Advanced Correlation Lab: Build a Correlation Rule for VM Relocation (Part 1)
Part I: Overview and Framing the Problem
In this lab exercise we will show you how to create a correlation rule in RSA enVision that issues an alert when a VM is relocated away from a PCI-scope ESX server onto a host outside PCI scope.
Why is this important? With a physical infrastructure, you can architect physical separation between your PCI environment and your non-PCI environment (picture two rooms: a PCI room and a non-PCI room). In that physical infrastructure, you would notice when someone carried a server out of the PCI room and into the non-PCI room. In a virtual infrastructure the equivalent move is an administrative action in vCenter that leaves no physical trace, so it is much harder to notice when a change like this occurs. Organizations can leverage correlation rules within enVision to alert when this type of activity takes place.
We will define two Circuits:
Circuit 1: Contains the vCenter event(s) associated with the relocate action.
Circuit 2: Contains the ESX / ESXi event(s) associated with the relocate action.
Under these Circuits, we will nest and define four Statements:
Statement 1: The first statement is nested under our first Circuit group. This statement contains the technical criteria we are looking for from vCenter. In this case, we are looking for the specific Event ID VirtualMachine.relocate.
Statement 2: The second statement is the first of three statements nested under our second Circuit group. This statement contains the first piece of technical criteria we are looking for from the ESX hosts. In this case, we are looking for the Event ID TaskEvent on any ESX server within our PCI-Scope-ESX-Servers device group.
Statement 3: The second of the three statements nested under the second Circuit group, this statement contains the second piece of technical criteria we are looking for from the ESX hosts. For this statement, we are looking for the Event ID VmBeingRelocatedEvent on any ESX server within our PCI-Scope-ESX-Servers device group.
Statement 4: The last of the three statements nested under the second Circuit group, this statement contains the final, successful relocation event we are looking for from the ESX hosts. For this statement, we are looking for the Event ID VmRelocatedEvent on any ESX server that is NOT within our PCI-Scope-ESX-Servers device group. This negation is what turns the rule from "a VM was relocated" into "a VM left PCI scope": a move between two PCI-scope hosts never satisfies Statement 4 and so never alerts.
Once the Circuits and Statements have been defined, we also have to define the variable on which our event messages are multi-threaded, that is, linked together into a single correlated chain. In this case, we use the variable ID, which maps directly to the VMware EventChain Id that vCenter and the ESX hosts place on every event belonging to the same task. This is how we ensure we are following one string of messages across the Vblock VMware infrastructure rather than mixing events from unrelated relocations that happen to overlap in time.
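To make the rule logic concrete, here is an added example written for this edit; it is not RSA enVision rule syntax and is not code from the original post. It replays a constructed stream of vCenter and ESX event records, keys them on the EventChain Id exactly as the variable ID does above, and raises one alert only when Circuit 1 (Statement 1) and all three statements of Circuit 2 are satisfied for the same chain. The host names, VM names, record field names, chain numbers and the 600-second correlation window are all assumptions made for the example.

```python
"""Model of the VM-relocation correlation rule: two circuits, four statements,
linked on the VMware EventChain Id. Constructed sample data, not enVision syntax."""
from collections import defaultdict

# Assumed device group (not from the post): the ESX hosts that are in PCI scope.
PCI_SCOPE_ESX_SERVERS = {"esx-pci-01", "esx-pci-02"}

# Assumed correlation window in seconds. The post does not state one; size it
# to the longest relocation you expect, or a slow storage migration will be missed.
WINDOW_SECONDS = 600


def _new_chain_state():
    return {"first_seen": None, "s1": False, "s2": False, "s3": False,
            "src_host": None, "dst_host": None, "vm": None, "alerted": False}


def correlate(events, pci_hosts, window=WINDOW_SECONDS):
    """Replay events and return one alert per EventChain Id that satisfies
    Circuit 1 (Statement 1) AND Circuit 2 (Statements 2, 3 and 4)."""
    chains = defaultdict(_new_chain_state)
    alerts = []
    for ev in events:
        st = chains[ev["chain_id"]]
        if st["first_seen"] is None:
            st["first_seen"] = ev["time"]
        elif ev["time"] - st["first_seen"] > window:
            # Stale chain: start over so an old partial match cannot be
            # completed by an unrelated later event carrying the same id.
            st = chains[ev["chain_id"]] = _new_chain_state()
            st["first_seen"] = ev["time"]
        eid, dev = ev["event_id"], ev["device"]
        in_scope = dev in pci_hosts
        # Circuit 1 / Statement 1: vCenter reports the relocate task.
        if ev["source"] == "vcenter" and eid == "VirtualMachine.relocate":
            st["s1"] = True
            st["vm"] = ev["vm"]
        # Circuit 2 / Statement 2: TaskEvent on a PCI-scope ESX host.
        elif ev["source"] == "esx" and in_scope and eid == "TaskEvent":
            st["s2"] = True
            st["src_host"] = dev
        # Circuit 2 / Statement 3: VmBeingRelocatedEvent on a PCI-scope host.
        elif ev["source"] == "esx" and in_scope and eid == "VmBeingRelocatedEvent":
            st["s3"] = True
            st["src_host"] = dev
        # Circuit 2 / Statement 4: VmRelocatedEvent on a host OUTSIDE PCI scope.
        elif ev["source"] == "esx" and not in_scope and eid == "VmRelocatedEvent":
            st["dst_host"] = dev
        if st["s1"] and st["s2"] and st["s3"] and st["dst_host"] and not st["alerted"]:
            st["alerted"] = True
            alerts.append({"chain_id": ev["chain_id"], "vm": st["vm"],
                           "source_host": st["src_host"],
                           "dest_host": st["dst_host"], "time": ev["time"]})
    return alerts


def _ev(time, source, device, event_id, chain_id, vm):
    # Field names are assumptions; real enVision variables will differ.
    return {"time": time, "source": source, "device": device,
            "event_id": event_id, "chain_id": chain_id, "vm": vm}


# Constructed sample events (not real logs). Chain ids stand in for EventChain Id.
SAMPLE_EVENTS = [
    # Chain 1001: cardholder-db leaves PCI scope (esx-pci-01 -> esx-lab-07). ALERT.
    _ev(100, "vcenter", "vcenter01", "VirtualMachine.relocate", 1001, "cardholder-db"),
    _ev(101, "esx", "esx-pci-01", "TaskEvent", 1001, "cardholder-db"),
    _ev(102, "esx", "esx-pci-01", "VmBeingRelocatedEvent", 1001, "cardholder-db"),
    _ev(140, "esx", "esx-lab-07", "VmRelocatedEvent", 1001, "cardholder-db"),
    # Chain 1002: move between two PCI hosts. Statement 4 never matches, no alert.
    _ev(200, "vcenter", "vcenter01", "VirtualMachine.relocate", 1002, "pan-tokenizer"),
    _ev(201, "esx", "esx-pci-02", "TaskEvent", 1002, "pan-tokenizer"),
    _ev(202, "esx", "esx-pci-02", "VmBeingRelocatedEvent", 1002, "pan-tokenizer"),
    _ev(230, "esx", "esx-pci-01", "VmRelocatedEvent", 1002, "pan-tokenizer"),
    # Chain 1003: non-PCI to non-PCI move. Statements 2 and 3 never match, no alert.
    _ev(300, "vcenter", "vcenter01", "VirtualMachine.relocate", 1003, "wiki"),
    _ev(301, "esx", "esx-lab-03", "TaskEvent", 1003, "wiki"),
    _ev(302, "esx", "esx-lab-03", "VmBeingRelocatedEvent", 1003, "wiki"),
    _ev(330, "esx", "esx-lab-07", "VmRelocatedEvent", 1003, "wiki"),
    # Chain 1004: final event arrives long after the window expired, no alert.
    _ev(400, "vcenter", "vcenter01", "VirtualMachine.relocate", 1004, "cardholder-web"),
    _ev(401, "esx", "esx-pci-01", "TaskEvent", 1004, "cardholder-web"),
    _ev(402, "esx", "esx-pci-01", "VmBeingRelocatedEvent", 1004, "cardholder-web"),
    _ev(5000, "esx", "esx-lab-07", "VmRelocatedEvent", 1004, "cardholder-web"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, PCI_SCOPE_ESX_SERVERS):
        print("ALERT chain %d: %s relocated %s -> %s (left PCI scope) at t=%d"
              % (a["chain_id"], a["vm"], a["source_host"], a["dest_host"], a["time"]))
```

Only chain 1001 alerts. The other three chains show why each statement matters: without the negated device group in Statement 4 every relocation would alert, and without the chain id linkage the PCI-host events of chain 1002 could be paired with the out-of-scope VmRelocatedEvent of chain 1003. The statements are evaluated in arrival order, so the rule still fires if the vCenter event reaches enVision after the ESX events.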
The following diagram shows how the nesting of the circuits, statements, and message criteria is logically structured within RSA enVision.
As you can see, the Correlation Rule structure within RSA enVision allows very detailed definition of rule logic, which lets the user build complex rule sets quickly within the RSA enVision Administrative interface. Keep in mind that this rule only sees what is fed to it: both vCenter and every ESX host in the PCI-Scope-ESX-Servers device group must be forwarding their events to enVision, and the device group must be kept current as hosts are added to or removed from PCI scope.
-Regards,
Blackhattrick blog
(Googlethewebsite.blogspot.com/blackhattrick.blogspot.com)
Reviewed by BlackHat on 10:41 AM