IBM QRadar SOAR

Enhance SHELL actions for analyst 

Mon August 26, 2019 06:40 AM

Prerequisite: have the Utility Functions integration installed and configured (link to App Exchange).

Purpose: enhance the standard shell access by offering the analyst a multi-select choice of shell actions.

Changes:

- New rule "Shell Commands", currently limited to the artifact types IP and DNS. It uses a "Shell Command" activity field (below) that lets the analyst select the actions they want to run at once.
- New workflow "CVE Lookup", as a duplicate of the "Example: CVE Search" workflow, with changes in the post-process scripts.

Rule:

Workflow:

Currently the following commands are available: traceroute, nslookup, dig, whois, nmap.

The app.config needs to be adapted like this:

```ini
# local shell_command default commands (unix)
nslookup=nslookup "{{shell_param1}}"
dig=dig "{{shell_param1}}"
traceroute=traceroute -m 15 "{{shell_param1}}"
whois=whois "{{shell_param1}}"
nmap=nmap "{{shell_param1}}"
```

and the required packages have to be installed on the integration server that launches the shell. Here is my personal list, but check and verify it before using it!

```bash
# Install for Shell action: traceroute, whois, bind, nmap, nslookup
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/traceroute-2.0.22-2.el7.x86_64.rpm
sudo rpm -Uvh traceroute-2.0.22-2.el7.x86_64.rpm
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/whois-5.1.1-2.el7.x86_64.rpm
sudo rpm -Uvh whois-5.1.1-2.el7.x86_64.rpm
sudo yum install bind-utils
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/libpcap-1.5.3-11.el7.x86_64.rpm
sudo rpm -Uvh libpcap-1.5.3-11.el7.x86_64.rpm
wget http://mirror.ghettoforge.org/distributions/gf/el/7/plus/x86_64/nmap-ncat-7.10-1.gf.el7.x86_64.rpm
wget http://mirror.ghettoforge.org/distributions/gf/el/7/plus/x86_64//nmap-7.10-1.gf.el7.x86_64.rpm
sudo rpm -Uvh nmap-ncat-7.10-1.gf.el7.x86_64.rpm
sudo rpm -Uvh nmap-7.10-1.gf.el7.x86_64.rpm
```

Note that I recommend a dedicated integration server in a DMZ for integrations facing the internet like Shell, VirusTotal, Pipl etc.

Results are visible in notes, and the result status in the artifact description:

Attached is the res file to import this configuration. Feel free to use, change and adapt this code to your usage.

Building the res file:

```bash
resilient-circuits extract --workflow "shell" --rule "Shell Commands" -o config_SHELL.res --zip
```
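Because the templates above drop the artifact value into a double-quoted shell string, the rule's restriction to IP and DNS artifacts is worth enforcing in code before any command is rendered. The following Python is an added example, not part of the post or of the Utility Functions app: it parses the shell_command settings shown above, checks that the artifact value really is an IP address or hostname, and renders each command the analyst selected as an argv list instead of a shell line. The `[shell_command]` section header and all function names are assumptions.

```python
import configparser
import ipaddress
import re
import shlex

# Constructed copy of the post's shell_command settings ([shell_command] header assumed).
APP_CONFIG = """
[shell_command]
# local shell_command default commands (unix)
nslookup=nslookup "{{shell_param1}}"
dig=dig "{{shell_param1}}"
traceroute=traceroute -m 15 "{{shell_param1}}"
whois=whois "{{shell_param1}}"
nmap=nmap "{{shell_param1}}"
"""
PLACEHOLDER = "{{shell_param1}}"
# RFC 1123 style hostname: labels of letters, digits and inner hyphens only.
# A label cannot start with "-", so option-looking values are rejected as well.
HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.?$", re.I)

def load_commands(text):
    """Return {name: template} from the [shell_command] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["shell_command"])

def is_ip_or_dns(value):
    """True only for a literal IP address or a well-formed hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and bool(HOSTNAME_RE.match(value))

def build_argv(commands, name, artifact_value):
    """Render one template as an argv list, for subprocess.run(..., shell=False)."""
    # Tokenise the template first and replace the placeholder inside its own token,
    # so quotes, spaces or ';' in the artifact value can neither add arguments nor reach a shell.
    if name not in commands:
        raise ValueError("unknown shell command: %s" % name)
    if not is_ip_or_dns(artifact_value):
        raise ValueError("artifact value is not an IP address or DNS name")
    return [t.replace(PLACEHOLDER, artifact_value) for t in shlex.split(commands[name])]

def plan_actions(commands, selected, artifact_value):
    """One argv per command ticked in the multi-select activity field."""
    return {n: build_argv(commands, n, artifact_value) for n in selected}
```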

Attachment: config_SHELL.res.zip (zip file, 38 KB, 1 version), uploaded Mon August 26, 2019