Chris Smith chrissmith-mcafee

@chrissmith-mcafee
chrissmith-mcafee / gist:962ac3456842c88610c97e5129b1b9f2
Last active May 17, 2018 22:47
Persist ePO Threat Events in Elasticsearch
[
{
"id": "7b37e26c.74758c",
"type": "tab",
"label": "Persist ePO Threat Events in Elasticsearch",
"disabled": false,
"info": ""
},
{
"id": "42926814.22ae18",
@chrissmith-mcafee
chrissmith-mcafee / gist:f0f118cbe87a6ff8ac7590c33848705e
Created May 17, 2018 22:52
Tag System in ePO when Cisco ISE Policy Applied
[
{
"id": "3fdb538d.d675ac",
"type": "tab",
"label": "Tag System when ISE Policy Applied",
"disabled": false,
"info": ""
},
{
"id": "9f34056c.e12c6",
@chrissmith-mcafee
chrissmith-mcafee / mar-basic-paging-example.json
Created October 3, 2018 22:44
This Node-RED flow executes a `McAfee Active Response` search for the running processes on a particular endpoint as specified by its IP address. The names of the processes found are retrieved and captured one page (up to 5 items) at a time.
[
{
"id": "15c35c35.087ac4",
"type": "tab",
"label": "MAR Basic Paging Example",
"disabled": false,
"info": "This sample executes a `McAfee Active Response` search for the running processes\r\non a particular endpoint as specified by its IP address. The names of the\r\nprocesses found are retrieved and captured one page (up to 5 items) at a time.\r\nThe resulting process names captured across all pages are displayed on the\r\nNode-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A McAfee Active Response (MAR) service is available on the DXL fabric.\r\n* The DXL client associated with the\r\n`Search MAR for host` node has been authorized to perform MAR searches\r\n (see [Authorize Client to Perform MAR Search](https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html)).\r\n\r\n### S
@chrissmith-mcafee
chrissmith-mcafee / mar-basic-search-example.json
Created October 3, 2018 23:03
This Node-RED flow executes a `McAfee Active Response` search for the IP addresses of hosts that have an Active Response client installed.
[
{
"id": "4d70f507.87bd5c",
"type": "tab",
"label": "MAR Basic Search Example",
"disabled": false,
"info": "This sample executes a `McAfee Active Response` search for the IP addresses of\r\nhosts that have an Active Response client installed. The IP addresses found are\r\ndisplayed on the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A McAfee Active Response (MAR) service is available on the DXL fabric.\r\n* The DXL client associated with the\r\n`Search MAR for hosts` node has been authorized to perform MAR searches\r\n (see [Authorize Client to Perform MAR Search](https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html)).\r\n\r\n### Setup\r\n\r\nTo deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly co
@chrissmith-mcafee
chrissmith-mcafee / epo-basic-threat-event-receive-example.json
Created October 3, 2018 23:14
This Node-RED flow registers with the DXL fabric to receive threat event notifications from ePO via the ePO DXL service.
[
{
"id": "ed863b5.ec467c8",
"type": "tab",
"label": "ePO Receive Threat Event Example",
"disabled": false,
"info": "This sample registers with the DXL fabric to receive threat event notifications\r\nfrom ePO via the ePO DXL service. The payload in the event message received from\r\nthe DXL fabric is printed to the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* The client is authorized to receive \"ePO Threat Event Automatic Response Events\"\r\n (see [Client Authorization](https://opendxl.github.io/opendxl-epo-service-python/pydoc/authorization.html#client-authorization)).\r\n* Under the `Automatic Responses` page on the ePO server, ensure that a\r\n `Send Threat Event via DXL` response is set to `Enabled`.\r\n\r\n### Setup\r\n\r\n* To deploy the flow, press the `Deploy` button in the
@chrissmith-mcafee
chrissmith-mcafee / epo-basic-system-apply-tag-example.json
Created October 4, 2018 23:07
This Node-RED flow invokes and displays the results of a `system.applyTag` remote command via the ePO DXL service.
