000031690 - How to send customized subjects in an RSA Security Analytics ESA alert email

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Number: 000031690
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA), Security Analytics UI
RSA Version/Condition: 10.5.x
Platform: CentOS
O/S Version: EL6
 
Issue: By default, all ESA email alerts have the subject "ESA Alert".
Tasks: This article explains how to create a custom ESA alert notification script with a customized subject and message template.
  1. In the Security Analytics Web Interface, navigate to Administration -> System -> Global Notifications -> Output.
  2. Create a new ESA script containing the text below.
    #!/usr/bin/env python
    from smtplib import SMTP
    from email.utils import formatdate
    import datetime
    import json
    import sys

    def dispatch(alert):
        """
        The default dispatch just prints the 'last' alert to /tmp/esa_alert.json. Alert details
        are available in the Python hash passed to this method e.g. alert['id'], alert['severity'],
        alert['module_name'], alert['events'][0], etc.
        These can be used to implement the external integration required.
        """
        # Fixed path created with the default umask: alert details may be readable by other local users.
        with open("/tmp/esa_alert.json", mode='w') as alert_file:
            alert_file.write(json.dumps(alert, indent=2))

    def read():
        # Parameters (sa_server and brokerid are not referenced below; keep them for your own extensions)
        sa_server = '192.168.123.4'
        brokerid = '35'
        smtp_server = '192.168.123.27'
        smtp_port = 25
        smtp_user = ''
        smtp_pass = ''
        from_addr = "RSA Security Analytics <RSA@SecurityAnalytics.com>"
        to_addr = ['securityanalytics@waugh.local']

        # Get data from the JSON file written by dispatch()
        with open('/tmp/esa_alert.json') as alert_file:
            esa_alert = json.load(alert_file)
        # Extract variables (add as required); a missing field becomes the string "null"
        try:
            module_name = esa_alert["module_name"]
        except KeyError:
            module_name = "null"
        try:
            ip_src = esa_alert["events"][0]["ip_src"]
        except (KeyError, IndexError):
            ip_src = "null"
        try:
            country_src = esa_alert["events"][0]["country_src"]
        except (KeyError, IndexError):
            country_src = "null"
        try:
            domain_src = esa_alert["events"][0]["domain_src"]
        except (KeyError, IndexError):
            domain_src = "null"
        try:
            user_dst = esa_alert["events"][0]["user_dst"]
        except (KeyError, IndexError):
            user_dst = "null"
        # Send email
        smtp = SMTP()
        smtp.set_debuglevel(0)
        smtp.connect(smtp_server, smtp_port)
        #smtp.login(smtp_user, smtp_pass)

        date = datetime.datetime.now().strftime("%d/%m/%Y %H:%M")
        subj = "%s :: %s :: %s :: %s" % (module_name, date, ip_src, domain_src)
        message_text = ("Alert Name: \t\t%s\n" % module_name +
            "Date/Time: \t\t%s\n" % date +
            "Domain Source: \t\t%s\n" % domain_src +
            "Source IP: \t\t%s\n" % ip_src +
            "User: \t%s\n" % user_dst +
            "Source Country: \t\t%s\n" % country_src
        )

        # Recipients are joined into a proper To header; the Date header uses RFC 2822 form so mail clients can display it
        msg = "From: %s\nTo: %s\nSubject: %s\nDate: %s\n\n%s\n" % (from_addr, ", ".join(to_addr), subj, formatdate(localtime=True), message_text)
        smtp.sendmail(from_addr, to_addr, msg)
        smtp.quit()

    if __name__ == "__main__":
        dispatch(json.loads(sys.argv[1]))
        read()
        sys.exit(0)


    Note: The indentation in the above script is very important.
  3. Change the line sa_server = '192.168.123.4' to reflect the IP address of your SA Server.
  4. Change the line brokerid = '35' to reflect the device ID of your SA Broker.
  5. Change the line smtp_server = '192.168.123.27' to be the IP address of your SMTP server.
  6. Change the from_addr and to_addr lines as applicable to your environment.
  7. Go to the Global Notifications -> Servers tab and define a Script Server (accept the default values).
  8. Under Alerts -> Configure, make sure that the rule for which you wish to use the script has the notification type set to Script, as shown below. (Adjust Output Suppression as desired.)
[Screenshot: rule notification type set to Script]
Notes: Emails will be received in the format shown in the example below when using the script in this article:
-----Original Message-----
From: RSA Security Analytics [mailto:RSA@SecurityAnalytics.com]
Sent: None
To: "['securityanalytics"@waugh.local']
Subject: 2 Login Events Same User Different Devices :: 09/11/2015 11:31 :: null :: null
Alert Name:   2 Login Events Same User Different Devices
Date/Time:   09/11/2015 11:31
Domain Source:   null
Source IP:   null
User:  rsatest
Source Country:   null

The script can be modified as desired.
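As an added example, not the article's script, the same subject and body can be built with Python 3's standard email package, which renders the recipient list as a proper To header, sets a Date header that mail clients can display, and refuses any header value containing a line break, so an alert field such as a domain name cannot add headers of its own. The sender, recipient and SMTP server values are the article's placeholders; the field lists, the sample alert and the sample time are constructed for this example.

```python
#!/usr/bin/env python3
"""Assemble an ESA alert e-mail with a customized subject (added example, not the article's script)."""
import datetime
import json
import smtplib
from email.message import EmailMessage
from email.utils import format_datetime

# Event fields placed in the subject, and (label, field) pairs for the body; extend as required.
SUBJECT_FIELDS = ("ip_src", "domain_src")
BODY_FIELDS = (("Domain Source", "domain_src"), ("Source IP", "ip_src"),
               ("User", "user_dst"), ("Source Country", "country_src"))

def clean(value):
    """Collapse a field to one line so alert content cannot become an extra mail header."""
    return " ".join(str(value).split()) if value is not None else "null"

def build_message(alert, from_addr, to_addrs, now=None):
    """Return an EmailMessage with subject 'module_name :: dd/mm/yyyy HH:MM :: ip_src :: domain_src'."""
    now = now or datetime.datetime.now()
    event = (alert.get("events") or [{}])[0]          # tolerate a missing or empty events list
    module_name = clean(alert.get("module_name", "null"))
    date = now.strftime("%d/%m/%Y %H:%M")
    subject_parts = [module_name, date] + [clean(event.get(f, "null")) for f in SUBJECT_FIELDS]
    body = ["Alert Name: %s" % module_name, "Date/Time: %s" % date]
    body += ["%s: %s" % (label, clean(event.get(f, "null"))) for label, f in BODY_FIELDS]
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = ", ".join(to_addrs)                   # a list rendered as "['x']" is not a valid To header
    msg["Date"] = format_datetime(now)                # RFC 2822 date, so clients show a real Sent time
    msg["Subject"] = " :: ".join(subject_parts)       # EmailMessage raises ValueError on header line breaks
    msg.set_content("\n".join(body) + "\n")
    return msg

def send(msg, smtp_server="192.168.123.27", smtp_port=25):
    """Deliver the message; the default server address is the article's placeholder."""
    with smtplib.SMTP(smtp_server, smtp_port) as smtp:
        smtp.send_message(msg)

# Constructed sample alert in the shape ESA hands to dispatch(); domain_src carries a CRLF
# and a fake Bcc: line to show that the cleaning step keeps it inside the Subject.
SAMPLE_ALERT = json.loads('{"module_name": "2 Login Events Same User Different Devices", '
                          '"events": [{"user_dst": "rsatest", "domain_src": "evil.example\\r\\nBcc: x@example"}]}')
SAMPLE_TIME = datetime.datetime(2015, 11, 9, 11, 31)

if __name__ == "__main__":
    print(build_message(SAMPLE_ALERT, "RSA Security Analytics <RSA@SecurityAnalytics.com>",
                        ["securityanalytics@waugh.local"], now=SAMPLE_TIME).as_string())
```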
