|Applies To||RSA Product Set: Security Management|
RSA Product/Service Type: SecOps
RSA Version/Condition: 1.1
|Issue||Attempting to hard-code values in the Common Event Format (CEF) template for data being passed from Security Analytics through the RSA Connector Framework (RCF) to Archer's Security Incidents application. Fields are not populated in Archer.|
A normal entry in the CEF template transfers variable data from a field in Security Analytics, and looks like this:
Hard-coded values are included in the template like this:
The result is that records are created in Archer and variable field data is populated in the Archer record, but the two fields with hard-coded values are not populated in the Archer record.
The RCF log shows the following error for the Archer field (Threat Category):
WARNING: Null value retrieved from record for field name ( Threat Category - keyName archercategory); nothing to do.
|Cause||The problem is caused by incorrect syntax in the CEF template. The word "Label" should be capitalized, but was lower-case.|
|Resolution||Correct the syntax in the CEF template. Capitalize the word "Label" as follows:|
After correcting the syntax, these fields populate as expected.