This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2007-10-15 02:56 PM

Correlating between Qualys data with other sources of log data ?

Back in the earlier part of this year, we were told we'd have the ability to correlate events from IDS (specifically, ISS), AV (ePO) and FW's together with vulnerability data from Qualys.  I see we can now import Qualys data in real-time, but it doesn't yet appear we're able to correlate the data together from all of these devices (or any, really).  Am I missing something?  Has anyone heard of upcoming support for Qualys data to be incorporated?  I'm not sure I'm finding enVision 3.5.1 is able to do anything w/the data from Qualys once it gets it - and I'm confused by this.
 
We're looking for a SIEM tool, and were hoping enVision might one day be one (today?) such tool we could consider... it'd certainly be a lot cheaper than bringing in someone else (since we already own an instance of enVision).
 
Anyone?
0 Likes
Reply
5 Replies
RSAAdmin
Beginner
Beginner
‎2008-04-02 08:25 AM

The ability to import Qualys data was present on 3.5.1 however it didnt really do anything.  Version 3.7 fully supports Qualys as a vulnerability feed which we can use to correlate with attack data from supported Network IDS systems. 

 

The VAM IDS devices supported are Cisco Secure IDS (XML), Enterasys Networks Dragon, ISS RealSecure IDS, Juniper Networks IDP, McAfee Intrushield, TippingPoint UnityOne and SNORT

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2009-06-22 03:41 PM

How do you configure the correlation rules?  I have been trying and have the first half of the rule set to look at all event types of "attacks.*" from our Cisco ASA/IPS where dest IP in in our server groups, but I can find no way to correlate this with VAM data.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2009-06-23 06:10 AM

You need to set the "confidence level filtering" criteria at the top level of the rule configuration.  Search in the online help for "confidence" and there is lots of information.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2009-06-23 09:31 AM

This method does not appear to currently support Cisco ASA using SDEE collection.  With SDEE collection the IDS events come via syslog from the ASA itself, not the IPS module.  However if I select Security.Firewall/Cisco ASA in my correlation rule, I do not get the option for Confidence Filtering.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2009-06-24 08:14 AM

OK that makes some sense, we only support specific IDS systems for VAM and if one of those isnt selected in the rule then the confidence level option isnt even available.

 

It appears that this variation on the Cisco IDS is not currently supported for VAM and this will require a product update.

 

Get this logged with techical support as an enhancment request so it gets into the system and can be tracked and fed back to product managment.

 

Gary

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.