2018-01-31 01:45 PM
Hello,
I'm trying to create a dashlet that can give me the alerts by criticality: critical, high, medium and low.
For that I believe I need to create a chart, but which meta should I choose? I chose alerts and alert.id and I could not obtain any info like I want.
Has anyone done the same?
2018-01-31 02:03 PM
Renato
There is very little reporting that you can do on Alerting OOTB. What I have done is the following:
I create a new Global Notification template using the following string:
ESA|RSA|Security Analytics ESA|10.6.2|Alert|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as x> sessionid=${x.sessionid!" "} service=${x.service!" "} protocol=${x.ip_proto!" "} saddr=${x.ip_src!" "} sport=${x.tcp_srcport!" "} hostname=<#if x.alias_host?has_content><@value_of x.alias_host /></#if> daddr=${x.ip_dst!" "} dport=${x.tcp_dstport!" "} duser=${x.user_dst!" "} suser=${x.user_src!" "} fname=${x.filename!" "} filePath=${x.directory!" "} dport=${x.udp_dstport!" "} action=${x.action!" "} eventdesc=${x.event_desc!" "} eventcomputer=${x.event_computer!" "} domain=${x.domain!" "} messageID=${x.msg_id!" "} group=${x.group!" "} ec.theme=${x.ec_theme!" "} ec.outcome=${x.ec_outcome!" "} ec.subject=${x.ec_subject!" "} ec.activity=${x.ec_activity!" "}</#list>
Once that is completed, I go into my ESA rules and add a syslog output action of the above template to every rule. Note that you must have a syslog server set up in Global Notifications to point to the NWLD.
Once that is done, I install the Netwitness_alerts parser on the log decoder.
Once both of these pieces are done, you will have a new device type of Netwitness_Alerts.
There is a bunch of meta from the rule outputs now available, one of which is severity. There is also rule name, which is nice to have for a dashboard as well.
Let me know if you have any issues.
Dave
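To make the shape of the syslog line Dave's template emits concrete, here is an added example (not part of the thread, and not the Netwitness_alerts parser itself) that parses such lines and tallies them by severity and by rule name, which is exactly the breakdown the dashlet in the question needs. The sample lines are constructed to match the template's pipe-delimited header followed by key=value pairs; the rule names, IDs and addresses in them are invented. It assumes the statement and module name contain no "|" character.

```python
"""Parse alert lines in the shape produced by the notification template above and
summarise them by severity and rule for a dashboard. Added example; it is not the
NetWitness_alerts parser, and SAMPLE_LINES are constructed for illustration."""
import re
from collections import Counter

# Header fields before the key=value payload, in the order the template writes them.
HEADER_FIELDS = ["product", "vendor", "device", "version", "type",
                 "statement", "module", "severity"]

# One key=value pair. The value is matched lazily until the next " key=" or end of
# line, so values containing spaces (rt=Jan 31, 2018 1:45:00 PM) are kept intact.
KV_RE = re.compile(r"([A-Za-z_][\w.]*)=(.*?)(?=\s[A-Za-z_][\w.]*=|$)")

# Display order for the dashboard, zero-filled when a severity has no alerts.
SEVERITY_ORDER = ["critical", "high", "medium", "low"]

# Constructed sample lines (invented rule names, IDs and addresses); the last one is
# an unrelated syslog line to show that it is skipped rather than miscounted.
SAMPLE_LINES = [
    "ESA|RSA|Security Analytics ESA|10.6.2|Alert|Brute Force Login|Brute Force Login|high|"
    "rt=Jan 31, 2018 1:45:00 PM id=8f2a source=esa01 sessionid=1001 service=22 protocol=6 "
    "saddr=10.0.0.5 sport=51000 hostname= daddr=10.0.0.9 dport=22 duser=admin suser=  "
    "action=login eventdesc=failed logon ec.outcome=failure",
    "ESA|RSA|Security Analytics ESA|10.6.2|Alert|Malware Beacon|Malware Beacon|critical|"
    "rt=Jan 31, 2018 1:50:12 PM id=8f2b source=esa01 sessionid=1002 service=80 protocol=6 "
    "saddr=10.0.0.7 sport=49000 hostname=files.example.com daddr=203.0.113.10 dport=80 "
    "dport=  action=get",
    "ESA|RSA|Security Analytics ESA|10.6.2|Alert|Brute Force Login|Brute Force Login|high|"
    "rt=Jan 31, 2018 2:01:33 PM id=8f2c source=esa01 sessionid=1003 service=22 "
    "saddr=10.0.0.8 daddr=10.0.0.9 dport= dport=53 suser=  action=login",
    "ESA|RSA|Security Analytics ESA|10.6.2|Alert|Port Scan|Port Scan|Medium|"
    "rt=Jan 31, 2018 2:10:00 PM id=8f2d source=esa01 sessionid=1004 saddr=10.0.0.5 daddr=10.0.0.20",
    "Jan 31 14:11:00 esa01 some unrelated syslog line with no alert header",
]


def parse_alert(line):
    """Return a dict of header fields plus key=value fields, or None when the line
    does not carry the eight-field header the template writes."""
    parts = line.rstrip("\n").split("|", len(HEADER_FIELDS))
    if len(parts) != len(HEADER_FIELDS) + 1:
        return None
    record = dict(zip(HEADER_FIELDS, parts))
    record["severity"] = record["severity"].strip().lower()
    for key, value in KV_RE.findall(parts[-1]):
        value = value.strip()  # the template's default for a missing value is " "
        # The template emits dport twice (tcp_dstport, then udp_dstport). Keep the
        # first non-blank value instead of letting the blank repeat overwrite it.
        if key in record and record[key] and not value:
            continue
        record[key] = value
    return record


def severity_counts(lines):
    """Alert count per severity, in dashboard order, with unknown severities appended."""
    counts = Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec is not None:
            counts[rec["severity"] or "unknown"] += 1
    ordered = {sev: counts.pop(sev, 0) for sev in SEVERITY_ORDER}
    ordered.update(sorted(counts.items()))
    return ordered


def rule_counts(lines, severity=None):
    """Alert count per rule (module name), optionally restricted to one severity."""
    counts = Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec is not None and (severity is None or rec["severity"] == severity):
            counts[rec["module"]] += 1
    return dict(counts.most_common())


if __name__ == "__main__":
    print("by severity:", severity_counts(SAMPLE_LINES))
    print("by rule:", rule_counts(SAMPLE_LINES))
    print("high-severity rules:", rule_counts(SAMPLE_LINES, severity="high"))
```

Severity is lowercased before counting so "Medium" and "medium" land in the same bucket, and the blank-versus-filled handling of the repeated dport key is worth keeping in mind when building meta keys from the template: whichever of tcp_dstport or udp_dstport is populated is the one you want to see.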