noshelter
Level 8

Adding a variable to custom alert template


I am running ESM 9.6.1.  I am trying to generate a custom alert for changes to the firewall configuration.  I am successfully alerting on the correct events, but I am unable to pull the command used and the object as identified in the event details.  I started with a copy of the Classic Event Template and modified from there.

I have tried the following because that's how the variables showed up in the rule parsing:

SrcIP=[$Source IP], SrcUser="[$%UserIDSrc]", Rule="[$Rule Message]", Method=[$ObjectID], Cmd="[$CommandID]"

And I tried the following because that's how the fields were labeled in the event details:

SrcIP=[$Source IP], SrcUser="[$%UserIDSrc]", Rule="[$Rule Message]", Method=[$Object], Cmd="[$Command]"

Everything works except for the Method and Cmd fields.

Any assistance on how I can get these fields to show up in the email template would be appreciated.

0 Kudos
1 Solution

Accepted Solutions
noshelter
Level 8

Re: Adding a variable to custom alert template


Found it. It appears that in order to get the custom fields generated by the parser, you must use the rule parser name (similar to my initial try). The parsing rule identifies the target fields as "CommandID" and "ObjectID". When inserting the variable in the template, it requires the use of a percent sign (%) after the dollar sign ($), just like in the UserIDSrc variable from my initial example.

Ex:

Method=[$%ObjectID], Cmd=[$%CommandID]

Thanks for making me take a closer look at it, and I hope this helps someone else out one day.

0 Kudos
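To make the convention from the accepted solution concrete, here is an added example (not McAfee ESM code, and not posted by anyone in the thread) that models the template substitution described above: `[$Field]` resolves against the event's standard fields, `[$%Field]` against the custom-type fields under the parser's target names. The event record is constructed for this example from the values quoted in the thread; the split into "standard" and "custom" dictionaries and the blank-on-miss behaviour are modelling assumptions, not a description of ESM internals. The `strict` option is the check a practitioner wants before deploying a template: an unresolved variable silently produces an empty field, which for a firewall configuration-change alert means the command and object you are alerting on never reach the mailbox.

```python
import re

# Constructed sample event modelled on the ASA CLI-change event in the thread
# (Signature ID 278-111010). The two namespaces are an assumption of this
# example; the page does not show how ESM stores fields internally.
SAMPLE_EVENT = {
    "standard": {
        "Source IP": "10.0.0.5",
        "Rule Message": "ASA: configuration change via CLI",
        "Signature ID": "278-111010",
    },
    # Custom-type fields are keyed by the parser's target field name
    # (ObjectID, CommandID), not by the label shown in the event details pane.
    "custom": {
        "UserIDSrc": "enable_15",
        "ObjectID": "CLI",
        "CommandID": "configure terminal",
        "Application": "ASA",
    },
}

# [$Name] -> standard field; [$%Name] -> custom-type field. Names may contain spaces.
TOKEN = re.compile(r"\[\$(%?)([^\]]+)\]")


def render_template(template, event, strict=False):
    """Expand template variables against an event.

    Returns (rendered_text, unresolved_tokens). With strict=True an unresolved
    variable raises instead of being silently replaced by an empty string.
    """
    unresolved = []

    def repl(match):
        is_custom = match.group(1) == "%"
        name = match.group(2)
        namespace = event["custom"] if is_custom else event["standard"]
        if name in namespace:
            return str(namespace[name])
        unresolved.append(match.group(0))
        return ""  # assumed behaviour: a missing field renders blank

    rendered = TOKEN.sub(repl, template)
    if strict and unresolved:
        raise KeyError(f"unresolved template variables: {unresolved}")
    return rendered, unresolved


# The three templates from the thread, verbatim.
ATTEMPT_PARSER_NAMES = (
    'SrcIP=[$Source IP], SrcUser="[$%UserIDSrc]", Rule="[$Rule Message]", '
    'Method=[$ObjectID], Cmd="[$CommandID]"'
)
ATTEMPT_DETAIL_LABELS = (
    'SrcIP=[$Source IP], SrcUser="[$%UserIDSrc]", Rule="[$Rule Message]", '
    'Method=[$Object], Cmd="[$Command]"'
)
WORKING_TEMPLATE = (
    'SrcIP=[$Source IP], SrcUser="[$%UserIDSrc]", Rule="[$Rule Message]", '
    'Method=[$%ObjectID], Cmd=[$%CommandID]'
)


if __name__ == "__main__":
    for label, tpl in [
        ("parser names without %", ATTEMPT_PARSER_NAMES),
        ("event-details labels", ATTEMPT_DETAIL_LABELS),
        ("parser names with %", WORKING_TEMPLATE),
    ]:
        text, missing = render_template(tpl, SAMPLE_EVENT)
        print(f"{label}:\n  {text}\n  unresolved: {missing}")
```

Running the module shows the first two attempts render `Method=` and `Cmd=""` with `[$ObjectID]`/`[$CommandID]` and `[$Object]`/`[$Command]` reported as unresolved, while the third resolves every variable. Linting a template with `strict=True` against a representative event before saving it in ESM is a cheap way to catch this class of mistake.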
3 Replies
abanaru
Level 11

Re: Adding a variable to custom alert template


Can you post screenshots here with an event example? I don't think there is a custom_type associated with Object and Command, or they have another meaning in your event.

0 Kudos
noshelter
Level 8

Re: Adding a variable to custom alert template


I certainly would, but it appears McAfee's website does not play nice with our security settings. It's Signature ID 278-111010, and under custom types there are the following fields:

Application: ASA

Object: 'CLI'

Command: 'configure terminal'

Source User: 'enable_15'

I think I may be on to something though.

0 Kudos