SIEM Foundations: Implement URL Actions

URL actions allow SIEM administrators to seamlessly link to external sources to perform lookups on data elements such as IP addresses, domains, file hashes, etc.  McAfee ESM provides an open framework for administrators to define custom URL actions to link out to the external sources of information they find most useful during incident investigations.

As an example, you might like to use the popular service provided by IPVoid to compare a suspicious IP address against multiple IP-based blacklists and reputation services.  IPVoid allows queries using a simple formatted URL, with the format:

http://www.ipvoid.com/scan/1.2.3.4/

where “1.2.3.4” is the IP address in question.  We can easily create an ESM URL action to allow administrators to quickly query IPVoid for details on an IP address we have identified as suspicious, to provide additional context to an investigation.

To implement the IPVoid URL action:

  1. Select an IP address in any view, then open the context menu for that view panel and choose Execute remote command.
    (screenshot: pic1.png)
  2. Click Add to define a new remote command. A dialog opens in which you fill in the details for the IPVoid lookup; complete it as shown below.
    (screenshot: pic2.png)

    The Command String should read as follows:
    http://www.ipvoid.com/scan/[$Source IP]/

    Shortcuts for inserting the syntax of every event, flow, and alarm field are available by clicking the small green arrow icon on the right side of the dialog. When complete, save the remote command by clicking OK.
  3. Now, when you select a Source IP address in any view, open the context menu for that view panel, and choose Execute remote command, the IPVoid lookup is offered for the selected Source IP. Select Run Now to execute the lookup.
    (screenshot: pic3.png)

    A new popup browser window should appear, showing something similar to the screenshot below.
    (screenshot: pic4.png)
  4. You might also like to look up Destination IPs with IPVoid. To do so, repeat steps 1-3 above, but substitute the following string as the Command String in step 2:
    http://www.ipvoid.com/scan/[$Destination IP]/

    Once complete, you will have two IPVoid actions to invoke: one for source IPs and one for destination IPs.
    (screenshot: pic5.png)
  5. You can create as many URL actions as you like. Below are suggestions for other actions you might like to configure:

McAfee Global Threat Intelligence – IP Lookups

http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=[$Source IP]

http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=[$Destination IP]

Internet Storm Center Dshield – IP Lookups

https://www.dshield.org/ipinfo.html?ip=[$Source IP]

https://www.dshield.org/ipinfo.html?ip=[$Destination IP]
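The command strings above all follow the same pattern: a fixed lookup URL with one or more [$Field Name] tokens that ESM replaces with the selected event's values. The Python below is an added example, not ESM code and not part of the original article; it models that expansion so you can see what a token-substituted URL looks like before it is opened, percent-encodes each value so characters such as '/', ':' and spaces cannot alter the path or query of the URL, and refuses to build an IP-lookup URL when the substituted field does not hold a syntactically valid IP address (the selected value is handed to an external service, so checking it first is a sensible habit). The sample event, the `lookup.example` host, and the function names are constructed for the example; the token syntax and the IPVoid and Dshield command strings are the ones on the page.

```python
import re
import ipaddress
from urllib.parse import quote

# Constructed sample event (not from the page); field names follow the
# [$Field Name] token convention used in ESM command strings.
SAMPLE_EVENT = {
    "Source IP": "1.2.3.4",
    "Destination IP": "10.0.0.5",
    "First Time": "08/21/2016 15:30:14",
}

# A token is "[$" followed by the field name and a closing "]".
TOKEN_RE = re.compile(r"\[\$([^\]]+)\]")


def fields_used(template):
    """Return the field names referenced by a command-string template, in order."""
    return TOKEN_RE.findall(template)


def expand_command_string(template, event, encode=True):
    """Replace each [$Field] token with the event's value for that field.

    Values are percent-encoded (safe="") by default so characters such as
    '/', ':' and ' ' cannot change the path or query of the resulting URL.
    Raises KeyError if the template references a field the event lacks.
    """
    def substitute(match):
        name = match.group(1)
        if name not in event:
            raise KeyError(f"event has no field {name!r}")
        value = str(event[name])
        return quote(value, safe="") if encode else value

    return TOKEN_RE.sub(substitute, template)


def expand_ip_lookup(template, event):
    """Build an IP-lookup URL, or return None if any '... IP' field is missing
    or not a syntactically valid IPv4/IPv6 address, so a hostname, an empty
    value, or a malformed field is never sent to the external service."""
    for name in fields_used(template):
        if name.endswith(" IP"):
            try:
                ipaddress.ip_address(event[name])
            except (KeyError, ValueError):
                return None
    return expand_command_string(template, event)


if __name__ == "__main__":
    # Command strings from the article, expanded against the constructed event.
    for tmpl in (
        "http://www.ipvoid.com/scan/[$Source IP]/",
        "https://www.dshield.org/ipinfo.html?ip=[$Destination IP]",
    ):
        print(expand_ip_lookup(tmpl, SAMPLE_EVENT))
    # A timestamp field is percent-encoded so the URL stays well-formed.
    print(expand_command_string("https://lookup.example/?t=[$First Time]", SAMPLE_EVENT))
```

Running the block prints the two expanded lookup URLs followed by the encoded timestamp URL. The `encode=False` path reproduces a raw, unencoded substitution so the two behaviours can be compared side by side; in practice the encoded form is the one to rely on whenever a field may contain slashes, colons or spaces.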

What URL Actions have you found most useful in your enterprise?  Please share in the comments below.


Comments

These are some of the URL Actions I use:

Robtex.com Source IP:  https://www.robtex.com/ip/[$Source IP].html

Robtex.com Destination IP:  https://www.robtex.com/ip/[$Destination IP].html

MXtoolbox.com Source IP: http://mxtoolbox.com/SuperTool.aspx?action=mx:[$Source IP]&run=toolpage

MXtoolbox.com Destination IP: http://mxtoolbox.com/SuperTool.aspx?action=mx:[$Destination IP]&run=toolpage

Hi,

When executing remote commands via URL, is there a way to URL-encode the expanded field values? For example, if I expand [$First Time], it expands in this format "08/21/2016%2015:30:14" but it is not URL encoded. So how do I convert it to the encoded "08%2F21%2F2016%2015%3A30%3A14"?

thanks,

Dhiraj

Version history
Revision #: 1 of 1
Last update: 08-10-2014 09:10 PM
