
SIEM Foundations: Implement URL Actions

URL actions allow SIEM administrators to link directly to external sources and perform lookups on data elements such as IP addresses, domains, and file hashes. McAfee ESM provides an open framework in which administrators define custom URL actions that link out to whichever external sources of information they find most useful during incident investigations.

As an example, you might like to use the popular service provided by IPVoid to compare a suspicious IP address against multiple IP-based blacklists and reputation services. IPVoid accepts queries through a simple formatted URL, with the format:

where “” is the IP address in question. We can easily create an ESM URL action that lets administrators query IPVoid for details on an IP address identified as suspicious, adding context to an investigation.

To implement the IPVoid URL action:

  1. Select an IP address in any view, then open the context menu for that view panel and choose Execute remote command.
  2. Click Add to define a new remote command. You will be presented with a dialog in which to fill in the details for the IPVoid lookup. Fill in the dialog as shown below.

    The Command String should read as follows: [$Source IP]/

    You will find shortcuts for inserting the syntax of every event, flow, and alarm field by clicking the small green arrow icon on the right side of the dialog. When complete, save the remote command by clicking OK.
  3. Now, when you select a Source IP address in any view, open the context menu for that view panel, and choose Execute remote command, you will be offered the IPVoid lookup for the selected Source IP. Select Run Now to execute the lookup.

    You should see a new popup browser window appear, showing something similar to the screenshot below.
  4. You might also like the ability to look up Destination IPs with IPVoid. To do so, repeat steps 1-3 above, but substitute the following string as the Command String in step 2: [$Destination IP]/

    Once complete, you will have two IPVoid actions to invoke: one for source IPs and one for destination IPs.
  5. You can create as many URL actions as you like. Below are suggestions for other actions you might like to configure:

McAfee Global Threat Intelligence – IP Lookups:
    [$Source IP]
    [$Destination IP]

Internet Storm Center Dshield – IP Lookups:
    [$Source IP]
    [$Destination IP]

What URL Actions have you found most useful in your enterprise? Please share in the comments below.


These are some of the URL Actions I use:
Source IP: [$Source IP].html
Destination IP: [$Destination IP].html
Source IP: [$Source IP]&run=toolpage
Destination IP: [$Destination IP]&run=toolpage



When executing remote commands via URL, is there a way to URL-encode the expanded field values? For example, if I expand [$First Time], it expands in this format "08/21/2016%2015:30:14", but it is not URL-encoded. So how do I convert it to the encoded form "08%2F21%2F2016%2015%3A30%3A14"?
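As an added illustration of the [$Field] command-string expansion described in the procedure above and of the encoding concern raised in the comment (this is example code, not McAfee ESM's own expansion logic, and not an official answer), the snippet below expands placeholders into a lookup URL, percent-encodes every substituted value, and refuses to build a URL when an IP field does not hold a valid address. The lookup base URL and the event field values are placeholders constructed for the example, because the page does not preserve the real service URLs.

```python
import ipaddress
import re
from urllib.parse import quote

# Placeholder prefix: the article's real lookup URLs were not preserved on the page.
LOOKUP_BASE = "https://lookup.example/ip/"

# Constructed sample event, standing in for the fields an ESM view would expose.
SAMPLE_EVENT = {
    "Source IP": "192.0.2.10",
    "Destination IP": "198.51.100.7",
    "First Time": "08/21/2016 15:30:14",
}

# Fields whose values must parse as an IP address before they reach a URL.
IP_FIELDS = {"Source IP", "Destination IP"}

# Matches the [$Field Name] placeholder syntax used in ESM command strings.
PLACEHOLDER = re.compile(r"\[\$([^\]]+)\]")


def expand_command(template, event):
    """Replace each [$Field] placeholder with the percent-encoded event value.

    An IP field that does not parse as an IPv4/IPv6 address raises ValueError
    instead of being spliced into the URL; a field missing from the event
    raises KeyError.
    """
    def substitute(match):
        field = match.group(1)
        value = event[field]
        if field in IP_FIELDS:
            # Normalises the address and rejects anything that is not one.
            value = str(ipaddress.ip_address(value))
        # safe="" also encodes '/' and ':' so the value cannot alter the URL path.
        return quote(value, safe="")

    return PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    for field in ("Source IP", "Destination IP"):
        print(expand_command(LOOKUP_BASE + "[$" + field + "]/", SAMPLE_EVENT))
    print(expand_command("https://lookup.example/when/[$First Time]", SAMPLE_EVENT))
```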



Last update: 08-10-2014 09:10 PM