel: 99`) indicates that the file is known good.\r\n\r\nThe output in the Node-RED `debug` tab after the flow is run for the `EICAR`\r\nfile should also appear similar to the following:\r\n\r\n```\r\n▶ { 1: object, 3: object }\r\n```\r\n\r\nClick on the right arrow buttons to expand the contents of the object. The\r\ncontent should look similar to the following:\r\n\r\n```\r\n▼ object\r\n  ▼ 1: object\r\n    ▼ attributes: object\r\n      2120340: \"2139162632\"\r\n    createDate: 1451504331\r\n    providerId: 1\r\n    trustLevel: 1\r\n  ▼ 3: object\r\n    ▼ attributes: object\r\n      2101652: \"11\"\r\n      2102165: \"1451504331\"\r\n      2111893: \"22\"\r\n      2114965: \"0\"\r\n      2139285: \"72339069014638857\"\r\n    createDate: 1451504331\r\n    providerId: 3\r\n    trustLevel: 0\r\n```\r\n\r\nThe trust level associated with the GTI response (`trustLevel: 1`) indicates\r\nthat the file is known bad.\r\n\r\nSee the\r\n[TrustLevel documentation](https://opendxl.github.io/opendxl-tie-client-javascript/jsdoc/module-TrustLevel.html)\r\nin the TIE JavaScript client SDK for the list of standard trust levels.\r\n\r\n### Details\r\n\r\nThe flow exercises the nodes below.\r\n\r\n#### Start lookup flow\r\n\r\nThese are `inject` input nodes which start the flow.\r\n\r\n#### Set hashes request parameter\r\n\r\nThese are `change` nodes which set values for different hash types —\r\n`md5`, `sha1`, and `sha256` — onto an object which is stored to the\r\n`hashes` property on the message. The `Get reputation from TIE` node uses\r\nthe `hashes` property when constructing the parameters for the TIE reputation\r\nrequest.\r\n\r\n#### Get reputation from TIE\r\n\r\nThis is a `tie get file reputation` node. This node connects to\r\nthe DXL fabric and sends a DXL `Request` message to the TIE service to look up\r\nfile reputation information.\r\n\r\nThe request message includes the `hashes` properties set by the\r\n`Set hashes request parameter` nodes.\r\n\r\nThe `Return` property is set to \"a parsed JSON object\" to indicate that the\r\npayload for the response should be added to the output message as a JavaScript\r\nobject decoded from JSON.\r\n\r\n#### Output reputation\r\n\r\nThis is a `debug` output node. This node outputs the `payload` set on\r\nthe message by the `Get reputation from TIE` node. The output should\r\ninclude the reputation data for the file."
    },
    {
        "id": "51a672e5.8eeacc",
        "type": "dxl-tie-get-file-reputation",
        "z": "39707d18.0f97d2",
        "name": "Get reputation from TIE",
        "client": "2ed0ce07.039942",
        "returnType": "obj",
        "x": 650,
        "y": 200,
        "wires": [
            [
                "5fba5195.75416"
            ]
        ]
    },
    {
        "id": "5fba5195.75416",
        "type": "debug",
        "z": "39707d18.0f97d2",
        "name": "Debug: Output reputation",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": false,
        "complete": "payload",
        "x": 770,
        "y": 300,
        "wires": []
    },
    {
        "id": "6f2b0eb8.3ccf1",
        "type": "change",
        "z": "39707d18.0f97d2",
        "name": "Set hashes request parameter for Notepad.exe",
        "rules": [
            {
                "t": "set",
                "p": "hashes",
                "pt": "msg",
                "to": "payload",
                "tot": "msg"
            },
            {
                "t": "set",
                "p": "hashes.md5",
                "pt": "msg",
                "to": "f2c7bb8acc97f92e987a2d4087d021b1",
                "tot": "str"
            },
            {
                "t": "set",
                "p": "hashes.sha1",
                "pt": "msg",
                "to": "7eb0139d2175739b3ccb0d1110067820be6abd29",
                "tot": "str"
            },
            {
                "t": "set",
                "p": "hashes.sha256",
                "pt": "msg",
                "to": "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2",
                "tot": "str"
            }
        ],
        "action": "",
        "property": "",
        "from": "",
        "to": "",
        "reg": false,
        "x": 300,
        "y": 120,
        "wires": [
            [
                "51a672e5.8eeacc"
            ]
        ]
    },
    {
        "id": "373b1de9.ad69a2",
        "type": "change",
        "z": "39707d18.0f97d2",
        "name": "Set hashes request parameter for EICAR",
        "rules": [
            {
                "t": "set",
                "p": "hashes",
                "pt": "msg",
                "to": "payload",
                "tot": "msg"
            },
            {
                "t": "set",
                "p": "hashes.md5",
                "pt": "msg",
                "to": "44d88612fea8a8f36de82e1278abb02f",
                "tot": "str"
            },
            {
                "t": "set",
                "p": "hashes.sha1",
                "pt": "msg",
                "to": "3395856ce81f2b7382dee72602f798b642f14140",
                "tot": "str"
            },
            {
                "t": "set",
                "p": "hashes.sha256",
                "pt": "msg",
                "to": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
                "tot": "str"
            }
        ],
        "action": "",
        "property": "",
        "from": "",
        "to": "",
        "reg": false,
        "x": 280,
        "y": 300,
        "wires": [
            [
                "51a672e5.8eeacc"
            ]
        ]
    },
    {
        "id": "b473334d.8f843",
        "type": "inject",
        "z": "39707d18.0f97d2",
        "name": "Start Notepad.exe lookup flow",
        "topic": "",
        "payload": "{}",
        "payloadType": "json",
        "repeat": "",
        "crontab": "",
        "once": false,
        "onceDelay": 0.1,
        "x": 160,
        "y": 40,
        "wires": [
            [
                "6f2b0eb8.3ccf1"
            ]
        ]
    },
    {
        "id": "2a870a65.7cfd26",
        "type": "inject",
        "z": "39707d18.0f97d2",
        "name": "Start EICAR lookup flow",
        "topic": "",
        "payload": "{}",
        "payloadType": "json",
        "repeat": "",
        "crontab": "",
        "once": false,
        "onceDelay": 0.1,
        "x": 140,
        "y": 200,
        "wires": [
            [
                "373b1de9.ad69a2"
            ]
        ]
    }
]