RSAENVISION - Advanced Correlation Lab: Build a Correlation Rule for VM Relocation (Part 5)


Part V: Circuit #2, Statement #2 : The Second ESX Event
In this lab exercise we will show you how to create a correlation rule in RSA enVision that can be used to issue an alert when a VM is relocated away from a PCI scope ESX server.

The second of the three statements nested under the second Circuit group, this statement contains the second piece of technical criteria we are looking for from the ESX hosts. For this statement, we are looking for the Event Id VmBeingRelocatedEvent on any ESX server within our PCI-Scope-ESX-Servers device group.

You have just returned to the Add/Modify Circuit Definition window. Here you will see the statement you just created. Click the Add Statement button towards the bottom of the window.


Under the Add/Modify Statement window, perform the following steps. A screenshot is included on the next page.

- Fill in the Statement label with “VmBeingRelocatedEvent initiated on a PCI scope ESX Host.”

- Under the Threshold Definition section
  - Click the Consider every event radio button

- Under the Device Selection section
  - Click the Select devices by Device Group radio button
  - Click the Add button
  - Select PCI-Scope-ESX-Servers in the drop down box

- Under the Event Selection section
  - Click the Add button
  - Under Event Type, select Event ID for VMware ESX / ESXi in the drop down boxes
  - Under Comparison, select IN in the drop down box
  - Under Value, click the […] button
  - Browse for the VmBeingRelocatedEvent Event Id, toggle the checkbox, and click the Select button
    (You can use the browser find function, Ctrl-F, to quickly find the Event in this window.)

- Click the Apply button towards the bottom of the window.


You will now be returned to the Add/Modify Circuit Definition window. 
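To make concrete what this statement actually evaluates, here is an added Python model of Statement #2 (this is illustration code, not enVision's own logic; the device group membership, host names and event stream are constructed for the example). It applies the same three criteria the dialog captures, device group, Event ID with the IN comparison, and threshold, and contrasts "Consider every event" with a counted threshold so the effect of that radio button is visible.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed device-group membership; host names are hypothetical.
DEVICE_GROUPS = {"PCI-Scope-ESX-Servers": {"esx-pci-01", "esx-pci-02"},
                 "Dev-ESX-Servers": {"esx-dev-01"}}

@dataclass
class EsxEvent:
    device: str     # reporting ESX host, as enVision identifies the device
    event_id: str   # parsed VMware ESX / ESXi Event ID
    ts: datetime

@dataclass
class Statement:
    label: str
    device_group: str   # "Select devices by Device Group"
    event_ids: set      # "Comparison: IN" is set membership on the Event ID
    threshold: tuple = None   # None = "Consider every event"; (count, window) = counted
    hits: list = field(default_factory=list)

    def fires(self, ev: EsxEvent) -> bool:
        """True when this event satisfies the statement."""
        if (ev.device not in DEVICE_GROUPS.get(self.device_group, set())
                or ev.event_id not in self.event_ids):
            return False
        if self.threshold is None:      # every matching event satisfies it
            return True
        count, window = self.threshold  # N matches inside a sliding time window
        self.hits = [t for t in self.hits if ev.ts - t <= window] + [ev.ts]
        return len(self.hits) >= count

# Constructed sample stream: two PCI-scope relocations, one dev-host relocation,
# one unrelated Event ID on a PCI-scope host.
T0 = datetime(2021, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    EsxEvent("esx-pci-01", "VmBeingRelocatedEvent", T0),
    EsxEvent("esx-dev-01", "VmBeingRelocatedEvent", T0 + timedelta(seconds=5)),
    EsxEvent("esx-pci-02", "VmPoweredOffEvent", T0 + timedelta(seconds=9)),
    EsxEvent("esx-pci-02", "VmBeingRelocatedEvent", T0 + timedelta(seconds=12)),
]

def evaluate(events, threshold=None):
    """Run Statement #2 over events; return (device, event_id) for each that satisfied it."""
    stmt = Statement("VmBeingRelocatedEvent initiated on a PCI scope ESX Host.",
                     "PCI-Scope-ESX-Servers", {"VmBeingRelocatedEvent"}, threshold)
    return [(ev.device, ev.event_id) for ev in events if stmt.fires(ev)]

def sample_with_threshold(count=2, window_seconds=60):
    return evaluate(SAMPLE_EVENTS, (count, timedelta(seconds=window_seconds)))
```

With "Consider every event" both PCI-scope relocations satisfy the statement on their own; with a counted threshold of 2 in 60 seconds only the second one does, and with a 10 second window neither does.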


-Regards,
Blackhattrick blog
(Googlethewebsite.blogspot.com/blackhattrick.blogspot.com)


Reviewed by BlackHat on 10:39 AM



