I've been working on a VBScript to auto-update watchlists for a while now. I have finally cracked it and would like to share it with everyone.
It started out that I wanted to pull users from AD (disabled users) and monitor if they get enabled and logged into. I thought it must be simple enough to automate. Then realised that there was a limit of 32k using the methods enVision had out of the box.
The AutoUpdate script is separated into 2 parts. The first part does the AD lookups and outputs to a TXT file on the enVision appliance. The second part converts the TXT file into a .sql file and injects it into the Sybase DB.
The process has to be set up this way as the enVision box is separated and on its own domain.
I hope these help others out, let me know if you have any issues.
I would suggest converting these VBS scripts into EXEs and setting up a scheduled process to run them. That way account credentials aren't in plain text.
Make sure the accounts being used are service accounts that don't expire.
Nice work, I've done something very similar to that and as you indicate the tricky part is, since enVision does not contain a trust, extracting info and uploading in a secure manner. The load tool then can be applied in other methods such as leveraging other dynamically changing filter sets such as:
Is it possible to use the same for having dynamic watchlists? For example the source IP that triggers a rule for a port scan should automatically be added to a watchlist, which is being used for another rule to check connections to an Apache server. We can't use this source IP in the cache since I would want to check 'access' from this IP for maybe a month or two (slow and grow reconnaissance and access).
Would it be possible to use this tool for the same?
Thanks, I spent some time modifying the code and it's working great.
Do you know how to also update the watchlist COMMENT? It would be great to be able to include the time/date the list was updated by the script so it's visible in the enVision GUI.
One thing I found -- do NOT use a dash "-" in the input filename. iSQL doesn't like this, and its error message is not the clearest. Hopefully this saves someone else the 30 minutes of debugging I spent.
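As an added illustration of the second step described in the first post (turning the TXT export into a .sql file for iSQL), here is a small converter written in Python rather than VBScript; it is not the original poster's script. It assumes placeholder table and column names (the real enVision watchlist schema is not given in the thread), quotes each username so a value like o'brien cannot break the INSERT, and refuses output filenames containing a dash, the iSQL pitfall noted above.

```python
"""Convert a one-username-per-line TXT export into a .sql file for iSQL.
Added example, not the thread's own script. Table and column names are
placeholders; substitute the real enVision watchlist schema."""
import re
from pathlib import Path

# Hypothetical names: the actual watchlist table/column are not on the page.
WATCHLIST_TABLE = "WATCHLIST_TABLE_PLACEHOLDER"
VALUE_COLUMN = "VALUE_COLUMN_PLACEHOLDER"

# Constructed sample of what the AD lookup step might write out.
SAMPLE_TXT = "jsmith\r\n  adoe \r\n\r\no'brien\r\njsmith\r\nbad;name--\r\n"

# Conservative sAMAccountName charset; anything else is rejected, not loaded.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._'\-$]{1,64}$")

def parse_user_list(text):
    """Return (validated usernames in first-seen order, rejected lines).
    Trims whitespace, drops blanks, collapses case-insensitive duplicates."""
    seen, users, rejected = set(), [], []
    for raw in text.splitlines():
        name = raw.strip()
        if not name:
            continue
        if not USERNAME_RE.match(name):
            rejected.append(name)
        elif name.lower() not in seen:
            seen.add(name.lower())
            users.append(name)
    return users, rejected

def sql_literal(value):
    """Quote a SQL string literal, doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"

def build_sql(users, table=WATCHLIST_TABLE, column=VALUE_COLUMN):
    """Replace the whole list: clear the table, one INSERT per entry, COMMIT."""
    lines = [f"DELETE FROM {table};"]
    lines += [f"INSERT INTO {table} ({column}) VALUES ({sql_literal(u)});"
              for u in users]
    lines.append("COMMIT;")
    return "\n".join(lines) + "\n"

def safe_output_name(name):
    """Reject filenames containing '-', which the thread reports confuses iSQL."""
    if "-" in name:
        raise ValueError("do not use '-' in the iSQL input filename: " + name)
    return name

if __name__ == "__main__":
    users, rejected = parse_user_list(SAMPLE_TXT)
    Path(safe_output_name("watchlist_update.sql")).write_text(build_sql(users))
    print(f"wrote {len(users)} entries, rejected {rejected}")
```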