

Hello Community,
I was wondering about ArcSight Integration Commands: what integration commands are you guys using?
And in what use cases do they play a crucial role?
Rgds,
Anwar

For Snort SID searches, you can do the following:
Create an 'Evaluate Velocity Template' Global Variable with the following code:
## Snort events carry the rule ID in deviceEventClassId, e.g. "[1:2000538:3]" (gid:sid:rev)
#set( $sid = $deviceEventClassId )
## Turn "[1:2000538:3]" into "1-2000538-3" so it can be used as a URL path segment
#set( $format_sid1 = $sid.replace(":", "-") )
#set( $format_sid2 = $format_sid1.replace("[", "") )
#set( $format_sid3 = $format_sid2.replace("]", "") )
${format_sid3}
Integration Command URL: https://www.snort.org/search/sid/${Global Var Name}
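An added example, not part of Gary's post: the same normalisation done in Python, with the check the Velocity replace chain does not make. The template strips ':' and the brackets but passes every other character straight through, so a deviceEventClassId that is not a plain Snort gid:sid:rev (a connector mapping oddity, or text that reached the event field from outside) lands verbatim in the URL the integration command opens. The sample IDs below are constructed; the URL prefix is the one from the post, and the helper names are mine.

```python
import re
from urllib.parse import quote

# Constructed sample values of the kind the Snort connector puts into
# deviceEventClassId (not taken from the original thread).
SAMPLE_IDS = {
    "bracketed": "[1:2000538:3]",
    "plain": "1:2000538:3",
    "sid_only": "2000538",
    "malformed": "[1:2000538:3]; echo pwned",
}

# gid:sid:rev with gid and rev optional; only digits and colons are allowed.
_SNORT_ID = re.compile(r"(?:(\d+):)?(\d+)(?::(\d+))?")


def normalize_snort_id(device_event_class_id):
    """Turn '[1:2000538:3]' (or '1:2000538:3', or '2000538') into the
    'gid-sid-rev' form the Velocity template produces, e.g. '1-2000538-3'.

    Returns None instead of guessing when the value is not a pure rule ID,
    so an attacker-influenced event field cannot smuggle extra characters
    into the URL (or command line) built from the result.
    """
    value = device_event_class_id.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    m = _SNORT_ID.fullmatch(value)
    if not m:
        return None
    gid, sid, rev = m.groups()
    return "-".join(part for part in (gid, sid, rev) if part is not None)


def snort_search_url(device_event_class_id,
                     base="https://www.snort.org/search/sid/"):
    """Build the lookup URL from the post, refusing malformed IDs outright."""
    sid = normalize_snort_id(device_event_class_id)
    if sid is None:
        raise ValueError(f"not a Snort rule ID: {device_event_class_id!r}")
    # quote() is belt-and-braces here: a validated ID is already URL-safe.
    return base + quote(sid, safe="")


def check_samples():
    """Run every constructed sample through the normaliser (None = rejected)."""
    return {name: normalize_snort_id(raw) for name, raw in SAMPLE_IDS.items()}


if __name__ == "__main__":
    for name, result in check_samples().items():
        print(f"{name:10s} -> {result}")
    print(snort_search_url(SAMPLE_IDS["bracketed"]))
```

The same idea carries over to the Velocity side: if the template stays in ArcSight, test the variable against a few hand-made events whose deviceEventClassId is not a rule ID and confirm the URL you end up with is one you are happy to open in a browser.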

Nice, Gary! Alternatively, I have had great results with tiny script-driven integration tools using the D-Shield API at hxxps://isc.sans.edu/api/, in addition to MXtoolbox and some others, for comprehensive investigation of IPs and the like. In Windows it's as easy as a batch file a la "start iexplore.exe" and executing calls to the URLs given in the API definition in the above link. Perl is great for regex parsing of log files, etc. You can integrate the "right click tools" into reports (via automated calls to processes spun up by a given integration command) when working up a reputation quantification on top talkers, etc. Happy integrating!
Mark

Hi Bobby,
Burp Suite integration can help, and some others are listed at Appendix A: Testing Tools - OWASP.
I have not yet tried this but I have heard good things: http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page
Good luck and let me know if you gain any further insight into this.
Mark

Has anyone else had problems getting the nbtstat command to work? I can't even browse to it when creating a new integration command. It's visible in Windows Explorer though.

What version are you using? I may have observed such an issue at one point when on 5.x ESM and 4.5. I may have used a simple workaround as such:
ARCSIGHT TOOL FIELDS:
Name: nbtstat
Program: C:\arcsight\Console\current\bin\scripts\nbtstat.bat
Working Directory: C:\arcsight\Console\current\bin\scripts
Params: $selectedCell
BATCH FILE:
@echo off
cls
:: placeholder command; the selected cell arrives as %1
ipconfig
pause
:: any args or user input (if needed\wanted) should be defined here
exit
Is your nslookup working?
-Mark
PS: I know this is IT 101 for windows.

Yes, the other Windows commands in the same location work (e.g. tracert.exe, etc.) That's why I find this so odd. If I attempt to create the integration command by browsing to the location of nbtstat.exe, I can't see the file in the browser in the Arcsight ESM console. However, I can view the file in Windows Explorer and it executes normally at the command line. I tried using a batch file like you suggested (good idea) but I still get a "not recognized as internal or external command, operable program, or batch file". I suppose my batch file syntax could be wrong, but I don't think so. The shell script works at the command line. It's all of two lines:
@echo off
C:\Windows\System32\nbtstat.exe -a %1
I also tried copying the executable to another directory.
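An added example, not from Mark's or Joel's posts: a Python script that does the job of nbtstat.bat while treating $selectedCell as untrusted input. Whatever is in the right-clicked cell ends up on a command line, so the wrapper only accepts an IPv4 address or a DNS-style hostname, picks the matching nbtstat switch (-A for an address, -a for a name), and starts the program with a list argv and no shell so the argument is never interpreted by cmd.exe. The nbtstat.exe path, the sample targets and the suggested Console tool settings are assumptions, labelled as such in the comments.

```python
import ipaddress
import re
import subprocess
import sys

# Assumed location of the Windows tool (matches Joel's batch file).
NBTSTAT = r"C:\Windows\System32\nbtstat.exe"

# Constructed sample cell values, not taken from the thread.
SAMPLE_CELLS = ["192.0.2.10", "fileserver01.corp.example", "192.0.2.10 & del C:\\*"]

# One or more dot-separated DNS labels: letters, digits, inner hyphens only.
_HOSTNAME = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def classify_target(selected_cell):
    """Return ('ip', value) or ('host', value) for a usable target, else None.

    nbtstat only speaks IPv4, so IPv6 literals are rejected along with
    anything containing spaces, shell metacharacters or other junk.
    """
    value = selected_cell.strip()
    try:
        return "ip", str(ipaddress.IPv4Address(value))
    except ValueError:
        pass
    if len(value) <= 253 and _HOSTNAME.match(value):
        return "host", value
    return None


def build_nbtstat_argv(selected_cell, nbtstat=NBTSTAT):
    """Build the argv for nbtstat; raise ValueError for anything suspicious,
    so a cell such as '192.0.2.10 & del C:\\*' never reaches a command line."""
    target = classify_target(selected_cell)
    if target is None:
        raise ValueError(f"refusing to run nbtstat on {selected_cell!r}")
    kind, value = target
    switch = "-A" if kind == "ip" else "-a"
    return [nbtstat, switch, value]


def run_tool(selected_cell, timeout=30):
    """Run nbtstat for the selected cell and return (exit code, combined output)."""
    argv = build_nbtstat_argv(selected_cell)
    # shell=False (the default) with a list: the target is passed to nbtstat
    # verbatim and is not parsed by cmd.exe.
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout + proc.stderr


if __name__ == "__main__":
    # Assumed Console tool settings: Program = python.exe,
    # Params = "<path to this script>" $selectedCell
    cell = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_CELLS[0]
    try:
        rc, output = run_tool(cell)
    except (ValueError, OSError, subprocess.TimeoutExpired) as exc:
        print(f"integration command failed: {exc}")
        input("Press Enter to close")
        sys.exit(1)
    print(output)
    input("Press Enter to close")  # same purpose as 'pause' in the batch file
    sys.exit(rc)
```

The validation is the part worth keeping even if you stay with a batch file: a .bat receives %1 through cmd.exe, so a cell value containing & or | is executed, not looked up. Pointing the tool at a script that checks its argument first closes that gap regardless of which lookup program sits behind it.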

I'm using 6.5.
Joel Gunderson
Information Assurance
