3 Replies Latest reply on Oct 27, 2016 3:04 PM by noshelter

    Adding a variable to custom alert template

    noshelter

      I am running ESM 9.6.1.  I am trying to generate a custom alert for changes to the firewall configuration.  I am successfully alerting on the correct events, but I am unable to pull the command used and the object as identified in the event details.  I started with a copy of the Classic Event Template and modified from there.


      I have tried the following because that's how the variables showed up in the rule parsing:


      SrcIP=[$Source IP], SrcUser="[$%UserIDSrc]", Rule="[$Rule Message]", Method=[$ObjectID], Cmd="[$CommandID]"


      And I tried the following because that's how the fields were labeled in the event details:


      SrcIP=[$Source IP], SrcUser="[$%UserIDSrc]", Rule="[$Rule Message]", Method=[$Object], Cmd="[$Command]"


      Everything works except for the Method and Cmd fields.


      Any assistance on how I can get these fields to show up in the email template would be appreciated.

        • 1. Re: Adding a variable to custom alert template
          abanaru

          Can you post screenshots with an event example here? I don't think there is a custom_type associated with Object and Command, or they have another meaning in your event.

          • 2. Re: Adding a variable to custom alert template
            noshelter

            I certainly would, but it appears McAfee's website does not play nice with our security settings.  It's Signature ID 278-111010, and under custom types, there are the following fields:


            Application: ASA

            Object: 'CLI'

            Command: 'configure terminal'

            Source User: 'enable_15'


            I think I may be on to something though.

            • 3. Re: Adding a variable to custom alert template
              noshelter

              Found it.  It appears in order to get the custom fields generated by the parser, you must use the rule parser name (similar to my initial try).  The parsing rule identifies the target fields as "CommandID" and "ObjectID".  When inserting the variable in the template, it requires the use of a percent sign (%) after the dollar sign ($), just like in the UserIDSrc variable from my initial example.


              Ex:

              Method=[$%ObjectID], Cmd=[$%CommandID]


              Thanks for making me take a closer look at it, and I hope this helps someone else out one day.
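As an added illustration (not ESM's own code and not from anyone in this thread), a small Python model of the substitution rule the thread arrives at: `[$Field]` looks up a standard event field, `[$%Name]` looks up a parser-generated custom type by the name used in the parsing rule, and `lint_template` lists the placeholders that would come out blank so a template can be checked against a captured event before it is attached to an alarm. The field tables, the standard-field values and the assumption that an unresolved placeholder renders empty are mine.

```python
import re
from typing import Dict, List, Tuple

# The two placeholder forms that appear in the thread's templates:
#   [$Source IP]   -> a standard event field
#   [$%UserIDSrc]  -> a parser-generated custom type, named as in the parsing rule
PLACEHOLDER = re.compile(r"\[\$(%?)([^\]]+)\]")

# Constructed sample event for Signature ID 278-111010. The custom-type values
# are the ones quoted in the thread; the standard-field values are made up.
SAMPLE_EVENT: Dict[str, Dict[str, str]] = {
    "standard": {"Source IP": "192.0.2.10", "Rule Message": "ASA config change"},
    "custom": {"UserIDSrc": "enable_15", "ObjectID": "CLI",
               "CommandID": "configure terminal"},
}


def render(template: str, event: Dict[str, Dict[str, str]]) -> Tuple[str, List[str]]:
    """Expand placeholders and return (text, unresolved placeholders).

    A '%' after '$' selects the custom-type table; without it the standard
    field table is used. Assumption: an unresolved placeholder renders empty.
    """
    unresolved: List[str] = []

    def substitute(m) -> str:
        table = event["custom"] if m.group(1) == "%" else event["standard"]
        value = table.get(m.group(2))
        if value is None:
            unresolved.append(m.group(0))
            return ""
        return value

    return PLACEHOLDER.sub(substitute, template), unresolved


def lint_template(template: str, event: Dict[str, Dict[str, str]]) -> List[str]:
    """Placeholders that would come out blank for this event: run this on a
    template before wiring it to an alarm."""
    return render(template, event)[1]


if __name__ == "__main__":
    for tmpl in (
        'Method=[$ObjectID], Cmd="[$CommandID]"',   # first attempt: no '%'
        'Method=[$Object], Cmd="[$Command]"',       # second attempt: wrong names
        'Method=[$%ObjectID], Cmd=[$%CommandID]',   # working form from the thread
    ):
        text, missing = render(tmpl, SAMPLE_EVENT)
        print(text, "| unresolved:", missing)
```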