Article Content
Article Number | 000033154 |
Applies To | RSA Product Set: Archer; RSA Product/Service Type: Security Operations Management (SecOps); RSA Version/Condition: 1.1 |
Issue | When attempting to hard-code values in the Common Event Format (CEF) template for data being passed from Security Analytics through the RSA Connector Framework (RCF) to the RSA Archer Security Incidents application, the fields are not populated in Archer. A normal entry in the CEF template transfers variable data from a field in Security Analytics, and looks like this:
Hard-coded values are included in the template like this:
The result is that records are created in Archer and variable field data is populated in the Archer record, but the two fields with hard-coded values are not populated. The RCF log shows the following error for the Archer field (Threat Category):
|
Cause | The problem is caused by incorrect syntax in the CEF template. The word Label should be capitalized, but was lower case. |
Resolution | Correct the syntax in the CEF template. Capitalize the word Label as follows:
After correcting the syntax, these fields populate as expected. |
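
A pre-deployment check for this mistake, as an added example that is not part of the original article or of RSA's tooling. It assumes the template uses the standard CEF custom-field keys (`cs1Label`, `cn1Label` and so on); the sample template line, its header fields, its values and the `<variable>` placeholder are constructed.

```python
import re

# Standard CEF custom-field families that take a paired "<key>Label" entry.
_CANON = {f.lower(): f for f in (
    "cs", "cn", "cfp", "c6a",
    "flexString", "flexNumber", "flexDate", "deviceCustomDate")}
# A key=value token; escaped "\=" inside a value is not treated as a key.
_KEY = re.compile(r"(?<![\w.])([A-Za-z][A-Za-z0-9]*)=")
# <family><index>label in any letter case.
_LABEL = re.compile(r"^([A-Za-z0-9]+?)(\d+)label$", re.IGNORECASE)


def _canonical(key):
    """Return the correctly cased label key, or None if key is not a label key."""
    m = _LABEL.match(key)
    if not m:
        return None
    family = _CANON.get(m.group(1).lower())
    return f"{family}{m.group(2)}Label" if family else None


def find_miscased_labels(template):
    """List (line_no, found_key, expected_key) for every mis-cased label key."""
    findings = []
    for line_no, line in enumerate(template.splitlines(), start=1):
        for m in _KEY.finditer(line):
            expected = _canonical(m.group(1))
            if expected and expected != m.group(1):
                findings.append((line_no, m.group(1), expected))
    return findings


def fix_template(template):
    """Return the template with every label key rewritten to its canonical case."""
    return _KEY.sub(
        lambda m: (_canonical(m.group(1)) or m.group(1)) + "=", template)


# Constructed sample: two hard-coded fields with mis-cased labels, one correct.
SAMPLE = (
    "CEF:0|Vendor|Product|1.0|100|Alert|5|"
    "cs1label=Threat Category cs1=Malware "
    "cs2Label=Source cs2=<variable> "
    "cn1LABEL=Score cn1=7"
)

if __name__ == "__main__":
    for line_no, found, expected in find_miscased_labels(SAMPLE):
        print(f"line {line_no}: {found!r} should be {expected!r}")
```
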