Network Forensic Integration Tools for ArcSight ESM

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 9 min read

Summary:

Based on the provided text, here is an overview of each command and its purpose:

1. **Investigate: PathPing** - Command: `%system32%\pathping.exe $selectedItem` - Purpose: Analyzes network paths by IP address to help troubleshoot network issues or assess connectivity between devices on a network.

2. **Investigate: RFC Ignorant** - Command: `http://www.rfc-ignorant.org/tools/lookup.php?domain=$selectedItem&full=1` - Purpose: Looks up domain information for the selected IP address or string, providing details about the domain's registration and other relevant data.

3. **Investigate: SMTP Check** - Command: `http://www.mxtoolbox.com/SuperTool.aspx?action=smtp:$selectedItem` - Purpose: Checks the functionality of an SMTP server associated with a given domain or IP address to ensure proper email transmission and configuration.

4. **Investigate: Suspected Malware (Target Address)** - Command: `http://www.malwaredomainlist.com/mdl.php?search=$targetAddress` - Purpose: Queries a database of known malicious domains associated with the target IP address to help identify potential threats and malware.

5. **Investigate: Threat Expert** - Command: `http://www.threatexpert.com/reports.aspx?find=&x=10&y=7` - Purpose: Retrieves threat reports on domains or IP addresses, providing insights into potential security threats and malicious activities.

6. **Investigate: Vulnerability Scan** - Command: `%program files%\tenable\nessus\nessus\nessuscmd -U -p139,445 -V -i 10150,34477 $selectedItem` - Purpose: Performs a vulnerability scan on specified IP addresses and ports to identify potential security vulnerabilities that could be exploited by attackers.

These commands are designed for various investigative tasks within a networked environment, including network troubleshooting, malware detection, and vulnerability assessment. They use different syntaxes and configurations depending on the desired outcome, and can be accessed from multiple interfaces within the system for comprehensive analysis.

Details:

The document "Network Forensic Integration Tools for ArcSight ESM" outlines how to integrate various network forensic tools with ArcSight Enterprise Security Manager (ESM). It explains the integration process, the supported platforms, and how the toolset enhances security operations. The toolset expands the capabilities of ESM by providing external views from applications such as ArcSight NSP and third-party software, in both automated and manual scenarios. The document also specifies that this version has been confirmed compatible with ArcSight versions 5.0.1.6534.1 and 5.0.0.6450.0, running on Windows Server 2003 R2 SP2 with Oracle Database 10g Enterprise Edition Release 10.2.0.4.0.

The toolset is designed for cyber-investigations. It includes security tools such as Nmap, Nessus, tcpdump, NBTstat, and OS fingerprinting, which security analysts and forensic investigators commonly use after a security incident. The commands can be customized for both Windows and Unix/Linux environments, because the integration adapts to the local settings of the system hosting the ArcSight Console. As most Security Operations departments use Windows XP/7/2003/2008 as their primary desktop systems, Windows builds of these tools are included in the package.

The toolset includes several types of commands: URL commands, which open Web page URLs or URIs in the ArcSight Console's internal browser or an external web browser; and script commands, which execute scripts and return their output so that specific actions can be taken based on the results. The bundled integration tools are Dig for Windows v9.3.2, Nmap for Windows v5.21, Windump v3.9.5, WinPcap v4.1.2 (Windows only), PathPing v5.2.3790.0 (Windows only), and Nessuscmd for Windows v4.2.2 (Build 9129).

The installation process involves two steps. Step 1: Import the "Investigation_Integration_Pack.arb" file by opening the ArcSight Console, navigating to Packages in the Resource Navigator, selecting Import, and choosing the location of the .arb file. Once imported, the tools appear under Integration Commands / Configurations. Step 2: This step isn't detailed in the text provided, but it typically involves verifying the installation and ensuring all configurations are set according to your organization's needs.

In summary, this toolset provides a comprehensive suite of security investigation tools with flexible integration capabilities that can be tailored for both Windows and Unix/Linux environments, making it valuable for cyber-investigations in organizations that use the ArcSight Console as their primary security management platform.

The article also covers the placement and installation of the command line utilities used by the investigation integration apps. These tools are stored in a zip file located at "/All Files/ArcNet Files/Investigation Integration Apps/Investigation Integration Tools.zip". To install them, download the zip file (right-click it and select "download"), then extract the contents to "C:\arcsight\tools". The tools must be placed in the directories configured in the integration commands:

  • DNS Lookup: %arcsight%\tools\dig.exe

  • NBTstat: %system32%\nbtstat.exe

  • NetWitness Integration: %arcsight%\tools\NetWitness.gif

  • NMAP (TCP): %program files%\nmap\nmap.exe

  • NMAP (UDP): %program files%\nmap\nmap.exe

  • Open Shares: %arcsight%\tools\netview.cmd

  • OS Fingerprint: %program files%\nmap\nmap.exe

  • Packet Capture: %arcsight%\tools\windump.exe

  • PathPing: %system32%\pathping.exe

  • Vulnerability Scan: %program files%\tenable\nessus\nessuscmd

Once installed, these tools are available through right-click context menus in the ESM Console, including fields in active channels, relevant resources, and lists such as session lists. When a command is invoked, a script output window or an internal browser window opens in which the command output can be viewed. From that output, analysts can export results to files or add them to existing cases. Closing the output window stops the command and removes it from memory.

The article adds a note about running WinDump: "Running multiple instances of memory-intensive applications such as WinDump for long periods will degrade the performance of the system hosting the ArcSight Console." It recommends running WinDump on a separate system where possible.

The provided text then describes the configuration and functionality of the "Investigate" commands. These commands are primarily designed for analyzing data related to network traffic, DNS lookups, blacklisted sites, port scans, and malware protection. Here's a summary of each command and its characteristics:

1. **Investigate: Blacklisted Sites**

  • Command Type: URL

  • Command Syntax: http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist:$selectedItem

  • Configuration Name: Investigate: Blacklisted Sites

  • Configuration Attributes: Internal

  • Configuration Context: This command is used to check if a specific domain or IP address is blacklisted. It involves querying an external service (mxtoolbox) to see if the requested item appears on any blacklist. The configuration context allows for selection of items either as IP Addresses or Strings, and it can be applied across various views within the tool.

2. **Investigate: DNS Lookup**

  • Command Type: Script

  • Command Syntax: %arcsight%\tools\dig.exe -t ANY $selectedItem

  • Configuration Name: Investigate: DNS Lookup

  • Configuration Attributes: Text Renderer

  • Configuration Context: This command performs a DNS lookup on the selected item, retrieving detailed information about the domain or IP address, including all record types (e.g., A, NS, MX, etc.). The context allows for application in various views and editors within the tool.

3. **Investigate: Internet Port Scan**

  • Command Type: URL

  • Command Syntax: http://www.mxtoolbox.com/SuperTool.aspx?action=scan:$selectedItem

  • Configuration Name: Investigate: Internet Port Scan

  • Configuration Attributes: Internal

  • Configuration Context: This command is used to scan a target IP address for open ports, providing information about the services running on that host. Similar to other commands, it can be applied across different views and selections related to IP addresses or strings within the tool.

4. **Investigate: Malware Protection Center (Target Address)**

  • Command Type: URL

  • Command Syntax: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=$selectedItem

  • Configuration Name: Investigate: Malware Protection Center

  • Configuration Attributes: Internal

  • Configuration Context: This command checks the target address against Microsoft's malware protection database to determine if the address is associated with known malicious activity or has been flagged as unsafe. The context applies across various views and selections, focusing on IP addresses and strings within the tool environment.

Overall, these commands are designed for network administrators and security analysts to investigate potential threats, analyze network traffic, and assess system vulnerabilities by querying external databases and performing DNS lookups on specified items.

The document also outlines several investigation commands for network and system analysis. Each is executed with a specific tool or script, tailored to the type of data being investigated:

1. **Investigate: NBTstat** - Uses `nbtstat.exe` from the system32 directory to retrieve the address resolution protocol (ARP) cache table, node information, and other network statistics for the specified IP address. It is configured with a text renderer in various contexts including viewer, resource, editor, selected cell, and all selections.

2. **Investigate: NetWitness Integration** - Opens a slide from the NetWitness integration, presumably for visualizing integrated network data. The syntax specifies a local file path to the NetWitness GIF image. It is configured with context options including viewer, all views, and all selections related to IP addresses and strings.

3. **Investigate: NMAP (UDP)** - Runs `nmap` from the program files directory in UDP scanning mode on port 0 against the selected IP address, with very verbose output (-vv) for detailed network mapping information. The configuration uses a text renderer with similar context options as above.

4. **Investigate: Open Shares** - Executes a script from the ArcSight tools directory (`netview.cmd`) to enumerate and display open shares on the specified IP address. It uses a text renderer and the general viewer, resource, and editor contexts.

5. **Investigate: OS Fingerprint** - Uses `nmap` from the program files to perform an aggressive scan (options -vvv -A -O -PN) that gathers operating system fingerprint information for the target IP address. The configuration includes a text renderer and applies to all views or selections related to IP addresses and strings.

6. **Investigate: Packet Capture** - Captures network packets with `windump` from the ArcSight tools directory, listening on interface number 3 and capturing all traffic for the specified host IP address. It is configured with a text renderer and applies in similar contexts as the other commands listed above.

Each command is designed to assist in specific types of investigations, using different scripts or executables to gather detailed information about network assets identified by their IP addresses.

The provided text also outlines the remaining commands and configurations, used for network troubleshooting, malware detection, and vulnerability assessment. Each command is associated with a specific task such as path analysis (using PathPing), domain investigation (via URLs), SMTP server checks, suspected malware queries, threat reporting, and vulnerability scanning.

  • **Investigate: PathPing** uses the script located at `%system32%\pathping.exe $selectedItem` to analyze network paths. It is configured with a text renderer for display in a viewer interface. This command operates on IP addresses selected within all views, supporting all data types.

  • **Investigate: RFC Ignorant** provides a lookup service through an external URL (`http://www.rfc-ignorant.org/tools/lookup.php?domain=$selectedItem&full=1`). This is configured as internal and can be accessed in various contexts including viewer, resource, and editor interfaces across all views, assets, and editors for selected cells with IP address or string data types.

  • **Investigate: SMTP Check** uses the external URL `http://www.mxtoolbox.com/SuperTool.aspx?action=smtp:$selectedItem` to check the functionality of an SMTP server associated with a given domain or IP address. Similar to other investigate commands, this is configured as internal and can be used across various contexts in the viewer, resource, and editor interfaces.

  • **Investigate: Suspected Malware (Target Address)** queries `http://www.malwaredomainlist.com/mdl.php?search=$targetAddress` to check for known malicious domains associated with a target IP address. It is also internal and can be accessed across multiple contexts in the system, including viewer, resource, and editor interfaces.

  • **Investigate: Threat Expert** accesses `http://www.threatexpert.com/reports.aspx?find=&x=10&y=7` to retrieve threat reports on domains or IP addresses. This command is set up as internal and can be used across various editor interfaces for assets, resources, and viewers with the ability to handle different data types like string and IP address selections.

  • **Investigate: Vulnerability Scan** performs a scan using `%program files%\tenable\nessus\nessus\nessuscmd -U -p139,445 -V -i 10150,34477 $selectedItem` on specified ports and IP addresses to detect vulnerabilities. It utilizes a text renderer in the viewer interface, supporting all views and data types.

Each command is tailored for specific investigative tasks within a networked environment, using different syntaxes and configurations based on the desired outcome (network analysis, malware detection, vulnerability assessment) while adhering to internal system settings.

The document is also a resource for investigating Windows events using ArcSight ESM. It includes details on how to use specific URLs and commands to access detailed information about events, such as those found at www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=$. The configuration is designed for use within the ArcSight ESM environment, allowing users to view and analyze event details through various interfaces including selected cells and all selections, with support for data types such as IP addresses and strings.

The document includes two attachments: a PowerPoint presentation titled "How_To_Become_An_ArcSight_CSI - 040811.ppt" (2.8 MB) and an ArcSight Express file named "Investigation_Integration_2011_Pack.arb" (2.0 MB). These resources are intended to help users become proficient in using the tool for investigations, particularly in network forensics, evidence collection, and corporate investigations related to blacklisted sites and active channels. The document is categorized under Threat Detector (Pattern Discovery), Console, Presentation, and Integration, with tags covering various tools, content types, and investigative commands such as tcpdump, nmap, net_view, dig, windump, and others. The average user rating for this resource is 5 out of 5 based on one rating. The document also allows comments and annotations, with options to bookmark it or receive email notifications when changes are made. It can be accessed through various interfaces within ArcSight ESM, supporting a comprehensive approach to digital forensics and security analysis.
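The script commands above substitute the selected cell value straight into a local command line, so whatever sits in an event field (a value the Console operator did not type) becomes a process argument. As an added illustration, not part of the integration pack or the original post, the helper below renders a few of the page's command templates and only runs a script command when the selected item is a literal IP address or a plain hostname, while percent-encoding values for URL commands. The `COMMANDS` table and the function names are assumptions for this example, not ArcSight's own resource format.

```python
import ipaddress
import re
from urllib.parse import quote

# Constructed subset of the pack's Investigate commands, keyed by configuration name.
# (Assumption: a plain dict stands in for the .arb resource the Console actually stores.)
COMMANDS = {
    "Investigate: Blacklisted Sites": ("URL",
        "http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist:$selectedItem"),
    "Investigate: DNS Lookup": ("Script",
        r"%arcsight%\tools\dig.exe -t ANY $selectedItem"),
    "Investigate: PathPing": ("Script",
        r"%system32%\pathping.exe $selectedItem"),
    "Investigate: Vulnerability Scan": ("Script",
        r"%program files%\tenable\nessus\nessus\nessuscmd "
        r"-U -p139,445 -V -i 10150,34477 $selectedItem"),
}

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def is_safe_target(value: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or a plain hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME.match(value))


def render_command(name: str, selected_item: str) -> str:
    """Fill $selectedItem in the named template, applying the check that fits its type."""
    kind, template = COMMANDS[name]
    if kind == "URL":
        # Browser target: encode so the value cannot change the query structure.
        return template.replace("$selectedItem", quote(selected_item, safe=""))
    if kind == "Script":
        # Local process: the value becomes a shell argument, so it must be a
        # well-formed target rather than arbitrary text copied from an event field.
        if not is_safe_target(selected_item):
            raise ValueError(f"refusing {name!r}: selected item is not an IP or hostname")
        return template.replace("$selectedItem", selected_item)
    raise ValueError(f"unknown command type {kind!r}")
```

Wiring the same check into the `netview.cmd`-style wrappers the pack already uses is the practical way to apply it, since the Console itself only does the substitution.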

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
