This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2011-05-05 07:39 PM

Additional output action fields

Can RSA please add more fields to the output action templates.  The current templates and are very "Network" centric.  We utilise envision alerts for alot of windows hosts and it would be good to see some windows fields like username, object type etc included into the templates. 

 

Why cant we just create our own and pick the fields that are in specific tables ??  seems simple enough to me and other SIEM products can do it.

0 Likes
Reply
8 Replies
JeffHermans
Beginner
Beginner
‎2011-05-26 03:15 PM

I second that request. It would be nice to be able to format the output similar to "<table-name:field-name>=<value>" within the body of the email.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to JeffHermans
‎2011-06-13 10:54 AM

I've been asking for this for years.  Even more specifically, I'd like to see these fields added:

 

Target Account Name

Caller Machine Name

Caller User Name

 

These fields are common throughout many Windows Security events and provide key information in events like Account Lockouts, Accounts Unlocked, Password Resets and many others like these.

 

As the other person stated, the output action fields available are very Network centric.  I think these are all still the original fields from many years ago.  Without the above fields that I mentioned, you have to use the Message Text field to get that information, but it ends up being a big block of data and you have to fish for it making it quite cumbersome.  Add trying to read it on a blackberry and it becomes a nightmare to say the least.

 

These are standard message fields and shouln't be too difficult to add, I would think.  I know the alert parsing is being addressed and that changes are coming down the road, but can we at least get tossed a bone to keep us somewhat satisfied for now?

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-09-26 02:02 AM

Any feedback from product management on this request ?
0 Likes
Reply
ScottPause
Beginner
Beginner
In response to RSAAdmin
‎2011-11-18 04:23 PM

I've asked that they at least standardize the fields they output. That would be a start.

ESE-357 - Need fields added to output action (should be for standardizing all fields output)

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to ScottPause
‎2012-01-03 05:14 PM

Would be nice to have an update on this one. I would still like to see username in my emails. The other nice thing would be the ability to use variables in the subject line.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2012-01-03 10:34 PM

The feature to add variables to subject line will be supported in upcoming version of enVision.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2012-01-04 11:09 AM

sreejith, thats great news!!! Very happy to see this.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2012-01-18 10:14 AM

I've been asking RSA about this for years as well. My understanding is that content 2.0 updates will allow more "common" fields to be shared across all event sources, similar to what the "global" table was meant to be. I really hope this comes soon, my customers have a difficult time understanding why we cannot give them meaningful output actions. Additionally, management wants all alerts forwarded to our event management solution, IBM Netcool. It's been far too long, i'm ready for RSA to take some action here...
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.