RSA Admin

Correlation Rule Variables Filter / Multi-threading

Discussion created by RSA Admin Employee on Jul 12, 2011
Latest reply on Aug 2, 2011 by RSA Admin

Hopefully I can explain this in a way that makes sense.


I am very familiar with creating new reports in envision.  I can put together test reports that will show me where data ends up getting parsed to, and to filter down the columns that actually have the data we are looking for.


Now I am trying to move some reports over to alerts and I see that the variables that you can use for filtering and multi-threading do not match up with fields I see in the report tables.  Is there a way (utility, etc) I can identify what is going into these variables based on test data? 


The rule I want to make deals with windows 2008 user names, but I am not sure if I would use the Event User, Login ID or User Name variable.  For a report I would just run one and show the data for all three and see what is getting populated.  For this I am not sure how I can see which variable is getting the real username from a log message.


I would think there is a somewhat easy way of doing this, since you would often want to know what is in a variable.  Any info someone could provide would be GREATLY appreciated!!