More Integration Examples

To experiment with building integration commands, you need one command and one configuration. Create the commands first because the configuration references the commands.

The configuration also defines how command results are rendered, and references contexts where your new Integration Commands appear in the ArcSight Console right-click menus (for example, Viewers, Resource Panel, Editors, and more specifics within those contexts).

To define targets (remote servers where commands run), add them to the configuration.

Here are examples of how to set up a command to do a Google Search on a selected cell in the ArcSight Console, and how to set up commands that use Google Maps to locate a target and an attacker. The examples do not require a “target,” so just set up a command, add it to a configuration, and run it. The details of this and other types of commands and configurations are discussed further in the topics that follow.

To add a command for Google Search:

  1. Start by getting the format of the Google search. Do a Google Search in a Web browser. Copy the first part of the URL (everything before or to the left of the search term) from the Address bar, so you have it on your clipboard. (You paste it into the Parameters dialog in a later step.)

  2. In the ArcSight Console Navigator panel, select the Integration Commands resource from the drop-down menu and click the Commands tab.

  3. Right-click the group (folder) where you want to create the command and select New Command.

  4. On the Commands Editor, fill in these attributes:

  5. Set up the configuration and add the command to it:

    1. Click the Configurations tab.

    2. Right-click a group and select New Configuration.

    3. On the Configurations Editor, select URL as the configuration Type, and set these attributes:

      • For Name, provide a user-friendly name.

      • The output is rendered in the preferred Web browser specified during Console installation.

    4. Click the Context tab. This sets where in the ArcSight Console the command is available. Click Add to get a set of context fields, then click into each field to select a location, type, selection, and data type. (You can add multiple contexts by clicking Add again.) Add one context to show in the Viewer in all “views” and to take the selected cell as the “selection”:

      Location   Type        Selection       Data Type
      Viewer     All Views   Selected Cell   All Data Types

      When the search command is deployed as part of this configuration, and run using a right-click command in the context of the ArcSight Console, it searches on the text in the “cell” (Viewer table cell) the user selects in the ArcSight Console.

    5. Add the command to the configuration. On the Configuration Editor, click Commands. Click Add to get the command selector, select your Google Search command, and click OK.

    6. Click Apply or OK on the Configurations Editor to save the configuration.

  6. Run the Search command you just built:

    1. Open any active channel, list, data monitor, or query viewer with a table style view.

    2. Right-click any cell in the Viewer that contains a term you would like to search on, and select Integration Commands > Google Search (or whatever you named the command).

      The command runs a search using the text from the selected cell as the search term, and returns search hits in your preferred browser.

To add a command for Google Maps:

Use the same basic steps as in the previous Google Search example to integrate a command named Google Maps. This Google Maps example lets you pass the GeoLatitude and GeoLongitude to locate, for example, an attacker and a target. Refer to the following information as a guide for the URLs in your integration command.

Command    URL and attribute
Attacker   http://maps.google.com/maps?q=${attackerGeoLatitude},${attackerGeoLongitude}
Target     http://maps.google.com/maps?q=${targetGeoLatitude},${targetGeoLongitude}
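
An added example, not part of the original documentation and not ArcSight code: a stand-alone Python previewer that shows what the two Google Maps URL templates above expand to for a given event, so you can check a template before deploying it. The placeholder pattern, the percent-encoding, and the coordinate range check are assumptions about sensible handling of event data, not a description of how the Console performs substitution; the sample event is constructed.

```python
import re
from urllib.parse import quote

# URL templates copied from the Google Maps table above.
TEMPLATES = {
    "Attacker": "http://maps.google.com/maps?q=${attackerGeoLatitude},${attackerGeoLongitude}",
    "Target": "http://maps.google.com/maps?q=${targetGeoLatitude},${targetGeoLongitude}",
}

# Assumed placeholder syntax: ${fieldName}
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def placeholders(template):
    """Return the field names a template references, in order."""
    return PLACEHOLDER.findall(template)


def check_coordinate(name, value):
    """Reject values that are not plausible coordinates (assumed rule)."""
    number = float(value)  # raises ValueError on non-numeric event data
    limit = 90.0 if name.endswith("Latitude") else 180.0
    if not -limit <= number <= limit:
        raise ValueError(f"{name}={value} is out of range")


def expand(template, event):
    """Substitute each ${field} with the percent-encoded event value."""
    missing = [n for n in placeholders(template) if n not in event]
    if missing:
        raise KeyError(f"event lacks fields: {', '.join(missing)}")

    def substitute(match):
        name = match.group(1)
        value = str(event[name])
        if name.endswith(("Latitude", "Longitude")):
            check_coordinate(name, value)
        # Encode everything so event data cannot add query parameters.
        return quote(value, safe="")

    return PLACEHOLDER.sub(substitute, template)


# Constructed sample event; the target longitude is deliberately absent.
SAMPLE_EVENT = {"attackerGeoLatitude": "48.8566",
                "attackerGeoLongitude": "2.3522",
                "targetGeoLatitude": "40.7128"}

if __name__ == "__main__":
    print(expand(TEMPLATES["Attacker"], SAMPLE_EVENT))
```

The Target template raises `KeyError` for this sample event because `targetGeoLongitude` is absent, which is the case to look for when an event has no geo data for one side.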