000029785 - How to identify an Alert ID value in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Aug 27, 2019.

Article Content

Article Number: 000029785
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Live, Core Appliance
RSA Version/Condition: 10.x, 11.x
Issue: The values in the Alert ID (alert.id) meta key do not have descriptive names, and therefore do not describe the alert that was triggered.

Tasks: Values in the Alert ID (alert.id) meta key generally correspond to Application Rule names from the Decoder on which the session was captured, namely rules that were deployed via RSA Live. There are two methods that can be used to identify the Application Rule that triggered the alert, which are described below.

Method 1: Using the Live Search to Identify the Application Rule
As the Application Rules with nwXXXXX-style names are deployed using RSA Live, the Live search page can be used to quickly identify the official name of an Application Rule.
  1. In the Security Analytics UI, navigate to Live -> Search.
  2. Enter the Alert ID value in the Keywords box and click the Search button. Information about the corresponding Application Rule will be displayed in the Matching Resources section.


Method 2: Examining the Deployed Application Rules on the Decoder
Another method for identifying Application Rules is to examine the Decoder configuration. While this method will not provide the official name of the rule, it will provide the syntax for the rule itself.
  1. In the Security Analytics UI, navigate to Administration -> Services.
  2. Select the Decoder service, click on the red Actions button in the far right column, and select View -> Config.
  3. Click on the App Rules tab. The Alert ID value will be listed in the Name column, whereas the syntax of the rule will be listed in the Condition column.

Notes: For more information on Application Rules, refer to the Decoder: App Rules Tab documentation.