[
{
"id": "3cab471f.fbdca8",
"type": "tab",
"label": "ePO System Apply Tag Example",
"disabled": false,
"info": "This sample invokes and displays the results of a `system.applyTag` remote\r\ncommand via the ePO DXL service. The results of the apply command are displayed\r\non the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A ePO DXL service is running and available on the DXL fabric. If version 5.0\r\n or later of the DXL ePO extensions are installed on your ePO server, an ePO\r\n DXL service should already be running on the fabric. If you are using an\r\n earlier version of the DXL ePO extensions, you can use the\r\n [ePO DXL Python Service](https://github.com/opendxl/opendxl-epo-service-python).\r\n* The DXL client associated with the `Apply system tag in ePO` node is\r\n author
@chrissmith-mcafee
chrissmith-mcafee / epo-basic-system-clear-tag-example.json
Created October 4, 2018 23:16
This Node-RED flow invokes and displays the results of a `system.clearTag` remote command via the ePO DXL service.
[
{
"id": "1723c736.e448e9",
"type": "tab",
"label": "ePO System Clear Tag Example",
"disabled": false,
"info": "This sample invokes and displays the results of a `system.clearTag` remote\r\ncommand via the ePO DXL service. The results of the clear command are displayed\r\non the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A ePO DXL service is running and available on the DXL fabric. If version 5.0\r\n or later of the DXL ePO extensions are installed on your ePO server, an ePO\r\n DXL service should already be running on the fabric. If you are using an\r\n earlier version of the DXL ePO extensions, you can use the\r\n [ePO DXL Python Service](https://github.com/opendxl/opendxl-epo-service-python).\r\n* The DXL client associated with the `Clear system tag from ePO` node is\r\n auth
@chrissmith-mcafee
chrissmith-mcafee / tie-basic-get-file-reputation-example.json
Created October 4, 2018 23:24
This Node-RED flow invokes the TIE DXL service to retrieve the reputation of a file (as identified by hashes).
[
{
"id": "39707d18.0f97d2",
"type": "tab",
"label": "TIE Get File Reputation Example",
"disabled": false,
"info": "This sample invokes the TIE DXL service to retrieve the reputation of a file (as\r\nidentified by hashes). The response to the TIE request is printed to the\r\nNode-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A TIE service is available on the DXL fabric.\r\n\r\n### Setup\r\n\r\n* To deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the `Get reputation from TIE`\r\n node.\r\n\r\n### Running\r\n\r\nTo exercise the flow for the \"notepad.exe\" file, double-click the button on the\r\nleft side of the `Start Notepad.exe lo
@chrissmith-mcafee
chrissmith-mcafee / tie-basic-get-cert-reputation-example.json
Created October 4, 2018 23:34
This Node-RED flow invokes the TIE DXL service to retrieve the reputation of a certificate (as identified by hashes).
[
{
"id": "e6aa430b.c2db4",
"type": "tab",
"label": "TIE Get Certificate Reputation Example",
"disabled": false,
"info": "This sample invokes the TIE DXL service to retrieve the reputation of a\r\ncertificate (as identified by hashes). The response to the TIE request is\r\nprinted to the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A TIE service is available on the DXL fabric.\r\n\r\n### Setup\r\n\r\n* Edit the `Specify hash request parameters` node and modify the `msg.sha1`\r\n rule with the hash of the certificate and the `msg.publicKeySha1` rule with\r\n the hash of the public key that you want to use for the lookup. Note that\r\n the `msg.publicKeySha1` property is optional so this value can be set to an\r\n empty string or the property may be removed entirely if the public key
@chrissmith-mcafee
chrissmith-mcafee / epo-basic-threat-event-create-example.json
Created October 5, 2018 15:44
This Node-RED flow invokes and displays the results of a `DxlBrokerMgmt.createEpoThreatEvent` remote command via the ePO DXL service.
[
{
"id": "a1d1dbd.b4d6328",
"type": "tab",
"label": "ePO Create Threat Event Example",
"disabled": false,
"info": "This sample invokes and displays the results of a\n`DxlBrokerMgmt.createEpoThreatEvent` remote command via the ePO DXL service.\nThe results of the event creation command are displayed on the Node-RED `debug`\ntab.\n\n### Prerequisites\n\n* The samples configuration step has been completed (see\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\n* A ePO DXL service is running and available on the DXL fabric. If version 5.0\n or later of the DXL ePO extensions are installed on your ePO server, an ePO\n DXL service should already be running on the fabric. If you are using an\n earlier version of the DXL ePO extensions, you can use the\n [ePO DXL Python Service](https://github.com/opendxl/opendxl-epo-service-python).\n* The DXL client associated with the `Create threat event in ePO` node is\n