RSAENVISION - Advanced Correlation Lab: Build a Correlation Rule for VM Relocation (Part 7)



Part VII: Multi-threading

In this lab exercise we will show you how to create a correlation rule in RSA enVision that issues an alert when a VM is relocated away from a PCI-scope ESX server.

Once the Circuits and Statements have been defined, we also have to define a variable on which our Event messages can be multi-threaded, that is, linked together. In this case we use the variable ID, which ties directly to the VMware EventChain Id. This is how we ensure we are following a single string of messages across the Vblock VMware infrastructure.

You have returned to the Manage Correlation Rules – Add/Modify Rule window you were at previously.

Here you will see each of the circuits you created.

Make sure these circuits are joined by an And operator.

Now that all of the relocate events have been selected for both vCenter and ESX, we will tie them together using multi-threading. This is accomplished through the use of the VMware Event Chain IDs.

-        Next to Multi-threading, click the […] button.

-        Select the check box next to ID and click the OK button.

-        Multi-threading will now be set to ID.

-        Click the Apply button towards the bottom of the window.

-        An information window will pop up letting you know that the RSA enVision alerter service may need to be restarted before you can use the view. Click OK to close this window.
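To make the rule logic above concrete, here is an added Python model of what the correlation engine does once the two circuits are joined by And and multi-threaded on the EventChain Id: messages are grouped per chain ID, and an alert fires only when both the vCenter circuit and the ESX circuit have matched within the same chain. This is illustrative code, not RSA enVision's own; the PCI-scope host list, the field names and the VMware event-type names are assumptions, and the sample messages are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed set of ESX hosts treated as in PCI scope (assumption, not from the lab).
PCI_SCOPE_HOSTS = {"esx-pci-01", "esx-pci-02"}

@dataclass
class Event:
    """One parsed message; field and event-type names are assumed, not enVision's."""
    device: str     # "vcenter" or "esx": which device class logged it
    chain_id: int   # VMware EventChain Id, the multi-threading variable
    event: str      # event type as logged
    src_host: str   # host the VM is leaving
    dst_host: str   # host the VM is moving to

def circuit_vcenter(ev):
    """Circuit 1: vCenter reports a relocate whose destination is outside PCI scope."""
    return (ev.device == "vcenter" and ev.event == "VmBeingRelocatedEvent"
            and ev.src_host in PCI_SCOPE_HOSTS and ev.dst_host not in PCI_SCOPE_HOSTS)

def circuit_esx(ev):
    """Circuit 2: the PCI-scope ESX host itself logs the relocate."""
    return (ev.device == "esx" and ev.event == "VmRelocatedEvent"
            and ev.src_host in PCI_SCOPE_HOSTS)

def correlate(events):
    """Thread on chain_id; alert once per chain when both circuits (And) have fired."""
    threads = defaultdict(lambda: {"vcenter": False, "esx": False})
    alerts = []
    for ev in events:
        state = threads[ev.chain_id]
        state["vcenter"] |= circuit_vcenter(ev)
        state["esx"] |= circuit_esx(ev)
        if state["vcenter"] and state["esx"] and ev.chain_id not in alerts:
            alerts.append(ev.chain_id)
    return alerts

# Constructed sample messages: chain 101 leaves PCI scope, 102 stays inside it,
# 103 never gets the ESX confirmation, 104 touches no PCI host at all.
SAMPLE_EVENTS = [
    Event("vcenter", 101, "VmBeingRelocatedEvent", "esx-pci-01", "esx-gen-03"),
    Event("esx", 101, "VmRelocatedEvent", "esx-pci-01", "esx-gen-03"),
    Event("vcenter", 102, "VmBeingRelocatedEvent", "esx-pci-01", "esx-pci-02"),
    Event("esx", 102, "VmRelocatedEvent", "esx-pci-01", "esx-pci-02"),
    Event("vcenter", 103, "VmBeingRelocatedEvent", "esx-pci-02", "esx-gen-03"),
    Event("esx", 104, "VmRelocatedEvent", "esx-gen-03", "esx-gen-04"),
]

if __name__ == "__main__":
    print("alert on chains:", correlate(SAMPLE_EVENTS))  # alert on chains: [101]
```

Because the state is keyed on the chain ID rather than on arrival order, the alert fires whether the vCenter or the ESX message is received first, which is the point of threading on the EventChain Id instead of relying on message sequence.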




-Regards,
Blackhattrick blog
(Googlethewebsite.blogspot.com/blackhattrick.blogspot.com)

