|Applies To||RSA Product Set: NetWitness Logs & Network|
RSA Product/Service Type: Live, Core Appliance
RSA Version/Condition: 10.x, 11.x
|Issue||The values in the Alert ID (alert.id) meta key do not have descriptive names, and therefore do not describe the alert that was triggered.|
|Tasks||Values in the Alert ID (alert.id) meta key generally correspond to Application Rule names from the decoder on which the session was captured, namely rules that were deployed via RSA Live. There are two methods that can be used to identify the Application Rule that triggered the alert, which are described below.|
Method 1: Using the Live Search to Identify the Application Rule
Because Application Rules with nwXXXXX names are deployed using RSA Live, the Live search page can be used to quickly identify the official name of an Application Rule.
Method 2: Examining the Deployed Application Rules on the Decoder
Another method for identifying Application Rules is to examine the Decoder configuration. While this method will not provide the official name of the rule, it will provide the syntax for the rule itself.
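To illustrate Method 2, the following sketch (an added example, not RSA code) resolves alert.id values against a rule listing copied from a Decoder and flags values that have no matching rule on that Decoder. The `name=`/`rule=`/`alert=` line layout, the sample rule names and conditions, and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample of a Decoder application-rule listing. The
# name=/rule=/alert= line layout is an assumption about the export,
# and the rule names and conditions are invented for illustration.
SAMPLE_RULES = r'''
name="nw00001" rule="service = 80 && action = 'put'" alert=alert.id order=1 type=application
name="nw00002" rule="filename = \"a.exe\" && direction = 'outbound'" alert=alert.id order=2 type=application
name="local_flag" rule="tcp.dstport = 4444" alert=risk.warning order=3 type=application
'''

# key=value pairs; a value is double-quoted (backslash escapes allowed) or a bare token
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

def parse_rule(line):
    """Return one rule line as a dict of its key=value fields."""
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        fields[key] = re.sub(r'\\(.)', r'\1', quoted) if quoted else bare
    return fields

def index_alert_rules(text, alert_key="alert.id"):
    """Map rule name -> rule syntax for rules that write to alert_key."""
    index = {}
    for line in text.splitlines():
        rule = parse_rule(line)
        # Rules alerting into other meta keys never appear in alert.id
        if rule.get("alert") == alert_key and "name" in rule:
            index[rule["name"]] = rule.get("rule", "")
    return index

def resolve(alert_ids, index):
    """Split observed alert.id values into resolved rules and unknown names."""
    # Unknown values point to a rule that is not deployed on this Decoder
    resolved = {a: index[a] for a in alert_ids if a in index}
    unknown = sorted(set(alert_ids) - set(index))
    return resolved, unknown

if __name__ == "__main__":
    idx = index_alert_rules(SAMPLE_RULES)
    found, missing = resolve(["nw00002", "nw00001", "nw09999"], idx)
    for name, syntax in found.items():
        print(f"{name}: {syntax}")
    print("no matching rule on this Decoder:", missing)
```

As with Method 2 itself, this yields the rule syntax rather than the official rule name, so an unfamiliar nwXXXXX value still needs a Live search to get its descriptive title.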
|Notes||For more information on Application Rules, refer to Decoder: App Rules Tab.|