ArcSight PsTools Integration Commands

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 4 min read

Summary:

The document describes how two tools from PsTools, the Sysinternals suite of command-line Windows administration utilities, are wired into the ArcSight Console as integration commands: PsGetSid and PsLoggedOn. To install PsTools, download the .zip file from Microsoft TechNet and extract it to C:\Temp\PsTools. The two tools are then introduced: - **PsGetSid**: displays the SID (Security Identifier) of a computer or a user, and translates a SID back to an account name. In ArcSight it is used to resolve fields that carry a UPI (User Principal Identifier), a Windows machine name, or a SID. - **PsLoggedOn**: lists the users logged on to a local or remote system, both those logged on locally and those connected through network resource shares. An administrator can use it to confirm that a given user is not logged on to a machine before changing that user's profile. The document closes by noting that some anti-virus products flag PsTools because the tools can act on remote systems; they are not malware but administration tools for managing Windows servers remotely.

Details:

The article provides an overview of Windows Integration Tools for ArcSight, specifically PsTools and how it is used. PsTools commands are run from the ArcSight Console as integration commands to resolve Windows SIDs (Security Identifiers) and to identify the users logged on to a Windows server. Installation has two steps: 1. Download PsTools from its official site at http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx. 2. Extract the downloaded .zip file into C:\Temp\PsTools. The integration commands expect the executables at that path. The article then introduces two tools from the suite, PsGetSid and PsLoggedOn.

  • **PsGetSid**: displays the SID (Security Identifier) of a computer or a user and can also translate a SID into an account name, which is what ArcSight needs when a field holds one form and an analyst wants the other. It is run as "psgetsid" followed by the target: a computer name (prefixed with \\), an account name, or a SID.

  • **PsLoggedOn**: shows who is logged on to a Windows server, both locally and via resource shares, on the local computer or on a remote one. It reports logon sessions only (user and logon time), not running processes; the remote target is given as a computer name on the command line.

The article concludes by stating that while some anti-virus software may flag PsTools as potentially infected because of its remote administration capabilities, the tools do not contain viruses and are part of a suite for administering multiple Windows servers remotely.

PsTools is a suite of command-line tools that provide various system management functions. The tools include PsInfo, PsKill, PsList, PsLoggedOn, PsLogList, PsPasswd, PsService, PsShutdown, PsSuspend, and PsUptime. The download package also includes an HTML help file with detailed usage information for all of the tools.

PsGetSid translates SIDs (Security Identifiers) to display names and vice versa, and supports built-in accounts, domain accounts, and local accounts. Its command syntax lets the user query either a computer's SID or a user's SID depending on the input given. In ArcSight, PsGetSid is used wherever a field containing a UPI (User Principal Identifier), a Windows machine name, or a SID needs to be resolved. A UPI is resolved to a SID with the command "Integration Commands > WBG: Resolve UPI to Windows SID", and a SID is resolved back to a UPI with "Integration Commands > WBG: Resolve Windows SID to UPI".

PsLoggedOn determines who is using resources on either the local computer or a remote one, displaying both locally logged-on users and users logged on via network resource shares. The command takes either a computer name or a user name. The -l option shows only local logons, the -x option suppresses logon times, and giving a user name instead of a computer name makes the tool search the network for computers to which that user is logged on. The "-" switch displays the supported options and the units of measurement used for output values.
PsLoggedOn identifies locally logged-on users by enumerating the Registry keys under HKEY_USERS, each of which is named for a user SID (Security Identifier), and looking up the user name for each SID. To find who is using a remote computer via resource shares it calls the NetSessionEnum API. Note that when you query a remote computer, PsLoggedOn shows you as logged on to it via a resource share, because accessing the remote system's Registry requires a logon. In ArcSight, PsLoggedOn is run by right-clicking a Windows machine IP address or host name field and selecting "Integration Commands > WBG: Users Logged to Windows Machine". This lets an administrator confirm that a particular user is not logged on to a computer before changing that user's profile.
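The script below is an added example and is not code from the original post, from ArcSight, or from Sysinternals. It does what the WBG integration commands do (invoke PsGetSid or PsLoggedOn with a value taken from a Console field) but adds the two checks a practitioner would want when event data is handed to a command line: an allow-list on the field value, since a user name or host name lifted from a log line can be attacker-influenced, and an Authenticode check on the binary, which is the right response to the anti-virus false positive the post mentions. The parameter names, the output-parsing regexes and the .NET cross-check are assumptions of this example, not part of the original integration commands; it assumes PsTools was extracted to C:\Temp\PsTools as the post describes.

```powershell
<#
Added example, not code from the original post, ArcSight, or Sysinternals.
Wraps PsGetSid / PsLoggedOn the way an ArcSight integration command would call
them, validating the field value first and parsing the tool output into objects.
Assumptions: PsTools lives in C:\Temp\PsTools; the parameter names, the
output parsing and the .NET cross-check are this script's own additions.
#>
param(
    [Parameter(Mandatory)][ValidateSet('SidToName', 'NameToSid', 'LoggedOn')]
    [string]$Action,
    [Parameter(Mandatory)][string]$Value,
    [string]$PsToolsDir = 'C:\Temp\PsTools'
)

# Allow-lists per action. Integration commands substitute raw event fields into
# a command line, so anything that is not plainly a SID, an account name,
# a \\computer name or a host name is rejected before it reaches the binary.
# LoggedOn is limited to a computer name here, matching the WBG command.
$Patterns = @{
    SidToName = '^S-1-\d+(-\d+){1,14}$'
    NameToSid = '^(?:\\\\[A-Za-z0-9.-]{1,253}|(?:[A-Za-z0-9.-]{1,64}\\)?[A-Za-z0-9._$-]{1,104})$'
    LoggedOn  = '^(?:\\\\)?[A-Za-z0-9.-]{1,253}$'
}
if ($Value -notmatch $Patterns[$Action]) {
    throw "Refusing to pass '$Value' to PsTools: not a valid $Action input"
}

# Pick the binary and verify its Authenticode signature. This is the check to
# run when anti-virus flags the suite: a genuine PsTools binary carries a valid
# Microsoft signature; a tampered or trojanised copy does not.
$exeName = if ($Action -eq 'LoggedOn') { 'PsLoggedOn.exe' } else { 'PsGetSid.exe' }
$exe = Join-Path $PsToolsDir $exeName
if (-not (Test-Path $exe)) { throw "$exeName not found in $PsToolsDir; extract PsTools there first" }
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Signature check failed for $exe (status: $($sig.Status)); not running it"
}

# Return the first capture group of the first line matching $Pattern, or $null.
function Get-FirstGroup {
    param([string[]]$Lines, [string]$Pattern)
    foreach ($line in $Lines) { if ($line -match $Pattern) { return $Matches[1] } }
    return $null
}

# -accepteula suppresses the first-run licence dialog, which would otherwise
# hang a non-interactive integration command. Output is captured as strings so
# the banner lines can be ignored and only the interesting tokens extracted.
$out = & $exe -accepteula $Value 2>&1 | ForEach-Object { "$_" }
if ($LASTEXITCODE -ne 0) { Write-Warning "$exeName exited with code $LASTEXITCODE" }

$AccountPattern = '([^\s\\]+\\[^\s]+)\s*$'   # DOMAIN\name as the last token on a line

switch ($Action) {
    'SidToName' {
        $name = Get-FirstGroup -Lines $out -Pattern $AccountPattern
        # Cross-check with the .NET translator, which needs no PsTools at all.
        try {
            $dotnet = (New-Object System.Security.Principal.SecurityIdentifier($Value)).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $dotnet = "unresolved: $($_.Exception.Message)" }
        [pscustomobject]@{ Input = $Value; PsGetSid = $name; DotNet = $dotnet; Agree = ($name -eq $dotnet) }
    }
    'NameToSid' {
        $sid = Get-FirstGroup -Lines $out -Pattern '(S-1-\d+(?:-\d+)+)'
        # Computer SIDs (\\name) have no NTAccount equivalent, so only cross-check accounts.
        $dotnet = $null
        if (-not $Value.StartsWith('\\')) {
            try {
                $dotnet = (New-Object System.Security.Principal.NTAccount($Value)).Translate(
                            [System.Security.Principal.SecurityIdentifier]).Value
            } catch { $dotnet = "unresolved: $($_.Exception.Message)" }
        }
        [pscustomobject]@{ Input = $Value; PsGetSid = $sid; DotNet = $dotnet; Agree = ($sid -eq $dotnet) }
    }
    'LoggedOn' {
        # PsLoggedOn groups its results under "Users logged on locally" and
        # "Users logged on via resource shares"; track the current group and
        # emit one object per DOMAIN\user line. Expect your own account under
        # the resource-share group: the remote Registry query itself is a logon.
        $group = 'unknown'
        foreach ($line in $out) {
            if ($line -match 'logged on locally')   { $group = 'local';  continue }
            if ($line -match 'via resource shares') { $group = 'remote'; continue }
            if ($line -match $AccountPattern) {
                [pscustomobject]@{ Host = $Value; Session = $group; User = $Matches[1]; Raw = $line.Trim() }
            }
        }
    }
}
```

An integration command would call this as, for example, `powershell.exe -File Resolve-WbgField.ps1 -Action SidToName -Value <SID field>` (the script name is this example's own choice). The Agree column on the PsGetSid actions flags any disagreement between the tool and the .NET resolver, which is a cheap way to catch a wrong or stale tool copy; the allow-list is deliberately strict, and a field that fails it should be investigated rather than passed through with looser matching.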

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
