#__author__ = 'Vosteen'
# serviceNowInterface.py = defines the Company1 Service Now Creation templates
# depending on the template, it creates an incident with the appropriate Title & Descriptions and assigns it to the rightful assignment group.
#
class serviceNowInterface():
def __init__(self):
r = None
def getTemplateInfo(self, vattackProtocol, vTemplateField):
import logging
logger = logging.getLogger('serviceNowInterface')
if vattackProtocol == "0":
#if vattackProtocol == "machine scan":
if vTemplateField == "title":
return "Company1 Information Security Request - Please read full description below"
elif vTemplateField == "description":
return "System %s has been reaching out to malicious websites. Customer may not be aware of the issue. Please contact customer immediately to schedule a scan and removal of infection for this system using an approved malware removal tool. \r\n \r\nPlease take note of threats found and include in the closing comments. \r\n \r\n If this request is closed for any other reason than successful scan, please contact a member of the DART team via dl-dartanalysis. \r\n \r\n This ticket has been created on behalf of the listed requester by the DART. \r\n\r\n Company1 Information Security Team Detection Analysis Response ArcSight case %s"
elif vTemplateField == "assignedgroup":
return "Field Support Services"
else:
return "False"
elif vattackProtocol == "1":
#elif vattackProtocol == "machine reimage":
if vTemplateField == "title":
return "Company1 Information Security Request - Please read full description below"
elif vTemplateField == "description":
return "Machine %s has been discovered to be infected with malware and is actively attempting to connect to external addresses to receive instructions. Due to the level of infection, this machine will be re-imaged to minimize continued risk to Company1. Customer may not be aware of issue. Please contact customer immediately to schedule a re-image for this system. \r\n \r\n Please ship/deploy a loaner system at the earliest available to minimize impact to the Associate. \r\n \r\n If backing up data, complete both malware and AV scans with approved tools before the backup, restore only what is needed. Do not restore temporary files, executables downloaded and any installation outside approved. \r\n \r\n If this request is closed for any other reason than successful re-image, please contact a member of the DART team via dl-dartanalysis. \r\n \r\n This ticket has been created on behalf of the listed requester by the DART. \r\n \r\n Company1 Information Security Team Detection Analysis Response \r\n \r\n Detection Analysis Response Arcsight case %s"
elif vTemplateField == "assignedgroup":
return "ENTERPRISE_SERVICEDESK_ATS"
else:
return "False"
elif vattackProtocol == "2":
#elif vattackProtocol == "unauthorized file sharing software removal":
if vTemplateField == "title":
return "Company1 Information Security Request - Please read full description below"
elif vTemplateField == "description":
return "System %s was observed to have unauthorized software %s installed. This type of software is not authorized for installation on Company1 assets and could potentially be used for malicious purposes. Customer may not be aware of the issue. Please contact customer immediately to remove unauthorized software and scan for malware using an approved malware removal tool. \r\n \r\n Please take note of threats found and include in the closing comments. \r\n \r\n If this request is closed for any other reason than successful software removal and scan, please contact a member of the DART team via dl-dartanalysis. \r\n \r\n This ticket has been created on behalf of the listed requester by the DART. Company1 Information Security Team \r\n \r\n Detection Analysis Response \r\n \r\n ArcSight case %s"
elif vTemplateField == "assignedgroup":
return "ENTERPRISE_SERVICEDESK_ATS"
else:
return "False"
elif vattackProtocol == "3":
#elif vattackProtocol == "unauthorized software installed":
if vTemplateField == "title":
return "Company1 Information Security Request - Please read full description below"
elif vTemplateField == "description":
return "System %s was observed to have unauthorized software %s installed. This type of software is not authorized for installation on Company1 assets and could potentially be used for malicious purposes. Customer may not be aware of the issue. Please contact customer immediately to remove unauthorized software and scan for malware using an approved malware removal tool. \r\n \r\n Please take note of threats found and include in the closing comments. \r\n \r\n If this request is closed for any other reason than successful software removal and scan, please contact a member of the DART team via dl-dartanalysis. \r\n \r\n This ticket has been created on behalf of the listed requester by the DART. Company1 Information Security Team \r\n \r\n Detection Analysis Response \r\n \r\n ArcSight case %s"
elif vTemplateField == "assignedgroup":
return "ENTERPRISE_SERVICEDESK_ATS"
else:
return "False"
else:
return "False"
def createSNOWIncident(self, params_dict):
import datetime
from SOAPpy import SOAPProxy
# instance to send to
instance = 'Company1prod'
# username/password
username = 'svcArcSight'
password = 'Company1@123'
# proxy - NOTE: ALWAYS use https://INSTANCE.service-now.com, not https://www.service-now.com/INSTANCE for web services URL from now on!
