
Network Forensic Integration Tools for ArcSight ESM

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 9 min read

Summary:

This post summarises an ArcSight community document titled "All Data Types": the PowerPoint file "How_To_Become_An_ArcSight_CSI - 040811.ppt" (2.8 MB) and its attachment "Investigation_Integration_2011_Pack.arb" (2.0 MB, viewed 556 times). The document is filed under the categories Console, Integration, Presentation and Threat Detector (aka Pattern Discovery) and tagged with Corporate Investigation, Cyber-investigator, Evidence Collection, Network Forensics and related terms.

The pack defines investigation commands that run from the ESM Console against a selected field value. Three of them, as the document describes them:

### Command 3: Investigate: Threat Expert (link – no integration)
- **Purpose**: Open the ThreatExpert report search for a target via a fixed URL.
- **URL Format**: http://www.threatexpert.com/reports.aspx?find=&x=10&y=7
- **Configuration**: Internal browser; usable across all views, resources and editors.
- **Focus**: Selected cell data; IP address and string data types.
- **Tool Usage**: The ThreatExpert web service.

### Command 4: Investigate: Vulnerability Scan
- **Purpose**: Run a vulnerability scan against the selected item.
- **Ports/Services**: Ports 139 and 445; services 10150 and 34477.
- **Configuration**: Text renderer; usable across all views, resources and editors.
- **Data Types**: IP address and string.
- **Tool Usage**: Nessus (via nessuscmd).

### Command 5: Investigate: Windows Event
- **Purpose**: Open the encyclopedia entry for the selected Windows event ID.
- **URL Format**: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=$deviceEventClassId
- **Configuration**: Internal browser; usable across all views, resources and editors.
- **Focus**: Selected cell data; IP address and string data types.
- **Tool Usage**: The Ultimate Windows Security event encyclopedia.

### Additional Information
- The document associates commands 3 and 5 with ArcSight Express, which suggests they belong to a broader investigation workflow in an organisation using ArcSight as its SIEM (Security Information and Event Management) platform.
- Command 4 relies on Nessus, so a separate vulnerability-assessment tool is wired into the console.
- tcpdump, nmap, pathping and windump appear throughout as the tools for protocol analysis, network mapping and route tracing during an investigation.

The hosting site also advertised the Jive for Microsoft Office plugin (version 2016.1.0.0, revision date March 1st, 2016, provided by Jive Software), which adds collaboration and sharing to Word, Excel and PowerPoint; it is unrelated to the integration pack itself.

Details:

Network Forensic Integration Tools for ArcSight ESM are integration commands that extend ArcSight ESM by calling external tools and applications, including ArcSight NSP and third-party programs, from the ESM Console. They give analysts right-click access to the information-gathering and security tools commonly used in cyber investigations, such as Nmap, Nessus, tcpdump, blacklist lookups, NBTstat and OS fingerprinting, so the ESM Console can act as the single command hub for investigation and reconnaissance.

The package targets Windows XP/7/2003/2008 hosts and relies largely on Windows builds of Unix/Linux command-line utilities. It contains URL commands that open web pages and script commands that run scripts or executables, using native and Linux-derived versions of Dig, Nmap, Windump, WinPcap, PathPing, Nbtstat and Nessuscmd. Specifically, the package contains:

1. **URL Commands** - Links to web page URLs, viewed in the ESM Console's internal browser or an external one.
2. **Script Commands** - Executable scripts whose script/executable output is shown in the console.
3. **Integration Tools Used**:

  • Dig for Windows v9.3.2

  • Nmap for Windows v5.21

  • Windump v3.9.5

  • WinPcap v4.1.2

  • PathPing v5.2.3790.0 (Windows-only)

  • Nbtstat v5.2.3790.3959 (Windows-only)

  • Nessuscmd for Windows v4.2.2 (Build 9129)

**Installation Steps**:

1. **Step 1**: Open the ArcSight Console, navigate to "Packages" in the Resource Navigator, select "Import" and locate the "Investigation_Integration_Pack.arb" file. Once imported, the tools appear under Integration Commands / Configurations; the .arb file installs the command definitions.
2. **Step 2**: Install the command-line utilities by downloading the zip file (right-click > Download) and extracting it to `C:\arcsight\tools`. Make sure each tool sits in the directory its integration command references; for example, DNS Lookup using Dig expects `%arcsight%\tools\dig`.

The document then walks through each investigation tool, where it is installed and how it is used from the ArcSight Security Management (ESM) Console: NBTstat, NetWitness Integration, NMAP (TCP/UDP), Open Shares, OS Fingerprint, Packet Capture, PathPing and Vulnerability Scan. Once the binaries are in their directories, the commands are reachable from the right-click context menu of relevant fields, resources or lists in the ESM Console. When invoked, a script output window or internal browser window shows the result, which analysts can export or attach to an existing case. Closing the output window stops the command and releases it from memory.

A note on WinDump (tcpdump): it is memory-intensive, and running several instances on the console host can degrade performance. The document recommends running such capture tools on separate, purpose-configured systems.

**Integration Tool Summary**

The commands cover checking a site against an online blacklist, DNS lookups with the dig command, an internet port scan through an external site, a malware-protection status lookup at Microsoft's Malware Protection Center, NBTstat name-resolution tests, and a NetWitness integration for deeper investigation. Each command is paired with a configuration that fixes the context in which it can be used. The configurations described in the document, each selecting on a data type (IP address, string, etc.) and rendering consistently across the console's views:

1. **Investigate: NetWitness Integration** - The listed command runs NMAP with a UDP scan against the selected item and shows the result in the text renderer: `%program files%\nmap\nmap.exe -vv -sU -p0 $selectedItem`.
2. **Investigate: NMAP (UDP)** - NMAP UDP scan of the selected IP address, verbose, starting at port 0; text renderer.
3. **Investigate: Open Shares** - Runs `netview.cmd` from `%arcsight%\tools` against the selected item to list open network shares; text renderer.
4. **Investigate: OS Fingerprint** - NMAP with high verbosity (-vvv), comprehensive OS detection (-A) and the -O -PN options, to identify the operating system of the selected IP address; text renderer.
5. **Investigate: Packet Capture** - Windump from `%arcsight%\tools` captures packets on interface 3 for the selected host, verbosely, for both data and non-data types; text renderer.
6. **Investigate: PathPing** - Runs the Windows PathPing tool from the system32 directory, with default settings, against the selected IP address to measure round-trip times.
7. **Investigate: RFC Ignorant** - Queries `http://www.rfc-ignorant.org/tools/lookup.php?domain=$selectedItem&full=1` for information about a domain; internal browser.

The remaining commands cover SMTP, malware lists, threat reports, vulnerability scanning and Windows events:

1. **Investigate: SMTP Check** - URL command http://www.mxtoolbox.com/SuperTool.aspx?action=smtp:$selectedItem. Internal browser; all views, resources and editors; the selected cell and its associated selections; IP address and string data types.
2. **Investigate: Suspected Malware (Target Address)** - URL command http://www.malwaredomainlist.com/mdl.php?search=$targetAddress. Internal browser; all views, resources and editors; selected cell; IP address and string data types.
3. **Investigate: Threat Expert (link – no integration)** - URL command http://www.threatexpert.com/reports.aspx?find=&x=10&y=7. Internal browser; all views, resources and editors; selected cell; IP address and string data types.
4. **Investigate: Vulnerability Scan** - Script command that scans the selected item for ports 139 and 445 and services 10150 and 34477. Text renderer; all views, resources and editors; IP address and string data types.
5. **Investigate: Windows Event** - URL command http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=$deviceEventClassId. Internal browser; all views, resources and editors; selected cell; IP address and string data types.

Together these give the analyst SMTP configuration checks, malware-list and threat-report lookups, vulnerability scans and Windows event lookups without leaving the console.

The source document is titled "All Data Types"; it is the PowerPoint file "How_To_Become_An_ArcSight_CSI - 040811.ppt" (2.8 MB), with the attachment "Investigation_Integration_2011_Pack.arb" (2.0 MB, viewed 556 times).
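Every command above is a template in which the console substitutes a field value (`$selectedItem`, `$targetAddress`, `$deviceEventClassId`) and a directory reference (`%arcsight%`, `%program files%`) before opening a URL or launching a script. The following is an added example, not code from the integration pack or the original document, that performs that expansion the way a defender would want it done: URL values are percent-encoded, and a script-command target must be an IP address or a plain hostname, because event fields such as hostnames come from the monitored network and must never reach a command line unchecked. Function names, the `env` mapping and the sample values are the example's own assumptions.

```python
import ipaddress
import re
from urllib.parse import quote

# Field tokens used by the integration commands on this page.
TOKEN_RE = re.compile(r"\$(selectedItem|targetAddress|deviceEventClassId)")
# A script-command argument is a run of %var% blocks (which may contain spaces,
# e.g. %program files%) and non-space characters, so the path stays one argument.
ARG_RE = re.compile(r"(?:%[^%]*%|\S)+")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def validate_target(value):
    """Accept only an IP address or a plain hostname as a script target.
    Anything else (spaces, extra options, shell metacharacters) is rejected."""
    value = str(value).strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value) and ".." not in value:
        return value
    raise ValueError(f"unsafe target for a script command: {value!r}")


def expand_url_command(template, values):
    """URL command: replace each $token with its percent-encoded value.
    A missing token raises KeyError instead of producing a broken URL."""
    return TOKEN_RE.sub(lambda m: quote(str(values[m.group(1)]), safe=""), template)


def expand_script_command(template, values, env):
    """Script command: expand %var% directories and $tokens per argument and
    return an argv list meant for subprocess.run(argv) with shell=False."""
    argv = []
    for raw in ARG_RE.findall(template):
        arg = re.sub(r"%([^%]*)%", lambda m: env[m.group(1).lower()], raw)
        arg = TOKEN_RE.sub(lambda m: validate_target(values[m.group(1)]), arg)
        argv.append(arg)
    return argv


if __name__ == "__main__":
    # Constructed sample values; 198.51.100.7 is a documentation-range address.
    env = {"program files": r"C:\Program Files", "arcsight": r"C:\arcsight"}
    print(expand_url_command(
        "http://www.malwaredomainlist.com/mdl.php?search=$targetAddress",
        {"targetAddress": "198.51.100.7"}))
    print(expand_script_command(
        r"%program files%\nmap\nmap.exe -vv -sU -p0 $selectedItem",
        {"selectedItem": "198.51.100.7"}, env))
```

A value such as `198.51.100.7 -oN out.txt` in the selected cell is refused by `validate_target`, which is the check an integration command built with `shell=True` string concatenation would lack.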
The document falls under several categories including Console, Integration, Presentation, and Threat Detector (aka Pattern Discovery). It is tagged with various terms related to cybersecurity such as corporate investigation, cyber-investigator, evidence collection, network forensics, and others. The content appears to be focused on using various tools for investigation in a digital environment, including but not limited to:

  • Using ArcSight Express (tagged)

  • Employing tcpdump, nmap, pathping, and windump (tagged as tools) for network analysis and forensic investigations

  • Integrating with Nessus for vulnerability assessments

  • Utilizing command line utilities like dig, net view, and more (tagged as integration_commands)

This document is marked as final, which suggests it may be part of a training curriculum or of official ArcSight documentation. The presence of multiple tags indicates its utility across different aspects of digital investigation and security operations within corporate environments.

The hosting page also offered the Jive for Microsoft Office plugin (version 2016.1.0.0, revision date March 1st, 2016, © 2016 Jive Software), which lets users create, open, collaborate on and share Word, Excel and PowerPoint documents from within Office 2003, 2007, 2010 or 2013 on Windows after signing in at https://irock.jiveon.com. It belongs to the hosting site, not to the integration pack.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
