Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000033154 - Syntax error in Common Event Format (CEF) template causes data to not be populated in RSA Archer (SecOps 1.1 P1)

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000033154
Applies To	RSA Product Set: Security Management RSA Product/Service Type: SecOps RSA Version/Condition: 1.1
Issue	Attempting to hard-code values in the Common Event Format (CEF) template for data being passed from Security Analytics through the RSA Connector Framework (RCF) to Archer's Security Incidents application. Fields are not populated in Archer. A normal entry in the CEF template transfers variable data from a field in Security Analytics, and looks like this: cs1=${x.city_dst!" "} cs1Label=destinationcity cs2=${x.country_dst!" "} cs2Label=destinationcountry Hard-coded values are included in the template like this: cs56=Malicious Code cs56label=archercategory cs57=L1 Analyst cs57label=archersubcategory The result is that records are created in Archer and variable field data is populate in the Archer record; but the two fields with hard-coded values are not populated in the Archer record. The RCF log shows the following error for the Archer field (Threat Category). WARNING: Null value retrieved from record for field name ( Threat Category - keyName archercategory); nothing to do.
Cause	The problem is caused by incorrect syntax in the CEF template. The word "Label" should be capitalized, but was lower-case.
Resolution	Correct syntax in the CEF template. Capitalize the word "Label" as follows: cs56=Malicious Code cs56Label=archercategory cs57=L1 Analyst cs57Label=archersubcategory After correcting the syntax, these fields populate as expected.

Attachments

Outcomes

0 Comments

Recommended Content