Exemplo n.º 1
import os
import logging
import shutil
import emailout

# Script set-up for the CSV import: load the "CSVImport" client
# configuration, obtain the shared 'serviceNowInterface' logger, and open the
# CSV file that the row loop below consumes.
# NOTE(review): serviceNowConfig, csv, arcsightIOInterface and
# serviceNowInterface are used here but are not among the import lines
# visible above; they must be imported for this script to run.
# NOTE(review): presumably ClientConfig() also configures logging, which
# would explain why it is called before getLogger() - confirm.
serviceNowConfig.ClientConfig("CSVImport")
logger = logging.getLogger('serviceNowInterface')
logger.info("Started CSV Import")

# Hard-coded absolute locations under /opt/arcsight. The script reads and
# acts on whatever is at these paths.
# NOTE(review): confirm that only the integration account can write to these
# directories, since the CSV contents drive ticket handling.
varCSVFileName = "/opt/arcsight/snow/serviceNowModule/Working/incident_with_close_notes.csv"
varImportFolder = "/opt/arcsight/manager/archive/imports/"
varTemplateFolder = "/opt/arcsight/manager/archive/template/"
varClosedTicketFolder = "/opt/arcsight/manager/archive/template/closed"
# Helper objects: ArcSight export-file reader, ServiceNow client, mail sender.
Files2Proc = arcsightIOInterface.arcsightInterface()
ServiceNowProc = serviceNowInterface.serviceNowInterface()
sysemail = emailout.emailout()


# NOTE(review): the surrounding "try:" is commented out, so a missing or
# unreadable CSV file makes open() raise and the script stops with an
# unhandled exception instead of a logged error.
#try:
# The handle is opened without a context manager and is not closed anywhere
# in the visible code; no encoding or newline argument is given either.
vCSVFile = open(varCSVFileName)
csvreader = csv.reader(vCSVFile)
vClosedDescription = ""
# rcount is incremented once per row and count is compared against column
# positions (0, 3) inside the loop that follows.
count, rcount, vStatus, vIncidentNum = 0, 0,  "", ""
for row in csvreader:
    rcount += 1
    count, vStatus, vIncidentNum, vSubStatus= 0, "", "", ""
    for column in row:
        if count == 0:
            vIncidentNum = column
            logger.debug(vIncidentNum)
        elif count == 3:
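    def createIncident(self, vfilename):
        """Create a ServiceNow incident from an ArcSight case export file.

        NOTE(review): this method is currently stubbed out. The unconditional
        ``return "INC123456"`` below hands every caller the same placeholder
        incident number, and nothing after it (template lookup, ticket
        creation, notification e-mail, export-file clean-up) is executed, so
        no ArcSight case is turned into a real ticket. The stub is kept so
        existing callers see no change; delete it to re-enable the real path,
        which is hardened below.

        Args:
            vfilename: Path of the ArcSight export file. It is handed to the
                arcsightIOInterface readers and deleted with os.remove() when
                the case cannot be turned into an incident.

        Returns:
            The placeholder "INC123456" while the stub is in place. Without
            the stub: the incident number parsed from the
            createSNOWIncident() result, or the string "False" when no number
            can be found in it.

        Raises:
            SystemExit: (real path only) when the case has no user id or
                workstation name, when no template description exists for
                the recommended action, or when the template fields needed
                to build the description are incomplete.
        """
        import logging
        import arcsightIOInterface
        import re
        import sys
        import os
        import emailout

        # Debug stub: everything below this line is unreachable until it is
        # removed.
        return "INC123456"

        logger = logging.getLogger('serviceNowInterface')
        Files2Proc = arcsightIOInterface.arcsightInterface()
        vattackProtocol = Files2Proc.readAttackProtocol(vfilename)
        TempLU = serviceNowInterface()
        sysemail = emailout.emailout()

        logger.info("File Recommended Action (used for templates): " + vattackProtocol)
        vAssignedGroup = TempLU.getTemplateInfo(vattackProtocol, "assignedgroup")
        vDescription = TempLU.getTemplateInfo(vattackProtocol, "description")
        vTitle = TempLU.getTemplateInfo(vattackProtocol, "title")
        # The values below come straight from the export file and later reach
        # the log, the ticket and the notification e-mail unmodified.
        vUserId = Files2Proc.readUserId(vfilename)
        vWorkstationName = Files2Proc.readHostName(vfilename)
        vReadCaseName = Files2Proc.readCaseName(vfilename)

        # Without a user id and a workstation name no incident can be
        # raised: notify the system mailbox, drop the export file and stop.
        if vUserId == "False" or vWorkstationName == "False":
            vUserId = ""
            vReason = ("No user id or workstation name present in the ArcSight case.  Workstation Name: "
                       + vWorkstationName + ", User Name: " + vUserId)
            # Log the reason first so it is recorded even when the
            # notification e-mail fails.
            logger.error(vReason)
            try:
                sysemail.sendEmail(vfilename, "system", "NOUSERORWORKSTATION")
            except Exception:
                # Exception rather than a bare except, so SystemExit and
                # KeyboardInterrupt are not swallowed; the traceback is kept.
                logger.exception("****** Error sending out system notification email showing failure in ServiceNow Incident creation because of missing workstation or user information. ******")
            try:
                os.remove(vfilename)
            except Exception:
                logger.exception("Error removing ArcSight export file.")
            sys.exit(vReason)

        # An empty or unknown recommended action yields no template
        # description: notify, drop the export file and stop. The message
        # now names the real cause instead of repeating the user/workstation
        # text.
        if vDescription == "False":
            vReason = ("No ServiceNow template description found for the ArcSight case.  Recommended Action: "
                       + vattackProtocol)
            logger.error(vReason)
            try:
                sysemail.sendEmail(vfilename, "system", "MISSINGTEMPLATE")
            except Exception:
                logger.exception("****** Error sending out system notification email showing failure in ServiceNow Incident creation because of missing template information. ******")
            try:
                os.remove(vfilename)
            except Exception:
                logger.exception("Error removing ArcSight export file.")
            sys.exit(vReason)

        # E-mail template for the user notification; unknown actions fall
        # back to "scan".
        templateid = {
            "0": "scan",
            "1": "reimage",
            "2": "softwareremoval",
            "3": "softwareremoval",
        }.get(vattackProtocol, "scan")

        vSoftwareName = Files2Proc.readSoftwareName(vfilename)
        vASCaseId = Files2Proc.readASCaseId(vfilename)

        logger.debug("Userid from file: %s", vUserId)
        logger.debug("Workstation Name from file: %s", vWorkstationName)
        logger.debug("Software Name from file: %s", vSoftwareName)
        logger.debug("ArcSight Case ID from file: %s", vASCaseId)
        logger.debug("Template ticket info, assigned group: %s", vAssignedGroup)
        logger.debug("Template ticket info, title: %s", vTitle)
        logger.info("Template found.  Assigned group: %s", vAssignedGroup)

        # The original tested vAssignedGroup != "False" three times in a row.
        # NOTE(review): the repeats were probably meant to cover vTitle (and
        # vDescription) as well - confirm before adding those checks.
        vGroupKnown = vAssignedGroup != "False"
        if vGroupKnown and vattackProtocol in ("0", "1"):
            vDescClean = vDescription % (vWorkstationName, vASCaseId)
        elif vGroupKnown and vattackProtocol in ("2", "3"):
            vDescClean = vDescription % (vWorkstationName, vSoftwareName, vASCaseId)
        else:
            # Previously this branch only logged and fell through, after
            # which building the ticket failed on the unassigned vDescClean.
            # Stop explicitly, like the other failure paths.
            logger.error("Something went wrong pulling all of the template fields: ")
            logger.error("Template ticket info, assigned group: %s", vAssignedGroup)
            logger.error("Template ticket info, title: %s", vTitle)
            sys.exit("Something went wrong pulling all of the template fields.")
        logger.info("Template ticket info, description: " + vDescClean)

        values = {'impact': '3', 'urgency': '2', 'priority': '2', 'category': 'High', 'location': 'XX-UNKNOWN', 'user': vUserId, 'assignment_group': vAssignedGroup, 'subcategory': 'DART', 'short_description': vTitle, 'description': vDescClean + "\r\n \r\n" + vReadCaseName, 'business_unit': 'Corporate'}
        new_incident_sysid = TempLU.createSNOWIncident(values)
        logger.info("****** Incident Created: " + repr(new_incident_sysid) + " *****")

        # Take the number from the repr of the response. [^']* stops at the
        # closing quote; the former greedy (.*) ran on to the last quote of
        # the repr whenever another field followed 'number'.
        vmatch = re.search(r"'number': '([^']*)'", repr(new_incident_sysid))
        if vmatch and vmatch.group(1):
            INCNum = vmatch.group(1)
        else:
            # findall()/join never raised, so the old except branch could not
            # set this sentinel and an empty string was returned instead.
            INCNum = "False"
            logger.error("No incident number found in ServiceNow response: %r", new_incident_sysid)
        logger.info(INCNum)
        # NOTE(review): the user is mailed even when INCNum is "False" -
        # confirm whether the notification should be skipped in that case.
        sysemail.sendEmail(vUserId, templateid, INCNum)
        return INCNum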
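    def createIncident(self, vfilename):
        """Create a ServiceNow incident from an ArcSight case export file.

        NOTE(review): this method is currently stubbed out. The unconditional
        ``return "INC123456"`` below hands every caller the same placeholder
        incident number, and nothing after it (template lookup, ticket
        creation, notification e-mail, export-file clean-up) is executed, so
        no ArcSight case is turned into a real ticket. The stub is kept so
        existing callers see no change; delete it to re-enable the real path,
        which is hardened below.

        Args:
            vfilename: Path of the ArcSight export file. It is handed to the
                arcsightIOInterface readers and deleted with os.remove() when
                the case cannot be turned into an incident.

        Returns:
            The placeholder "INC123456" while the stub is in place. Without
            the stub: the incident number parsed from the
            createSNOWIncident() result, or the string "False" when no number
            can be found in it.

        Raises:
            SystemExit: (real path only) when the case has no user id or
                workstation name, when no template description exists for
                the recommended action, or when the template fields needed
                to build the description are incomplete.
        """
        import logging
        import arcsightIOInterface
        import re
        import sys
        import os
        import emailout

        # Debug stub: everything below this line is unreachable until it is
        # removed.
        return "INC123456"

        logger = logging.getLogger('serviceNowInterface')
        Files2Proc = arcsightIOInterface.arcsightInterface()
        vattackProtocol = Files2Proc.readAttackProtocol(vfilename)
        TempLU = serviceNowInterface()
        sysemail = emailout.emailout()

        logger.info("File Recommended Action (used for templates): " +
                    vattackProtocol)
        vAssignedGroup = TempLU.getTemplateInfo(vattackProtocol,
                                                "assignedgroup")
        vDescription = TempLU.getTemplateInfo(vattackProtocol, "description")
        vTitle = TempLU.getTemplateInfo(vattackProtocol, "title")
        # The values below come straight from the export file and later reach
        # the log, the ticket and the notification e-mail unmodified.
        vUserId = Files2Proc.readUserId(vfilename)
        vWorkstationName = Files2Proc.readHostName(vfilename)
        vReadCaseName = Files2Proc.readCaseName(vfilename)

        # Without a user id and a workstation name no incident can be
        # raised: notify the system mailbox, drop the export file and stop.
        if vUserId == "False" or vWorkstationName == "False":
            vUserId = ""
            vReason = (
                "No user id or workstation name present in the ArcSight case.  Workstation Name: "
                + vWorkstationName + ", User Name: " + vUserId)
            # Log the reason first so it is recorded even when the
            # notification e-mail fails.
            logger.error(vReason)
            try:
                sysemail.sendEmail(vfilename, "system", "NOUSERORWORKSTATION")
            except Exception:
                # Exception rather than a bare except, so SystemExit and
                # KeyboardInterrupt are not swallowed; the traceback is kept.
                logger.exception(
                    "****** Error sending out system notification email showing failure in ServiceNow Incident creation because of missing workstation or user information. ******"
                )
            try:
                os.remove(vfilename)
            except Exception:
                logger.exception("Error removing ArcSight export file.")
            sys.exit(vReason)

        # An empty or unknown recommended action yields no template
        # description: notify, drop the export file and stop. The message
        # now names the real cause instead of repeating the user/workstation
        # text.
        if vDescription == "False":
            vReason = (
                "No ServiceNow template description found for the ArcSight case.  Recommended Action: "
                + vattackProtocol)
            logger.error(vReason)
            try:
                sysemail.sendEmail(vfilename, "system", "MISSINGTEMPLATE")
            except Exception:
                logger.exception(
                    "****** Error sending out system notification email showing failure in ServiceNow Incident creation because of missing template information. ******"
                )
            try:
                os.remove(vfilename)
            except Exception:
                logger.exception("Error removing ArcSight export file.")
            sys.exit(vReason)

        # E-mail template for the user notification; unknown actions fall
        # back to "scan".
        templateid = {
            "0": "scan",
            "1": "reimage",
            "2": "softwareremoval",
            "3": "softwareremoval",
        }.get(vattackProtocol, "scan")

        vSoftwareName = Files2Proc.readSoftwareName(vfilename)
        vASCaseId = Files2Proc.readASCaseId(vfilename)

        logger.debug("Userid from file: %s", vUserId)
        logger.debug("Workstation Name from file: %s", vWorkstationName)
        logger.debug("Software Name from file: %s", vSoftwareName)
        logger.debug("ArcSight Case ID from file: %s", vASCaseId)
        logger.debug("Template ticket info, assigned group: %s",
                     vAssignedGroup)
        logger.debug("Template ticket info, title: %s", vTitle)
        logger.info("Template found.  Assigned group: %s", vAssignedGroup)

        # The original tested vAssignedGroup != "False" three times in a row.
        # NOTE(review): the repeats were probably meant to cover vTitle (and
        # vDescription) as well - confirm before adding those checks.
        vGroupKnown = vAssignedGroup != "False"
        if vGroupKnown and vattackProtocol in ("0", "1"):
            vDescClean = vDescription % (vWorkstationName, vASCaseId)
        elif vGroupKnown and vattackProtocol in ("2", "3"):
            vDescClean = vDescription % (vWorkstationName, vSoftwareName,
                                         vASCaseId)
        else:
            # Previously this branch only logged and fell through, after
            # which building the ticket failed on the unassigned vDescClean.
            # Stop explicitly, like the other failure paths.
            logger.error(
                "Something went wrong pulling all of the template fields: ")
            logger.error("Template ticket info, assigned group: %s",
                         vAssignedGroup)
            logger.error("Template ticket info, title: %s", vTitle)
            sys.exit(
                "Something went wrong pulling all of the template fields.")
        logger.info("Template ticket info, description: " + vDescClean)

        values = {
            'impact': '3',
            'urgency': '2',
            'priority': '2',
            'category': 'High',
            'location': 'XX-UNKNOWN',
            'user': vUserId,
            'assignment_group': vAssignedGroup,
            'subcategory': 'DART',
            'short_description': vTitle,
            'description': vDescClean + "\r\n \r\n" + vReadCaseName,
            'business_unit': 'Corporate'
        }
        new_incident_sysid = TempLU.createSNOWIncident(values)
        logger.info("****** Incident Created: " + repr(new_incident_sysid) +
                    " *****")

        # Take the number from the repr of the response. [^']* stops at the
        # closing quote; the former greedy (.*) ran on to the last quote of
        # the repr whenever another field followed 'number'.
        vmatch = re.search(r"'number': '([^']*)'", repr(new_incident_sysid))
        if vmatch and vmatch.group(1):
            INCNum = vmatch.group(1)
        else:
            # findall()/join never raised, so the old except branch could not
            # set this sentinel and an empty string was returned instead.
            INCNum = "False"
            logger.error("No incident number found in ServiceNow response: %r",
                         new_incident_sysid)
        logger.info(INCNum)
        # NOTE(review): the user is mailed even when INCNum is "False" -
        # confirm whether the notification should be skipped in that case.
        sysemail.sendEmail(vUserId, templateid, INCNum)
        return INCNum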