This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject

NetWitness Community

  • Home
  • Products
    • NetWitness Platform
      • Advisories
      • Documentation
        • Platform Documentation
        • Known Issues
        • Security Fixes
        • Hardware Documentation
        • Threat Content
        • Unified Data Model
        • Videos
      • Downloads
      • Integrations
      • Knowledge Base
    • NetWitness Cloud SIEM
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Detect AI
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Investigator
    • NetWitness Orchestrator
      • Advisories
      • Documentation
      • Knowledge Base
      • Legacy NetWitness Orchestrator
        • Advisories
        • Documentation
  • Community
    • Blog
    • Discussions
    • Events
    • Idea Exchange
  • Support
    • Case Portal
      • Create New Case
      • View My Cases
      • View My Team's Cases
    • Community Support
      • Getting Started
      • News & Announcements
      • Community Support Forum
      • Community Support Articles
    • Product Life Cycle
    • Support Information
    • General Security Advisories
  • Training
    • Blog
    • Certification Program
    • Course Catalog
    • New Product Readiness
    • On-Demand Subscriptions
    • Student Resources
    • Upcoming Events
  • Technology Partners
  • Trust Center
Sign InRegister Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
  • NetWitness Community
  • Blog
  • Freemarker Tips & Tricks in NetWitness 11.x

Freemarker Tips & Tricks in NetWitness 11.x

JoshRandall
Valued Contributor JoshRandall Valued Contributor
Valued Contributor
Options
  • Subscribe to RSS Feed
  • Mark as New
  • Mark as Read
  • Bookmark
  • Subscribe
  • Email to a Friend
  • Printer Friendly Page
  • Report Inappropriate Content
‎2018-01-17 06:00 PM

If you have some custom alert templates that you've been using in NetWitness 10.6.x, you may find that certain expressions no longer work in 11.x, specifically the "@value_of" function we use to iterate through variables that are stored as arrays.

 

For reference, the out-of-the-box string arrays in the Event Stream Analysis are:

pastedImage_3.png

 

The statements we use in10.6.x to include these string arrays in our alerts looked like this:

 

CEF:0|RSA|NetWitness ESA|11.0|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as x> sessionid=${x.sessionid!" "} service=${x.service!" "} hostname=<#if x.alias_host?has_content><@value_of x.alias_host /></#if> </#list>

 

To achieve the same functionality in 11.x for string arrays such as alias_host, we need to use a different expression in order to tell the freemarker template to iterate through each value in the array.  We also need the new expression to be able to handle null values, for example if there is no alias_host meta within the alert.

 

<#if x.alias_host?has_content><#list (x.alias_host) as alias_host> hostname=${alias_host!" "} </#list></#if>

 

It is important to take note of the spaces included within this expression, as these ensure each value of "alias.host=www.example.com" is delimited from subsequent "alias.host=" values.  Otherwise, we would end up with this:

pastedImage_27.png

 

The template as a whole would look like this:

 

 

CEF:0|RSA|NetWitness ESA|11.0|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as x> sessionid=${x.sessionid!" "} service=${x.service!" "} <#if x.alias_host?has_content><#list (x.alias_host) as alias_host> hostname=${alias_host!" "} </#list></#if> </#list>

 

 

And we can add additional expressions within the template as necessary:

 

CEF:0|RSA|NetWitness ESA|11.0|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as x> sessionid=${x.sessionid!" "} service=${x.service!" "} <#if x.alias_host?has_content><#list (x.alias_host) as alias_host> hostname=${alias_host!" "} </#list></#if> <#if x.action?has_content><#list (x.action) as action> action=${action!" "} </#list></#if> </#list>

  • 11.x
  • Alert
  • Custom
  • freemarker
  • NetWitness
  • NW
  • NWP
  • RSA NetWitness
  • RSA NetWitness Platform
  • syslog
  • template
4 Likes
Share
1 Comment

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

  • Comment
Latest Articles
  • Agent Tesla: The Information Stealer
  • Threat Analysis: Detecting “Follina” (CVE-2022-30190) RCE Vulnerability with Netwitness Endpoint
  • Introducing NetWitness Vision XDR
  • Introducing NetWitness Platform XDR v12.0
  • Atlassian Confluence Zero-day Vulnerability (0-Zero) CVE-2022-26134: What You Need To Know
  • ‘Follina’ CVE-2022-30190 0-Day: What You Need To Know
  • CVE-2022-1388: BIG-IP iControl REST RCE Vulnerability
  • Ragnar Locker Ransomware: The Rampage Continues…
  • Ransomware Email Attacks: Beware of BazarLoader
  • Detecting Impacket with Netwitness Endpoint
Labels
  • Announcements 54
  • Events 2
  • Features 9
  • Integrations 6
  • Resources 57
  • Tutorials 21
  • Use Cases 21
  • Videos 116
Powered by Khoros
  • Blog
  • Events
  • Discussions
  • Idea Exchange
  • Knowledge Base
  • Case Portal
  • Community Support
  • Product Life Cycle
  • Support Information
  • About the Community
  • Terms & Conditions
  • Privacy Statement
  • Acceptable Use Policy
  • Employee Login
© 2022 RSA Security LLC or its affiliates. All rights reserved.