I'm building a script that extracts an IP from a raw alert (default script template) and executes some stuff.
My output script is the basic one that I've found in the documentation and on the forum:
with open('data.txt', 'w') as outfile:
if __name__ == "__main__":
First, I'm testing the execution of the alert to create a file. The issue is that the "data.txt" isn't created.
I added another notification via SMTP to test and to get the raw alert. I executed the script (via CLI) with the output (from SMTP) and the file was created. The script works with the output. My conclusion is that maybe the ESA isn't running the script.
My notification configuration is:
Notification: Invoke REST API (above)
Notification Server: Script Executor (from documentation: Configure Script as a Notification Server - RSA Security Analytics Documentation)
Template: Default Script Template
How can I check what is wrong? Any idea what is wrong?
As soon as my file is created, I will change the script and extract only what I need.
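
An added example, not part of the original post and not RSA's code: a handler that logs how it was invoked and writes to an absolute path, so a file that lands somewhere unexpected can be told apart from a script that never ran. It assumes the raw alert arrives as the first command-line argument (falling back to stdin); the output directory and the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Diagnostic alert handler (added example; paths and input channel are assumptions)."""
import ipaddress
import json
import os
import re
import sys
import tempfile
import traceback

# Assumption: an absolute directory the service account can write to. A relative
# name such as 'data.txt' resolves against the caller's working directory instead.
OUT_DIR = os.path.join(tempfile.gettempdir(), "esa_script_debug")

# Dotted quads that are not part of a longer dotted number (e.g. 1.2.3.4.5).
IP_CANDIDATE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def extract_ips(raw):
    """Return unique, valid IPv4 addresses found anywhere in the raw alert text."""
    found = []
    for candidate in IP_CANDIDATE.findall(raw):
        try:
            ip = str(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # octet out of range, e.g. 999.1.1.1
        if ip not in found:
            found.append(ip)
    return found

def handle(argv, out_dir=OUT_DIR):
    """Record how the script was invoked, then write the extracted IPs."""
    os.makedirs(out_dir, exist_ok=True)
    with open(os.path.join(out_dir, "invocation.log"), "a") as log:
        # One line per run: proves the script was started, by whom, and from where.
        log.write(json.dumps({"cwd": os.getcwd(), "uid": os.getuid(),
                              "argc": len(argv)}) + "\n")
        try:
            raw = argv[1] if len(argv) > 1 else sys.stdin.read()
            ips = extract_ips(raw)
            with open(os.path.join(out_dir, "data.txt"), "w") as outfile:
                outfile.write("\n".join(ips) + "\n")
            return ips
        except Exception:
            log.write(traceback.format_exc())  # keep the failure reason on disk
            raise

if __name__ == "__main__":
    handle(sys.argv)
```

If `invocation.log` never appears after an alert fires, the script was not started at all; if it appears with a traceback, the script ran but failed under the service account.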