SIEM Foundations: Implement URL Actions

Version 4

    URL actions let SIEM administrators link directly to external sources to perform lookups on data elements such as IP addresses, domains and file hashes.  McAfee ESM provides an open framework for administrators to define custom URL actions that link out to whichever external sources of information they find most useful during incident investigations.
    As an example, you might like to use the popular IPVoid service to compare a suspicious IP address against multiple IP blacklists and reputation services.  IPVoid accepts queries through a simple URL of the form:
    http://www.ipvoid.com/scan/1.2.3.4/
    where “1.2.3.4” is the IP address in question.  We can easily create an ESM URL action that lets administrators query IPVoid for details on an IP address identified as suspicious, adding context to an investigation.
    To implement the IPVoid URL action:
    1. Select an IP address in any view, then open the context menu for that view panel and choose Execute remote command.
      [screenshot: pic1.png]
    2. Click Add to define a new remote command.  You will be presented with a dialog in which to fill in the details for the IPVoid lookup.  Fill in the dialog as shown below.
      [screenshot: pic2.png]

      The Command String should read as follows:
      http://www.ipvoid.com/scan/[$Source IP]/

      You’ll find shortcuts for inserting the syntax of every event, flow and alarm field by clicking the small green arrow icon on the right side of the dialog.  When complete, save the remote command by clicking OK.
    3. Now, if you select a Source IP address in any view, open the context menu for that view panel and choose Execute remote command, you will be offered the IPVoid lookup for the selected Source IP.  Select Run Now to execute it.
      [screenshot: pic3.png]

      You should see a new popup browser window appear, showing something similar to the screenshot below.
      [screenshot: pic4.png]
    4. You might also like to have the ability to look up Destination IPs with IPVoid.  To do so, repeat steps 1-3 above, but substitute the following string as the Command String in step 2:
      http://www.ipvoid.com/scan/[$Destination IP]/

      Once complete, you will have two IPVoid actions to invoke: one for source IPs and one for destination IPs.
      [screenshot: pic5.png]
    5. You can create as many URL actions as you like.  Bear in mind that each one sends the selected field value to an external service: prefer HTTPS endpoints where the service offers them, and consider whether the value (an internal address, for example) should leave your network at all.  Below are suggestions for other actions you might like to configure:
    McAfee Global Threat Intelligence – IP Lookups

    http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=[$Source IP]

    http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=[$Destination IP]
    Internet Storm Center Dshield – IP Lookups

    https://www.dshield.org/ipinfo.html?ip=[$Source IP]

    https://www.dshield.org/ipinfo.html?ip=[$Destination IP]
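
    To make the substitution concrete, the following Python script is an added example, not ESM code or a feature of the product.  It expands URL-action templates written in the same [$Field] syntax as the Command Strings above against a constructed sample event, URL-encodes each value so it cannot alter the structure of the lookup URL, and adds one check the article does not mention: an action is skipped when its IP field holds a private, loopback or otherwise non-public address, since sending internal addressing to an outside reputation service discloses it and returns nothing useful anyway.  The action names, the Domain field and the sample event values are assumptions.

```python
import ipaddress
import re
from urllib.parse import quote

# Constructed sample event for illustration; not a real ESM record.
# "Source IP" and "Destination IP" are the field names the article's
# placeholders use; "Domain" is an assumed extra field.
SAMPLE_EVENT = {
    "Source IP": "1.2.3.4",
    "Destination IP": "10.0.0.5",
    "Domain": "example.com/../evil",
}

# URL-action templates in the [$Field] syntax from the article.
ACTIONS = {
    "IPVoid (Source IP)": "http://www.ipvoid.com/scan/[$Source IP]/",
    "IPVoid (Destination IP)": "http://www.ipvoid.com/scan/[$Destination IP]/",
    "DShield (Source IP)": "https://www.dshield.org/ipinfo.html?ip=[$Source IP]",
}

# Matches one [$Field Name] placeholder and captures the field name.
PLACEHOLDER = re.compile(r"\[\$([^\]]+)\]")


def is_public_ip(value):
    """True only for a syntactically valid, globally routable IP address.
    Private, loopback, link-local and other special ranges return False,
    as does anything that is not an IP address at all."""
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:
        return False


def expand_action(template, event):
    """Replace every [$Field] in the template with the URL-encoded event value.
    Encoding with safe="" keeps a value containing '/' or '?' from altering
    the path or query structure of the lookup URL. Raises KeyError if the
    event lacks a referenced field."""
    return PLACEHOLDER.sub(lambda m: quote(str(event[m.group(1)]), safe=""), template)


def build_lookups(actions, event):
    """Expand each action for one event.

    Returns (built, skipped): built maps action name -> ready-to-open URL;
    skipped maps action name -> reason. An action is skipped when a
    referenced field is absent from the event, or when a field whose name
    ends in " IP" holds a non-public address (internal addressing should
    not be sent to an outside reputation service)."""
    built, skipped = {}, {}
    for name, template in actions.items():
        fields = PLACEHOLDER.findall(template)
        missing = [f for f in fields if f not in event]
        if missing:
            skipped[name] = "missing field(s): " + ", ".join(missing)
            continue
        internal = [f for f in fields if f.endswith(" IP") and not is_public_ip(event[f])]
        if internal:
            skipped[name] = "non-public address in " + ", ".join(internal)
            continue
        built[name] = expand_action(template, event)
    return built, skipped


if __name__ == "__main__":
    urls, reasons = build_lookups(ACTIONS, SAMPLE_EVENT)
    for name, url in urls.items():
        print(f"{name}: {url}")
    for name, why in reasons.items():
        print(f"{name}: skipped ({why})")
```

    Run against the sample event, the two Source IP actions expand to their IPVoid and DShield URLs, while the Destination IP action is skipped because 10.0.0.5 is a private address.  The same template mechanism works for any field, which is why the encoding step matters once you move beyond IP addresses to domains, URLs or user names.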
    What URL Actions have you found most useful in your enterprise?  Please share in the comments below.