Environment
Situation
Resolution
The correlated event has the tags copied from the last event only. There is currently no function that copies fields from several events into the correlated event.
There are various fields that are set by the correlation_engine. They are described below.
########################################################################################
When the %all% keyword is used as a parameter of a Correlation Action, the 47 standard parameters listed in order below are passed to the executed script/application.
Relating to the correlation rule that was triggered:
$1 = RuleName
$2 = RuleType (C or W)
$3 = RuleDescription
$4 = RuleSeverity
$5 = RuleResource
$6 = RuleSubResource
$7 = RuleLg (Rule language)
$8 = RuleCount
$9 = RuleDuration
$10 = RulePattern (TAG1='VALUE1'TAG2='VALUE2'...)
$11 = CorrelatedEventUUID
$12 = MessageText
$13 = EventName
Relating to the last event that triggered the correlation rule:
$14 = Severity
$15 = Vulnerability
$16 = Criticality
$17 = DateTime
$18 = SourceIP
$19 = DestinationIP
$20 = EventID
$21 = SourceID
$22 = eWizardPort
$23 = eWizardAgent
$24 = Resource
$25 = SubResource
$26 = EventName
$27 = SensorName
$28 = SensorType
$29 = EventTime
$30 = Protocol
$31 = SourceHostName
$32 = SourcePort
$33 = DestinationHostName
$34 = DestinationPort
$35 = SourceUserName
$36 = DestinationUserName
$37 = FileName
$38 = ExtendedInformation
$39 = ReportName
$40 = ProductName
$41 = Message
$42 = RT1
$43 = RT2
$44 = CT1
$45 = CT2
$46 = RT3
$47 = CT3
NOTE 1: Parameters $12 and $13 are new, so older scripts that expected 45 parameters to be passed with the %all% parameter may need to be updated.
NOTE 2: Any parameters that have null or blank values will be passed to the script/application with the value of "E_NULL".
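The following is an added example, not part of the original article, of a correlation-action script that consumes the %all% list above: it refuses the old 45-parameter layout (NOTE 1), maps E_NULL back to a "-" marker (NOTE 2) and logs the fields a responder wants first. The rule name, UUID, IP addresses and other sample values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: a correlation-action script
# invoked with the %all% keyword.  It checks the parameter count (NOTE 1),
# maps E_NULL values to "-" (NOTE 2) and logs the fields a responder needs.

ALL_PARAM_COUNT=47   # current %all% layout; scripts written for 45 are stale

# Print "-" for a value the engine passes as E_NULL, otherwise the value.
nullval() {
    if [ "$1" = "E_NULL" ]; then printf '%s' "-"; else printf '%s' "$1"; fi
}

# Handle one invocation: prints a single key=value line, or returns 2 when
# the parameter count does not match the current layout.
correlation_action() {
    if [ "$#" -ne "$ALL_PARAM_COUNT" ]; then
        if [ "$#" -eq 45 ]; then
            echo 'old 45-parameter %all% layout: $12 and $13 missing' >&2
        else
            echo "expected $ALL_PARAM_COUNT parameters, got $#" >&2
        fi
        return 2
    fi
    # Positions follow the list above: $1 RuleName, $4 RuleSeverity,
    # $11 CorrelatedEventUUID, $18 SourceIP, $19 DestinationIP,
    # $35 SourceUserName, $36 DestinationUserName.
    printf 'rule=%s severity=%s uuid=%s src=%s dst=%s user=%s dstuser=%s\n' \
        "$(nullval "$1")" "$(nullval "$4")" "$(nullval "${11}")" \
        "$(nullval "${18}")" "$(nullval "${19}")" \
        "$(nullval "${35}")" "$(nullval "${36}")"
}

# Constructed sample: the 47 values the engine would pass, with the blank
# fields (eWizardPort, SourceHostName, DestinationUserName, ...) as E_NULL.
run_sample() {
    set -- "BruteForce" "C" "Repeated failed logins" "4" "Auth" "SSH" "en" "5" "60" \
        "TAG1='Auth'TAG2='LoginFailed'" "00000000-0000-0000-0000-000000000001" "Threshold exceeded" "BruteForce" \
        "3" "0" "2" "2024-01-01 12:00:00" "192.0.2.10" "192.0.2.20" "1001" \
        "col-1" "E_NULL" "E_NULL" "Auth" "SSH" "LoginFailed" "sshd" \
        "H" "12:00:00" "TCP" "E_NULL" "51000" "bastion" "22" \
        "root" "E_NULL" "E_NULL" "E_NULL" "E_NULL" "OpenSSH" "Failed password" \
        "E_NULL" "E_NULL" "E_NULL" "E_NULL" "E_NULL" "E_NULL"
    correlation_action "$@"
}

run_sample
```

When deployed as the action, the engine supplies the arguments itself; the run_sample call at the bottom only exercises the script with the constructed list.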
Other fields that are set in the correlation_event are...
RV_9:
RV_19:
RV_25:
RV_99:
CV_9:
CV_19:
CV_99: