The original of the script I'm using was originally posted by Knight around 2010 and can be located here: https://protect724.hp.com/docs/DOC-1351#comment-2481. Other P724 member contributions and thoughts can be seen there as well. This is essentially a Python script being called from ESM by Rule Action, so the sky is the limit on what you can actually do. I take no credit for the original implementation, I just adopted and adapted what was available to fill a need.
Attached is a zip containing the Python scripts I'm running to achieve the aforementioned HTML notifications. Mind you, these are probably not a best fit for all scenarios, but for outputting specific data to those outside the SIEM world, it's proven helpful (i.e. those people that have no clue or care what their logs look like). I've also included the service system scripts I'm using to pass ArcSight alerts into the service system (Service-Now) automatically.
- Windows Scripts
- RHEL Scripts
- Config Doc
- A default HP/ArcSight logo to use with the scripts
- Tested and functional on both ESM 5.x and 6.x
- For Windows based ESMs (5.x) you'll need to install Python 2.7 on the manager server for these scripts to execute properly.
- For RHEL/Linux based ESMs (5.x+), Python support should be part of the base OS install in most cases.
- Scripts can be placed wherever you'd like on the manager; personally I just made a scripts folder in the root of the manager directory for easy access. Just remember where you place them on the manager, as that is how you'll need to reference them from correlation actions.
- I have sanitized our organization's information from the scripts and the config document provided therein; please take care to remember this will need to be modified to work in your environment.
- Service-Now scripts may or may not work out of the box for all environments. Our Service-Now instance allows for e-mail creation of incidents; however, I'm not involved with our service team enough to know if this is part of the default capability provided with the solution. Since no connector for Service-Now exists from ArcSight, this was a best fit use case for this issue.
- I'm happy to field minor support questions, but this script is provided "as-is" with no claim of responsibility for how you use it in your environment.
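As an added illustration of the pattern the post describes (a script invoked by an ESM rule action that turns event fields into an HTML e-mail), here is a small Python 3 example that is not the attached script. It assumes the correlation action passes the event fields as `field=value` arguments, which is a convention chosen for this example, not necessarily how the author's action is configured; the field names, addresses and logo handling are likewise assumptions. Every value is HTML-escaped because it originates from device logs and is rendered in the recipient's mail client.

```python
# Added example, not the attached scripts: build an HTML notification from the
# event fields an ESM rule action hands to a script. Assumed convention: the
# action calls the script with "field=value" arguments.
import html
import sys
from email.message import EmailMessage

# ArcSight-style field names (assumed) and the labels shown in the table.
FIELD_LABELS = [
    ("name", "Rule"),
    ("priority", "Priority"),
    ("attackerAddress", "Source"),
    ("targetAddress", "Destination"),
    ("deviceVendor", "Vendor"),
    ("message", "Message"),
]

def parse_action_args(argv):
    """Turn ['name=Brute Force', 'priority=8', ...] into a dict; stray args are ignored."""
    fields = {}
    for arg in argv:
        key, sep, value = arg.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def render_html(fields, logo_cid="logo"):
    """Build the HTML body; log-derived values are escaped before they hit the mail client."""
    rows = "".join(
        "<tr><th align='left'>%s</th><td>%s</td></tr>"
        % (label, html.escape(fields.get(key, "n/a")))
        for key, label in FIELD_LABELS
    )
    return ("<html><body><img src='cid:%s' alt='logo'>"
            "<h2>ArcSight alert: %s</h2><table>%s</table></body></html>"
            % (logo_cid, html.escape(fields.get("name", "unknown")), rows))

def build_message(fields, sender, recipients, logo_png=None):
    """Assemble a multipart message: plain-text fallback, HTML body, optional inline logo."""
    msg = EmailMessage()
    msg["Subject"] = "[ArcSight] " + fields.get("name", "unknown rule")
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg.set_content("Open this message in an HTML capable mail client.")
    msg.add_alternative(render_html(fields), subtype="html")
    if logo_png is not None:
        # Embed the logo bytes so the <img src='cid:logo'> reference resolves offline.
        msg.get_payload()[1].add_related(logo_png, "image", "png", cid="<logo>")
    return msg

if __name__ == "__main__":
    # Delivery would be smtplib.SMTP(host).send_message(msg); printed here instead.
    print(build_message(parse_action_args(sys.argv[1:]),
                        "esm@example.org", ["soc@example.org"]).as_string())
```

Run it as `python notify.py name="Brute Force" priority=8 attackerAddress=10.0.0.5` to see the generated message.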