Article Content
Article Number | 000029785 |
Applies To | RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Live, Core Appliance
RSA Version/Condition: 10.x, 11.x |
Issue | The values in the Alert ID (alert.id) meta key do not have descriptive names, and therefore do not describe the alert that was triggered. |
Tasks | Values in the Alert ID (alert.id) meta key generally correspond to the names of Application Rules on the Decoder on which the session was captured, namely rules that were deployed via RSA Live. There are two methods for identifying the Application Rule that triggered the alert, described below.

Method 1: Using the Live Search to Identify the Application Rule
Because the Application Rules that use the nwXXXXX naming are deployed using RSA Live, the Live search page can be used to quickly identify the official name of an Application Rule.

Method 2: Examining the Deployed Application Rules on the Decoder
Another method for identifying Application Rules is to examine the Decoder configuration. While this method will not provide the official name of the rule, it will provide the syntax for the rule itself. |
Notes | For more information on Application Rules, refer to the Decoder: App Rules Tab |