000034192 - Sample ESA SMTP template to show esa_time/time/event_time in a human readable format in RSA Security Analytics

Document created by RSA Customer Support Employee on Oct 26, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000034192
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
O/S Version: 6
Issue: With the default ESA SMTP template, the report shows esa_time as milliseconds since the epoch, while event_time and time, which are provided by the Concentrator, are shown as seconds since the epoch, as in the figure below.
(Figure: report output with raw epoch timestamps)
None of these values is human readable, so the ESA SMTP template has to be adjusted to change the time format.
Resolution: Modify the default SMTP template as described below.

ESA lets you define templates in the FreeMarker language, and the sample below changes the time format. Create a custom ESA SMTP template, copy the content of the default SMTP template into it, modify the custom template as shown for your version, and then apply the new template to the ESA alert.

The FreeMarker built-in ?number_to_datetime interprets a number as milliseconds since the epoch, which is why time and event_time are multiplied by 1000 before conversion while esa_time is converted as-is.
For SA 10.4.x:
Find the following two lines in the original template:
<td>${key}</td>
<td><@value_of metadata[key]/></td>

Change them as follows:
<td>${key}</td>
<td>
  <#if key == "time" || key == "event_time">
    ${(metadata[key] * 1000)?number_to_datetime}
  <#elseif key == "esa_time">
    <@value_of metadata[key]?number_to_datetime/>
  <#else>
    <@value_of metadata[key]/>
  </#if>
</td>

For SA 10.5.x and 10.6.x:
Find the following two lines in the original template:
<td><span style="color: #363636; font-family: Arial; font-size: 1.1em;">${key}</span></td>
<td><span style="color: #363636; font-family: Arial; font-size: 1.1em;"><@value_of metadata[key]/></span></td>

Change them as follows:
<td><span style="color: #363636; font-family: Arial; font-size: 1.1em;">${key}</span></td>
<td><span style="color: #363636; font-family: Arial; font-size: 1.1em;">
  <#if key == "time" || key == "event_time">
    ${(metadata[key] * 1000)?number_to_datetime}
  <#elseif key == "esa_time">
    <@value_of metadata[key]?number_to_datetime/>
  <#else>
    <@value_of metadata[key]/>
  </#if>
</span></td>

Below is a sample of the output produced by the modified template.
(Figure: report output with human readable timestamps)
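To check what the modified template will print for a given set of alert metadata before it is deployed, the following Python script mirrors the template's branch logic. It is an added example and is not part of the RSA article or of the Security Analytics product; the names SECOND_KEYS, MILLISECOND_KEYS, render_value, render_rows and check_units, as well as the sample metadata, are constructed for this illustration. One assumption to keep in mind: the script fixes the output to UTC, whereas FreeMarker's ?number_to_datetime renders in the locale and time zone of the ESA JVM.

```python
"""Mirror of the <#if> branch in the custom ESA SMTP template.

Hypothetical helper, not part of RSA Security Analytics: renders each
metadata value the way the template does so the expected report text can
be checked against constructed metadata before the template is applied.
"""
from datetime import datetime, timezone

# Keys the Concentrator delivers as whole seconds since the epoch.
SECOND_KEYS = {"time", "event_time"}
# Keys ESA delivers as milliseconds since the epoch.
MILLISECOND_KEYS = {"esa_time"}

# Assumed output layout; the real template uses FreeMarker's default
# datetime format, which depends on the ESA JVM locale and time zone.
DATETIME_FORMAT = "%Y-%m-%d %H:%M:%S UTC"


def epoch_ms_to_text(epoch_ms):
    """Format milliseconds since the epoch as a UTC timestamp string."""
    stamp = datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc)
    return stamp.strftime(DATETIME_FORMAT)


def render_value(key, value):
    """Apply the same branch the template applies to one table cell.

    time / event_time are multiplied by 1000 (seconds -> milliseconds),
    esa_time is used as-is, and every other key is passed through.
    Values may arrive as int or as numeric strings.
    """
    if key in SECOND_KEYS:
        return epoch_ms_to_text(int(float(value)) * 1000)
    if key in MILLISECOND_KEYS:
        return epoch_ms_to_text(int(float(value)))
    return str(value)


def render_rows(metadata):
    """Render every key/value pair to the two-column row the template emits."""
    return [(key, render_value(key, value)) for key, value in metadata.items()]


def check_units(metadata):
    """Flag timestamp values whose magnitude does not match the expected unit.

    A seconds value that is really milliseconds (or the reverse) would render
    as a date thousands of years off; catch it before the template does.
    1e11 seconds is the year 5138, 1e11 milliseconds is the year 1973, so the
    threshold separates the two units for any realistic event time.
    """
    warnings = []
    for key, value in metadata.items():
        if key not in SECOND_KEYS and key not in MILLISECOND_KEYS:
            continue
        looks_like_ms = float(value) > 1e11
        expected_ms = key in MILLISECOND_KEYS
        if looks_like_ms != expected_ms:
            unit = "milliseconds" if expected_ms else "seconds"
            warnings.append(f"{key}={value} does not look like {unit} since the epoch")
    return warnings


if __name__ == "__main__":
    # Constructed sample alert metadata, not captured from a live ESA.
    sample = {
        "esa_time": 1477440000123,    # milliseconds
        "event_time": "1477440000",   # seconds, delivered as a string
        "time": 1477439990,           # seconds
        "ip_src": "10.0.0.5",         # passed through unchanged
    }
    for key, text in render_rows(sample):
        print(f"{key:<12}{text}")
    # A value in the wrong unit is reported instead of rendering a bogus date.
    for warning in check_units({"esa_time": 1477440000}):
        print("WARNING:", warning)
```

Run the script as-is to see the rendered rows for the constructed sample; the check_units pass is worth keeping in any test harness, because a key mapped to the wrong branch of the template fails silently in the email by printing a date far in the past or future rather than raising an error.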