2016-06-26 05:14 AM
Hi Guys,
One quick and simple question. Is it possible to show the Alert Summary of ESA on the Security Analytics Dashboard?
2016-11-30 03:57 AM
Hi Saad,
You have sent your ESA alerts via syslog back into the logdecoder. I would open the alert in Investigation and check that the severity meta is part of the alert.
Looking at the CEF.xml parser, the severity is the part after the event description.
content="<event_time_string>{ <hostname> mwg: | <hostname>} CEF:<cefversion>|<devvendor>|<product>|<version>|<event_type>|<event_description>|<severity>|<!payload>"/>
If you are creating severity meta, then you need to adjust your reporting rules to make use of it.
2016-11-30 04:17 AM
Hi David,
I have got the above-mentioned line and it is correct. But I am getting severity as 3,5 (in numbers) rather than as low, medium, high. How can I resolve this?
2016-11-30 04:37 AM
Hi Saad,
Thanks for your reply.
What I would do is create a feed.
Create a CSV file containing the following:
#Severity, Description
3,Low
5,Medium
7,High
9,Critical
This will map our numeric values to the text values that you want.
Then create a custom feed:
Severity will then have both the numeric and the text value.
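As an added example (not code from this thread, from RSA, or from the CEF.xml parser), the following Python script parses a syslog line in the layout the parser above describes, pulls out the numeric severity field after the event description, and applies the feed's numeric-to-text mapping. The CSV contents and the sample alert line embedded in it are constructed for the example; the field names follow the parser's content string.

```python
import csv
import io
import re

# Constructed copy of the severity feed CSV from the thread (embedded, not read from disk).
SEVERITY_FEED_CSV = """#Severity, Description
3,Low
5,Medium
7,High
9,Critical
"""

# Header field names in the order the CEF.xml parser content string lists them.
CEF_HEADER_FIELDS = ["cefversion", "devvendor", "product", "version",
                     "event_type", "event_description", "severity"]


def load_severity_feed(csv_text):
    """Build {numeric severity: text label} from the feed CSV, skipping '#' comment lines."""
    mapping = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        mapping[row[0].strip()] = row[1].strip()
    return mapping


def split_cef_header(line):
    """Split the CEF header on unescaped '|' (CEF escapes a literal pipe as '\\|')."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    body = line[start + len("CEF:"):]
    # Split on '|' not preceded by a backslash; at most 7 splits, the rest is the payload.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    header = dict(zip(CEF_HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    header["payload"] = parts[7]
    return header


def enrich_severity(line, feed):
    """Return the parsed header plus a 'severity_text' value looked up from the feed."""
    header = split_cef_header(line)
    header["severity_text"] = feed.get(header["severity"].strip(), "Unknown")
    return header


# Constructed sample alert line in the syslog/CEF layout the thread describes.
SAMPLE = ("Jun 26 05:14:00 esa01 CEF:0|RSA|Security Analytics ESA|10.6|rule-001|"
          "Multiple failed logins for admin\\|root|7|src=10.0.0.5 dst=10.0.0.9")

if __name__ == "__main__":
    print(enrich_severity(SAMPLE, load_severity_feed(SEVERITY_FEED_CSV)))
```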