Run Command Output Action
I was surprised by how the "Run Command" output action is designed. The content of the alert, rather than being passed in on the standard input, is passed in as a program argument. And it's not even that, it's passed in as-is, so instead of a single argument with the content, you get 300+ arguments that you have to concatenate together.
This is a bug, right? Is there a way to modify this behaviour?
Actually, I did not understand the question correctly. “The content of the alert, rather than being passed in on the standard input, is passed in as a program argument.” What is meant by passing it through standard input vs. as a program argument?
Explanation of the Run Command output action
In the Run Command output action, variables are passed as command-line parameters. These variables are based on the output action template.
Currently we have around 50 variables in the output action template. The user can choose these variables. The user can also choose the format, the field delimiter (between variables) and the value delimiter.
For example, if the alert message has Source IP 10.1.1.1 and Destination IP 18.104.22.168,
and the user chooses Source IP and Destination IP in the output action template with the field delimiter as TAB,
then the Run Command OA will have
Source IP=10.1.1.1<TAB>Destination IP=22.214.171.124 as four Run Command parameters, as they are separated by a space (within the variable names) and a TAB.
But if the field delimiter is a comma,
then it will be
Source IP=10.1.1.1,Destination IP=126.96.36.199 as two parameters, as there are spaces between the variables.
But what if there are spaces in the value, for example if the Message Text is used among the variables?
If the value delimiter is NONE, then it would be like
Message Text =%NICWIN-4-Security_540_Security: Security rn 298043 cid 0x00000002 eid 0x0000021c Wed Mar 24 13:40:02 2010 540 Security ENV370J/master Success Audit RSAJHFVM1 Logon/Logoff Successful Network Logon: User Name: master Domain: ENV370J Logon ID: (0x0 0x66E495) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: ENV370J-ES Logon GUID: - (with no space between the variables).
So there are a lot of spaces in this, but if the value delimiter is chosen as SINGLE QUOTES, then the value would start and end with the delimiter, and the output would be
Message Text ='%NICWIN-4-Security_540_Security: Security rn 298043 cid 0x00000002 eid 0x0000021c Wed Mar 24 13:40:02 2010 540 Security ENV370J/master Success Audit RSAJHFVM1 Logon/Logoff Successful Network Logon: User Name: master Domain: ENV370J Logon ID: (0x0 0x66E495) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: ENV370J-ES Logon GUID: -'
So the parameters depend upon the configuration. Though we do not have control over the variable names, for values we can use value delimiters, and between different variables we can use the "," delimiter.
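The script below is an added example, not enVision code and not something posted in this thread. It reproduces the behaviour described in the explanation above from the receiving script's side: it renders the template string for the configurations mentioned (TAB or "," as field delimiter, NONE or SINGLE QUOTES as value delimiter), splits that string the way a Windows command line would, and then reassembles argv back into name/value pairs. It assumes word splitting follows the CommandLineToArgvW rules in simplified form (space and TAB separate arguments, double quotes group words and are stripped, single quotes are ordinary characters, backslash escaping is ignored); the alert values are constructed from the illustration above and shortened; the function names are my own.

```python
"""Receiving-script view of the Run Command output action's parameters.

Added example, not enVision code. Assumption: the rendered template string is
word-split the way a Windows command line (CommandLineToArgvW) does it, in a
simplified form: space and TAB separate arguments, double quotes group words
and are stripped, single quotes are ordinary characters, backslash escaping
is ignored.
"""
import re
import sys

# Constructed sample values, shortened from the thread's illustration.
MESSAGE = ("%NICWIN-4-Security_540_Security: Security rn 298043 "
           "Logon Type: 3 Logon Process: NtLmSsp Workstation Name: ENV370J-ES")
ALERT = [
    ("Source IP", "10.1.1.1"),
    ("Destination IP", "18.104.22.168"),
    ("Message Text", MESSAGE),
]


def render_template(fields, field_delim, value_delim=""):
    """Build the string the output action template produces: each selected
    variable as Name=<value_delim>value<value_delim>, joined by field_delim."""
    return field_delim.join(f"{name}={value_delim}{value}{value_delim}"
                            for name, value in fields)


def windows_argv(command_line):
    """Simplified CommandLineToArgvW word splitting (see module docstring)."""
    args, current, in_quotes, have_token = [], [], False, False
    for ch in command_line:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True          # "" still yields an (empty) argument
        elif ch in " \t" and not in_quotes:
            if have_token:
                args.append("".join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
    if have_token:
        args.append("".join(current))
    return args


def parse_fields(argv, field_delim=",", value_delim="'"):
    """Rejoin argv with single spaces (the splitter already discarded whether a
    gap was a space, several spaces or a TAB) and recover Name=value pairs
    using the template delimiters. A whitespace field delimiter cannot be told
    apart from the spaces inside names and values, so it is refused."""
    if not field_delim or field_delim.isspace():
        raise ValueError("field delimiter must be a non-whitespace character")
    joined = " ".join(argv)
    fd, vd = re.escape(field_delim), re.escape(value_delim)
    if value_delim:
        pattern = rf"(?:^|{fd})([^{fd}=]+)={vd}([^{vd}]*){vd}(?={fd}|$)"
    else:
        pattern = rf"(?:^|{fd})([^{fd}=]+)=([^{fd}]*)(?={fd}|$)"
    return dict(re.findall(pattern, joined))


def unsafe_fields(fields, field_delim, value_delim=""):
    """Names of variables whose value contains the character parse_fields relies
    on (the value delimiter, or the field delimiter when none is set); such a
    value cannot be recovered unambiguously."""
    sentinel = value_delim or field_delim
    return [name for name, value in fields if sentinel in value]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Invoked by the output action: reassemble whatever argv we were given.
        for name, value in parse_fields(sys.argv[1:]).items():
            print(f"{name!r}: {value!r}")
    else:
        # Demonstration of how many arguments each configuration produces.
        for fd_, vd_ in (("\t", ""), (",", ""), (",", "'")):
            argv = windows_argv(render_template(ALERT, fd_, vd_))
            print(f"field={fd_!r} value={vd_!r}: {len(argv)} arguments")
```

Under these rules the single-quote delimiter is only a marker the receiving script looks for: on a Windows command line it neither groups words nor stops splitting, so a Message Text value still arrives as many arguments and must be rejoined first. The reassembly only works when the field delimiter is a non-whitespace character (parse_fields refuses TAB, since after splitting a TAB is indistinguishable from the spaces inside names and values) and when no value contains the value delimiter itself; unsafe_fields flags variables for which a given configuration cannot be parsed back unambiguously.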
If you're not a software engineer then that question probably won't make any sense to you. The best way to pass data into a program is through standard input. The best way to pass options to a program is on the command line. enVision is passing the contents of the alert (the data) as options to the program. This is not wrong, exactly, but it's not the right way to do it.
Even so, it would help to pass the content of the alert as a single parameter to the command (or script), instead of as multiple parameters. I'm going to assume whoever implemented that for RSA just exec'd cmd.exe and passed it the whole string as-is.
Thanks for the reply.