This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Master list of template variables.

Go to solution
Anonymous
Not applicable

‎2014-06-11 09:15 AM

   ive been digging through the online documentation trying to find an answer, I'm looking to build some custom alert templates for SA.

and the ones i had saved from the legacy informer appliance no longer work, as the variable options have changed, ive been able to find some idea of what i need to be looking for by coming across the cep alert setup within the help documentation but it doesnt list all the available options that there are for all the meta that is collected.

 

 

-mark

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-06-12 11:25 PM

for reporting engine alert, for meta, you can add like this: ${meta.sessionid}, ${meta.service}, ${meta.filename}, and etc.

Add an Alert - RSA Security Analytics Documentation

View solution in original post

0 Likes
5 REPLIES 5

Go to solution
huanzhou1
Beginner
Beginner

‎2014-06-11 11:28 AM

for the alert, ESA alert template you can find from sadocs.

for reporting engine, the alert template not there

for cep, not sure whether same as ESA or not

0 Likes

Go to solution
Anonymous
Not applicable
In response to huanzhou1

‎2014-06-11 11:55 AM

its mostly for the reporting engine. as its all i have. since we are just using SA for the NW/FPC options and not using it as a siem.

0 Likes

Go to solution
Anonymous
Not applicable
In response to huanzhou1

‎2014-06-12 10:18 AM

no, its more templates for email alerts, and the required fields for the meta variables. as well as how they are built.

IE in 9.x i had this for an informer template, that would send an smtp alert out when a condition or alert was generated.

i modified this from a cef template that we had for our siem.

 

{name} found in {#sessionid} ip.src:{#ip.src} - ip dst:{#ip.dst} - Host: {#alias.host} {#directory} - {#filename} - tcp.dst{#tcp.dstport} - Udp DST{#udp.dstport} - Location {#tld} - Serivce = {#service}

0 Likes

Go to solution
huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-06-12 11:25 PM

for reporting engine alert, for meta, you can add like this: ${meta.sessionid}, ${meta.service}, ${meta.filename}, and etc.

Add an Alert - RSA Security Analytics Documentation

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.