Modified/Updated by
Balahasan V. | SIEM Engineer
Command Syntax:
http://maps.google.com/maps?q=${targetGeoLatitude},${targetGeoLongitude}
Configuration Name: Investigate: IP GeoLocation
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types
Investigate: Robtex IP Check
Command Type: URL
Command Syntax:
https://www.robtex.com/ip/$selectedItem
https://www.robtex.com/dns/$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types
Investigate: IPVoid Check
Command Type: URL
Command Syntax:
http://www.ipvoid.com/scan/$selectedItem/
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types
Investigate: IP/URL Check-myIP.ms
Command Type: URL
Command Syntax:
http://myip.ms/view/ip_addresses/$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types
Investigate: IP/URL Check-Multirbl.valli
Command Type: URL
Command Syntax:
http://multirbl.valli.org/lookup/$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types
Investigate: mxtoolbox-Blacklist
Command Type: URL
Command Syntax:
http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist:$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | IP Address, String
http://maldb.com/$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types
Investigate: URL Check Sucuri
Command Type: URL
Command Syntax:
http://sitecheck.sucuri.net/results/$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types
Investigate: URL Check SiteAdvisor
Command Type: URL
Command Syntax:
http://www.siteadvisor.com/sites/$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types
Investigate: MS Malware Protection Center
Command Type: URL
Command Syntax:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | IP Address, Strings | IP Address, String, All Data Types
Investigate: URL Check URL Void
Command Type: URL
Command Syntax:
http://www.urlvoid.com/scan/$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types
Investigate: URL Check Webutations
Command Type: URL
Command Syntax:
http://www.webutations.net/go/review/$selectedItem
Configuration Name: Investigate: URL Reputation Check
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types
Investigate: Suspected Malware
Command Type: URL
Command Syntax:
www.malwaredomainlist.com/mdl.php?search=$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: URL Check MyWOT
Command Type: URL
Command Syntax:
http://www.checksitesafe.com/site/$selectedItem
Configuration Name: Investigate: URL Reputation Check
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types
Investigate: IP/URL Check WatchGuard
Command Type: URL
Command Syntax:
http://www.reputationauthority.org/lookup.php?ip=$selectedItem
Configuration Name: Investigate: Reputation Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types
Investigate: URL Check Pingdom
Command Type: URL
Command Syntax:
http://tools.pingdom.com/fpt/#!/$selectedItem
Configuration Name: Investigate: Full Site Scan
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types
Investigate: URL Check vURL
Command Type: URL
Command Syntax:
http://vurldissect.co.uk/default.asp?url=http://$selectedItem&btnvURL=Dissect&selUAStr=1&selServer=1&ref=&cbxSource=on&cbxBlacklist=on
Configuration Name: Investigate: Full Site Scan
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types
The tools referenced by the script commands must be installed in the following directories, which are the paths configured in the integration commands:
Investigate: DNS Lookup: %arcsight%\tools\dig.exe
Investigate: NBTstat: %system32%\nbtstat.exe
Investigate: NMAP (TCP): %program files%\nmap\nmap.exe
Investigate: NMAP (UDP): %program files%\nmap\nmap.exe
Investigate: Open Shares: %arcsight%\tools\netview.cmd
Investigate: OS Fingerprint: %program files%\nmap\nmap.exe
Investigate: Packet Capture: %arcsight%\tools\windump.exe
Investigate: PathPing: %system32%\pathping.exe
Investigate: Vulnerability Scan: %program files%\tenable\nessus\nessuscmd
Usage:
Once the tools have been installed in the appropriate directories, Integration Commands are available
on right-click context menus from a variety of contexts in the ESM Console including:
- Relevant fields in active channels (e.g. IP address, host name)
- Relevant resources (for example, assets)
- Active Lists, sessions lists, query viewers and channels
Once invoked, a script output or internal browser window will appear where the output of the
integration command can be viewed. The output of script actions will allow analysts to export the
results to a file or add the output to an existing case.
When the output window is closed the command will stop running and be removed from memory.
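Every command above substitutes the selected cell value into a URL or a command line. The following is an added example, not part of this document or of ArcSight, showing how a wrapper around a few of the page's own templates can validate that value against the configuration context's data type before substitution: URL commands get a percent-encoded value, and script commands only accept a clean IP address or host name and are returned as an argument list for execution without a shell. The COMMANDS table and the helper names are assumptions made for the example.

```python
"""Added example (not from the ArcSight integration-command document):
render $selectedItem templates only after validating the selected value."""
import ipaddress
import re
from string import Template
from typing import List, Optional, Union
from urllib.parse import quote

# Templates copied from the configurations on this page; kind is URL or Script.
COMMANDS = {
    "Investigate: Robtex IP Check": ("URL", "https://www.robtex.com/ip/$selectedItem"),
    "Investigate: mxtoolbox-Blacklist": (
        "URL", "http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist:$selectedItem"),
    "Investigate: DNS Lookup": ("Script", r"%arcsight%\tools\dig.exe -t ANY $selectedItem"),
    "Investigate: PathPing": ("Script", r"%system32%\pathping.exe $selectedItem"),
}

# RFC 1123 style host name: dot-separated labels of letters, digits and hyphens.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")


def classify(item: str) -> Optional[str]:
    """Return 'IP Address' or 'Host Name' for a clean selected cell, else None."""
    try:
        ipaddress.ip_address(item)
        return "IP Address"
    except ValueError:
        pass
    return "Host Name" if _HOSTNAME.match(item) else None


def render(name: str, item: str) -> Union[str, List[str]]:
    """Fill $selectedItem for one configuration.

    URL commands: any non-empty value, percent-encoded so it cannot add path
    segments or query parameters. Script commands: only an IP address or host
    name, returned as argv for subprocess.run(argv) with no shell involved."""
    kind, template = COMMANDS[name]
    if not item:
        raise ValueError(f"empty selection for {name}")
    if kind == "URL":
        return Template(template).substitute(selectedItem=quote(item, safe=""))
    if classify(item) is None:
        raise ValueError(f"refusing to pass {item!r} to {name}")
    return [Template(arg).substitute(selectedItem=item) for arg in template.split()]
```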
WinDump Note:
Running multiple instances of memory intensive applications such as WinDump for long periods will
degrade the performance of the system hosting the ArcSight Console. WinDump should be run on a
separate system with a UNC path to the tool configured in the "Investigate: Packet Capture" command.
Additionally, a typical protocol analysis program such as WinDump (or tcpdump) is usually configured
with an interface that is connected to a switchport that is mirroring all VLAN traffic (or spanning) to the
system listening in promiscuous mode. This is not the case with the current configuration with the
provided "Investigate: Packet Capture" command, as this was developed in a VM environment and
tested against simulated data targeting the machine that was hosting both the ESM manager and the
console.
Investigate: DNS Lookup
Command Type: Script
Command Syntax: %arcsight%\tools\dig.exe -t ANY $selectedItem
Configuration Name: Investigate: DNS Lookup
Configuration Attributes: Text Renderer
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections
Investigate: NBTstat
Command Type: Script
Command Syntax: %system32%\nbtstat.exe -a $selectedItem
Configuration Name: Investigate: NBTstat
Configuration Attributes: Text Renderer
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: NMAP (UDP)
Command Type: Script
Command Syntax: %program files%\nmap\nmap.exe -vv -sU -p0 $selectedItem
Configuration Name: Investigate: NMAP (UDP)
Configuration Attributes: Text Renderer
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: Open Shares
Command Type: Script
Command Syntax: %arcsight%\tools\netview.cmd $selectedItem
Configuration Name: Investigate: Open Shares
Configuration Attributes: Text Renderer
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: OS Fingerprint
Command Type: Script
Command Syntax: %program files%\nmap\nmap.exe -vvv -A -O -PN $selectedItem
Configuration Name: Investigate: OS Fingerprint
Configuration Attributes: Text Renderer
Configuration Context: Viewer | All Views | All Selections | IP Address, String
Investigate: Packet Capture
Command Type: Script
Command Syntax: %arcsight%\tools\windump.exe -i 3 -l -x -n host $selectedItem
Configuration Name: Investigate: Packet Capture
Configuration Attributes: Text Renderer
Configuration Context: Viewer | All Views | All Selections | IP Address, String
Investigate: PathPing
Command Type: Script
Command Syntax: %system32%\pathping.exe $selectedItem
Configuration Name: Investigate: PathPing
Configuration Attributes: Text Renderer
Configuration Context: Viewer | All Views | All Selections | IP Address
Investigate: Vulnerability Scan
Command Type: Script
Command Syntax: %program files%\tenable\nessus\nessus\nessuscmd -U -p139,445 -V -i 10150,34477 $selectedItem
Configuration Name: Investigate: Vulnerability Scan
Configuration Attributes: Text Renderer
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
TRM Example: