RSAENVISION - Advanced Correlation Lab: Build a Correlation Rule for VM Relocation (Part 4)

Part IV: Circuit #2, Statement #1: The First ESX Event
In this lab exercise we will show you how to create a correlation rule in RSA enVision that can be used to issue an alert when a VM is relocated away from a PCI scope ESX server.

The second statement is the first of three statements nested under our second Circuit group.  This statement contains the first piece of technical criteria we are looking for from the ESX hosts.  In this case, we are looking for the Event Id TaskEvent on any ESX server within our PCI-Scope-ESX-Servers device group (the group we created in Part II).

You have just returned to the Manage Correlation Rules – Add/Modify Rule window.  Here you will see the Circuit you just created.  Click the Add Circuit button towards the bottom of the window.


Under the Add/Modify Circuit Definition window, fill in the fields as shown below.  Once complete, click the Add Statement button towards the bottom of the window.

Under the Add/Modify Statement window, perform the following steps.  A screenshot is included on the next page.
- Fill in the Statement label with “TaskEvent initiated on a PCI scope ESX Host.”
- Under the Threshold Definition section:
  - Click the Consider every event radio button
- Under the Device Selection section:
  - Click the Select devices by Device Group radio button
  - Click the Add button
  - Select PCI-Scope-ESX-Servers in the drop down box (this is the group we created in Part II)
- Under the Event Selection section:
  - Click the Add button
  - Under Event Type, select Event ID for VMware ESX / ESXi in the drop down boxes
  - Under Comparison, select IN in the drop down box
  - Under Value, click the […] button
  - Browse for the TaskEvent Event Id, and click the Select button (you can use the browser find function, Ctrl-F, to quickly find the Event in this window)
- Click the Apply button towards the bottom of the window.

You will now be returned to the Add/Modify Circuit Definition window. 
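To see what the statement configured above actually matches, here is an added example (not RSA enVision code and not part of the original lab) that models its semantics in Python: device selection by group, Event ID compared with IN, and "Consider every event" firing once per matching event. The device-group membership, record layout and sample events are assumptions constructed for the example.

```python
# Added example: a small model of how the statement defined above filters
# events. Names, record layout and device-group contents are assumptions.
from dataclasses import dataclass

# Assumed contents of the device group created in Part II of the lab.
DEVICE_GROUPS = {
    "PCI-Scope-ESX-Servers": {"esx-pci-01", "esx-pci-02"},
}

@dataclass(frozen=True)
class Statement:
    label: str
    device_group: str            # "Select devices by Device Group"
    event_ids: frozenset         # "Event ID ... IN <selected values>"
    consider_every_event: bool = True

@dataclass(frozen=True)
class Event:
    device: str      # reporting ESX host
    event_id: str    # enVision Event ID, e.g. "TaskEvent"
    message: str

STATEMENT_1 = Statement(
    label="TaskEvent initiated on a PCI scope ESX Host.",
    device_group="PCI-Scope-ESX-Servers",
    event_ids=frozenset({"TaskEvent"}),
)

def statement_matches(stmt: Statement, ev: Event) -> bool:
    """True only when both the device selection and the event selection hold."""
    in_group = ev.device in DEVICE_GROUPS.get(stmt.device_group, set())
    in_event_set = ev.event_id in stmt.event_ids   # the IN comparison
    return in_group and in_event_set

def evaluate(stmt: Statement, events: list) -> list:
    """With 'Consider every event', each matching event is reported on its own."""
    return [ev for ev in events if statement_matches(stmt, ev)]

# Constructed sample events (not real ESX log output).
SAMPLE_EVENTS = [
    Event("esx-pci-01", "TaskEvent", "Task: Migrate virtual machine"),
    Event("esx-lab-07", "TaskEvent", "Task: Migrate virtual machine"),    # host not in scope
    Event("esx-pci-02", "UserLoginSessionEvent", "User root logged in"),  # wrong Event ID
    Event("esx-pci-02", "TaskEvent", "Task: Relocate virtual machine"),
]

if __name__ == "__main__":
    for ev in evaluate(STATEMENT_1, SAMPLE_EVENTS):
        print(f"{STATEMENT_1.label}: {ev.device} {ev.message}")
```

Only the two TaskEvents from hosts in the PCI group match; the out-of-scope host and the login event are dropped before the rest of the circuit ever sees them.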
  
-Regards,
Blackhattrick blog
(Googlethewebsite.blogspot.com/blackhattrick.blogspot.com)

