Emailing individual users based on rule
I have created an activelist with a list of users and their email addresses along with usernames.
I would like to email each user every time a rule fires that contains their username.
Has anyone done this and can share with me?
I have considered doing this for malware detections but have not implemented it quite yet. I don't believe that there is a way to do this directly from a rule, but you could have the rule execute a command that would call an application or script with the necessary parameters to send the email for you.
I've not done it, but I know a company that has. Theirs is a fairly complex setup that I couldn't begin to detail for you.
What about firing a rule that invokes an external script (via the "external command" rule action)? Pass the pieces of data you need, like user ID and Infection, via command line arguments, and have the script format those items into an e-mail template. The script could do an LDAP (or other) lookup and populate the e-mail of the user and maybe even the user's manager and send it.
Might be a starting place?
This may or may not work for you, but if you have a list with the user's user name and email, you will need to make sure that the user name is a key field in the list. In your rule, create a list variable that will look into the corresponding list that you created; it will grab all of the data fields in that row, one of which is the user's email address. You can then call that information by its corresponding velocity template. You may be able to then use that when sending the notification, or if you can't do it directly through the manager, you would use that field when sending the command out to a script on the manager.
As far as I'm concerned, this is impossible to achieve purely by ArcSight.
It's a shame we have to explicitly declare notification group during rule definition.
If anyone knows how to bypass this, please do share that knowledge :)
Can you outline how this company you mentioned has done it? No need for specifics, just an idea. I am trying to figure out how to do the same here: multiple possible destinations, multiple rules, different templates for notifications depending on rules triggered, and I am not clearly seeing how this could be done. ActiveLists take you only so far; I would still have to maintain templates outside of ESM. Thought about using the Export to External System action and then parsing the generated xml file by a script, but running into the same template problem.
If someone has solved this, I'd love to know how.
Let's see if I can recall how they did this:
1) rules fire and send an e-mail notification using a heavily modified velocity template which includes macros for the data that needs a lookup (like e-mail addresses).
2) The e-mail goes into a sendmail server that parses the formatting from the template and causes the variables to get resolved. The resolved info is fed back into ArcSight as a new event.
3) A second stage rule fires that picks up the original rule and the subsequent lookup event from the mailserver and merges the data into a new rule fire that again uses a heavily customized template. This template pulls the email destination from the event data to do the direct send.
There is more to it, but this is all I can recall.
I started playing with this myself and came up with the following:
1. Perl script on the manager that takes as input 3 command-line parameters: Email destination(s), Email subject, Email body. It then uses local sendmail installation to send out the notification
2. Active list with Generator ID being the key. The other two columns are email destinations and email subject.
3. Rule that wants to send out notification has a variable named "Template" that uses the "Evaluate Velocity Template" function to build the body of the message, then looks up the recipients and the subject in the above list and calls the script passing all 3 parameters to it.
It works, but I am not sure if this is a cleaner/more efficient solution than using built-in notifications. On one hand, I don't have to maintain separate notification destination groups, which usually end up being one per rule. On the other hand, this custom solution has too many moving parts and isn't really fool-proof. For example, there is probably a character limit to command-line parameters, so I am probably going to hit it if I want to include lots of info in the message body, and other unknown gotchas that I am sure I'll encounter once I've invested too much time/effort in getting this to work.
We have a need for something like this.
Can you share your perl script, active list, and rule, and the Velocity template in the variable?
We basically want to send notifications to users that receive what we have identified as spear (or otherwise) phishing emails.
Here is the content of the notification script that you can call as a response action from a rule. It accepts 3 parameters: destination, subject and body of the email. Since the body of the message is frequently more than one line and I couldn't figure out how to pass carriage returns on the command line to the script, I had to create a hack where the script substitutes the pipe character "|" with a carriage return. So if the 3rd parameter to the script is "This is one line.|This is another line." the body of the message will be:
This is one line.
This is another line.
Doing it that way allows me to use an Evaluate Velocity Template variable to build the body of the message. I'll leave the rest of the implementation up to you. Just make sure that sendmail works on your manager prior to messing with the script, since it relies on a working copy of sendmail.
#!/usr/bin/perl
use strict; use warnings;
my ($to, $subject, $body) = @ARGV;   # destination, subject, body
$body =~ s/\|/\n/g;                  # "|" stands in for a newline in the body
s/[\r\n]+/ /g for ($to, $subject);   # keep event data from injecting extra mail headers
my $from = 'ArcSight Notification';
open(MAIL, "|/usr/sbin/sendmail -t") or die "cannot run sendmail: $!";
print MAIL "To: $to\n";
print MAIL "From: $from\n";
print MAIL "Subject: $subject\n\n";
print MAIL "$body\n";
close(MAIL);
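As an added example (not code from any poster in this thread), here is a Python counterpart that moves the active-list lookup into the script, as suggested earlier in the thread: the rule passes only the generator ID and the Velocity-built body, the script looks up recipients and subject in an export of the list keyed by generator ID, keeps the pipe-as-newline convention of the posted script, and strips CR/LF from header fields so event data cannot inject extra mail headers. The CSV, addresses and the path /usr/sbin/sendmail are constructed assumptions.

```python
import csv
import io
import re
import subprocess
import sys
from email.message import EmailMessage

# Constructed stand-in for an export of the active list described above
# (key column: generator ID; other columns: email destinations, subject).
ACTIVE_LIST_CSV = """generatorId,destinations,subject
Phishing Email Detected,"soc@example.com,user.a@example.com",[ESM] Phishing email delivered
Malware Detected,soc@example.com,[ESM] Malware detection
"""

def load_active_list(text):
    """Return {generatorId: (list_of_recipients, subject)} from the CSV export."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        recips = [a.strip() for a in row["destinations"].split(",") if a.strip()]
        table[row["generatorId"]] = (recips, row["subject"])
    return table

def clean_header(value):
    """Collapse CR/LF so a value taken from event data cannot start a new header line."""
    return re.sub(r"[\r\n]+", " ", value).strip()

def build_message(active_list, generator_id, body,
                  sender="ArcSight Notification <esm@example.com>"):
    """Look up recipients/subject for the firing rule; '|' in the body means newline."""
    if generator_id not in active_list:
        return None  # no list entry for this rule: nothing to send
    recipients, subject = active_list[generator_id]
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(clean_header(r) for r in recipients)
    msg["Subject"] = clean_header(subject)
    msg.set_content(body.replace("|", "\n"))
    return msg

def send(msg):
    """Hand the finished message to the local sendmail, like the Perl script does."""
    subprocess.run(["/usr/sbin/sendmail", "-t", "-oi"], input=msg.as_bytes(), check=True)

if __name__ == "__main__":
    # Usage from the rule's external command: script.py "<generator id>" "<body with | for newlines>"
    gen_id, body = sys.argv[1], sys.argv[2]
    m = build_message(load_active_list(ACTIVE_LIST_CSV), gen_id, body)
    if m is not None:
        send(m)
```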