RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: NetWitness Server
Issue: When sending alerts to a third-party tool such as ArcSight, the alerts may not be displayed correctly: a single outbound packet can carry multiple alert titles, so in ArcSight one alert appears to run into the next.
The triggering of one rule also appears to trigger another rule. In ArcSight these rules appear to have been combined, and alerts that fire at the same time show up in the same ArcSight alert instead of in separate alerts, as they should.
Below is the flow for the Reporting Engine (RE) when it creates NW Alerts:
If a session has the alerts "[ AlertA, AlertD, AlertB, AlertC, AlertD ]", then in the Template they appear as "AlertA, AlertD, AlertB, AlertC, AlertD" (comma-separated values).
In the sample use case above, the issue is with the interpretation of "meta.alert": the whole list of alert titles is rendered as one comma-separated string. This can be rectified by using the following:
" instead of "$