000026762 - How to use variables in RSA Security Analytics Reporting Engine templates

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Number: 000026762
Applies To: RSA Security Analytics; RSA Security Analytics Reporting Engine
Issue: How to use variables in RSA Security Analytics Reporting Engine templates. How to output meta data in Reporting Engine templates.
Resolution

The following variables can be used in Reporting Engine alerting templates:

${meta.}      - Meta key value; append the meta key name after the dot, e.g. ${meta.sessionid} as in the example below
${name}       - Alert name defined in RE
${count}      - Number of times the alert has been detected in the given time frame (currently one minute)
${sa.host}    - Security Analytics host name as configured in RE
${device.id}  - SA device id of the data source
Below is an example of a template:
CEF:0|RSA | Security Analytics|2.0|${name}|${name}|Medium | externalId= ${meta.sessionid} proto= ${meta.ip.proto} categorySignificance=/Normal categoryBehavior=/Authentication/Verify categoryDeviceGroup=/OS categoryOutcome=/Attempt categoryObject=/Host/Application/Service art=1207590435129 act= ${meta.action} rt=1207590435129 deviceDirection=0 shost= ${meta.ip.host} src= ${meta.ip.src} spt= ${meta.tcp.srcport} dhost=  ${meta.ip.host} dst= ${meta.ip.dst} dport= ${meta.tcp.dstport} duser= ${meta.username} dproc=27444 fileType=security cs1= ${meta.did} cs2= ${meta.password} cs3=4 cs4=5 cn1= ${meta.rid} cn2=0 cn3=0
The output of the example above would be similar to the following:
CEF: 0|RSA | Security Analytics|2.0|Alias Host Found|Alias Host Found|Medium | externalId= 103923155 proto=  categorySignificance=/Normal categoryBehavior=/Authentication/Verify categoryDeviceGroup=/OS categoryOutcome=/Attempt categoryObject=/Host/Application/Service art=1207590435129 act=  rt=1207590435129 deviceDirection=0 shost=  src= 192.168.123.241 spt=  dhost=   dst= 192.168.123.27 dport=  duser=  dproc=27444 fileType=security cs1= logdeccol1 cs2=  cs3=4 cs4=5 cn1= 26080256 cn2=0 cn3=0
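
To see how the substitution produces the blank fields shown above, here is an added example written for this article (it is not RSA code and not part of the Reporting Engine). It renders the template above against a constructed alert context and then parses the result as CEF so the unpopulated extension keys can be listed. Two points are assumptions of the example: the engine's handling of a meta key that is absent from the session (rendering it as an empty string) is inferred from the sample output, where proto=, act= and spt= come out blank, and the alert context values (sa.host, device.id) are constructed. The CEF parser is simplified and does not unescape CEF escapes such as \| or \=.

```python
import re
from typing import Any, Dict, List, Tuple

# Alerting template copied from the article (the "Alias Host Found" alert).
TEMPLATE = (
    "CEF:0|RSA | Security Analytics|2.0|${name}|${name}|Medium | "
    "externalId= ${meta.sessionid} proto= ${meta.ip.proto} "
    "categorySignificance=/Normal categoryBehavior=/Authentication/Verify "
    "categoryDeviceGroup=/OS categoryOutcome=/Attempt "
    "categoryObject=/Host/Application/Service art=1207590435129 "
    "act= ${meta.action} rt=1207590435129 deviceDirection=0 "
    "shost= ${meta.ip.host} src= ${meta.ip.src} spt= ${meta.tcp.srcport} "
    "dhost=  ${meta.ip.host} dst= ${meta.ip.dst} dport= ${meta.tcp.dstport} "
    "duser= ${meta.username} dproc=27444 fileType=security "
    "cs1= ${meta.did} cs2= ${meta.password} cs3=4 cs4=5 cn1= ${meta.rid} cn2=0 cn3=0"
)

# Constructed alert context (not captured data): only the meta keys that are
# populated in the article's sample output are present, so the other
# ${meta.*} placeholders exercise the "missing meta" path.
SAMPLE_ALERT: Dict[str, Any] = {
    "name": "Alias Host Found",
    "count": 1,
    "sa.host": "sa-server.example.test",   # assumed value
    "device.id": "logdeccol1",             # assumed value
    "meta": {
        "sessionid": 103923155,
        "ip.src": "192.168.123.241",
        "ip.dst": "192.168.123.27",
        "did": "logdeccol1",
        "rid": 26080256,
    },
}

VAR_RE = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")


def render_template(template: str, alert: Dict[str, Any]) -> str:
    """Substitute ${name}, ${count}, ${sa.host}, ${device.id} and ${meta.<key>}.

    Assumption inferred from the article's output: a meta key the session does
    not carry renders as an empty string (the placeholder is not left in place).
    """
    def lookup(match: "re.Match[str]") -> str:
        var = match.group(1)
        if var.startswith("meta."):
            value = alert.get("meta", {}).get(var[len("meta."):])
        else:
            value = alert.get(var)
        return "" if value is None else str(value)

    return VAR_RE.sub(lookup, template)


CEF_HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                     "signature_id", "name", "severity")
# An extension key is a word immediately followed by '=' that is not escaped.
EXT_KEY_RE = re.compile(r"(?<!\\)\b(\w+)=")


def parse_cef(event: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a CEF line into its seven header fields and extension key/values.

    Each extension value runs from one 'key=' up to the next one; whitespace
    is stripped so the template's 'key= value' spacing parses like 'key=value'.
    Simplified: CEF escapes (\\| and \\=) are not unescaped.
    """
    parts = event.split("|", 7)
    if len(parts) != 8:
        raise ValueError("not a CEF event: expected 7 header separators")
    header = {k: v.strip() for k, v in zip(CEF_HEADER_FIELDS, parts[:7])}
    header["version"] = header["version"].replace("CEF:", "").strip()
    extension = parts[7]
    ext: Dict[str, str] = {}
    keys = list(EXT_KEY_RE.finditer(extension))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        ext[m.group(1)] = extension[m.end():end].strip()
    return header, ext


def empty_extension_fields(ext: Dict[str, str]) -> List[str]:
    """Extension keys whose value rendered blank, i.e. meta the alert lacked."""
    return [k for k, v in ext.items() if v == ""]


if __name__ == "__main__":
    rendered = render_template(TEMPLATE, SAMPLE_ALERT)
    print(rendered)
    header, ext = parse_cef(rendered)
    print("alert:", header["name"], "severity:", header["severity"])
    print("blank extension fields:", ", ".join(empty_extension_fields(ext)))
```

Running it reproduces the article's output line and lists proto, act, shost, spt, dhost, dport, duser and cs2 as the blank keys, which is the situation the Notes below describe: the alert only tested for the existence of alias.host, so the other meta keys were never part of the session. A downstream SIEM parser should expect such blank values rather than treating them as malformed CEF.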
Notes: The alert that generated this event only checked whether an alias.host meta key existed; as a result, not all fields are populated.
Legacy Article ID: a67662