FortiSIEM Setting Scripts as Notification Actions

Setting Scripts as Notification Actions

One of the actions you can specify for an incident notification is to execute a script. For example, suppose you are monitoring Windows services that are in Auto mode, and you have rules that will trigger an incident if one of those services is stopped. The notification action for that incident can include the running of a script by AccelOps that will re-start the service, as shown in the example scripts in this topic.

How Script Notification Actions are Processed

  1. When you specify the notification action as a script, you must provide the full path to the script in the notification policy settings, for example /tmp/Myscript.py.
  2. You must write the script so it expects the incident XML file to be located in the same directory as the script, for example /tmp if the script location is /tmp/Myscript.py.
  3. When a notification policy is triggered by an incident, the policy actions are handled in sequential order, so if there are multiple script actions, the first one will be processed before the second one.
  4. When the script action is processed, the AccelOps notification module will first generate an incident XML file and put it in the same directory as the script. AccelOps will then call the script with the XML file name as an argument.
  5. When the script returns, the incident XML file that was created by AccelOps is deleted, so there is no confusion with the next script action which involves a new incident XML file and is processed only after the previous script action is complete.

Setting a Script Notification Action

  1. Log in to your Supervisor node.
  2. Go to Analytics > Incident Notification Policy.
  3. Select the notification policy where you want to add the script action.
  4. Under Actions, next to the Methods table, click .
  5. Under Run Script, click Add.
  6. For Script Name, enter the name of the script and the absolute directory path to it.
  7. Click OK.

 

Example of a Windows Restart Script as a Notification Action

This topic provides an example of a script that could be used as a notification action, following the example of re-starting a Windows service that has stopped an triggered an incident as described in Setting Scripts as Notification Actions.

This example requires two scripts: one located on the Windows server that hosts the service, and a script on the AccelOps Supervisor host machine that will be triggered by the incident notification and will execute the Windows server script.

Windows Script

AccelOps Script

Windows Script

  1. Create a script named installWinexeSvc.bat for starting the remote winexe provider service.

This script, restartWinService.py, reads the incident XML file, parses out the target IP and stopped service, and issues a winexe command to restart the service.

#!/usr/bin/python importos, re, sys, time importxml.dom.minidom iflen(sys.argv) != 2:

print “Usage: parseTargetIP.py incident.xml”    exit() else:

fileName = sys.argv[1] print “parsing incident xml file : “, fileName #os.system(“cp “+ fileName + ” “+ fileName + “.txt”) # /incident/incidentTarget/entry[@attribute=’hostIpAddr’] doc = xml.dom.minidom.parse(fileName) nodes = doc.getElementsByTagName(‘incidentTarget’) ifnodes.length < 1:

print “no incident Target found!” else:

targeNode = nodes[0] targetIP = “” fornode in targeNode.childNodes :    ifnode.nodeType == node.ELEMENT_NODE:       ifnode.getAttribute(“attribute”) == “hostIpAddr”:

targetIP = node.firstChild.data iftargetIP == “”:

print “no incident target found!” # trim IP, e.g. 10.1.20.189(SH-Quidway-SW1) targetIP = re.sub(r’\(.+\)’, “”, targetIP) print “restart service for target IP: “, targetIP # parse process name nodes = doc.getElementsByTagName(‘incidentDetails’) ifnodes.length < 1:

print “no incidentDetails found!” else:

targeNode = nodes[0] fornode in targeNode.childNodes :    ifnode.nodeType == node.ELEMENT_NODE:       ifnode.getAttribute(“attribute”) == “serviceName”:

targetService = node.firstChild.data ########################################################################

######################## # NOTE:  You need to replace the user and password with an account on your Windows server that # #        has permissions to run thiswindows command.

# ########################################################################

######################## # stop the service stopCmd = “winexe –user Administrator –password ProspectHills! //”+ targetIP + ” ‘sc stop “+ targetService + “‘” ret = os.system(stopCmd)

print “stop service with return code ,”, ret print “waiting service stop” time.sleep(10) ########################################################################

######################## # NOTE:  You need to replace the user and password with an account on your Windows server that # #        has permissions to run thiswindows command.

#

########################################################################

######################## ## start the service startCmd = “winexe –user Administrator –password ProspectHills! //”+ targetIP + ” ‘sc start “+ targetService + “‘”


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU

Leave a Reply

Name *
Email *
Website

This site uses Akismet to reduce spam. Learn how your comment data is processed.