000013997 - Confidence Filtering

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000013997
Issue: Confidence Filtering
What is confidence filtering and how do I configure it in Envision?
Resolution: When you create an alert for certain IDS devices, such as the Cisco Secure IDS XML device, you can filter alerts (prevent them from firing) that would normally fire when those events come in, based on the calculated Confidence level.

For example, let's say you received a message from your Cisco Secure IDS XML device that told you it thinks it saw an intrusion attempt. You might normally configure a correlated alert to look for any messages that come in from that device and fire an alert when that happens.

Envision has the ability to calculate a Confidence level (how confident are we that this is really an attack) with Low meaning that we are not really confident this IDS message is really an intrusion attempt and High meaning that we are very confident that this is an attack. We also have a Medium value for messages that fall in between. To determine a message confidence level, we use a field found in the message XML and the vulnerability data for an asset list in the Asset database.

When configuring the filter, you are required to select at least one field that contains an IP address (Source, Destination, etc.). To calculate the Confidence level, we first look at the message XML for our IDS device to see if the event we received includes a vidx field. If it does, we next look to see if the IP address in the message field we picked appears in the Asset database. Assuming both are there, we use the value contained in the vidx field as a bit lookup in the cv_mask and nav_mask fields in the AFP table for the row containing our IP address. Depending on what we find, we set the Confidence level as follows:

   - If the cv_mask field is set to TRUE (1), set the Confidence level to HIGH
   - If the nav_mask field is set to TRUE (1), set the Confidence level to LOW
   - If both the cv_mask and nav_mask fields are set to FALSE (0), set the Confidence level to MEDIUM

There is never a condition when both fields are set to TRUE.

For any other situation, such as when the message XML does not have the vidx field or the selected IP address does not appear in the Asset database, the Confidence level is set to MEDIUM.
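The lookup described above, written out as a Python example that is added here for illustration and is not enVision code. The XML element names other than vidx, the in-memory `AFP` dict and the integer mask layout (bit 0 is the least significant bit) are assumptions, and only a single selected IP field is handled.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed stand-in for the AFP table: one row per asset IP address.
# Assumption: masks are integers and vidx selects bit number vidx (bit 0 = LSB).
AFP = {"10.0.0.5": {"cv_mask": 0b0100, "nav_mask": 0b0010}}

# Constructed message; the element names other than vidx are hypothetical.
SAMPLE = "<event><vidx>2</vidx><destination>10.0.0.5</destination></event>"


def bit_set(mask, index):
    """True when bit number `index` of the integer `mask` is 1."""
    return (mask >> index) & 1 == 1


def confidence(message_xml, ip_field, afp=AFP):
    """Return "HIGH", "MEDIUM" or "LOW" for one message and one selected IP field."""
    root = ET.fromstring(message_xml)
    vidx_text = root.findtext("vidx")
    ip_text = root.findtext(ip_field)
    # No vidx field, or no value in the selected IP field: MEDIUM.
    if vidx_text is None or ip_text is None:
        return "MEDIUM"
    try:
        vidx = int(vidx_text)
        ip = str(ipaddress.ip_address(ip_text.strip()))
    except ValueError:
        return "MEDIUM"  # unparseable values fall under "any other situation"
    row = afp.get(ip)
    if row is None or vidx < 0:
        return "MEDIUM"  # address not in the asset data, or unusable bit index
    cv = bit_set(row["cv_mask"], vidx)
    nav = bit_set(row["nav_mask"], vidx)
    if cv and nav:
        # The article says this never happens; treat it as corrupt asset data.
        raise ValueError(f"cv_mask and nav_mask both set for {ip} at vidx {vidx}")
    if cv:
        return "HIGH"
    if nav:
        return "LOW"
    return "MEDIUM"


if __name__ == "__main__":
    print(confidence(SAMPLE, "destination"))
```

Raising on the "both bits set" case is this example's choice for surfacing inconsistent asset data; the article only states that the condition does not occur.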

If the user picks two or more fields to be compared, I believe we err on the side of caution and default to the higher severity (needs to be confirmed).
Legacy Article ID: a61807