This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2010-11-09 10:31 AM

AutoUpdate Watchlist

Ive been working on a VBscript to auto update watchlists for a while now. I have finally cracked it and would like to share it with everyone.

 

It started out that i wanted to pull users for AD (disabled users) and monitor if they get enabled and logged into. I thought must be simple enough to automate. Then relised that there was a limit of 32k using the methods Envision had out the box.

 

The AutoUpdate script is separated into 2 parts. The first part does the AD look ups and outputs to a TXT file on the Envision Appliance. The second part converts the TXT file into a .sql file and injects it into the Sybase DB.


The process has to be setup this way as the the Envision box is seporated and on its own domain.

 

I hope these help others out, let me know if you have any issues.

 

ConvertUpdate2.vbs
0 Likes
Reply
7 Replies
RSAAdmin
Beginner
Beginner
‎2010-11-09 10:32 AM

First Script to pull users

DisabledUsersPull1.vbs
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-11-09 10:34 AM

I would suggest converting these VBS into exe's and setting up a scheduled process to run them. That way account credentials aren't in plain txt.

 

Make sure the accounts being used are service accounts that don't expire.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-11-16 04:01 AM

Good to see this forum is as active as ever

0 Likes
Reply
DavidBruskin
Beginner
Beginner
In response to RSAAdmin
‎2010-12-01 11:45 PM

Nice work, I've done something very similer to that and as you indicate the tricky part is since enVision does not contain a trust, extracting info and uploading within a secure manner. The load tool then can be applied in other methods such as leveraging other dynamic changing filter sets such as:

 

Spam Cop

Dshield Trends

Team CYMRU

Malware Threat Center

Emerging Threats

DNSBL Lists

Shadow Server Foundation

 

Good stuff..

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to DavidBruskin
‎2010-12-08 04:02 AM

Wow a response. Im amazed lol. I thought i was the only person left on here. Its kinds like 28 days later on here.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-04-14 02:42 AM

Is it possible to use the same for having dynamic watchlists. For example the source ip that triggers a rule for a port scan should automatically be added to a watchlist, which is being used for another rule to check connections to an apache server. We cant use this source ip in the cache since i would want to check 'access' from this IP for maybe a month or two (slow and grow reconnaissance and access).

 

Would it be possible to use this tool for the same?

0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2011-08-17 11:32 AM

Thanks, I spent some time modifying the code and it's working great.

 

Do you know how to also update the watchlist COMMENT?  It would be great to be able to include the time/date the list was updated by the script so it's visible in the enVision GUI.

 

One thing I found -- do NOT use a dash "-" in the input filename.  iSQL doesn't like this, and it's error message is not the clearest. Hopefully this saves someone else the 30 minutes of debugging I spent :smileyhappy:

0 Likes
Reply
Related Topics
Watchlist AutoUpdate
© 2020 RSA Security LLC or its affiliates.
All rights reserved.