Advanced Correlation Lab: Build a Correlation Rule for VM Relocation (Part 2)


Part II: Getting Started: The Device Group and Watchlist
In this lab exercise we show how to create a correlation rule in RSA enVision that raises an alert when a VM is relocated away from a PCI-scope ESX server.

Before building the rule, we define a device group and a watchlist that the rule will reference later. You may already have an equivalent device group and watchlist in your environment; otherwise, create them along with us.

We start by creating a static device group.  Navigate to the Overview Tab, in the menu on the left:

-        Select System Configuration
-        Expand Devices
-        Select Manage Device Group Filters
-        Click the Add Static button at the bottom of the window on the right.


Under the Manage Static Device Group Filters – Add/Modify Filter window, fill in the fields using the information in the screenshot below.  Once complete, click the Add button towards the bottom of the window.

You will be presented with a device filter window.  Here you can build a where statement to narrow down the devices you want to add to your device group. 

-        Click the Add button to add further conditions to the where statement filter.
-        Click the Apply button to apply the filter to the device list.
-        For our example, we build the filter using the values shown in the screenshot; your IP addresses will obviously differ.
-        Once complete, select the checkbox next to the IP address of each device you want to add to the group.
-        Click the OK button to save the device list.

You will now be returned to the Manage Static Device Group Filters – Add/Modify Filter window.  The devices you selected using the where statement filter will be displayed below.

-        Click the Apply button.
-        Upon clicking Apply, an information box warns that certain services may need to be restarted before the new Device Group can be used, for example when selecting devices during alert creation.
-        Click OK to acknowledge.

You will now be returned to the Manage Device Group Filters window. The newly created Device Group is listed, together with its Type (Static).

-        By clicking on the Show Devices button, you can review what devices are included in the Device Group.

The Static Device Group is now available for use in alert rule creation, analysis, etc.

We’ll now add a static watchlist:

Navigate to the Overview Tab, in the menu on the left:

-        Select System Configuration
-        Expand Watchlists
-        Select Manage Watchlists
-        Click the Add button at the bottom of the window on the right.

Under the Manage Watchlists – Add/Modify Watchlist window, fill in the fields using the information in the table below.  Once complete, click the Add button towards the bottom of the window to add values to the watchlist.

-        For this watchlist, we will explicitly specify the device addresses of our PCI Scope ESX Servers (yours will be different):

-        Once complete, click Apply to accept the values and create the watchlist.
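To make the two objects above concrete, here is an added Python example (not code from the original post or from RSA enVision) that models what the GUI steps produce: a where statement filter evaluated over a device inventory, a static device group that freezes the devices you ticked, and a watchlist of PCI-scope ESX addresses. The inventory, IP addresses and device type strings are constructed for the example; the final check, that every watchlist address is also a member of the device group, is a practitioner sanity check we add on the assumption that the rule built later will only evaluate events from devices in its device group.

```python
import ipaddress

# Constructed sample device inventory (not from the original post).
DEVICES = [
    {"ip": "10.10.1.11", "type": "vmware_esx", "name": "esx-pci-01"},
    {"ip": "10.10.1.12", "type": "vmware_esx", "name": "esx-pci-02"},
    {"ip": "10.10.2.21", "type": "vmware_esx", "name": "esx-lab-01"},
    {"ip": "10.10.1.50", "type": "vmware_vcenter", "name": "vcenter-01"},
    {"ip": "10.20.0.5", "type": "cisco_asa", "name": "fw-edge"},
]

# Assumed PCI-scope ESX hosts for the watchlist (yours will differ).
PCI_ESX_WATCHLIST = {"10.10.1.11", "10.10.1.12"}


def where_filter(devices, device_type=None, ip_in=None):
    """Mimic a multi-level 'where' statement: every supplied condition must hold.

    device_type: exact match on the device type field (or None to skip).
    ip_in: list of CIDR strings; the device IP must fall inside at least one.
    """
    nets = [ipaddress.ip_network(n) for n in (ip_in or [])]
    selected = []
    for d in devices:
        if device_type is not None and d["type"] != device_type:
            continue
        if nets and not any(ipaddress.ip_address(d["ip"]) in n for n in nets):
            continue
        selected.append(d)
    return selected


def static_group(devices, picked_ips):
    """A static group keeps only the devices explicitly ticked; the filter is
    just an aid for finding them and is not re-evaluated later."""
    picked = set(picked_ips)
    return sorted(d["ip"] for d in devices if d["ip"] in picked)


def build_pci_esx_group():
    """Walk the GUI procedure: filter, then tick every ESX host the filter found."""
    candidates = where_filter(
        DEVICES, device_type="vmware_esx", ip_in=["10.10.1.0/24", "10.10.2.0/24"]
    )
    return static_group(DEVICES, [d["ip"] for d in candidates])


def watchlist_gaps(group_ips, watchlist):
    """Return watchlist addresses that are missing from the device group.

    Any address listed here would never be seen by a rule scoped to the
    group, so the list should be empty before you build the rule."""
    return sorted(set(watchlist) - set(group_ips))


if __name__ == "__main__":
    group = build_pci_esx_group()
    print("device group:", group)
    print("watchlist gaps:", watchlist_gaps(group, PCI_ESX_WATCHLIST))
    # A mistyped watchlist entry is caught by the same check.
    print("gaps with typo:", watchlist_gaps(group, {"10.10.1.11", "10.10.9.9"}))
```

The filter and the group are deliberately separate: in the GUI the where statement only narrows the candidate list, and the static group is whatever you ticked, so re-running the filter later will not pull in newly added ESX hosts. Re-run the gap check whenever the watchlist changes.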

Blackhattrick blog

Posted by BlackHat at 10:41 AM.