RSAENVISION - Advanced Correlation Lab: Build a Correlation Rule for VM Relocation (Part 6)

Part VI : Circuit #2, Statement #3: The Third ESX Event … and Linking the statements
In this lab exercise we will show you how to create a correlation rule in RSA enVision that can be used to issue an alert when a VM is relocated away from a PCI scope ESX server.

The last of the three statements nested under the second Circuit group, this statement contains the final successful relocation event we are looking for from the ESX hosts.  For this statement, we are looking for the Event Id VmRelocatedEvent on any ESX server that was not within our PCI-Scope-ESX-Servers watchlist.

You have just returned to the Add/Modify Circuit Definition window.  Here you will see the statement you just created.  Click the Add Statement button towards the bottom of the window.


Under the Add/Modify Statement window, perform the following steps.  A screenshot is included on the next page.

- Fill in the Statement label with “Chained VmRelocatedEvent on non-PCI scope ESX Host.”
- Under the Threshold Definition section:
  - Click the Consider every event radio button.
- Under the Device Selection section:
  - Click the Select devices by Device Class/Type radio button.
  - Click the Add button.
  - Select Host.Virtualization/VMware ESX / ESXi in the drop down box.
- Under the Event Selection section:
  - Click the Add button.
  - Under Event Type, select Event ID for VMware ESX / ESXi in the drop down boxes.
  - Under Comparison, select IN in the drop down box.
  - Under Value, click the […] button.
  - Browse for the VmRelocatedEvent Event Id, and click the Select button. (You can use the browser find function, Ctrl-F, to quickly find the Event in this window.)
- Click the Set Filter button towards the bottom of the window.


You will now be taken to the Set Statement Filter window.  Here you will define filters for the statement you just created. 

- Click the Add Filter button towards the bottom of the window.
- Under Variable, select Host IP in the drop down box.
- Under Comparison, select Not In Watchlist in the drop down box.
- Under Criteria, select the PCI-Scope-ESX-Servers watchlist in the drop down box (this is the watchlist we created in Part II).
- Click the Apply button towards the bottom of the window.


You will now be returned to the Add/Modify Statement window you were at previously.  Here you will see the statement you created.  Click the Apply button towards the bottom of the window.


You will now be returned to the Add/Modify Circuit Definition window you were at previously.  Here you will see each of the statements you created. 

Each of the statements should be joined using the And operator.

Click the Apply button towards the bottom of the window to continue.
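To make the matching logic behind this statement concrete, here is a small Python model, added for this write-up and not code from the lab or from RSA enVision, of Statement #3 with its watchlist filter, evaluated over a few constructed sample events. The field names (event_id, device_class, host_ip), the sequential matching used for And-joined statements, and the watchlist addresses are assumptions.

```python
# Added model of Circuit #2, Statement #3; field names and semantics are assumptions.

# Constructed stand-in for the PCI-Scope-ESX-Servers watchlist built in Part II.
PCI_SCOPE_ESX_SERVERS = {"10.10.1.11", "10.10.1.12"}

# Event Selection: Event ID IN {...} -- only the one ID the lab selects.
MATCHED_EVENT_IDS = {"VmRelocatedEvent"}


def statement_3(event, watchlist=PCI_SCOPE_ESX_SERVERS):
    """Chained VmRelocatedEvent on non-PCI scope ESX Host.

    Device Selection: Device Class/Type is VMware ESX / ESXi.
    Event Selection:  Event ID IN MATCHED_EVENT_IDS.
    Statement Filter: Host IP Not In Watchlist PCI-Scope-ESX-Servers.
    """
    return (
        event.get("device_class") == "VMware ESX / ESXi"
        and event.get("event_id") in MATCHED_EVENT_IDS
        and event.get("host_ip") not in watchlist
    )


def evaluate_circuit(statements, events):
    """Join statements with And: each statement must be satisfied by an event
    that arrives after the event that satisfied the previous statement (a
    simplified model of the chain). Returns the matched events, or None."""
    matched, idx = [], 0
    for stmt in statements:
        while idx < len(events) and not stmt(events[idx]):
            idx += 1
        if idx == len(events):
            return None
        matched.append(events[idx])
        idx += 1
    return matched


# Constructed sample events; addresses and ordering are made up.
SAMPLE_EVENTS = [
    {"event_id": "VmRelocatedEvent", "device_class": "VMware ESX / ESXi",
     "host_ip": "10.10.1.11"},   # destination is a PCI-scope host: no alert
    {"event_id": "VmPoweredOnEvent", "device_class": "VMware ESX / ESXi",
     "host_ip": "10.10.2.20"},   # wrong Event ID: no alert
    {"event_id": "VmRelocatedEvent", "device_class": "VMware ESX / ESXi",
     "host_ip": "10.10.2.20"},   # relocated onto a non-PCI host: alert
]
```

Running `evaluate_circuit([statement_3], SAMPLE_EVENTS)` returns only the third event; the Not In Watchlist filter is what keeps a relocation between two in-scope hosts from alerting.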


The second circuit is now complete.  Tomorrow, we will complete the rule by joining the two circuits and adding multi-threading.

-Regards,
Blackhattrick blog
(Googlethewebsite.blogspot.com/blackhattrick.blogspot.com)


Reviewed by BlackHat on 10:39 AM
