On Mon, Sep 24, 2012 at 6:35 AM, Phil Daws <[email protected]> wrote: > Hello, > > we have created a local_decoder for an internal application and extract a > user and srcip. When an alert is triggered within our local_rules.xml is > there anyway to use the captured user id within the desc field of the rule; > some sort of variable substitution ? > -- > Thanks, Phil >
No.
