This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

ESA Alerts Summary on Dashboard

SoumyajitDhara
Beginner
Beginner

‎2016-06-26 05:14 AM

Hi Guys,

 

One quick and simple question. Is it possible to show Alert Summary of ESA on Security Analytics Dashboard.

12 REPLIES 12

DavidWaugh1
Employee
Employee
In response to MohdSaadKhan

‎2016-11-30 03:57 AM

Hi Saad,

 

You have sent your ESA alerts via syslog back into the logdecoder. I would open the alert in Investigation and check that the severity meta is part of the alert. 

 

Looking at the CEF.xml parser, the severity is the part after the event description.

 

 content="<event_time_string>{ <hostname> mwg: | <hostname>} CEF:<cefversion>|<devvendor>|<product>|<version>|<event_type>|<event_description>|<severity>|<!payload>"/>

 

If you are creating severity meta, then you need to adjust your reporting rules to make use of it.

0 Likes

MohdSaadKhan
Frequent Contributor
Frequent Contributor
In response to DavidWaugh1

‎2016-11-30 04:17 AM

Hi David,

 

I have got the above mentioned line it is correct. But I am getting severity as 3,5 (in numbers) rather than as low, medium, high. How can I resolve this

0 Likes

DavidWaugh1
Employee
Employee
In response to MohdSaadKhan

‎2016-11-30 04:37 AM

Hi Saad,

Thanks for your reply.

 

What I would do is create a feed.

 

Create a CSV file as follows containing the following

#Severity, Description

3,Low

5,Medium

7,High

9,Critical

 

This will map our numeric values to the test values that you want.

 

Then create a custom feed:

feed.png

 

Severity will then have both the numeric and the text value.

 

severity.png

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.