000029497 - Security Analytics for Logs: Issue with alerts sent to third party tools (such as ArcSight)

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000029497
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
Platform: CentOS
IssueWhen sending alerts to a third party tool, such as ArcSight, there may be issues with how the alerts are being displayed, as it may appear that packets are sent with multiple alert titles in the same packet. In ArcSight, it would appear that one alert would run into another. 
An example:  
The triggering of one rule is also appeared to trigger another rule.   In ArcSight, these rules appear to have been combined, and these alerts that are triggered at the same time appear to be showing up in the same alert in ArcSight vs in separate alerts as they should be. 


Below is the flow for the Reporting Engine (RE) when it creates SA Alerts:

1. RE will query all the sessions for Alerts (for example; "select where alert = '<alert-name>'")
2. For each session received, RE will generate a template. A session can have multiple "alerts" (in such cases in template all the alerts will appear as a "comma separated" form)

If a session has alerts "[ AlertA , AlertD, AlertB, AlertC, AlertD ]" then in Template it will appear as "AlertA, AlertD, AlertB, AlertC, AlertD" (Comma Separated Values)


In the above sample use case, the issue is with interpretation of "meta.alert".   This can be rectified by using the following:

use "$


" instead of "$



....in the template. Execution in such a way will  display "Alert Name" vs all alerts in "Session".  This methodology insures transmission of the alert name which fired the event in syslog.