000031179 - How to use Reporting Engine lists for ESA alert creation in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000031179
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA), Reporting Engine, Security Analytics UI
RSA Version/Condition: 10.4.1.0
Platform: CentOS
O/S Version: EL6
TasksExample:
User wants to get information about blacklisted IP addresses in order to have a list with the IP addresses in the Reporting Engine.
He then wants to get ESA alerts based on events matching this Blacklisted IP list.
ESA rules only work with meta so as a workaround it is possible to use the 'In Memory Enrichment feature' in ESA in order to refer to this Blacklist IP list on the ESA Module.
To do this, the steps below must be followed.
  1. Export the Reporting Engine list, as shown below.
    User-added image
    User-added image
  2. Add an In-Memory Table as an Enrichment Source on the ESA.
    User-added image
  3. Import the Blacklisted IP's file as a csv file by using the Import button on the In-Memory Table screen.
    User-added image

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
NotesFor more information on the In-Memory Enrichment Table, refer to the Security Analytics User Guide.

Attachments

    Outcomes