000035154 - How to include SNORT IDS event information in an Alert Notification in RSA Security Analytics 10.6.x.x

Document created by RSA Customer Support Employee on May 17, 2017Last modified by RSA Customer Support Employee on May 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000035154
Applies ToRSA Product Set: Security Analytics, NetWitness Logs and Packets
RSA Product/Service Type: Reporting Engine
RSA Version/Condition: 10.6.x.x
IssueBy default when you click any of the output actions [SMTP or SNMP or Syslog] you will see the below:

User-added image

TasksThis article is intended to demonstrate the other event details that can be included in an Alert notification template where that notification can include sufficient values for a SOC team to raise a security incident.
ResolutionThere are two ways to modify the content in an alert notification.
  • Navigate to Reports > Manage > Alerts and then create a new alert with the desired output action where you can manually update the Alert notification.
  • Navigate to Reports > Manage > Alerts and then click on Template to include all the notification data inside that template. Then create an alert, select any desired notification method (SMTP, SNMP or Syslog) and then from the Body Template drop down menu select the template you just created.
    NOTE: The template will replace any existing values in the notification built-in body template.
The screenshots below depicts the steps of using the template with some of basic SNORT event-related values that will be presented in any alert notification method.
User-added image
User-added image
User-added image

Below are the SNORT-related event-values: 
Meta_time: ${meta.time}
Meta_Name: ${name}
Event_count: ${count}
SA_host_IP: ${sa.host}
Device Type: $(meta.device.type}
Device Class: ${meta.device.class}
Result: ${meta.result}
Police Name: ${meta.policy.name}
Event Time: ${meta.event.time.str}
Snort ID: ${meta.threat.desc}:${meta.msg.id}:${meta.version}
Source IP: ${meta.ip.src}
Destination IP: ${meta.ip.dst}