Tutorial: Basic Threat Event Callback Example

Basic Threat Event Callback Example

This sample demonstrates registering a callback with the DXL fabric to receive threat events when ePO sends them. The topic and payload for each event which is received is displayed in JSON format.

Prerequisites

  • The samples configuration step has been completed (see Samples).
  • The client is authorized to receive "ePO Threat Event Automatic Response Events" (see Client Authorization).

Running

To run this sample execute the sample/basic/basic-threat-event-callback-example.js script as follows:

$ node sample/basic/basic-threat-event-callback-example.js

The output should appear similar to the following:

Waiting for threat event notifications...

At this point the sample is listening for threat events from the DXL fabric.

The actual steps to force a threat event to be sent by ePO are outside the scope of this client library. After the event has been sent, the event information should appear with the console that the sample is running (similar to the output below):

Threat event on topic: /mcafee/event/epo/threat/response
<event json...>

Details

The majority of the sample code is shown below:

// Create the client
var client = new dxl.Client(config)

// Connect to the fabric, supplying a callback function which is invoked
// when the connection has been established
client.connect(function () {
  // Create the ePO client
  var epoClient = new EpoClient(client)

  // Register the ePO threat event callback with the client
  epoClient.addThreatEventCallback(function (threatEventObj, originalEvent) {
    // Display the DXL topic that the event was received on
    console.log('Threat event on topic: ' + originalEvent.destinationTopic)

    // Dump the threat event object
    console.log(MessageUtils.objectToJson(threatEventObj, true))
  })

  // Wait forever
  console.log('Waiting for threat event notifications...')
})

Once a connection is established to the DXL fabric, the callback function supplied to the DXL client instance's connect() method will be invoked. From within the callback function, an EpoClient instance is created.

Next, the EpoClient instance's addThreatEventCallback() method is called with a callback function to invoke as each threat event is received.

When a threat event is received, the event callback is invoked with two parameters:

  • A JavaScript object, threatEventObj, which is decoded from the threat event JSON payload.
  • The full DXL event message which is sent for the threat event.

The threat event object is formatted as a pretty-printed string via a call to the MessageUtils.objectToJson() method and then displayed to the console.