000033154 - Syntax error in Common Event Format (CEF) template causes data to not be populated in RSA Archer (SecOps 1.1 P1)

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000033154
Applies To: RSA Product Set: Security Management
RSA Product/Service Type: SecOps
RSA Version/Condition: 1.1
Issue: When values are hard-coded in the Common Event Format (CEF) template for data passed from Security Analytics through the RSA Connector Framework (RCF) to Archer's Security Incidents application, the corresponding fields are not populated in Archer.
A normal entry in the CEF template transfers variable data from a field in Security Analytics, and looks like this:
cs1=${x.city_dst!" "} 
cs2=${x.country_dst!" "}

Hard-coded values are included in the template like this:
cs56=Malicious Code 
cs57=L1 Analyst

The result is that records are created in Archer and the variable field data is populated in the Archer record, but the two fields with hard-coded values are not populated.
The RCF log shows the following error for the Archer field (Threat Category):
WARNING: Null value retrieved from record for field name ( Threat Category - keyName archercategory); nothing to do.

Cause: The problem is caused by incorrect syntax in the CEF template: the word "Label" must be capitalized, but it was written in lower case.
Resolution: Correct the syntax in the CEF template by capitalizing the word "Label" as follows:
cs56=Malicious Code 
cs57=L1 Analyst

After correcting the syntax, these fields populate as expected.
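As an added check, not part of the article or of the RCF product, the following Python linter scans a CEF template for custom-string keys (csN) whose label key is missing or mis-cased, which is the silent failure described above. The csNLabel entries in the constructed sample templates are an assumption: the article describes the label keys but does not print them.

```python
import re

# Constructed sample templates (not from the article). The csNLabel entries
# are assumed; the article refers to them but does not show them.
BROKEN_TEMPLATE = """cs1=${x.city_dst!" "} cs1Label=Destination City
cs56=Malicious Code cs56label=Threat Category
cs57=L1 Analyst cs57label=Assigned Tier"""

FIXED_TEMPLATE = BROKEN_TEMPLATE.replace("label=", "Label=")

# A custom-string key: csN, optionally followed by a label suffix, then '='.
# Matched case-insensitively on purpose so mis-cased suffixes are caught,
# not silently treated as unrelated keys.
_KEY_RE = re.compile(r"(?<!\S)(cs\d+)(label)?=", re.IGNORECASE)


def check_cef_labels(template: str) -> list[str]:
    """Report custom-string keys that will not map to an Archer field.

    A csN value is tied to an Archer field through csNLabel with exactly
    that case; 'csNlabel' is a different key, so the value arrives without
    a field name and is dropped ('Null value retrieved ... nothing to do').
    """
    values, labels = set(), {}
    for m in _KEY_RE.finditer(template):
        key, suffix = m.group(1).lower(), m.group(2)
        if suffix is None:
            values.add(key)
        else:
            labels[key] = suffix  # keep the suffix as written to check its case
    problems = []
    for key in sorted(values, key=lambda k: int(k[2:])):
        if key not in labels:
            problems.append(f"{key}: no {key}Label, value will not map to a field")
        elif labels[key] != "Label":
            problems.append(f"{key}{labels[key]}: suffix must be 'Label' (case-sensitive)")
    for key in sorted(set(labels) - values, key=lambda k: int(k[2:])):
        problems.append(f"{key}Label: label without a {key} value")
    return problems


if __name__ == "__main__":
    for name, tpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, check_cef_labels(tpl) or "OK")
```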