Network Forensic Integration Tools for ArcSight
Pavan Raja, Apr 8, 2025
Summary:
This document provides a comprehensive guide on integrating Network Forensic Integration Tools with ArcSight ESM by detailing the installation process for various tools such as Dig, Nmap, Windump, WinPcap, PathPing, Nbtstat, and Nessuscmd. It explains how to import an .arb file in the ArcSight Console, specify correct paths and directories, and install these tools on separate systems if necessary to avoid performance degradation. Once installed, these tools can be accessed via right-click context menus within the ESM Console for analysis. The article also includes warnings about running memory-intensive applications concurrently and specific details on command types like "Investigate: Blacklisted Sites," "Investigate: DNS Lookup," "Investigate: Internet Port Scan," "Investigate: Malware Protection Center," "Investigate: NBTstat," "Investigate: NetWitness Integration," "Investigate: NMAP (UDP)," "Investigate: Open Shares," and "Investigate: OS Fingerprint." These commands serve various functions including blacklist checking, DNS querying, port scanning, malware detection, and detailed system assessments.
Details:
The article outlines the integration of Network Forensic Integration Tools for ArcSight ESM. It states that these tools leverage ESM's security and event management capabilities to extend its view beyond the traditional internal, event-centric view, allowing external applications such as ArcSight NSP to be integrated seamlessly. This covers both automated (rule-driven) and manual (ESM user-driven) scenarios. The article provides a detailed guide on installing the Integration Commands by importing an .arb file in the ArcSight Console and specifying the correct paths and directories for tools such as Dig, Nmap, Windump, WinPcap, PathPing, Nbtstat, and Nessuscmd. It also specifies where these tools should be installed to ensure optimal performance on the system hosting the ArcSight Console.
The article highlights that once the tools are properly integrated and installed in their designated directories, they become accessible via right-click context menus in various parts of the ESM Console such as relevant fields in active channels or resources. The output of these commands can be viewed directly in a script output window or internal browser window, allowing for further analysis and exportation options if necessary.
Finally, the article warns about running multiple instances of memory-intensive applications like WinDump on the same system hosting the ArcSight Console to prevent performance degradation. It recommends running such tools on separate systems when possible.
The article then outlines a series of command configurations used by the various investigation tools, each designed to gather specific information from network traffic and system data. These commands are executed within a VM environment and were developed for simulated testing against target machines hosting the ESM manager and console. For each command the summary gives its type, syntax, configuration name, attributes, context, and where it applies.
The "Investigate: Blacklisted Sites" command uses a URL to check whether a specific site is blacklisted through services like MXToolbox, which provides tools for internet analysis including blacklist checking.
The "Investigate: DNS Lookup" command utilizes the Dig utility from ArcSight to query DNS information about a selected item, providing detailed results typically used in network diagnostics and security assessments.
The "Investigate: Internet Port Scan" employs MXToolbox's SuperTool to scan open ports on specified IP addresses or domains, useful for understanding network configurations and identifying potential vulnerabilities.
"Investigate: Malware Protection Center," as the name suggests, checks against Microsoft’s security portal for threats related to a given target address, helping in malware detection and threat assessment.
"Investigate: NBTstat" is a script-based command that uses Windows' built-in tool nbtstat to gather information about the network connections of specified IP addresses or domain names, which can be crucial for understanding how systems are communicating across your network.
The "Investigate: NetWitness Integration" provides a local link to an internal tool within ArcSight used specifically for NetWitness integration, facilitating deeper analysis and visualization of security incidents as part of the wider cybersecurity monitoring framework.
"Investigate: NMAP (UDP)" runs the nmap utility with UDP scanning options against selected items, useful for network mapping and vulnerability assessments in more detail than traditional TCP scans.
"Investigate: Open Shares" uses ArcSight's netview tool to list open shares on specified systems, which is essential for understanding what resources are accessible from other devices on the network.
Finally, "Investigate: OS Fingerprint" employs nmap with verbose and aggressive scanning options to identify operating system details of target systems, aiding in asset discovery and security assessments.
The commands vary in their method of execution, whether via URL, script, or direct utility invocation, each serving a specific purpose related to network analysis, malware detection, and detailed OS assessment.
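The script-type commands above hand a value selected from an event field (an address or hostname) to dig, nbtstat or nmap. Because that value originates in event data rather than from the analyst, a wrapper should validate it before it reaches a command line. The following POSIX shell script is an added example, not code from the original article or from ArcSight: it assumes ESM invokes the script with a tool name and the selected field value as its two arguments, and the tool names and flags it maps to are illustrative.

```shell
#!/bin/sh
# Added example (not from the ArcSight page): a wrapper an ESM integration
# command can call instead of invoking dig/nbtstat/nmap directly.
# Assumption: ESM passes a tool name and the selected field value as $1 and $2.
# The field value comes from event data (e.g. a hostname reported by a sensor),
# so it is untrusted and must be validated before it is placed on a command line.

# Accept only an IPv4 literal or a DNS hostname (letters, digits, '-', '.').
validate_target() {
    target=$1
    # a DNS name is at most 253 characters; reject empty values too
    [ -n "$target" ] && [ "${#target}" -le 253 ] || return 1
    case $target in
        *[!A-Za-z0-9.-]*) return 1 ;;   # space, ';', '|', '$', '(' ... are rejected
        -*)               return 1 ;;   # a leading '-' would be parsed as a tool option
        *)                return 0 ;;
    esac
}

# Map the page's command names onto a tool invocation and print it, so the
# caller can log exactly what will run (ESM's script output window shows stdout).
build_command() {
    tool=$1
    target=$2
    validate_target "$target" || { echo "rejected target: $target" >&2; return 1; }
    case $tool in
        dns)      echo "dig +short $target" ;;     # "Investigate: DNS Lookup"
        nbtstat)  echo "nbtstat -A $target" ;;     # "Investigate: NBTstat" (Windows only)
        nmap-udp) echo "nmap -sU $target" ;;       # "Investigate: NMAP (UDP)"
        osfp)     echo "nmap -v -A $target" ;;     # "Investigate: OS Fingerprint"
        *)        echo "unknown tool: $tool" >&2; return 1 ;;
    esac
}

# Execute the validated command. The target contains no whitespace or shell
# metacharacters after validation, so word-splitting the string is safe here.
run_command() {
    cmd=$(build_command "$1" "$2") || return 1
    echo "running: $cmd"
    set -- $cmd
    "$@"
}

# Only execute when ESM (or an analyst) supplies both arguments,
# e.g.  ./investigate.sh dns example.com
if [ $# -ge 2 ]; then
    run_command "$1" "$2"
fi
```

The check is deliberately an allow-list: rather than trying to strip dangerous characters, it rejects anything that is not a plausible hostname or address, which also blocks values that would be parsed as extra options by the underlying tool.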