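def createIncident(self, vfilename):
    """Create a ServiceNow incident from an exported ArcSight case file.

    Reads the recommended action, user id, host name, case name, software
    name and case id from ``vfilename``, fills the matching ticket template,
    submits it with ``createSNOWIncident`` and e-mails the affected user.
    Values read from the export are written to the log and to the ticket
    unchanged.

    Args:
        vfilename: Path of the ArcSight case export to process.

    Returns:
        The incident number parsed from the ServiceNow response, or an empty
        string when the response holds no number. While the stub below is in
        place the function always returns ``"INC123456"``.

    Raises:
        SystemExit: after a system notice is sent, when the case lacks a user
            id or workstation name, when no template description is found,
            or when the template fields are incomplete.
    """
    import logging
    import arcsightIOInterface
    import re
    import sys
    import os
    import emailout

    # NOTE(review): hard-coded stub. Every caller receives a fixed incident
    # number and nothing below runs, so no ticket is created and no user is
    # notified. Confirm this is test-only and remove it before production use.
    return "INC123456"

    logger = logging.getLogger('serviceNowInterface')
    Files2Proc = arcsightIOInterface.arcsightInterface()
    vattackProtocol = Files2Proc.readAttackProtocol(vfilename)
    TempLU = serviceNowInterface()
    sysemail = emailout.emailout()

    def _abort(notice, reason, message, remove_export):
        """Log *message*, send the system notice, optionally delete the export, exit."""
        logger.error(message)
        try:
            sysemail.sendEmail(vfilename, "system", notice)
        except Exception:
            # Narrower than a bare except so SystemExit/KeyboardInterrupt
            # are not swallowed here.
            logger.error("****** Error sending out system notification email showing failure in ServiceNow Incident creation because of " + reason + ". ******")
        if remove_export:
            try:
                os.remove(vfilename)
            except OSError:
                logger.error("Error removing ArcSight export file.")
        sys.exit(message)

    logger.info("File Recommended Action (used for templates): " + vattackProtocol)
    vAssignedGroup = TempLU.getTemplateInfo(vattackProtocol, "assignedgroup")
    vDescription = TempLU.getTemplateInfo(vattackProtocol, "description")
    vTitle = TempLU.getTemplateInfo(vattackProtocol, "title")
    vUserId = Files2Proc.readUserId(vfilename)
    vWorkstationName = Files2Proc.readHostName(vfilename)
    vReadCaseName = Files2Proc.readCaseName(vfilename)

    # The readers signal a missing field with the string "False".
    if vUserId == "False" or vWorkstationName == "False":
        vUserId = ""
        _abort(
            "NOUSERORWORKSTATION",
            "missing workstation or user information",
            "No user id or workstation name present in the ArcSight case. Workstation Name: " + vWorkstationName + ", User Name: " + vUserId,
            True,
        )

    # An empty or unknown Recommended Action yields no template description.
    # The message names the template problem; it previously repeated the
    # user/workstation text from the branch above.
    if vDescription == "False":
        _abort(
            "MISSINGTEMPLATE",
            "missing template information",
            "No ticket template found for the Recommended Action in the ArcSight case. Recommended Action: " + vattackProtocol,
            True,
        )

    # E-mail template sent to the user; unknown actions fall back to "scan".
    templateid = {
        "0": "scan",
        "1": "reimage",
        "2": "softwareremoval",
        "3": "softwareremoval",
    }.get(vattackProtocol, "scan")

    vSoftwareName = Files2Proc.readSoftwareName(vfilename)
    vASCaseId = Files2Proc.readASCaseId(vfilename)
    logger.debug("Userid from file: " + vUserId)
    logger.debug("Workstation Name from file: " + vWorkstationName)
    logger.debug("Software Name from file: " + vSoftwareName)
    logger.debug("ArcSight Case ID from file: " + vASCaseId)
    logger.debug("Template ticket info, assigned group: " + vAssignedGroup)
    logger.debug("Template ticket info, title: " + vTitle)
    logger.info("Template found. Assigned group: " + vAssignedGroup)

    groupFound = vAssignedGroup != "False"
    if vattackProtocol in ("0", "1") and groupFound:
        vDescClean = vDescription % (vWorkstationName, vASCaseId)
        logger.info("Template ticket info, description: " + vDescClean)
    elif vattackProtocol in ("2", "3") and groupFound:
        vDescClean = vDescription % (vWorkstationName, vSoftwareName, vASCaseId)
        logger.info("Template ticket info, description: " + vDescClean)
    else:
        logger.info("Something went wrong pulling all of the template fields: ")
        logger.info("Template ticket info, assigned group: " + vAssignedGroup)
        logger.info("Template ticket info, title: " + vTitle)
        # Without a description the ticket cannot be built; stop here rather
        # than fail later on an unbound vDescClean. The export file is kept.
        _abort(
            "ERRORCREATINC",
            "an incomplete ticket template",
            "Ticket template fields incomplete for Recommended Action: " + vattackProtocol,
            False,
        )

    values = {
        'impact': '3',
        'urgency': '2',
        'priority': '2',
        'category': 'High',
        'location': 'XX-UNKNOWN',
        'user': vUserId,
        'assignment_group': vAssignedGroup,
        'subcategory': 'DART',
        'short_description': vTitle,
        'description': vDescClean + "\r\n \r\n" + vReadCaseName,
        'business_unit': 'Corporate',
    }
    new_incident_sysid = TempLU.createSNOWIncident(values)
    logger.info("****** Incident Created: " + repr(new_incident_sysid) + " *****")

    # Stop at the closing quote so fields that follow 'number' in the
    # response repr are not captured along with the incident number.
    vreg = "'number': '([^']*)'"
    INCNum = ''.join(re.findall(vreg, repr(new_incident_sysid)))
    logger.info(INCNum)
    # NOTE(review): INCNum is "" when the response holds no number; the user
    # e-mail below is still sent in that case - confirm that is intended.
    logger.info(repr(new_incident_sysid))
    sysemail.sendEmail(vUserId, templateid, INCNum)
    return INCNum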
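def sendEmail(self, vuserIdorEmail, templatetype, incidentnum):
    """Send a system notice or a user notification through the local SMTP server.

    Args:
        vuserIdorEmail: For ``templatetype == "system"`` failure notices, the
            path of the ArcSight export file; for the closed-ticket notices,
            the ServiceNow incident number (used as a file name under the
            template folder); otherwise a user id or e-mail address.
        templatetype: ``"system"`` or the name of an HTML e-mail template.
        incidentnum: For system notices, the notice code; otherwise the
            incident number appended to the template subject.

    Returns:
        ``"False"`` when the system notice code is unknown or a file-name
        component contains a path separator; otherwise ``None``. SMTP
        failures are logged, not raised.
    """
    import os
    import smtplib
    import logging
    import arcsightIOInterface
    from email.mime.text import MIMEText

    Files2Proc = arcsightIOInterface.arcsightInterface()
    logger = logging.getLogger('serviceNowInterface')
    emailInt = emailout()
    SMTPServerName = "localhost"
    vfrom = "DL-DARTAnalysis@[Company].com"
    varTemplateFolder = "/opt/arcsight/manager/archive/template/"

    failedSubject = "Attempt to Export ArcSight and Create SystemNow Ticket Failed"
    failedDetail = {
        "NOUSERORWORKSTATION": ". \r\n \r\n The case was missing the workstation name or the the userid. Please correct and re-export the case.",
        "MISSINGTEMPLATE": ". \r\n \r\n The case was missing the template information in the Recommended Action field in the case. Please correct and re-export the case.",
        "ERRORCREATINC": ". \r\n \r\n Please review information in the case for any errors. Please reference the error log for the ArcSight-ServiceNow Integration module for more information on the error.",
    }
    closedNotice = {
        "ClosedTicket": (
            "ServiceNow Ticket Associated to ArcSight Case has been Closed",
            " has been closed. The service now incident number is: ",
        ),
        "ClosedTicketCancelled": (
            "ServiceNow Ticket Associated to ArcSight Case has been Closed with a Cancelled Status",
            " has been closed with a Cancel Status. The service now incident number is: ",
        ),
    }

    if templatetype == "system":
        if incidentnum in failedDetail:
            vCaseId = Files2Proc.readASCaseId(vuserIdorEmail)
            vsubject = failedSubject
            vbody = "There was a problem processing the ServiceNow incident for ArcSight CaseId: " + vCaseId + failedDetail[incidentnum]
        elif incidentnum in closedNotice:
            # The incident number becomes a file name; refuse anything that
            # would resolve outside the template folder.
            if os.path.basename(vuserIdorEmail) != vuserIdorEmail:
                logger.error("Rejected incident number containing a path separator: %r", vuserIdorEmail)
                return "False"
            vCaseId = Files2Proc.readASCaseId(varTemplateFolder + vuserIdorEmail + ".xml")
            vsubject, closedText = closedNotice[incidentnum]
            vbody = "A ticket associated to ArcSight Case Id: " + vCaseId + closedText + vuserIdorEmail + ". The information logged in the ServiceNow resolution field is logged in the ArcSight Case.\r\n \r\n Please review information in the case for any errors."
        else:
            return "False"
        vemail = vfrom
        msg = MIMEText(vbody)
    else:
        # The template name becomes a file name as well; same restriction.
        if os.path.basename(templatetype) != templatetype:
            logger.error("Rejected e-mail template name containing a path separator: %r", templatetype)
            return "False"
        if "@" in vuserIdorEmail:
            vemail = vuserIdorEmail
        elif vuserIdorEmail != "":
            vemail = vuserIdorEmail + "@[Company].com"
        else:
            vemail = ""
        # Pull Subject
        vsubject = emailInt.getTemplateInfo(templatetype, "subject") + incidentnum
        # NOTE(review): vbody is fetched but never used; the HTML file read
        # below is what gets sent.
        vbody = emailInt.getTemplateInfo(templatetype, "body")
        with open("/opt/arcsight/manager/archive/template/emailtemplates/" + templatetype + ".html", 'rb') as fp:
            msg = MIMEText(fp.read(), 'html')

    msg['Subject'] = vsubject
    msg['From'] = vfrom
    # NOTE(review): hard-coded recipient override. Every message, including
    # user notifications, goes to this one mailbox instead of the address
    # computed above. Looks like a test leftover - confirm and remove.
    vemail = "duy.tran@[Company].com"
    msg['To'] = vemail
    try:
        s = smtplib.SMTP(SMTPServerName)
        try:
            s.sendmail(vfrom, [vemail], msg.as_string())
        finally:
            # Close the connection even when sendmail fails.
            s.quit()
    except Exception:
        # Best effort: a mail failure must not stop the caller, but keep the
        # traceback in the log.
        logger.exception("Error sending out email.")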
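def sendEmail(self, vuserIdorEmail, templatetype, incidentnum):
    """Send a system notice or a user notification through the local SMTP server.

    Args:
        vuserIdorEmail: For ``templatetype == "system"`` failure notices, the
            path of the ArcSight export file; for the closed-ticket notices,
            the ServiceNow incident number (used as a file name under the
            template folder); otherwise a user id or e-mail address.
        templatetype: ``"system"`` or the name of an HTML e-mail template.
        incidentnum: For system notices, the notice code; otherwise the
            incident number appended to the template subject.

    Returns:
        ``"False"`` when the system notice code is unknown or a file-name
        component contains a path separator; otherwise ``None``. SMTP
        failures are logged, not raised.
    """
    import os
    import smtplib
    import logging
    import arcsightIOInterface
    from email.mime.text import MIMEText

    Files2Proc = arcsightIOInterface.arcsightInterface()
    logger = logging.getLogger('serviceNowInterface')
    emailInt = emailout()
    SMTPServerName = "localhost"
    vfrom = "DL-DARTAnalysis@[Company].com"
    varTemplateFolder = "/opt/arcsight/manager/archive/template/"

    failedSubject = "Attempt to Export ArcSight and Create SystemNow Ticket Failed"
    failedDetail = {
        "NOUSERORWORKSTATION": ". \r\n \r\n The case was missing the workstation name or the the userid. Please correct and re-export the case.",
        "MISSINGTEMPLATE": ". \r\n \r\n The case was missing the template information in the Recommended Action field in the case. Please correct and re-export the case.",
        "ERRORCREATINC": ". \r\n \r\n Please review information in the case for any errors. Please reference the error log for the ArcSight-ServiceNow Integration module for more information on the error.",
    }
    closedNotice = {
        "ClosedTicket": (
            "ServiceNow Ticket Associated to ArcSight Case has been Closed",
            " has been closed. The service now incident number is: ",
        ),
        "ClosedTicketCancelled": (
            "ServiceNow Ticket Associated to ArcSight Case has been Closed with a Cancelled Status",
            " has been closed with a Cancel Status. The service now incident number is: ",
        ),
    }

    if templatetype == "system":
        if incidentnum in failedDetail:
            vCaseId = Files2Proc.readASCaseId(vuserIdorEmail)
            vsubject = failedSubject
            vbody = "There was a problem processing the ServiceNow incident for ArcSight CaseId: " + vCaseId + failedDetail[incidentnum]
        elif incidentnum in closedNotice:
            # The incident number becomes a file name; refuse anything that
            # would resolve outside the template folder.
            if os.path.basename(vuserIdorEmail) != vuserIdorEmail:
                logger.error("Rejected incident number containing a path separator: %r", vuserIdorEmail)
                return "False"
            vCaseId = Files2Proc.readASCaseId(varTemplateFolder + vuserIdorEmail + ".xml")
            vsubject, closedText = closedNotice[incidentnum]
            vbody = "A ticket associated to ArcSight Case Id: " + vCaseId + closedText + vuserIdorEmail + ". The information logged in the ServiceNow resolution field is logged in the ArcSight Case.\r\n \r\n Please review information in the case for any errors."
        else:
            return "False"
        vemail = vfrom
        msg = MIMEText(vbody)
    else:
        # The template name becomes a file name as well; same restriction.
        if os.path.basename(templatetype) != templatetype:
            logger.error("Rejected e-mail template name containing a path separator: %r", templatetype)
            return "False"
        if "@" in vuserIdorEmail:
            vemail = vuserIdorEmail
        elif vuserIdorEmail != "":
            vemail = vuserIdorEmail + "@[Company].com"
        else:
            vemail = ""
        # Pull Subject
        vsubject = emailInt.getTemplateInfo(templatetype, "subject") + incidentnum
        # NOTE(review): vbody is fetched but never used; the HTML file read
        # below is what gets sent.
        vbody = emailInt.getTemplateInfo(templatetype, "body")
        with open("/opt/arcsight/manager/archive/template/emailtemplates/" + templatetype + ".html", 'rb') as fp:
            msg = MIMEText(fp.read(), 'html')

    msg['Subject'] = vsubject
    msg['From'] = vfrom
    # NOTE(review): hard-coded recipient override. Every message, including
    # user notifications, goes to this one mailbox instead of the address
    # computed above. Looks like a test leftover - confirm and remove.
    vemail = "duy.tran@[Company].com"
    msg['To'] = vemail
    try:
        s = smtplib.SMTP(SMTPServerName)
        try:
            s.sendmail(vfrom, [vemail], msg.as_string())
        finally:
            # Close the connection even when sendmail fails.
            s.quit()
    except Exception:
        # Best effort: a mail failure must not stop the caller, but keep the
        # traceback in the log.
        logger.exception("Error sending out email.")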
# Start of a script that walks a ServiceNow CSV export of incidents row by
# row. Only the opening of the row loop is visible in this listing.
import serviceNowInterface
import csv
import os
import logging
import shutil
import emailout

# NOTE(review): serviceNowConfig and arcsightIOInterface are used below but
# are not among the imports shown here - confirm they are imported elsewhere.
serviceNowConfig.ClientConfig("CSVImport")
logger = logging.getLogger('serviceNowInterface')
logger.info("Started CSV Import")

# Fixed locations of the CSV export and of the ArcSight archive folders.
varCSVFileName = "/opt/arcsight/snow/serviceNowModule/Working/incident_with_close_notes.csv"
varImportFolder = "/opt/arcsight/manager/archive/imports/"
varTemplateFolder = "/opt/arcsight/manager/archive/template/"
varClosedTicketFolder = "/opt/arcsight/manager/archive/template/closed"

Files2Proc = arcsightIOInterface.arcsightInterface()
ServiceNowProc = serviceNowInterface.serviceNowInterface()
sysemail = emailout.emailout()
#try:
# NOTE(review): the file is opened without a context manager and no close()
# appears in the visible lines - confirm it is closed further down.
vCSVFile = open(varCSVFileName)
csvreader = csv.reader(vCSVFile)
vClosedDescription = ""
count, rcount, vStatus, vIncidentNum = 0, 0, "", ""
for row in csvreader:
    # rcount counts rows; the per-row fields are reset before each row.
    rcount += 1
    count, vStatus, vIncidentNum, vSubStatus= 0, "", "", ""
    for column in row:
        # The first column is taken as the incident number, unvalidated.
        # NOTE(review): if this value later forms a file name, confirm it is
        # checked for path separators - the rest of the loop is not shown.
        if count == 0:
            vIncidentNum = column
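def createIncident(self, vfilename):
    """Create a ServiceNow incident from an exported ArcSight case file.

    Reads the recommended action, user id, host name, case name, software
    name and case id from ``vfilename``, fills the matching ticket template,
    submits it with ``createSNOWIncident`` and e-mails the affected user.
    Values read from the export are written to the log and to the ticket
    unchanged.

    Args:
        vfilename: Path of the ArcSight case export to process.

    Returns:
        The incident number parsed from the ServiceNow response, or an empty
        string when the response holds no number. While the stub below is in
        place the function always returns ``"INC123456"``.

    Raises:
        SystemExit: after a system notice is sent, when the case lacks a user
            id or workstation name, when no template description is found,
            or when the template fields are incomplete.
    """
    import logging
    import arcsightIOInterface
    import re
    import sys
    import os
    import emailout

    # NOTE(review): hard-coded stub. Every caller receives a fixed incident
    # number and nothing below runs, so no ticket is created and no user is
    # notified. Confirm this is test-only and remove it before production use.
    return "INC123456"

    logger = logging.getLogger('serviceNowInterface')
    Files2Proc = arcsightIOInterface.arcsightInterface()
    vattackProtocol = Files2Proc.readAttackProtocol(vfilename)
    TempLU = serviceNowInterface()
    sysemail = emailout.emailout()

    def _abort(notice, reason, message, remove_export):
        """Log *message*, send the system notice, optionally delete the export, exit."""
        logger.error(message)
        try:
            sysemail.sendEmail(vfilename, "system", notice)
        except Exception:
            # Narrower than a bare except so SystemExit/KeyboardInterrupt
            # are not swallowed here.
            logger.error("****** Error sending out system notification email showing failure in ServiceNow Incident creation because of " + reason + ". ******")
        if remove_export:
            try:
                os.remove(vfilename)
            except OSError:
                logger.error("Error removing ArcSight export file.")
        sys.exit(message)

    logger.info("File Recommended Action (used for templates): " + vattackProtocol)
    vAssignedGroup = TempLU.getTemplateInfo(vattackProtocol, "assignedgroup")
    vDescription = TempLU.getTemplateInfo(vattackProtocol, "description")
    vTitle = TempLU.getTemplateInfo(vattackProtocol, "title")
    vUserId = Files2Proc.readUserId(vfilename)
    vWorkstationName = Files2Proc.readHostName(vfilename)
    vReadCaseName = Files2Proc.readCaseName(vfilename)

    # The readers signal a missing field with the string "False".
    if vUserId == "False" or vWorkstationName == "False":
        vUserId = ""
        _abort(
            "NOUSERORWORKSTATION",
            "missing workstation or user information",
            "No user id or workstation name present in the ArcSight case. Workstation Name: " + vWorkstationName + ", User Name: " + vUserId,
            True,
        )

    # An empty or unknown Recommended Action yields no template description.
    # The message names the template problem; it previously repeated the
    # user/workstation text from the branch above.
    if vDescription == "False":
        _abort(
            "MISSINGTEMPLATE",
            "missing template information",
            "No ticket template found for the Recommended Action in the ArcSight case. Recommended Action: " + vattackProtocol,
            True,
        )

    # E-mail template sent to the user; unknown actions fall back to "scan".
    templateid = {
        "0": "scan",
        "1": "reimage",
        "2": "softwareremoval",
        "3": "softwareremoval",
    }.get(vattackProtocol, "scan")

    vSoftwareName = Files2Proc.readSoftwareName(vfilename)
    vASCaseId = Files2Proc.readASCaseId(vfilename)
    logger.debug("Userid from file: " + vUserId)
    logger.debug("Workstation Name from file: " + vWorkstationName)
    logger.debug("Software Name from file: " + vSoftwareName)
    logger.debug("ArcSight Case ID from file: " + vASCaseId)
    logger.debug("Template ticket info, assigned group: " + vAssignedGroup)
    logger.debug("Template ticket info, title: " + vTitle)
    logger.info("Template found. Assigned group: " + vAssignedGroup)

    groupFound = vAssignedGroup != "False"
    if vattackProtocol in ("0", "1") and groupFound:
        vDescClean = vDescription % (vWorkstationName, vASCaseId)
        logger.info("Template ticket info, description: " + vDescClean)
    elif vattackProtocol in ("2", "3") and groupFound:
        vDescClean = vDescription % (vWorkstationName, vSoftwareName, vASCaseId)
        logger.info("Template ticket info, description: " + vDescClean)
    else:
        logger.info("Something went wrong pulling all of the template fields: ")
        logger.info("Template ticket info, assigned group: " + vAssignedGroup)
        logger.info("Template ticket info, title: " + vTitle)
        # Without a description the ticket cannot be built; stop here rather
        # than fail later on an unbound vDescClean. The export file is kept.
        _abort(
            "ERRORCREATINC",
            "an incomplete ticket template",
            "Ticket template fields incomplete for Recommended Action: " + vattackProtocol,
            False,
        )

    values = {
        'impact': '3',
        'urgency': '2',
        'priority': '2',
        'category': 'High',
        'location': 'XX-UNKNOWN',
        'user': vUserId,
        'assignment_group': vAssignedGroup,
        'subcategory': 'DART',
        'short_description': vTitle,
        'description': vDescClean + "\r\n \r\n" + vReadCaseName,
        'business_unit': 'Corporate',
    }
    new_incident_sysid = TempLU.createSNOWIncident(values)
    logger.info("****** Incident Created: " + repr(new_incident_sysid) + " *****")

    # Stop at the closing quote so fields that follow 'number' in the
    # response repr are not captured along with the incident number.
    vreg = "'number': '([^']*)'"
    INCNum = ''.join(re.findall(vreg, repr(new_incident_sysid)))
    logger.info(INCNum)
    # NOTE(review): INCNum is "" when the response holds no number; the user
    # e-mail below is still sent in that case - confirm that is intended.
    logger.info(repr(new_incident_sysid))
    sysemail.sendEmail(vUserId, templateid, INCNum)
    return INCNum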