This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

ESA Alerts Summary on Dashboard

SoumyajitDhara
Beginner
Beginner

‎2016-06-26 05:14 AM

Hi Guys,

 

One quick and simple question. Is it possible to show Alert Summary of ESA on Security Analytics Dashboard.

12 REPLIES 12

DavidWaugh1
Employee
Employee

‎2016-06-26 06:35 AM

Yea

Send syslog from esa to log decoder to generate meta.

 

Then write a rule and report to us this meta.

 

Sent from my iPhone

0 Likes

SoumyajitDhara
Beginner
Beginner
In response to DavidWaugh1

‎2016-06-26 06:41 AM

Global Audit Logging is already enabled and configured for Security Analytics. Is it same you are referring or different.

0 Likes

DavidWaugh1
Employee
Employee
In response to SoumyajitDhara

‎2016-06-27 03:50 AM

Hi

 

What I mean is set Syslog notification on the ESA Rule, with the template in CEF format. This will send the ESA alert to the log decoder where meta will be generated.

 

First set up a notification on the ESA Rule

 

esarule.jpg

 

Make sure that the template type is one with a CEF template defined and the the syslog will be sent to your log decoder.

 

Here is an example of a verbose template that I use:

 

<#include "macros.ftl"/>

CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as metadata><#list metadata?keys?sort as key> ${key}=<@value_of metadata[key]/></#list></#list>

 

verboseesa.jpg

 

Any meta in the esa alert will then get sent to the Log Decoder including the name of the ESA Alert.

 

You can then create a report based on this meta (using device.type = 'rsa_security_analytics_esa')

 

esameta.jpg

 

You can then use this meta in a report.

esareportrule.jpg

ruleoutput.jpg

 

And then make it into a Dashlet chart!

 

chart.jpg

SoumyajitDhara
Beginner
Beginner
In response to DavidWaugh1

‎2016-06-27 08:05 AM

Worked !!!

 

Thanks a lot David..

0 Likes

DavidWaugh1
Employee
Employee

‎2016-06-27 08:32 AM

Thats good news.

Note. I changed my syslog from UDP to TCP and increased the size up to 4096. This is because the messages can be quite large, so if you are sending messages over UDP they are likely to be truncated and so not parsed correctly.

0 Likes

SoumyajitDhara
Beginner
Beginner
In response to DavidWaugh1

‎2016-06-27 09:22 AM

That great. Thanks for the information.

0 Likes

Anonymous
Not applicable

‎2016-06-30 04:54 PM

Hi Soumyajit Dhara​ -

 

Please feel free to reach out to me to discuss our roadmap. This forum probably isn't the place to discuss the future of the product, but I'd be happy to spend some time discussing our direction specifically around the issue in this thread.

 

Thanks!

 

Corey Dukai

SoumyajitDhara
Beginner
Beginner
In response to Anonymous

‎2016-07-05 02:52 AM

Hi Corey Dukai,

 

Yes, lets discuss. But which place is suitable, to discuss about the future of this product let me know.

0 Likes

MohdSaadKhan
Frequent Contributor
Frequent Contributor
In response to DavidWaugh1

‎2016-11-30 02:03 AM

Hi David,

 

I have successfully created the alert dashboard but I am not getting severity of the particular alerts in investigation though I have opened, indexed "severity" meta. If I want to create dashboard according to severity of alerts what should I follow.

 

Regards

Saad

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.