Created
November 5, 2018 15:30
-
-
Save scottbrumley/5a3bc86436b187d667ef652ea1f80902 to your computer and use it in GitHub Desktop.
FireEye to McAfee TIE file reputation flow for Node Red
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[ | |
{ | |
"id": "23e49c5a.b408a4", | |
"type": "tab", | |
"label": "FireEye To McAfee TIE", | |
"disabled": false, | |
"info": "" | |
}, | |
{ | |
"id": "17ee602d.c4b03", | |
"type": "dxl-core-event out", | |
"z": "23e49c5a.b408a4", | |
"name": "", | |
"topic": "/vendor/fireeye", | |
"client": "", | |
"x": 836.6666259765625, | |
"y": 187.77777099609375, | |
"wires": [] | |
}, | |
{ | |
"id": "2d49fb9f.cf32a4", | |
"type": "dxl-tie-set-file-reputation", | |
"z": "23e49c5a.b408a4", | |
"name": "", | |
"client": "", | |
"trustLevel": "", | |
"comment": "", | |
"x": 850, | |
"y": 600, | |
"wires": [ | |
[] | |
] | |
}, | |
{ | |
"id": "1c202325.27cea5", | |
"type": "inject", | |
"z": "23e49c5a.b408a4", | |
"name": "FIreEye Major", | |
"topic": "", | |
"payload": "{ \"product\": \"MAS\", \"appliance-id\": \"00:00:00:00:00:00\", \"appliance\": \"fireeye-000000\", \"alert\": { \"src\": { \"url\": \"/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe\" }, \"severity\": \"majr\", \"alert-url\": \"https://fireeye-000000/malware_analysis/analyses?maid=146658\", \"explanation\": { \"malware-detected\": { \"malware\": { \"malicious\": \"yes\", \"executed-at\": \"2017-05-09T14:30:25Z\", \"md5sum\": \"41281428cd6f503f948e931d546e340c\", \"type\": \"exe\", \"name\": \"Trojan.LuminosityLink\" } } }, \"occurred\": \"2017-05-09T14:30:25Z\", \"action\": \"notified\", \"id\": \"146658\", \"name\": \"malware-object\" }, \"version\": \"7.7.5.577562\", \"msg\": \"concise\" }", | |
"payloadType": "json", | |
"repeat": "", | |
"crontab": "", | |
"once": false, | |
"onceDelay": 0.1, | |
"x": 110, | |
"y": 100, | |
"wires": [ | |
[ | |
"7238e123.6bd77" | |
] | |
] | |
}, | |
{ | |
"id": "20683e34.f5e812", | |
"type": "http in", | |
"z": "23e49c5a.b408a4", | |
"name": "", | |
"url": "/fireeye", | |
"method": "post", | |
"upload": true, | |
"swaggerDoc": "", | |
"x": 88, | |
"y": 229, | |
"wires": [ | |
[ | |
"8fb9d3c9.5ca068" | |
] | |
] | |
}, | |
{ | |
"id": "7238e123.6bd77", | |
"type": "json", | |
"z": "23e49c5a.b408a4", | |
"name": "", | |
"property": "payload", | |
"action": "obj", | |
"pretty": false, | |
"x": 310, | |
"y": 60, | |
"wires": [ | |
[ | |
"fb439e70.d0ff8" | |
] | |
] | |
}, | |
{ | |
"id": "5487eba4.8e2994", | |
"type": "dxl-core-event in", | |
"z": "23e49c5a.b408a4", | |
"name": "", | |
"topic": "/vendor/fireeye", | |
"client": "", | |
"payloadType": "txt", | |
"x": 120, | |
"y": 360, | |
"wires": [ | |
[ | |
"7aef7ffb.a89c2" | |
] | |
] | |
}, | |
{ | |
"id": "58127655.09b83", | |
"type": "change", | |
"z": "23e49c5a.b408a4", | |
"name": "Unknown", | |
"rules": [ | |
{ | |
"t": "set", | |
"p": "payload.mcafee-rep", | |
"pt": "msg", | |
"to": "$replace(\t payload.alert.severity,\t \"unkn\",\t \"50\"\t)\t\t", | |
"tot": "jsonata" | |
} | |
], | |
"action": "", | |
"property": "", | |
"from": "", | |
"to": "", | |
"reg": false, | |
"x": 540, | |
"y": 160, | |
"wires": [ | |
[ | |
"3151a163.33b536", | |
"17ee602d.c4b03", | |
"7a874649.67c058" | |
