Highlighted
Respected Contributor.. Respected Contributor..
Respected Contributor..
313 views

how to Get string values with aggregated fields correlations?

Hi guys,

I have a rule that use correlations, I created a email notification for this rule and now I need get the values of each "Event Definition". In my case I have:

Matching Event:
(pamUnixExpirando.Event ID= pamUnix.Event ID AND LoginAceito.End Time= pamUnix.End Time)
LoginAceito :
(Name= Accepted password AND Agent ID = /All Connectors/CCD-DF/syslog_SO_CCD_BSA )
pamUnix :
(Name Contains pam_unix(sshd:account):password for user AND Agent ID=/All Connectors/CCD-DF/syslog_SO_CCD_BSA )
pamUnixExpirando :
(Agent ID= /All Connectors/CCD-DF/syslog_SO_CCD_BSA AND Name Contains will expired in)

I  declareted all important fields for my information in tamplate notification, my problem is: How to get values of field in pamUnixExpirando and LoginAceito separetely, I need of values in diferents events of this correlations.

In my email.vm is all correct, it request the file syslog-ccd-mail.vm, but the values always show  fields values at "Event Definition"=LoginAceito and I need of fields of "Event Definition"=pamUnixExpirando too.

Ex: LoginAceito.name ; LoginAceito.targetUserName ; pamUnixExpirando.agentAddress ; pamUnixExpirando.deviceHostName

In my notification file the variables is:
- Ativo Monitorado, nome do servidor no Syslog-CCD-BSA
        --------------------------------------------------------------------
        Servidor Atingido: $introspector.getDisplayValue($event,"targetHostName")

#Servidro Atingido: $introspector.getDisplayValues($event,"LoginAceito.TargetHostName")

- Identificacao do Usuario no Servidor
        --------------------------------------------------------------------
        Usuario Usado: $introspector.getDisplayValue($event,"targetUserName")

- Evidencia Localizada no Acesso
        --------------------------------------------------------------------
        Evidencia: $introspector.getDisplayValue($event,"message")

- Start Time (Campo no ArcSight)
        ----- ---------------------------------------------------------------
        Inicio do Evento: $introspector.getDisplayValue($event,"endTime")

Who can help me?

Thanks Fred Henrique

 

0 Likes
2 Replies
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

Hi Fred,

Can you show me how rule aggregation works?

 

Cheers

Gayan 

Mr
0 Likes
Highlighted
Respected Contributor.. Respected Contributor..
Respected Contributor..

Hy Gayan,

How do I do?

Do you want that I show you my "condition" for start the correlation rule? Or do you want the aggregations for get the fields that I need?

 

Thanks

Fred Henrique

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.