

Hello Community,
I was wondering about ArcSight Integration Commands. What integration commands are you guys using?
And in what use cases do they play a crucial role?
Rgds,
Anwar
Accepted Solutions

Hi Anwar,
I did a session at Protect'10 and Protect'11 that can be found here https://protect724.arcsight.com/docs/DOC-1455 and https://protect724.arcsight.com/docs/DOC-1872.
The internal blog I wrote explained the integration commands in detail, which goes in to detail about using URL or Script-based Integration Commands (I've highlighted the URL commands for you at the bottom):
========================================================
Topic: Network Forensic Integration Tools for ArcSight ESM
Date: April 18, 2011
Author: Gary Freeman
Version: 2.0
ArcSight Versions Confirmed: Demo VM running 5.1.0.1281.3, 5.0.1.6534.1 and 5.0.0.6450.0
OS Version: Windows Server 2003 R2 SP2
NOTE: some of the script commands need tweaking under Win7 due to permissions
(Notably PathPing and NBTstat)
========================================================
Overview:
=========
ESM integration commands leverage the power of ESM security and event management, and broaden its view to show external, snap-in views from applications like ArcSight NSP as well as third-party applications. Both automated (rule-driven) and manual (ESM user-driven) scenarios are supported. With a more flexible and powerful way to integrate ESM with other applications, you can use the ESM Console as a central command hub for all security-related operations and reconnaissance.
This is a set of ArcSight ESM Integration Commands that leverage common tools used in the pursuit of Cyber-Investigations. This toolset provides access to information gathering and common security tools such as Nmap, Nessus, tcpdump, blacklisted sites, NBTstat and OS fingerprinting that are common tools used by a security analyst or forensic investigator during or after a security incident has occurred.
Integration Commands use the local settings of the system hosting the ArcSight Console. Since most Security Operations departments use Windows XP/7/2003/2008 as the primary desktop systems, these Integration commands have been developed to access Windows versions of the common security tools, some of which are found natively under Unix/Linux. The commands can be easily modified to map to the appropriate path syntax and flags used by Linux versions of the same tools.
This package contains the following types of commands:
URL commands - provide links to Web page URLs or URIs that can be viewed in the ESM Console's internal browser or an external Web browser
Script commands - define an executable script; the script's or executable's output is returned as the result (e.g., an action)
Integration Tools Used:
=======================
- Dig for Windows v9.3.2
- Nmap for Windows v5.21
- Windump v3.9.5
- WinPcap v4.1.2
- PathPing v5.2.3790.0 (Windows Only)
- Nbtstat v5.2.3790.3959 (Windows Only)
- Nessuscmd for Windows v4.2.2 (Build 9129)
Installation - Step 1:
======================
Installation of the Integration Commands requires that the tools and their associated paths be available when installing the .arb file.
1) Open the ArcSight Console and select "Packages" in the Resource Navigator.
2) Select "Import" and select the location of the "Investigation_Integration_Pack.arb" file.
3) Once imported you will see the following tools under Integration Commands / Configurations:
/All Integration Commands
+ /ArcNet Commands
+ /ArcNet Configurations
/All Files
+ /ArcNet Files
+ /Investigation Integration Apps
+ Investigation Integration Tools
Installation - Step 2:
======================
Various command line utilities have been placed in /All Files/ArcNet Files/Investigation Integration Apps/Investigation Integration Tools.zip
Download the zip file (right-mouse click > select download) and install the tools in the directory (C:\arcsight\tools).
Installation of the tools that are referenced must be located in the following directories, as configured in the integration commands:
Investigate: DNS Lookup: %arcsight%\tools\dig.exe
Investigate: NBTstat: %system32%\nbtstat.exe
Investigate: NMAP (TCP): %program files%\nmap\nmap.exe
Investigate: NMAP (UDP): %program files%\nmap\nmap.exe
Investigate: Open Shares: %arcsight%\tools\netview.cmd
Investigate: OS Fingerprint: %program files%\nmap\nmap.exe
Investigate: Packet Capture: %arcsight%\tools\windump.exe
Investigate: PathPing: %system32%\pathping.exe
Investigate: Vulnerability Scan: %program files%\tenable\nessus\nessuscmd
Usage:
======
Once the tools have been installed in the appropriate directories, Integration Commands are available on right-click context menus from a variety of contexts in the ESM Console including:
- Relevant fields in active channels (e.g. IP address, host name)
- Relevant resources (for example, assets)
- Active Lists, sessions lists, query viewers and channels
Once invoked, a script output or internal browser window will appear where the output of the integration command can be viewed. The output of script actions will allow analysts to export the results to a file or add the output to an existing case.
When the output window is closed the command will stop running and be removed from memory.
WinDump Note:
=============
Running multiple instances of memory intensive applications such as WinDump for long periods will degrade the performance of the system hosting the ArcSight Console. WinDump should be run on a separate system with a UNC path to the tool configured in the "Investigate: Packet Capture" command.
Additionally, a typical protocol analysis program such as WinDump (or tcpdump) is usually configured with an interface that is connected to a switchport that is mirroring all VLAN traffic (or spanning) to the system listening in promiscuous mode. This is not the case with the current configuration with the provided "Investigate: Packet Capture" command, as this was developed in a VM environment and tested against simulated data targeting the machine that was hosting both the ESM manager and the console.
Integration Tool Summary:
=========================
Investigate: Blacklisted Sites
Command Type: URL
Command Syntax: http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist:$selectedItem
Configuration Name: Investigate: Blacklisted Sites
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | IP Address, String
Investigate: DNS Lookup
Command Type: Script
Command Syntax: %arcsight%\tools\dig.exe -t ANY $selectedItem
Configuration Name: Investigate: DNS Lookup
Configuration Attributes: Text Renderer
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections
Investigate: Internet Port Scan
Command Type: URL
Command Syntax: http://www.mxtoolbox.com/SuperTool.aspx?action=scan:$selectedItem
Configuration Name: Investigate: Internet Port Scan
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | IP Address, Strings | IP Address, String, All Data Types
Investigate: Malware Protection Center (Target Address)
Command Type: URL
Command Syntax: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=${targetAddress}
Configuration Name: Investigate: Malware Protection Center
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | IP Address, Strings | IP Address, String, All Data Types
Investigate: NBTstat
Command Type: Script
Command Syntax: %system32%\nbtstat.exe -a $selectedItem
Configuration Name: Investigate: NBTstat
Configuration Attributes: Text Renderer
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: NMAP (UDP)
Command Type: Script
Command Syntax: %program files%\nmap\nmap.exe -vv -sU -p0 $selectedItem
Configuration Name: Investigate: NMAP (UDP)
Configuration Attributes: Text Renderer
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: Open Shares
Command Type: Script
Command Syntax: %arcsight%\tools\netview.cmd $selectedItem
Configuration Name: Investigate: Open Shares
Configuration Attributes: Text Renderer
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: OS Fingerprint
Command Type: Script
Command Syntax: %program files%\nmap\nmap.exe -vvv -A -O -PN $selectedItem
Configuration Name: Investigate: OS Fingerprint
Configuration Attributes: Text Renderer
Configuration Context: Viewer | All Views | All Selections | IP Address, String
Investigate: Packet Capture
Command Type: Script
Command Syntax: %arcsight%\tools\windump.exe -i 3 -l -x -n host $selectedItem
Configuration Name: Investigate: Packet Capture
Configuration Attributes: Text Renderer
Configuration Context: Viewer | All Views | All Selections | IP Address, String
Investigate: PathPing
Command Type: Script
Command Syntax: %system32%\pathping.exe $selectedItem
Configuration Name: Investigate: PathPing
Configuration Attributes: Text Renderer
Configuration Context: Viewer | All Views | All Selections | IP Address
Investigate: RFC Ignorant
Command Type: URL
Command Syntax: http://www.rfc-ignorant.org/tools/lookup.php?domain=$selectedItem&full=1
Configuration Name: Investigate: RFC Ignorant
Configuration Attributes: Internal
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: SMTP Check
Command Type: URL
Command Syntax: http://www.mxtoolbox.com/SuperTool.aspx?action=smtp:$selectedItem
Configuration Name: Investigate: SMTP Check
Configuration Attributes: Internal
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: Suspected Malware (Target Address)
Command Type: URL
Command Syntax: http://www.malwaredomainlist.com/mdl.php?search=${targetAddress}
Configuration Name: Investigate: Suspected Malware
Configuration Attributes: Internal
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: Threat Expert (link – no integration)
Command Type: URL
Command Syntax: http://www.threatexpert.com/reports.aspx?find=&x=10&y=7
Configuration Name: Investigate: Threat Expert
Configuration Attributes: Internal
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: Vulnerability Scan
Command Type: Script
Command Syntax: %program files%\tenable\nessus\nessus\nessuscmd -U -p139,445 -V -i 10150,34477 $selectedItem
Configuration Name: Investigate: Vulnerability Scan
Configuration Attributes: Text Renderer
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
Investigate: Windows Event
Command Type: URL
Command Syntax: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=${deviceEventClassId}
Configuration Name: Investigate: Windows Event
Configuration Attributes: Internal
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types
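The script commands above hand $selectedItem straight to a tool's command line, which is exactly where a crafted event field (a hostname that contains option-looking or shell text) could turn into extra arguments or a chained command. Below is an added example wrapper, not part of the original post or the Investigation Integration Pack, that a script command can call instead of the tool directly: it accepts only an IP address or an RFC 1123 hostname and runs the tool without a shell. The tool paths, the tool names in the table and the run_tool.py file name are assumptions.

```python
"""Wrapper for a script-type ArcSight integration command.

Added example, not from the original post. The ESM Console substitutes
$selectedItem into the command line verbatim, so the script validates
that value before handing it to the tool. Tool paths are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
import subprocess
import sys

# Assumed install locations; adjust to the paths used in your configurations.
TOOLS = {
    "dig": [r"C:\arcsight\tools\dig.exe", "-t", "ANY"],
    "nmap-udp": [r"C:\Program Files\nmap\nmap.exe", "-vv", "-sU", "-p0"],
    "os-fingerprint": [r"C:\Program Files\nmap\nmap.exe", "-vvv", "-A", "-O", "-PN"],
}

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def validate_target(selected_item: str) -> str:
    """Return the selection if it is an IP address or hostname, else raise.

    Shell metacharacters, whitespace, empty cells and option-looking strings
    such as "-oN out.txt" are rejected, so a crafted event field cannot add
    arguments to the tool or chain a second command.
    """
    item = selected_item.strip()
    if not item or len(item) > 253:
        raise ValueError("empty or oversized selection")
    try:
        return str(ipaddress.ip_address(item))
    except ValueError:
        pass
    if item.startswith("-") or not _HOSTNAME_RE.match(item):
        raise ValueError(f"not an IP address or hostname: {item!r}")
    return item


def is_valid_target(selected_item: str) -> bool:
    """Boolean form of validate_target, handy for tests and pre-checks."""
    try:
        validate_target(selected_item)
        return True
    except ValueError:
        return False


def build_command(tool: str, selected_item: str) -> list[str]:
    """Build the argv list for a tool; the validated target is the last element."""
    if tool not in TOOLS:
        raise KeyError(f"unknown tool {tool!r}")
    return TOOLS[tool] + [validate_target(selected_item)]


def run_tool(tool: str, selected_item: str, timeout: int = 300) -> str:
    """Run the tool as an argv list (no shell) and return its output for the Text Renderer."""
    argv = build_command(tool, selected_item)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # Assumed command syntax in the integration command:
    #   python C:\arcsight\tools\run_tool.py dig $selectedItem
    if len(sys.argv) != 3:
        sys.exit("usage: run_tool.py <tool> <selected item>")
    try:
        print(run_tool(sys.argv[1], sys.argv[2]))
    except (ValueError, KeyError) as exc:
        sys.exit(f"refused: {exc}")
```

Because the script runs on the Console PC, the only dependency it adds per analyst workstation is a Python interpreter; the allow-list approach (IP or hostname, nothing else) is simpler to reason about than trying to escape every shell metacharacter for cmd.exe.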


Hello,
Everything you and/or your analysts can think of that is useful to have on "right-click" on an event can be integrated as a command to make daily business easier.
Volker


Thanks Volker. Can you share a couple of useful commands or scripts?
Rgds,
Anwar


Hey, it depends on what you will need. You can execute scripts and execute HTML commands and, believe me, it's easy; check out the ArcSight base stuff and you will know how it works.
Volker
PS: NIDS signature lookup, whois, Google search etc.


Additionally, one of my ex-colleagues came up with an innovative way to use the Geo-coords SmartConnectors inject into the events to go to Google Maps and plot the addresses of both the source and the target IP addresses.
Basically, create a set of commands called "Google Attacker" and "Google Target" respectively and use the URL type command for both with the following strings:
Attacker
http://maps.google.com/maps?q=${attackerGeoLatitude},${attackerGeoLongitude}
Target
http://maps.google.com/maps?q=${targetGeoLatitude},${targetGeoLongitude}
Then create the accompanying configuration file (I always name them the same as the commands) and make sure you choose external browser as the renderer and the context would be "Location=Viewer" (the rest defaults).
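An added example, not from the post, that reproduces the ${field} / $selectedItem substitution of URL commands on a constructed sample event, so you can see the exact URL the Google Attacker/Target commands will open before you click them in a channel. It also adds two things the Console does not do for you: percent-encoding of the substituted value, and a check that the geo coordinates are present and in range, so an event the SmartConnector could not geo-locate raises an error instead of opening maps?q=, . The templates are the command syntax strings from this thread; the event values are made up.

```python
"""Render URL-type integration command templates from event fields.

Added example, not from the original post. Mimics the Console's
${field} / $selectedItem substitution, percent-encodes the values and
sanity-checks geo coordinates. SAMPLE_EVENT is constructed data.
"""
import re
from urllib.parse import quote

_PLACEHOLDER = re.compile(r"\$\{(\w+)\}|\$(\w+)")

# Command syntax strings as posted in the thread.
GOOGLE_ATTACKER = "http://maps.google.com/maps?q=${attackerGeoLatitude},${attackerGeoLongitude}"
GOOGLE_TARGET = "http://maps.google.com/maps?q=${targetGeoLatitude},${targetGeoLongitude}"
BLACKLIST = "http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist:$selectedItem"

# Constructed sample event, not real data: the attacker was geo-located,
# the target was not (the connector left both target geo fields unset).
SAMPLE_EVENT = {
    "selectedItem": "10.0.0.5",
    "attackerGeoLatitude": 37.7749,
    "attackerGeoLongitude": -122.4194,
    "targetGeoLatitude": None,
    "targetGeoLongitude": None,
}


def render_url(template, fields):
    """Substitute ${name} and $name with percent-encoded field values.

    A missing or empty field raises KeyError instead of leaving a hole such
    as 'q=,' in the URL, which is what an unset geo field would produce.
    """
    def sub(match):
        name = match.group(1) or match.group(2)
        value = fields.get(name)
        if value is None or value == "":
            raise KeyError(name)
        # safe="" so that '&', '=', '/' inside an event value cannot alter the query
        return quote(str(value), safe="")

    return _PLACEHOLDER.sub(sub, template)


def geo_url(template, fields, prefix):
    """Render a maps template only if <prefix>GeoLatitude/Longitude are plausible."""
    lat = fields.get(prefix + "GeoLatitude")
    lon = fields.get(prefix + "GeoLongitude")
    if lat is None or lon is None:
        raise KeyError(f"no {prefix} geo coordinates in event")
    lat, lon = float(lat), float(lon)
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError(f"coordinates out of range: {lat},{lon}")
    return render_url(template, fields)


if __name__ == "__main__":
    print(geo_url(GOOGLE_ATTACKER, SAMPLE_EVENT, "attacker"))
    print(render_url(BLACKLIST, SAMPLE_EVENT))
    try:
        geo_url(GOOGLE_TARGET, SAMPLE_EVENT, "target")
    except KeyError as exc:
        print("skipped:", exc)
```

In the Console itself the substitution is done for you and the external browser gets whatever the field contains; the point of the encoding step is that a String-typed selection (a URL fragment, a user name with an ampersand) is passed as one query value rather than splitting the query. Geo databases commonly return a placeholder pair for unresolved addresses, so it is also worth treating 0,0 as "unknown" in practice.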


That's fantastic Gary, I really appreciate that.
What's the name of your blog? I might want to have a look on a weekly basis for updates.
Again, thanks for sharing.

Sorry Anwar, I was referring to an internal HP blog all of the tech staff contribute to. This can't be made public unfortunately.

What if the URL you need to use requires a POST action instead of a GET? I don't see any way to define this in the integration command for URL type and be able to associate values with the post parameters. I could possibly write a script but wasn't sure how the HTML output would get passed to a viewer, plus I'd have to worry about hardening the script to prevent against command injection.
Thoughts?

Well, no responses...guess I'll post my own answer.
- You can't use POST.
- You can use curl or a script to do a POST, but there's no way to launch the output in a browser (well, not easily in a Windows environment at least).
- What wasn't clear to me in the documentation is:
- The viewer is launched from the local PC, which kind of makes sense.
- The scripts are run from the local machine as well, NOT the SIEM/ESM, which makes no sense to me.
- So if you opt to use a fancy integration script, any libraries, tools or other dependencies required by the script must be loaded on every console user's PC.
- You can't use integration commands via the web console, which now makes sense based on the facts above.
Based on this, these commands aren't nearly as useful as I'd once hoped. So much for leveraging the LAMP stack (minus the AM part) for centralized maintenance of scripted integration commands. You can roll your own web server to handle different GET requests I suppose, but then have to deal with hardening of those websites to prevent unwanted use.
Now, would someone please prove me wrong? I so want to be wrong on this one.
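As an added example, not from the thread: one way a script-type command can do the POST itself with only the Python standard library on the Console PC, save the HTML reply to a local file and hand that file to the default browser. The lookup URL and the form field names (ip, action) are assumptions, and the small echo server is a constructed stand-in for the real lookup site so the code runs offline; swap its address for the site you need and keep the same post_lookup call.

```python
"""POST-based lookup from a script-type integration command.

Added example, not from the thread. URL-type commands only issue GETs;
this script performs the POST, writes the HTML response to a temp file
and optionally opens it in the default browser. The lookup URL and
parameter names are assumptions; _EchoHandler is a constructed stand-in
for the real site so the example runs offline.
"""
import html
import sys
import tempfile
import threading
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen


def post_lookup(url, params, timeout=10):
    """Send an application/x-www-form-urlencoded POST and return the body as text."""
    body = urlencode(params).encode()
    req = Request(url, data=body, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8")


def save_and_open(page, open_browser=False):
    """Write the HTML to a temp .html file, optionally open it, and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".html", delete=False,
                                     encoding="utf-8") as f:
        f.write(page)
    if open_browser:
        # file URL works for both Windows (C:\...) and POSIX paths
        webbrowser.open("file:///" + f.name.replace("\\", "/").lstrip("/"))
    return f.name


class _EchoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a lookup site: echoes the POSTed fields as HTML."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = parse_qs(self.rfile.read(length).decode())
        rows = "".join(f"<li>{html.escape(k)} = {html.escape(v[0])}</li>"
                       for k, v in fields.items())
        page = f"<html><body><h1>lookup</h1><ul>{rows}</ul></body></html>".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)

    def log_message(self, *args):
        pass  # keep the integration command's text output clean


def start_echo_server():
    """Start the stand-in site on a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _EchoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    # Assumed command syntax:  python C:\arcsight\tools\post_lookup.py $selectedItem
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.5"
    srv, port = start_echo_server()
    page = post_lookup(f"http://127.0.0.1:{port}/lookup",
                       {"ip": target, "action": "blacklist"})
    print(save_and_open(page, open_browser=False))
    srv.shutdown()
```

The value passed as $selectedItem goes into the form body through urlencode, so it is never interpreted by a shell or spliced into a URL; the remaining per-workstation dependency is just the Python interpreter, which matches the observation above that script commands and their libraries live on every Console user's PC.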

Awesome info. Where can I download the information below?
Installation - Step 2:
======================
Various command line utilities have been placed in /All Files/ArcNet Files/Investigation Integration Apps/Investigation Integration Tools.zip
Download the zip file (right-mouse click > select download) and install the tools in the directory (C:\arcsight\tools).
Thanks,
- Brandon

