In this post, I'm going to go through configuring custom Eternal Lookups. What External Lookups allow a user to do is to investigate external IP addresses and ranges utilizing external applications and lookups. StealthWatch already comes pre-configured with a few and allows an administrator to add their own.
The two default External Lookups that come pre-configured on StealthWatch are:
- DShield.org
- Cisco SenderBase
To use the External Lookup in the StealthWatch Client, right-click on an IP and navigate to External Lookup>Lookup-of-Choice
You can also use the StealthWatch Web app to use External Lookups in Flow Searches:
This can be used to research an IP and for investigative reasons. The External Lookup will allow StealthWatch to send data to any supported external application or database using a URL queries and it enables you to view additional information from the supported external application about a specific IP address. It can assist you in providing faster remediation from potential threats and access other resources from within StealthWatch with no need to change interfaces.
You would typically use this feature when investigating an IP address, network issues, and cyber threats in StealthWatch. StealthWatch supports adding vendors such as Splunk, Tripwire, Ziften, ISE, and various Cisco products to the External Lookups.
When setting up a new External Lookup, you have to make sure that StealthWatch is configured with the appropriate parameters to use the application form within StealthWatch. You can send internal and external IP information to these new External Lookups to gather more information on the host. You can also use scripts to add query parameters that do not not match the standard query parameters found in StealthWatch.
Some of the interesting ideas for setting up an external lookup might be to cross reference with ISE by IP, your SIEM like Splunk, AMP for Endpoints (it'll pull up the hosts that accessed that IP, files associated with it, etc), or even Shodan,io (Popular IoT search engine).
Setting up an External Lookup
When adding an External Lookup application, you must identify the parameters you wish to pass the external application and the associated attributes in StealthWatch.
In your SMC Web app, navigate to Tools>Settings>External Lookup Configuration and click the button for Add External Lookup
In the name field, you would name this external lookup. I would recommend naming it something as specific as possible so other users would understand what it is they're using. There's also a box to check if you would like to enable the sending of internal IPs to this lookup.
The Base URL query box is something you need to find out from the application itself. The easiest way to do this is to run a search on the external application. Base URL queries will be in two different formats for most applications and depends on how the external application uses and accepts requests for searches:
- The Default standard query
- The "Splunk" custom script
StealthWatch has a default standard query that sites like SenderBase, DShield, and Google Support likes format-wise. The Base URL contains that main part of the URL from the web search for an IP:
http://www.senderbase.org/lookup
The parameter from the base URL is moved to the parameter field. You can click the + sign to add as many parameters as you need as long as they match the parameters used by the application. Each "Parameter Name" must have a StealthWatch attribute associated with it. The available attributes are:
- Destination IP Address
- Destination Port No
- Host Name
- Source IP Address
- Source Port No
- Timestamp UTC
- Transport Protocol
- User
If you are using the default standard query, you won't need to select a URL Script Builder File to upload. Once you save the Lookup, a copy of the default will be created in a system with the file name of the lookup and shown automatically.
If the Base URL is non-standard, it will require getting a script file. Thankfully, StealthWatch has some pre-made ones for you. In order to access these, on the top of the page, go to the ? and click on StealthWatch Help. This will pull up the documentation for External Lookups. Expand Configure Parameters>URL and Script examples to use these pre-made scripts.
Using the script file and not the default, we would need to set it up a little differently:
- We would need to keep the parameter names in the Base URL and not remove it as with the Default script
The variables in the Base URL will be replaced with {0} {1} {2}... as per the script file
You can’t use the {0} {1} {2} as a Parameter Name. A parameter name is required for each replaced variable in the Base URL. Parameter names under “Query Parameter Mapping” can be anything but it’s recommended to be as descriptive as possible.
The last step is to browse the generic script file we downloaded from the help documentation and click Save.