I'm having difficulty identifying the username that was used in a correlation rule to trigger an alert.
Currently my alerts generate a task.
In Event Explorer, I’ve identified the entries that contain the Events and the ones that contain the Alerts.
Using the Datastore storage option, the Other13 variable for Alerts is 16 and for Events it is 99. However, in these entries there is no variable containing the username that generated the alert even though the username variable is used in the correlation rule as the multi-threading key.
Can someone point me in the right direction for finding the username?
I'd like to be able to report on usernames that generated alerts, but without finding out the username this is a bit difficult. It seems the only place where the username is visible is in the "Trace" logs of Event Explorer, but I also can't seem to find how to report on these, as the Task Triage table is very limited in the variables it shows.
Thanks in advance