
How to use variables in RSA Security Analytics Reporting Engine templates

Issue

How to use variables in RSA Security Analytics Reporting Engine templates.
How to output meta data in Reporting Engine Templates.

Resolution

The following variables can be used in the Reporting Engine alerting templates:

${meta.} - Meta key value
${name}  - Alert name defined in RE
${count} - Number of times the alert was detected in the given time frame (currently one minute)
${sa.host} - Security Analytics host name as configured in RE
${device.id}  - SA device id of the data source

Below is an example of a template:

CEF:0|RSA | Security Analytics|2.0|${name}|${name}|Medium | externalId= ${meta.sessionid} proto= ${meta.ip.proto} categorySignificance=/Normal categoryBehavior=/Authentication/Verify categoryDeviceGroup=/OS categoryOutcome=/Attempt categoryObject=/Host/Application/Service art=1207590435129 act= ${meta.action} rt=1207590435129 deviceDirection=0 shost= ${meta.ip.host} src= ${meta.ip.src} spt= ${meta.tcp.srcport} dhost=  ${meta.ip.host} dst= ${meta.ip.dst} dport= ${meta.tcp.dstport} duser= ${meta.username} dproc=27444 fileType=security cs1= ${meta.did} cs2= ${meta.password} cs3=4 cs4=5 cn1= ${meta.rid} cn2=0 cn3=0

The output of the example above would be similar to the following:

CEF: 0|RSA | Security Analytics|2.0|Alias Host Found|Alias Host Found|Medium | externalId= 103923155 proto=  categorySignificance=/Normal categoryBehavior=/Authentication/Verify categoryDeviceGroup=/OS categoryOutcome=/Attempt categoryObject=/Host/Application/Service art=1207590435129 act=  rt=1207590435129 deviceDirection=0 shost=  src= 192.168.123.241 spt=  dhost=   dst= 192.168.123.27 dport=  duser=  dproc=27444 fileType=security cs1= logdeccol1 cs2=  cs3=4 cs4=5 cn1= 26080256 cn2=0 cn3=0


Notes

The alert that generated this event only checked whether an alias.host meta value existed; as a result, not all fields are populated.
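The following is an added example, not Reporting Engine code and not part of the original article: it models the substitution shown above on a shortened copy of the template, then parses the rendered CEF extension and lists the keys that came out empty, which is a quick check to run on a test alert before a downstream parser or SIEM depends on those fields. Assumptions: missing variables render as empty strings (as in the sample output), values contain no escaped "|" or "=" characters, and the function names and sample alert dictionary are hypothetical.

```python
import re

# Shortened form of the article's template (constructed for this example).
TEMPLATE = ("CEF:0|RSA | Security Analytics|2.0|${name}|${name}|Medium | "
            "externalId= ${meta.sessionid} proto= ${meta.ip.proto} "
            "src= ${meta.ip.src} dst= ${meta.ip.dst} duser= ${meta.username} "
            "cs1= ${meta.did} cn1= ${meta.rid} cn2=0")

# Constructed alert data, reusing values from the article's sample output.
ALERT = {"name": "Alias Host Found",
         "meta": {"sessionid": "103923155", "ip.src": "192.168.123.241",
                  "ip.dst": "192.168.123.27", "did": "logdeccol1",
                  "rid": "26080256"}}

VAR = re.compile(r"\$\{([^}]+)\}")
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9]*)=")


def render(template, alert):
    """Substitute ${...} variables; missing ones become '' (assumed behaviour)."""
    def lookup(match):
        var = match.group(1)
        if var.startswith("meta."):
            return str(alert.get("meta", {}).get(var[5:], ""))
        return str(alert.get(var, ""))
    return VAR.sub(lookup, template)


def parse_extension(cef_line):
    """Return the CEF extension (text after the 7th '|') as a key -> value dict."""
    extension = cef_line.split("|", 7)[7]
    keys = list(EXT_KEY.finditer(extension))
    fields = {}
    for i, m in enumerate(keys):
        # A value runs from after 'key=' up to the start of the next 'key='.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        fields[m.group(1)] = extension[m.end():end].strip()
    return fields


def empty_fields(cef_line):
    """List extension keys whose value rendered empty, in template order."""
    return [k for k, v in parse_extension(cef_line).items() if not v]


if __name__ == "__main__":
    line = render(TEMPLATE, ALERT)
    print(line)
    print("unpopulated:", empty_fields(line))
```

With the constructed alert above, proto and duser are reported as unpopulated because the alert carried no ip.proto or username meta.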


Internal Comments

UserName:shurtj
9/15/2014 10:44:23 PM - Technically Reviewed
Technically reviewed the article and changed its status to Copy Edited. Modified statements and formatting to adhere to Primus best practices. Corrected spelling and grammatical errors.

Product Details

RSA Product Set: Security Analytics, Netwitness Logs & Network
SA Product/Service Type: Reporting Engine
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: EL6, EL7
