
Troubleshoot script execution in ESA

Question asked by Igor Max Fernandes Vieira on Dec 27, 2016
Latest reply on Dec 28, 2016 by Igor Max Fernandes Vieira

Hello,

I'm building a script that extracts an IP from a raw alert (default script template) and executes some stuff.

My output script is the basic one that I've found in the documentation and on the forum:

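#!/usr/bin/env python
import json
import sys


def invoke_rest_API(alert):
    # Write the alert to data.txt; the relative path resolves against the
    # working directory of whatever process launches the script.
    with open('data.txt', 'w') as outfile:
        json.dump(alert, outfile)


if __name__ == "__main__":
    # The alert is passed as a JSON string in the first argument.
    invoke_rest_API(json.loads(sys.argv[1]))
    sys.exit(0)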

First, I'm testing the execution of the alert to create a file. The issue is that the "data.txt" isn't created.

I added another notification via SMTP to test and to get the raw alert. I executed the script (via CLI) with the output (from SMTP) and the file was created. The script works with the output. My conclusion is that maybe the ESA isn't running the script.


My notification configuration is:

Output: SCRIPT

Notification: Invoke REST API (above)

Notification Server: Script Executor (from documentation: Configure Script as a Notification Server - RSA Security Analytics Documentation)

Template: Default Script Template

How can I check what is wrong? Any idea what is wrong?

As soon as my file is created, I will change the script and extract only what I need.


Thanks


Igor Max
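
An added example, not part of the original post or of RSA's documentation: a diagnostic variant of the script above that writes to an absolute directory and logs its working directory, account and any exception, which separates "the script was never launched" from "it ran but could not write the relative 'data.txt'". It also collects every IP-shaped string in the alert without assuming field names. Python 3, the `ALERT_OUT_DIR` variable and the `esa_script_debug.log` name are assumptions.

```python
#!/usr/bin/env python3
"""Diagnostic variant of a script notification handler (added example)."""
import ipaddress
import json
import os
import sys
import tempfile
import traceback

# Assumption: a directory the account running the script can write to.
OUT_DIR = os.environ.get("ALERT_OUT_DIR", tempfile.gettempdir())


def extract_ips(node):
    """Recursively collect every string value that parses as an IP address."""
    found = []
    if isinstance(node, (dict, list)):
        children = node.values() if isinstance(node, dict) else node
        for child in children:
            found.extend(extract_ips(child))
    elif isinstance(node, str):
        try:
            found.append(str(ipaddress.ip_address(node.strip())))
        except ValueError:
            pass  # not an IP address, ignore
    return found


def handle(argv, out_dir=OUT_DIR):
    """Log how the script was invoked, then parse the alert. Returns exit code."""
    log_path = os.path.join(out_dir, "esa_script_debug.log")
    with open(log_path, "a") as log:
        # cwd shows where a relative path such as 'data.txt' would land;
        # uid shows which account needs write permission there.
        log.write("cwd=%s uid=%s argc=%d\n" % (os.getcwd(), os.getuid(), len(argv)))
        try:
            alert = json.loads(argv[1])
            ips = sorted(set(extract_ips(alert)))
            with open(os.path.join(out_dir, "data.txt"), "w") as outfile:
                json.dump({"ips": ips, "alert": alert}, outfile)
            log.write("ok ips=%s\n" % ",".join(ips))
            return 0
        except Exception:
            log.write(traceback.format_exc())  # missing argument, bad JSON, I/O error
            return 1


if __name__ == "__main__":
    sys.exit(handle(sys.argv))
```

If the log file never appears after an alert fires, the script was not launched at all; if it appears with a traceback, the failure is in the argument or in file permissions.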
