The following variables can be used in Reporting Engine (RE) alerting templates:
${meta.<key>} - Value of the named meta key, for example ${meta.ip.src}; a key that has no value in the session expands to an empty string (see the blank proto= and act= fields in the sample output below)
${name} - Alert name as defined in RE
${count} - Number of times the alert was detected in the given time frame (currently one minute)
${sa.host} - Security Analytics host name as configured in RE
${device.id} - SA device ID of the data source
Below is an example of a template:
CEF:0|RSA|Security Analytics|2.0|${name}|${name}|Medium|externalId=${meta.sessionid} proto=${meta.ip.proto} categorySignificance=/Normal categoryBehavior=/Authentication/Verify categoryDeviceGroup=/OS categoryOutcome=/Attempt categoryObject=/Host/Application/Service art=1207590435129 act=${meta.action} rt=1207590435129 deviceDirection=0 shost=${meta.ip.host} src=${meta.ip.src} spt=${meta.tcp.srcport} dhost=${meta.ip.host} dst=${meta.ip.dst} dport=${meta.tcp.dstport} duser=${meta.username} dproc=27444 fileType=security cs1=${meta.did} cs2=${meta.password} cs3=4 cs4=5 cn1=${meta.rid} cn2=0 cn3=0
The output of the example above would be similar to the following:
CEF:0|RSA|Security Analytics|2.0|Alias Host Found|Alias Host Found|Medium|externalId=103923155 proto= categorySignificance=/Normal categoryBehavior=/Authentication/Verify categoryDeviceGroup=/OS categoryOutcome=/Attempt categoryObject=/Host/Application/Service art=1207590435129 act= rt=1207590435129 deviceDirection=0 shost= src=192.168.123.241 spt= dhost= dst=192.168.123.27 dport= duser= dproc=27444 fileType=security cs1=logdeccol1 cs2= cs3=4 cs4=5 cn1=26080256 cn2=0 cn3=0
Three points to check before using a template like this in production. First, cs2=${meta.password} copies the captured password into every alert, so any syslog receiver or SIEM that stores the alert now holds credentials in clear text; leave credential meta keys out of templates unless that is deliberate. Second, the art= and rt= timestamps are literal values in this example, because the variable list above provides no alert-time variable; they will not change from alert to alert. Third, put no whitespace between "=" and the variable in an extension pair: a space there either becomes part of the value or leaves the key with an empty value, depending on the CEF parser on the receiving side.
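As an added example, not code from the page or from RSA's Reporting Engine: the following Python renders a template built from the variables above into a CEF line and parses the result back into its seven header fields and its extension key/value pairs, so a template can be checked offline before it is deployed. The substitution rule (a meta key with no value expands to an empty string) is taken from the sample output above; the template, the alert and meta values (sa.host and device.id in particular), and the CEF parser are constructed for this example. The page does not say whether RE escapes CEF metacharacters ("|" in header fields, "=" and "\" in extension values) when it inserts meta values, so meta keys that can carry user-controlled text, such as usernames or host aliases, deserve the same check.

```python
import re

# Constructed template built from the RE variables listed above. It is a
# trimmed form of the page's example with no whitespace after '=' so that each
# extension key receives exactly the expanded value; it is not an RE default.
TEMPLATE = (
    "CEF:0|RSA|Security Analytics|2.0|${name}|${name}|Medium|"
    "externalId=${meta.sessionid} proto=${meta.ip.proto} act=${meta.action} "
    "src=${meta.ip.src} dst=${meta.ip.dst} duser=${meta.username} "
    "cs1=${meta.did} cn1=${meta.rid} cnt=${count} dvchost=${sa.host} "
    "deviceExternalId=${device.id}"
)

# Constructed alert attributes and session meta, modelled on the page's sample
# output; the sa.host and device.id values are assumptions.
ALERT = {"name": "Alias Host Found", "count": 1,
         "sa.host": "sa-server", "device.id": "12"}
META = {"sessionid": 103923155, "ip.src": "192.168.123.241",
        "ip.dst": "192.168.123.27", "did": "logdeccol1", "rid": 26080256}

VAR_RE = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")


def render_template(template, alert, meta):
    """Expand ${...} variables. ${meta.<key>} is looked up in the session meta,
    everything else in the alert attributes. A key with no value expands to an
    empty string, which is what the blank proto=, act= and duser= fields in the
    page's sample output show. This approximates RE's substitution; it is not
    RE's own code."""
    def expand(match):
        var = match.group(1)
        if var.startswith("meta."):
            return str(meta.get(var[len("meta."):], ""))
        return str(alert.get(var, ""))
    return VAR_RE.sub(expand, template)


# Header fields are separated by an unescaped '|'; an extension value runs
# until the next ' key=' token or the end of the line.
HEADER_SPLIT = re.compile(r"(?<!\\)\|")
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_cef(line):
    """Return (header dict, extension dict) for one CEF line, raising if the
    seven header fields are not all present."""
    parts = HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    header = {
        "version": parts[0][len("CEF:"):],
        "vendor": parts[1],
        "product": parts[2],
        "device_version": parts[3],
        "signature_id": parts[4],
        "name": parts[5],
        "severity": parts[6],
    }
    extension = dict(EXT_PAIR.findall(parts[7]))
    return header, extension


def untidy_values(extension):
    """Keys whose value carries leading or trailing whitespace: the symptom of
    writing 'key= ${var}' in the template instead of 'key=${var}'."""
    return sorted(k for k, v in extension.items() if v != v.strip())


def check_template(template, alert, meta):
    """Render a template and parse the result back. Returns the header dict,
    the extension dict and the list of extension keys whose values picked up
    stray whitespace from the template."""
    header, extension = parse_cef(render_template(template, alert, meta))
    return header, extension, untidy_values(extension)


if __name__ == "__main__":
    header, extension, untidy = check_template(TEMPLATE, ALERT, META)
    print(header["signature_id"], header["severity"])
    print(extension)
    print("keys with stray whitespace:", untidy)
```

Running check_template against a copy of the template with "externalId= ${meta.sessionid}" (the spacing used in the page's example) reports externalId and any other such key in the third return value, because the leading space survives into the parsed value.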