def createIncident(self, vfilename):
        """Create a ServiceNow incident from an ArcSight case export file.

        vfilename is handed to the arcsightIOInterface readers to pull the
        attack protocol, user id, host name, case name, software name and
        ArcSight case id. The intended return value is the incident number
        parsed from the createSNOWIncident() response.

        NOTE(review): as written the method returns the fixed string
        "INC123456" right after its imports, so none of the logic below
        runs and no ticket is created.
        """
        import logging
        import datetime
        import arcsightIOInterface
        import re
        import sys
        import os
        import emailout

        # NOTE(review): unconditional placeholder return. Every caller gets the
        # same made-up incident number and everything below is unreachable.
        # Looks like a test stub; confirm it is not deployed, since cases would
        # appear ticketed while nothing reaches ServiceNow.
        return "INC123456"
        logger = logging.getLogger('serviceNowInterface')
        today = datetime.datetime.today()
        Files2Proc = arcsightIOInterface.arcsightInterface()
        vattackProtocol = Files2Proc.readAttackProtocol(vfilename)
        TempLU = serviceNowInterface()
        sysemail = emailout.emailout()

        logger.info("File Recommended Action (used for templates): " + vattackProtocol)
        vAssignedGroup = TempLU.getTemplateInfo(vattackProtocol, "assignedgroup")
        vDescription = TempLU.getTemplateInfo(vattackProtocol, "description")
        vTitle = TempLU.getTemplateInfo(vattackProtocol, "title")
        vUserId = Files2Proc.readUserId(vfilename)
        vWorkstationName = Files2Proc.readHostName(vfilename)
        vReadCaseName = Files2Proc.readCaseName(vfilename)

        # Missing user id or workstation: notify the team, delete the export
        # file and stop. The readers apparently report a missing field as the
        # string "False" (verify against arcsightIOInterface).
        if vUserId == "False" or vWorkstationName == "False":
            # The user id is blanked even when only the workstation was
            # missing, so the messages below always show an empty user name.
            vUserId = ""
            try:
                sysemail.sendEmail(vfilename, "system", "NOUSERORWORKSTATION")
                logger.error("No user id or workstation name present in the ArcSight case.  Workstation Name: " + vWorkstationName + ", User Name: " + vUserId)
            # Bare except: the cause is not logged, and SystemExit and
            # KeyboardInterrupt are caught as well.
            except:
                logger.error("****** Error sending out system notification email showing failure in ServiceNow Incident creation because of missing workstation or user information. ******")
            try:
                # The export file is deleted on this failure path, so the
                # rejected case data is no longer on disk for later triage.
                os.remove(vfilename)
            except:
                logger.error("Error removing ArcSight export file.")
            # sys.exit raises SystemExit from inside a method; the whole
            # process ends unless a caller catches it.
            sys.exit("No user id or workstation name present in the ArcSight case.  Workstation Name: " + vWorkstationName + ", User Name: " + vUserId)

        # No description template for this attack protocol: notify the team,
        # delete the export file and stop.
        if vDescription == "False":
            try:
                sysemail.sendEmail(vfilename, "system", "MISSINGTEMPLATE")
                # NOTE(review): this log text and the exit text below are the
                # "no user id or workstation" wording copied from the branch
                # above, although this branch handles a missing template; the
                # log will mislead whoever triages the failure.
                logger.error("No user id or workstation name present in the ArcSight case.  Workstation Name: " + vWorkstationName + ", User Name: " + vUserId)
            except:
                logger.error("****** Error sending out system notification email showing failure in ServiceNow Incident creation because of missing template information. ******")
            try:
                os.remove(vfilename)
            except:
                logger.error("Error removing ArcSight export file.")
            sys.exit("No user id or workstation name present in the ArcSight case.  Workstation Name: " + vWorkstationName + ", User Name: " + vUserId)

        # Choose the user e-mail template from the attack protocol code;
        # unknown codes fall back to "scan".
        if vattackProtocol == "0":
            templateid = "scan"
        elif vattackProtocol == "1":
            templateid = "reimage"
        elif vattackProtocol == "2" or vattackProtocol == "3":
            templateid = "softwareremoval"
        else:
            templateid = "scan"

        vSoftwareName = Files2Proc.readSoftwareName(vfilename)
        vASCaseId = Files2Proc.readASCaseId(vfilename)

        logger.debug("Userid from file: " + vUserId)
        logger.debug("Workstation Name from file: " + vWorkstationName)
        logger.debug("Software Name from file: " + vSoftwareName)
        logger.debug("ArcSight Case ID from file: " + vASCaseId)
        logger.debug("Template ticket info, assigned group: " + vAssignedGroup)
        logger.debug("Template ticket info, title: " + vTitle)
        logger.info("Template found.  Assigned group: " + vAssignedGroup)

        # NOTE(review): both conditions test vAssignedGroup three times;
        # presumably vTitle and vDescription were meant to be checked too.
        # The % formatting raises TypeError if the template's placeholder
        # count differs from the tuple (two values here, three below).
        if (vattackProtocol == "0" or vattackProtocol == "1") and vAssignedGroup != "False" and vAssignedGroup != "False" and vAssignedGroup != "False":
            vDescClean = vDescription % (vWorkstationName, vASCaseId)
            logger.info("Template ticket info, description: " + vDescClean)
        elif (vattackProtocol == "2" or vattackProtocol == "3") and vAssignedGroup != "False" and vAssignedGroup != "False" and vAssignedGroup != "False":
            logger.info("Template ticket info, description: " + vDescription % (vWorkstationName, vSoftwareName, vASCaseId))
            vDescClean = vDescription % (vWorkstationName, vSoftwareName, vASCaseId)
        else:
            # NOTE(review): vDescClean is never assigned on this path, so
            # building `values` below raises UnboundLocalError instead of
            # reporting the template problem.
            logger.info("Something went wrong pulling all of the template fields: ")
            logger.info("Template ticket info, assigned group: " + vAssignedGroup)
            logger.info("Template ticket info, title: " + vTitle)

        # Ticket fields: impact, urgency, priority, category and location are
        # fixed; the user, group, title and description come from the case
        # file and the template lookup.
        values = {'impact': '3', 'urgency': '2', 'priority': '2', 'category': 'High', 'location': 'XX-UNKNOWN', 'user': vUserId, 'assignment_group': vAssignedGroup, 'subcategory': 'DART', 'short_description': vTitle, 'description': vDescClean + "\r\n \r\n" + vReadCaseName, 'business_unit': 'Corporate'}
        new_incident_sysid=TempLU.createSNOWIncident(values)
        logger.info("****** Incident Created: " + repr(new_incident_sysid) + " *****")
        # The incident number is scraped from the repr() of the response. The
        # capture is greedy, so if the repr holds further quoted fields after
        # 'number' the match runs on to the last quote.
        vreg = "'number': '(.*)'"
        logger.info(''.join(re.findall(vreg, repr(new_incident_sysid))))
        try:
            # The same expression already ran unguarded on the line above, so
            # this except can hardly fire; when nothing matches INCNum is ""
            # rather than "False".
            INCNum =''.join(re.findall(vreg, repr(new_incident_sysid)))
        except:
            INCNum = "False"
            logger.info(repr(new_incident_sysid))
        # Tell the affected user which incident was opened.
        sysemail.sendEmail(vUserId, templateid, INCNum)
        return INCNum
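    def sendEmail(self, vuserIdorEmail, templatetype, incidentnum):
        """Build one notification e-mail and pass it to the local SMTP server.

        When templatetype is "system", incidentnum selects a plain-text notice
        for the team mailbox (NOUSERORWORKSTATION, MISSINGTEMPLATE,
        ERRORCREATINC, ClosedTicket, ClosedTicketCancelled). vuserIdorEmail is
        then passed to readASCaseId(): unchanged for the first three notices,
        and as template folder + value + ".xml" for the two Closed* notices,
        whose text treats the value as the ServiceNow incident number.

        For any other templatetype, the subject comes from getTemplateInfo()
        plus incidentnum, and the body is the HTML file named after
        templatetype. vuserIdorEmail is a full address or a bare user id.

        Returns "False" for an unknown system notice, otherwise None.
        Delivery failures are logged with their traceback and not raised.
        """
        import smtplib
        import logging
        import arcsightIOInterface
        from email.mime.text import MIMEText
        Files2Proc = arcsightIOInterface.arcsightInterface()

        logger = logging.getLogger('serviceNowInterface')
        emailInt = emailout()
        SMTPServerName = "localhost"
        vfrom = "DL-DARTAnalysis@[Company].com"
        varTemplateFolder = "/opt/arcsight/manager/archive/template/"

        if templatetype == "system":
            # NOTE(review): the case id read from the export file, and for the
            # Closed* notices vuserIdorEmail itself, go into the subject, body
            # and file path without validation in this method. Callers should
            # pass only values already checked against the expected format.
            if incidentnum == "NOUSERORWORKSTATION":
                vCaseId = Files2Proc.readASCaseId(vuserIdorEmail)
                vsubject = "Attempt to Export ArcSight and Create SystemNow Ticket Failed"
                vbody = "There was a problem processing the ServiceNow incident for ArcSight CaseId: " + vCaseId + ".  \r\n \r\n The case was missing the workstation name or the the userid.  Please correct and re-export the case."
            elif incidentnum == "MISSINGTEMPLATE":
                vCaseId = Files2Proc.readASCaseId(vuserIdorEmail)
                vsubject = "Attempt to Export ArcSight and Create SystemNow Ticket Failed"
                vbody = "There was a problem processing the ServiceNow incident for ArcSight CaseId: " + vCaseId + ".  \r\n \r\n The case was missing the template information in the Recommended Action field in the case.  Please correct and re-export the case."
            elif incidentnum == "ERRORCREATINC":
                vCaseId = Files2Proc.readASCaseId(vuserIdorEmail)
                vsubject = "Attempt to Export ArcSight and Create SystemNow Ticket Failed"
                vbody = "There was a problem processing the ServiceNow incident for ArcSight CaseId: " + vCaseId + ".  \r\n \r\n Please review information in the case for any errors.  Please reference the error log for the ArcSight-ServiceNow Integration module for more information on the error."
            elif incidentnum == "ClosedTicket":
                vCaseId = Files2Proc.readASCaseId(varTemplateFolder + vuserIdorEmail + ".xml")
                vsubject = "ServiceNow Ticket Associated to ArcSight Case has been Closed"
                vbody = "A ticket associated to ArcSight Case Id: " + vCaseId + " has been closed.  The service now incident number is: " + vuserIdorEmail + ".  The information logged in the ServiceNow resolution field is logged in the ArcSight Case.\r\n \r\n Please review information in the case for any errors."
            elif incidentnum == "ClosedTicketCancelled":
                vCaseId = Files2Proc.readASCaseId(varTemplateFolder + vuserIdorEmail + ".xml")
                vsubject = "ServiceNow Ticket Associated to ArcSight Case has been Closed with a Cancelled Status"
                vbody = "A ticket associated to ArcSight Case Id: " + vCaseId + " has been closed with a Cancel Status.  The service now incident number is: " + vuserIdorEmail + ".  The information logged in the ServiceNow resolution field is logged in the ArcSight Case.\r\n \r\n Please review information in the case for any errors."
            else:
                return "False"
            # Every system notice is plain text addressed to the team mailbox.
            vemail = vfrom
            msg = MIMEText(vbody)
        else:
            # A bare user id is completed with the company mail domain.
            vemail = ""
            if "@" in vuserIdorEmail:
                vemail = vuserIdorEmail
            elif vuserIdorEmail != "":
                vemail = vuserIdorEmail + "@[Company].com"

            vsubject = emailInt.getTemplateInfo(templatetype, "subject") + incidentnum
            # Looked up as before but unused: the body is read from the HTML
            # template file below.
            vbody = emailInt.getTemplateInfo(templatetype, "body")

            # The with-block closes the template file even if reading fails.
            # NOTE(review): templatetype is concatenated into the path as-is;
            # it should only ever be one of the known template names. The
            # file is read as bytes, which Python 3's MIMEText rejects.
            # Presumably written for Python 2; confirm.
            with open("/opt/arcsight/manager/archive/template/emailtemplates/" + templatetype + ".html", 'rb') as fp:
                msg = MIMEText(fp.read(), 'html')

        msg['Subject'] = vsubject
        msg['From'] = vfrom
        # NOTE(review): this assignment discards the recipient chosen above, so
        # every message, including user notifications, goes to this single
        # address. It looks like a test override; confirm before relying on
        # these notifications.
        vemail = "duy.tran@[Company].com"
        msg['To'] = vemail
        try:
            s = smtplib.SMTP(SMTPServerName)
        except Exception:
            # Still best-effort, but the cause now lands in the log.
            logger.exception("Error sending out email.")
            return
        try:
            s.sendmail(vfrom, [vemail], msg.as_string())
            s.quit()
        except Exception:
            logger.exception("Error sending out email.")
            # Drop the connection instead of leaking it after a failed send.
            s.close()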
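    def sendEmail(self, vuserIdorEmail, templatetype, incidentnum):
        """Compose a notification e-mail and submit it to the SMTP server on localhost.

        templatetype "system" produces a plain-text notice to the team mailbox;
        incidentnum picks which one (NOUSERORWORKSTATION, MISSINGTEMPLATE,
        ERRORCREATINC, ClosedTicket, ClosedTicketCancelled). In that mode
        vuserIdorEmail is what readASCaseId() is pointed at: the value itself
        for the first three notices, and template folder + value + ".xml" for
        the Closed* notices, where the text presents it as the ServiceNow
        incident number.

        Any other templatetype sends the HTML template of that name, with the
        subject from getTemplateInfo() followed by incidentnum; vuserIdorEmail
        is then a full address or a bare user id.

        Returns "False" when the system notice is unknown, otherwise None.
        A failed delivery is logged with its traceback and never raised.
        """
        import smtplib
        import logging
        import arcsightIOInterface
        from email.mime.text import MIMEText
        Files2Proc = arcsightIOInterface.arcsightInterface()

        logger = logging.getLogger('serviceNowInterface')
        emailInt = emailout()
        SMTPServerName = "localhost"
        vfrom = "DL-DARTAnalysis@[Company].com"
        varTemplateFolder = "/opt/arcsight/manager/archive/template/"

        if templatetype == "system":
            # NOTE(review): nothing in this method validates the case id or,
            # for the Closed* notices, vuserIdorEmail before they reach the
            # subject, the body and a file path. Callers should restrict them
            # to the expected identifier format.
            if incidentnum == "NOUSERORWORKSTATION":
                vCaseId = Files2Proc.readASCaseId(vuserIdorEmail)
                vsubject = "Attempt to Export ArcSight and Create SystemNow Ticket Failed"
                vbody = "There was a problem processing the ServiceNow incident for ArcSight CaseId: " + vCaseId + ".  \r\n \r\n The case was missing the workstation name or the the userid.  Please correct and re-export the case."
            elif incidentnum == "MISSINGTEMPLATE":
                vCaseId = Files2Proc.readASCaseId(vuserIdorEmail)
                vsubject = "Attempt to Export ArcSight and Create SystemNow Ticket Failed"
                vbody = "There was a problem processing the ServiceNow incident for ArcSight CaseId: " + vCaseId + ".  \r\n \r\n The case was missing the template information in the Recommended Action field in the case.  Please correct and re-export the case."
            elif incidentnum == "ERRORCREATINC":
                vCaseId = Files2Proc.readASCaseId(vuserIdorEmail)
                vsubject = "Attempt to Export ArcSight and Create SystemNow Ticket Failed"
                vbody = "There was a problem processing the ServiceNow incident for ArcSight CaseId: " + vCaseId + ".  \r\n \r\n Please review information in the case for any errors.  Please reference the error log for the ArcSight-ServiceNow Integration module for more information on the error."
            elif incidentnum == "ClosedTicket":
                vCaseId = Files2Proc.readASCaseId(varTemplateFolder + vuserIdorEmail + ".xml")
                vsubject = "ServiceNow Ticket Associated to ArcSight Case has been Closed"
                vbody = "A ticket associated to ArcSight Case Id: " + vCaseId + " has been closed.  The service now incident number is: " + vuserIdorEmail + ".  The information logged in the ServiceNow resolution field is logged in the ArcSight Case.\r\n \r\n Please review information in the case for any errors."
            elif incidentnum == "ClosedTicketCancelled":
                vCaseId = Files2Proc.readASCaseId(varTemplateFolder + vuserIdorEmail + ".xml")
                vsubject = "ServiceNow Ticket Associated to ArcSight Case has been Closed with a Cancelled Status"
                vbody = "A ticket associated to ArcSight Case Id: " + vCaseId + " has been closed with a Cancel Status.  The service now incident number is: " + vuserIdorEmail + ".  The information logged in the ServiceNow resolution field is logged in the ArcSight Case.\r\n \r\n Please review information in the case for any errors."
            else:
                return "False"
            # All system notices share the recipient and the plain-text body.
            vemail = vfrom
            msg = MIMEText(vbody)
        else:
            # Accept a full address, or append the company domain to a user id.
            vemail = ""
            if "@" in vuserIdorEmail:
                vemail = vuserIdorEmail
            elif vuserIdorEmail != "":
                vemail = vuserIdorEmail + "@[Company].com"

            vsubject = emailInt.getTemplateInfo(templatetype, "subject") + incidentnum
            # Kept from the original; the value is not used because the body
            # comes from the HTML template file.
            vbody = emailInt.getTemplateInfo(templatetype, "body")

            # Context manager so the template file handle is always released.
            # NOTE(review): the path is built by concatenating templatetype;
            # keep it to the fixed set of template names. Reading bytes into
            # MIMEText fails on Python 3. Presumably Python 2 code; confirm.
            with open("/opt/arcsight/manager/archive/template/emailtemplates/" + templatetype + ".html", 'rb') as fp:
                msg = MIMEText(fp.read(), 'html')

        msg['Subject'] = vsubject
        msg['From'] = vfrom
        # NOTE(review): the recipient worked out above is overwritten here, so
        # all mail (team notices and user notifications alike) is delivered
        # to one fixed address. Looks like a leftover test override; confirm.
        vemail = "duy.tran@[Company].com"
        msg['To'] = vemail
        try:
            s = smtplib.SMTP(SMTPServerName)
        except Exception:
            # Sending stays best-effort; the traceback is kept for diagnosis.
            logger.exception("Error sending out email.")
            return
        try:
            s.sendmail(vfrom, [vemail], msg.as_string())
            s.quit()
        except Exception:
            logger.exception("Error sending out email.")
            # Close the socket so a failed send does not leak the connection.
            s.close()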
import serviceNowInterface
import csv
import os
import logging
import shutil
import emailout

# Start of the CSV import script: set up configuration, logging, working paths
# and helper objects, then walk the ServiceNow export row by row. The listing
# stops inside the column loop.
# NOTE(review): serviceNowConfig (here) and arcsightIOInterface (below) are
# used but are not among the imports shown above; unless they are imported
# elsewhere these lines raise NameError.
serviceNowConfig.ClientConfig("CSVImport")
logger = logging.getLogger('serviceNowInterface')
logger.info("Started CSV Import")

# Fixed locations of the ServiceNow CSV export and the ArcSight archive folders.
varCSVFileName = "/opt/arcsight/snow/serviceNowModule/Working/incident_with_close_notes.csv"
varImportFolder = "/opt/arcsight/manager/archive/imports/"
varTemplateFolder = "/opt/arcsight/manager/archive/template/"
varClosedTicketFolder = "/opt/arcsight/manager/archive/template/closed"
Files2Proc = arcsightIOInterface.arcsightInterface()
ServiceNowProc = serviceNowInterface.serviceNowInterface()
sysemail = emailout.emailout()


#try:
# The file is opened without a with-block and no close() appears in the
# visible part, so the handle stays open if a later step raises.
vCSVFile = open(varCSVFileName)
csvreader = csv.reader(vCSVFile)
vClosedDescription = ""
count, rcount, vStatus, vIncidentNum = 0, 0,  "", ""
for row in csvreader:
    rcount += 1
    # Reset the per-row fields before reading this row's columns.
    count, vStatus, vIncidentNum, vSubStatus= 0, "", "", ""
    for column in row:
        if count == 0:
            # First column is taken as the incident number.
            # NOTE(review): the value comes straight from the CSV. If it is
            # later used to build file paths (the Closed* notices in
            # emailout.sendEmail appear to do so), check it against the
            # expected incident-number format first.
            vIncidentNum = column
    def createIncident(self, vfilename):
        """Create a ServiceNow incident from an ArcSight case export file.

        vfilename is passed to the arcsightIOInterface readers, which supply
        the attack protocol, user id, host name, case name, software name and
        ArcSight case id. The method is meant to return the incident number
        extracted from the createSNOWIncident() response.

        NOTE(review): in its current form it returns the constant "INC123456"
        straight after the imports; the rest of the body never executes and
        no ticket is opened.
        """
        import logging
        import datetime
        import arcsightIOInterface
        import re
        import sys
        import os
        import emailout

        # NOTE(review): hard-coded placeholder return. All callers receive the
        # same fabricated incident number and the code below is unreachable.
        # Probably a test stub; confirm it is not what runs in production,
        # because cases would look ticketed with nothing sent to ServiceNow.
        return "INC123456"
        logger = logging.getLogger('serviceNowInterface')
        today = datetime.datetime.today()
        Files2Proc = arcsightIOInterface.arcsightInterface()
        vattackProtocol = Files2Proc.readAttackProtocol(vfilename)
        TempLU = serviceNowInterface()
        sysemail = emailout.emailout()

        logger.info("File Recommended Action (used for templates): " +
                    vattackProtocol)
        vAssignedGroup = TempLU.getTemplateInfo(vattackProtocol,
                                                "assignedgroup")
        vDescription = TempLU.getTemplateInfo(vattackProtocol, "description")
        vTitle = TempLU.getTemplateInfo(vattackProtocol, "title")
        vUserId = Files2Proc.readUserId(vfilename)
        vWorkstationName = Files2Proc.readHostName(vfilename)
        vReadCaseName = Files2Proc.readCaseName(vfilename)

        # User id or workstation missing from the case: e-mail the team,
        # remove the export file and terminate. A missing field apparently
        # comes back as the string "False" (verify in arcsightIOInterface).
        if vUserId == "False" or vWorkstationName == "False":
            # Blanked unconditionally, so the messages below report an empty
            # user name even if only the workstation was absent.
            vUserId = ""
            try:
                sysemail.sendEmail(vfilename, "system", "NOUSERORWORKSTATION")
                logger.error(
                    "No user id or workstation name present in the ArcSight case.  Workstation Name: "
                    + vWorkstationName + ", User Name: " + vUserId)
            # Bare except: hides the underlying error and also traps
            # SystemExit and KeyboardInterrupt.
            except:
                logger.error(
                    "****** Error sending out system notification email showing failure in ServiceNow Incident creation because of missing workstation or user information. ******"
                )
            try:
                # Deleting the export here removes the rejected case data
                # from disk, leaving nothing to inspect afterwards.
                os.remove(vfilename)
            except:
                logger.error("Error removing ArcSight export file.")
            # SystemExit raised from within a method ends the whole process
            # unless some caller catches it.
            sys.exit(
                "No user id or workstation name present in the ArcSight case.  Workstation Name: "
                + vWorkstationName + ", User Name: " + vUserId)

        # Description template not found for this attack protocol: e-mail the
        # team, remove the export file and terminate.
        if vDescription == "False":
            try:
                sysemail.sendEmail(vfilename, "system", "MISSINGTEMPLATE")
                # NOTE(review): the text logged here and passed to sys.exit
                # below still says "no user id or workstation", copied from
                # the previous branch, although the failure is a missing
                # template; this will confuse triage.
                logger.error(
                    "No user id or workstation name present in the ArcSight case.  Workstation Name: "
                    + vWorkstationName + ", User Name: " + vUserId)
            except:
                logger.error(
                    "****** Error sending out system notification email showing failure in ServiceNow Incident creation because of missing template information. ******"
                )
            try:
                os.remove(vfilename)
            except:
                logger.error("Error removing ArcSight export file.")
            sys.exit(
                "No user id or workstation name present in the ArcSight case.  Workstation Name: "
                + vWorkstationName + ", User Name: " + vUserId)

        # Map the attack protocol code to the user e-mail template; anything
        # unrecognised uses "scan".
        if vattackProtocol == "0":
            templateid = "scan"
        elif vattackProtocol == "1":
            templateid = "reimage"
        elif vattackProtocol == "2" or vattackProtocol == "3":
            templateid = "softwareremoval"
        else:
            templateid = "scan"

        vSoftwareName = Files2Proc.readSoftwareName(vfilename)
        vASCaseId = Files2Proc.readASCaseId(vfilename)

        logger.debug("Userid from file: " + vUserId)
        logger.debug("Workstation Name from file: " + vWorkstationName)
        logger.debug("Software Name from file: " + vSoftwareName)
        logger.debug("ArcSight Case ID from file: " + vASCaseId)
        logger.debug("Template ticket info, assigned group: " + vAssignedGroup)
        logger.debug("Template ticket info, title: " + vTitle)
        logger.info("Template found.  Assigned group: " + vAssignedGroup)

        # NOTE(review): vAssignedGroup is compared three times in each
        # condition; vTitle and vDescription were presumably intended as
        # well. The % operator raises TypeError when the template holds a
        # different number of placeholders than the tuple (two values in the
        # first branch, three in the second).
        if (
                vattackProtocol == "0" or vattackProtocol == "1"
        ) and vAssignedGroup != "False" and vAssignedGroup != "False" and vAssignedGroup != "False":
            vDescClean = vDescription % (vWorkstationName, vASCaseId)
            logger.info("Template ticket info, description: " + vDescClean)
        elif (
                vattackProtocol == "2" or vattackProtocol == "3"
        ) and vAssignedGroup != "False" and vAssignedGroup != "False" and vAssignedGroup != "False":
            logger.info("Template ticket info, description: " + vDescription %
                        (vWorkstationName, vSoftwareName, vASCaseId))
            vDescClean = vDescription % (vWorkstationName, vSoftwareName,
                                         vASCaseId)
        else:
            # NOTE(review): vDescClean stays unassigned here, so the `values`
            # dict below fails with UnboundLocalError rather than reporting
            # the template problem.
            logger.info(
                "Something went wrong pulling all of the template fields: ")
            logger.info("Template ticket info, assigned group: " +
                        vAssignedGroup)
            logger.info("Template ticket info, title: " + vTitle)

        # Incident payload: impact, urgency, priority, category and location
        # are constants; user, group, title and description are taken from
        # the case file and the template lookup.
        values = {
            'impact': '3',
            'urgency': '2',
            'priority': '2',
            'category': 'High',
            'location': 'XX-UNKNOWN',
            'user': vUserId,
            'assignment_group': vAssignedGroup,
            'subcategory': 'DART',
            'short_description': vTitle,
            'description': vDescClean + "\r\n \r\n" + vReadCaseName,
            'business_unit': 'Corporate'
        }
        new_incident_sysid = TempLU.createSNOWIncident(values)
        logger.info("****** Incident Created: " + repr(new_incident_sysid) +
                    " *****")
        # The number is pulled out of the repr() of the response with a
        # greedy capture; if other quoted fields follow 'number' in that
        # repr, the match extends to the last quote.
        vreg = "'number': '(.*)'"
        logger.info(''.join(re.findall(vreg, repr(new_incident_sysid))))
        try:
            # This expression was already evaluated unguarded just above, so
            # the except is effectively dead; with no match INCNum becomes ""
            # instead of "False".
            INCNum = ''.join(re.findall(vreg, repr(new_incident_sysid)))
        except:
            INCNum = "False"
            logger.info(repr(new_incident_sysid))
        # Notify the affected user of the incident that was opened.
        sysemail.sendEmail(vUserId, templateid, INCNum)
        return INCNum