000033154 - Syntax error in Common Event Format (CEF) template causes data to not be populated in RSA Archer (SecOps 1.1 P1)

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Sep 17, 2019.
Version 3

Article Content

Article Number: 000033154

Applies To
RSA Product Set: Archer
RSA Product/Service Type: Security Operations Management (SecOps)
RSA Version/Condition: 1.1

Issue
When attempting to hard-code values in the Common Event Format (CEF) template for data being passed from Security Analytics through the RSA Connector Framework (RCF) to the RSA Archer Security Incidents application, the fields are not populated in Archer.

A normal entry in the CEF template transfers variable data from a field in Security Analytics, and looks like this:

cs1=${x.city_dst!" "}
cs2=${x.country_dst!" "}

Hard-coded values are included in the template like this:

cs56=Malicious Code
cs57=L1 Analyst

The result is that records are created in Archer and the variable field data is populated in the Archer record, but the two fields with hard-coded values are not populated in the Archer record.

The RCF log shows the following error for the Archer field (Threat Category):

WARNING: Null value retrieved from record for field name ( Threat Category - keyName archercategory); nothing to do.

Cause
The problem is caused by incorrect syntax in the CEF template. The word Label should be capitalized, but was lower case.

Resolution
Correct the syntax in the CEF template. Capitalize the word Label as follows:

cs56=Malicious Code
cs57=L1 Analyst

After correcting the syntax, these fields populate as expected.
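Because the failure above is silent apart from a single RCF warning, it helps to lint a CEF template before deploying it. The following Python script is an added example, not code from the article or from RSA: it parses `key=value` template lines and flags custom-string keys whose case does not match the CEF form `csN` / `csNLabel` (the exact mistake described in this article), and additionally flags a `csN` value that has no `csNLabel` line, on the assumption (not stated in the article) that the connector maps the field by its label. The sample template lines are constructed for the example; the label text for cs57 and the lowercase `cs56label` line are invented to show the check firing.

```python
import re

# Exact-case CEF custom-string keys: "cs<N>" or "cs<N>Label".
# Standard CEF defines cs1..cs6; this template uses cs56/cs57, so the
# index range is deliberately left open.
CUSTOM_KEY = re.compile(r"^cs(\d+)(Label)?$")
# Case-insensitive variant used to recognise near-misses such as "cs56label".
CUSTOM_KEY_LOOSE = re.compile(r"^cs(\d+)(label)?$", re.IGNORECASE)


def parse_template_lines(lines):
    """Split 'key=value' template lines into (key, value) pairs.

    Blank lines and lines without '=' are skipped; the value keeps any
    further '=' characters (FreeMarker expressions such as ${x.city_dst!" "}
    are left untouched).
    """
    pairs = []
    for raw in lines:
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip(), value))
    return pairs


def lint_custom_keys(lines):
    """Return a list of problems found in the custom-string keys of a template."""
    problems = []
    keys = [key for key, _ in parse_template_lines(lines)]
    values, labels = set(), set()

    for key in keys:
        exact = CUSTOM_KEY.match(key)
        if exact:
            (labels if exact.group(2) else values).add(exact.group(1))
            continue
        loose = CUSTOM_KEY_LOOSE.match(key)
        if loose:
            n, suffix = loose.groups()
            expected = f"cs{n}Label" if suffix else f"cs{n}"
            # The connector treats keys as case-sensitive, so "cs56label" is
            # not "cs56Label" and the field is never mapped.
            problems.append(f"{key}: wrong case, expected {expected}")

    # Assumption: a hard-coded csN value is useless to the mapping without
    # its csNLabel line, so report the unpaired ones too.
    for n in sorted(values - labels, key=int):
        problems.append(f"cs{n}: no cs{n}Label line")
    for n in sorted(labels - values, key=int):
        problems.append(f"cs{n}Label: no cs{n} line")
    return problems


# Constructed sample: variable field from the article plus hard-coded fields,
# with the lowercase "label" mistake on cs56 (label texts are invented).
SAMPLE_BAD = [
    'cs1=${x.city_dst!" "}',
    "cs1Label=Destination City",
    "cs56=Malicious Code",
    "cs56label=Threat Category",
    "cs57=L1 Analyst",
    "cs57Label=Escalation Tier",
]

# Same template with the syntax corrected as in the Resolution section.
SAMPLE_FIXED = [line.replace("cs56label=", "cs56Label=") for line in SAMPLE_BAD]

if __name__ == "__main__":
    for name, template in (("bad", SAMPLE_BAD), ("fixed", SAMPLE_FIXED)):
        print(f"{name}: {lint_custom_keys(template) or 'no problems'}")
```

Run it against the real template file by reading its lines into `lint_custom_keys`; an empty list means every custom-string key is exact-case and paired, which is the state the Resolution section describes.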