proxy = 'https://%s:%s@%s.service-now.com/incident.do?SOAP' % (username, password, instance)
namespace = 'http://www.service-now.com/'
server = SOAPProxy(proxy, namespace)
# uncomment these for LOTS of debugging output
# server.config.dumpHeadersIn = 1
# server.config.dumpHeadersOut = 1
# server.config.dumpSOAPOut = 1
# server.config.dumpSOAPIn = 1
response = server.insert(impact=int(params_dict['impact']), urgency=int(params_dict['urgency']), priority=int(params_dict['priority']), category=params_dict['category'], u_current_location=params_dict['location'], caller_id=params_dict['user'], assignment_group=params_dict['assignment_group'], subcategory=params_dict['subcategory'], short_description=params_dict['short_description'], description=params_dict['description'], u_business_unit=params_dict['business_unit'])
return response
def createIncident(self, vfilename):
import logging
import datetime
import arcsightIOInterface
import re
import sys
import os
import emailout
return "INC123456"
logger = logging.getLogger('serviceNowInterface')
today = datetime.datetime.today()
Files2Proc = arcsightIOInterface.arcsightInterface()
vattackProtocol = Files2Proc.readAttackProtocol(vfilename)
TempLU = serviceNowInterface()
sysemail = emailout.emailout()
logger.info("File Recommended Action (used for templates): " + vattackProtocol)
vAssignedGroup = TempLU.getTemplateInfo(vattackProtocol, "assignedgroup")
vDescription = TempLU.getTemplateInfo(vattackProtocol, "description")
vTitle = TempLU.getTemplateInfo(vattackProtocol, "title")
vUserId = Files2Proc.readUserId(vfilename)
vWorkstationName = Files2Proc.readHostName(vfilename)
vReadCaseName = Files2Proc.readCaseName(vfilename)
# Checks if UserId and Workstation in the ArcSight case send notification email and stop incident creation process
if vUserId == "False" or vWorkstationName == "False":
vUserId = ""
try:
sysemail.sendEmail(vfilename, "system", "NOUSERORWORKSTATION")
logger.error("No user id or workstation name present in the ArcSight case. Workstation Name: " + vWorkstationName + ", User Name: " + vUserId)
except:
logger.error("****** Error sending out system notification email showing failure in ServiceNow Incident creation because of missing workstation or user information. ******")
try:
os.remove(vfilename)
except:
logger.error("Error removing ArcSight export file.")
sys.exit("No user id or workstation name present in the ArcSight case. Workstation Name: " + vWorkstationName + ", User Name: " + vUserId)
# Checks if vattackProtocol (Template) in the ArcSight case is empty or incorrect, if it is send notification email and stop incident creation process
if vDescription == "False":
try:
sysemail.sendEmail(vfilename, "system", "MISSINGTEMPLATE")
logger.error("No user id or workstation name present in the ArcSight case. Workstation Name: " + vWorkstationName + ", User Name: " + vUserId)
except:
logger.error("****** Error sending out system notification email showing failure in ServiceNow Incident creation because of missing template information. ******")
try:
os.remove(vfilename)
except:
logger.error("Error removing ArcSight export file.")
sys.exit("No user id or workstation name present in the ArcSight case. Workstation Name: " + vWorkstationName + ", User Name: " + vUserId)
#Send email notification to user
if vattackProtocol == "0":
templateid = "scan"
elif vattackProtocol == "1":
templateid = "reimage"
elif vattackProtocol == "2" or vattackProtocol == "3":
templateid = "softwareremoval"
else:
templateid = "scan"
vSoftwareName = Files2Proc.readSoftwareName(vfilename)
vASCaseId = Files2Proc.readASCaseId(vfilename)
logger.debug("Userid from file: " + vUserId)
logger.debug("Workstation Name from file: " + vWorkstationName)
logger.debug("Software Name from file: " + vSoftwareName)
logger.debug("ArcSight Case ID from file: " + vASCaseId)
logger.debug("Template ticket info, assigned group: " + vAssignedGroup)
logger.debug("Template ticket info, title: " + vTitle)
logger.info("Template found. Assigned group: " + vAssignedGroup)
if (vattackProtocol == "0" or vattackProtocol == "1") and vAssignedGroup != "False" and vAssignedGroup != "False" and vAssignedGroup != "False":
vDescClean = vDescription % (vWorkstationName, vASCaseId)
logger.info("Template ticket info, description: " + vDescClean)
elif (vattackProtocol == "2" or vattackProtocol == "3") and vAssignedGroup != "False" and vAssignedGroup != "False" and vAssignedGroup != "False":
logger.info("Template ticket info, description: " + vDescription % (vWorkstationName, vSoftwareName, vASCaseId))
vDescClean = vDescription % (vWorkstationName, vSoftwareName, vASCaseId)
else:
logger.info("Something went wrong pulling all of the template fields: ")
logger.info("Template ticket info, assigned group: " + vAssignedGroup)
logger.info("Template ticket info, title: " + vTitle)
values = {'impact': '3', 'urgency': '2', 'priority': '2', 'category': 'High', 'location': 'XX-UNKNOWN', 'user': vUserId, 'assignment_group': vAssignedGroup, 'subcategory': 'DART', 'short_description': vTitle, 'description': vDescClean + "\r\n \r\n" + vReadCaseName, 'business_unit': 'Corporate'}
new_incident_sysid=TempLU.createSNOWIncident(values)
logger.info("****** Incident Created: " + repr(new_incident_sysid) + " *****")
vreg = "'number': '(.*)'"
logger.info(''.join(re.findall(vreg, repr(new_incident_sysid))))
try:
INCNum =''.join(re.findall(vreg, repr(new_incident_sysid)))
except:
INCNum = "False"
logger.info(repr(new_incident_sysid))
sysemail.sendEmail(vUserId, templateid, INCNum)
return INCNum