Custom ESA email template with raw event payload

Document created by Sal Sanshez Employee on Sep 30, 2016
Version 1Show Document
  • View in full screen mode

A customer requested to recreate specifically formatted email alert templates that they were getting from Trustwave. I put together the following script with the help of the following 2 solutions. : 


Report for ESA's Triggered Alerts with Raw Events (Halim)  


000031690 - How to send customized subjects in an RSA Security Analytics ESA alert email


Here is the final script: 


  1. In the Security Analytics Web Interface, navigate to Administration -> System -> Global Notification -> Output.
  2. Create a New ESA Script Containing the text below.


#!/usr/bin/env python
from smtplib import SMTP
import datetime
import json
import sys
import re #regular expressions
import urllib2 #for querying concentrator's API
import logging #for sending syslog
import logging.handlers #for sending syslog
import time
import io

def dispatch(alert):
    The default dispatch just prints the 'last' alert to /tmp/esa_alert.json. Alert details
    are available in the Python hash passed to this method e.g. alert['id'], alert['severity'],
    alert['module_name'], alert['events'][0], etc.
    These can be used to implement the external integration required.

    with open("/tmp/esa_alert.json", mode='w') as alert_file:
        alert_file.write(json.dumps(alert, indent=True))

#function to get the raw logs from the sessions IDs
def getrawlogs():
    f = open('/tmp/esasyslogtest.log','w') #open and clear the file, start fresh
    #f = open('/tmp/esasyslogtest.log','w') write the raw log to the message we're building
    for line in open("/tmp/esa_alert.json"): #open the file containing meta related to the triggered alert
        if "sessionid" in line: #look for the each line containing sessions IDs of constituent events
            sid ='(\d+)',line) #only keep the actual session ID (numbers) and drop all text
            rawlog = querycon( #call function to query the concentrator which returns the raw log for the session ID
            rawlog = rawlog.replace("\n", "") #do some cleaning

#function that returns the raw log message based on the session ID by querying the concentrator's API
def querycon(sid):
        cip = '' #concentrator's IP
        rport = '50105' #rest port
        userData = "Basic " + ("saservice:netwitness").encode("base64").rstrip() #first encode the username & password
        req = urllib2.Request('http://'+cip+':'+rport+'/sdk/packets?render=logs&sessions='+sid) #we build the query
        req.add_header('Authorization', userData) #add the authentication header
        raw = urllib2.urlopen(req) #make the request
        return #return the raw log

def read():
    sa_server = ''
    brokerid = '35'
    smtp_server = ''
    smtp_port = '25'
    smtp_user = ''
    smtp_pass = ''
    from_addr = "LogAll <>"
    to_addr = ['']

    # Get data from JSON
    esa_alert = json.loads(open('/tmp/esa_alert.json').read())
    #Extract Variables (Add as required)
        module_name = esa_alert["module_name"]
    except KeyError:
        module_name = "null"
        sig_type = esa_alert["events"][0]["sig_type"]
    except KeyError:
        sig_type = "null"
        event_desc = esa_alert["events"][0]["event_desc"]
    except KeyError:
        event_desc = "null"
        sensor = esa_alert["events"][0]["sensor"]
    except KeyError:
        sensor = "null"
        ip_src = esa_alert["events"][0]["ip_src"]
    except KeyError:
        ip_src = "null"
        ip_dst = esa_alert["events"][0]["ip_dst"]
    except KeyError:
        ip_dst = "null"
    # Sends Email
    smtp = SMTP()

    raw_event = ''
    with'/tmp/esasyslogtest.log') as f:
            raw_event = ''.join(f.readlines())
        except IOError:

    date = "%d/%m/%Y %H:%M" )
    subj = ( module_name ) + " :: " + ( date ) + " :: " + ( sig_type ) + " :: " + ( ip_src )
    message_text = ("Alert Name: \t\t%s\n" % ( module_name )+
        "Date/Time: \t\t\t%s\n" % ( date  ) +
        "IDS Signature: \t\t%s\n" % ( sig_type ) +
        "IDS Alert Detail: \t%s\n" % ( event_desc ) +
        "Sensor: \t\t\t%s\n" % ( sensor ) +
        "Source IP: \t\t\t%s\n" % ( ip_src ) +
        "Target IP: \t\t\t%s\n" % ( ip_dst ) +
        "\n" +
        "Raw Event: " + "\n" +
        "\n" +

    msg = "From: %s\nTo: %s\nSubject: %s\nDate: %s\n\n%s\n" % ( from_addr, to_addr, subj, date, message_text )
    smtp.sendmail(from_addr, to_addr, msg)

if __name__ == "__main__":
    getrawlogs() #add the raw logs of the constituent events to the message



  1. Note: The indentation in the above message is very important.
  2. Change the line sa_server =  to reflect the IP address of your SA Server.
  3. Change the line brokerid = '35' to reflect the deviceid of your SA Broker.
  4. Change the line smtp_server =  to be the IP address of your SMTP server.
  5. Change the from_addr and to_addr lines as applicable to your environment.
  6. Go to the Global Notifications -> Servers tab and define a Script Server (accept the default values).
  7. Under Alerts ->Configure make sure that the rule for which you wish to use the script has the notification type set as Script ,as shown below. (Adjust Output Suppression as desired)
User-added image



Email alert from trustwave

email alert from Trustwave



Email alert from ESA


Email alert from ESA



Looks pretty close. Just need a little formatting. 



Let me know what you think. Good, Bad or Indifferent! You can't offend me it's all plagiarized!







RSA NetWitness Suite Training 

RSA NetWitness Logs & Packets Administrator Training

RSA NetWitness Logs & Packets Knowledge Base

3 people found this helpful