2015-01-22 04:31 PM
Hi, I want to create custom templates for email notifications.
ESA has a default email template inside Alerts-Configure-Settings-Templates, "Default SMTP Template".
I want to create a new one customized with very specific meta, similar to what we can do with the Reporting Engine.
Does anybody know how to do it? And how to use the meta available for the specific alert?
2015-01-27 10:05 PM
You can create a new template to include any metadata that you like. The syntax to use the metadata is ${metakey}. Below is an example template that is used to send events from the RSA Security Analytics ESA server to the RSA Security Operations Manager solution.
<#list events as x>CEF:0|RSA|Security Analytics (ESA)|10.4|20|This incident is based on the rule "${moduleName}" and based on the aggregation criteria "Destination IP" where the Destination IP is:${x.ip_dst!" "}|3|externalId=${x.sessionid!" "} src=${x.ip_src!" "} dst=${x.ip_dst!" "} rt=${time?datetime} sourceServiceName=${x.service!" "} requestClientApplication=${x.client!" "} destinationDnsDomain=${x.domain_dst!" "} smac=${x.eth_src!" "} dmac=${x.eth_dst!" "} cs1=${x.city_dst!" "} cs1Label=destinationcity cs2=${x.country_dst!" "} cs2Label=destinationcountry cs3=esa-${moduleName}-${x.ip_dst!" "} cs3Label=aggregationcriteria alertagg=${id} cs4=${x.did!" "} cs4Label=decoderid cs5=${x.cid!" "} cs5Label=concentratorid cs6=${x.threat_source!" "} cs6Label=threatsource cs7=${x.referer!" "} cs7Label=referer cs8=esa cs8Label=RCFApplicationName spt=${x.tcp_srcport!" "} dpt=${x.tcp_dstport!" "} cs9=${x.udp_srcport!" "} cs9Label=udpsourceport cs10=${x.udp_dstport!" "} cs10Label=udptargetport cs11=${x.latdec_dst!" "} cs11Label=destinationlattitude cs12=${x.latdec_src!" "} cs12Label=sourcelattitude cs13=${x.longdec_dst!" "} cs13Label=destinationlongitude cs14=${x.longdec_src!" "} cs14Label=sourcelongitude cs15=${x.alert_id!" "} cs15Label=alertid cs16=${x.domain_src!" "} cs16Label=sourcedomain cs17=${x.domain_dst!" "} cs17Label=destinationdomain cs18=${moduleName} cs18Label=alert cs19=${x.country_src!" "} cs19Label=sourcecountry cs20=${x.city_src!" "} cs20Label=sourcecity cs21=${x.device_id!" "} cs21Label=deviceid msg=${moduleName} grouped by Destination IP:${x.ip_dst!" "} cs24=${x.risk_info!" "} cs24Label=riskinfo cs25=${x.risk_warning!" "} cs25Label=riskwarn cs26=${x.risk_suspicious!" "} cs26Label=risksusp cs27=${x.threat_category!" "} cs27Label=threatcategory cs28=${x.threat_desc!" "} cs28Label=threatdesc cat=${x.category!" "} level=${x.level!" "} devicetype=${x.device_type!" "} deviceclass=${x.device_class!" "} suser=${x.user_src!" "} eventsource=${x.event_source!" "} eventtype=${x.event_type!" "} eventdescription=${x.event_desc!" "} duser=${x.user_dst!" "} filename=${x.filename!" "} deviceip=${x.device_ip!" "} esaseverity=${severity} time=${x.esa_time?number_to_datetime!" "} statement=${statement} id=${id} moduleType=${moduleType}$$$$</#list>
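For readers who want a human-readable mail body rather than a CEF line, the following is an added example template, not code from this thread or from RSA. It uses only the template variables the CEF example above relies on (events, moduleName, id, severity, time, statement, moduleType) and metakeys that appear in the thread; it assumes the ESA SMTP template context exposes those same names, and that the template body is sent as plain text. Any metakey that does not exist in your meta simply renders through its default.

```freemarker
<#-- Added example (not from this thread or from RSA): a plain-text alert body
     built from the same template variables as the CEF example above:
     events, moduleName, id, severity, time, statement, moduleType.
     The metakeys used here are the ones seen in the thread; check each one
     against the meta your own decoders actually produce. -->
ESA alert     : ${moduleName} (severity ${severity}, module type ${moduleType})
Alert id      : ${id}
Fired at      : ${time?datetime}
Rule statement: ${statement}
Events matched: ${events?size}

<#list events as x>
--- Event ${x_index + 1} of ${events?size} ---
session id   : ${x.sessionid!"n/a"}
source       : ${x.ip_src!"n/a"}  port ${x.tcp_srcport!"n/a"}  user ${x.user_src!"n/a"}
destination  : ${x.ip_dst!"n/a"}  port ${x.tcp_dstport!"n/a"}  user ${x.user_dst!"n/a"}
service      : ${x.service!"n/a"}  domain ${x.domain_dst!"n/a"}
device       : ${x.device_ip!"n/a"} (${x.device_class!"n/a"}, decoder ${x.did!"n/a"})
<#-- referer and filename are taken from observed traffic, so an attacker
     controls their contents. In an HTML-bodied template render them as
     ${(x.referer!"n/a")?html} so they cannot inject markup into the mail;
     the parentheses matter, because ! binds more loosely than ?html. -->
referer      : ${x.referer!"n/a"}
filename     : ${x.filename!"n/a"}
<#if x.event_desc??>description  : ${x.event_desc}</#if>
</#list>
```

Two FreeMarker behaviours worth knowing before relying on this: the `!"n/a"` default only covers a missing or null value, so a metakey that is present but empty renders as an empty string; and if a port or similar field arrives as a number rather than a string, `${x.tcp_srcport}` is formatted with the configured number format and may show grouping separators (51,234), whereas `?c` renders it plainly.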
2016-09-27 12:54 PM
Is there an option for the raw log message?
2018-08-20 06:44 AM
Hello there. I am also trying to customize the body of an alert mail. For the moment, the body of the mail contains only the link to the event, such as: https://${sa.host}/investigation/${device.id}/navigate/event/DETAILS/${meta.sessionid}
We want to change the body of the mail when the alert is sent, and we need to log in to the RSA console to understand it better.
I tried to enter the code written by @Chris Thomas, but when I receive the mail with the alert I have only the code.
Any idea, please?
Thanks
2018-08-23 03:38 AM
You could do what you require with a script. See
000031690 - How to send customized subjects in an RSA Security Analytics ESA alert email
You would need to modify the script to include the raw message contents.
I had a look and someone has already done this.
2018-08-23 05:16 AM
Thank you, David Waugh, for your reply. I followed the steps, but in my case I do not have an RSA Live ESA rule alert. My alert is under Reports-Manage-Alert and I do not have Script as an output. All I have when I try to edit my firewall alert is: Notification Record, SMTP, SNMP, Syslog. I also have Body Template.
2018-08-23 07:50 AM
I think unfortunately you are out of luck then =(
2018-08-23 08:08 AM
I found an article about variables in RSA security alerts. I will explore them, thanks.
2018-09-04 04:58 PM
Actually, I want to do the same configuration. Anyone know how?
2018-09-06 06:09 AM
Hello, I managed to create an ESA rule for FW changes. I modified the existing ESA rule for router:
/*
Version: 3
*/
module Module_esa000069;
@Name('Module_esa000069_Alert')
@RSAAlert(oneInSeconds=0)
SELECT * FROM
Event(
medium = 32
AND
device_class = 'Firewall'
AND
(
event_cat_name = 'Config.Changes'
OR
(ec_activity = 'Modify' AND ec_theme = 'Configuration')
)
).win:time_length_batch(300 seconds, 1) HAVING COUNT(*) = 1;