Hi
@s 3k,
Good point, but I would like to brainstorm here:
1) XForce is a good threat intelligence feed, but it might be that it classifies some websites incorrectly. That will mean you will end up scanning many systems even in just a few hours, because in normal situations end user computers go everywhere due to plugins, ads, etc.
2) If you are not using a Symantec API to initiate a scan, you would need credentials to remotely log in to systems, and thus require elevated privileges to start a scan (run a script on the computer). Not sure if Symantec has an API to initiate a scan.
------------------------------
Chinmay Kulkarni
------------------------------
Original Message:
Sent: Wed December 04, 2019 05:38 AM
From: s 3k
Subject: Custom action script and initiate an AV scan
Hi,
I want to use a custom action script to do some possible offensive actions. For example, if suspicious traffic towards a malicious IP (xforce) is detected by a rule, I want the rule's custom action to kickstart the script and initiate a Symantec scan on that machine.
Remotely we can log in to the shell of any computer and initiate a scan, provided a command line action is supported.
I want to extend that to QRadar as part of a custom action script. Has anyone any trials / lessons learned?
s@ntha
------------------------------
s 3k
------------------------------