2015-06-03 03:33 AM
Hello,
I would like to use data from ESA in my reports. I would like to see how many alerts I have every day, and also to see who (ip.src/ip.dst and user.dst) is caught by the ESA rule. To create this report I have to pull ESA events into the Log Decoder and then create a report using device.type = rsa_security_analytics_esa. By default I have this ESA Syslog Template:
CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId}
But this is not enough for me. I modified the template to:
CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} deviceip=${events[0].device_ip!" "} devicetype=${events[0].device_type!" "} src=${events[0].ip_src!" "} shost=${events[0].host_src!" "} dst=${events[0].ip_dst!" "} dhost=${events[0].host_dst!" "} duser=${events[0].user_dst!" "}
But this only gives me the metadata from the first event. If I use this template:
<#list events as x>CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} deviceip=${x.device_ip!" "} devicetype=${x.device_type!" "} src=${x.ip_src!" "} shost=${x.host_src!" "} dst=${x.ip_dst!" "} dhost=${x.host_dst!" "} duser=${x.user_dst!" "}</#list>
or this:
CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as x>deviceip=${x.device_ip!" "} devicetype=${x.device_type!" "} src=${x.ip_src!" "} shost=${x.host_src!" "} dst=${x.ip_dst!" "} dhost=${x.host_dst!" "} duser=${x.user_dst!" "}</#list>
the events are not parsed in the Log Decoder.
Do you have any ideas? I also want to see (add to this ESA event) a link to each raw message that ESA used in the rule.
2016-02-08 10:08 AM
Does the following help?
<#include "macros.ftl"/>
CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as metadata><#list metadata?keys?sort as key> ${key}=<@value_of metadata[key]/></#list></#list>
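Added example (not from the thread, and not RSA code): the templates above iterate `<#list events as x>` and drop each meta value into the CEF record verbatim. The Python below models what that produces, one CEF record per constituent event, and adds the piece the templates lack, namely the escaping the CEF format defines (backslash and pipe in header fields; backslash, equals sign and line breaks in extension values). It then parses the records back so the effect of a value such as a username containing `src=...` can be seen with and without escaping. The alert, its two events, the epoch-millisecond `rt` value and the meta-to-CEF key mapping are constructed assumptions for illustration.

```python
import re

# Constructed sample ESA alert (not real data): one alert raised over two
# correlated Log Decoder events, using the meta keys named in the thread.
ALERT = {
    "statement": "Module_Brute_Force",
    "moduleName": "Brute Force|AD",          # a pipe inside a header field
    "severity": 7,
    "time_ms": 1433302380000,                # epoch millis (assumed); CEF rt accepts this form
    "id": "alert-0001",
    "eventSourceId": "192.0.2.10:50002",
    "events": [
        {"device_ip": "192.0.2.10", "device_type": "winevent_nic", "ip_src": "198.51.100.5",
         "host_src": "wks01", "ip_dst": "192.0.2.20", "host_dst": "dc01", "user_dst": "alice"},
        {"device_ip": "192.0.2.10", "device_type": "winevent_nic", "ip_src": "198.51.100.5",
         "host_src": "wks01", "ip_dst": "192.0.2.20", "host_dst": "dc01",
         "user_dst": "bob src=10.0.0.1"},    # attacker-chosen username carrying a fake key=value
    ],
}

# Log Decoder meta key -> CEF extension key, as used in the thread's template (assumed mapping)
META_TO_CEF = [("device_ip", "deviceip"), ("device_type", "devicetype"), ("ip_src", "src"),
               ("host_src", "shost"), ("ip_dst", "dst"), ("host_dst", "dhost"), ("user_dst", "duser")]


def esc_header(v):
    """CEF header escaping: backslash and pipe."""
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(v):
    """CEF extension escaping: backslash, equals sign and line breaks."""
    return (str(v).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def render_cef(alert, escape=True):
    """One CEF record per constituent event, which is what <#list events as x> yields.
    escape=False reproduces the thread's templates, which emit ${x.meta} verbatim."""
    eh, ee = (esc_header, esc_ext) if escape else (str, str)
    header = "CEF:0|RSA|Security Analytics ESA|10.4|%s|%s|%s|" % (
        eh(alert["statement"]), eh(alert["moduleName"]), eh(alert["severity"]))
    lines = []
    for ev in alert["events"]:
        ext = ["rt=%s" % ee(alert["time_ms"]), "id=%s" % ee(alert["id"]),
               "source=%s" % ee(alert["eventSourceId"])]
        for meta, cef in META_TO_CEF:
            ext.append("%s=%s" % (cef, ee(ev.get(meta, " "))))   # mirrors FreeMarker's !" " default
        lines.append(header + " ".join(ext))
    return lines


def split_header(line):
    """Split a CEF record into its 7 header fields and the raw extension string,
    honouring backslash-escaped pipes inside header fields."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) < 7 or fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 record: %r" % line)
    return fields, line[i:]


_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # an unescaped key= at start or after whitespace
_ESC = re.compile(r"\\(.)")


def parse_extension(ext):
    """Parse 'key=value key=value' into a dict, undoing extension escapes."""
    out, keys = {}, list(_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = _ESC.sub(lambda x: {"n": "\n", "r": "\r"}.get(x.group(1), x.group(1)), raw)
    return out


def parse_cef(line):
    """Return (header_fields, extension_dict) for one CEF record."""
    fields, ext = split_header(line)
    return fields, parse_extension(ext)


if __name__ == "__main__":
    for escape in (True, False):
        for rec in render_cef(ALERT, escape):
            print(rec)
            print("  ->", parse_cef(rec))
```

With escaping, the second record carries `duser=bob src\=10.0.0.1` and parses back with `src` still `198.51.100.5`; rendered verbatim, the same event yields a record whose header is shifted by the pipe in the module name (the severity field reads `AD` and `rt` is swallowed into it) and whose `src` is overwritten by the value the user typed into the username field. Whatever template is used on the ESA side, the values it interpolates should go through this kind of escaping before the record reaches a parser.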
2016-09-23 01:50 PM
Is there a switch to include the msg in the payload?