NetWitness Community

JamesMcSawley · ‎2015-02-19

Hi,

I have rule created in ESA to fire on specific criteria in Web logs. I have added the GeoIP as an enrichmnet (lookup based on ip_src. All this works just fine. As part of the rule I want to fire off an e-mail alert, but I only want to include one element (region) of the GeoIP enrichment date not all the elements. Does anyone know how I can reference just the one element in the e-mail template. I have tried

----Snip----

<#list events as metadata>

---Snip---

${metadata.GeoIpLoookup.region

---snip--

but that does not appear to work.

Any suggestions would be greatly appreciated.

Thanks

James

RSAAdmin · ‎2015-02-20

The GeoIpLookup meta of the event is a sequence itself. So, it needs to be indexed too. What you have already is /almost/ correct - all you need is a [0] after the GeoIpLookup.

Does this work?

<#list events as metadata>

${metadata.GeoIpLookup[0].region}
</#list>

View solution in original post

Anonymous · ‎2015-02-20

you can use inside the <#list> tag

<#if metadata_index==1>

${metadata.GeoIpLoookup.region}

</#if>

RSAAdmin · ‎2015-02-20

The GeoIpLookup meta of the event is a sequence itself. So, it needs to be indexed too. What you have already is /almost/ correct - all you need is a [0] after the GeoIpLookup.

Does this work?

<#list events as metadata>

${metadata.GeoIpLookup[0].region}
</#list>

NetWitness Community

ESA and GeoIP