balahasan.v1 (Acclaimed Contributor)

Integration Commands for SOC Investigations v0.arb

Hi Guys,

As per the request from a few members, I have uploaded the .arb file. It will be really helpful for SOC investigations. Refer to the document below for other details.

Note: Custom scripts/tool integration is not included with this file, only URLs.

Enjoy!!!!

Thanks and Regards,

Balahasan V. | SIEM Engineer

17 Replies
siraj1 (Respected Contributor)

Re: Integration Commands for SOC Investigations v0.arb

Hi Bala,

It's an excellent effort that you have put in to bring it all together as a package. Just change the naming convention for the resources included in this package. Any .arb package having resources with names that include the '&' or 'space' character will create issues during installation.

fheaven32 (Absent Member)

Re: Integration Commands for SOC Investigations v0.arb

Awesome thanks again for your help 🙂

This is just awesome!

balahasan.v1 (Acclaimed Contributor)

Re: Integration Commands for SOC Investigations v0.arb

Yeah, thanks guys... If there is any problem with installation, I'll repack and upload it again.

balahasan.v1 (Acclaimed Contributor)

Re: Integration Commands for SOC Investigations v0.arb

Hi Guys,

Updated the .arb file (which was throwing an error).

Micro Focus Expert

Re: Integration Commands for SOC Investigations v0.arb

Balahasan, love to see customers extend and refine my ideas - great work!

balahasan.v1 (Acclaimed Contributor)

Re: Integration Commands for SOC Investigations v0.arb

Hi Gary,

That's the true power of sharing... I owe you a thanks for initiating it. Hope someone will take over from here.

michael.risher1 (Absent Member)

Re: Integration Commands for SOC Investigations v0.arb

How do I set up the integration command so that it will populate a specific value in the URL?

balahasan.v1 (Acclaimed Contributor)

Re: Integration Commands for SOC Investigations v0.arb

Hi Michael,

You have the right-clicked field assigned to $selectedItem in your command URL.

tejeu_tejeu1 (Established Member)

Re: Integration Commands for SOC Investigations v0.arb

Hi Bala,

Kindly let me know the link where you have uploaded the modified .arb file (the updated .arb file which was throwing an error).

Regards,

Tejesh

tejeu_tejeu1 (Established Member)

Re: Integration Commands for SOC Investigations v0.arb

Hi Bala,

After importing the .arb package into my manager, while installing the package I am getting an error like "Install failed: Invalid resource name 'IP & URL Analysis' (Character '&' is not allowed)".

Can anyone help me out here...

Regards,

Tejesh

balahasan.v1 (Acclaimed Contributor)

Re: Integration Commands for SOC Investigations v0.arb

Try to edit the package via XML and see if it imports without an error.

tejeu_tejeu1 (Established Member)

Re: Integration Commands for SOC Investigations v0.arb

No luck Bala... same error... Can you try in your environment once again with this .arb file...

I am at a client place and we are using ArcSight ESM 5.0....

balahasan.v1 (Acclaimed Contributor)

Re: Integration Commands for SOC Investigations v0.arb

Hi Tejesh,

Same here. I'm at a client place, Sydney. I don't have access to my lab to check it. Otherwise, create it manually from the PDF file which was included in the same place.

tejeu_tejeu1 (Established Member)

Re: Integration Commands for SOC Investigations v0.arb

Hi Bala,

Thanks a lot for your document....

I have manually created the integration command content by referring to your wonderful document and I am able to view the output too, but is it possible to extract that list into an active list to create a blacklist rule?

Example: I have created a blacklisted dshield URL link.

Original URL: http://www.dshield.org/ipsascii.html?limit=1000lHTTP/1.1

For this I have created the integration command URL: http://www.dshield.org/ipsascii.html?limit=1000l${deviceCustomString1}

After creating this integration command content I am able to view the big list of IP addresses from my ArcSight web console; now I want to use this list to create an active list.... Is it possible?

Regards,

Tejesh

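The two checks this thread keeps running into, as an added Python example (not ArcSight code and not something posted in the thread): validating package resource names against the characters the installer rejected ('&' from the error Tejesh quotes, plus the space siraj1 mentions), and expanding a command URL template such as Tejesh's `${deviceCustomString1}` one while percent-encoding the substituted field value so it cannot alter the rest of the URL. The forbidden-character set, the `lookup.example.invalid` host and the sample field values are assumptions.

```python
import re
from string import Template
from urllib.parse import quote

# Characters the ESM package installer rejects in a resource name: '&' is the
# one in the error quoted in the thread, the space comes from siraj1's reply.
# Treating exactly these two as forbidden is an assumption for this example.
FORBIDDEN_NAME_CHARS = frozenset("& ")

# Template quoted by Tejesh in the thread, reused here as sample input.
DSHIELD_TEMPLATE = "http://www.dshield.org/ipsascii.html?limit=1000l${deviceCustomString1}"


def check_resource_name(name):
    """Return the sorted list of forbidden characters present in a resource name.

    An empty list means the name would pass the installer's check."""
    return sorted(c for c in set(name) if c in FORBIDDEN_NAME_CHARS)


def safe_resource_name(name):
    """Rewrite a name so it passes: '&' becomes 'and', runs of whitespace '_'."""
    return re.sub(r"\s+", "_", name.replace("&", "and")).strip("_")


def expand_command_url(template, fields):
    """Expand $name / ${name} placeholders in an integration command URL.

    Each field value is percent-encoded (nothing left 'safe') before it is
    substituted, so a value containing '&', '/', '#' or spaces cannot change
    the path or add query parameters.  A placeholder with no matching field
    raises ValueError instead of silently producing a broken URL."""
    encoded = {k: quote(str(v), safe="") for k, v in fields.items()}
    try:
        return Template(template).substitute(encoded)
    except KeyError as missing:
        raise ValueError(f"no value for placeholder {missing}") from None


if __name__ == "__main__":
    bad = "IP & URL Analysis"  # the name from the install error in the thread
    print(bad, "->", check_resource_name(bad), "->", safe_resource_name(bad))
    # constructed field value with characters that would otherwise break the URL
    print(expand_command_url(DSHIELD_TEMPLATE, {"deviceCustomString1": "a b&c"}))
    print(expand_command_url("https://lookup.example.invalid/?ip=$selectedItem",
                             {"selectedItem": "10.0.0.1"}))
```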