2016-06-26 05:14 AM
Hi Guys,
One quick and simple question. Is it possible to show the Alert Summary of ESA on the Security Analytics Dashboard?
2016-06-26 06:35 AM
Yea
Send syslog from esa to log decoder to generate meta.
Then write a rule and report to use this meta.
Sent from my iPhone
2016-06-26 06:41 AM
Global Audit Logging is already enabled and configured for Security Analytics. Is it the same thing you are referring to, or something different?
2016-06-27 03:50 AM
Hi
What I mean is set Syslog notification on the ESA Rule, with the template in CEF format. This will send the ESA alert to the log decoder where meta will be generated.
First set up a notification on the ESA Rule
Make sure that the template type is one with a CEF template defined and that the syslog will be sent to your log decoder.
Here is an example of a verbose template that I use:
<#include "macros.ftl"/>
CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as metadata><#list metadata?keys?sort as key> ${key}=<@value_of metadata[key]/></#list></#list>
Any meta in the esa alert will then get sent to the Log Decoder including the name of the ESA Alert.
You can then create a report based on this meta (using device.type = 'rsa_security_analytics_esa')
You can then use this meta in a report.
And then make it into a Dashlet chart!
2016-06-27 08:05 AM
Worked!!!
Thanks a lot David..
2016-06-27 08:32 AM
That's good news.
Note: I changed my syslog from UDP to TCP and increased the size up to 4096. This is because the messages can be quite large, so if you are sending messages over UDP they are likely to be truncated and so not parsed correctly.
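To show what the log decoder has to work with, here is a small parser for the CEF line that the template above renders, added here as an example (it is not code from this thread or from RSA). The sample alert line and its field values are constructed; the 4096-byte limit mirrors the syslog size set in the note above, and the severity bucket is only a suggestion for driving a dashlet series.

```python
import re

# Constructed sample of one line as the template above would render it
# (values are made up; only the layout follows the template in this thread).
SAMPLE_CEF = (
    "CEF:0|RSA|Security Analytics ESA|10.4|Failed Logins Burst|Brute Force Module|7|"
    "rt=Jun 27, 2016 9:15:02 AM id=3f2a-example source=LogDecoder01 "
    "user.dst=alice ip.src=10.0.0.5 severity=7 alert.name=Failed Logins Burst"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# Extension keys contain no spaces, but values may; a key therefore starts at
# the beginning of the extension or after whitespace and ends at '='.
_KEY_RE = re.compile(r"(?:^|\s)([\w.\-]+)=")

def parse_cef(line):
    """Parse one CEF line into its 7 header fields plus an 'ext' dict of key=value pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Split on unescaped pipes only; everything after the 7th pipe is the extension.
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header is incomplete (message truncated?)")
    record = {f: v.replace("\\|", "|") for f, v in zip(HEADER_FIELDS, parts[:7])}
    ext, pairs = parts[7], {}
    keys = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        pairs[m.group(1)] = ext[m.end():end].strip()
    record["ext"] = pairs
    return record

def looks_truncated(line, max_bytes):
    """True when the raw message fills the transport's size limit, so its tail was likely cut."""
    return len(line.encode("utf-8")) >= max_bytes

def severity_bucket(record):
    """Map the CEF severity (0-10) to a label usable as a dashboard series (assumed thresholds)."""
    sev = int(record["severity"])
    if sev >= 7:
        return "high"
    if sev >= 4:
        return "medium"
    return "low"
```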
2016-06-27 09:22 AM
That's great. Thanks for the information.
2016-06-30 04:54 PM
Hi Soumyajit Dhara -
Please feel free to reach out to me to discuss our roadmap. This forum probably isn't the place to discuss the future of the product, but I'd be happy to spend some time discussing our direction specifically around the issue in this thread.
Thanks!
Corey Dukai
2016-07-05 02:52 AM
Hi Corey Dukai,
Yes, let's discuss. But let me know which place is suitable to discuss the future of this product.
2016-11-30 02:03 AM
Hi David,
I have successfully created the alert dashboard, but I am not getting the severity of the particular alerts in Investigation, though I have opened and indexed the "severity" meta. If I want to create a dashboard according to the severity of alerts, what should I follow?
Regards
Saad