
ESA Syslog Template for SA

Question asked by hubba900 on Jun 3, 2015
Latest reply on Sep 23, 2016 by Sal Sanshez

Hello,

I would like to use data from ESA in my reports. I would like to see how many alerts I have every day, and also who (ip.src/ip.dst and user.dst) is caught by the ESA rule. To create this report I have to pull ESA events into the Log Decoder and then create a report using device.type = rsa_security_analytics_esa. By default I have this ESA Syslog Template:

CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId}

But this is not enough for me. I modified the template to:

CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} deviceip=${events[0].device_ip!" "} devicetype=${events[0].device_type!" "} src=${events[0].ip_src!" "} shost=${events[0].host_src!" "} dst=${events[0].ip_dst!" "} dhost=${events[0].host_dst!" "} duser=${events[0].user_dst!" "}

But this only gives me the metadata from the first event. If I use this template:

<#list events as x>CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} deviceip=${x.device_ip!" "} devicetype=${x.device_type!" "} src=${x.ip_src!" "} shost=${x.host_src!" "} dst=${x.ip_dst!" "} dhost=${x.host_dst!" "} duser=${x.user_dst!" "}</#list>

or this:

CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as x>deviceip=${x.device_ip!" "} devicetype=${x.device_type!" "} src=${x.ip_src!" "} shost=${x.host_src!" "} dst=${x.ip_dst!" "} dhost=${x.host_dst!" "} duser=${x.user_dst!" "}</#list>

the events are not parsed in the Log Decoder.

Do you have any ideas? I also want to see (added to this ESA event) a link to each raw message that ESA used in the rule.
