2018-07-20 09:26 AM
Hello,
We're using the @Name statement in our advanced ESA alert, but the statement content is only present in Alert -> Summary -> Event Detail.
What we're trying to do is to have it in our Alerts or Incidents in the Incident Management module, but it's not in the raw alert by default. Is it possible to modify it in order to have this information?
2018-07-20 12:02 PM
There is some documentation on this subject here: https://community.rsa.com/docs/DOC-84214.
I have a couple rules that I use this with, for example:
@Name("Failed Logins Outside Business Hours by {user_dst}")
Which produces a raw alert like this:
Can you share your "@Name" annotation?
2018-07-23 03:56 AM
Thank you for your reply.
It's basically the same: @Name("Group by done on {threat_category}")
But I don't have the "detail" field in my raw alert.
Here's an example:
{ "instance_id": "8c844e0eee88973e2bc4635191b57a33",
"engineUri": "default",
"events": [ { "server": "........EXE",
"alias_host": [ "XXXXXXXX"
],
"header_id": "0001",
"policy_id": "850",
"event_cat_name": "IPS_sep",
Is there a parameter to enable on the ESA in order to have this information?
Thanks in advance,
Thomas.
2018-08-27 07:11 PM
Hi Thomas BROSSARD
You're still on NW 10.6.x, right? Can you check on your ESA for the file "/opt/rsa/esa/freemarker/message_bus.ftl" and see if it contains the following:
<#include "macros.ftl">
{"events": <@json_value_of events/>, "engineUri": "${engineUri}", "instance_id": "${instance_id}", "detail": "${statement}" }
The part you need for the dynamic naming is "detail": "${statement}".
Also, please note that this functionality was introduced in version 10.6.4, so if you are still on an older revision then this won't work for you until you have upgraded.
(If you're on version 11.x, this file will be located on the ESA at "/var/netwitness/esa/freemarker/message_bus.ftl" instead.)
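As an added example (not part of the thread or of RSA's own tooling), the following Python script does the two checks the last reply describes: it verifies that the ESA's message_bus.ftl template actually emits the dynamic name as "detail": "${statement}", and it pulls the "detail" field out of a raw alert, reporting clearly when it is absent (the situation Thomas hit, which the reply attributes to a pre-10.6.4 template). The two template paths are the ones named in the thread; the sample template strings and raw alerts are constructed here for illustration, and the rendered @Name text in the sample is an assumed value, not output captured from a real ESA.

```python
import json
import os
from typing import Optional

# Template locations quoted in the thread: NW 10.6.x first, NW 11.x second.
TEMPLATE_PATHS = (
    "/opt/rsa/esa/freemarker/message_bus.ftl",
    "/var/netwitness/esa/freemarker/message_bus.ftl",
)

# The fragment the reply says must be present for dynamic naming to reach the raw alert.
DETAIL_TOKEN = '"detail":"${statement}"'


def template_has_detail(template_text: str) -> bool:
    """True if the FreeMarker template emits the @Name statement as the 'detail' key.

    Whitespace is stripped before comparing so that spacing differences around
    the colon (e.g. '"detail": "${statement}"') do not cause a false negative.
    """
    compact = "".join(template_text.split())
    return DETAIL_TOKEN in compact


def find_template(paths=TEMPLATE_PATHS) -> Optional[str]:
    """Return the first message_bus.ftl path that exists on this host, or None."""
    for path in paths:
        if os.path.isfile(path):
            return path
    return None


def alert_detail(raw_alert: str) -> Optional[str]:
    """Return the rendered @Name ('detail') of a raw ESA alert, or None if it is missing."""
    alert = json.loads(raw_alert)
    detail = alert.get("detail")
    return detail if isinstance(detail, str) and detail else None


def diagnose(template_text: str, raw_alert: str) -> str:
    """Combine both checks into a single human-readable verdict."""
    detail = alert_detail(raw_alert)
    if detail is not None:
        return "ok: raw alert carries detail=%r" % detail
    if not template_has_detail(template_text):
        return ("missing: message_bus.ftl does not emit \"detail\": \"${statement}\"; "
                "per the thread this needs NW 10.6.4 or later")
    return "missing: template is fine, but this alert has no 'detail' (check the rule's @Name)"


# Constructed sample inputs (not captured from a real ESA).
TEMPLATE_WITH_DETAIL = (
    '<#include "macros.ftl">\n'
    '{"events": <@json_value_of events/>, "engineUri": "${engineUri}", '
    '"instance_id": "${instance_id}", "detail": "${statement}" }\n'
)
TEMPLATE_WITHOUT_DETAIL = (
    '<#include "macros.ftl">\n'
    '{"events": <@json_value_of events/>, "engineUri": "${engineUri}", '
    '"instance_id": "${instance_id}" }\n'
)
ALERT_WITH_DETAIL = json.dumps({
    "instance_id": "0123456789abcdef0123456789abcdef",
    "engineUri": "default",
    "events": [{"user_dst": "jdoe", "event_cat_name": "IPS_sep"}],
    # Assumed rendering of @Name("Failed Logins Outside Business Hours by {user_dst}").
    "detail": "Failed Logins Outside Business Hours by jdoe",
})
ALERT_WITHOUT_DETAIL = json.dumps({
    "instance_id": "0123456789abcdef0123456789abcdef",
    "engineUri": "default",
    "events": [{"event_cat_name": "IPS_sep"}],
})


if __name__ == "__main__":
    path = find_template()
    if path:
        with open(path, encoding="utf-8") as fh:
            print(path, "emits detail:", template_has_detail(fh.read()))
    else:
        print("no message_bus.ftl found at the known paths; using constructed samples")
    print(diagnose(TEMPLATE_WITH_DETAIL, ALERT_WITH_DETAIL))
    print(diagnose(TEMPLATE_WITHOUT_DETAIL, ALERT_WITHOUT_DETAIL))
```

Run it on the ESA host itself so find_template can locate the real file; elsewhere it falls back to the constructed samples. If the template check passes but alerts still lack "detail", the problem is in the rule (the @Name annotation) rather than in the template.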