Confidence Filtering
Originally Published: 2013-06-26
Issue
What is confidence filtering and how do I configure it in Envision?
Resolution
For example, let's say you received a message from your Cisco Secure IDS XML device reporting that it thinks it saw an intrusion attempt. Normally you might configure a correlated alert that looks for any message arriving from that device and fires an alert whenever one does.
Envision can calculate a Confidence level for such a message (how confident we are that this really is an attack): Low means we are not very confident that this IDS message is really an intrusion attempt, High means we are very confident that it is an attack, and Medium covers messages that fall in between. To determine a message's Confidence level, we use a field found in the message XML together with the vulnerability data for an asset list in the Asset database.
When configuring the filter, you are required to select at least one field that contains an IP address (Source, Destination, etc.). To calculate the Confidence level, we first look at the message XML from the IDS device to see whether the event we received includes a vidx field. If it does, we next check whether the IP address in the message field you picked appears in the Asset database. Assuming both are present, we use the value in the vidx field as a bit lookup into the cv_mask and nav_mask fields of the AFP table row for that IP address. Depending on what we find, we set the Confidence level as follows:
- If the cv_mask field is set to TRUE (1), set the Confidence level to HIGH
- If the nav_mask field is set to TRUE (1), set the Confidence level to LOW
- If both the cv_mask and nav_mask fields are set to FALSE (0), set the Confidence level to MEDIUM
There is never a condition when both fields are set to TRUE.
For any other situation, such as when the message XML does not have the vidx field or the selected IP address does not appear in the Asset database, the Confidence level is set to MEDIUM.
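A worked version of the lookup described above, written for this article rather than taken from Envision: the AFP table is modelled as a dictionary keyed by IP address, the vidx value is treated as a bit index into integer cv_mask and nav_mask columns, and the IDS event is a constructed XML snippet with vidx, src and dst elements (all of these are assumptions, not the product's real schema).

```python
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed stand-in for the AFP table: ip -> row with integer masks.
# Assumption: bit N of a mask holds the flag for vidx N.
AFP_TABLE = {
    "10.0.0.5": {"cv_mask": 0b0100, "nav_mask": 0b0001},
    "10.0.0.9": {"cv_mask": 0b0000, "nav_mask": 0b0010},
}


def bit_set(mask: int, bit: int) -> bool:
    """Return True when bit number `bit` of `mask` is 1."""
    return (mask >> bit) & 1 == 1


def confidence(vidx: Optional[int], ip: Optional[str], afp=AFP_TABLE) -> str:
    """Apply the article's rule; MEDIUM is the fallback for every other case."""
    if vidx is None or ip is None or ip not in afp:
        return "MEDIUM"          # no vidx, or IP not in the Asset database
    row = afp[ip]
    cv = bit_set(row["cv_mask"], vidx)
    nav = bit_set(row["nav_mask"], vidx)
    if cv and nav:
        # The article states this never happens; treat it as bad asset data.
        raise ValueError(f"cv_mask and nav_mask both set for {ip}, vidx {vidx}")
    if cv:
        return "HIGH"
    if nav:
        return "LOW"
    return "MEDIUM"              # both bits FALSE (0)


def confidence_from_event(xml_text: str, ip_field: str, afp=AFP_TABLE) -> str:
    """Parse a constructed IDS event and evaluate the chosen IP field."""
    root = ET.fromstring(xml_text)
    vidx_el = root.find("vidx")
    vidx = int(vidx_el.text) if vidx_el is not None and vidx_el.text else None
    ip_el = root.find(ip_field)
    ip = ip_el.text.strip() if ip_el is not None and ip_el.text else None
    return confidence(vidx, ip, afp)


# Constructed sample events (not real Cisco IDS output).
EVENT_HIGH = "<event><vidx>2</vidx><src>192.0.2.7</src><dst>10.0.0.5</dst></event>"
EVENT_LOW = "<event><vidx>1</vidx><src>192.0.2.7</src><dst>10.0.0.9</dst></event>"
EVENT_NO_VIDX = "<event><src>192.0.2.7</src><dst>10.0.0.5</dst></event>"
```

Evaluating EVENT_HIGH on the src field yields MEDIUM, because 192.0.2.7 is not in the asset table, which is the fallback case the article describes.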
If the user picks two or more fields to be compared, I believe we err on the side of caution and default to the higher severity (needs to be confirmed).