Hello,
We are tying to send in syslog esa alert to Archer.
Is there a way to send the raw log, who have trigerred the alert to archer ? I know how to sent meta like our template below, but we need to send all the log.
<#list events as x>CEF:0|RSA|Security Analytics (ESA)|10.3.3|20|This incident is based on the rule "${moduleName}" and based on the aggregation criteria "Destination User" where the Destination User is:${x.user_dst!" "} and source is:${x.host_src!" "} and destination is:${x.alias_host!" "} and Port source is:${x.ip_srcport!" "} and Ports destination is:${x.ip_dstport!" "} |3|externalId=${x.sessionid!" "} src=${x.host_src!" "} dst=${x.alias_host!" "} rt=${time?datetime} sourceServiceName=${x.service!" "} requestClientApplication=${x.client!" "} destinationDnsDomain=${x.domain_dst!" "} smac=${x.eth_src!" "} dmac=${x.eth_dst!" "} cs1=${x.city_dst!" "} cs1Label=destinationcity cs2=${x.country_dst!" "} cs2Label=destinationcountry cs3=esa-${moduleName}-${x.user_dst!" "} cs3Label=aggregationcriteria alertagg=${id} cs4=${x.did!" "} cs4Label=decoderid cs5=${x.cid!" "} cs5Label=concentratorid cs6=${x.threat_source!" "} cs6Label=threatsource cs7=${x.referer!" "} cs7Label=referer cs8=esa cs8Label=RCFApplicationName spt=${x.tcp_srcport!" "} dpt=${tcp_dstport!" "} cs9=${x.udp_srcport!" "} cs9Label=udpsourceport cs10=${x.udp_dstport!" "} cs10Label=udptargetport cs11=${x.latdec_dst!" "} cs11Label=destinationlattitude cs12=${x.latdec_src!" "} cs12Label=sourcelattitude cs13=${x.longdec_dst!" "} cs13Label=destinationlongitude cs14=${x.longdec_src!" "} cs14Label=sourcelongitude cs15=${x.alert_id!" "} cs15Label=alertid cs16=${x.domain_src!" "} cs16Label=sourcedomain cs17=${x.domain_dst!" "} cs17Label=destinationdomain cs18=${moduleName} cs18Label=alert cs19=${x.country_src!" "} cs19Label=sourcecountry cs20=${x.city_src!" "} cs20Label=sourcecity cs21=${x.device_id!" "} cs21Label=deviceid msg=${moduleName} grouped by Destination User:${x.user_dst!" "} cs24=${x.risk_info!" "} cs24Label=riskinfo cs25=${x.risk_warning!" "} cs25Label=riskwarn cs26=${x.risk_suspicious!" "} cs26Label=risksusp cs27=${x.threat_category!" "} cs27Label=threatcategory cs28=${x.threat_desc!" "} cs28Label=threatdesc cs29=L2 Incident Handlers cs29Label=Incident_Queue cs30=Automatic cs30Label=Detection_Type cs31=Abnormal activity cs31Label=Incident_Type_1 cs32=Network cs32Label=Category cat=${x.category!" "} level=${x.level!" "} devicetype=${x.device_type!" "} deviceclass=${x.device_class!" "} suser=${x.user_src!" "} eventsource=${x.event_source!" "} eventtype=${x.event_type!" "} eventdescription=${x.event_desc!" "} duser=${x.user_dst!" "} filename=${x.filename!" "} deviceip=${x.device_ip!" "} esaseverity=${severity} time=${x.esa_time?number_to_datetime!" "} statement=${statement} id=${id} moduleType=${moduleType}$$$$</#list>
Regards,
Clement
Hi Clement,
I have moved this thread to the RSA NetWitness Platform community so that you can get an answer to your question.
Thanks,
Jeff