
launching urls from execute remote command

Hi,

I saw this document that describes steps for launching external URLs.

On trying this, one challenge in passing fields such as [$Last Time] is that it puts values in the URL that are not URL-encoded. Is there any macro supported to URL-encode the expanded field value? (For example, [$Last Time] should be URL-encoded from "08/21/2016%2015:30:14" to "08%2F21%2F2016%2015%3A30%3A14".)

thanks,

Dhiraj

5 Replies
yd9038
Level 9
Message 2 of 6

Re: launching urls from execute remote command

Dhiraj,

I understand what you are trying to do but I don't understand why you are trying to add the Last Time field to URL Actions. Can you please share your use case idea with us?


Re: launching urls from execute remote command

I am building an integration use case that takes the IP and time from the selected alert, and provides additional activity / context on that IP from my product that happened around the time range of the selected alert.

Alternately, is it possible to pass the epoch value instead of human-readable time value?

thanks.
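The two pieces the original poster asks for above, percent-encoding of an expanded field such as [$Last Time] and an epoch form of the same timestamp for a time-window lookup, shown as an added example that is not part of this thread or of the ESM product. The template syntax `[$Field]`, the `Source IP` field name, the MM/DD/YYYY HH:MM:SS layout, the receiver time zone (assumed UTC) and the `context.example` URL are assumptions for illustration.

```python
import re
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample of the fields an alert would expose to a URL action.
# "Last Time" uses the layout seen in the thread; "Source IP" is assumed.
SAMPLE_ALERT = {
    "Source IP": "10.1.2.3",
    "Last Time": "08/21/2016 15:30:14",
}

ESM_TIME_FORMAT = "%m/%d/%Y %H:%M:%S"      # assumed human-readable layout
PLACEHOLDER = re.compile(r"\[\$([^\]]+)\]")  # matches [$Last Time] style tokens


def url_encode_field(value: str) -> str:
    """Percent-encode a field value for safe use inside a query string.
    safe="" also encodes '/' and ':', giving the form quoted in the thread."""
    return quote(value, safe="")


def esm_time_to_epoch_millis(value: str, tz=timezone.utc) -> int:
    """Convert the human-readable time to epoch milliseconds.
    The receiver's time zone is not known here; UTC is an assumption."""
    dt = datetime.strptime(value, ESM_TIME_FORMAT).replace(tzinfo=tz)
    return int(dt.timestamp() * 1000)


def expand_template(template: str, fields: dict) -> str:
    """Replace every [$Field] token with the percent-encoded field value.
    An unknown field raises, so a mistyped token is caught instead of being
    sent to the remote system as a literal '[$...]'."""
    def repl(match):
        name = match.group(1)
        if name not in fields:
            raise KeyError(f"unknown field in URL action template: {name}")
        return url_encode_field(fields[name])
    return PLACEHOLDER.sub(repl, template)


def build_context_url(base: str, fields: dict, window_minutes: int = 60) -> str:
    """Build the lookup URL: encoded IP and time, plus an epoch window
    of +/- window_minutes around Last Time for the context query."""
    center = esm_time_to_epoch_millis(fields["Last Time"])
    delta = window_minutes * 60 * 1000
    query = expand_template("ip=[$Source IP]&t=[$Last Time]", fields)
    return f"{base}?{query}&start={center - delta}&end={center + delta}"
```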

yd9038
Level 9
Message 4 of 6

Re: launching urls from execute remote command

I wonder if you can use a correlation rule for that.

The alert that you have can append the IP address to a watchlist, and you then use that watchlist in a correlation rule with a time window parameter defined. So, if the SIEM receives an event with an IP in the watchlist from your host within the next hour or so (time window parameter) the correlation will generate an event. 

For the epoch part, I’m not sure about that as it’s already parsed to a human-readable date/time by the receiver. I wonder if you can create a “Time” custom type field in addition to the built-in "first/last time" fields, and use that custom field to parse the epoch value. This is just a theory and I can’t tell whether it works or not w/o testing it.

Re: launching urls from execute remote command

This is for a manual, user-driven action on the GUI on the selected alert, to pull in additional context on demand in a separate browser tab. So I think the right solution would be that I add a Custom Type with the time datatype, and set its format to epoch millis, as in the attached screenshot (Screen Shot 2016-10-13 at 2.57.41 PM.png).

But to be able to go with this solution, I need steps on how to copy First Time's value into this new field for every single event across all receivers. The field doesn't need to be indexed but needs to be accessible for launching action commands. Can anyone point to steps on how to achieve this? This is probably a newbie question!

thanks

Dhiraj

yd9038
Level 9
Message 6 of 6

Re: launching urls from execute remote command

What you did actually looks good, but I'm not sure if that's really going to parse the time stamp in epoch format the way you wanted. You can test it and see how it goes.

And if it works, do you really want to enable this for every single event across all receivers?

You will then need to make the same change in all enabled ASP parser rules for all device types, save them and roll out the policies.
