Correlation rules: less than comparison, port sweep
There are basic correlation capabilities in the system. We tried to create a very simple correlation rule on the log concentrator/decoder and noticed that we can't use a less-than comparison with the rules. These would be very useful, and it's quite odd that you can use a "more than" comparison, but not equals or less than, with the rules. Why do you want to restrict this? To make people buy ESA appliances for these simple cases, or is there some sort of technical reason for this?
We could use these less-than rules to monitor log collection, for instance. This can be done with the new monitoring feature on the SA server as well, but we didn't get it working and it's too simple. You can only use IP addresses or device types there. Having multiple concentrators under one SA server could also bring out problems with that feature... We would like to use our custom meta fields related to those logging devices. Monitoring log collection in general could be achieved very easily with these basic correlation rules, if we could use a less-than comparison.
Another thing that we noticed was that we couldn't put different kinds of meta fields into the instance key field. So basically, a simple correlation rule to detect port sweeps can't be created. A port scanning rule can be created, though.
Fixes coming in upcoming releases, or should we try something else?
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
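Added illustration, not part of the thread and not RSA NetWitness rule syntax: the three detections the original post asks about, written as plain Python over a constructed event sample. The less-than rule flags monitored devices whose event count inside a time window falls below a threshold, which also catches devices that went completely silent, something a "more than" rule alone can never see. The port-sweep rule uses the instance key (source IP, destination port) and counts distinct destination hosts; the port-scan rule uses (source IP, destination IP) and counts distinct destination ports. The device names, IP addresses, thresholds and window boundaries are all assumptions.

```python
from collections import defaultdict

# Constructed sample events, not real log data:
# (timestamp_seconds, log_device, src_ip, dst_ip, dst_port)
SAMPLE_EVENTS = [
    (100, "fw-1", "10.0.0.5", "10.1.1.1", 445),   # one source, same port, many hosts
    (101, "fw-1", "10.0.0.5", "10.1.1.2", 445),
    (102, "fw-1", "10.0.0.5", "10.1.1.3", 445),
    (103, "fw-1", "10.0.0.5", "10.1.1.4", 445),
    (110, "fw-1", "10.0.0.9", "10.1.1.1", 22),    # one source, one host, many ports
    (111, "fw-1", "10.0.0.9", "10.1.1.1", 80),
    (112, "fw-1", "10.0.0.9", "10.1.1.1", 443),
    (113, "fw-1", "10.0.0.9", "10.1.1.1", 3389),
    (120, "fw-2", "10.0.0.7", "10.1.1.9", 53),    # fw-2 is nearly silent
    (400, "vpn-1", "10.0.0.8", "10.1.1.9", 443),  # outside the window used below
]

# Devices we expect to hear from; assumed names standing in for custom meta fields.
MONITORED_DEVICES = ("fw-1", "fw-2", "vpn-1")


def events_in_window(events, start, end):
    """Select events whose timestamp lies in the half-open interval [start, end)."""
    return [e for e in events if start <= e[0] < end]


def low_volume_devices(events, expected_devices, threshold, start, end):
    """Less-than rule: devices that produced fewer than `threshold` events in the window.

    Iterating over the expected device list (not over what was seen) means a device
    with zero events is reported with count 0 instead of being silently missed.
    """
    counts = defaultdict(int)
    for event in events_in_window(events, start, end):
        counts[event[1]] += 1
    return {dev: counts[dev] for dev in expected_devices if counts[dev] < threshold}


def port_sweeps(events, min_hosts, start, end):
    """Port sweep: instance key (src_ip, dst_port), measured by distinct destination hosts."""
    hosts_per_key = defaultdict(set)
    for _, _, src, dst, port in events_in_window(events, start, end):
        hosts_per_key[(src, port)].add(dst)
    return {key: len(hosts) for key, hosts in hosts_per_key.items() if len(hosts) >= min_hosts}


def port_scans(events, min_ports, start, end):
    """Port scan: instance key (src_ip, dst_ip), measured by distinct destination ports."""
    ports_per_key = defaultdict(set)
    for _, _, src, dst, port in events_in_window(events, start, end):
        ports_per_key[(src, dst)].add(port)
    return {key: len(ports) for key, ports in ports_per_key.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    window = (0, 300)
    print("low volume:", low_volume_devices(SAMPLE_EVENTS, MONITORED_DEVICES, 3, *window))
    print("sweeps:    ", port_sweeps(SAMPLE_EVENTS, 3, *window))
    print("scans:     ", port_scans(SAMPLE_EVENTS, 3, *window))
```

The two scan-style rules differ only in which two fields form the instance key and which field is counted as distinct values, which is exactly why a rule engine that only accepts one kind of meta field in the instance key can express one of them but not the other.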
Hopefully this doesn't get blocked.
Likely you were, as we were, told by the sales people that it can do correlation and it works great, just like EnVision. Well, this was a lie, and we were told by an undisclosed source inside RSA that they realize they have lied to a lot of customers and are unsure of how to proceed. The real answer is ESA; you need it to do anything that is useful. If you actually look in the live feeds, you can see ESA rules that do the exact processes you mention.
I would suggest contacting sales and see what they can do for you.