] | |
] | |
}, | |
{ | |
"id": "3151a163.33b536", | |
"type": "debug", | |
"z": "23e49c5a.b408a4", | |
"name": "", | |
"active": true, | |
"tosidebar": true, | |
"console": false, | |
"tostatus": false, | |
"complete": "false", | |
"x": 830, | |
"y": 140, | |
"wires": [] | |
}, | |
{ | |
"id": "acc35bcd.747c5", | |
"type": "inject", | |
"z": "23e49c5a.b408a4", | |
"name": "FireEye Unknown", | |
"topic": "", | |
"payload": "{ \"product\": \"MAS\", \"appliance-id\": \"00:00:00:00:00:00\", \"appliance\": \"fireeye-000000\", \"alert\": { \"src\": { \"url\": \"/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe\" }, \"severity\": \"unkn\", \"alert-url\": \"https://fireeye-000000/malware_analysis/analyses?maid=146658\", \"explanation\": { \"malware-detected\": { \"malware\": { \"malicious\": \"yes\", \"executed-at\": \"2017-05-09T14:30:25Z\", \"md5sum\": \"41281428cd6f503f948e931d546e340c\", \"type\": \"exe\", \"name\": \"Trojan.LuminosityLink\" } } }, \"occurred\": \"2017-05-09T14:30:25Z\", \"action\": \"notified\", \"id\": \"146658\", \"name\": \"malware-object\" }, \"version\": \"7.7.5.577562\", \"msg\": \"concise\" }", | |
"payloadType": "json", | |
"repeat": "", | |
"crontab": "", | |
"once": false, | |
"onceDelay": 0.1, | |
"x": 120, | |
"y": 60, | |
"wires": [ | |
[ | |
"7238e123.6bd77" | |
] | |
] | |
}, | |
{ | |
"id": "30da705d.e77138", | |
"type": "inject", | |
"z": "23e49c5a.b408a4", | |
"name": "FireEye Minor", | |
"topic": "", | |
"payload": "{\"product\":\"MAS\",\"appliance-id\":\"00:00:00:00:00:00\",\"appliance\":\"fireeye-000000\",\"alert\":{\"src\":{\"url\":\"/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe\"},\"severity\":\"minr\",\"alert-url\":\"https://fireeye-000000/malware_analysis/analyses?maid=146658\",\"explanation\":{\"malware-detected\":{\"malware\":{\"malicious\":\"yes\",\"executed-at\":\"2017-05-09T14:30:25Z\",\"md5sum\":\"41281428cd6f503f948e931d546e340c\",\"type\":\"exe\",\"name\":\"Trojan.LuminosityLink\"}}},\"occurred\":\"2017-05-09T14:30:25Z\",\"action\":\"notified\",\"id\":\"146658\",\"name\":\"malware-object\"},\"version\":\"7.7.5.577562\",\"msg\":\"concise\"}", | |
"payloadType": "json", | |
"repeat": "", | |
"crontab": "", | |
"once": false, | |
"onceDelay": 0.1, | |
"x": 110, | |
"y": 140, | |
"wires": [ | |
[ | |
"7238e123.6bd77" | |
] | |
] | |
}, | |
{ | |
"id": "7db19e12.3236f8", | |
"type": "inject", | |
"z": "23e49c5a.b408a4", | |
"name": "Critical", | |
"topic": "", | |
"payload": "{\"product\":\"MAS\",\"appliance-id\":\"00:00:00:00:00:00\",\"appliance\":\"fireeye-000000\",\"alert\":{\"src\":{\"url\":\"/data/share/winxp-sp3/src/41281428cd6f503f948e931d546e340c.exe\"},\"severity\":\"crit\",\"alert-url\":\"https://fireeye-000000/malware_analysis/analyses?maid=146658\",\"explanation\":{\"malware-detected\":{\"malware\":{\"malicious\":\"yes\",\"executed-at\":\"2017-05-09T14:30:25Z\",\"md5sum\":\"41281428cd6f503f948e931d546e340c\",\"type\":\"exe\",\"name\":\"Trojan.LuminosityLink\"}}},\"occurred\":\"2017-05-09T14:30:25Z\",\"action\":\"notified\",\"id\":\"146658\",\"name\":\"malware-object\"},\"version\":\"7.7.5.577562\",\"msg\":\"concise\"}", | |
"payloadType": "json", | |
"repeat": "", | |
"crontab": "", | |
"once": false, | |
