2017-11-15 11:05 AM
Hi all,
I would like to know if there is a way to discover the data model passed by ESM alarms to the CEF Freemarker templates, in "Global Notifications".
The reason behind this question is that I want to use a custom CEF Syslog template, so I want to know which data is available in order to build a more complete Syslog message.
Does anyone know if this is possible?
Thanks in advance.
Stefano
2017-11-15 01:29 PM
Any meta that was associated with the sessions comprising the alert is eligible to be called by Freemarker. Below is an example of a CEF Syslog output I built as part of an integration with ArcSight last year:
<#include "macros.ftl">
<#list events as x> CEF:0|RSA|NetWitness|10.6.2|${x.event_type!""}|${moduleName}|${x.severity!""}|act="<#if x.action?has_content><@value_of x.action /></#if>" app=${x.protocol!""} destinationDnsDomain=${x.domain_dst!""} destinationServiceName="${x.client!""}" dmac=${x.eth_dst!""} sntdom=${x.ad_domain_src!""} dproc="${x.process!""}" dpt=${x.tcp_dstport!""} dst=${x.ip_dst!""} duid='${x.user_dst!""}' dvc=${x.device_ip!""} dvchost=${x.device_host!""} endTime=${time?datetime} externalId=${x.rid!""} fileType=${x.filetype!""} fileName="${x.filename!""}" msg="${x.event_desc!""}" transportProtocol=${x.service!""} reason="${x.result_code!""}" requestClientApplication="${x.user_agent!""}" requestMethod="<#if x.action?has_content><@value_of x.action /></#if>" sourceHostName=${x.host_src!""} src=${x.ip_src!""} smac=${x.eth_src!""} sourceDnsDomain=${x.domain_src!""} suid='${x.user_src!""}' type=${x.medium!""} deviceCustomDate1=${x.event_time!""} deviceCustomDate1Label="Event Time" cs2=${time?datetime?iso_m_nz("GMT+01")} cs2Label="Custom Time String plus 1 Hour" cs1=${time?datetime?iso_m_nz("GMT-01")} cs1Label="Custom Time String minus 1 Hour" cat="${x.event_cat_name!""}" spriv="${x.group!""}" cs3="${x.alert_id!""}" cs3Label="Alert ID" cs4="${x.msg_id!""}" cs4Label="Message ID" cs5="${x.risk_info!""}-${x.risk_suspicious!""}-${x.risk_warning!""}" cs5Label="Risk Categories" cs6="${x.category!""}" cs6Label="NW Category" suser='${x.ad_username_src!""}' deviceExternalId=${x.did!""} dhost=<#if x.alias_host?has_content><@value_of x.alias_host/></#if> spt=${x.tcp_srcport!""} duser='${x.ad_username_dst!""}' fileSize=${x.size!""} fileHash=${x.checksum!""} outcome="${x.ec_outcome!""}" cn1=${x.sessionid!""} cn1Label="SessionID" </#list>
Note that that particular template will include all events associated with an Alert (aka, if the alert was 5 failed logins, all 5 login events will be sent).
To break this down, let's use an example:
src=${x.ip_src!""}
src= : is hardcoded and expected in the template by the receiving device
${ : indicates the beginning of a variable
x. : 'x.' is required as part of the "list events as x" from above
ip_src : this is how the metakey is represented within ESA. On the core appliance, it would be ip.src. You can find a list of all metakeys and their ESA formats under Alert > Config > Settings. The general rule of thumb is that all decimals are replaced with underscores in metakey names
!"" : when this is present after a metakey, it means that when the value is empty a null/blank value will be substituted
} : closes the variable
2017-11-15 01:43 PM
I should follow up: if you simply want to call a metakey and do nothing else, all you have to do is the following:
${metakey_name}
Ex:
${ip_src}
2017-11-16 05:04 AM
Thank you, Evan! Your answer is clear and precise, but I meant the "Event Source Monitoring" Alarm Notification. That is the notification you get when a policy concerning Event Sources is violated. Let me be more specific, this is my currently working template:
<@compress single_line=true>CEF:0|RSA|Security Analytics Event Source Monitoring|${version}|
<#if highAlarmsCount gt 0> HighThresholdAlert | ThresholdExceeded |1| cat=${group} policy=A string goes here! <#list highAlarmEventSources as es>
<#assign x = es?split("-") />
src=${x[0]} event.source=${x[1]}
</#list>
</#if><#if lowAlarmsCount gt 0> LowThresholdAlert | ThresholdViolated |1| cat=${group} policy=A string goes here! <#list lowAlarmEventSources as es>
<#assign x = es?split("-") />
src=${x[0]} event.source=${x[1]}
</#list>
</#if></@compress>
As you see, I can refer to ${group}, which is the Group name the Event Source is associated with. The variable 'lowAlarmEventSources' is something like '192.168.0.1-ESType-manual ...'; that's why I'm splitting it like that.
Let's say I want to include the name of the Log Collector which collects the alarmed source(s) in the CEF message. I tried with ${logCollector} (not randomly, because it's an index in mongodb on the SA server: db.getCollection('esmalarm').find({})), but apparently it's not the right approach.
What variables can I actually address? Surely I can address to alert-related variables, such as 'lowAlarmsCount', 'group', 'lowAlarmEventSources', I hope that's not all of it, but so far no documentation covers it.
Thank you again for your time and understanding.
Stefano
2017-11-16 09:28 AM
I recall asking that question a couple of years ago. The answer was that there is no data model provided to ESM notifications, only the one string you mentioned (192.168.0.1-ESType-manual), which is parsed within the template as you have found out. I asked for an RFE to be raised for a data model to be implemented like in ESA. Unfortunately, I cannot find any reference now.
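Added example, not code from this thread or from RSA: a small Python parser and sanity checker for the CEF lines that templates like the two above emit, so a message can be verified before it is pointed at ArcSight. The sample line is constructed to resemble what the ESM template would produce (padding spaces around the header fields included); the hostname, group and version values are made up.

```python
import re

# Constructed sample resembling the ESM template's output in this thread (not real ESM output).
SAMPLE = ('CEF:0|RSA|Security Analytics Event Source Monitoring|11.0| HighThresholdAlert '
          '| ThresholdExceeded |1| cat=Windows policy=A string goes here! '
          'src=192.168.0.1 event.source=ESType')

HEADER_NAMES = ('cef_version', 'vendor', 'product', 'version', 'signature_id', 'name', 'severity')
# Whitespace that precedes "key=" starts a new extension pair; an escaped "\=" cannot end a key.
_PAIR_SPLIT = re.compile(r'\s+(?=[^\s=\\]+=)')
_EXT_ESCAPES = {'\\': '\\', '=': '=', 'n': '\n', 'r': '\r'}

def _split_header(line):
    """Return the 7 header fields (handling \\| and \\\\) plus the raw extension text."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == '\\' and i + 1 < len(line):      # escaped pipe or backslash in a header field
            cur.append(line[i + 1]); i += 2; continue
        if ch == '|':
            fields.append(''.join(cur).strip()); cur = []   # strip the template's padding spaces
        else:
            cur.append(ch)
        i += 1
    return fields, line[i:].strip()

def _unescape_ext(value):
    return re.sub(r'\\(.)', lambda m: _EXT_ESCAPES.get(m.group(1), m.group(0)), value)

def parse_cef(line):
    """Parse one CEF line into (header dict, extension dict); raises on a short header."""
    fields, ext = _split_header(line)
    if len(fields) != 7 or not fields[0].startswith('CEF:'):
        raise ValueError('malformed CEF header: %r' % line[:60])
    header = dict(zip(HEADER_NAMES, fields))
    header['cef_version'] = header['cef_version'][4:]
    pairs = {}
    for token in (_PAIR_SPLIT.split(ext) if ext else []):
        key, _, value = token.partition('=')
        pairs[key] = _unescape_ext(value)
    return header, pairs

def cef_issues(line):
    """List things a receiving SIEM would reject or silently misparse (empty fields, odd severity)."""
    header, pairs = parse_cef(line)
    issues = [k + ' is empty' for k, v in header.items() if not v]
    issues += [k + '= has no value' for k, v in pairs.items() if v == '']
    if not re.fullmatch(r'(10|[0-9]|Low|Medium|High|Very-High)', header['severity']):
        issues.append('severity %r is not a CEF severity' % header['severity'])
    return issues
```

Running cef_issues over a notification produced by the first template is a quick way to spot the `key=` pairs left empty by the `!""` defaults before the receiver has to cope with them.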