The packet data is identified by the token "[$Packet Data]". It's in the template editor under Event Fields/Network.
Remember that Alarms are generated by the ESM, and the ESM can only include the packet data in the alarm email if the ESM has access to it. By default, packet data is NOT copied to the ESM. In the standard config, packet data is stored on the Receiver. There are 2 ways to get packet data to transfer to the ESM:
- Manually by reviewing the event packet tab. This causes the ESM to reach into the Receiver and copy the packet for the relevant event from the Receiver to the ESM. This assumes that the packet still exists on the Receiver. The Receiver has a limited amount of storage, and keeps packets for the most recent events.
- Automatically by modifying the policy. There is a setting called "copy packet" for each rule in your policy. If you set this to "on" for the relevant Data Source rule(s), then the ESM will automatically copy the packet from the Receiver to the ESM during the regular receiver polling interval.
Note that this increases the amount of storage used by these events, and therefore can decrease the number of event records your ESM can store. The amount of increase depends greatly on what kind of events you're talking about. As a rule-of-thumb, I generally assume that the event record + packet is about 2x the size of the event alone, although for some large complex logs it can be 3x or more.
Wonderful! Thanks for this information. Works great trying to see the URL from Windows DNS failures (SigID 43-3317837541).
Question - Is it possible to get this Packet information in a report?
Question about this as well. Will this work when receiving an email from a triggering correlation rule? Correlation rules technically do not have any packet data - just the source events on the correlation rule. If not, is there a way to include packet data in an email from source events on a correlation rule?