Automated response Using ArcSight CounterAct Connector

Document created by anwarrhce on Mar 8, 2016Last modified by anwarrhce on Mar 9, 2016

I recently got a request from a client to see ArcSight's capability with respect to Automated Response (Smart Response).

The client wanted to see that, if a certain condition matches, ArcSight can disable an AD account. I used the ArcSight CounterAct connector (formerly known as the Action Connector) to achieve this. Similarly, blocking an IP/port on a firewall (PAN-OS, FortiOS or Cisco IOS) can be done, provided the device supports SSH for remote login, which they all do.

There are a number of ways to do it for AD:

Option 1:

Install the Action Connector on the Active Directory server itself. Below is the content of ActionConn.counteract.properties (the action connector's command definition file, located in the flexagent directory):

command.count=1
command[0].name=disableaduser
command[0].displayname=Disable_ADUser
command[0].parameter.count=1
command[0].parameter[0].name=disableaduser
command[0].parameter[0].displayname=Disable_ADUser
command[0].action=C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe Disable-ADAccount -Identity ${disableaduser}

Once you start the connector, this command appears in the list of connector commands. You can then create a rule with an action that executes the connector command, passing a variable in the value field as the account to disable.

Option 2:

Install the Action Connector on any connector server. Below is the content of ActionConn.counteract.properties (located in the flexagent directory) for this variant:

command.count=1
command[0].name=disableaduser
command[0].displayname=Disable_ADUser
command[0].parameter.count=1
command[0].parameter[0].name=disableaduser
command[0].parameter[0].displayname=Disable_ADUser
command[0].action=psexec \\\\system1.example.com -u DOMAIN\\USERNAME -p PASSWORD C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe Disable-ADAccount -Identity ${disableaduser}

I used the psexec utility here to do this remotely; however, there are multiple ways to do it, even using PowerShell remoting capabilities. I didn't explore the other options much, but if I dig further into this I would love to replace psexec with some other reliable option. Option 2 may or may not work, as I also faced issues. If you get time, explore PowerShell. Option 1 will work for sure.
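Both options above hand the raw event field straight to Disable-ADAccount on the command line, and Option 2 additionally keeps a domain password in the properties file. As an added example (not from the original post and not ArcSight's own code), the script below is one way to wrap the same action so the connector calls a script instead of an inline cmdlet: it validates the identity as a sAMAccountName before it reaches AD, refuses a configurable list of protected accounts and anything in Domain Admins, writes an audit entry, and can run the change on a remote host over PowerShell remoting (WinRM) under the connector's own Kerberos identity, so no password needs to be stored. The script name, the protected-account list, the event-log source name and the Domain Admins group check are assumptions; the host that runs the change needs the ActiveDirectory module (RSAT), and creating the event-log source needs local administrator rights once.

```powershell
# Disable-ADUserFromArcSight.ps1 (hypothetical script name; added example, not from the page or ArcSight).
# Invoked from ActionConn.counteract.properties with an action such as:
#   powershell.exe -ExecutionPolicy Bypass -File C:\ArcSight\scripts\Disable-ADUserFromArcSight.ps1 -Identity ${disableaduser}
# Requires the ActiveDirectory module (RSAT) on the host that executes the change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # sAMAccountName passed by the connector command (the ${disableaduser} variable)
    [Parameter(Mandatory = $true)]
    [string]$Identity,

    # Optional: run the change on a domain controller or management host over WinRM instead of
    # psexec. Uses the caller's Kerberos identity, so no password is stored in the properties file.
    [string]$ComputerName,

    # Accounts that must never be disabled automatically (constructed list; adjust per environment)
    [string[]]$Protected = @('Administrator', 'krbtgt', 'svc-arcsight')
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Validate the input before it reaches AD: a sAMAccountName is at most 20 characters and
#    cannot contain these characters, so unexpected event-field content is rejected up front.
if ($Identity.Length -gt 20 -or $Identity -match '[\\/\[\]:;|=,+*?<>"@\s]') {
    throw "Rejected identity '$Identity': not a valid sAMAccountName"
}

# 2. Refuse to touch protected accounts (break-glass, service, or otherwise critical).
if ($Protected -contains $Identity) {
    throw "Rejected identity '$Identity': listed as protected"
}

# The actual change, as a script block so it can run locally or via Invoke-Command.
$disable = {
    param($Name)
    $user = Get-ADUser -Identity $Name -Properties Enabled, MemberOf -ErrorAction Stop
    # Group check by DN prefix is an assumption; adjust for your forest naming.
    if ($user.MemberOf -match '^CN=Domain Admins,') {
        throw "Rejected identity '$Name': member of Domain Admins"
    }
    if (-not $user.Enabled) {
        return "Account '$Name' was already disabled"
    }
    Disable-ADAccount -Identity $user
    return "Disabled account '$Name' ($($user.DistinguishedName))"
}

if ($PSCmdlet.ShouldProcess($Identity, 'Disable AD account')) {
    if ($ComputerName) {
        $result = Invoke-Command -ComputerName $ComputerName -ScriptBlock $disable -ArgumentList $Identity
    } else {
        $result = & $disable $Identity
    }

    # 3. Leave an audit trail on the host that ran the action (event source name is an assumption).
    if (-not [System.Diagnostics.EventLog]::SourceExists('ArcSightResponse')) {
        New-EventLog -LogName Application -Source 'ArcSightResponse'
    }
    Write-EventLog -LogName Application -Source 'ArcSightResponse' -EventId 1001 `
        -EntryType Warning -Message "$result (requested by ArcSight rule action)"
    Write-Output $result
}
```

Run it once by hand with -WhatIf to confirm the lookup and the protected-account checks behave as expected before wiring it into the connector command; the event-log entry gives the SOC a local record of every automated disable that can be correlated back to the ArcSight rule that fired it.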

Anwar
