
Table of Contents

Integration Tool Summary for URL ........ 2
About Integration Commands ........ 2
Blacklist/Reputation Check for IP Address ........ 3
Other Useful Sites for Investigation ........ 9
Integration Tool Summary for Script/Tool ........ 10

Modified/Updated by
Balahasan V. | SIEM Engineer

Integration Tool Summary for URL


About Integration Commands
Integration commands leverage the power of security information and event management and broaden its view with external, snap-in
views from appliances such as ArcSight NSP TRM and ArcSight Logger, as well as third-party applications.
Integration commands enable you to link from the ArcSight Console to information in other views and applications. You can
also build and launch commands locally and on remote servers or appliances, using field values in events as command
parameters. You can configure the commands as context-aware, right-click options on different views, resources, and editors
on the ArcSight Console.

Command execution mechanisms:
- URI (HTTP)
- Local script/executable (tool)
- CounterAct Connector (TRM)

Result rendering:
- Internal web browser/external web browser
- Script/executable output
- CounterAct structured result
- Attach to case
- Save to a file

Blacklist/Reputation Check for IP Address


Centralized visibility into global threat activity through integrated threat feeds cannot be relied upon
completely: we use multiple open-source feeds, and even paid threat feeds give us false positives. The only
way to be sure that a correlated event is a true positive is to investigate the feed destinations. Below are a
few open-source URLs and what we are actually investigating for:
- Phishing URL/email blacklists
- Trojan/Botnet watch lists
- Suspicious domain registrations
- Infected IPs from malware victims
- C&C/Botnet communications monitoring
- Dynamic DNS communication
- Fast flux monitoring
- Honeypot threat intelligence
- HTTP Referrer and User Agent profiling
- Malicious nameserver watch lists
- Passive DNS monitoring
- Phishing drop-site monitoring
- Proprietary validation scanners
Investigate: Threat Expert (link no integration)
Command Type: URL
Command Syntax: http://www.threatexpert.com/reports.aspx?find=&x=10&y=7
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: Google Maps Location
Create a pair of commands called "Google Attacker" and "Google Target" respectively, both of the URL
command type, using the following strings:
For Attacker:
Command Type: URL
Command Syntax:
http://maps.google.com/maps?q=${attackerGeoLatitude},${attackerGeoLongitude}
Configuration Name: Investigate: IP GeoLocation
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
For Target:
Command Type: URL
Command Syntax:
http://maps.google.com/maps?q=${targetGeoLatitude},${targetGeoLongitude}
Configuration Name: Investigate: IP GeoLocation
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: Robtex IP Check
Command Type: URL
Command Syntax:
https://www.robtex.com/ip/$selectedItem
https://www.robtex.com/dns/$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: IPVoid Check
Command Type: URL
Command Syntax:
http://www.ipvoid.com/scan/$selectedItem/
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: IP/URL Check-myIP.ms
Command Type: URL
Command Syntax:
http://myip.ms/view/ip_addresses/$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: IP/URL Check-Multirbl.valli
Command Type: URL
Command Syntax:
http://multirbl.valli.org/lookup/$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: mxtoolbox-Blacklist
Command Type: URL
Command Syntax: http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist:$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | IP Address, String
Investigate: mxtoolbox-SMTP Check
Command Type: URL
Command Syntax: http://www.mxtoolbox.com/SuperTool.aspx?action=smtp:$selectedItem
Configuration Name: Investigate: SMTP Check
Configuration Attributes: Internal
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: IP/URL Check-Unmask
Command Type: URL
Command Syntax:
http://www.unmasklinks.com/?domain=$selectedItem&privacy=PUBLIC
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: URL Check AVG
Command Type: URL
Command Syntax:
http://www.avgthreatlabs.com/website-safety-reports/domain/$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: URL Check -Robtex
Command Type: URL
Command Syntax:
https://www.robtex.com/dns/$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: URL Check Hosts-file
Command Type: URL
Command Syntax:
http://hosts-file.net/default.asp?s=$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: URL Check Maldb
Command Type: URL
Command Syntax:
http://maldb.com/$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: URL Check Sucuri
Command Type: URL
Command Syntax:
http://sitecheck.sucuri.net/results/$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: URL Check SiteAdvisor
Command Type: URL
Command Syntax:
http://www.siteadvisor.com/sites/$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: MS Malware Protection Center
Command Type: URL
Command Syntax:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | IP Address, Strings | IP Address, String, All Data Types
Investigate: URL Check URL Void
Command Type: URL
Command Syntax:
http://www.urlvoid.com/scan/$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: URL Check Webutations
Command Type: URL
Command Syntax:
http://www.webutations.net/go/review/$selectedItem
Configuration Name: Investigate: URL Reputation Check
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: Suspected Malware
Command Type: URL
Command Syntax:
www.malwaredomainlist.com/mdl.php?search=$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: URL Check MyWOT
Command Type: URL
Command Syntax:
http://www.checksitesafe.com/site/$selectedItem
Configuration Name: Investigate: URL Reputation Check
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: IP/URL Check WatchGuard
Command Type: URL
Command Syntax:
http://www.reputationauthority.org/lookup.php?ip=$selectedItem
Configuration Name: Investigate: Reputation Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: URL Check Pingdom
Command Type: URL
Command Syntax:
http://tools.pingdom.com/fpt/#!/$selectedItem
Configuration Name: Investigate: Full Site Scan
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: URL Check vURL
Command Type: URL
Command Syntax:
http://vurldissect.co.uk/default.asp?url=http://$selectedItem&btnvURL=Dissect&selUAStr=1&selServer=1&ref=&cbxSource=on&cbxBlacklist=on
Configuration Name: Investigate: Full Site Scan
Configuration Attributes: Internal
Configuration Context: Viewer | All Views| All Selections |All Data Types
Investigate: mxtoolbox-Internet Port Scan
Command Type: URL
Command Syntax: http://www.mxtoolbox.com/SuperTool.aspx?action=scan:$selectedItem
Configuration Name: Investigate: Internet Port Scan
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | IP Address, Strings | IP Address, String, All Data Types
Investigate: Windows Event ID
Command Type: URL
Command Syntax:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=${deviceEventClassId}
Configuration Name: Investigate: Windows Event
Configuration Attributes: Internal
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
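The URL-type commands above all work the same way: the Console substitutes $selectedItem (the cell the analyst right-clicked) or a ${fieldName} event field into the command syntax and opens the result in a browser. The following added example, which is not part of this document or of ArcSight, re-creates that substitution in Python and adds two checks the raw templates do not make: the selected cell must be an IP address or hostname, and every substituted value is percent-encoded, so a field containing characters such as '&', '/' or '#' cannot change the query sent to the lookup site. The templates and field names are the ones on this page; the event dictionary, function names and sample values are constructed for the example.

```python
# Added example, not part of the original ArcSight document: render URL-type
# integration commands from an ESM event, with validation and encoding of the
# substituted values. Templates/field names come from the page; the event dict,
# function names and sample values are constructed here.
import ipaddress
import re
import string
from typing import Mapping, Optional
from urllib.parse import quote

# Command syntaxes copied from the integration command definitions above.
URL_COMMANDS = {
    "Investigate: Robtex IP Check": "https://www.robtex.com/ip/$selectedItem",
    "Investigate: IPVoid Check": "http://www.ipvoid.com/scan/$selectedItem/",
    "Investigate: mxtoolbox-Blacklist":
        "http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist:$selectedItem",
    "Investigate: IP GeoLocation (attacker)":
        "http://maps.google.com/maps?q=${attackerGeoLatitude},${attackerGeoLongitude}",
    "Investigate: Windows Event":
        "http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/"
        "event.aspx?eventid=${deviceEventClassId}",
}

# Hostname check: dot-separated labels of letters, digits and hyphens (RFC 1123 shape).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def is_ip_or_hostname(value: str) -> bool:
    """True when the selected cell is something a reputation lookup can take."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME_RE.match(value) is not None


def render_command(template: str, event: Mapping[str, object],
                   selected_item: Optional[str] = None) -> str:
    """Fill $selectedItem and ${field} placeholders from the event.

    Raises ValueError if the template needs a field the event lacks, or if the
    selected cell is not an IP address or hostname.
    """
    # safe="" makes quote() encode '/', ':', '&', '=' and '#' as well; by
    # default it would leave '/' untouched.
    mapping = {name: quote(str(value), safe="") for name, value in event.items()}
    if selected_item is not None:
        if not is_ip_or_hostname(selected_item):
            raise ValueError(f"selected cell is not an IP address or hostname: {selected_item!r}")
        mapping["selectedItem"] = quote(selected_item, safe="")
    try:
        # string.Template uses the same $name / ${name} syntax as the ESM templates.
        return string.Template(template).substitute(mapping)
    except KeyError as missing:
        raise ValueError(f"event has no field {missing.args[0]!r} required by template") from None


if __name__ == "__main__":
    # Constructed event; in the Console the field values come from the selected event.
    event = {"attackerGeoLatitude": "37.42", "attackerGeoLongitude": "-122.08",
             "deviceEventClassId": "4625"}
    for name, template in URL_COMMANDS.items():
        print(name, "->", render_command(template, event, "203.0.113.5"))
    # A crafted cell value is rejected instead of being spliced into the URL.
    try:
        render_command(URL_COMMANDS["Investigate: mxtoolbox-Blacklist"], event, "1.2.3.4&action=scan")
    except ValueError as err:
        print("rejected:", err)
```

The Console itself performs the substitution for these commands; the point of the example is the two checks. The first rejects a cell whose contents are not a lookup target at all (for example a message field containing query syntax), and the second keeps any characters that do pass the check from being interpreted as URL structure by the lookup site.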
Some of the Snapshots of Integration Commands from ESM:

Other Useful Sites for Investigation:


https://managerip:8443/arcsight/web/manage.jsp
http://urlquery.net
http://www.site24x7.com/web-page-analyzer.html
http://wepawet.iseclab.org/index.php
http://anubis.iseclab.org
http://www.scumware.org/search.scumware
http://www.maxmind.com/en/lookup
http://secunia.com/community/advisories
http://technet.microsoft.com/en-us/security/advisory
http://www.dnsstuff.com
http://www.toolsvoid.com
http://www.sophos.com/en-us/threat-center/threat-analyses.aspx
http://vscan.novirusthanks.org
http://dnslookup.me/dynamic-dns
http://krebsonsecurity.com
http://centralops.net/co
https://www.shadowserver.org/wiki
http://www.emailsherlock.com
http://www.projecthoneypot.org/search_ip.php
http://www.blacklistalert.org
http://www.unmaskparasites.com
http://jsunpack.jeek.org/?
http://www.phishtank.com
http://www.malwareurl.com/listing-urls.php
http://malc0de.com/tools/beautify
http://web-sniffer.net
https://safeweb.norton.com
http://webmastercoffee.com/en/
http://www.dnsinspect.com
http://www.sophos.com/en-us/threat-center/ip-lookup.aspx
http://www.mcafee.com/threat-intelligence/domain/popular.aspx
http://www.waudit.com
http://www.threatexpert.com
https://www.virustotal.com/en
https://malwr.com/submission/
http://virusscan.jotti.org/en
http://www.virscan.org/
http://www.backscatterer.org/index.php?target=test
http://www.microsoft.com/security/portal/threat/threats.aspx?id=1
http://www.malware-analyzer.com/malware-analysis-tools/malware-auto-analysis

Integration Tool Summary for Script/Tool


Sample Integration Tools Used:
- Dig for Windows v9.3.2
- Nmap for Windows v5.21
- Windump v3.9.5
- WinPcap v4.1.2
- PathPing v5.2.3790.0 (Windows Only)
- Nbtstat v5.2.3790.3959 (Windows Only)
- Nessuscmd for Windows v4.2.2 (Build 9129)
Installation - Step 1:
Installation of the Integration Commands requires that the tools and their associated paths be available
before installing the .arb file.
1) Open the ArcSight Console and select "Packages" in the Resource Navigator.
2) Select "Import" and select the location of the "Investigation_Integration_Pack.arb" file.
3) Once imported you will see the following tools under Integration Commands / Configurations:
/All Integration Commands
+ /ArcNet Commands
+ /ArcNet Configurations
/All Files
+ /ArcNet Files
+ /Investigation Integration Apps
+ Investigation Integration Tools
Installation - Step 2:
Various command line utilities have been placed in /All Files/ArcNet Files/Investigation Integration
Apps/Investigation Integration Tools.zip
Download the zip file (right-mouse click > select download) and install the tools in the directory
(C:\arcsight\tools).

The referenced tools must be installed in the following directories, as configured in
the integration commands:
Investigate: DNS Lookup: %arcsight%\tools\dig.exe
Investigate: NBTstat: %system32%\nbtstat.exe
Investigate: NMAP (TCP): %program files%\nmap\nmap.exe
Investigate: NMAP (UDP): %program files%\nmap\nmap.exe
Investigate: Open Shares: %arcsight%\tools\netview.cmd
Investigate: OS Fingerprint: %program files%\nmap\nmap.exe
Investigate: Packet Capture: %arcsight%\tools\windump.exe
Investigate: PathPing: %system32%\pathping.exe
Investigate: Vulnerability Scan: %program files%\tenable\nessus\nessuscmd

Usage:
Once the tools have been installed in the appropriate directories, Integration Commands are available
on right-click context menus from a variety of contexts in the ESM Console including:
- Relevant fields in active channels (e.g. IP address, host name)
- Relevant resources (for example, assets)
- Active Lists, sessions lists, query viewers and channels

Once invoked, a script output or internal browser window will appear where the output of the
integration command can be viewed. The output of script actions will allow analysts to export the
results to a file or add the output to an existing case.
When the output window is closed the command will stop running and be removed from memory.

WinDump Note:
Running multiple instances of memory intensive applications such as WinDump for long periods will
degrade the performance of the system hosting the ArcSight Console. WinDump should be run on a
separate system with a UNC path to the tool configured in the "Investigate: Packet Capture" command.
Additionally, a typical protocol analysis program such as WinDump (or tcpdump) is usually configured
with an interface that is connected to a switchport that is mirroring all VLAN traffic (or spanning) to the
system listening in promiscuous mode. This is not the case with the current configuration with the
provided "Investigate: Packet Capture" command, as this was developed in a VM environment and
tested against simulated data targeting the machine that was hosting both the ESM manager and the
console.
Investigate: DNS Lookup
Command Type: Script
Command Syntax: %arcsight%\tools\dig.exe -t ANY $selectedItem
Configuration Name: Investigate: DNS Lookup
Configuration Attributes: Text Renderer
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selection
Investigate: NBTstat
Command Type: Script
Command Syntax: %system32%\nbtstat.exe -a $selectedItem
Configuration Name: Investigate: NBTstat
Configuration Attributes: Text Renderer
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: NMAP (UDP)
Command Type: Script
Command Syntax: %program files%\nmap\nmap.exe -vv -sU -p0 $selectedItem
Configuration Name: Investigate: NMAP (UDP)
Configuration Attributes: Text Renderer
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: Open Shares
Command Type: Script
Command Syntax: %arcsight%\tools\netview.cmd $selectedItem
Configuration Name: Investigate: Open Shares
Configuration Attributes: Text Renderer
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: OS Fingerprint
Command Type: Script
Command Syntax: %program files%\nmap\nmap.exe -vvv -A -O -PN $selectedItem
Configuration Name: Investigate: OS Fingerprint
Configuration Attributes: Text Renderer
Configuration Context: Viewer | All Views | All Selections | IP Address, String
Investigate: Packet Capture
Command Type: Script
Command Syntax: %arcsight%\tools\windump.exe -i 3 -l -x -n host $selectedItem
Configuration Name: Investigate: Packet Capture
Configuration Attributes: Text Renderer
Configuration Context: Viewer | All Views | All Selections | IP Address, String
Investigate: PathPing
Command Type: Script
Command Syntax: %system32%\pathping.exe $selectedItem
Configuration Name: Investigate: PathPing
Configuration Attributes: Text Renderer
Configuration Context: Viewer | All Views | All Selections | IP Address
Investigate: Vulnerability Scan
Command Type: Script
Command Syntax: %program files%\tenable\nessus\nessus\nessuscmd -U -p139,445 -V -i 10150,34477 $selectedItem
Configuration Name: Investigate: Vulnerability Scan
Configuration Attributes: Text Renderer
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types

For Snort SID searches, you can do the following:

Create an 'Evaluate Velocity Template' Global Variable with the following code:
#set( $sid = $deviceEventClassId )
#set( $format_sid1 = $sid.replace(":", "-") )
#set( $format_sid2 = $format_sid1.replace("[", "") )
#set( $format_sid3 = $format_sid2.replace("]", "") )
${format_sid3}
Integration Command URL: https://www.snort.org/search/sid/${Global Var Name}
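The Velocity template strips the square brackets from deviceEventClassId and turns each ':' into '-', so a value of the form '[1:2000:5]' becomes '1-2000-5' before it is appended to the Snort search URL. The following added example, which is not part of this document, does the same transformation in Python and goes one step beyond the template: it accepts the value only when it has the bracketed generator:sid:revision shape the replace calls assume, so an event from a different device type (a Windows event ID, say) yields no URL instead of a meaningless one. The function names and sample IDs are constructed for the example.

```python
# Added example, not part of the original document: Python equivalent of the
# 'Evaluate Velocity Template' global variable used for Snort SID searches,
# with a shape check the template itself does not perform. Function names and
# the sample IDs are constructed here.
import re
from typing import Optional

# Search URL as given in the integration command above.
SNORT_SID_SEARCH = "https://www.snort.org/search/sid/"

# gid:sid:rev, optionally wrapped in square brackets as Snort alert text carries it
# (assumed form; it is what the template's replace calls imply).
_GID_SID_REV = re.compile(r"^\[?(\d+):(\d+):(\d+)\]?$")


def format_snort_sid(device_event_class_id: str) -> Optional[str]:
    """Return 'gid-sid-rev' exactly as the Velocity template would, or None if the
    field does not look like a Snort ID at all."""
    match = _GID_SID_REV.match(device_event_class_id.strip())
    if match is None:
        return None
    # Same result as $sid.replace(":", "-").replace("[", "").replace("]", "")
    # for well-formed input, without letting other characters through.
    return "-".join(match.groups())


def snort_sid_url(device_event_class_id: str) -> Optional[str]:
    """Build the Snort search URL, or return None when there is nothing to look up."""
    formatted = format_snort_sid(device_event_class_id)
    return None if formatted is None else SNORT_SID_SEARCH + formatted


if __name__ == "__main__":
    # Constructed sample field values: one Snort alert ID, one Windows event ID.
    for sample in ("[1:2000:5]", "1:2000:5", "4625"):
        print(repr(sample), "->", snort_sid_url(sample))
```

In the Console the global variable is evaluated for every event the command is offered on, so returning nothing for non-Snort events is the behaviour to aim for; an empty result can be handled by the command's Configuration Context (restricting it to the Snort device vendor, for example) rather than by sending the analyst to a search page that cannot match.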

TRM Example:

Other Docs and References:


Sourcefire Integration Command Guide
HP TippingPoint Command Line Interface (CLI) Reference for TOS v3.2
Netwitness Right-Click Integration - URL-based Session Drill-down
Guidance Software_EnCase Cybersecurity_4 4_Action_2012
Gary Freeman Posts
SOC Investigation Tools which are being built in my Environment
