Article Number
000001184
Applies To
RSA Product Set: Security Analytics, RSA NetWitness Logs & Network
RSA Product/Service Type: SA Event Stream Analysis
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS
O/S Version: 6
Issue
Enrichment Sources can be added to an ESA rule by following the SA user guide. However, the enrichment data does not appear in the Syslog notification generated by the rule.
Resolution
To add the information supplied by an Enrichment Source to the Syslog notification, follow the steps below:
- Open the ESA rule and make a note of the Enrichment Source name shown in the Enrichment Source column, e.g. TestEnrichment in the following screenshot.
(Screenshot: ESA rule with TestEnrichment in the Enrichment Source column)
- Open the template used by the ESA rule from Administration > System > Global Notifications > Templates.
- Add the following line at the top of the template file:
<#include "macros.ftl">
- Add the following line at the desired location within the template:
xxx=<@event_meta_last "yyy"/> <#t>
where xxx is any string value that marks the start of the added information and yyy is the Enrichment Source name noted in step 1.
- Save the template and monitor the syslog messages.
- If the syslog messages still do not include the new information, modify the ESA rule to use another template, save, then select the correct template again, save and deploy the rule. This ensures that the deployed rule uses the right template.
With a csv file containing the following information:
address string,criticality integer,department string
10.10.10.1,1,SALES
and
Criticality=<@event_meta_last "TestEnrichment"/> <#t>
added to the syslog template, the following line will be added to the syslog message:
...
Criticality=address=10.10.10.1;criticality=1;department=SALES ...
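On the receiving side, the enrichment data arrives as a single "marker=key=value;key=value" fragment that a SIEM or log parser has to split back into fields. The following Python is an added example and is not part of this article or of any RSA product; it parses the enrichment-source CSV (whose header carries "name type" pairs, as in the example above), parses the rendered syslog fragment using the marker string and the CSV schema to type the values, and checks that the notification matches a row of the enrichment source. The "float" and "boolean" column types, the ";" field separator and the assumption that values contain no ";" are inferred from the example, not stated by the article.

```python
import csv
import io

# Constructed sample, copied from the article's worked example: an
# enrichment-source CSV whose header carries "name type" pairs.
ENRICHMENT_CSV = """address string,criticality integer,department string
10.10.10.1,1,SALES
"""

# Constructed sample: what the template line
#   Criticality=<@event_meta_last "TestEnrichment"/> <#t>
# renders into the syslog message, per the article.
SYSLOG_FRAGMENT = "Criticality=address=10.10.10.1;criticality=1;department=SALES"

# Column types mapped to converters. Only "string" and "integer" appear in the
# article; "float" and "boolean" are assumptions added for completeness.
_TYPES = {
    "string": str,
    "integer": int,
    "float": float,
    "boolean": lambda v: v.strip().lower() in ("true", "1", "yes"),
}


def load_enrichment_csv(text):
    """Parse an enrichment-source CSV.

    Returns (schema, rows): schema maps column name -> type name, rows is a
    list of dicts with values converted according to the header types.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    schema = {}
    for col in header:
        name, _, typ = col.strip().partition(" ")
        typ = typ.strip() or "string"  # untyped column defaults to string
        if typ not in _TYPES:
            raise ValueError(f"unknown column type {typ!r} for column {name!r}")
        schema[name] = typ
    rows = []
    for rec in reader:
        if not rec:
            continue
        if len(rec) != len(schema):
            raise ValueError(f"row has {len(rec)} fields, expected {len(schema)}: {rec}")
        rows.append({name: _TYPES[typ](val)
                     for (name, typ), val in zip(schema.items(), rec)})
    return schema, rows


def parse_enrichment_fragment(fragment, marker, schema=None):
    """Split 'marker=k1=v1;k2=v2;...' into a dict.

    Only the first '=' of each pair is treated as the separator, so values
    may contain '='. Values containing ';' are not supported (assumption).
    When a schema is given, keys are validated and values converted.
    """
    prefix = marker + "="
    if not fragment.startswith(prefix):
        raise ValueError(f"fragment does not start with {prefix!r}")
    fields = {}
    for pair in fragment[len(prefix):].split(";"):
        if not pair:
            continue
        key, sep, val = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed pair {pair!r}")
        if schema is not None:
            if key not in schema:
                raise ValueError(f"field {key!r} is not in the enrichment source")
            val = _TYPES[schema[key]](val)
        fields[key] = val
    return fields


def verify_notification(fragment, marker, csv_text):
    """True when the enrichment fields in the syslog fragment equal a row of
    the enrichment-source CSV, i.e. the deployed template emitted the data."""
    schema, rows = load_enrichment_csv(csv_text)
    return parse_enrichment_fragment(fragment, marker, schema) in rows


if __name__ == "__main__":
    print(parse_enrichment_fragment(SYSLOG_FRAGMENT, "Criticality",
                                    load_enrichment_csv(ENRICHMENT_CSV)[0]))
    print(verify_notification(SYSLOG_FRAGMENT, "Criticality", ENRICHMENT_CSV))
```

The schema-driven conversion is what makes the check useful after step 5: a fragment whose criticality arrives as text, or a fragment missing a column, fails loudly instead of silently matching.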