
ArcSight Integration Commands


Hello Community,

I was wondering about ArcSight Integration Commands: what integration commands are you guys using?

And in what use cases do they play a crucial role?

Rgds,

Anwar


For Snort SID searches, you can do the following:

Create an 'Evaluate Velocity Template' Global Variable with the following code:

#set( $sid = $deviceEventClassId )
#set( $format_sid1 = $sid.replace(":", "-") )
#set( $format_sid2 = $format_sid1.replace("[", "") )
#set( $format_sid3 = $format_sid2.replace("]", "") )
${format_sid3}

Integration Command URL: https://www.snort.org/search/sid/${Global Var Name}
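An added example, not part of the reply above and not ArcSight's own code, that performs the same gid:sid:rev normalisation in Python so the mapping can be checked outside the console. It goes one step beyond the Velocity template: a value that is not a Snort-style triple is rejected rather than pasted into a URL, which matters because deviceEventClassId is populated by whatever device sent the event. The sample values are constructed; the `[gid:sid:rev]` form is assumed from the replace chain in the template.

```python
import re
from typing import Optional
from urllib.parse import quote

# Constructed sample values, in the "[gid:sid:rev]" form the Velocity
# template expects in deviceEventClassId (assumption about the connector).
SAMPLE_EVENT_CLASS_IDS = ["[1:2019401:3]", "1:2100498:7", "not-a-sid", ""]

SNORT_SEARCH_BASE = "https://www.snort.org/search/sid/"   # URL used in the reply
SID_TRIPLE = re.compile(r"^\[?(\d+):(\d+):(\d+)\]?$")


def normalize_sid(device_event_class_id: str) -> Optional[str]:
    """Same transformation as the template (drop [ ], turn ':' into '-'),
    but only for a well-formed gid:sid:rev triple; anything else -> None."""
    match = SID_TRIPLE.match(device_event_class_id.strip())
    if match is None:
        return None
    gid, sid, rev = match.groups()
    return f"{gid}-{sid}-{rev}"


def snort_search_url(device_event_class_id: str) -> Optional[str]:
    """Build the lookup URL, or None when the field should not be sent anywhere."""
    formatted = normalize_sid(device_event_class_id)
    if formatted is None:
        return None
    # quote() is belt and braces: after validation only digits and '-' remain.
    return SNORT_SEARCH_BASE + quote(formatted, safe="-")


def lookup_table(values) -> dict:
    """Map each raw deviceEventClassId to its URL (None for rejected values)."""
    return {value: snort_search_url(value) for value in values}


if __name__ == "__main__":
    for raw, url in lookup_table(SAMPLE_EVENT_CLASS_IDS).items():
        print(f"{raw!r:18} -> {url}")
```

The template's plain replace chain will happily emit "1-2019401-3" for a Snort event and an unchanged vendor string for anything else; the regex check is what turns the second case into a no-op instead of a malformed lookup.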



Nice Gary! Alternatively I have had great results with tiny script-driven integration tools using the D-Shield API at hxxps://isc.sans.edu/api/ in addition to MXtoolbox and some others for comprehensive investigation of IPs and the like. In Windows it's as easy as a batch à la "start iexplore.exe" and executing calls to the url()'s given in the API definition in the above link. Perl is great for regex parsing of log files, etc. You can integrate the "right click tools" into reports (via automated calls to processes spun up by a given integration command) when working up a rep quantification on top talkers, etc. Happy integrating!

Mark


Hi Bobby,

Burpsuite integration can help and some others listed at Appendix A: Testing Tools - OWASP


I have not yet tried this but I have heard good things: - http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page

Good luck and let me know if you gain any further insight into this.

Mark


Has anyone else had problems getting the nbtstat command to work? I can't even browse to it when creating a new integration command. It's visible in Windows Explorer though.


What version are you using? I may have observed such an issue at one point when on 5.x ESM and 4.5. I may have used a simple workaround as such:

ARCSIGHT TOOL FIELDS:

Name: nbtstat
Program: C:\arcsight\Console\current\bin\scripts\nbtstat.bat
Working Directory: C:\arcsight\Console\current\bin\scripts
Params: $selectedCell

BATCH FILE:

echo off
cls
ipconfig
pause
:: any args or user input (if needed\wanted) should be defined here
exit

Is your nslookup working?

-Mark

PS: I know this is IT 101 for windows.


Yes, the other Windows commands in the same location work (e.g. tracert.exe, etc.). That's why I find this so odd. If I attempt to create the integration command by browsing to the location of nbtstat.exe, I can't see the file in the browser in the ArcSight ESM console. However, I can view the file in Windows Explorer and it executes normally at the command line. I tried using a batch file like you suggested (good idea) but I still get a "not recognized as internal or external command, operable program, or batch file". I suppose my batch file syntax could be wrong, but I don't think so. The shell script works at the command line. It's all of two lines:

@echo off
C:\Windows\System32\nbtstat.exe -a %1

I also tried copying the executable to another directory.

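An added example, not from this thread and not ArcSight's code, covering the nbtstat wrapper discussed in the two posts above (the batch file with `$selectedCell` as its parameter, and the two-line `nbtstat.exe -a %1` script) written in Python instead of batch. What it adds is input validation: `$selectedCell` arrives straight from event data, and a batch file that expands `%1` hands that string to cmd.exe unescaped, so this wrapper accepts only an IP address or a hostname and invokes nbtstat.exe with an argument list rather than a shell string. The nbtstat.exe path is the one quoted in the thread; that python.exe is available on the console host is an assumption.

```python
import ipaddress
import re
import subprocess
import sys
from typing import List

NBTSTAT = r"C:\Windows\System32\nbtstat.exe"   # path quoted in the thread

# RFC 1123 style hostname: labels of letters, digits and hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_safe_target(value: str) -> bool:
    """True only for a literal IP address or a plain hostname; spaces,
    shell metacharacters and empty cells are all rejected."""
    value = value.strip()
    if not value:
        return False
    return _is_ip(value) or HOSTNAME_RE.match(value) is not None


def build_nbtstat_args(target: str) -> List[str]:
    """nbtstat -a takes a NetBIOS name, -A an IP address; pick the flag
    from the validated value and return the argv list for subprocess."""
    if not is_safe_target(target):
        raise ValueError(f"refusing to run nbtstat against {target!r}")
    target = target.strip()
    flag = "-A" if _is_ip(target) else "-a"
    return [NBTSTAT, flag, target]


def run(target: str) -> int:
    """Run nbtstat with an argv list (no shell=True), so the selected cell
    is never parsed by cmd.exe. Returns the process exit code."""
    try:
        args = build_nbtstat_args(target)
    except ValueError as err:
        print(err, file=sys.stderr)
        return 2
    return subprocess.run(args, check=False).returncode


if __name__ == "__main__":
    # Constructed invocation: the integration command passes the cell as argv[1].
    sys.exit(run(sys.argv[1] if len(sys.argv) > 1 else ""))
```

Wiring this in would mean pointing the Program field at python.exe with this script and `$selectedCell` as the parameter (an assumption about how the fields compose; the thread shows only batch-based commands). One Windows detail worth checking when a console cannot see nbtstat.exe at all: on 64-bit Windows a 32-bit process has `C:\Windows\System32` redirected to `SysWOW64` by WoW64, and the `C:\Windows\Sysnative` alias reaches the real System32 from such a process.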

I'm using 6.5.

Joel Gunderson

Information Assurance


Hi, I can't download the file, kindly re-share it.