Harden the Admin Account
The STIG Hardening Guide in the SA 10.4 Documentation on SCOL (https://knowledge.rsasecurity.com/scolcms/set.aspx?id=10407) has this information.
Audit Log Messages
It can be useful to see which user actions result in which log message types in the /var/log/messages file.
The event categories spreadsheet included in the log parser package in the Security Analytics Parser v2.0.zip archive lists the event categories and the event parser lines to help with building reports, alerts, and queries.
NwConsole for Health & Wellness
RSA has added a command option called logParse in NwConsole. This command option supports log parsing, a convenient way to check log parser without setting up the full system to do log parse.
Note: Does anyone know of any documentation for this command?
Thick Client Error: remote content device entry not found
Error: “The remote content device entry was not found,” generated for a correlation rule applied to a concentrator.
Problem: in Investigation, if you click the
correlation-rule-name meta value in the Alert meta key, you do not get session information.
Solution: Instead of using correlation rules on decoders and concentrators, use ESA rules. The ESA rules do record the correlation sessions that match the ESA rule.
View Example Parsers
Since flex and lua parsers are encrypted when they are delivered by Live, you cannot easily view their contents.
However, some plain text examples are available here: https://community.emc.com/docs/DOC-41108.
Harden the Security Analytics Admin Account
The Security Analytics v10.4 STIG Hardening Instructions guide, available on the Security Analytics 10.4 documentation page on SCOL, contains details on hardening the Admin account.
This link to a wiki page has lots of good troubleshooting information: https://wiki.na.rsa.net/pages/viewpa...email@example.com@rsa.com.
These are issues related to Health & Wellness, upgrading, provisioning, and other OS-related services and folders. This could be fleshed out into multiple troubleshooting topics.
Configure WinRM Event Sources
The following Inside EMC article has a video that walks through the process of setting up Windows RM (Remote Management) collection: https://inside.emc.com/docs/DOC-122732.
Additionally, it contains two scripts that are shortcuts for procedures described in the "Windows Event Source Configuration Guide."