Joshua Randall

Freemarker Tips & Tricks in NetWitness 11.x

Blog Post created by Joshua Randall Employee on Jan 17, 2018

If you have custom alert templates that you have been using in NetWitness 10.6.x, you may find that certain expressions no longer work in 11.x, specifically the "@value_of" function used to iterate through variables that are stored as arrays.

 

For reference, the out-of-the-box string arrays in Event Stream Analysis (ESA) are:

 

The statement we used in 10.6.x to include these string arrays in our alerts looked like this:

 

CEF:0|RSA|NetWitness ESA|11.0|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as x> sessionid=${x.sessionid!" "} service=${x.service!" "} hostname=<#if x.alias_host?has_content><@value_of x.alias_host /></#if> </#list>

 

To achieve the same functionality in 11.x for string arrays such as alias_host, we need a different expression that tells the Freemarker template to iterate through each value in the array. The new expression also needs to handle null values, for example when there is no alias_host meta within the alert.

 

<#if x.alias_host?has_content><#list (x.alias_host) as alias_host> hostname=${alias_host!" "} </#list></#if>

 

It is important to take note of the spaces included within this expression, as they ensure that each alias.host value (for example "alias.host=www.example.com") is delimited from the subsequent "alias.host=" values. Otherwise, we would end up with this:

 

The template as a whole would look like this:


CEF:0|RSA|NetWitness ESA|11.0|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as x> sessionid=${x.sessionid!" "} service=${x.service!" "} <#if x.alias_host?has_content><#list (x.alias_host) as alias_host> hostname=${alias_host!" "} </#list></#if> </#list>


And we can add additional expressions within the template as necessary:

 

CEF:0|RSA|NetWitness ESA|11.0|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as x> sessionid=${x.sessionid!" "} service=${x.service!" "} <#if x.alias_host?has_content><#list (x.alias_host) as alias_host> hostname=${alias_host!" "} </#list></#if> <#if x.action?has_content><#list (x.action) as action> action=${action!" "} </#list></#if> </#list>
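As an added, stand-alone example (not code from this post or from RSA NetWitness), the following Java program renders the 11.x template above with the FreeMarker library against a constructed alert model: one event carrying two alias_host values and an action, and one event with neither, which exercises the ?has_content guard described earlier. It also renders a variant of the template with the delimiting spaces stripped, to show the run-together output the post warns about. The model field names are the ones used in the template; the FreeMarker version, configuration settings, class name and sample values are assumptions.

```java
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Assumption: FreeMarker 2.3.31 or later is on the classpath.
public class EsaTemplateDemo {

    // The 11.x template from the post, with each string array guarded by ?has_content
    // and expanded with <#list ...>. Note the spaces before "hostname=" and after the value.
    static final String TEMPLATE_11X =
          "CEF:0|RSA|NetWitness ESA|11.0|${statement}|${moduleName}|${severity}|"
        + "rt=${time?datetime} id=${id} source=${eventSourceId} "
        + "<#list events as x> sessionid=${x.sessionid!\" \"} service=${x.service!\" \"} "
        + "<#if x.alias_host?has_content><#list (x.alias_host) as alias_host> hostname=${alias_host!\" \"} </#list></#if> "
        + "<#if x.action?has_content><#list (x.action) as action> action=${action!\" \"} </#list></#if> "
        + "</#list>";

    // Same expression for alias_host with the delimiting spaces removed, to show why they matter.
    static final String TEMPLATE_NO_SPACES =
          "<#list events as x>sessionid=${x.sessionid!\" \"} "
        + "<#if x.alias_host?has_content><#list (x.alias_host) as alias_host>hostname=${alias_host!\" \"}</#list></#if>"
        + "</#list>";

    // Renders a template string against a model and returns the output.
    static String render(String templateText, Map<String, Object> model)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setDefaultEncoding("UTF-8");
        // Assumed formats: FreeMarker's defaults are locale dependent and would print
        // numbers such as a session id with grouping separators ("12,345").
        cfg.setNumberFormat("computer");
        cfg.setDateTimeFormat("yyyy-MM-dd HH:mm:ss");
        Template template = new Template("esa-alert", new StringReader(templateText), cfg);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    // Constructed alert model: the field names match the template, the values are made up.
    static Map<String, Object> sampleAlert() {
        Map<String, Object> event1 = new HashMap<>();
        event1.put("sessionid", 12345L);
        event1.put("service", 80);
        event1.put("alias_host", Arrays.asList("www.example.com", "example.com"));
        event1.put("action", Arrays.asList("get"));

        Map<String, Object> event2 = new HashMap<>();
        event2.put("sessionid", 12346L);
        event2.put("service", 53);
        // No alias_host or action key at all: ?has_content evaluates to false and
        // the <#list> is skipped instead of failing on a missing value.

        Map<String, Object> model = new HashMap<>();
        model.put("statement", "Module_ExampleStatement");
        model.put("moduleName", "Example Rule");
        model.put("severity", 5);
        model.put("time", new Date(0L));
        model.put("id", "alert-0001");
        model.put("eventSourceId", "esa-1");
        model.put("events", Arrays.asList(event1, event2));
        return model;
    }

    public static void main(String[] args) throws IOException, TemplateException {
        Map<String, Object> model = sampleAlert();
        System.out.println("11.x template:");
        System.out.println(render(TEMPLATE_11X, model));
        System.out.println();
        System.out.println("Same expression without the delimiting spaces:");
        System.out.println(render(TEMPLATE_NO_SPACES, model));
    }
}
```

Compile and run with the FreeMarker jar on the classpath (javac -cp freemarker.jar EsaTemplateDemo.java && java -cp freemarker.jar:. EsaTemplateDemo). The first rendering emits one "hostname=" pair per alias_host value for the first event and nothing for the second, while the second rendering shows the values running together ("hostname=www.example.comhostname=example.com"), which is the output the post describes when the spaces are omitted.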
