
ESA Alert Template Raw log possible ? CEF

Question asked by Clement Frizon on Jan 31, 2018
Latest reply on Jan 31, 2018 by Joshua Randall

Hello,


We are trying to send ESA alerts to Archer over syslog.

Is there a way to send the raw log that triggered the alert to Archer? I know how to send meta like our template below, but we need to send the whole log.


<#-- one CEF record per event in the alert; each meta key falls back to a single space when it is absent -->
<#list events as x>CEF:0|RSA|Security Analytics (ESA)|10.3.3|20|This incident is based on the rule "${moduleName}" and based on the aggregation criteria "Destination User" where the Destination User is:${x.user_dst!" "} and source is:${x.host_src!" "} and destination is:${x.alias_host!" "} and Port source is:${x.ip_srcport!" "} and Ports destination is:${x.ip_dstport!" "} |3|externalId=${x.sessionid!" "} src=${x.host_src!" "} dst=${x.alias_host!" "} rt=${time?datetime} sourceServiceName=${x.service!" "} requestClientApplication=${x.client!" "} destinationDnsDomain=${x.domain_dst!" "} smac=${x.eth_src!" "} dmac=${x.eth_dst!" "} cs1=${x.city_dst!" "} cs1Label=destinationcity cs2=${x.country_dst!" "} cs2Label=destinationcountry cs3=esa-${moduleName}-${x.user_dst!" "} cs3Label=aggregationcriteria alertagg=${id} cs4=${x.did!" "} cs4Label=decoderid cs5=${x.cid!" "} cs5Label=concentratorid cs6=${x.threat_source!" "} cs6Label=threatsource cs7=${x.referer!" "} cs7Label=referer cs8=esa cs8Label=RCFApplicationName spt=${x.tcp_srcport!" "} dpt=${x.tcp_dstport!" "} cs9=${x.udp_srcport!" "} cs9Label=udpsourceport cs10=${x.udp_dstport!" "} cs10Label=udptargetport cs11=${x.latdec_dst!" "} cs11Label=destinationlattitude cs12=${x.latdec_src!" "} cs12Label=sourcelattitude cs13=${x.longdec_dst!" "} cs13Label=destinationlongitude cs14=${x.longdec_src!" "} cs14Label=sourcelongitude cs15=${x.alert_id!" "} cs15Label=alertid cs16=${x.domain_src!" "} cs16Label=sourcedomain cs17=${x.domain_dst!" "} cs17Label=destinationdomain cs18=${moduleName} cs18Label=alert cs19=${x.country_src!" "} cs19Label=sourcecountry cs20=${x.city_src!" "} cs20Label=sourcecity cs21=${x.device_id!" "} cs21Label=deviceid msg=${moduleName} grouped by Destination User:${x.user_dst!" "} cs24=${x.risk_info!" "} cs24Label=riskinfo cs25=${x.risk_warning!" "} cs25Label=riskwarn cs26=${x.risk_suspicious!" "} cs26Label=risksusp cs27=${x.threat_category!" "} cs27Label=threatcategory cs28=${x.threat_desc!" "} cs28Label=threatdesc cs29=L2 Incident Handlers cs29Label=Incident_Queue cs30=Automatic cs30Label=Detection_Type cs31=Abnormal activity cs31Label=Incident_Type_1 cs32=Network cs32Label=Category cat=${x.category!" "} level=${x.level!" "} devicetype=${x.device_type!" "} deviceclass=${x.device_class!" "} suser=${x.user_src!" "} eventsource=${x.event_source!" "} eventtype=${x.event_type!" "} eventdescription=${x.event_desc!" "} duser=${x.user_dst!" "} filename=${x.filename!" "} deviceip=${x.device_ip!" "} esaseverity=${severity} time=${x.esa_time?number_to_datetime!" "} statement=${statement} id=${id} moduleType=${moduleType}$$$$</#list>


Regards,


Clement
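Added example, not from the post above and not RSA product code: a small Python CEF encoder/decoder showing why a raw log cannot be dropped verbatim into a CEF extension field. A raw log contains the characters CEF reserves ('=', '\' and line breaks in the extension, '|' in the header), and if they are not escaped the receiver on the Archer side splits the record at the wrong places. Assumptions: the raw log goes into the unused cs22/cs22Label slot (the template above skips it), and the sample log line is constructed.

```python
import re

# Constructed sample of a raw log that triggered an alert. It carries the
# characters that corrupt a CEF extension when copied verbatim: '=', '\' and a newline.
RAW_LOG = 'Jan 31 10:02:11 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.9\nuser=alice\\admin'

def escape_header(value):
    # Header fields (vendor, product, version, id, name, severity): '\' and '|' are reserved.
    return value.replace('\\', '\\\\').replace('|', '\\|')

def escape_extension(value):
    # Extension values: '\', '=' and line breaks are reserved; '\' must be escaped first.
    return (value.replace('\\', '\\\\').replace('=', '\\=')
                 .replace('\r', '\\r').replace('\n', '\\n'))

def build_cef(header, extension):
    # header: (vendor, product, version, signature id, name, severity); extension: ordered key/value pairs
    head = '|'.join(escape_header(str(v)) for v in header)
    ext = ' '.join('%s=%s' % (k, escape_extension(str(v))) for k, v in extension.items())
    return 'CEF:0|%s|%s' % (head, ext)

def _unescape_extension(value):
    # Reverse escape_extension; '\\' is consumed as one token so it is never re-scanned.
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1)), value)

# An extension value runs until the next ' key=' token or the end of the line.
# '\\.' consumes escaped characters, so an escaped '=' inside a value never starts a new key.
_EXT_TOKEN = re.compile(r'(\w+)=((?:\\.|[^\\])*?)(?=\s\w+=|$)')

_HEADER_NAMES = ('cef_version', 'vendor', 'product', 'device_version', 'signature_id', 'name', 'severity')

def parse_cef(line):
    # Walk the header by hand so an escaped '|' inside a field (e.g. the rule name) is kept.
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:   # 'CEF:0' plus six header fields
        c = line[i]
        if c == '\\' and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2; continue
        if c == '|':
            fields.append(''.join(buf)); buf = []; i += 1; continue
        buf.append(c); i += 1
    fields[0] = fields[0].split(':', 1)[1]      # 'CEF:0' -> '0'
    extension = {k: _unescape_extension(v) for k, v in _EXT_TOKEN.findall(line[i:])}
    return dict(zip(_HEADER_NAMES, fields)), extension

if __name__ == '__main__':
    record = build_cef(('RSA', 'Security Analytics (ESA)', '10.3.3', '20', 'Rule|name', '3'),
                       {'externalId': '12345', 'src': '10.0.0.5', 'cs22': RAW_LOG, 'cs22Label': 'rawlog'})
    print(record)
    print(parse_cef(record)[1]['cs22'] == RAW_LOG)
```

The round trip only holds because every reserved character is escaped on the way out; the `dst=10.0.0.9` fragment inside the raw log would otherwise be parsed as a second `dst` key.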