"onceDelay": 0.1, | |
"x": 90, | |
"y": 180, | |
"wires": [ | |
[ | |
"7238e123.6bd77" | |
] | |
] | |
}, | |
{ | |
"id": "fb439e70.d0ff8", | |
"type": "switch", | |
"z": "23e49c5a.b408a4", | |
"name": "FireEyeSeverity", | |
"property": "payload.alert.severity", | |
"propertyType": "msg", | |
"rules": [ | |
{ | |
"t": "eq", | |
"v": "unkn", | |
"vt": "str" | |
}, | |
{ | |
"t": "eq", | |
"v": "minr", | |
"vt": "str" | |
}, | |
{ | |
"t": "eq", | |
"v": "majr", | |
"vt": "str" | |
}, | |
{ | |
"t": "eq", | |
"v": "crit", | |
"vt": "str" | |
} | |
], | |
"checkall": "true", | |
"repair": false, | |
"outputs": 4, | |
"x": 510, | |
"y": 50, | |
"wires": [ | |
[ | |
"58127655.09b83" | |
], | |
[ | |
"89c2b8e9.5670d" | |
], | |
[ | |
"6ca092c8.6ce994" | |
], | |
[ | |
"bb303907.1d5fe8" | |
] | |
] | |
}, | |
{ | |
"id": "89c2b8e9.5670d", | |
"type": "change", | |
"z": "23e49c5a.b408a4", | |
"name": "might_be_malicious", | |
"rules": [ | |
{ | |
"t": "set", | |
"p": "payload.mcafee-rep", | |
"pt": "msg", | |
"to": "$replace(\t payload.alert.severity,\t \"minr\",\t \"30\"\t)\t\t", | |
"tot": "jsonata" | |
} | |
], | |
"action": "", | |
"property": "", | |
"from": "", | |
"to": "", | |
"reg": false, | |
"x": 580, | |
"y": 200, | |
"wires": [ | |
[ | |
"17ee602d.c4b03", | |
"3151a163.33b536", | |
"7a874649.67c058" | |
] | |
] | |
}, | |
{ | |
"id": "6ca092c8.6ce994", | |
"type": "change", | |
"z": "23e49c5a.b408a4", | |
"name": "known_malicious", | |
"rules": [ | |
{ | |
"t": "set", | |
"p": "payload.mcafee-rep", | |
"pt": "msg", | |
"to": "$replace(\t payload.alert.severity,\t \"majr\",\t \"1\"\t)\t\t", | |
"tot": "jsonata" | |
} | |
], | |
"action": "", | |
"property": "", | |
"from": "", | |
"to": "", | |
"reg": false, | |
"x": 570, | |
"y": 240, | |
"wires": [ | |
[ | |
"17ee602d.c4b03", | |
"3151a163.33b536", | |
"7a874649.67c058" | |
] | |
] | |
}, | |
{ | |
"id": "bb303907.1d5fe8", | |
"type": "change", | |
"z": "23e49c5a.b408a4", | |
"name": "known_malicious", | |
"rules": [ | |
{ | |
"t": "set", | |
"p": "payload.mcafee-rep", | |
"pt": "msg", | |
"to": "$replace(\t payload.alert.severity,\t \"crit\",\t \"1\"\t)\t\t", | |
"tot": "jsonata" | |
} | |
], | |
"action": "", | |
"property": "", | |
"from": "", | |
"to": "", | |
"reg": false, | |
"x": 570, | |
"y": 280, | |
"wires": [ | |
[ | |
"17ee602d.c4b03", | |
"3151a163.33b536", | |
"7a874649.67c058" | |
] | |
] | |
}, | |
{ | |
"id": "7aef7ffb.a89c2", | |
"type": "json", | |
"z": "23e49c5a.b408a4", | |
"name": "", | |
"property": "payload", | |
"action": "obj", | |
"pretty": false, | |
"x": 290, | |
"y": 360, | |
"wires": [ | |
[ | |
"d43f71b7.7f5108" | |
] | |
] | |
}, | |
{ | |
"id": "408fed1d.0edf7c", | |
"type": "change", | |
"z": "23e49c5a.b408a4", | |
"name": "FileName", | |
"rules": [ | |
{ | |
"t": "set", | |
"p": "fileName", | |
"pt": "msg", | |
"to": "$lookup(msg.payload.alert.explanation, \"malware-detected\").malware.name", | |
"tot": "jsonata" | |
} | |
], | |
"action": "", | |
"property": "", | |
"from": "", | |
"to": "", | |
"reg": false, | |
"x": 740, | |
"y": 360, | |
"wires": [ | |
[ | |
"cc100dd2.9f3a4" | |
] | |
] | |
}, | |
{ | |
"id": "cc100dd2.9f3a4", | |
"type": "change", | |
"z": "23e49c5a.b408a4", | |
