Halim Abouzeid

Integrate RSA NetWitness Incident Management with Todoist

Blog Post created by Halim Abouzeid Employee on Apr 5, 2017

This is not an officially RSA-supported integration.

 

This script syncs the incidents of a specific RSA NetWitness user to that user's Todoist account. The user can then leverage the Todoist integrations with the Amazon Echo, Google Home, IFTTT …

It can be set up for multiple users with different Todoist accounts (add one per line in the config file).

The open incidents of a user, as well as their severity, will be synced with Todoist.

Whenever an incident is removed from the user’s queue in NW (either closed, or moved to another analyst), it will be set as closed on Todoist. Closing an incident on Todoist will not close it on NW IM; it will just reappear the next time a synchronization is triggered.

What you will need

You will need the API Token from your Todoist Account (Settings --> Integration --> API Token)

 

 

You will need the Project Number from Todoist. This defines which project the incidents will be added to. By default it should be the Inbox (if you want it to work with the Amazon Echo, for example). From your browser, go to Todoist, click on Inbox and grab the ID from the URL (do not take “2F”). If you want to sync with another project, then click on that project and grab the ID.

If you set up this script on a Todoist project that already has items, the existing items will get deleted.

 

You will also need the username on RSA NetWitness.

 

 

 

Setup

Edit the nwim2todoist.conf file and add a line for each user you wish to do the synchronization for.

There shouldn’t be any empty lines or extra spaces in the file.

The following is the format: <nw_username>,<todoist_api_token>,<todoist_project_id>

 

 

Put both nwim2todoist.py and nwim2todoist.conf in the same folder on the ESA Server.

Make sure the ESA server has access to https://todoist.com

Edit nwim2todoist.conf to have a line for each user whose associated incidents should be synced with their Todoist account.
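A pre-flight check for the config format described above, as an added example that is not part of the original script or post: it flags empty lines, extra spaces, missing fields and a "2F" left on the project ID, without echoing token values, and reports whether other users can access the file holding the API tokens. The function names, the all-digits project ID rule and the sample data are assumptions made for illustration.

```python
import os
import stat

FIELDS = ("nw_username", "todoist_api_token", "todoist_project_id")

# Constructed sample content; the usernames, tokens and IDs are made up.
SAMPLE = (
    "analyst1,CONSTRUCTED_TOKEN_A,1234567890\n"
    "analyst2, CONSTRUCTED_TOKEN_B,1234567891\n"    # extra space
    "\n"                                             # empty line
    "analyst3,CONSTRUCTED_TOKEN_C\n"                 # missing project ID
    "analyst4,CONSTRUCTED_TOKEN_D,2F1234567892\n"    # "2F" copied from the URL
)


def check_conf_text(text):
    """Return (line_number, problem) pairs; values are never echoed, so
    API tokens do not end up in cron mail or logs."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # assumption: one final newline is not an "empty line"
    problems = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            problems.append((n, "empty line"))
            continue
        fields = line.split(",")
        if len(fields) != len(FIELDS):
            problems.append((n, "expected 3 fields, got %d" % len(fields)))
            continue
        for name, value in zip(FIELDS, fields):
            if not value:
                problems.append((n, name + " is empty"))
            elif any(c.isspace() for c in value):
                problems.append((n, name + " contains whitespace"))
            elif name == "todoist_project_id" and not value.isdigit():
                # assumption: the project ID is all digits
                problems.append((n, name + " is not numeric"))
    return problems


def perms_too_open(path):
    """True if group or other users have any access to the token file."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


if __name__ == "__main__":
    for n, problem in check_conf_text(SAMPLE):
        print("line %d: %s" % (n, problem))
```

If `perms_too_open("nwim2todoist.conf")` returns True, `chmod 600 nwim2todoist.conf` restricts the file to the account that runs the cron job.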

 

 

 

Privacy

By default, the script will create an item on Todoist for each incident, named <INCIDENT ID> - <INCIDENT NAME>.

If for privacy reasons you don’t want to sync the Incident Name and just have the Incident ID, then edit the nwim2todoist.py file and change hide_name from 0 to 1.

 

Example with Privacy enabled:

 

 

 

Run the Script

Simply execute: python nwim2todoist.py

Create a cron job to execute it regularly.

Results

Example without Privacy:

 

 

Example with Privacy:

 

 

 

credit to Ian Cuthbertson
