If you configure a Global Notification of type Script, the script may fail to execute even though the ESA rule fires.
In this case the root cause is hard to find, because no error message is produced for this condition.
There is a document on how to configure it ("Configure Script as a Notification" in the System Configuration Guide), but it does not cover everything you need.
To configure it successfully, consider the following:
1. You can use the "Default Script Template" as a starting point.
2. When you define the script, the UI pop-up shown below says "Script will be saved to /opt/rsa/esa/scripts", but since 11.3 the script is actually stored in MongoDB.
3. You must place the script under /tmp; otherwise the script will not execute.
4. In a bash script, you can use the syntax (echo $*) to receive all ESA parameters; the sample script output below shows what that produces.
# cat /tmp/bash_test.txt
Tue Dec 7 08:17:57 UTC 2021
{"id": "41a15340-bb5e-45f9-a049-e2b49f17dca3", "severity":3, "time": "2021-12-07T08:17:57Z", "module_name" : "CS support rule for Script", "events": [{"analysis_session" : ["request no payload", "response no payload", "ratio high transmitted", "host not listening", "zero payload", "session size 0-5k"], "attack_tactic" : "exfiltration", "attack_technique" : "data transfer size limits", "attack_tid" : "T1030", "capture_port" : "eth0", "com_rsa_netwitness_streams_arrival_sequence" : 11, "com_rsa_netwitness_streams_arrival_timestamp" : 1638865076236, "com_rsa_netwitness_streams_source_trail" : ["admin@192.168.26.105:50005"], "com_rsa_netwitness_streams_stream" : "c-s-support-sa-managed-stream", "community_id" : "1:xa3WM28Id5DyRYPnARWOx/BHJ3M=", "did" : "pkthybrid", "direction" : "lateral", "esa_time" : 1638865077237, "eth_dst" : "00:50:56:01:36:82", "eth_dst_vendor" : "VMware, Inc.", "eth_src" : "00:50:56:01:46:75", "eth_src_vendor" : "VMware, Inc.", "eth_type" : 2048, "event_source_id" : "192.168.26.105:50005:1292845", "feed_name" : ["investigation", "investigation", "investigation", "investigation", "investigation", "investigation"], "inv_category" : ["operations", "operations", "operations", "operations", "operations", "operations"], "inv_context" : ["event analysis", "protocol analysis", "event analysis", "protocol analysis", "event analysis", "protocol analysis", "event analysis", "protocol analysis", "event analysis", "protocol analysis", "event analysis", "protocol analysis"], "ip_dst" : "192.168.26.109", "ip_proto" : 6, "ip_src" : "192.168.26.105", "lifetime" : 0, "medium" : 1, "netname" : ["private src", "private dst"], "packets" : 2, "payload" : 0, "payload_req" : 0, "payload_res" : 0, "rid" : 1292844, "service" : 0, "sessionid" : 1292845, "size" : 134, "streams" : 2, "tcp_dstport" : 4505, "tcp_flags" : 22, "tcp_flags_desc" : "syn", "tcp_srcport" : 34108, "tcpflags" : "syn", "time" : 1638865011000}]}
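The bash notification script that steps 3 and 4 describe, as an added example (this is not the NetWitness Default Script Template): it appends the timestamp and the raw alert to the log exactly as the sample output shows, then pulls the rule name, severity, endpoints and ATT&CK technique id out of the alert JSON with grep/sed so nothing beyond coreutils is needed on the ESA host. The esa_field helper, the log path variable and the trimmed sample alert (taken from the output above) are this example's own assumptions, not part of the original page.

```bash
#!/bin/bash
# Added example of an ESA script-notification handler; not the NetWitness "Default Script Template".
# Assumptions: the script file itself is saved under /tmp (otherwise ESA will not run it), ESA passes
# the alert JSON as the script's arguments, and the log path below is our own choice.
LOG_FILE="${ESA_LOG_FILE:-/tmp/bash_test.txt}"

# Constructed sample: a trimmed copy of the alert shown in the sample output above.
ESA_SAMPLE_ALERT='{"id": "41a15340-bb5e-45f9-a049-e2b49f17dca3", "severity":3, "time": "2021-12-07T08:17:57Z", "module_name" : "CS support rule for Script", "events": [{"attack_tactic" : "exfiltration", "attack_tid" : "T1030", "ip_dst" : "192.168.26.109", "ip_src" : "192.168.26.105", "tcp_dstport" : 4505, "time" : 1638865011000}]}'

# esa_field ALERT_JSON KEY: print the value of a string or numeric field.
# Uses only grep/sed so the handler has no dependency on jq or python on the ESA host.
# The first match wins, so a top-level key such as "time" is preferred over the same key nested in "events".
esa_field() {
    printf '%s' "$1" \
        | grep -o "\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}[^\",}]*" \
        | head -n 1 \
        | sed 's/^"[^"]*"[[:space:]]*:[[:space:]]*"\{0,1\}//'
}

# esa_handle_alert LOG_FILE ARGS...: append the timestamp and the raw alert to the log
# (the same two lines "date; echo $*" produce in the sample output), then print a
# one-line summary on stdout for forwarding to a SIEM or ticketing system.
esa_handle_alert() {
    log="$1"
    shift
    alert="$*"
    {
        date -u
        printf '%s\n' "$alert"
    } >> "$log"
    printf 'rule=%s severity=%s src=%s dst=%s technique=%s\n' \
        "$(esa_field "$alert" module_name)" \
        "$(esa_field "$alert" severity)" \
        "$(esa_field "$alert" ip_src)" \
        "$(esa_field "$alert" ip_dst)" \
        "$(esa_field "$alert" attack_tid)"
}

# ESA invokes the script with the alert as its arguments; with no arguments
# (for example when the file is sourced for testing) nothing is written.
if [ "$#" -gt 0 ]; then
    esa_handle_alert "$LOG_FILE" "$@"
fi
```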