ArcSight notification script: less is more

Document created by Knight on Aug 26, 2010. Last modified by Knight on Aug 27, 2010. Version 2.

Hi @ all,

 

Since the ArcSight notifications via e-mail aren't as "beautiful" as we want them, I created a small script that creates HTML notifications.

 

[Screenshot: ArcSightNotification.gif]

 

The script expects a logo file (GIF / JPG) in the same directory as the script, and it has a small config section that has to be adjusted once.

The config section is located at the beginning of the script:

 

# ------------------ CONFIG BEGIN -----------------------

# Your e-mail server
mailserver = "Insert here the IP address of your corporate e-mail server"

# User name for the e-mail server, if needed
mail_user = None

# Password for the e-mail server, if needed
mail_password = None

# Your corporate logo
cooperate_logo = "The name of the logo file in GIF or JPG format in the same directory e.g /home/arcsight/logo.gif"

# Default e-mail address that should receive notifications
default_receiver = "The E-Mail address of the CERT for example"

# ArcSight (sender) address
notification_sender = "The sender E-Mail address like arcsight@your_company.de"

# ------------------ CONFIG END -----------------------

 

Place the script and your corporate logo file in /home/arcsight/.

After that you can create rules with the Execute Command option:

[Screenshot: ArcSightNotificationRule.gif]

Settings are:

Platform: Linux

Command: /usr/bin/python

Argument: "/home/arcsight/ArcSightNotification.py" "$name" "$sourceAddress" "$sourceUserName" "$targetAddress" "$targetUserName" "CustomField" "A custom notification message" ["optionally, an alternative e-mail address that should receive the e-mail"]

Action Type: Automatically run on manager

 

Comments, suggestions and improvements are welcome. The script was tested on ArcSight Manager version 4.5.2.6076.0.

 

Best Regards

Knight
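
The script itself is not reproduced on this page. As an added example (not Knight's code), here is a Python 3 sketch of how a script called with the argument order above can build the HTML mail while treating the event fields as untrusted, since values such as $name or $sourceUserName come from log data. The function names, the placeholder addresses and the address pattern are assumptions made for the illustration.

```python
import html
import re
from email.message import EmailMessage

# Field order taken from the Execute Command argument line on this page.
FIELDS = ["name", "sourceAddress", "sourceUserName", "targetAddress",
          "targetUserName", "customField", "message"]
DEFAULT_RECEIVER = "cert@example.invalid"   # placeholder (assumption)
SENDER = "arcsight@example.invalid"         # placeholder (assumption)
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_args(argv):
    """Map sys.argv[1:] to field names; the 8th argument is optional."""
    if len(argv) < len(FIELDS):
        raise ValueError("expected at least %d arguments" % len(FIELDS))
    event = dict(zip(FIELDS, argv))
    receiver = argv[len(FIELDS)] if len(argv) > len(FIELDS) else DEFAULT_RECEIVER
    # Accept only one plain address (no CR/LF, no address lists).
    if not ADDR_RE.fullmatch(receiver):
        receiver = DEFAULT_RECEIVER
    return event, receiver


def build_message(event, receiver, logo_bytes=None, logo_subtype="gif"):
    """Build the HTML notification; every event value is escaped before use."""
    msg = EmailMessage()
    # Event names can carry log-derived text: replace control characters so
    # the Subject header cannot be split into additional headers.
    msg["Subject"] = re.sub(r"[\x00-\x1f\x7f]+", " ", event["name"])[:200]
    msg["From"] = SENDER
    msg["To"] = receiver
    rows = "".join(
        "<tr><th>%s</th><td>%s</td></tr>" % (html.escape(k), html.escape(v))
        for k, v in event.items())
    logo = "<img src='cid:logo'>" if logo_bytes else ""
    msg.set_content("\n".join("%s: %s" % kv for kv in event.items()))
    msg.add_alternative(
        "<html><body>%s<table>%s</table></body></html>" % (logo, rows),
        subtype="html")
    if logo_bytes:
        # Attach the logo inline to the HTML part, referenced by Content-ID.
        msg.get_payload()[1].add_related(
            logo_bytes, maintype="image", subtype=logo_subtype, cid="<logo>")
    return msg
```

The resulting message can be handed to `smtplib.SMTP(mailserver).send_message(msg)`.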
