I helped one of my customers implement a use case last year that entailed sending email alerts to specific users when those users logged into legacy applications within their environment.
Creating the alerts for this activity with the ESA was rather trivial - we knew which event source would generate the logs and the meta to trigger against - but sending the alert via email to the specific user identified in the alert itself added a bit of complexity.
Fortunately, others have had similar requirements in the past and there are guides on the community that cover how to generate custom emails for ESA alerts through the script notification option, such as Custom ESA email template with raw event payload and 000031690 - How to send customized subjects in an RSA Security Analytics ESA alert email.
This meant that all we had to do was map the usernames from the log events to the appropriate email addresses, enrich the events and/or alerts with those email addresses, and then customize the email notification using that information. Mapping the usernames to email addresses and adding this information to events/alerts could have been accomplished in a couple of different ways - either a custom Feed (Live: Create a Custom Feed) or an In-Memory Table (Alerting: Configure In-Memory Table as Enrichment Source). For this customer the In-Memory Table was the preferred option because it would not create unnecessary meta in their environment.
We added the CSV containing the usernames and email addresses as an enrichment source:
...then added that enrichment to the ESA alert:
With these steps done, we triggered a couple of alerts to see exactly what the raw output looked like, specifically how the enrichment data was included. The easiest way to find raw alert output is within the Respond module by clicking into the alert and looking for the "Raw Alert" pane:
Armed with this information, we were then able to write the script (copy/pasting from the articles linked above and modifying the details) to extract the email address and use that as the "to_addr" for the email script (also attached at the bottom of this post):
```python
#!/usr/bin/env python
import datetime
import json
import sys
from smtplib import SMTP


def dispatch(alert):
    """
    The default dispatch just prints the 'last' alert to /tmp/esa_alert.json. Alert details
    are available in the Python hash passed to this method e.g. alert['id'], alert['severity'],
    alert['module_name'], alert['events'], etc.
    These can be used to implement the external integration required.
    """
    # Note: the file is created with the default umask, so it is readable by every
    # local user on the ESA host; tighten permissions if alert content is sensitive.
    with open("/tmp/esa_alert.json", mode='w') as alert_file:
        alert_file.write(json.dumps(alert, indent=True))


def read():
    smtp_server = "<your_mail_relay_server>"
    smtp_port = 25
    # "smtp_user" and "smtp_pass" are necessary
    # if your SMTP server requires authentication
    # used in "smtp.login()" below
    #smtp_user = "<your_smtp_user_name>"
    #smtp_pass = "<your_smtp_user_password>"
    from_addr = "<your_mail_sending_address>"
    missing_msg = ""
    to_addr = ""  # defined from enrichment table

    # Get data from JSON
    esa_alert = json.loads(open('/tmp/esa_alert.json').read())

    # Extract Variables (Add as required)
    # "events" and "user_emails" are indexed exactly as the Raw Alert pane showed
    # them for this alert; adjust the path if your alert nests them in a list.
    try:
        module_name = esa_alert["module_name"]
    except KeyError:
        module_name = "null"
    # Recipient comes from the enrichment table; if the lookup produced nothing,
    # fall back to a catch-all mailbox and flag it in the message body.
    try:
        to_addr = esa_alert["events"]["user_emails"]["email"]
    except KeyError:
        missing_msg = "ATTN:Unable to retrieve from enrich table"
        to_addr = "<address_to_send_to_when_enrichment_fails>"
    try:
        device_host = esa_alert["events"]["device_host"]
    except KeyError:
        device_host = "null"
    try:
        service_name = esa_alert["events"]["service_name"]
    except KeyError:
        service_name = "null"
    try:
        user_dst = esa_alert["events"]["user_dst"]
    except KeyError:
        user_dst = "null"

    # Sends Email
    smtp = SMTP()
    smtp.connect(smtp_server, smtp_port)
    # utcnow() so the " GMT" label on the timestamp is actually true
    date = datetime.datetime.utcnow().strftime("%m/%d/%Y %H:%M") + " GMT"
    subj = "Login Attempt on " + (device_host)
    message_text = ("Alert Name: \t\t%s\n" % (module_name) +
                    " \t\t%s\n" % (missing_msg) +
                    "Date/Time : \t%s\n" % (date) +
                    "Host: \t%s\n" % (device_host) +
                    "Service: \t%s\n" % (service_name) +
                    "User: \t%s\n" % (user_dst))
    msg = "From: %s\nTo: %s\nSubject: %s\nDate: %s\n\n%s\n" % (from_addr, to_addr, subj, date, message_text)
    # "smtp.login()" is necessary if your
    # SMTP server requires authentication
    #smtp.login(smtp_user, smtp_pass)
    smtp.sendmail(from_addr, to_addr, msg)
    smtp.quit()


if __name__ == "__main__":
    # ESA invokes the script with the alert JSON as the first argument
    dispatch(json.loads(sys.argv[1]))
    read()
    sys.exit(0)
```
And the result, after adding the script as a notification option within the ESA alert:
Of course, all of this can and should be modified to include whatever information you might want/need for your use case.
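One thing worth changing before reusing the script above: it concatenates log-derived values (device_host, user_dst, and the enriched email address itself) straight into the From/To/Subject header block, so a value carrying a CR/LF would become an extra SMTP header, and an enrichment hit that is not a well-formed address is sent to anyway. The following is an added example, not the script from this post or from the linked community articles, showing the recipient-selection and message-building part rewritten with those checks: header fields are stripped of control characters, the recipient must look like an address in an allowed domain, and anything missing or unusable falls back to a catch-all mailbox with the same "ATTN" flag in the body. The field names (module_name, events, user_emails, email, device_host, service_name, user_dst) follow the post; the sample alerts, the allowed-domain check, the helper names and the addresses are assumptions made for the example. It also accepts events and enrichment rows delivered either as a single object or as a list, which goes beyond the post's own lookups.

```python
import json
import re

# Conservative recipient check: one local part, one domain, no whitespace or
# header-breaking characters. Swap in your own policy if it is stricter.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def _unwrap(value):
    """Events and enrichment rows may arrive as one object or as a list of
    objects (assumption for this example); use the first element in the list
    case so the lookups below work for either shape."""
    if isinstance(value, list):
        return value[0] if value else {}
    return value


def _clean(value):
    """Replace CR, LF and other control characters in a value destined for an
    SMTP header or body, so log-derived text cannot smuggle in extra headers."""
    return re.sub(r"[\r\n\x00-\x1f\x7f]", " ", str(value)).strip()


def pick_recipient(event, fallback_addr, allowed_domain):
    """Return (to_addr, missing_msg). The address comes from the user_emails
    enrichment; a missing or malformed result falls back to fallback_addr."""
    try:
        candidate = _clean(_unwrap(event["user_emails"])["email"])
    except (KeyError, TypeError):
        return fallback_addr, "ATTN:Unable to retrieve from enrich table"
    if not _ADDR_RE.match(candidate) or not candidate.lower().endswith("@" + allowed_domain):
        return fallback_addr, "ATTN:Enrichment returned an unusable address: %s" % candidate
    return candidate, ""


def build_notification(raw_alert_json, fallback_addr, allowed_domain, from_addr, sent_at):
    """Turn one raw ESA alert (JSON text) into what smtplib.sendmail() needs:
    (to_addr, subject, message). Every header field has been sanitised."""
    alert = json.loads(raw_alert_json)
    event = _unwrap(alert.get("events", {}))
    to_addr, missing_msg = pick_recipient(event, fallback_addr, allowed_domain)
    fields = {
        "module_name": _clean(alert.get("module_name", "null")),
        "device_host": _clean(event.get("device_host", "null")),
        "service_name": _clean(event.get("service_name", "null")),
        "user_dst": _clean(event.get("user_dst", "null")),
    }
    subj = "Login Attempt on " + fields["device_host"]
    body = ("Alert Name: \t\t%s\n" % fields["module_name"] +
            " \t\t%s\n" % missing_msg +
            "Date/Time : \t%s\n" % sent_at +
            "Host: \t%s\n" % fields["device_host"] +
            "Service: \t%s\n" % fields["service_name"] +
            "User: \t%s\n" % fields["user_dst"])
    msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\nDate: %s\r\n\r\n%s" % (
        from_addr, to_addr, subj, sent_at, body)
    return to_addr, subj, msg


# Constructed sample alerts (not real ESA output), shaped like the post's lookups:
# a clean enrichment hit, an alert with no hit, and a log field carrying a CRLF
# that would otherwise add a Bcc: header to the outgoing mail.
SAMPLE_OK = json.dumps({"module_name": "Legacy App Login", "events": {
    "device_host": "legacy-app01", "service_name": "LegacyApp", "user_dst": "jsmith",
    "user_emails": {"email": "jsmith@example.com"}}})
SAMPLE_NO_ENRICH = json.dumps({"module_name": "Legacy App Login", "events": {
    "device_host": "legacy-app02", "service_name": "LegacyApp", "user_dst": "unknown"}})
SAMPLE_INJECT = json.dumps({"module_name": "Legacy App Login", "events": [{
    "device_host": "legacy-app03\r\nBcc: attacker@evil.test", "service_name": "LegacyApp",
    "user_dst": "mallory", "user_emails": [{"email": "mallory@example.com"}]}]})

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_NO_ENRICH, SAMPLE_INJECT):
        to_addr, subj, msg = build_notification(sample, "soc@example.com", "example.com",
                                                "esa@example.com", "01/01/2024 00:00 GMT")
        print(to_addr, "|", subj)
        print(msg)
```

In the dispatch script, `build_notification` would be called on the contents of /tmp/esa_alert.json and its result handed to `smtp.sendmail(from_addr, to_addr, msg)`; the fallback mailbox and allowed domain replace the two hard-coded placeholder addresses.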