"name": "Comment", | |
"rules": [ | |
{ | |
"t": "set", | |
"p": "comment", | |
"pt": "msg", | |
"to": "Reputation set via OpenDXL", | |
"tot": "str" | |
} | |
], | |
"action": "", | |
"property": "", | |
"from": "", | |
"to": "", | |
"reg": false, | |
"x": 640, | |
"y": 440, | |
"wires": [ | |
[ | |
"de4190c3.1cee48", | |
"2d49fb9f.cf32a4" | |
] | |
] | |
}, | |
{ | |
"id": "de4190c3.1cee48", | |
"type": "debug", | |
"z": "23e49c5a.b408a4", | |
"name": "", | |
"active": false, | |
"tosidebar": true, | |
"console": false, | |
"tostatus": false, | |
"complete": "true", | |
"x": 810, | |
"y": 540, | |
"wires": [] | |
}, | |
{ | |
"id": "1e78a28d.a27135", | |
"type": "change", | |
"z": "23e49c5a.b408a4", | |
"name": "TrustLevel", | |
"rules": [ | |
{ | |
"t": "set", | |
"p": "trustLevel", | |
"pt": "msg", | |
"to": "payload.mcafee-rep", | |
"tot": "msg" | |
} | |
], | |
"action": "", | |
"property": "", | |
"from": "", | |
"to": "", | |
"reg": false, | |
"x": 590, | |
"y": 360, | |
"wires": [ | |
[ | |
"408fed1d.0edf7c" | |
] | |
] | |
}, | |
{ | |
"id": "d43f71b7.7f5108", | |
"type": "change", | |
"z": "23e49c5a.b408a4", | |
"name": "MD5 Hash", | |
"rules": [ | |
{ | |
"t": "set", | |
"p": "hashes", | |
"pt": "msg", | |
"to": "{\"md5\":$lookup(msg.payload.alert.explanation, \"malware-detected\").malware.md5sum}", | |
"tot": "jsonata" | |
} | |
], | |
"action": "", | |
"property": "", | |
"from": "", | |
"to": "", | |
"reg": false, | |
"x": 430, | |
"y": 360, | |
"wires": [ | |
[ | |
"1e78a28d.a27135" | |
] | |
] | |
}, | |
{ | |
"id": "bf0ef69e.ca4ff8", | |
"type": "debug", | |
"z": "23e49c5a.b408a4", | |
"name": "", | |
"active": false, | |
"tosidebar": true, | |
"console": false, | |
"tostatus": false, | |
"complete": "payload", | |
"x": 358.5, | |
"y": 317, | |
"wires": [] | |
}, | |
{ | |
"id": "8fb9d3c9.5ca068", | |
"type": "node-red-contrib-httpauth", | |
"z": "23e49c5a.b408a4", | |
"name": "FireEye Authentication", | |
"file": "", | |
"cred": "", | |
"authType": "Basic", | |
"realm": "", | |
"username": "fireeye", | |
"password": "fireeye", | |
"hashed": false, | |
"x": 133.5, | |
"y": 278, | |
"wires": [ | |
[ | |
"bf0ef69e.ca4ff8", | |
"7238e123.6bd77" | |
] | |
] | |
}, | |
{ | |
"id": "7a874649.67c058", | |
"type": "template", | |
"z": "23e49c5a.b408a4", | |
"name": "", | |
"field": "payload", | |
"fieldType": "msg", | |
"format": "handlebars", | |
"syntax": "mustache", | |
"template": "<html> \n <head>\n </head>\n <body>\n <h1>FireEye To McAfee TIE File Reputation Set!</h1>\n Filename: {{ payload.alert.explanation.malware-detected.malware.name }}<br>\n MD5: {{ payload.alert.explanation.malware-detected.malware.md5sum }}<br>\n FireEye Severity: {{ payload.alert.severity }}\n McAfee Reputation Score: {{ payload.mcafee-rep }}\n </body>\n</html> ", | |
"output": "str", | |
"x": 819.4444580078125, | |
"y": 246.66665649414062, | |
"wires": [ | |
[ | |
"e02d1a12.1530b" | |
] | |
] | |
}, | |
{ | |
"id": "e02d1a12.1530b", | |
"type": "http response", | |
"z": "23e49c5a.b408a4", | |
"name": "", | |
"statusCode": "", | |
"headers": {}, | |
"x": 870.5555555555555, | |
"y": 302.22222222222223, | |
"wires": [] | |
} | |
] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment