RSAENVISION - Advanced Correlation Lab: Build a Correlation Rule for VM Relocation (Part 3)



Part III: Circuit #1, Statement #1: The vCenter Event
In this lab exercise we will show you how to create a correlation rule in RSA enVision that issues an alert when a VM is relocated away from an ESX server that is in PCI scope.

The first statement is nested under our first Circuit group. This statement contains the technical criteria we are looking for from vCenter. In this case, we are looking for the specific Event ID VirtualMachine.relocate, which vCenter records when a virtual machine is moved between hosts or datastores.

First we add a new rule.

Under the Manage Correlation Rules – Add/Modify Rule window, fill in the fields using the information in the table below.  Once complete, click the Add Circuit button towards the bottom of the window.


Under the Add/Modify Circuit Definition window, fill in the fields as shown below.  Once complete, click the Add Statement button towards the bottom of the window.


Under the Add/Modify Statement window, perform the following steps.  A screenshot is included below.

- Fill in the Statement label with "A VirtualMachine.relocate event has occurred"

- Under the Threshold Definition section
  - Click the Consider every event radio button

- Under the Device Selection section
  - Click the Select devices by Device Class/Type radio button
  - Click the Add button
  - Select Host.Virtualization/VMware vCenter in the drop-down box

- Under the Event Selection section
  - Click the Add button
  - Under Event Type, select Event ID for VMware vCenter in the drop-down boxes
  - Under Comparison, select IN in the drop-down box
  - Under Value, click the […] button
  - Browse for the VirtualMachine.relocate Event ID, and click the Select button

  (You can use the browser find function, Ctrl-F, to quickly find the Event ID in this window.)

- Click the Apply button towards the bottom of the window.

You will now be returned to the Add/Modify Circuit Definition window.  Here you will see the statement you just created.  Click the Apply button towards the bottom of the window.


You will now be returned to the Manage Correlation Rules – Add/Modify Rule window. 
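To make the statement's logic concrete outside the enVision GUI, here is an added Python model of what Statement #1 evaluates, run over a few constructed vCenter event records. This is example code written for this post, not RSA enVision code or output; the record field names (device_type, event_id, vm, source_host, dest_host) and the sample host and VM names are assumptions. It also goes one step beyond this part: relocations_from_scope() applies the rule's overall goal from the introduction (a VM leaving a PCI-scope host), which is my own reading of how the remaining statements would complete the rule, not the lab's later steps.

```python
"""
Added example: a small Python model of the enVision correlation statement
built in this part, applied to constructed vCenter event records.

Statement #1 as configured in the lab:
  - Threshold:        consider every event (no count or time window)
  - Device selection: device class/type Host.Virtualization/VMware vCenter
  - Event selection:  Event ID IN {"VirtualMachine.relocate"}

Field names on Event are assumptions for this example; real enVision
parsed-event field names differ.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Event:
    device_type: str   # assumed field: enVision device class/type of the source
    event_id: str      # assumed field: the vCenter Event ID
    vm: str            # assumed field: VM name
    source_host: str   # assumed field: ESX host the VM was on before the move
    dest_host: str     # assumed field: ESX host the VM was moved to


# Statement #1 selections exactly as entered in the Add/Modify Statement window.
STATEMENT_DEVICE_TYPES = {"Host.Virtualization/VMware vCenter"}
STATEMENT_EVENT_IDS = {"VirtualMachine.relocate"}   # Comparison: IN


def statement_matches(ev: Event) -> bool:
    """Statement #1: every event from a vCenter device whose Event ID is IN the selected set."""
    return ev.device_type in STATEMENT_DEVICE_TYPES and ev.event_id in STATEMENT_EVENT_IDS


def relocations_from_scope(events: Iterable[Event], pci_hosts: Set[str]) -> List[Event]:
    """Rule goal from the introduction: relocations whose source host is in PCI
    scope and whose destination is not. The source/destination test is an
    assumption about how the full rule would be completed; this part of the lab
    only builds the Event ID match in statement_matches()."""
    return [
        ev for ev in events
        if statement_matches(ev)
        and ev.source_host in pci_hosts
        and ev.dest_host not in pci_hosts
    ]


# Constructed sample events (not real logs). The non-relocate Event ID and the
# "VMware ESX" device type are placeholders used only as non-matching cases.
SAMPLE_EVENTS = [
    Event("Host.Virtualization/VMware vCenter", "VirtualMachine.relocate",
          "pci-db-01", "esx-pci-01", "esx-lab-02"),     # leaves PCI scope -> alert
    Event("Host.Virtualization/VMware vCenter", "VirtualMachine.relocate",
          "pci-web-01", "esx-pci-01", "esx-pci-02"),    # stays inside PCI scope
    Event("Host.Virtualization/VMware vCenter", "VirtualMachine.powerOn",
          "pci-db-01", "esx-pci-01", "esx-pci-01"),     # wrong Event ID
    Event("Host.Virtualization/VMware ESX", "VirtualMachine.relocate",
          "dev-01", "esx-pci-01", "esx-lab-01"),        # wrong device class/type
]
PCI_HOSTS = {"esx-pci-01", "esx-pci-02"}   # constructed PCI-scope host list


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"statement #1 {'MATCH ' if statement_matches(ev) else 'no match'}: {ev.event_id} from {ev.device_type}")
    for ev in relocations_from_scope(SAMPLE_EVENTS, PCI_HOSTS):
        print(f"ALERT: {ev.vm} relocated from {ev.source_host} (PCI scope) to {ev.dest_host}")
```

Note that Statement #1 on its own fires on every relocation, including moves between two PCI-scope hosts; the narrowing to "away from" PCI scope is what the rest of the rule has to add.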


-Regards,
Blackhattrick blog
(Googlethewebsite.blogspot.com/blackhattrick.blogspot.com)


Reviewed by BlackHat on 10:40 AM
