I would really like to utilize the "run a script" functionality within the RTTA to populate information in our event tracker. I can't seem to find any documentation on how this works though. The built-in help doesn't say anything about what kind of script is expected, where the script is run, how variables are accessed, etc.
I'm attempting to write a KB article on this; however, I'm running into the same issue you are with it erroring every time, so I haven't been able to test much yet.
It's my understanding that it works similarly to the Windows command prompt. You can call other programs, echo into text files, etc., and use the variables provided to pass more information to the script. I'll have more information when I can see what's causing the errors.
I was able to get this to work:
Variables don't work either:
var myvar = "test";
$myvar = "test";
Also can't redirect anything to stdout, adding " >> somefile.txt" causes the error again.
I opened a ticket with platinum support, will see what they say.
It looks like you can call programs, such as batch files. For example, I created this batch file in E:\temp\test.bat:
echo %1 %2 > out.txt
I then made this script in the RTTA:
E:\temp\test.bat $ALERT_ID$ $ATTACK_ID$
Running that script created an out.txt file on my desktop, containing the alert and attack ID for the alert I ran the script off of.
The fact that print worked led me to believe it was a scripting language as well, until I realized that print is a function in the command line, to print files. At least with the ability to call a batch file (or other script, I assume) you can write whatever you want with whatever input you need.
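The batch-file approach from the post above, as an added example that is not part of the thread or of any vendor documentation: a relative name such as out.txt resolves against the working directory of whatever process launches the batch file, so this version logs next to the batch file itself and writes the two arguments literally. The log file name rtta_alerts.log is a hypothetical choice; the call line is the one shown in the thread.

```bat
@echo off
rem Added example, not from the thread. Called from the RTTA script box as:
rem   E:\temp\test.bat $ALERT_ID$ $ATTACK_ID$
setlocal EnableExtensions DisableDelayedExpansion

rem %~dp0 expands to the folder that holds this batch file, so the output
rem location no longer depends on the caller's working directory.
rem rtta_alerts.log is a hypothetical file name chosen for this example.
set "LOG=%~dp0rtta_alerts.log"

rem %~1 and %~2 are the first two arguments with surrounding quotes removed.
set "ALERT_ID=%~1"
set "ATTACK_ID=%~2"

rem Refuse to log a half-empty record if a variable was not substituted.
if not defined ALERT_ID goto :usage
if not defined ATTACK_ID goto :usage

rem Delayed expansion (!VAR!) inserts the values after the line is parsed,
rem so characters such as & | < > in an argument are written to the log
rem as text instead of being interpreted by cmd.exe.
setlocal EnableDelayedExpansion
>>"%LOG%" echo %DATE% %TIME% alert_id=!ALERT_ID! attack_id=!ATTACK_ID!
endlocal
exit /b 0

:usage
>>"%LOG%" echo %DATE% %TIME% ERROR: expected two arguments, alert ID and attack ID
exit /b 1
```

The redirection lives inside the batch file, which matches what the thread reports: redirecting from the RTTA script box itself produced the error, while the `>` inside test.bat worked.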