Custom ESA email template with raw event payload

SalSanshez
2016-09-30 02:34 AM

A customer asked me to recreate the specifically formatted email alert templates they had been getting from Trustwave. I put together the script below with the help of the following two solutions:

Report for ESA's Triggered Alerts with Raw Events (Halim)
https://inside.emc.com/docs/DOC-134577

000031690 - How to send customized subjects in an RSA Security Analytics ESA alert email
https://community.rsa.com/docs/DOC-45491

Here is the final script:

  1. In the Security Analytics Web Interface, navigate to Administration -> System -> Global Notification -> Output.
  2. Create a new ESA Script containing the text below.

#!/usr/bin/env python
# ESA script: dump the alert, pull the raw log of each constituent event from the
# Concentrator's REST API, and email the result in the Trustwave-style layout.
from smtplib import SMTP
import base64
import datetime
import email.utils
import json
import sys
import re        # regular expressions
import urllib2   # for querying the Concentrator's REST API
import time
import io

ALERT_FILE = '/tmp/esa_alert.json'      # alert JSON as handed to the script by ESA
RAWLOG_FILE = '/tmp/esasyslogtest.log'  # raw logs collected for the message body


def dispatch(alert):
    """
    The default dispatch just prints the 'last' alert to /tmp/esa_alert.json. Alert details
    are available in the Python hash passed to this method e.g. alert['id'], alert['severity'],
    alert['module_name'], alert['events'][0], etc.
    These can be used to implement the external integration required.
    """
    with open(ALERT_FILE, mode='w') as alert_file:
        alert_file.write(json.dumps(alert, indent=True))  # one key per line; getrawlogs() relies on that


# function to get the raw logs from the session IDs
def getrawlogs():
    with open(RAWLOG_FILE, 'w') as f:  # open and truncate the file, start fresh
        for line in open(ALERT_FILE):  # meta related to the triggered alert, one key per line
            if "sessionid" in line:  # each line carrying the session ID of a constituent event
                sid = re.search(r'(\d+)', line)  # keep only the numeric session ID, drop all text
                if sid is None:
                    continue
                rawlog = querycon(sid.group())  # query the Concentrator for this session's raw log
                rawlog = rawlog.replace("\n", "")  # do some cleaning
                f.write(rawlog + "\n")  # one raw event per line


# function that returns the raw log message for a session ID by querying the Concentrator's REST API
def querycon(sid):
    cip = '1.2.3.4'   # Concentrator's IP (change to yours)
    rport = '50105'   # REST port
    # Basic auth header: the account and password are only base64-encoded, and this
    # request goes over plain http, so a read-only service account is the sensible choice
    userData = "Basic " + base64.b64encode("saservice:netwitness")
    req = urllib2.Request('http://' + cip + ':' + rport + '/sdk/packets?render=logs&sessions=' + sid)  # build the query
    req.add_header('Authorization', userData)  # add the authentication header
    raw = urllib2.urlopen(req)  # make the request
    return raw.read()  # return the raw log


def read():
    # Parameters
    sa_server = '1.2.3.5'   # SA Server IP (referenced in the notes below; not used by the mail logic itself)
    brokerid = '35'         # Broker device ID (likewise)
    smtp_server = 'smtp.world.so'
    smtp_port = 25
    smtp_user = ''
    smtp_pass = ''
    from_addr = "LogAll <LogAll@so.com>"
    to_addr = ['sal.sa@so.com']

    # Get data from JSON
    esa_alert = json.loads(open(ALERT_FILE).read())
    # Extract variables (add as required); any missing meta falls back to "null"
    module_name = esa_alert.get("module_name", "null")
    first_event = (esa_alert.get("events") or [{}])[0]
    sig_type = first_event.get("sig_type", "null")
    event_desc = first_event.get("event_desc", "null")
    sensor = first_event.get("sensor", "null")
    ip_src = first_event.get("ip_src", "null")
    ip_dst = first_event.get("ip_dst", "null")

    # Raw logs collected by getrawlogs(); the open itself is what can raise IOError
    raw_event = ''
    try:
        with io.open(RAWLOG_FILE) as f:
            raw_event = f.read()
    except IOError:
        pass  # no raw logs collected; still send the alert meta

    date = datetime.datetime.now().strftime("%d/%m/%Y %H:%M")
    subj = "%s :: %s :: %s :: %s" % (module_name, date, sig_type, ip_src)
    message_text = ("Alert Name: \t\t%s\n" % module_name +
                    "Date/Time: \t\t\t%s\n" % date +
                    "IDS Signature: \t\t%s\n" % sig_type +
                    "IDS Alert Detail: \t%s\n" % event_desc +
                    "Sensor: \t\t\t%s\n" % sensor +
                    "Source IP: \t\t\t%s\n" % ip_src +
                    "Target IP: \t\t\t%s\n" % ip_dst +
                    "\n" +
                    "Raw Event: \n" +
                    "\n" +
                    raw_event)

    # Headers: To: must be a comma-separated string (not the Python list) and Date: an RFC 2822 date
    msg = "From: %s\nTo: %s\nSubject: %s\nDate: %s\n\n%s\n" % (
        from_addr, ", ".join(to_addr), subj, email.utils.formatdate(localtime=True), message_text)

    # Send the email
    smtp = SMTP()
    smtp.set_debuglevel(0)
    smtp.connect(smtp_server, smtp_port)
    if smtp_user:
        smtp.login(smtp_user, smtp_pass)
    smtp.sendmail(from_addr, to_addr, msg)
    smtp.quit()


if __name__ == "__main__":
    dispatch(json.loads(sys.argv[1]))
    getrawlogs()  # add the raw logs of the constituent events to the message
    time.sleep(1)
    read()
    sys.exit(0)

  1. Note: the indentation in the script above is very important.
  2. Change the line sa_server = to reflect the IP address of your SA Server.
  3. Change the line brokerid = '35' to reflect the device ID of your SA Broker.
  4. Change the line smtp_server = to be the IP address of your SMTP server.
  5. Change the from_addr and to_addr lines as applicable to your environment.
  6. Go to the Global Notifications -> Servers tab and define a Script Server (accept the default values).
  7. Under Alerts -> Configure, make sure that the rule for which you wish to use the script has the notification type set to Script, as shown below. (Adjust Output Suppression as desired.)
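As an added example (not the author's script), the same alert-to-email step written for Python 3: it reads the session IDs from the alert structure instead of grepping the JSON dump, takes the Concentrator query as a function argument (a stub here, so it runs offline), and collapses event meta to one line before it goes into the Subject, since sig_type and the other fields come straight from log content. All names and sample values are constructed.

```python
import datetime
from email.message import EmailMessage

# Constructed sample of the alert structure ESA hands to the script (shape only; values are made up).
SAMPLE_ALERT = {"module_name": "IDS Alert Seen", "events": [
    {"sessionid": 12345, "sig_type": "ET POLICY Test\r\nBcc: someone@example.invalid",
     "event_desc": "Test alert detail", "sensor": "ids-01", "ip_src": "10.0.0.5", "ip_dst": "10.0.0.9"},
    {"sessionid": 12346, "sig_type": "ET POLICY Test", "sensor": "ids-01",
     "ip_src": "10.0.0.5", "ip_dst": "10.0.0.9"}]}
FIELDS = ("sig_type", "event_desc", "sensor", "ip_src", "ip_dst")

def session_ids(alert):
    """Session IDs of the constituent events, taken from the structure instead of grepping the dump."""
    return [ev["sessionid"] for ev in alert.get("events", []) if "sessionid" in ev]

def one_line(value):
    """Collapse log-derived meta to a single line before it goes into a mail header."""
    return " ".join(str(value).split())

def build_email(alert, fetch_raw, from_addr, to_addrs, when=None):
    """Build the Trustwave-style message. fetch_raw(sessionid) -> raw log text; the caller
    supplies it (in the script above that is the Concentrator /sdk/packets?render=logs query)."""
    ev = (alert.get("events") or [{}])[0]
    meta = {k: ev.get(k, "null") for k in FIELDS}
    module_name = alert.get("module_name", "null")
    date = (when or datetime.datetime.now()).strftime("%d/%m/%Y %H:%M")
    # one raw event per line, embedded newlines stripped as the original script does
    raw = "".join(fetch_raw(sid).replace("\n", "") + "\n" for sid in session_ids(alert))
    body = ("Alert Name: \t\t%s\nDate/Time: \t\t\t%s\nIDS Signature: \t\t%s\n"
            "IDS Alert Detail: \t%s\nSensor: \t\t\t%s\nSource IP: \t\t\t%s\n"
            "Target IP: \t\t\t%s\n\nRaw Event: \n\n%s") % (
        module_name, date, meta["sig_type"], meta["event_desc"], meta["sensor"],
        meta["ip_src"], meta["ip_dst"], raw)
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = ", ".join(to_addrs)  # a bare list would be rendered as "['...']"
    msg["Subject"] = " :: ".join(one_line(v) for v in (module_name, date, meta["sig_type"], meta["ip_src"]))
    msg.set_content(body)
    return msg

def demo():
    """Run the builder on the constructed sample with a stub fetcher standing in for querycon()."""
    def fetch(sid): return "<13>raw log for session %d\n" % sid  # constructed stand-in
    return build_email(SAMPLE_ALERT, fetch, "LogAll <LogAll@so.example>",
                       ["sal.sa@so.example"], datetime.datetime(2016, 9, 30, 2, 34))

if __name__ == "__main__":
    print(demo())
```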
[Screenshot: the rule's notification type set to Script]

Email alert from Trustwave: [screenshot FinalEmailwPayloadTrustwave.jpg]

Email alert from ESA: [screenshot FinalEmailwPayloadNetwitness.jpg]

Looks pretty close; it just needs a little formatting.

Let me know what you think: good, bad or indifferent! You can't offend me; it's all plagiarized!